]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix stack-smashing crash in DNSSEC. Thanks to Henk Jan Agteresch.
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, void *hash);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 void *hash);
23 static unsigned short get_id(void);
24 static void free_frec(struct frec *f);
25 static struct randfd *allocate_rfd(int family);
26
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
31 unsigned int iface)
32 {
33 struct msghdr msg;
34 struct iovec iov[1];
35 union {
36 struct cmsghdr align; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39 #elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41 #endif
42 #ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44 #endif
45 } control_u;
46
47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
57
58 if (!nowild)
59 {
60 struct cmsghdr *cmptr;
61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
67 #if defined(HAVE_LINUX_NETWORK)
68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
73 cmptr->cmsg_level = IPPROTO_IP;
74 cmptr->cmsg_type = IP_PKTINFO;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
80 #endif
81 }
82 else
83 #ifdef HAVE_IPV6
84 {
85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
90 cmptr->cmsg_type = daemon->v6pktinfo;
91 cmptr->cmsg_level = IPPROTO_IPV6;
92 }
93 #else
94 (void)iface; /* eliminate warning */
95 #endif
96 }
97
98 while (sendmsg(fd, &msg, 0) == -1)
99 {
100 if (retry_send())
101 continue;
102
103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
106
107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
108 return 0;
109 }
110
111 return 1;
112 }
113
114 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
116
117 {
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
125 unsigned int flags = 0;
126
127 for (serv = daemon->servers; serv; serv=serv->next)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
130 {
131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
132 *type = SERV_FOR_NODOTS;
133 if (serv->flags & SERV_NO_ADDR)
134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
142 #ifdef HAVE_IPV6
143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
145 #endif
146 }
147 else if (!flags || (flags & F_NXDOMAIN))
148 flags = F_NOERR;
149 }
150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
154 char *matchstart = qdomain + namelen - domainlen;
155 if (namelen >= domainlen &&
156 hostname_isequal(matchstart, serv->domain) &&
157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
158 {
159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
161 else
162 {
163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
168 {
169 if ((serv->flags & SERV_LITERAL_ADDRESS))
170 {
171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
195 #ifdef HAVE_IPV6
196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
198 #endif
199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
202 }
203 else
204 flags = 0;
205 }
206 }
207 }
208 }
209
210 if (flags == 0 && !(qtype & F_QUERY) &&
211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
214
215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
216 flags = F_NOERR;
217
218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
226 }
227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
232 return flags;
233 }
234
235 static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
238 {
239 char *domain = NULL;
240 int type = 0, norebind = 0;
241 struct all_addr *addrp = NULL;
242 unsigned int flags = 0;
243 struct server *start = NULL;
244 #ifdef HAVE_DNSSEC
245 void *hash = hash_questions(header, plen, daemon->namebuff);
246 #else
247 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
248 void *hash = &crc;
249 #endif
250 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
251
252 /* RFC 4035: sect 4.6 para 2 */
253 header->hb4 &= ~HB4_AD;
254
255 /* may be no servers available. */
256 if (!daemon->servers)
257 forward = NULL;
258 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
259 {
260 #ifdef HAVE_DNSSEC
261 /* If we've already got an answer to this query, but we're awaiting keys for vaildation,
262 there's no point retrying the query, retry the key query instead...... */
263 if (forward->blocking_query)
264 {
265 int fd;
266
267 while (forward->blocking_query)
268 forward = forward->blocking_query;
269
270 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
271 plen = forward->stash_len;
272
273 if (forward->sentto->addr.sa.sa_family)
274 log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
275 #ifdef HAVE_IPV6
276 else
277 log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
278 #endif
279
280 if (forward->sentto->sfd)
281 fd = forward->sentto->sfd->fd;
282 else
283 {
284 #ifdef HAVE_IPV6
285 if (forward->sentto->addr.sa.sa_family == AF_INET6)
286 fd = forward->rfd6->fd;
287 else
288 #endif
289 fd = forward->rfd4->fd;
290 }
291
292 while (sendto(fd, (char *)header, plen, 0,
293 &forward->sentto->addr.sa,
294 sa_len(&forward->sentto->addr)) == -1 && retry_send());
295
296 return 1;
297 }
298 #endif
299
300 /* retry on existing query, send to all available servers */
301 domain = forward->sentto->domain;
302 forward->sentto->failed_queries++;
303 if (!option_bool(OPT_ORDER))
304 {
305 forward->forwardall = 1;
306 daemon->last_server = NULL;
307 }
308 type = forward->sentto->flags & SERV_TYPE;
309 if (!(start = forward->sentto->next))
310 start = daemon->servers; /* at end of list, recycle */
311 header->id = htons(forward->new_id);
312 }
313 else
314 {
315 if (gotname)
316 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
317
318 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
319 /* table full - server failure. */
320 flags = F_NEG;
321
322 if (forward)
323 {
324 forward->source = *udpaddr;
325 forward->dest = *dst_addr;
326 forward->iface = dst_iface;
327 forward->orig_id = ntohs(header->id);
328 forward->new_id = get_id();
329 forward->fd = udpfd;
330 memcpy(forward->hash, hash, HASH_SIZE);
331 forward->forwardall = 0;
332 forward->flags = 0;
333 if (norebind)
334 forward->flags |= FREC_NOREBIND;
335 if (header->hb4 & HB4_CD)
336 forward->flags |= FREC_CHECKING_DISABLED;
337
338 header->id = htons(forward->new_id);
339
340 /* In strict_order mode, always try servers in the order
341 specified in resolv.conf, if a domain is given
342 always try all the available servers,
343 otherwise, use the one last known to work. */
344
345 if (type == 0)
346 {
347 if (option_bool(OPT_ORDER))
348 start = daemon->servers;
349 else if (!(start = daemon->last_server) ||
350 daemon->forwardcount++ > FORWARD_TEST ||
351 difftime(now, daemon->forwardtime) > FORWARD_TIME)
352 {
353 start = daemon->servers;
354 forward->forwardall = 1;
355 daemon->forwardcount = 0;
356 daemon->forwardtime = now;
357 }
358 }
359 else
360 {
361 start = daemon->servers;
362 if (!option_bool(OPT_ORDER))
363 forward->forwardall = 1;
364 }
365 }
366 }
367
368 /* check for send errors here (no route to host)
369 if we fail to send to all nameservers, send back an error
370 packet straight away (helps modem users when offline) */
371
372 if (!flags && forward)
373 {
374 struct server *firstsentto = start;
375 int forwarded = 0;
376
377 if (option_bool(OPT_ADD_MAC))
378 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
379
380 if (option_bool(OPT_CLIENT_SUBNET))
381 {
382 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
383 if (new != plen)
384 {
385 plen = new;
386 forward->flags |= FREC_HAS_SUBNET;
387 }
388 }
389
390 #ifdef HAVE_DNSSEC
391 if (option_bool(OPT_DNSSEC_VALID))
392 {
393 plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
394 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
395 this allows it to select auth servers when one is returning bad data. */
396 if (option_bool(OPT_DNSSEC_DEBUG))
397 header->hb4 |= HB4_CD;
398 }
399 #endif
400
401 while (1)
402 {
403 /* only send to servers dealing with our domain.
