]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
25 static struct randfd
*allocate_rfd(int family
);
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
30 union mysockaddr
*to
, struct all_addr
*source
,
36 struct cmsghdr align
; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
39 #elif defined(IP_SENDSRCADDR)
40 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
43 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
47 iov
[0].iov_base
= packet
;
50 msg
.msg_control
= NULL
;
51 msg
.msg_controllen
= 0;
54 msg
.msg_namelen
= sa_len(to
);
60 struct cmsghdr
*cmptr
;
61 msg
.msg_control
= &control_u
;
62 msg
.msg_controllen
= sizeof(control_u
);
63 cmptr
= CMSG_FIRSTHDR(&msg
);
65 if (to
->sa
.sa_family
== AF_INET
)
67 #if defined(HAVE_LINUX_NETWORK)
70 p
.ipi_spec_dst
= source
->addr
.addr4
;
71 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
72 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
73 cmptr
->cmsg_level
= IPPROTO_IP
;
74 cmptr
->cmsg_type
= IP_PKTINFO
;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
77 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
78 cmptr
->cmsg_level
= IPPROTO_IP
;
79 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
86 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
87 p
.ipi6_addr
= source
->addr
.addr6
;
88 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
89 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
90 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
91 cmptr
->cmsg_level
= IPPROTO_IPV6
;
94 (void)iface
; /* eliminate warning */
98 while (sendmsg(fd
, &msg
, 0) == -1)
103 /* If interface is still in DAD, EINVAL results - ignore that. */
107 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
114 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
115 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
122 unsigned int namelen
= strlen(qdomain
);
123 unsigned int matchlen
= 0;
125 unsigned int flags
= 0;
127 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
131 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
132 *type
= SERV_FOR_NODOTS
;
133 if (serv
->flags
& SERV_NO_ADDR
)
135 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
140 if (serv
->addr
.sa
.sa_family
== AF_INET
)
141 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
144 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
147 else if (!flags
|| (flags
& F_NXDOMAIN
))
151 else if (serv
->flags
& SERV_HAS_DOMAIN
)
153 unsigned int domainlen
= strlen(serv
->domain
);
154 char *matchstart
= qdomain
+ namelen
- domainlen
;
155 if (namelen
>= domainlen
&&
156 hostname_isequal(matchstart
, serv
->domain
) &&
157 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
159 if (serv
->flags
& SERV_NO_REBIND
)
163 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen
!= 0 && domainlen
== matchlen
)
169 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
171 if (!(sflag
& qtype
) && flags
== 0)
176 if (flags
& (F_IPV4
| F_IPV6
))
181 if (domainlen
>= matchlen
)
183 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
184 *domain
= serv
->domain
;
185 matchlen
= domainlen
;
186 if (serv
->flags
& SERV_NO_ADDR
)
188 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
193 if (serv
->addr
.sa
.sa_family
== AF_INET
)
194 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
197 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
200 else if (!flags
|| (flags
& F_NXDOMAIN
))
210 if (flags
== 0 && !(qtype
& F_QUERY
) &&
211 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
215 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
222 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
223 logflags
= F_NEG
| qtype
;
225 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
227 else if ((*type
) & SERV_USE_RESOLV
)
229 *type
= 0; /* use normal servers for this domain */
235 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
236 struct all_addr
*dst_addr
, unsigned int dst_iface
,
237 struct dns_header
