]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(unsigned int crc
);
24 static void free_frec(struct frec
*f
);
25 static struct randfd
*allocate_rfd(int family
);
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
30 union mysockaddr
*to
, struct all_addr
*source
,
36 struct cmsghdr align
; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
39 #elif defined(IP_SENDSRCADDR)
40 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
43 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
47 iov
[0].iov_base
= packet
;
50 msg
.msg_control
= NULL
;
51 msg
.msg_controllen
= 0;
54 msg
.msg_namelen
= sa_len(to
);
60 struct cmsghdr
*cmptr
;
61 msg
.msg_control
= &control_u
;
62 msg
.msg_controllen
= sizeof(control_u
);
63 cmptr
= CMSG_FIRSTHDR(&msg
);
65 if (to
->sa
.sa_family
== AF_INET
)
67 #if defined(HAVE_LINUX_NETWORK)
70 p
.ipi_spec_dst
= source
->addr
.addr4
;
71 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
72 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
73 cmptr
->cmsg_level
= IPPROTO_IP
;
74 cmptr
->cmsg_type
= IP_PKTINFO
;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
77 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
78 cmptr
->cmsg_level
= IPPROTO_IP
;
79 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
86 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
87 p
.ipi6_addr
= source
->addr
.addr6
;
88 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
89 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
90 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
91 cmptr
->cmsg_level
= IPPROTO_IPV6
;
94 (void)iface
; /* eliminate warning */
98 while (sendmsg(fd
, &msg
, 0) == -1)
103 /* If interface is still in DAD, EINVAL results - ignore that. */
107 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
114 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
115 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
122 unsigned int namelen
= strlen(qdomain
);
123 unsigned int matchlen
= 0;
125 unsigned int flags
= 0;
127 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
131 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
132 *type
= SERV_FOR_NODOTS
;
133 if (serv
->flags
& SERV_NO_ADDR
)
135 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
140 if (serv
->addr
.sa
.sa_family
== AF_INET
)
141 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
144 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
147 else if (!flags
|| (flags
& F_NXDOMAIN
))
151 else if (serv
->flags
& SERV_HAS_DOMAIN
)
153 unsigned int domainlen
= strlen(serv
->domain
);
154 char *matchstart
= qdomain
+ namelen
- domainlen
;
155 if (namelen
>= domainlen
&&
156 hostname_isequal(matchstart
, serv
->domain
) &&
157 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
159 if (serv
->flags
& SERV_NO_REBIND
)
163 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen
!= 0 && domainlen
== matchlen
)
169 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
171 if (!(sflag
& qtype
) && flags
== 0)
176 if (flags
& (F_IPV4
| F_IPV6
))
181 if (domainlen
>= matchlen
)
183 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
184 *domain
= serv
->domain
;
185 matchlen
= domainlen
;
186 if (serv
->flags
& SERV_NO_ADDR
)
188 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
193 if (serv
->addr
.sa
.sa_family
== AF_INET
)
194 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
197 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
200 else if (!flags
|| (flags
& F_NXDOMAIN
))
210 if (flags
== 0 && !(qtype
& F_QUERY
) &&
211 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
215 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
222 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
223 logflags
= F_NEG
| qtype
;
225 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
227 else if ((*type
) & SERV_USE_RESOLV
)
229 *type
= 0; /* use normal servers for this domain */