404 domain may be NULL, in which case server->domain
405 must be NULL also. */
406
407 if (type == (start->flags & SERV_TYPE) &&
408 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
409 !(start->flags & SERV_LITERAL_ADDRESS))
410 {
411 int fd;
412
413 /* find server socket to use, may need to get random one. */
414 if (start->sfd)
415 fd = start->sfd->fd;
416 else
417 {
418 #ifdef HAVE_IPV6
419 if (start->addr.sa.sa_family == AF_INET6)
420 {
421 if (!forward->rfd6 &&
422 !(forward->rfd6 = allocate_rfd(AF_INET6)))
423 break;
424 daemon->rfd_save = forward->rfd6;
425 fd = forward->rfd6->fd;
426 }
427 else
428 #endif
429 {
430 if (!forward->rfd4 &&
431 !(forward->rfd4 = allocate_rfd(AF_INET)))
432 break;
433 daemon->rfd_save = forward->rfd4;
434 fd = forward->rfd4->fd;
435 }
436
437 #ifdef HAVE_CONNTRACK
438 /* Copy connection mark of incoming query to outgoing connection. */
439 if (option_bool(OPT_CONNTRACK))
440 {
441 unsigned int mark;
442 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
443 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
444 }
445 #endif
446 }
447
448 if (sendto(fd, (char *)header, plen, 0,
449 &start->addr.sa,
450 sa_len(&start->addr)) == -1)
451 {
452 if (retry_send())
453 continue;
454 }
455 else
456 {
457 /* Keep info in case we want to re-send this packet */
458 daemon->srv_save = start;
459 daemon->packet_len = plen;
460
461 if (!gotname)
462 strcpy(daemon->namebuff, "query");
463 if (start->addr.sa.sa_family == AF_INET)
464 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
465 (struct all_addr *)&start->addr.in.sin_addr, NULL);
466 #ifdef HAVE_IPV6
467 else
468 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
469 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
470 #endif
471 start->queries++;
472 forwarded = 1;
473 forward->sentto = start;
474 if (!forward->forwardall)
475 break;
476 forward->forwardall++;
477 }
478 }
479
480 if (!(start = start->next))
481 start = daemon->servers;
482
483 if (start == firstsentto)
484 break;
485 }
486
487 if (forwarded)
488 return 1;
489
490 /* could not send on, prepare to return */
491 header->id = htons(forward->orig_id);
492 free_frec(forward); /* cancel */
493 }
494
495 /* could not send on, return empty answer or address if known for whole domain */
496 if (udpfd != -1)
497 {
498 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
499 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
500 }
501
502 return 0;
503 }
504
505 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
506 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
507 {
508 unsigned char *pheader, *sizep;
509 char **sets = 0;
510 int munged = 0, is_sign;
511 size_t plen;
512
513 #ifdef HAVE_IPSET
514 /* Similar algorithm to search_servers. */
515 struct ipsets *ipset_pos;
516 unsigned int namelen = strlen(daemon->namebuff);
517 unsigned int matchlen = 0;
518 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
519 {
520 unsigned int domainlen = strlen(ipset_pos->domain);
521 char *matchstart = daemon->namebuff + namelen - domainlen;
522 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
523 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
524 domainlen >= matchlen)
525 {
526 matchlen = domainlen;
527 sets = ipset_pos->sets;
528 }
529 }
530 #endif
531
532 /* If upstream is advertising a larger UDP packet size
533 than we allow, trim it so that we don't get overlarge
534 requests for the client. We can't do this for signed packets. */
535
536 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
537 {
538 if (!is_sign)
539 {
540 unsigned short udpsz;
541 unsigned char *psave = sizep;
542
543 GETSHORT(udpsz, sizep);
544 if (udpsz > daemon->edns_pktsz)
545 PUTSHORT(daemon->edns_pktsz, psave);
546 }
547
548 if (check_subnet && !check_source(header, plen, pheader, query_source))
549 {
550 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
551 return 0;
552 }
553 }
554
555 /* RFC 4035 sect 4.6 para 3 */
556 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
557 header->hb4 &= ~HB4_AD;
558
559 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
560 return n;
561
562 /* Complain loudly if the upstream server is non-recursive. */
563 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
564 server && !(server->flags & SERV_WARNED_RECURSIVE))
565 {
566 prettyprint_addr(&server->addr, daemon->namebuff);
567 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
568 if (!option_bool(OPT_LOG))
569 server->flags |= SERV_WARNED_RECURSIVE;
570 }
571
572 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
573 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
574 {
575 munged = 1;
576 SET_RCODE(header, NXDOMAIN);
577 header->hb3 &= ~HB3_AA;
578 cache_secure = 0;
579 }
580 else
581 {
582 int doctored = 0;
583
584 if (RCODE(header) == NXDOMAIN &&
585 extract_request(header, n, daemon->namebuff, NULL) &&
586 check_for_local_domain(daemon->namebuff, now))
587 {
588 /* if we forwarded a query for a locally known name (because it was for
589 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
