]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix to last commit.
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, void *hash);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 void *hash);
23 static unsigned short get_id(void);
24 static void free_frec(struct frec *f);
25 static struct randfd *allocate_rfd(int family);
26
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
31 unsigned int iface)
32 {
33 struct msghdr msg;
34 struct iovec iov[1];
35 union {
36 struct cmsghdr align; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39 #elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41 #endif
42 #ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44 #endif
45 } control_u;
46
47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
57
58 if (!nowild)
59 {
60 struct cmsghdr *cmptr;
61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
67 #if defined(HAVE_LINUX_NETWORK)
68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
73 cmptr->cmsg_level = IPPROTO_IP;
74 cmptr->cmsg_type = IP_PKTINFO;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
80 #endif
81 }
82 else
83 #ifdef HAVE_IPV6
84 {
85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
90 cmptr->cmsg_type = daemon->v6pktinfo;
91 cmptr->cmsg_level = IPPROTO_IPV6;
92 }
93 #else
94 (void)iface; /* eliminate warning */
95 #endif
96 }
97
98 while (sendmsg(fd, &msg, 0) == -1)
99 {
100 if (retry_send())
101 continue;
102
103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
106
107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
108 return 0;
109 }
110
111 return 1;
112 }
113
114 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
116
117 {
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
125 unsigned int flags = 0;
126
127 for (serv = daemon->servers; serv; serv=serv->next)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
130 {
131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
132 *type = SERV_FOR_NODOTS;
133 if (serv->flags & SERV_NO_ADDR)
134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
142 #ifdef HAVE_IPV6
143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
145 #endif
146 }
147 else if (!flags || (flags & F_NXDOMAIN))
148 flags = F_NOERR;
149 }
150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
154 char *matchstart = qdomain + namelen - domainlen;
155 if (namelen >= domainlen &&
156 hostname_isequal(matchstart, serv->domain) &&
157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
158 {
159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
161 else
162 {
163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
168 {
169 if ((serv->flags & SERV_LITERAL_ADDRESS))
170 {
171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
195 #ifdef HAVE_IPV6
196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
198 #endif
199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
202 }
203 else
204 flags = 0;
205 }
206 }
207 }
208 }
209
210 if (flags == 0 && !(qtype & F_QUERY) &&
211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
214
215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
216 flags = F_NOERR;
217
218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
226 }
227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
232 return flags;
233 }
234
235 static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
238 {
239 char *domain = NULL;
240 int type = 0, norebind = 0;
241 struct all_addr *addrp = NULL;
242 unsigned int flags = 0;
243 struct server *start = NULL;
244 #ifdef HAVE_DNSSEC
245 void *hash = hash_questions(header, plen, daemon->namebuff);
246 #else
247 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
248 void *hash = &crc;
249 #endif
250 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
251
252 /* RFC 4035: sect 4.6 para 2 */
253 header->hb4 &= ~HB4_AD;
254
255 /* may be no servers available. */
256 if (!daemon->servers)
257 forward = NULL;
258 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
259 {
260 #ifdef HAVE_DNSSEC
261 /* If we've already got an answer to this query, but we're awaiting keys for vaildation,
262 there's no point retrying the query, retry the key query instead...... */
263 if (forward->blocking_query)
264 {
265 int fd;
266
267 while (forward->blocking_query)
268 forward = forward->blocking_query;
269
270 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
271 plen = forward->stash_len;
272
273 if (forward->sentto->addr.sa.sa_family)
274 log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
275 #ifdef HAVE_IPV6
276 else
277 log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
278 #endif
279
280 if (forward->sentto->sfd)
281 fd = forward->sentto->sfd->fd;
282 else
283 {
284 #ifdef HAVE_IPV6
285 if (forward->sentto->addr.sa.sa_family == AF_INET6)
286 fd = forward->rfd6->fd;
287 else
288 #endif
289 fd = forward->rfd4->fd;
290 }
291
292 while (sendto(fd, (char *)header, plen, 0,
293 &forward->sentto->addr.sa,
294 sa_len(&forward->sentto->addr)) == -1 && retry_send());
295
296 return 1;
297 }
298 #endif
299
300 /* retry on existing query, send to all available servers */
301 domain = forward->sentto->domain;
302 forward->sentto->failed_queries++;
303 if (!option_bool(OPT_ORDER))
304 {
305 forward->forwardall = 1;
306 daemon->last_server = NULL;
307 }
308 type = forward->sentto->flags & SERV_TYPE;
309 if (!(start = forward->sentto->next))
310 start = daemon->servers; /* at end of list, recycle */
311 header->id = htons(forward->new_id);
312 }
313 else
314 {
315 if (gotname)
316 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
317
318 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
319 /* table full - server failure. */
320 flags = F_NEG;
321
322 if (forward)
323 {
324 forward->source = *udpaddr;
325 forward->dest = *dst_addr;
326 forward->iface = dst_iface;
327 forward->orig_id = ntohs(header->id);
328 forward->new_id = get_id();
329 forward->fd = udpfd;
330 memcpy(forward->hash, hash, HASH_SIZE);
331 forward->forwardall = 0;
332 forward->flags = 0;
333 if (norebind)
334 forward->flags |= FREC_NOREBIND;
335 if (header->hb4 & HB4_CD)
336 forward->flags |= FREC_CHECKING_DISABLED;
337
338 header->id = htons(forward->new_id);
339
340 /* In strict_order mode, always try servers in the order
341 specified in resolv.conf, if a domain is given
342 always try all the available servers,
343 otherwise, use the one last known to work. */
344
345 if (type == 0)
346 {
347 if (option_bool(OPT_ORDER))
348 start = daemon->servers;
349 else if (!(start = daemon->last_server) ||
350 daemon->forwardcount++ > FORWARD_TEST ||
351 difftime(now, daemon->forwardtime) > FORWARD_TIME)
352 {
353 start = daemon->servers;
354 forward->forwardall = 1;
355 daemon->forwardcount = 0;
356 daemon->forwardtime = now;
357 }
358 }
359 else
360 {
361 start = daemon->servers;
362 if (!option_bool(OPT_ORDER))
363 forward->forwardall = 1;
364 }
365 }
366 }
367
368 /* check for send errors here (no route to host)
369 if we fail to send to all nameservers, send back an error
370 packet straight away (helps modem users when offline) */
371
372 if (!flags && forward)
373 {
374 struct server *firstsentto = start;
375 int forwarded = 0;
376
377 if (option_bool(OPT_ADD_MAC))
378 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
379
380 if (option_bool(OPT_CLIENT_SUBNET))
381 {
382 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
383 if (new != plen)
384 {
385 plen = new;
386 forward->flags |= FREC_HAS_SUBNET;
387 }
388 }
389
390 #ifdef HAVE_DNSSEC
391 if (option_bool(OPT_DNSSEC_VALID))
392 {
393 plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
394 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
395 this allows it to select auth servers when one is returning bad data. */
396 if (option_bool(OPT_DNSSEC_DEBUG))
397 header->hb4 |= HB4_CD;
398 }
399 #endif
400
401 while (1)
402 {
403 /* only send to servers dealing with our domain.