*header
, size_t plen
, time_t now
, struct frec
*forward
)
240 int type
= 0, norebind
= 0;
241 struct all_addr
*addrp
= NULL
;
242 unsigned int flags
= 0;
243 struct server
*start
= NULL
;
245 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
247 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
250 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
252 /* RFC 4035: sect 4.6 para 2 */
253 header
->hb4
&= ~HB4_AD
;
255 /* may be no servers available. */
256 if (!daemon
->servers
)
258 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
261 /* If we've already got an answer to this query, but we're awaiting keys for vaildation,
262 there's no point retrying the query, retry the key query instead...... */
263 if (forward
->blocking_query
)
267 while (forward
->blocking_query
)
268 forward
= forward
->blocking_query
;
270 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
271 plen
= forward
->stash_len
;
273 if (forward
->sentto
->addr
.sa
.sa_family
)
274 log_query(F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
277 log_query(F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
280 if (forward
->sentto
->sfd
)
281 fd
= forward
->sentto
->sfd
->fd
;
285 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
286 fd
= forward
->rfd6
->fd
;
289 fd
= forward
->rfd4
->fd
;
292 while (sendto(fd
, (char *)header
, plen
, 0,
293 &forward
->sentto
->addr
.sa
,
294 sa_len(&forward
->sentto
->addr
)) == -1 && retry_send());
300 /* retry on existing query, send to all available servers */
301 domain
= forward
->sentto
->domain
;
302 forward
->sentto
->failed_queries
++;
303 if (!option_bool(OPT_ORDER
))
305 forward
->forwardall
= 1;
306 daemon
->last_server
= NULL
;
308 type
= forward
->sentto
->flags
& SERV_TYPE
;
309 if (!(start
= forward
->sentto
->next
))
310 start
= daemon
->servers
; /* at end of list, recycle */
311 header
->id
= htons(forward
->new_id
);
316 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
318 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
319 /* table full - server failure. */
324 forward
->source
= *udpaddr
;
325 forward
->dest
= *dst_addr
;
326 forward
->iface
= dst_iface
;
327 forward
->orig_id
= ntohs(header
->id
);
328 forward
->new_id
= get_id();
330 memcpy(forward
->hash
, hash
, HASH_SIZE
);
331 forward
->forwardall
= 0;
334 forward
->flags
|= FREC_NOREBIND
;
335 if (header
->hb4
& HB4_CD
)
336 forward
->flags
|= FREC_CHECKING_DISABLED
;
338 header
->id
= htons(forward
->new_id
);
340 /* In strict_order mode, always try servers in the order
341 specified in resolv.conf, if a domain is given
342 always try all the available servers,
343 otherwise, use the one last known to work. */
347 if (option_bool(OPT_ORDER
))
348 start
= daemon
->servers
;
349 else if (!(start
= daemon
->last_server
) ||
350 daemon
->forwardcount
++ > FORWARD_TEST
||
351 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
353 start
= daemon
->servers
;
354 forward
->forwardall
= 1;
355 daemon
->forwardcount
= 0;
356 daemon
->forwardtime
= now
;
361 start
= daemon
->servers
;
362 if (!option_bool(OPT_ORDER
))
363 forward
->forwardall
= 1;
368 /* check for send errors here (no route to host)
369 if we fail to send to all nameservers, send back an error
370 packet straight away (helps modem users when offline) */
372 if (!flags
&& forward
)
374 struct server
*firstsentto
= start
;
377 if (option_bool(OPT_ADD_MAC
))
378 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
380 if (option_bool(OPT_CLIENT_SUBNET
))
382 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
386 forward
->flags
|= FREC_HAS_SUBNET
;
391 if (option_bool(OPT_DNSSEC_VALID
))
393 plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
394 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
395 this allows it to select auth servers when one is returning bad data. */
396 if (option_bool(OPT_DNSSEC_DEBUG
))
397 header
->hb4
|= HB4_CD
;
403 /* only send to servers dealing with our domain.