590 since we know that the domain exists, even if upstream doesn't */
591 munged = 1;
592 header->hb3 |= HB3_AA;
593 SET_RCODE(header, NOERROR);
594 cache_secure = 0;
595 }
596
597 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
598 {
599 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
600 munged = 1;
601 cache_secure = 0;
602 }
603
604 if (doctored)
605 cache_secure = 0;
606 }
607
608 #ifdef HAVE_DNSSEC
609 if (no_cache && !(header->hb4 & HB4_CD))
610 {
611 if (!option_bool(OPT_DNSSEC_DEBUG))
612 {
613 /* Bogus reply, turn into SERVFAIL */
614 SET_RCODE(header, SERVFAIL);
615 munged = 1;
616 }
617 }
618
619 if (option_bool(OPT_DNSSEC_VALID))
620 header->hb4 &= ~HB4_AD;
621
622 if (!(header->hb4 & HB4_CD) && cache_secure)
623 header->hb4 |= HB4_AD;
624 #endif
625
626 /* do this after extract_addresses. Ensure NODATA reply and remove
627 nameserver info. */
628
629 if (munged)
630 {
631 header->ancount = htons(0);
632 header->nscount = htons(0);
633 header->arcount = htons(0);
634 }
635
636 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
637 sections of the packet. Find the new length here and put back pseudoheader
638 if it was removed. */
639 return resize_packet(header, n, pheader, plen);
640 }
641
642 /* sets new last_server */
643 void reply_query(int fd, int family, time_t now)
644 {
645 /* packet from peer server, extract data for cache, and send to
646 original requester */
647 struct dns_header *header;
648 union mysockaddr serveraddr;
649 struct frec *forward;
650 socklen_t addrlen = sizeof(serveraddr);
651 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
652 size_t nn;
653 struct server *server;
654 void *hash;
655 #ifndef HAVE_DNSSEC
656 unsigned int crc;
657 #endif
658
659 /* packet buffer overwritten */
660 daemon->srv_save = NULL;
661
662 /* Determine the address of the server replying so that we can mark that as good */
663 serveraddr.sa.sa_family = family;
664 #ifdef HAVE_IPV6
665 if (serveraddr.sa.sa_family == AF_INET6)
666 serveraddr.in6.sin6_flowinfo = 0;
667 #endif
668
669 /* spoof check: answer must come from known server, */
670 for (server = daemon->servers; server; server = server->next)
671 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
672 sockaddr_isequal(&server->addr, &serveraddr))
673 break;
674
675 header = (struct dns_header *)daemon->packet;
676
677 #ifdef HAVE_DNSSEC
678 hash = hash_questions(header, n, daemon->namebuff);
679 #else
680 hash = &crc;
681 crc = questions_crc(header, n, daemon->namebuff);
682 #endif
683
684 if (!server ||
685 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
686 !(forward = lookup_frec(ntohs(header->id), hash)))
687 return;
688
689 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
690 !option_bool(OPT_ORDER) &&
691 forward->forwardall == 0)
692 /* for broken servers, attempt to send to another one. */
693 {
694 unsigned char *pheader;
695 size_t plen;
696 int is_sign;
697
698 /* recreate query from reply */
699 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
700 if (!is_sign)
701 {
702 header->ancount = htons(0);
703 header->nscount = htons(0);
704 header->arcount = htons(0);
705 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
706 {
707 header->hb3 &= ~(HB3_QR | HB3_TC);
708 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
709 return;
710 }
711 }
712 }
713
714 server = forward->sentto;
715
716 if ((forward->sentto->flags & SERV_TYPE) == 0)
717 {
718 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
719 server = NULL;
720 else
721 {
722 struct server *last_server;
723
724 /* find good server by address if possible, otherwise assume the last one we sent to */
725 for (last_server = daemon->servers; last_server; last_server = last_server->next)
726 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
727 sockaddr_isequal(&last_server->addr, &serveraddr))
728 {
729 server = last_server;
730 break;
731 }
732 }
733 if (!option_bool(OPT_ALL_SERVERS))
734 daemon->last_server = server;
735 }
736
737 /* If the answer is an error, keep the forward record in place in case
738 we get a good reply from another server. Kill it when we've
739 had replies from all to avoid filling the forwarding table when
740 everything is broken */
741 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
742 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
743 {
744 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
745
746 if (option_bool(OPT_NO_REBIND))
747 check_rebind = !(forward->flags & FREC_NOREBIND);
748
749 /* Don't cache replies where DNSSEC validation was turned off, either
750 the upstream server told us so, or the original query specified it. */
751 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
752 no_cache_dnssec = 1;
753
754 #ifdef HAVE_DNSSEC
755 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
756 {
757 int status;
758
759 /* We've had a reply already, which we're validating. Ignore this duplicate */
760 if (forward->blocking_query)
761 return;
762
763 if (header->hb3 & HB3_TC)
764 {
765 /* Truncated answer can't be validated.