235 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
236 struct all_addr
*dst_addr
, unsigned int dst_iface
,
237 struct dns_header
*header
, size_t plen
, time_t now
, struct frec
*forward
)
240 int type
= 0, norebind
= 0;
241 struct all_addr
*addrp
= NULL
;
242 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
243 unsigned int flags
= 0;
244 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
245 struct server
*start
= NULL
;
247 /* RFC 4035: sect 4.6 para 2 */
248 header
->hb4
&= ~HB4_AD
;
250 /* may be no servers available. */
251 if (!daemon
->servers
)
253 else if (forward
|| (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, crc
)))
256 /* If we've already got an answer to this query, but we're awaiting keys for vaildation,
257 there's no point retrying the query, retry the key query instead...... */
258 if (forward
->blocking_query
)
262 while (forward
->blocking_query
)
263 forward
= forward
->blocking_query
;
265 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
266 plen
= forward
->stash_len
;
268 if (forward
->sentto
->addr
.sa
.sa_family
)
269 log_query(F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
272 log_query(F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
275 if (forward
->sentto
->sfd
)
276 fd
= forward
->sentto
->sfd
->fd
;
280 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
281 fd
= forward
->rfd6
->fd
;
284 fd
= forward
->rfd4
->fd
;
287 while (sendto(fd
, (char *)header
, plen
, 0,
288 &forward
->sentto
->addr
.sa
,
289 sa_len(&forward
->sentto
->addr
)) == -1 && retry_send());
295 /* retry on existing query, send to all available servers */
296 domain
= forward
->sentto
->domain
;
297 forward
->sentto
->failed_queries
++;
298 if (!option_bool(OPT_ORDER
))
300 forward
->forwardall
= 1;
301 daemon
->last_server
= NULL
;
303 type
= forward
->sentto
->flags
& SERV_TYPE
;
304 if (!(start
= forward
->sentto
->next
))
305 start
= daemon
->servers
; /* at end of list, recycle */
306 header
->id
= htons(forward
->new_id
);
311 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
313 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
314 /* table full - server failure. */
319 forward
->source
= *udpaddr
;
320 forward
->dest
= *dst_addr
;
321 forward
->iface
= dst_iface
;
322 forward
->orig_id
= ntohs(header
->id
);
323 forward
->new_id
= get_id(crc
);
326 forward
->forwardall
= 0;
329 forward
->flags
|= FREC_NOREBIND
;
330 if (header
->hb4
& HB4_CD
)
331 forward
->flags
|= FREC_CHECKING_DISABLED
;
333 header
->id
= htons(forward
->new_id
);
335 /* In strict_order mode, always try servers in the order
336 specified in resolv.conf, if a domain is given
337 always try all the available servers,
338 otherwise, use the one last known to work. */
342 if (option_bool(OPT_ORDER
))
343 start
= daemon
->servers
;
344 else if (!(start
= daemon
->last_server
) ||
345 daemon
->forwardcount
++ > FORWARD_TEST
||
346 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
348 start
= daemon
->servers
;
349 forward
->forwardall
= 1;
350 daemon
->forwardcount
= 0;
351 daemon
->forwardtime
= now
;
356 start
= daemon
->servers
;
357 if (!option_bool(OPT_ORDER
))
358 forward
->forwardall
= 1;
363 /* check for send errors here (no route to host)
364 if we fail to send to all nameservers, send back an error
365 packet straight away (helps modem users when offline) */
367 if (!flags
&& forward
)
369 struct server
*firstsentto
= start
;
372 if (option_bool(OPT_ADD_MAC
))
373 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
375 if (option_bool(OPT_CLIENT_SUBNET
))
377 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
381 forward
->flags
|= FREC_HAS_SUBNET
;
386 if (option_bool(OPT_DNSSEC_VALID
))
388 plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
389 header
->hb4
|= HB4_CD
;
395 /* only send to servers dealing with our domain.