404 domain may be NULL, in which case server->domain
405 must be NULL also. */
406
407 if (type == (start->flags & SERV_TYPE) &&
408 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
409 !(start->flags & SERV_LITERAL_ADDRESS))
410 {
411 int fd;
412
413 /* find server socket to use, may need to get random one. */
414 if (start->sfd)
415 fd = start->sfd->fd;
416 else
417 {
418 #ifdef HAVE_IPV6
419 if (start->addr.sa.sa_family == AF_INET6)
420 {
421 if (!forward->rfd6 &&
422 !(forward->rfd6 = allocate_rfd(AF_INET6)))
423 break;
424 daemon->rfd_save = forward->rfd6;
425 fd = forward->rfd6->fd;
426 }
427 else
428 #endif
429 {
430 if (!forward->rfd4 &&
431 !(forward->rfd4 = allocate_rfd(AF_INET)))
432 break;
433 daemon->rfd_save = forward->rfd4;
434 fd = forward->rfd4->fd;
435 }
436
437 #ifdef HAVE_CONNTRACK
438 /* Copy connection mark of incoming query to outgoing connection. */
439 if (option_bool(OPT_CONNTRACK))
440 {
441 unsigned int mark;
442 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
443 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
444 }
445 #endif
446 }
447
448 if (sendto(fd, (char *)header, plen, 0,
449 &start->addr.sa,
450 sa_len(&start->addr)) == -1)
451 {
452 if (retry_send())
453 continue;
454 }
455 else
456 {
457 /* Keep info in case we want to re-send this packet */
458 daemon->srv_save = start;
459 daemon->packet_len = plen;
460
461 if (!gotname)
462 strcpy(daemon->namebuff, "query");
463 if (start->addr.sa.sa_family == AF_INET)
464 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
465 (struct all_addr *)&start->addr.in.sin_addr, NULL);
466 #ifdef HAVE_IPV6
467 else
468 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
469 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
470 #endif
471 start->queries++;
472 forwarded = 1;
473 forward->sentto = start;
474 if (!forward->forwardall)
475 break;
476 forward->forwardall++;
477 }
478 }
479
480 if (!(start = start->next))
481 start = daemon->servers;
482
483 if (start == firstsentto)
484 break;
485 }
486
487 if (forwarded)
488 return 1;
489
490 /* could not send on, prepare to return */
491 header->id = htons(forward->orig_id);
492 free_frec(forward); /* cancel */
493 }
494
495 /* could not send on, return empty answer or address if known for whole domain */
496 if (udpfd != -1)
497 {
498 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
499 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
500 }
501
502 return 0;
503 }
504
505 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
506 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
507 {
508 unsigned char *pheader, *sizep;
509 char **sets = 0;
510 int munged = 0, is_sign;
511 size_t plen;
512
513 #ifdef HAVE_IPSET
514 /* Similar algorithm to search_servers. */
515 struct ipsets *ipset_pos;
516 unsigned int namelen = strlen(daemon->namebuff);
517 unsigned int matchlen = 0;
518 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
519 {
520 unsigned int domainlen = strlen(ipset_pos->domain);
521 char *matchstart = daemon->namebuff + namelen - domainlen;
522 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
523 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
524 domainlen >= matchlen)
525 {
526 matchlen = domainlen;
527 sets = ipset_pos->sets;
528 }
529 }
530 #endif
531
532 /* If upstream is advertising a larger UDP packet size
533 than we allow, trim it so that we don't get overlarge
534 requests for the client. We can't do this for signed packets. */
535
536 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
537 {
538 if (!is_sign)
539 {
540 unsigned short udpsz;
541 unsigned char *psave = sizep;
542
543 GETSHORT(udpsz, sizep);
544 if (udpsz > daemon->edns_pktsz)
545 PUTSHORT(daemon->edns_pktsz, psave);
546 }
547
548 if (check_subnet && !check_source(header, plen, pheader, query_source))
549 {
550 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
551 return 0;
552 }
553 }
554
555 /* RFC 4035 sect 4.6 para 3 */
556 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
557 header->hb4 &= ~HB4_AD;
558
559 #ifdef HAVE_DNSSEC
560 if (option_bool(OPT_DNSSEC_VALID))
561 header->hb4 &= ~HB4_AD;
562
563 if (!(header->hb4 & HB4_CD) && cache_secure)
564 header->hb4 |= HB4_AD;
565 #endif
566
567 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
568 return n;
569
570 /* Complain loudly if the upstream server is non-recursive. */
571 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
572 server && !(server->flags & SERV_WARNED_RECURSIVE))
573 {
574 prettyprint_addr(&server->addr, daemon->namebuff);
575 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
576 if (!option_bool(OPT_LOG))
577 server->flags |= SERV_WARNED_RECURSIVE;
578 }
579
580 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
581 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
582 {
583 munged = 1;
584 SET_RCODE(header, NXDOMAIN);
585 header->hb3 &= ~HB3_AA;
586 }
587 else
588 {
589 if (RCODE(header) == NXDOMAIN &&
590 extract_request(header, n, daemon->namebuff, NULL) &&
591 check_for_local_domain(daemon->namebuff, now))
592 {
593 /* if we forwarded a query for a locally known name (because it was for
594 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