766 If this is an answer to a DNSSEC-generated query, we still
767 need to get the client to retry over TCP, so return
768 an answer with the TC bit set, even if the actual answer fits.
769 */
770 status = STAT_TRUNCATED;
771 }
772 else if (forward->flags & FREC_DNSKEY_QUERY)
773 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
774 else if (forward->flags & FREC_DS_QUERY)
775 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
776 else
777 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
778
779 /* Can't validate, as we're missing key data. Put this
780 answer aside, whilst we get that. */
781 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
782 {
783 struct frec *new;
784
785 if ((new = get_new_frec(now, NULL, 1)))
786 {
787 struct frec *next = new->next;
788 *new = *forward; /* copy everything, then overwrite */
789 new->next = next;
790 new->blocking_query = NULL;
791 new->rfd4 = NULL;
792 #ifdef HAVE_IPV6
793 new->rfd6 = NULL;
794 #endif
795 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
796
797 /* Free any saved query */
798 if (forward->stash)
799 blockdata_free(forward->stash);
800
801 /* Now save reply pending receipt of key data */
802 if (!(forward->stash = blockdata_alloc((char *)header, n)))
803 free_frec(new); /* malloc failure, unwind */
804 else
805 {
806 int fd;
807
808 forward->stash_len = n;
809
810 new->dependent = forward; /* to find query awaiting new one. */
811 forward->blocking_query = new; /* for garbage cleaning */
812 /* validate routines leave name of required record in daemon->keyname */
813 if (status == STAT_NEED_KEY)
814 {
815 new->flags |= FREC_DNSKEY_QUERY;
816 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
817 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
818 }
819 else
820 {
821 new->flags |= FREC_DS_QUERY;
822 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
823 daemon->keyname, forward->class, T_DS, &server->addr);
824 }
825 if ((hash = hash_questions(header, nn, daemon->namebuff)))
826 memcpy(new->hash, hash, HASH_SIZE);
827 new->new_id = get_id();
828 header->id = htons(new->new_id);
829 /* Save query for retransmission */
830 new->stash = blockdata_alloc((char *)header, nn);
831 new->stash_len = nn;
832
833 /* Don't resend this. */
834 daemon->srv_save = NULL;
835
836 if (server->sfd)
837 fd = server->sfd->fd;
838 else
839 {
840 fd = -1;
841 #ifdef HAVE_IPV6
842 if (server->addr.sa.sa_family == AF_INET6)
843 {
844 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
845 fd = new->rfd6->fd;
846 }
847 else
848 #endif
849 {
850 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
851 fd = new->rfd4->fd;
852 }
853 }
854
855 if (fd != -1)
856 {
857 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
858 server->queries++;
859 }
860 }
861 }
862
863 return;
864 }
865
866 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
867 Now wind back down, pulling back answers which wouldn't previously validate
868 and validate them with the new data. Failure to find needed data here is an internal error.
869 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
870 return it to the original requestor. */
871 while (forward->dependent)
872 {
873 struct frec *prev = forward->dependent;
874 free_frec(forward);
875 forward = prev;
876 forward->blocking_query = NULL; /* already gone */
877 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
878 n = forward->stash_len;
879
880 if (status == STAT_SECURE)
881 {
882 if (forward->flags & FREC_DNSKEY_QUERY)
883 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
884 else if (forward->flags & FREC_DS_QUERY)
885 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
886 else
887 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
888
889 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
890 {
891 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
892 status = STAT_INSECURE;
893 }
894 }
895 }
896
897 if (status == STAT_TRUNCATED)
898 header->hb3 |= HB3_TC;
899 else
900 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
901 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
902
903 no_cache_dnssec = 0;
904
905 if (status == STAT_SECURE)
906 cache_secure = 1;
907 else if (status == STAT_BOGUS)
908 no_cache_dnssec = 1;
909
910 /* restore CD bit to the value in the query */
911 if (forward->flags & FREC_CHECKING_DISABLED)
912 header->hb4 |= HB4_CD;
913 else
914 header->hb4 &= ~HB4_CD;
915 }
916 #endif
917
918 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
919 forward->flags & FREC_HAS_SUBNET, &forward->source)))
920 {
921 header->id = htons(forward->orig_id);
922 header->hb4 |= HB4_RA; /* recursion if available */