404 domain may be NULL, in which case server->domain
405 must be NULL also. */
407 if (type
== (start
->flags
& SERV_TYPE
) &&
408 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
409 !(start
->flags
& SERV_LITERAL_ADDRESS
))
413 /* find server socket to use, may need to get random one. */
419 if (start
->addr
.sa
.sa_family
== AF_INET6
)
421 if (!forward
->rfd6
&&
422 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
424 daemon
->rfd_save
= forward
->rfd6
;
425 fd
= forward
->rfd6
->fd
;
430 if (!forward
->rfd4
&&
431 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
433 daemon
->rfd_save
= forward
->rfd4
;
434 fd
= forward
->rfd4
->fd
;
437 #ifdef HAVE_CONNTRACK
438 /* Copy connection mark of incoming query to outgoing connection. */
439 if (option_bool(OPT_CONNTRACK
))
442 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
443 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
448 if (sendto(fd
, (char *)header
, plen
, 0,
450 sa_len(&start
->addr
)) == -1)
457 /* Keep info in case we want to re-send this packet */
458 daemon
->srv_save
= start
;
459 daemon
->packet_len
= plen
;
462 strcpy(daemon
->namebuff
, "query");
463 if (start
->addr
.sa
.sa_family
== AF_INET
)
464 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
465 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
468 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
469 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
473 forward
->sentto
= start
;
474 if (!forward
->forwardall
)
476 forward
->forwardall
++;
480 if (!(start
= start
->next
))
481 start
= daemon
->servers
;
483 if (start
== firstsentto
)
490 /* could not send on, prepare to return */
491 header
->id
= htons(forward
->orig_id
);
492 free_frec(forward
); /* cancel */
495 /* could not send on, return empty answer or address if known for whole domain */
498 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
499 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
505 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
506 int no_cache
, int cache_secure
, int check_subnet
, union mysockaddr
*query_source
)
508 unsigned char *pheader
, *sizep
;
510 int munged
= 0, is_sign
;
514 /* Similar algorithm to search_servers. */
515 struct ipsets
*ipset_pos
;
516 unsigned int namelen
= strlen(daemon
->namebuff
);
517 unsigned int matchlen
= 0;
518 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
520 unsigned int domainlen
= strlen(ipset_pos
->domain
);
521 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
522 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
523 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
524 domainlen
>= matchlen
)
526 matchlen
= domainlen
;
527 sets
= ipset_pos
->sets
;
532 /* If upstream is advertising a larger UDP packet size
533 than we allow, trim it so that we don't get overlarge
534 requests for the client. We can't do this for signed packets. */
536 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
540 unsigned short udpsz
;
541 unsigned char *psave
= sizep
;
543 GETSHORT(udpsz
, sizep
);
544 if (udpsz
> daemon
->edns_pktsz
)
545 PUTSHORT(daemon
->edns_pktsz
, psave
);
548 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
550 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
555 /* RFC 4035 sect 4.6 para 3 */
556 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
557 header
->hb4
&= ~HB4_AD
;
560 if (option_bool(OPT_DNSSEC_VALID
))
561 header
->hb4
&= ~HB4_AD
;
563 if (!(header
->hb4
& HB4_CD
) && cache_secure
)
564 header
->hb4
|= HB4_AD
;
567 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
570 /* Complain loudly if the upstream server is non-recursive. */
571 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
572 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
574 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
575 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
576 if (!option_bool(OPT_LOG
))
577 server
->flags
|= SERV_WARNED_RECURSIVE
;
580 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
581 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
584 SET_RCODE(header
, NXDOMAIN
);
585 header
->hb3
&= ~HB3_AA
;
589 if (RCODE(header
) == NXDOMAIN
&&
590 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
591 check_for_local_domain(daemon
->namebuff
, now
))
593 /* if we forwarded a query for a locally known name (because it was for
594 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
595 since we know that the domain exists, even if upstream doesn't */
597 header
->hb3
|= HB3_AA
;
598 SET_RCODE(header
, NOERROR
);
601 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
))
603 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
609 if (no_cache
&& !(header
->hb4
& HB4_CD
))
611 if (option_bool(OPT_DNSSEC_PERMISS
))
616 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
618 querystr("", types
, type
);
619 my_syslog(LOG_WARNING
, _("DNSSEC validation failed: query %s%s"), daemon
->namebuff
, types
);
622 my_syslog(LOG_WARNING
, _("DNSSEC validation failed for unknown query"));
626 /* Bogus reply, turn into SERVFAIL */
627 SET_RCODE(header
, SERVFAIL
);
633 /* do this after extract_addresses. Ensure NODATA reply and remove
638 header
->ancount
= htons(0);
639 header
->nscount
= htons(0);
640 header
->arcount
= htons(0);
643 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
644 sections of the packet. Find the new length here and put back pseudoheader
645 if it was removed. */
646 return resize_packet(header
, n
, pheader
, plen
);
649 /* sets new last_server */
650 void reply_query(int fd
, int family
, time_t now
)
652 /* packet from peer server, extract data for cache, and send to
653 original requester */
654 struct dns_header