396 domain may be NULL, in which case server->domain
397 must be NULL also. */
399 if (type
== (start
->flags
& SERV_TYPE
) &&
400 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
401 !(start
->flags
& SERV_LITERAL_ADDRESS
))
405 /* find server socket to use, may need to get random one. */
411 if (start
->addr
.sa
.sa_family
== AF_INET6
)
413 if (!forward
->rfd6
&&
414 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
416 daemon
->rfd_save
= forward
->rfd6
;
417 fd
= forward
->rfd6
->fd
;
422 if (!forward
->rfd4
&&
423 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
425 daemon
->rfd_save
= forward
->rfd4
;
426 fd
= forward
->rfd4
->fd
;
429 #ifdef HAVE_CONNTRACK
430 /* Copy connection mark of incoming query to outgoing connection. */
431 if (option_bool(OPT_CONNTRACK
))
434 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
435 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
440 if (sendto(fd
, (char *)header
, plen
, 0,
442 sa_len(&start
->addr
)) == -1)
449 /* Keep info in case we want to re-send this packet */
450 daemon
->srv_save
= start
;
451 daemon
->packet_len
= plen
;
454 strcpy(daemon
->namebuff
, "query");
455 if (start
->addr
.sa
.sa_family
== AF_INET
)
456 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
457 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
460 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
461 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
465 forward
->sentto
= start
;
466 if (!forward
->forwardall
)
468 forward
->forwardall
++;
472 if (!(start
= start
->next
))
473 start
= daemon
->servers
;
475 if (start
== firstsentto
)
482 /* could not send on, prepare to return */
483 header
->id
= htons(forward
->orig_id
);
484 free_frec(forward
); /* cancel */
487 /* could not send on, return empty answer or address if known for whole domain */
490 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
491 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
497 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
498 int no_cache
, int cache_secure
, int check_subnet
, union mysockaddr
*query_source
)
500 unsigned char *pheader
, *sizep
;
502 int munged
= 0, is_sign
;
506 /* Similar algorithm to search_servers. */
507 struct ipsets
*ipset_pos
;
508 unsigned int namelen
= strlen(daemon
->namebuff
);
509 unsigned int matchlen
= 0;
510 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
512 unsigned int domainlen
= strlen(ipset_pos
->domain
);
513 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
514 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
515 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
516 domainlen
>= matchlen
)
518 matchlen
= domainlen
;
519 sets
= ipset_pos
->sets
;
524 /* If upstream is advertising a larger UDP packet size
525 than we allow, trim it so that we don't get overlarge
526 requests for the client. We can't do this for signed packets. */
528 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
532 unsigned short udpsz
;
533 unsigned char *psave
= sizep
;
535 GETSHORT(udpsz
, sizep
);
536 if (udpsz
> daemon
->edns_pktsz
)
537 PUTSHORT(daemon
->edns_pktsz
, psave
);
540 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
542 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
547 /* RFC 4035 sect 4.6 para 3 */
548 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
549 header
->hb4
&= ~HB4_AD
;
552 if (option_bool(OPT_DNSSEC_VALID
))
553 header
->hb4
&= ~HB4_AD
;
555 if (!(header
->hb4
& HB4_CD
) && cache_secure
)
556 header
->hb4
|= HB4_AD
;
559 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
562 /* Complain loudly if the upstream server is non-recursive. */
563 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
564 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
566 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
567 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
568 if (!option_bool(OPT_LOG
))
569 server
->flags
|= SERV_WARNED_RECURSIVE
;
572 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
573 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
576 SET_RCODE(header
, NXDOMAIN
);
577 header
->hb3
&= ~HB3_AA
;
581 if (RCODE(header
) == NXDOMAIN
&&
582 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
583 check_for_local_domain(daemon
->namebuff
, now
))
585 /* if we forwarded a query for a locally known name (because it was for
586 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
587 since we know that the domain exists, even if upstream doesn't */
589 header
->hb3
|= HB3_AA
;
590 SET_RCODE(header
, NOERROR
);
593 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
))
595 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
601 if (no_cache
&& !(header
->hb4
& HB4_CD
))
603 if (option_bool(OPT_DNSSEC_PERMISS
))
608 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
610 querystr("", types
, type
);
611 my_syslog(LOG_WARNING
, _("DNSSEC validation failed: query %s%s"), daemon
->namebuff
, types
);
614 my_syslog(LOG_WARNING
, _("DNSSEC validation failed for unknown query"));
618 /* Bogus reply, turn into SERVFAIL */
619 SET_RCODE(header
, SERVFAIL
);
625 /* do this after extract_addresses. Ensure NODATA reply and remove
630 header
->ancount
= htons(0);
631 header
->nscount
= htons(0);
632 header
->arcount
= htons(0);
635 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
636 sections of the packet. Find the new length here and put back pseudoheader
637 if it was removed. */
638 return resize_packet(header
, n
, pheader
, plen
);
641 /* sets new last_server */
642 void reply_query(int fd
, int family
, time_t now
)
644 /* packet from peer server, extract data for cache, and send to
645 original requester */
646 struct dns_header
*header
;
647 union mysockaddr serveraddr
;
648 struct frec