595 since we know that the domain exists, even if upstream doesn't */
596 munged = 1;
597 header->hb3 |= HB3_AA;
598 SET_RCODE(header, NOERROR);
599 }
600
601 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure))
602 {
603 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
604 munged = 1;
605 }
606 }
607
608 #ifdef HAVE_DNSSEC
609 if (no_cache && !(header->hb4 & HB4_CD))
610 {
611 if (option_bool(OPT_DNSSEC_PERMISS))
612 {
613 unsigned short type;
614 char types[20];
615
616 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
617 {
618 querystr("", types, type);
619 my_syslog(LOG_WARNING, _("DNSSEC validation failed: query %s%s"), daemon->namebuff, types);
620 }
621 else
622 my_syslog(LOG_WARNING, _("DNSSEC validation failed for unknown query"));
623 }
624 else
625 {
626 /* Bogus reply, turn into SERVFAIL */
627 SET_RCODE(header, SERVFAIL);
628 munged = 1;
629 }
630 }
631 #endif
632
633 /* do this after extract_addresses. Ensure NODATA reply and remove
634 nameserver info. */
635
636 if (munged)
637 {
638 header->ancount = htons(0);
639 header->nscount = htons(0);
640 header->arcount = htons(0);
641 }
642
643 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
644 sections of the packet. Find the new length here and put back pseudoheader
645 if it was removed. */
646 return resize_packet(header, n, pheader, plen);
647 }
648
649 /* sets new last_server */
650 void reply_query(int fd, int family, time_t now)
651 {
652 /* packet from peer server, extract data for cache, and send to
653 original requester */
654 struct dns_header *header;
655 union mysockaddr serveraddr;
656 struct frec *forward;
657 socklen_t addrlen = sizeof(serveraddr);
658 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
659 size_t nn;
660 struct server *server;
661 void *hash;
662 #ifndef HAVE_DNSSEC
663 unsigned int crc;
664 #endif
665
666 /* packet buffer overwritten */
667 daemon->srv_save = NULL;
668
669 /* Determine the address of the server replying so that we can mark that as good */
670 serveraddr.sa.sa_family = family;
671 #ifdef HAVE_IPV6
672 if (serveraddr.sa.sa_family == AF_INET6)
673 serveraddr.in6.sin6_flowinfo = 0;
674 #endif
675
676 /* spoof check: answer must come from known server, */
677 for (server = daemon->servers; server; server = server->next)
678 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
679 sockaddr_isequal(&server->addr, &serveraddr))
680 break;
681
682 header = (struct dns_header *)daemon->packet;
683
684 #ifdef HAVE_DNSSEC
685 hash = hash_questions(header, n, daemon->namebuff);
686 #else
687 hash = &crc;
688 crc = questions_crc(header, n, daemon->namebuff);
689 #endif
690
691 if (!server ||
692 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
693 !(forward = lookup_frec(ntohs(header->id), hash)))
694 return;
695
696 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
697 !option_bool(OPT_ORDER) &&
698 forward->forwardall == 0)
699 /* for broken servers, attempt to send to another one. */
700 {
701 unsigned char *pheader;
702 size_t plen;
703 int is_sign;
704
705 /* recreate query from reply */
706 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
707 if (!is_sign)
708 {
709 header->ancount = htons(0);
710 header->nscount = htons(0);
711 header->arcount = htons(0);
712 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
713 {
714 header->hb3 &= ~(HB3_QR | HB3_TC);
715 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
716 return;
717 }
718 }
719 }
720
721 server = forward->sentto;
722
723 if ((forward->sentto->flags & SERV_TYPE) == 0)
724 {
725 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
726 server = NULL;
727 else
728 {
729 struct server *last_server;
730
731 /* find good server by address if possible, otherwise assume the last one we sent to */
732 for (last_server = daemon->servers; last_server; last_server = last_server->next)
733 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
734 sockaddr_isequal(&last_server->addr, &serveraddr))
735 {
736 server = last_server;
737 break;
738 }
739 }
740 if (!option_bool(OPT_ALL_SERVERS))
741 daemon->last_server = server;
742 }
743
744 /* If the answer is an error, keep the forward record in place in case
745 we get a good reply from another server. Kill it when we've
746 had replies from all to avoid filling the forwarding table when
747 everything is broken */
748 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
749 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
750 {
751 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
752
753 if (option_bool(OPT_NO_REBIND))
754 check_rebind = !(forward->flags & FREC_NOREBIND);
755
756 /* Don't cache replies where DNSSEC validation was turned off, either
757 the upstream server told us so, or the original query specified it. */
758 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
759 no_cache_dnssec = 1;
760
761 #ifdef HAVE_DNSSEC
762 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
763 {
764 int status;
765
766 /* We've had a reply already, which we're validating. Ignore this duplicate */
767 if (forward->blocking_query)
768 return;
769
770 if (header->hb3 & HB3_TC)
771 {
772 /* Truncated answer can't be validated.