*header
;
655 union mysockaddr serveraddr
;
656 struct frec
*forward
;
657 socklen_t addrlen
= sizeof(serveraddr
);
658 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
660 struct server
*server
;
666 /* packet buffer overwritten */
667 daemon
->srv_save
= NULL
;
669 /* Determine the address of the server replying so that we can mark that as good */
670 serveraddr
.sa
.sa_family
= family
;
672 if (serveraddr
.sa
.sa_family
== AF_INET6
)
673 serveraddr
.in6
.sin6_flowinfo
= 0;
676 /* spoof check: answer must come from known server, */
677 for (server
= daemon
->servers
; server
; server
= server
->next
)
678 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
679 sockaddr_isequal(&server
->addr
, &serveraddr
))
682 header
= (struct dns_header
*)daemon
->packet
;
685 hash
= hash_questions(header
, n
, daemon
->namebuff
);
688 crc
= questions_crc(header
, n
, daemon
->namebuff
);
692 n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
) ||
693 !(forward
= lookup_frec(ntohs(header
->id
), hash
)))
696 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
697 !option_bool(OPT_ORDER
) &&
698 forward
->forwardall
== 0)
699 /* for broken servers, attempt to send to another one. */
701 unsigned char *pheader
;
705 /* recreate query from reply */
706 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
709 header
->ancount
= htons(0);
710 header
->nscount
= htons(0);
711 header
->arcount
= htons(0);
712 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
714 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
715 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
);
721 server
= forward
->sentto
;
723 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
725 if (RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
)
729 struct server
*last_server
;
731 /* find good server by address if possible, otherwise assume the last one we sent to */
732 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
733 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
734 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
736 server
= last_server
;
740 if (!option_bool(OPT_ALL_SERVERS
))
741 daemon
->last_server
= server
;
744 /* If the answer is an error, keep the forward record in place in case
745 we get a good reply from another server. Kill it when we've
746 had replies from all to avoid filling the forwarding table when
747 everything is broken */
748 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 ||
749 (RCODE(header
) != REFUSED
&& RCODE(header
) != SERVFAIL
))
751 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
753 if (option_bool(OPT_NO_REBIND
))
754 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
756 /* Don't cache replies where DNSSEC validation was turned off, either
757 the upstream server told us so, or the original query specified it. */
758 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
762 if (option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
766 /* We've had a reply already, which we're validating. Ignore this duplicate */
767 if (forward
->blocking_query
)
770 if (header
->hb3
& HB3_TC
)
772 /* Truncated answer can't be validated.
773 If this is an answer to a DNSSEC-generated query, we still
774 need to get the client to retry over TCP, so return
775 an answer with the TC bit set, even if the actual answer fits.
777 status
= STAT_TRUNCATED
;
779 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
780 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
781 else if (forward
->flags
& FREC_DS_QUERY
)
782 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
784 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
786 /* Can't validate, as we're missing key data. Put this
787 answer aside, whilst we get that. */
788 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
792 if ((new = get_new_frec(now
, NULL
, 1)))
794 struct frec
*next
= new->next
;
795 *new = *forward
; /* copy everything, then overwrite */
797 new->blocking_query
= NULL
;
802 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
);
804 /* Free any saved query */
806 blockdata_free(forward
->stash
);
808 /* Now save reply pending receipt of key data */
809 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
810 free_frec(new); /* malloc failure, unwind */
815 forward
->stash_len
= n
;
817 new->dependent
= forward
; /* to find query awaiting new one. */
818 forward
->blocking_query
= new; /* for garbage cleaning */
819 /* validate routines leave name of required record in daemon->keyname */
820 if (status
== STAT_NEED_KEY
)
822 new->flags
|= FREC_DNSKEY_QUERY
;
823 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
824 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
828 new->flags
|= FREC_DS_QUERY
;
829 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
830 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
832 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
833 memcpy(new->hash
, hash
, HASH_SIZE
);
834 new->new_id
= get_id();
835 header
->id
= htons(new->new_id
);
836 /* Save query for retransmission */
837 new->stash
= blockdata_alloc((char *)header
, nn
);
840 /* Don't resend this. */
841 daemon
->srv_save
= NULL
;
844 fd
= server
->sfd
->fd
;
849 if (server
->addr
.sa
.sa_family
== AF_INET6
)
851 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
857 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
864 while (sendto(fd
, (char *)header
, nn
, 0, &server
->addr
.sa
, sa_len(&server
->addr
)) == -1 && retry_send());
873 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
874 Now wind back down, pulling back answers which wouldn't previously validate
875 and validate them with the new data. Failure to find needed data here is an internal error.