*forward
;
649 socklen_t addrlen
= sizeof(serveraddr
);
650 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
652 struct server
*server
;
654 /* packet buffer overwritten */
655 daemon
->srv_save
= NULL
;
657 /* Determine the address of the server replying so that we can mark that as good */
658 serveraddr
.sa
.sa_family
= family
;
660 if (serveraddr
.sa
.sa_family
== AF_INET6
)
661 serveraddr
.in6
.sin6_flowinfo
= 0;
664 /* spoof check: answer must come from known server, */
665 for (server
= daemon
->servers
; server
; server
= server
->next
)
666 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
667 sockaddr_isequal(&server
->addr
, &serveraddr
))
670 header
= (struct dns_header
*)daemon
->packet
;
673 n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
) ||
674 !(forward
= lookup_frec(ntohs(header
->id
), questions_crc(header
, n
, daemon
->namebuff
))))
677 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
678 !option_bool(OPT_ORDER
) &&
679 forward
->forwardall
== 0)
680 /* for broken servers, attempt to send to another one. */
682 unsigned char *pheader
;
686 /* recreate query from reply */
687 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
690 header
->ancount
= htons(0);
691 header
->nscount
= htons(0);
692 header
->arcount
= htons(0);
693 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
695 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
696 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
);
702 server
= forward
->sentto
;
704 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
706 if (RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
)
710 struct server
*last_server
;
712 /* find good server by address if possible, otherwise assume the last one we sent to */
713 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
714 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
715 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
717 server
= last_server
;
721 if (!option_bool(OPT_ALL_SERVERS
))
722 daemon
->last_server
= server
;
725 /* If the answer is an error, keep the forward record in place in case
726 we get a good reply from another server. Kill it when we've
727 had replies from all to avoid filling the forwarding table when
728 everything is broken */
729 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 ||
730 (RCODE(header
) != REFUSED
&& RCODE(header
) != SERVFAIL
))
732 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
734 if (option_bool(OPT_NO_REBIND
))
735 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
737 /* Don't cache replies where DNSSEC validation was turned off, either
738 the upstream server told us so, or the original query specified it. */
739 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
743 if (option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
747 /* We've had a reply already, which we're validating. Ignore this duplicate */
748 if (forward
->blocking_query
)
751 if (header
->hb3
& HB3_TC
)
753 /* Truncated answer can't be validated.
754 The client will retry over TCP, but if this is an answer to a
755 DNSSEC-generated query, we have a problem. Should really re-send
756 over TCP. No-one with any sense will make a DNSKEY or DS RRset
757 exceed 4096, so this may not be a real problem. Just log
759 if (forward
->flags
& (FREC_DNSKEY_QUERY
| FREC_DS_QUERY
))
760 my_syslog(LOG_ERR
, _("Reply to DNSSEC query truncated - validation fails."));
761 status
= STAT_INSECURE
;
763 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
764 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
765 else if (forward
->flags
& FREC_DS_QUERY
)
766 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
768 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
770 /* Can't validate, as we're missing key data. Put this
771 answer aside, whilst we get that. */
772 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
776 if ((new = get_new_frec(now
, NULL
, 1)))
778 struct frec
*next
= new->next
;
779 *new = *forward
; /* copy everything, then overwrite */
781 new->blocking_query
= NULL
;
786 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
);
788 /* Free any saved query */
790 blockdata_free(forward
->stash
);
792 /* Now save reply pending receipt of key data */
793 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
794 free_frec(new); /* malloc failure, unwind */
799 forward
->stash_len
= n
;
801 new->dependent
= forward
; /* to find query awaiting new one. */
802 forward
->blocking_query
= new; /* for garbage cleaning */
803 /* validate routines leave name of required record in daemon->keyname */
804 if (status
== STAT_NEED_KEY
)
806 new->flags
|= FREC_DNSKEY_QUERY
;
807 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
808 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
812 new->flags
|= FREC_DS_QUERY
;
813 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
814 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
816 new->crc
= questions_crc(header
, nn
, daemon
->namebuff
);
817 new->new_id
= get_id(new->crc
);
818 header
->id
= htons(new->new_id
);
819 /* Save query for retransmission */
820 new->stash
= blockdata_alloc((char *)header
, nn
);
823 /* Don't resend this. */
824 daemon
->srv_save
= NULL
;
827 fd
= server
->sfd
->fd
;
832 if (server
->addr
.sa
.sa_family
== AF_INET6
)
834 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
840 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
847 while (sendto(fd
, (char *)header
, nn
, 0, &server
->addr
.sa
, sa_len(&server
->addr
)) == -1 && retry_send());
856 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
857 Now wind back down, pulling back answers which wouldn't previously validate
858 and validate them with the new data. Failure to find needed data here is an internal error.