773 If this is an answer to a DNSSEC-generated query, we still
774 need to get the client to retry over TCP, so return
775 an answer with the TC bit set, even if the actual answer fits.
776 */
777 status = STAT_TRUNCATED;
778 }
779 else if (forward->flags & FREC_DNSKEY_QUERY)
780 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
781 else if (forward->flags & FREC_DS_QUERY)
782 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
783 else
784 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
785
786 /* Can't validate, as we're missing key data. Put this
787 answer aside, whilst we get that. */
788 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
789 {
790 struct frec *new;
791
792 if ((new = get_new_frec(now, NULL, 1)))
793 {
794 struct frec *next = new->next;
795 *new = *forward; /* copy everything, then overwrite */
796 new->next = next;
797 new->blocking_query = NULL;
798 new->rfd4 = NULL;
799 #ifdef HAVE_IPV6
800 new->rfd6 = NULL;
801 #endif
802 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
803
804 /* Free any saved query */
805 if (forward->stash)
806 blockdata_free(forward->stash);
807
808 /* Now save reply pending receipt of key data */
809 if (!(forward->stash = blockdata_alloc((char *)header, n)))
810 free_frec(new); /* malloc failure, unwind */
811 else
812 {
813 int fd;
814
815 forward->stash_len = n;
816
817 new->dependent = forward; /* to find query awaiting new one. */
818 forward->blocking_query = new; /* for garbage cleaning */
819 /* validate routines leave name of required record in daemon->keyname */
820 if (status == STAT_NEED_KEY)
821 {
822 new->flags |= FREC_DNSKEY_QUERY;
823 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
824 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
825 }
826 else
827 {
828 new->flags |= FREC_DS_QUERY;
829 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
830 daemon->keyname, forward->class, T_DS, &server->addr);
831 }
832 if ((hash = hash_questions(header, nn, daemon->namebuff)))
833 memcpy(new->hash, hash, HASH_SIZE);
834 new->new_id = get_id();
835 header->id = htons(new->new_id);
836 /* Save query for retransmission */
837 new->stash = blockdata_alloc((char *)header, nn);
838 new->stash_len = nn;
839
840 /* Don't resend this. */
841 daemon->srv_save = NULL;
842
843 if (server->sfd)
844 fd = server->sfd->fd;
845 else
846 {
847 fd = -1;
848 #ifdef HAVE_IPV6
849 if (server->addr.sa.sa_family == AF_INET6)
850 {
851 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
852 fd = new->rfd6->fd;
853 }
854 else
855 #endif
856 {
857 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
858 fd = new->rfd4->fd;
859 }
860 }
861
862 if (fd != -1)
863 {
864 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
865 server->queries++;
866 }
867 }
868 }
869
870 return;
871 }
872
873 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
874 Now wind back down, pulling back answers which wouldn't previously validate
875 and validate them with the new data. Failure to find needed data here is an internal error.
876 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
877 return it to the original requestor. */
878 while (forward->dependent)
879 {
880 struct frec *prev = forward->dependent;
881 free_frec(forward);
882 forward = prev;
883 forward->blocking_query = NULL; /* already gone */
884 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
885 n = forward->stash_len;
886
887 if (status == STAT_SECURE)
888 {
889 if (forward->flags & FREC_DNSKEY_QUERY)
890 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
891 else if (forward->flags & FREC_DS_QUERY)
892 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
893 else
894 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
895
896 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
897 {
898 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
899 status = STAT_INSECURE;
900 }
901 }
902 }
903
904 if (status == STAT_TRUNCATED)
905 header->hb3 |= HB3_TC;
906 else
907 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
908 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
909
910 no_cache_dnssec = 0;
911
912 if (status == STAT_SECURE)
913 cache_secure = 1;
914 else if (status == STAT_BOGUS)
915 no_cache_dnssec = 1;
916
917 /* restore CD bit to the value in the query */
918 if (forward->flags & FREC_CHECKING_DISABLED)
919 header->hb4 |= HB4_CD;
920 else
921 header->hb4 &= ~HB4_CD;
922 }
923 #endif
924
925 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
926 forward->flags & FREC_HAS_SUBNET, &forward->source)))
927 {
928 header->id = htons(forward->orig_id);
929 header->hb4 |= HB4_RA; /* recursion if available */