876 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
877 return it to the original requestor. */
878 while (forward
->dependent
)
880 struct frec
*prev
= forward
->dependent
;
883 forward
->blocking_query
= NULL
; /* already gone */
884 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
885 n
= forward
->stash_len
;
887 if (status
== STAT_SECURE
)
889 if (forward
->flags
& FREC_DNSKEY_QUERY
)
890 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
891 else if (forward
->flags
& FREC_DS_QUERY
)
892 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
894 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
896 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
898 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
899 status
= STAT_INSECURE
;
904 if (status
== STAT_TRUNCATED
)
905 header
->hb3
|= HB3_TC
;
907 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
908 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
912 if (status
== STAT_SECURE
)
914 else if (status
== STAT_BOGUS
)
917 /* restore CD bit to the value in the query */
918 if (forward
->flags
& FREC_CHECKING_DISABLED
)
919 header
->hb4
|= HB4_CD
;
921 header
->hb4
&= ~HB4_CD
;
925 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
926 forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
928 header
->id
= htons(forward
->orig_id
);
929 header
->hb4
|= HB4_RA
; /* recursion if available */
930 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
931 &forward
->source
, &forward
->dest
, forward
->iface
);
933 free_frec(forward
); /* cancel */
938 void receive_query(struct listener
*listen
, time_t now
)
940 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
941 union mysockaddr source_addr
;
943 struct all_addr dst_addr
;
944 struct in_addr netmask
, dst_addr_4
;
947 int if_index
= 0, auth_dns
= 0;
953 struct cmsghdr
*cmptr
;
955 struct cmsghdr align
; /* this ensures alignment */
957 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
959 #if defined(HAVE_LINUX_NETWORK)
960 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
961 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
962 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
963 CMSG_SPACE(sizeof(unsigned int))];
964 #elif defined(IP_RECVDSTADDR)
965 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
966 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
970 /* Can always get recvd interface for IPv6 */
971 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
973 int check_dst
= !option_bool(OPT_NOWILD
);
976 /* packet buffer overwritten */
977 daemon
->srv_save
= NULL
;
979 dst_addr_4
.s_addr
= 0;
982 if (option_bool(OPT_NOWILD
) && listen
->iface
)
984 auth_dns
= listen
->iface
->dns_auth
;
986 if (listen
->family
== AF_INET
)
988 dst_addr_4
= listen
->iface
->addr
.in
.sin_addr
;
989 netmask
= listen
->iface
->netmask
;
993 iov
[0].iov_base
= daemon
->packet
;
994 iov
[0].iov_len
= daemon
->edns_pktsz
;
996 msg
.msg_control
= control_u
.control
;
997 msg
.msg_controllen
= sizeof(control_u
);
999 msg
.msg_name
= &source_addr
;
1000 msg
.msg_namelen
= sizeof(source_addr
);
1004 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1007 if (n
< (int)sizeof(struct dns_header
) ||
1008 (msg
.msg_flags
& MSG_TRUNC
) ||
1009 (header
->hb3
& HB3_QR
))
1012 source_addr
.sa
.sa_family
= listen
->family
;
1014 if (listen
->family
== AF_INET6
)
1015 source_addr
.in6
.sin6_flowinfo
= 0;
1022 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1025 #if defined(HAVE_LINUX_NETWORK)
1026 if (listen
->family
== AF_INET
)
1027 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1028 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1032 struct in_pktinfo
*p
;
1034 p
.c
= CMSG_DATA(cmptr
);
1035 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1036 if_index
= p
.p
->ipi_ifindex
;
1038 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1039 if (listen
->family
== AF_INET
)
1041 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1047 #ifndef HAVE_SOLARIS_NETWORK
1048 struct sockaddr_dl
*s
;
1051 p
.c
= CMSG_DATA(cmptr
);
1052 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1053 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1054 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1055 #ifdef HAVE_SOLARIS_NETWORK
1058 if_index
= p
.s
->sdl_index
;
1065 if (listen
->family
== AF_INET6
)
1067 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1068 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1072 struct in6_pktinfo
*p
;
1074 p
.c
= CMSG_DATA(cmptr
);
1076 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1077 if_index
= p
.p
->ipi6_ifindex
;
1082 /* enforce available interface configuration */
1084 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1087 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1089 if (!option_bool(OPT_CLEVERBIND
))
1090 enumerate_interfaces(0);