859 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
860 return it to the original requestor. */
861 if (forward
->flags
& (FREC_DNSKEY_QUERY
| FREC_DS_QUERY
))
863 while (forward
->dependent
)
867 if (status
== STAT_SECURE
)
869 if (forward
->flags
& FREC_DNSKEY_QUERY
)
870 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
871 else if (forward
->flags
& FREC_DS_QUERY
)
872 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
875 prev
= forward
->dependent
;
878 forward
->blocking_query
= NULL
; /* already gone */
879 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
880 n
= forward
->stash_len
;
883 /* All DNSKEY and DS records done and in cache, now finally validate original
884 answer, provided last DNSKEY is OK. */
885 if (status
== STAT_SECURE
)
886 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
888 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
890 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
891 status
= STAT_INSECURE
;
895 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
896 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
900 if (status
== STAT_SECURE
)
902 else if (status
== STAT_BOGUS
)
905 /* restore CD bit to the value in the query */
906 if (forward
->flags
& FREC_CHECKING_DISABLED
)
907 header
->hb4
|= HB4_CD
;
909 header
->hb4
&= ~HB4_CD
;
913 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
914 forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
916 header
->id
= htons(forward
->orig_id
);
917 header
->hb4
|= HB4_RA
; /* recursion if available */
918 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
919 &forward
->source
, &forward
->dest
, forward
->iface
);
921 free_frec(forward
); /* cancel */
926 void receive_query(struct listener
*listen
, time_t now
)
928 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
929 union mysockaddr source_addr
;
931 struct all_addr dst_addr
;
932 struct in_addr netmask
, dst_addr_4
;
935 int if_index
= 0, auth_dns
= 0;
941 struct cmsghdr
*cmptr
;
943 struct cmsghdr align
; /* this ensures alignment */
945 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
947 #if defined(HAVE_LINUX_NETWORK)
948 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
949 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
950 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
951 CMSG_SPACE(sizeof(unsigned int))];
952 #elif defined(IP_RECVDSTADDR)
953 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
954 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
958 /* Can always get recvd interface for IPv6 */
959 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
961 int check_dst
= !option_bool(OPT_NOWILD
);
964 /* packet buffer overwritten */
965 daemon
->srv_save
= NULL
;
967 dst_addr_4
.s_addr
= 0;
970 if (option_bool(OPT_NOWILD
) && listen
->iface
)
972 auth_dns
= listen
->iface
->dns_auth
;
974 if (listen
->family
== AF_INET
)
976 dst_addr_4
= listen
->iface
->addr
.in
.sin_addr
;
977 netmask
= listen
->iface
->netmask
;
981 iov
[0].iov_base
= daemon
->packet
;
982 iov
[0].iov_len
= daemon
->edns_pktsz
;
984 msg
.msg_control
= control_u
.control
;
985 msg
.msg_controllen
= sizeof(control_u
);
987 msg
.msg_name
= &source_addr
;
988 msg
.msg_namelen
= sizeof(source_addr
);
992 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
995 if (n
< (int)sizeof(struct dns_header
) ||
996 (msg
.msg_flags
& MSG_TRUNC
) ||
997 (header
->hb3
& HB3_QR
))
1000 source_addr
.sa
.sa_family
= listen
->family
;
1002 if (listen
->family
== AF_INET6
)
1003 source_addr
.in6
.sin6_flowinfo
= 0;
1010 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1013 #if defined(HAVE_LINUX_NETWORK)
1014 if (listen
->family
== AF_INET
)
1015 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1016 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1020 struct in_pktinfo
*p
;
1022 p
.c
= CMSG_DATA(cmptr
);
1023 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1024 if_index
= p
.p
->ipi_ifindex
;
1026 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1027 if (listen
->family
== AF_INET
)
1029 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1035 #ifndef HAVE_SOLARIS_NETWORK
1036 struct sockaddr_dl
*s
;
1039 p
.c
= CMSG_DATA(cmptr
);
1040 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1041 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1042 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1043 #ifdef HAVE_SOLARIS_NETWORK
1046 if_index
= p
.s
->sdl_index
;
1053 if (listen
->family
== AF_INET6
)
1055 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1056 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1060 struct in6_pktinfo
*p
;
1062 p
.c
= CMSG_DATA(cmptr
);
1064 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1065 if_index
= p
.p
->ipi6_ifindex
;
1070 /* enforce available interface configuration */