923 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
924 &forward->source, &forward->dest, forward->iface);
925 }
926 free_frec(forward); /* cancel */
927 }
928 }
929
930
931 void receive_query(struct listener *listen, time_t now)
932 {
933 struct dns_header *header = (struct dns_header *)daemon->packet;
934 union mysockaddr source_addr;
935 unsigned short type;
936 struct all_addr dst_addr;
937 struct in_addr netmask, dst_addr_4;
938 size_t m;
939 ssize_t n;
940 int if_index = 0, auth_dns = 0;
941 #ifdef HAVE_AUTH
942 int local_auth = 0;
943 #endif
944 struct iovec iov[1];
945 struct msghdr msg;
946 struct cmsghdr *cmptr;
947 union {
948 struct cmsghdr align; /* this ensures alignment */
949 #ifdef HAVE_IPV6
950 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
951 #endif
952 #if defined(HAVE_LINUX_NETWORK)
953 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
954 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
955 char control[CMSG_SPACE(sizeof(struct in_addr)) +
956 CMSG_SPACE(sizeof(unsigned int))];
957 #elif defined(IP_RECVDSTADDR)
958 char control[CMSG_SPACE(sizeof(struct in_addr)) +
959 CMSG_SPACE(sizeof(struct sockaddr_dl))];
960 #endif
961 } control_u;
962 #ifdef HAVE_IPV6
963 /* Can always get recvd interface for IPv6 */
964 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
965 #else
966 int check_dst = !option_bool(OPT_NOWILD);
967 #endif
968
969 /* packet buffer overwritten */
970 daemon->srv_save = NULL;
971
972 dst_addr_4.s_addr = 0;
973 netmask.s_addr = 0;
974
975 if (option_bool(OPT_NOWILD) && listen->iface)
976 {
977 auth_dns = listen->iface->dns_auth;
978
979 if (listen->family == AF_INET)
980 {
981 dst_addr_4 = listen->iface->addr.in.sin_addr;
982 netmask = listen->iface->netmask;
983 }
984 }
985
986 iov[0].iov_base = daemon->packet;
987 iov[0].iov_len = daemon->edns_pktsz;
988
989 msg.msg_control = control_u.control;
990 msg.msg_controllen = sizeof(control_u);
991 msg.msg_flags = 0;
992 msg.msg_name = &source_addr;
993 msg.msg_namelen = sizeof(source_addr);
994 msg.msg_iov = iov;
995 msg.msg_iovlen = 1;
996
997 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
998 return;
999
1000 if (n < (int)sizeof(struct dns_header) ||
1001 (msg.msg_flags & MSG_TRUNC) ||
1002 (header->hb3 & HB3_QR))
1003 return;
1004
1005 source_addr.sa.sa_family = listen->family;
1006 #ifdef HAVE_IPV6
1007 if (listen->family == AF_INET6)
1008 source_addr.in6.sin6_flowinfo = 0;
1009 #endif
1010
1011 if (check_dst)
1012 {
1013 struct ifreq ifr;
1014
1015 if (msg.msg_controllen < sizeof(struct cmsghdr))
1016 return;
1017
1018 #if defined(HAVE_LINUX_NETWORK)
1019 if (listen->family == AF_INET)
1020 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1021 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1022 {
1023 union {
1024 unsigned char *c;
1025 struct in_pktinfo *p;
1026 } p;
1027 p.c = CMSG_DATA(cmptr);
1028 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1029 if_index = p.p->ipi_ifindex;
1030 }
1031 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1032 if (listen->family == AF_INET)
1033 {
1034 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1035 {
1036 union {
1037 unsigned char *c;
1038 unsigned int *i;
1039 struct in_addr *a;
1040 #ifndef HAVE_SOLARIS_NETWORK
1041 struct sockaddr_dl *s;
1042 #endif
1043 } p;
1044 p.c = CMSG_DATA(cmptr);
1045 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1046 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1047 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
1048 #ifdef HAVE_SOLARIS_NETWORK
1049 if_index = *(p.i);
1050 #else
1051 if_index = p.s->sdl_index;
1052 #endif
1053 }
1054 }
1055 #endif
1056
1057 #ifdef HAVE_IPV6
1058 if (listen->family == AF_INET6)
1059 {
1060 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1061 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1062 {
1063 union {
1064 unsigned char *c;
1065 struct in6_pktinfo *p;
1066 } p;
1067 p.c = CMSG_DATA(cmptr);
1068
1069 dst_addr.addr.addr6 = p.p->ipi6_addr;
1070 if_index = p.p->ipi6_ifindex;
1071 }
1072 }
1073 #endif
1074
1075 /* enforce available interface configuration */
1076
1077 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
1078 return;
1079
1080 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1081 {
1082 if (!option_bool(OPT_CLEVERBIND))
1083 enumerate_interfaces(0);
1084 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1085 !label_exception(if_index, listen->family, &dst_addr))
1086 return;
1087 }
1088
1089 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1090 {
1091 struct irec *iface;
1092
1093 /* get the netmask of the interface whch has the address we were sent to.