1091 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1092 !label_exception(if_index
, listen
->family
, &dst_addr
))
1096 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1100 /* get the netmask of the interface whch has the address we were sent to.
1101 This is no neccessarily the interface we arrived on. */
1103 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1104 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1105 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1108 /* interface may be new */
1109 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1110 enumerate_interfaces(0);
1112 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1113 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1114 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1117 /* If we failed, abandon localisation */
1119 netmask
= iface
->netmask
;
1121 dst_addr_4
.s_addr
= 0;
1125 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1129 struct auth_zone
*zone
;
1132 querystr(auth_dns
? "auth" : "query", types
, type
);
1134 if (listen
->family
== AF_INET
)
1135 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1136 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1139 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1140 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1144 /* find queries for zones we're authoritative for, and answer them directly */
1146 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1147 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1159 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1162 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1163 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1164 daemon
->auth_answer
++;
1170 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1171 dst_addr_4
, netmask
, now
);
1175 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1176 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1177 daemon
->local_answer
++;
1179 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1180 header
, (size_t)n
, now
, NULL
))
1181 daemon
->queries_forwarded
++;
1183 daemon
->local_answer
++;
1188 static int tcp_key_recurse(time_t now
, int status
, int class, char *keyname
, struct server
*server
)
1190 /* Recurse up the key heirarchy */
1192 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1193 unsigned char *payload
= &packet
[2];
1194 struct dns_header
*header
= (struct dns_header
*)payload
;
1195 u16
*length
= (u16
*)packet
;
1197 unsigned char c1
, c2
;
1199 n
= dnssec_generate_query(header
, ((char *) header
) + 65536, keyname
, class,
1200 status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1204 if (!read_write(server
->tcpfd
, packet
, n
+ sizeof(u16
), 0) ||
1205 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1206 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1207 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1209 close(server
->tcpfd
);
1211 new_status
= STAT_INSECURE
;
1217 if (status
== STAT_NEED_KEY
)
1218 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1220 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1222 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1224 if ((new_status
= tcp_key_recurse(now
, new_status
, class, daemon
->keyname
, server
) == STAT_SECURE
))
1226 if (status
== STAT_NEED_KEY
)
1227 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1229 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1231 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1233 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
1234 status
= STAT_INSECURE
;
1247 /* The daemon forks before calling this: it should deal with one connection,
1248 blocking as neccessary, and then return. Note, need to be a bit careful
1249 about resources for debug mode, when the fork is suppressed: that's
1250 done by the caller. */
1251 unsigned char *tcp_request(int confd
, time_t now
,
1252 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1259 int checking_disabled
, check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0;
1261 unsigned short qtype
;
1262 unsigned int gotname
;
1263 unsigned char c1
, c2
;
1264 /* Max TCP packet + slop + size */
1265 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1266 unsigned char *payload
= &packet
[2];
1267 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1268 struct dns_header
*header
= (struct dns_header
*)payload
;
1269 u16
*length
= (u16
*)packet
;
1270 struct server
*last_server
;
1271 struct in_addr dst_addr_4
;
1272 union mysockaddr peer_addr
;
1273 socklen_t peer_len
= sizeof(union mysockaddr
);
1275 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1281 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1282 !(size
= c1
<< 8 | c2
) ||
1283 !read_write(confd
, payload
, size
, 1))
1286 if (size
< (int)sizeof(struct dns_header
))
1291 /* save state of "cd" flag in query */