1072 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1075 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1077 if (!option_bool(OPT_CLEVERBIND
))
1078 enumerate_interfaces(0);
1079 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1080 !label_exception(if_index
, listen
->family
, &dst_addr
))
1084 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1088 /* get the netmask of the interface whch has the address we were sent to.
1089 This is no neccessarily the interface we arrived on. */
1091 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1092 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1093 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1096 /* interface may be new */
1097 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1098 enumerate_interfaces(0);
1100 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1101 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1102 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1105 /* If we failed, abandon localisation */
1107 netmask
= iface
->netmask
;
1109 dst_addr_4
.s_addr
= 0;
1113 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1117 struct auth_zone
*zone
;
1120 querystr(auth_dns
? "auth" : "query", types
, type
);
1122 if (listen
->family
== AF_INET
)
1123 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1124 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1127 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1128 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1132 /* find queries for zones we're authoritative for, and answer them directly */
1134 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1135 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1147 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1150 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1151 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1152 daemon
->auth_answer
++;
1158 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1159 dst_addr_4
, netmask
, now
);
1163 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1164 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1165 daemon
->local_answer
++;
1167 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1168 header
, (size_t)n
, now
, NULL
))
1169 daemon
->queries_forwarded
++;
1171 daemon
->local_answer
++;
1176 static int tcp_key_recurse(time_t now
, int status
, int class, char *keyname
, struct server
*server
)
1178 /* Recurse up the key heirarchy */
1180 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1181 unsigned char *payload
= &packet
[2];
1182 struct dns_header
*header
= (struct dns_header
*)payload
;
1183 u16
*length
= (u16
*)packet
;
1185 unsigned char c1
, c2
;
1187 n
= dnssec_generate_query(header
, ((char *) header
) + 65536, keyname
, class,
1188 status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1192 if (!read_write(server
->tcpfd
, packet
, n
+ sizeof(u16
), 0) ||
1193 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1194 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1195 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1197 close(server
->tcpfd
);
1199 new_status
= STAT_INSECURE
;
1205 if (status
== STAT_NEED_KEY
)
1206 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1208 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1210 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1212 if ((new_status
= tcp_key_recurse(now
, new_status
, class, daemon
->keyname
, server
) == STAT_SECURE
))
1214 if (status
== STAT_NEED_KEY
)
1215 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1217 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1219 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1221 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
1222 status
= STAT_INSECURE
;
1235 /* The daemon forks before calling this: it should deal with one connection,
1236 blocking as neccessary, and then return. Note, need to be a bit careful
1237 about resources for debug mode, when the fork is suppressed: that's
1238 done by the caller. */
1239 unsigned char *tcp_request(int confd
, time_t now
,
1240 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1247 int checking_disabled
, check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0;
1249 unsigned short qtype
;
1250 unsigned int gotname
;
1251 unsigned char c1
, c2
;
1252 /* Max TCP packet + slop + size */
1253 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1254 unsigned char *payload
= &packet
[2];
1255 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1256 struct dns_header
*header
= (struct dns_header
*)payload
;
1257 u16
*length
= (u16
*)packet
;
1258 struct server
*last_server
;
1259 struct in_addr dst_addr_4
;
1260 union mysockaddr peer_addr
;
1261 socklen_t peer_len
= sizeof(union mysockaddr
);
