]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Handle truncated replies in DNSSEC validation.
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, unsigned int crc);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 unsigned int crc);
23 static unsigned short get_id(unsigned int crc);
24 static void free_frec(struct frec *f);
25 static struct randfd *allocate_rfd(int family);
26
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
31 unsigned int iface)
32 {
33 struct msghdr msg;
34 struct iovec iov[1];
35 union {
36 struct cmsghdr align; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39 #elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41 #endif
42 #ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44 #endif
45 } control_u;
46
47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
57
58 if (!nowild)
59 {
60 struct cmsghdr *cmptr;
61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
67 #if defined(HAVE_LINUX_NETWORK)
68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
73 cmptr->cmsg_level = IPPROTO_IP;
74 cmptr->cmsg_type = IP_PKTINFO;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
80 #endif
81 }
82 else
83 #ifdef HAVE_IPV6
84 {
85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
90 cmptr->cmsg_type = daemon->v6pktinfo;
91 cmptr->cmsg_level = IPPROTO_IPV6;
92 }
93 #else
94 (void)iface; /* eliminate warning */
95 #endif
96 }
97
98 while (sendmsg(fd, &msg, 0) == -1)
99 {
100 if (retry_send())
101 continue;
102
103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
106
107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
108 return 0;
109 }
110
111 return 1;
112 }
113
114 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
116
117 {
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
125 unsigned int flags = 0;
126
127 for (serv = daemon->servers; serv; serv=serv->next)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
130 {
131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
132 *type = SERV_FOR_NODOTS;
133 if (serv->flags & SERV_NO_ADDR)
134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
142 #ifdef HAVE_IPV6
143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
145 #endif
146 }
147 else if (!flags || (flags & F_NXDOMAIN))
148 flags = F_NOERR;
149 }
150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
154 char *matchstart = qdomain + namelen - domainlen;
155 if (namelen >= domainlen &&
156 hostname_isequal(matchstart, serv->domain) &&
157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
158 {
159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
161 else
162 {
163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
168 {
169 if ((serv->flags & SERV_LITERAL_ADDRESS))
170 {
171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
195 #ifdef HAVE_IPV6
196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
198 #endif
199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
202 }
203 else
204 flags = 0;
205 }
206 }
207 }
208 }
209
210 if (flags == 0 && !(qtype & F_QUERY) &&
211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
214
215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
216 flags = F_NOERR;
217
218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
226 }
227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
232 return flags;
233 }
234
235 static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
238 {
239 char *domain = NULL;
240 int type = 0, norebind = 0;
241 struct all_addr *addrp = NULL;
242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
245 struct server *start = NULL;
246
247 /* RFC 4035: sect 4.6 para 2 */
248 header->hb4 &= ~HB4_AD;
249
250 /* may be no servers available. */
251 if (!daemon->servers)
252 forward = NULL;
253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
254 {
255 /* retry on existing query, send to all available servers */
256 domain = forward->sentto->domain;
257 forward->sentto->failed_queries++;
258 if (!option_bool(OPT_ORDER))
259 {
260 forward->forwardall = 1;
261 daemon->last_server = NULL;
262 }
263 type = forward->sentto->flags & SERV_TYPE;
264 if (!(start = forward->sentto->next))
265 start = daemon->servers; /* at end of list, recycle */
266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
272
273 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
274 /* table full - server failure. */
275 flags = F_NEG;
276
277 if (forward)
278 {
279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
282 forward->orig_id = ntohs(header->id);
283 forward->new_id = get_id(crc);
284 forward->fd = udpfd;
285 forward->crc = crc;
286 forward->forwardall = 0;
287 forward->flags = 0;
288 if (norebind)
289 forward->flags |= FREC_NOREBIND;
290 if (header->hb4 & HB4_CD)
291 forward->flags |= FREC_CHECKING_DISABLED;
292
293 header->id = htons(forward->new_id);
294
295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
298 otherwise, use the one last known to work. */
299
300 if (type == 0)
301 {
302 if (option_bool(OPT_ORDER))
303 start = daemon->servers;
304 else if (!(start = daemon->last_server) ||
305 daemon->forwardcount++ > FORWARD_TEST ||
306 difftime(now, daemon->forwardtime) > FORWARD_TIME)
307 {
308 start = daemon->servers;
309 forward->forwardall = 1;
310 daemon->forwardcount = 0;
311 daemon->forwardtime = now;
312 }
313 }
314 else
315 {
316 start = daemon->servers;
317 if (!option_bool(OPT_ORDER))
318 forward->forwardall = 1;
319 }
320 }
321 }
322
323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
326
327 if (!flags && forward)
328 {
329 struct server *firstsentto = start;
330 int forwarded = 0;
331
332 if (option_bool(OPT_ADD_MAC))
333 plen = add_mac(header, plen, ((char *) header) + PACKETSZ, &forward->source);
334
335 if (option_bool(OPT_CLIENT_SUBNET))
336 {
337 size_t new = add_source_addr(header, plen, ((char *) header) + PACKETSZ, &forward->source);
338 if (new != plen)
339 {
340 plen = new;
341 forward->flags |= FREC_HAS_SUBNET;
342 }
343 }
344
345 #ifdef HAVE_DNSSEC
346 if (option_bool(OPT_DNSSEC_VALID))
347 {
348 plen = add_do_bit(header, plen, ((char *) header) + PACKETSZ);
349 header->hb4 |= HB4_CD;
350 }
351 #endif
352
353 while (1)
354 {
355 /* only send to servers dealing with our domain.