930 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
931 &forward->source, &forward->dest, forward->iface);
932 }
933 free_frec(forward); /* cancel */
934 }
935 }
936
937
938 void receive_query(struct listener *listen, time_t now)
939 {
940 struct dns_header *header = (struct dns_header *)daemon->packet;
941 union mysockaddr source_addr;
942 unsigned short type;
943 struct all_addr dst_addr;
944 struct in_addr netmask, dst_addr_4;
945 size_t m;
946 ssize_t n;
947 int if_index = 0, auth_dns = 0;
948 #ifdef HAVE_AUTH
949 int local_auth = 0;
950 #endif
951 struct iovec iov[1];
952 struct msghdr msg;
953 struct cmsghdr *cmptr;
954 union {
955 struct cmsghdr align; /* this ensures alignment */
956 #ifdef HAVE_IPV6
957 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
958 #endif
959 #if defined(HAVE_LINUX_NETWORK)
960 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
961 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
962 char control[CMSG_SPACE(sizeof(struct in_addr)) +
963 CMSG_SPACE(sizeof(unsigned int))];
964 #elif defined(IP_RECVDSTADDR)
965 char control[CMSG_SPACE(sizeof(struct in_addr)) +
966 CMSG_SPACE(sizeof(struct sockaddr_dl))];
967 #endif
968 } control_u;
969 #ifdef HAVE_IPV6
970 /* Can always get recvd interface for IPv6 */
971 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
972 #else
973 int check_dst = !option_bool(OPT_NOWILD);
974 #endif
975
976 /* packet buffer overwritten */
977 daemon->srv_save = NULL;
978
979 dst_addr_4.s_addr = 0;
980 netmask.s_addr = 0;
981
982 if (option_bool(OPT_NOWILD) && listen->iface)
983 {
984 auth_dns = listen->iface->dns_auth;
985
986 if (listen->family == AF_INET)
987 {
988 dst_addr_4 = listen->iface->addr.in.sin_addr;
989 netmask = listen->iface->netmask;
990 }
991 }
992
993 iov[0].iov_base = daemon->packet;
994 iov[0].iov_len = daemon->edns_pktsz;
995
996 msg.msg_control = control_u.control;
997 msg.msg_controllen = sizeof(control_u);
998 msg.msg_flags = 0;
999 msg.msg_name = &source_addr;
1000 msg.msg_namelen = sizeof(source_addr);
1001 msg.msg_iov = iov;
1002 msg.msg_iovlen = 1;
1003
1004 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
1005 return;
1006
1007 if (n < (int)sizeof(struct dns_header) ||
1008 (msg.msg_flags & MSG_TRUNC) ||
1009 (header->hb3 & HB3_QR))
1010 return;
1011
1012 source_addr.sa.sa_family = listen->family;
1013 #ifdef HAVE_IPV6
1014 if (listen->family == AF_INET6)
1015 source_addr.in6.sin6_flowinfo = 0;
1016 #endif
1017
1018 if (check_dst)
1019 {
1020 struct ifreq ifr;
1021
1022 if (msg.msg_controllen < sizeof(struct cmsghdr))
1023 return;
1024
1025 #if defined(HAVE_LINUX_NETWORK)
1026 if (listen->family == AF_INET)
1027 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1028 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1029 {
1030 union {
1031 unsigned char *c;
1032 struct in_pktinfo *p;
1033 } p;
1034 p.c = CMSG_DATA(cmptr);
1035 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1036 if_index = p.p->ipi_ifindex;
1037 }
1038 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1039 if (listen->family == AF_INET)
1040 {
1041 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1042 {
1043 union {
1044 unsigned char *c;
1045 unsigned int *i;
1046 struct in_addr *a;
1047 #ifndef HAVE_SOLARIS_NETWORK
1048 struct sockaddr_dl *s;
1049 #endif
1050 } p;
1051 p.c = CMSG_DATA(cmptr);
1052 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1053 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1054 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
1055 #ifdef HAVE_SOLARIS_NETWORK
1056 if_index = *(p.i);
1057 #else
1058 if_index = p.s->sdl_index;
1059 #endif
1060 }
1061 }
1062 #endif
1063
1064 #ifdef HAVE_IPV6
1065 if (listen->family == AF_INET6)
1066 {
1067 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1068 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1069 {
1070 union {
1071 unsigned char *c;
1072 struct in6_pktinfo *p;
1073 } p;
1074 p.c = CMSG_DATA(cmptr);
1075
1076 dst_addr.addr.addr6 = p.p->ipi6_addr;
1077 if_index = p.p->ipi6_ifindex;
1078 }
1079 }
1080 #endif
1081
1082 /* enforce available interface configuration */
1083
1084 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
1085 return;
1086
1087 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1088 {
1089 if (!option_bool(OPT_CLEVERBIND))
1090 enumerate_interfaces(0);
1091 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1092 !label_exception(if_index, listen->family, &dst_addr))
1093 return;
1094 }
1095
1096 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1097 {
1098 struct irec *iface;
1099
1100 /* get the netmask of the interface whch has the address we were sent to.