1094 This is no neccessarily the interface we arrived on. */
1095
1096 for (iface = daemon->interfaces; iface; iface = iface->next)
1097 if (iface->addr.sa.sa_family == AF_INET &&
1098 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1099 break;
1100
1101 /* interface may be new */
1102 if (!iface && !option_bool(OPT_CLEVERBIND))
1103 enumerate_interfaces(0);
1104
1105 for (iface = daemon->interfaces; iface; iface = iface->next)
1106 if (iface->addr.sa.sa_family == AF_INET &&
1107 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1108 break;
1109
1110 /* If we failed, abandon localisation */
1111 if (iface)
1112 netmask = iface->netmask;
1113 else
1114 dst_addr_4.s_addr = 0;
1115 }
1116 }
1117
1118 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1119 {
1120 #ifdef HAVE_AUTH
1121 struct auth_zone *zone;
1122 #endif
1123 char *types = querystr(auth_dns ? "auth" : "query", type);
1124
1125 if (listen->family == AF_INET)
1126 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1127 (struct all_addr *)&source_addr.in.sin_addr, types);
1128 #ifdef HAVE_IPV6
1129 else
1130 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1131 (struct all_addr *)&source_addr.in6.sin6_addr, types);
1132 #endif
1133
1134 #ifdef HAVE_AUTH
1135 /* find queries for zones we're authoritative for, and answer them directly */
1136 if (!auth_dns)
1137 for (zone = daemon->auth_zones; zone; zone = zone->next)
1138 if (in_zone(zone, daemon->namebuff, NULL))
1139 {
1140 auth_dns = 1;
1141 local_auth = 1;
1142 break;
1143 }
1144 #endif
1145 }
1146
1147 #ifdef HAVE_AUTH
1148 if (auth_dns)
1149 {
1150 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
1151 if (m >= 1)
1152 {
1153 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1154 (char *)header, m, &source_addr, &dst_addr, if_index);
1155 daemon->auth_answer++;
1156 }
1157 }
1158 else
1159 #endif
1160 {
1161 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1162 dst_addr_4, netmask, now);
1163
1164 if (m >= 1)
1165 {
1166 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1167 (char *)header, m, &source_addr, &dst_addr, if_index);
1168 daemon->local_answer++;
1169 }
1170 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1171 header, (size_t)n, now, NULL))
1172 daemon->queries_forwarded++;
1173 else
1174 daemon->local_answer++;
1175 }
1176 }
1177
1178 #ifdef HAVE_DNSSEC
1179 static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
1180 {
1181 /* Recurse up the key heirarchy */
1182 size_t n;
1183 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1184 unsigned char *payload = &packet[2];
1185 struct dns_header *header = (struct dns_header *)payload;
1186 u16 *length = (u16 *)packet;
1187 int new_status;
1188 unsigned char c1, c2;
1189
1190 n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class,
1191 status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1192
1193 *length = htons(n);
1194
1195 if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
1196 !read_write(server->tcpfd, &c1, 1, 1) ||
1197 !read_write(server->tcpfd, &c2, 1, 1) ||
1198 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1199 {
1200 close(server->tcpfd);
1201 server->tcpfd = -1;
1202 new_status = STAT_INSECURE;
1203 }
1204 else
1205 {
1206 n = (c1 << 8) | c2;
1207
1208 if (status == STAT_NEED_KEY)
1209 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1210 else
1211 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1212
1213 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1214 {
1215 if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
1216 {
1217 if (status == STAT_NEED_KEY)
1218 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1219 else
1220 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1221
1222 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1223 {
1224 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
1225 status = STAT_INSECURE;
1226 }
1227 }
1228 }
1229 }
1230
1231 free(packet);
1232
1233 return new_status;
1234 }
1235 #endif
1236
1237
1238 /* The daemon forks before calling this: it should deal with one connection,
1239 blocking as neccessary, and then return. Note, need to be a bit careful
1240 about resources for debug mode, when the fork is suppressed: that's
1241 done by the caller. */
1242 unsigned char *tcp_request(int confd, time_t now,
1243 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1244 {
1245 size_t size = 0;
1246 int norebind = 0;
1247 #ifdef HAVE_AUTH
1248 int local_auth = 0;
1249 #endif
1250 int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
1251 size_t m;
1252 unsigned short qtype;
1253 unsigned int gotname;
1254 unsigned char c1, c2;
1255 /* Max TCP packet + slop + size */
1256 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1257 unsigned char *payload = &packet[2];
1258 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1259 struct dns_header *header = (struct dns_header *)payload;
1260 u16 *length = (u16 *)packet;
1261 struct server *last_server;
1262 struct in_addr dst_addr_4;
1263 union mysockaddr peer_addr;
1264 socklen_t peer_len = sizeof(union mysockaddr);
1265
1266 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1267 return packet;
1268
1269 while (1)
1270 {
1271 if (!packet ||
1272 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1273 !(size = c1 << 8 | c2) ||
1274 !read_write(confd, payload, size, 1))
1275 return packet;
1276
1277 if (size < (int)sizeof(struct dns_header))
1278 continue;
1279
1280 check_subnet = 0;
1281
1282 /* save state of "cd" flag in query */
1283 if ((checking_disabled = header->hb4 & HB4_CD))
1284 no_cache_dnssec = 1;
1285
1286 /* RFC 4035: sect 4.6 para 2 */
1287 header->hb4 &= ~HB4_AD;
1288
1289 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1290 {
1291 #ifdef HAVE_AUTH
1292 struct auth_zone *zone;
1293 #endif
1294 char *types = querystr(auth_dns ? "auth" : "query", qtype);
1295
1296 if (peer_addr.sa.sa_family == AF_INET)
1297 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1298 (struct all_addr *)&peer_addr.in.sin_addr, types);
1299 #ifdef HAVE_IPV6
1300 else
1301 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1302 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1303 #endif
1304
1305 #ifdef HAVE_AUTH
1306 /* find queries for zones we're authoritative for, and answer them directly */
1307 if (!auth_dns)
1308 for (zone = daemon->auth_zones; zone; zone = zone->next)
1309 if (in_zone(zone, daemon->namebuff, NULL))
1310 {
1311 auth_dns = 1;
1312 local_auth = 1;
1313 break;
1314 }
1315 #endif
1316 }
1317
1318 if (local_addr->sa.sa_family == AF_INET)
1319 dst_addr_4 = local_addr->in.sin_addr;
1320 else
1321 dst_addr_4.s_addr = 0;
1322
1323 #ifdef HAVE_AUTH
1324 if (auth_dns)
1325 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1326 else
1327 #endif
1328 {
1329 /* m > 0 if answered from cache */
1330 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1331 dst_addr_4, netmask, now);
1332
1333 /* Do this by steam now we're not in the select() loop */
1334 check_log_writer(NULL);
1335
1336 if (m == 0)
1337 {
1338 unsigned int flags = 0;
1339 struct all_addr *addrp = NULL;
1340 int type = 0;
1341 char *domain = NULL;
1342
1343 if (option_bool(OPT_ADD_MAC))
1344 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1345
1346 if (option_bool(OPT_CLIENT_SUBNET))
1347 {
1348 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1349 if (size != new)
1350 {
1351 size = new;
1352 check_subnet = 1;
1353 }
1354 }
1355
1356 if (gotname)
1357 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1358
1359 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1360 last_server = daemon->servers;
1361 else
1362 last_server = daemon->last_server;
1363
1364 if (!flags && last_server)
1365 {
1366 struct server *firstsendto = NULL;
1367 #ifdef HAVE_DNSSEC
1368 unsigned char *newhash, hash[HASH_SIZE];
1369 if ((newhash = hash_questions(header, (unsigned int)size, daemon->keyname)))
1370 memcpy(hash, newhash, HASH_SIZE);
1371 #else
1372 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1373 #endif
1374 /* Loop round available servers until we succeed in connecting to one.