1292 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1293 no_cache_dnssec
= 1;
1295 /* RFC 4035: sect 4.6 para 2 */
1296 header
->hb4
&= ~HB4_AD
;
1298 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1302 struct auth_zone
*zone
;
1304 querystr(auth_dns
? "auth" : "query", types
, qtype
);
1306 if (peer_addr
.sa
.sa_family
== AF_INET
)
1307 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1308 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1311 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1312 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1316 /* find queries for zones we're authoritative for, and answer them directly */
1318 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1319 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1328 if (local_addr
->sa
.sa_family
== AF_INET
)
1329 dst_addr_4
= local_addr
->in
.sin_addr
;
1331 dst_addr_4
.s_addr
= 0;
1335 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1339 /* m > 0 if answered from cache */
1340 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1341 dst_addr_4
, netmask
, now
);
1343 /* Do this by steam now we're not in the select() loop */
1344 check_log_writer(NULL
);
1348 unsigned int flags
= 0;
1349 struct all_addr
*addrp
= NULL
;
1351 char *domain
= NULL
;
1353 if (option_bool(OPT_ADD_MAC
))
1354 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1356 if (option_bool(OPT_CLIENT_SUBNET
))
1358 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1367 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1369 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1370 last_server
= daemon
->servers
;
1372 last_server
= daemon
->last_server
;
1374 if (!flags
&& last_server
)
1376 struct server
*firstsendto
= NULL
;
1378 unsigned char *newhash
, hash
[HASH_SIZE
];
1379 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->keyname
)))
1380 memcpy(hash
, newhash
, HASH_SIZE
);
1382 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1384 /* Loop round available servers until we succeed in connecting to one.
1385 Note that this code subtley ensures that consecutive queries on this connection
1386 which can go to the same server, do so. */
1390 firstsendto
= last_server
;
1393 if (!(last_server
= last_server
->next
))
1394 last_server
= daemon
->servers
;
1396 if (last_server
== firstsendto
)
1400 /* server for wrong domain */
1401 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1402 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)))
1405 if (last_server
->tcpfd
== -1)
1407 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1410 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1411 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1413 close(last_server
->tcpfd
);
1414 last_server
->tcpfd
= -1;
1419 if (option_bool(OPT_DNSSEC_VALID
))
1421 size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1422 header
->hb4
|= HB4_CD
;
1426 #ifdef HAVE_CONNTRACK
1427 /* Copy connection mark of incoming query to outgoing connection. */
1428 if (option_bool(OPT_CONNTRACK
))
1431 struct all_addr local
;
1433 if (local_addr
->sa
.sa_family
== AF_INET6
)
1434 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1437 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1439 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1440 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1445 *length
= htons(size
);
1447 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1448 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1449 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1450 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1452 close(last_server
->tcpfd
);
1453 last_server
->tcpfd
= -1;
1460 strcpy(daemon
->namebuff
, "query");
1461 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1462 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1463 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1466 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1467 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1471 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1475 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1477 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
1479 if ((status
= tcp_key_recurse(now
, status
, class, daemon
->keyname
, last_server
)) == STAT_SECURE
)
1480 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1483 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
1484 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1486 if (status
== STAT_BOGUS
)
1487 no_cache_dnssec
= 1;
1489 if (status
== STAT_SECURE
)
1494 /* restore CD bit to the value in the query */
1495 if (checking_disabled
)
1496 header
->hb4
|= HB4_CD
;
1498 header
->hb4
&= ~HB4_CD
;
1500 /* There's no point in updating the cache, since this process will exit and
1501 lose the information after a few queries. We make this call for the alias and