1101 This is no neccessarily the interface we arrived on. */
1102
1103 for (iface = daemon->interfaces; iface; iface = iface->next)
1104 if (iface->addr.sa.sa_family == AF_INET &&
1105 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1106 break;
1107
1108 /* interface may be new */
1109 if (!iface && !option_bool(OPT_CLEVERBIND))
1110 enumerate_interfaces(0);
1111
1112 for (iface = daemon->interfaces; iface; iface = iface->next)
1113 if (iface->addr.sa.sa_family == AF_INET &&
1114 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1115 break;
1116
1117 /* If we failed, abandon localisation */
1118 if (iface)
1119 netmask = iface->netmask;
1120 else
1121 dst_addr_4.s_addr = 0;
1122 }
1123 }
1124
1125 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1126 {
1127 char types[20];
1128 #ifdef HAVE_AUTH
1129 struct auth_zone *zone;
1130 #endif
1131
1132 querystr(auth_dns ? "auth" : "query", types, type);
1133
1134 if (listen->family == AF_INET)
1135 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1136 (struct all_addr *)&source_addr.in.sin_addr, types);
1137 #ifdef HAVE_IPV6
1138 else
1139 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1140 (struct all_addr *)&source_addr.in6.sin6_addr, types);
1141 #endif
1142
1143 #ifdef HAVE_AUTH
1144 /* find queries for zones we're authoritative for, and answer them directly */
1145 if (!auth_dns)
1146 for (zone = daemon->auth_zones; zone; zone = zone->next)
1147 if (in_zone(zone, daemon->namebuff, NULL))
1148 {
1149 auth_dns = 1;
1150 local_auth = 1;
1151 break;
1152 }
1153 #endif
1154 }
1155
1156 #ifdef HAVE_AUTH
1157 if (auth_dns)
1158 {
1159 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
1160 if (m >= 1)
1161 {
1162 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1163 (char *)header, m, &source_addr, &dst_addr, if_index);
1164 daemon->auth_answer++;
1165 }
1166 }
1167 else
1168 #endif
1169 {
1170 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1171 dst_addr_4, netmask, now);
1172
1173 if (m >= 1)
1174 {
1175 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1176 (char *)header, m, &source_addr, &dst_addr, if_index);
1177 daemon->local_answer++;
1178 }
1179 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1180 header, (size_t)n, now, NULL))
1181 daemon->queries_forwarded++;
1182 else
1183 daemon->local_answer++;
1184 }
1185 }
1186
1187 #ifdef HAVE_DNSSEC
1188 static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
1189 {
1190 /* Recurse up the key heirarchy */
1191 size_t n;
1192 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1193 unsigned char *payload = &packet[2];
1194 struct dns_header *header = (struct dns_header *)payload;
1195 u16 *length = (u16 *)packet;
1196 int new_status;
1197 unsigned char c1, c2;
1198
1199 n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class,
1200 status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1201
1202 *length = htons(n);
1203
1204 if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
1205 !read_write(server->tcpfd, &c1, 1, 1) ||
1206 !read_write(server->tcpfd, &c2, 1, 1) ||
1207 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1208 {
1209 close(server->tcpfd);
1210 server->tcpfd = -1;
1211 new_status = STAT_INSECURE;
1212 }
1213 else
1214 {
1215 n = (c1 << 8) | c2;
1216
1217 if (status == STAT_NEED_KEY)
1218 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1219 else
1220 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1221
1222 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1223 {
1224 if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
1225 {
1226 if (status == STAT_NEED_KEY)
1227 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1228 else
1229 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1230
1231 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1232 {
1233 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
1234 status = STAT_INSECURE;
1235 }
1236 }
1237 }
1238 }
1239
1240 free(packet);
1241
1242 return new_status;
1243 }
1244 #endif
1245
1246
1247 /* The daemon forks before calling this: it should deal with one connection,
1248 blocking as neccessary, and then return. Note, need to be a bit careful
1249 about resources for debug mode, when the fork is suppressed: that's
1250 done by the caller. */
1251 unsigned char *tcp_request(int confd, time_t now,
1252 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1253 {
1254 size_t size = 0;
1255 int norebind = 0;
1256 #ifdef HAVE_AUTH
1257 int local_auth = 0;
1258 #endif
1259 int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
1260 size_t m;
1261 unsigned short qtype;
1262 unsigned int gotname;
1263 unsigned char c1, c2;
1264 /* Max TCP packet + slop + size */
1265 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1266 unsigned char *payload = &packet[2];
1267 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1268 struct dns_header *header = (struct dns_header *)payload;
1269 u16 *length = (u16 *)packet;
1270 struct server *last_server;
1271 struct in_addr dst_addr_4;
1272 union mysockaddr peer_addr;
1273 socklen_t peer_len = sizeof(union mysockaddr);
1274
1275 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1276 return packet;
1277
1278 while (1)
1279 {
1280 if (!packet ||
1281 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1282 !(size = c1 << 8 | c2) ||
1283 !read_write(confd, payload, size, 1))
1284 return packet;
1285
1286 if (size < (int)sizeof(struct dns_header))
1287 continue;
1288
1289 check_subnet = 0;
1290
1291 /* save state of "cd" flag in query */
1292 if ((checking_disabled = header->hb4 & HB4_CD))
1293 no_cache_dnssec = 1;
1294
1295 /* RFC 4035: sect 4.6 para 2 */
1296 header->hb4 &= ~HB4_AD;
1297
1298 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1299 {
1300 char types[20];
1301 #ifdef HAVE_AUTH
1302 struct auth_zone *zone;
1303 #endif
1304 querystr(auth_dns ? "auth" : "query", types, qtype);
1305
1306 if (peer_addr.sa.sa_family == AF_INET)
1307 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1308 (struct all_addr *)&peer_addr.in.sin_addr, types);
1309 #ifdef HAVE_IPV6
1310 else
1311 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1312 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1313 #endif
1314
1315 #ifdef HAVE_AUTH
1316 /* find queries for zones we're authoritative for, and answer them directly */
1317 if (!auth_dns)
1318 for (zone = daemon->auth_zones; zone; zone = zone->next)
1319 if (in_zone(zone, daemon->namebuff, NULL))
1320 {
1321 auth_dns = 1;
1322 local_auth = 1;
1323 break;
1324 }
1325 #endif
1326 }
1327
1328 if (local_addr->sa.sa_family == AF_INET)
1329 dst_addr_4 = local_addr->in.sin_addr;
1330 else
1331 dst_addr_4.s_addr = 0;
1332
1333 #ifdef HAVE_AUTH
1334 if (auth_dns)
1335 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1336 else
1337 #endif
1338 {
1339 /* m > 0 if answered from cache */
1340 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1341 dst_addr_4, netmask, now);
1342
1343 /* Do this by steam now we're not in the select() loop */
1344 check_log_writer(NULL);
1345
1346 if (m == 0)
1347 {
1348 unsigned int flags = 0;
1349 struct all_addr *addrp = NULL;
1350 int type = 0;
1351 char *domain = NULL;
1352
1353 if (option_bool(OPT_ADD_MAC))
1354 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1355
1356 if (option_bool(OPT_CLIENT_SUBNET))
1357 {
1358 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1359 if (size != new)
1360 {
1361 size = new;
1362 check_subnet = 1;
1363 }
1364 }
1365
1366 if (gotname)
1367 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1368
1369 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1370 last_server = daemon->servers;
1371 else
1372 last_server = daemon->last_server;
1373
1374 if (!flags && last_server)
1375 {
1376 struct server *firstsendto = NULL;
1377 #ifdef HAVE_DNSSEC
1378 unsigned char *newhash, hash[HASH_SIZE];
1379 if ((newhash = hash_questions(header, (unsigned int)size, daemon->keyname)))
1380 memcpy(hash, newhash, HASH_SIZE);
1381 #else
1382 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1383 #endif
1384 /* Loop round available servers until we succeed in connecting to one.