1263 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1269 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1270 !(size
= c1
<< 8 | c2
) ||
1271 !read_write(confd
, payload
, size
, 1))
1274 if (size
< (int)sizeof(struct dns_header
))
1279 /* save state of "cd" flag in query */
1280 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1281 no_cache_dnssec
= 1;
1283 /* RFC 4035: sect 4.6 para 2 */
1284 header
->hb4
&= ~HB4_AD
;
1286 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1290 struct auth_zone
*zone
;
1292 querystr(auth_dns
? "auth" : "query", types
, qtype
);
1294 if (peer_addr
.sa
.sa_family
== AF_INET
)
1295 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1296 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1299 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1300 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1304 /* find queries for zones we're authoritative for, and answer them directly */
1306 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1307 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1316 if (local_addr
->sa
.sa_family
== AF_INET
)
1317 dst_addr_4
= local_addr
->in
.sin_addr
;
1319 dst_addr_4
.s_addr
= 0;
1323 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1327 /* m > 0 if answered from cache */
1328 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1329 dst_addr_4
, netmask
, now
);
1331 /* Do this by steam now we're not in the select() loop */
1332 check_log_writer(NULL
);
1336 unsigned int flags
= 0;
1337 struct all_addr
*addrp
= NULL
;
1339 char *domain
= NULL
;
1341 if (option_bool(OPT_ADD_MAC
))
1342 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1344 if (option_bool(OPT_CLIENT_SUBNET
))
1346 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1355 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1357 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1358 last_server
= daemon
->servers
;
1360 last_server
= daemon
->last_server
;
1362 if (!flags
&& last_server
)
1364 struct server
*firstsendto
= NULL
;
1365 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1367 /* Loop round available servers until we succeed in connecting to one.
1368 Note that this code subtley ensures that consecutive queries on this connection
1369 which can go to the same server, do so. */
1373 firstsendto
= last_server
;
1376 if (!(last_server
= last_server
->next
))
1377 last_server
= daemon
->servers
;
1379 if (last_server
== firstsendto
)
1383 /* server for wrong domain */
1384 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1385 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)))
1388 if (last_server
->tcpfd
== -1)
1390 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1393 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1394 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1396 close(last_server
->tcpfd
);
1397 last_server
->tcpfd
= -1;
1402 if (option_bool(OPT_DNSSEC_VALID
))
1404 size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1405 header
->hb4
|= HB4_CD
;
1409 #ifdef HAVE_CONNTRACK
1410 /* Copy connection mark of incoming query to outgoing connection. */
1411 if (option_bool(OPT_CONNTRACK
))
1414 struct all_addr local
;
1416 if (local_addr
->sa
.sa_family
== AF_INET6
)
1417 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1420 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1422 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1423 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1428 *length
= htons(size
);
1430 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1431 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1432 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1433 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1435 close(last_server
->tcpfd
);
1436 last_server
->tcpfd
= -1;
1443 strcpy(daemon
->namebuff
, "query");
1444 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1445 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1446 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1449 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1450 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1454 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1458 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1460 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
1462 if ((status
= tcp_key_recurse(now
, status
, class, daemon
->keyname
, last_server
)) == STAT_SECURE
)
1463 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1466 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
1467 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1469 if (status
== STAT_BOGUS
)
1470 no_cache_dnssec
= 1;
1472 if (status
== STAT_SECURE
)
1477 /* restore CD bit to the value in the query */
1478 if (checking_disabled
)
1479 header
->hb4
|= HB4_CD
;
1481 header
->hb4
&= ~HB4_CD
;