1375 Note that this code subtley ensures that consecutive queries on this connection
1376 which can go to the same server, do so. */
1377 while (1)
1378 {
1379 if (!firstsendto)
1380 firstsendto = last_server;
1381 else
1382 {
1383 if (!(last_server = last_server->next))
1384 last_server = daemon->servers;
1385
1386 if (last_server == firstsendto)
1387 break;
1388 }
1389
1390 /* server for wrong domain */
1391 if (type != (last_server->flags & SERV_TYPE) ||
1392 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
1393 continue;
1394
1395 if (last_server->tcpfd == -1)
1396 {
1397 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1398 continue;
1399
1400 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1401 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1402 {
1403 close(last_server->tcpfd);
1404 last_server->tcpfd = -1;
1405 continue;
1406 }
1407
1408 #ifdef HAVE_DNSSEC
1409 if (option_bool(OPT_DNSSEC_VALID))
1410 {
1411 size = add_do_bit(header, size, ((char *) header) + 65536);
1412 header->hb4 |= HB4_CD;
1413 }
1414 #endif
1415
1416 #ifdef HAVE_CONNTRACK
1417 /* Copy connection mark of incoming query to outgoing connection. */
1418 if (option_bool(OPT_CONNTRACK))
1419 {
1420 unsigned int mark;
1421 struct all_addr local;
1422 #ifdef HAVE_IPV6
1423 if (local_addr->sa.sa_family == AF_INET6)
1424 local.addr.addr6 = local_addr->in6.sin6_addr;
1425 else
1426 #endif
1427 local.addr.addr4 = local_addr->in.sin_addr;
1428
1429 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1430 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1431 }
1432 #endif
1433 }
1434
1435 *length = htons(size);
1436
1437 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1438 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1439 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1440 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
1441 {
1442 close(last_server->tcpfd);
1443 last_server->tcpfd = -1;
1444 continue;
1445 }
1446
1447 m = (c1 << 8) | c2;
1448
1449 if (!gotname)
1450 strcpy(daemon->namebuff, "query");
1451 if (last_server->addr.sa.sa_family == AF_INET)
1452 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1453 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1454 #ifdef HAVE_IPV6
1455 else
1456 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1457 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1458 #endif
1459
1460 #ifdef HAVE_DNSSEC
1461 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1462 {
1463 int class, status;
1464
1465 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1466
1467 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
1468 {
1469 if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
1470 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1471 }
1472
1473 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
1474 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1475
1476 if (status == STAT_BOGUS)
1477 no_cache_dnssec = 1;
1478
1479 if (status == STAT_SECURE)
1480 cache_secure = 1;
1481 }
1482 #endif
1483
1484 /* restore CD bit to the value in the query */
1485 if (checking_disabled)
1486 header->hb4 |= HB4_CD;
1487 else
1488 header->hb4 &= ~HB4_CD;
1489
1490 /* There's no point in updating the cache, since this process will exit and
1491 lose the information after a few queries. We make this call for the alias and
1492 bogus-nxdomain side-effects. */
1493 /* If the crc of the question section doesn't match the crc we sent, then
1494 someone might be attempting to insert bogus values into the cache by
1495 sending replies containing questions and bogus answers. */
1496 #ifdef HAVE_DNSSEC
1497 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
1498 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
1499 {
1500 m = 0;
1501 break;
1502 }
1503 #else
1504 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
1505 {
1506 m = 0;
1507 break;
1508 }
1509 #endif
1510
1511 m = process_reply(header, now, last_server, (unsigned int)m,
1512 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1513 cache_secure, check_subnet, &peer_addr);
1514
1515 break;
1516 }
1517 }
1518
1519 /* In case of local answer or no connections made. */
1520 if (m == 0)
1521 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1522 }
1523 }
1524
1525 check_log_writer(NULL);
1526
1527 *length = htons(m);
1528
1529 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
1530 return packet;
1531 }
1532 }
1533
1534 static struct frec *allocate_frec(time_t now)
1535 {
1536 struct frec *f;
1537
1538 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1539 {
1540 f->next = daemon->frec_list;
1541 f->time = now;
1542 f->sentto = NULL;
1543 f->rfd4 = NULL;
1544 f->flags = 0;
1545 #ifdef HAVE_IPV6
1546 f->rfd6 = NULL;
1547 #endif
1548 #ifdef HAVE_DNSSEC
1549 f->dependent = NULL;
1550 f->blocking_query = NULL;
1551 f->stash = NULL;
1552 #endif
1553 daemon->frec_list = f;
1554 }
1555
1556 return f;
1557 }
1558
1559 static struct randfd *allocate_rfd(int family)
1560 {
1561 static int finger = 0;