1385 Note that this code subtley ensures that consecutive queries on this connection
1386 which can go to the same server, do so. */
1387 while (1)
1388 {
1389 if (!firstsendto)
1390 firstsendto = last_server;
1391 else
1392 {
1393 if (!(last_server = last_server->next))
1394 last_server = daemon->servers;
1395
1396 if (last_server == firstsendto)
1397 break;
1398 }
1399
1400 /* server for wrong domain */
1401 if (type != (last_server->flags & SERV_TYPE) ||
1402 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
1403 continue;
1404
1405 if (last_server->tcpfd == -1)
1406 {
1407 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1408 continue;
1409
1410 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1411 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1412 {
1413 close(last_server->tcpfd);
1414 last_server->tcpfd = -1;
1415 continue;
1416 }
1417
1418 #ifdef HAVE_DNSSEC
1419 if (option_bool(OPT_DNSSEC_VALID))
1420 {
1421 size = add_do_bit(header, size, ((char *) header) + 65536);
1422 header->hb4 |= HB4_CD;
1423 }
1424 #endif
1425
1426 #ifdef HAVE_CONNTRACK
1427 /* Copy connection mark of incoming query to outgoing connection. */
1428 if (option_bool(OPT_CONNTRACK))
1429 {
1430 unsigned int mark;
1431 struct all_addr local;
1432 #ifdef HAVE_IPV6
1433 if (local_addr->sa.sa_family == AF_INET6)
1434 local.addr.addr6 = local_addr->in6.sin6_addr;
1435 else
1436 #endif
1437 local.addr.addr4 = local_addr->in.sin_addr;
1438
1439 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1440 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1441 }
1442 #endif
1443 }
1444
1445 *length = htons(size);
1446
1447 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1448 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1449 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1450 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
1451 {
1452 close(last_server->tcpfd);
1453 last_server->tcpfd = -1;
1454 continue;
1455 }
1456
1457 m = (c1 << 8) | c2;
1458
1459 if (!gotname)
1460 strcpy(daemon->namebuff, "query");
1461 if (last_server->addr.sa.sa_family == AF_INET)
1462 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1463 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1464 #ifdef HAVE_IPV6
1465 else
1466 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1467 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1468 #endif
1469
1470 #ifdef HAVE_DNSSEC
1471 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1472 {
1473 int class, status;
1474
1475 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1476
1477 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
1478 {
1479 if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
1480 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1481 }
1482
1483 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
1484 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1485
1486 if (status == STAT_BOGUS)
1487 no_cache_dnssec = 1;
1488
1489 if (status == STAT_SECURE)
1490 cache_secure = 1;
1491 }
1492 #endif
1493
1494 /* restore CD bit to the value in the query */
1495 if (checking_disabled)
1496 header->hb4 |= HB4_CD;
1497 else
1498 header->hb4 &= ~HB4_CD;
1499
1500 /* There's no point in updating the cache, since this process will exit and
1501 lose the information after a few queries. We make this call for the alias and
1502 bogus-nxdomain side-effects. */
1503 /* If the crc of the question section doesn't match the crc we sent, then
1504 someone might be attempting to insert bogus values into the cache by
1505 sending replies containing questions and bogus answers. */
1506 #ifdef HAVE_DNSSEC
1507 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
1508 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
1509 {
1510 m = 0;
1511 break;
1512 }
1513 #else
1514 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
1515 {
1516 m = 0;
1517 break;
1518 }
1519 #endif
1520
1521 m = process_reply(header, now, last_server, (unsigned int)m,
1522 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1523 cache_secure, check_subnet, &peer_addr);
1524
1525 break;
1526 }
1527 }
1528
1529 /* In case of local answer or no connections made. */
1530 if (m == 0)
1531 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1532 }
1533 }
1534
1535 check_log_writer(NULL);
1536
1537 *length = htons(m);
1538
1539 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
1540 return packet;
1541 }
1542 }
1543
1544 static struct frec *allocate_frec(time_t now)
1545 {
1546 struct frec *f;
1547
1548 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1549 {
1550 f->next = daemon->frec_list;
1551 f->time = now;
1552 f->sentto = NULL;
1553 f->rfd4 = NULL;
1554 f->flags = 0;
1555 #ifdef HAVE_IPV6
1556 f->rfd6 = NULL;
1557 #endif
1558 #ifdef HAVE_DNSSEC
1559 f->blocking_query = NULL;
1560 f->stash = NULL;
1561 #endif
1562 daemon->frec_list = f;
1563 }
1564
1565 return f;
1566 }
1567
1568 static struct randfd *allocate_rfd(int family)
1569 {
1570 static int finger = 0;
1571 int i;