1483 /* There's no point in updating the cache, since this process will exit and
1484 lose the information after a few queries. We make this call for the alias and
1485 bogus-nxdomain side-effects. */
1486 /* If the crc of the question section doesn't match the crc we sent, then
1487 someone might be attempting to insert bogus values into the cache by
1488 sending replies containing questions and bogus answers. */
1489 if (crc
== questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1490 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1491 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
,
1492 cache_secure
, check_subnet
, &peer_addr
);
1498 /* In case of local answer or no connections made. */
1500 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1504 check_log_writer(NULL
);
1508 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
1513 static struct frec
*allocate_frec(time_t now
)
1517 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1519 f
->next
= daemon
->frec_list
;
1528 f
->blocking_query
= NULL
;
1531 daemon
->frec_list
= f
;
1537 static struct randfd
*allocate_rfd(int family
)
1539 static int finger
= 0;
1542 /* limit the number of sockets we have open to avoid starvation of
1543 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1545 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1546 if (daemon
->randomsocks
[i
].refcount
== 0)
1548 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1551 daemon
->randomsocks
[i
].refcount
= 1;
1552 daemon
->randomsocks
[i
].family
= family
;
1553 return &daemon
->randomsocks
[i
];
1556 /* No free ones or cannot get new socket, grab an existing one */
1557 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1559 int j
= (i
+finger
) % RANDOM_SOCKS
;
1560 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1561 daemon
->randomsocks
[j
].family
== family
&&
1562 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1565 daemon
->randomsocks
[j
].refcount
++;
1566 return &daemon
->randomsocks
[j
];
1570 return NULL
; /* doom */
1572 static void free_frec(struct frec
*f
)
1574 if (f
->rfd4
&& --(f
->rfd4
->refcount
) == 0)
1582 if (f
->rfd6
&& --(f
->rfd6
->refcount
) == 0)
1591 blockdata_free(f
->stash
);
1595 /* Anything we're waiting on is pointless now, too */
1596 if (f
->blocking_query
)
1597 free_frec(f
->blocking_query
);
1598 f
->blocking_query
= NULL
;
1603 /* if wait==NULL return a free or older than TIMEOUT record.
1604 else return *wait zero if one available, or *wait is delay to
1605 when the oldest in-use record will expire. Impose an absolute
1606 limit of 4*TIMEOUT before we wipe things (for random sockets).
1607 If force is set, always return a result, even if we have
1608 to allocate above the limit. */
1609 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
1611 struct frec
*f
, *oldest
, *target
;
1617 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
1622 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
1628 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
1638 /* can't find empty one, use oldest if there is one
1639 and it's older than timeout */
1640 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
1642 /* keep stuff for twice timeout if we can by allocating a new
1644 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
1645 count
<= daemon
->ftabsize
&&
1646 (f
= allocate_frec(now
)))
1657 /* none available, calculate time 'till oldest record expires */
1658 if (!force
&& count
> daemon
->ftabsize
)
1660 static time_t last_log
= 0;
1663 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
1665 if ((int)difftime(now
, last_log
) > 5)
1668 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
1674 if (!(f
= allocate_frec(now
)) && wait
)
1675 /* wait one second on malloc failure */
1678 return f
; /* OK if malloc fails and this is NULL */
1681 /* crc is all-ones if not known. */
1682 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
)
1686 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1687 if (f
->sentto
&& f
->new_id
== id
&&
1688 (f
->crc
== crc
|| crc
== 0xffffffff))
1694 static struct frec
*lookup_frec_by_sender(unsigned short id
,
1695 union mysockaddr
*addr
,
1700 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1704 sockaddr_isequal(&f
->source
, addr
))
1710 /* A server record is going away, remove references to it */
1711 void server_gone(struct server
*server
)
1715 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
1716 if (f
->sentto
&& f
->sentto
== server
)
1719 if (daemon
->last_server
== server
)
1720 daemon
->last_server
= NULL
;
1722 if (daemon
->srv_save
== server
)
1723 daemon
->srv_save
= NULL
;
1726 /* return unique random ids. */
1727 static unsigned short get_id(unsigned int crc
)
1729 unsigned short ret
= 0;
1733 while (lookup_frec(ret
, crc
));