1502 bogus-nxdomain side-effects. */
1503 /* If the crc of the question section doesn't match the crc we sent, then
1504 someone might be attempting to insert bogus values into the cache by
1505 sending replies containing questions and bogus answers. */
1507 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
1508 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
1514 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1521 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1522 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
,
1523 cache_secure
, check_subnet
, &peer_addr
);
1529 /* In case of local answer or no connections made. */
1531 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1535 check_log_writer(NULL
);
1539 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
1544 static struct frec
*allocate_frec(time_t now
)
1548 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1550 f
->next
= daemon
->frec_list
;
1559 f
->blocking_query
= NULL
;
1562 daemon
->frec_list
= f
;
1568 static struct randfd
*allocate_rfd(int family
)
1570 static int finger
= 0;
1573 /* limit the number of sockets we have open to avoid starvation of
1574 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1576 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1577 if (daemon
->randomsocks
[i
].refcount
== 0)
1579 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1582 daemon
->randomsocks
[i
].refcount
= 1;
1583 daemon
->randomsocks
[i
].family
= family
;
1584 return &daemon
->randomsocks
[i
];
1587 /* No free ones or cannot get new socket, grab an existing one */
1588 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1590 int j
= (i
+finger
) % RANDOM_SOCKS
;
1591 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1592 daemon
->randomsocks
[j
].family
== family
&&
1593 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1596 daemon
->randomsocks
[j
].refcount
++;
1597 return &daemon
->randomsocks
[j
];
1601 return NULL
; /* doom */
1603 static void free_frec(struct frec
*f
)
1605 if (f
->rfd4
&& --(f
->rfd4
->refcount
) == 0)
1613 if (f
->rfd6
&& --(f
->rfd6
->refcount
) == 0)
1622 blockdata_free(f
->stash
);
1626 /* Anything we're waiting on is pointless now, too */
1627 if (f
->blocking_query
)
1628 free_frec(f
->blocking_query
);
1629 f
->blocking_query
= NULL
;
1630 f
->dependent
= NULL
;
1634 /* if wait==NULL return a free or older than TIMEOUT record.
1635 else return *wait zero if one available, or *wait is delay to
1636 when the oldest in-use record will expire. Impose an absolute
1637 limit of 4*TIMEOUT before we wipe things (for random sockets).
1638 If force is set, always return a result, even if we have
1639 to allocate above the limit. */
1640 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
1642 struct frec
*f
, *oldest
, *target
;
1648 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
1653 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
1659 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
1669 /* can't find empty one, use oldest if there is one
1670 and it's older than timeout */
1671 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
1673 /* keep stuff for twice timeout if we can by allocating a new
1675 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
1676 count
<= daemon
->ftabsize
&&
1677 (f
= allocate_frec(now
)))
1688 /* none available, calculate time 'till oldest record expires */
1689 if (!force
&& count
> daemon
->ftabsize
)
1691 static time_t last_log
= 0;
1694 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
1696 if ((int)difftime(now
, last_log
) > 5)
1699 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
1705 if (!(f
= allocate_frec(now
)) && wait
)
1706 /* wait one second on malloc failure */
1709 return f
; /* OK if malloc fails and this is NULL */
1712 /* crc is all-ones if not known. */
1713 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
1717 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1718 if (f
->sentto
&& f
->new_id
== id
&&
1719 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
1725 static struct frec
*lookup_frec_by_sender(unsigned short id
,
1726 union mysockaddr
*addr
,
1731 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1734 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
1735 sockaddr_isequal(&f
->source
, addr
))
1741 /* A server record is going away, remove references to it */
1742 void server_gone(struct server
*server
)
1746 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
1747 if (f
->sentto
&& f
->sentto
== server
)
1750 if (daemon
->last_server
== server
)
1751 daemon
->last_server
= NULL
;
1753 if (daemon
->srv_save
== server
)
1754 daemon
->srv_save
= NULL
;
1757 /* return unique random ids. */
1758 static unsigned short get_id(void)
1760 unsigned short ret
= 0;
1764 while (lookup_frec(ret
, NULL
));