1562 int i;
1563
1564 /* limit the number of sockets we have open to avoid starvation of
1565 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1566
1567 for (i = 0; i < RANDOM_SOCKS; i++)
1568 if (daemon->randomsocks[i].refcount == 0)
1569 {
1570 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1571 break;
1572
1573 daemon->randomsocks[i].refcount = 1;
1574 daemon->randomsocks[i].family = family;
1575 return &daemon->randomsocks[i];
1576 }
1577
1578 /* No free ones or cannot get new socket, grab an existing one */
1579 for (i = 0; i < RANDOM_SOCKS; i++)
1580 {
1581 int j = (i+finger) % RANDOM_SOCKS;
1582 if (daemon->randomsocks[j].refcount != 0 &&
1583 daemon->randomsocks[j].family == family &&
1584 daemon->randomsocks[j].refcount != 0xffff)
1585 {
1586 finger = j;
1587 daemon->randomsocks[j].refcount++;
1588 return &daemon->randomsocks[j];
1589 }
1590 }
1591
1592 return NULL; /* doom */
1593 }
1594 static void free_frec(struct frec *f)
1595 {
1596 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1597 close(f->rfd4->fd);
1598
1599 f->rfd4 = NULL;
1600 f->sentto = NULL;
1601 f->flags = 0;
1602
1603 #ifdef HAVE_IPV6
1604 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1605 close(f->rfd6->fd);
1606
1607 f->rfd6 = NULL;
1608 #endif
1609
1610 #ifdef HAVE_DNSSEC
1611 if (f->stash)
1612 {
1613 blockdata_free(f->stash);
1614 f->stash = NULL;
1615 }
1616
1617 /* Anything we're waiting on is pointless now, too */
1618 if (f->blocking_query)
1619 free_frec(f->blocking_query);
1620 f->blocking_query = NULL;
1621 f->dependent = NULL;
1622 #endif
1623 }
1624
1625 /* if wait==NULL return a free or older than TIMEOUT record.
1626 else return *wait zero if one available, or *wait is delay to
1627 when the oldest in-use record will expire. Impose an absolute
1628 limit of 4*TIMEOUT before we wipe things (for random sockets).
1629 If force is set, always return a result, even if we have
1630 to allocate above the limit. */
1631 struct frec *get_new_frec(time_t now, int *wait, int force)
1632 {
1633 struct frec *f, *oldest, *target;
1634 int count;
1635
1636 if (wait)
1637 *wait = 0;
1638
1639 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
1640 if (!f->sentto)
1641 target = f;
1642 else
1643 {
1644 if (difftime(now, f->time) >= 4*TIMEOUT)
1645 {
1646 free_frec(f);
1647 target = f;
1648 }
1649
1650 if (!oldest || difftime(f->time, oldest->time) <= 0)
1651 oldest = f;
1652 }
1653
1654 if (target)
1655 {
1656 target->time = now;
1657 return target;
1658 }
1659
1660 /* can't find empty one, use oldest if there is one
1661 and it's older than timeout */
1662 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
1663 {
1664 /* keep stuff for twice timeout if we can by allocating a new
1665 record instead */
1666 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1667 count <= daemon->ftabsize &&
1668 (f = allocate_frec(now)))
1669 return f;
1670
1671 if (!wait)
1672 {
1673 free_frec(oldest);
1674 oldest->time = now;
1675 }
1676 return oldest;
1677 }
1678
1679 /* none available, calculate time 'till oldest record expires */
1680 if (!force && count > daemon->ftabsize)
1681 {
1682 static time_t last_log = 0;
1683
1684 if (oldest && wait)
1685 *wait = oldest->time + (time_t)TIMEOUT - now;
1686
1687 if ((int)difftime(now, last_log) > 5)
1688 {
1689 last_log = now;
1690 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1691 }
1692
1693 return NULL;
1694 }
1695
1696 if (!(f = allocate_frec(now)) && wait)
1697 /* wait one second on malloc failure */
1698 *wait = 1;
1699
1700 return f; /* OK if malloc fails and this is NULL */
1701 }
1702
1703 /* crc is all-ones if not known. */
1704 static struct frec *lookup_frec(unsigned short id, void *hash)
1705 {
1706 struct frec *f;
1707
1708 for(f = daemon->frec_list; f; f = f->next)
1709 if (f->sentto && f->new_id == id &&
1710 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
1711 return f;
1712
1713 return NULL;
1714 }
1715
1716 static struct frec *lookup_frec_by_sender(unsigned short id,
1717 union mysockaddr *addr,
1718 void *hash)
1719 {
1720 struct frec *f;
1721
1722 for(f = daemon->frec_list; f; f = f->next)
1723 if (f->sentto &&
1724 f->orig_id == id &&
1725 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
1726 sockaddr_isequal(&f->source, addr))
1727 return f;
1728
1729 return NULL;
1730 }
1731
1732 /* A server record is going away, remove references to it */
1733 void server_gone(struct server *server)
1734 {
1735 struct frec *f;
1736
1737 for (f = daemon->frec_list; f; f = f->next)
1738 if (f->sentto && f->sentto == server)
1739 free_frec(f);
1740
1741 if (daemon->last_server == server)
1742 daemon->last_server = NULL;
1743
1744 if (daemon->srv_save == server)
1745 daemon->srv_save = NULL;
1746 }
1747
1748 /* return unique random ids. */
1749 static unsigned short get_id(void)
1750 {
1751 unsigned short ret = 0;
1752
1753 do
1754 ret = rand16();
1755 while (lookup_frec(ret, NULL));
1756
1757 return ret;
1758 }
1759
1760
1761
1762
1763
Michael's tree of dnsmasq.