1572
1573 /* limit the number of sockets we have open to avoid starvation of
1574 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1575
1576 for (i = 0; i < RANDOM_SOCKS; i++)
1577 if (daemon->randomsocks[i].refcount == 0)
1578 {
1579 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1580 break;
1581
1582 daemon->randomsocks[i].refcount = 1;
1583 daemon->randomsocks[i].family = family;
1584 return &daemon->randomsocks[i];
1585 }
1586
1587 /* No free ones or cannot get new socket, grab an existing one */
1588 for (i = 0; i < RANDOM_SOCKS; i++)
1589 {
1590 int j = (i+finger) % RANDOM_SOCKS;
1591 if (daemon->randomsocks[j].refcount != 0 &&
1592 daemon->randomsocks[j].family == family &&
1593 daemon->randomsocks[j].refcount != 0xffff)
1594 {
1595 finger = j;
1596 daemon->randomsocks[j].refcount++;
1597 return &daemon->randomsocks[j];
1598 }
1599 }
1600
1601 return NULL; /* doom */
1602 }
1603 static void free_frec(struct frec *f)
1604 {
1605 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1606 close(f->rfd4->fd);
1607
1608 f->rfd4 = NULL;
1609 f->sentto = NULL;
1610 f->flags = 0;
1611
1612 #ifdef HAVE_IPV6
1613 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1614 close(f->rfd6->fd);
1615
1616 f->rfd6 = NULL;
1617 #endif
1618
1619 #ifdef HAVE_DNSSEC
1620 if (f->stash)
1621 {
1622 blockdata_free(f->stash);
1623 f->stash = NULL;
1624 }
1625
1626 /* Anything we're waiting on is pointless now, too */
1627 if (f->blocking_query)
1628 free_frec(f->blocking_query);
1629 f->blocking_query = NULL;
1630 f->dependent = NULL;
1631 #endif
1632 }
1633
1634 /* if wait==NULL return a free or older than TIMEOUT record.
1635 else return *wait zero if one available, or *wait is delay to
1636 when the oldest in-use record will expire. Impose an absolute
1637 limit of 4*TIMEOUT before we wipe things (for random sockets).
1638 If force is set, always return a result, even if we have
1639 to allocate above the limit. */
1640 struct frec *get_new_frec(time_t now, int *wait, int force)
1641 {
1642 struct frec *f, *oldest, *target;
1643 int count;
1644
1645 if (wait)
1646 *wait = 0;
1647
1648 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
1649 if (!f->sentto)
1650 target = f;
1651 else
1652 {
1653 if (difftime(now, f->time) >= 4*TIMEOUT)
1654 {
1655 free_frec(f);
1656 target = f;
1657 }
1658
1659 if (!oldest || difftime(f->time, oldest->time) <= 0)
1660 oldest = f;
1661 }
1662
1663 if (target)
1664 {
1665 target->time = now;
1666 return target;
1667 }
1668
1669 /* can't find empty one, use oldest if there is one
1670 and it's older than timeout */
1671 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
1672 {
1673 /* keep stuff for twice timeout if we can by allocating a new
1674 record instead */
1675 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1676 count <= daemon->ftabsize &&
1677 (f = allocate_frec(now)))
1678 return f;
1679
1680 if (!wait)
1681 {
1682 free_frec(oldest);
1683 oldest->time = now;
1684 }
1685 return oldest;
1686 }
1687
1688 /* none available, calculate time 'till oldest record expires */
1689 if (!force && count > daemon->ftabsize)
1690 {
1691 static time_t last_log = 0;
1692
1693 if (oldest && wait)
1694 *wait = oldest->time + (time_t)TIMEOUT - now;
1695
1696 if ((int)difftime(now, last_log) > 5)
1697 {
1698 last_log = now;
1699 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1700 }
1701
1702 return NULL;
1703 }
1704
1705 if (!(f = allocate_frec(now)) && wait)
1706 /* wait one second on malloc failure */
1707 *wait = 1;
1708
1709 return f; /* OK if malloc fails and this is NULL */
1710 }
1711
1712 /* crc is all-ones if not known. */
1713 static struct frec *lookup_frec(unsigned short id, void *hash)
1714 {
1715 struct frec *f;
1716
1717 for(f = daemon->frec_list; f; f = f->next)
1718 if (f->sentto && f->new_id == id &&
1719 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
1720 return f;
1721
1722 return NULL;
1723 }
1724
1725 static struct frec *lookup_frec_by_sender(unsigned short id,
1726 union mysockaddr *addr,
1727 void *hash)
1728 {
1729 struct frec *f;
1730
1731 for(f = daemon->frec_list; f; f = f->next)
1732 if (f->sentto &&
1733 f->orig_id == id &&
1734 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
1735 sockaddr_isequal(&f->source, addr))
1736 return f;
1737
1738 return NULL;
1739 }
1740
1741 /* A server record is going away, remove references to it */
1742 void server_gone(struct server *server)
1743 {
1744 struct frec *f;
1745
1746 for (f = daemon->frec_list; f; f = f->next)
1747 if (f->sentto && f->sentto == server)
1748 free_frec(f);
1749
1750 if (daemon->last_server == server)
1751 daemon->last_server = NULL;
1752
1753 if (daemon->srv_save == server)
1754 daemon->srv_save = NULL;
1755 }
1756
1757 /* return unique random ids. */
1758 static unsigned short get_id(void)
1759 {
1760 unsigned short ret = 0;
1761
1762 do
1763 ret = rand16();
1764 while (lookup_frec(ret, NULL));
1765
1766 return ret;
1767 }
1768
1769
1770
1771
1772
Michael's tree of dnsmasq.