356 domain may be NULL, in which case server->domain
357 must be NULL also. */
358
359 if (type == (start->flags & SERV_TYPE) &&
360 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
361 !(start->flags & SERV_LITERAL_ADDRESS))
362 {
363 int fd;
364
365 /* find server socket to use, may need to get random one. */
366 if (start->sfd)
367 fd = start->sfd->fd;
368 else
369 {
370 #ifdef HAVE_IPV6
371 if (start->addr.sa.sa_family == AF_INET6)
372 {
373 if (!forward->rfd6 &&
374 !(forward->rfd6 = allocate_rfd(AF_INET6)))
375 break;
376 daemon->rfd_save = forward->rfd6;
377 fd = forward->rfd6->fd;
378 }
379 else
380 #endif
381 {
382 if (!forward->rfd4 &&
383 !(forward->rfd4 = allocate_rfd(AF_INET)))
384 break;
385 daemon->rfd_save = forward->rfd4;
386 fd = forward->rfd4->fd;
387 }
388
389 #ifdef HAVE_CONNTRACK
390 /* Copy connection mark of incoming query to outgoing connection. */
391 if (option_bool(OPT_CONNTRACK))
392 {
393 unsigned int mark;
394 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
395 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
396 }
397 #endif
398 }
399
400 if (sendto(fd, (char *)header, plen, 0,
401 &start->addr.sa,
402 sa_len(&start->addr)) == -1)
403 {
404 if (retry_send())
405 continue;
406 }
407 else
408 {
409 /* Keep info in case we want to re-send this packet */
410 daemon->srv_save = start;
411 daemon->packet_len = plen;
412
413 if (!gotname)
414 strcpy(daemon->namebuff, "query");
415 if (start->addr.sa.sa_family == AF_INET)
416 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
417 (struct all_addr *)&start->addr.in.sin_addr, NULL);
418 #ifdef HAVE_IPV6
419 else
420 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
421 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
422 #endif
423 start->queries++;
424 forwarded = 1;
425 forward->sentto = start;
426 if (!forward->forwardall)
427 break;
428 forward->forwardall++;
429 }
430 }
431
432 if (!(start = start->next))
433 start = daemon->servers;
434
435 if (start == firstsentto)
436 break;
437 }
438
439 if (forwarded)
440 return 1;
441
442 /* could not send on, prepare to return */
443 header->id = htons(forward->orig_id);
444 free_frec(forward); /* cancel */
445 }
446
447 /* could not send on, return empty answer or address if known for whole domain */
448 if (udpfd != -1)
449 {
450 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
451 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
452 }
453
454 return 0;
455 }
456
457 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
458 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
459 {
460 unsigned char *pheader, *sizep;
461 char **sets = 0;
462 int munged = 0, is_sign;
463 size_t plen;
464 int squash_ad = 0;
465
466 #ifdef HAVE_IPSET
467 /* Similar algorithm to search_servers. */
468 struct ipsets *ipset_pos;
469 unsigned int namelen = strlen(daemon->namebuff);
470 unsigned int matchlen = 0;
471 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
472 {
473 unsigned int domainlen = strlen(ipset_pos->domain);
474 char *matchstart = daemon->namebuff + namelen - domainlen;
475 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
476 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
477 domainlen >= matchlen) {
478 matchlen = domainlen;
479 sets = ipset_pos->sets;
480 }
481 }
482 #endif
483
484 /* If upstream is advertising a larger UDP packet size
485 than we allow, trim it so that we don't get overlarge
486 requests for the client. We can't do this for signed packets. */
487
488 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
489 {
490 if (!is_sign)
491 {
492 unsigned short udpsz;
493 unsigned char *psave = sizep;
494
495 GETSHORT(udpsz, sizep);
496 if (udpsz > daemon->edns_pktsz)
497 PUTSHORT(daemon->edns_pktsz, psave);
498 }
499
500 if (check_subnet && !check_source(header, plen, pheader, query_source))
501 {
502 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
503 return 0;
504 }
505 }
506
507 /* RFC 4035 sect 4.6 para 3 */
508 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
509 squash_ad = 1;
510
511 #ifdef HAVE_DNSSEC
512 if (option_bool(OPT_DNSSEC_VALID))
513 squash_ad = no_cache;
514
515 if (cache_secure)
516 header->hb4 |= HB4_AD;
517 #endif
518
519 if (squash_ad)
520 header->hb4 &= ~HB4_AD;
521
522 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
523 return n;
524
525 /* Complain loudly if the upstream server is non-recursive. */
526 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
527 server && !(server->flags & SERV_WARNED_RECURSIVE))
528 {
529 prettyprint_addr(&server->addr, daemon->namebuff);
530 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
531 if (!option_bool(OPT_LOG))
532 server->flags |= SERV_WARNED_RECURSIVE;
533 }
534
535 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
536 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
537 {
538 munged = 1;
539 SET_RCODE(header, NXDOMAIN);
540 header->hb3 &= ~HB3_AA;
541 }
542 else
543 {
544 if (RCODE(header) == NXDOMAIN &&
545 extract_request(header, n, daemon->namebuff, NULL) &&
546 check_for_local_domain(daemon->namebuff, now))
547 {
548 /* if we forwarded a query for a locally known name (because it was for
549 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
550 since we know that the domain exists, even if upstream doesn't */
551 munged = 1;
552 header->hb3 |= HB3_AA;
553 SET_RCODE(header, NOERROR);
554 }
555
556 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure))
557 {
558 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
559 munged = 1;
560 }
561 }
562
563 /* do this after extract_addresses. Ensure NODATA reply and remove
564 nameserver info. */
565
566 if (munged)
567 {
568 header->ancount = htons(0);
569 header->nscount = htons(0);
570 header->arcount = htons(0);
571 }
572
573 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
574 sections of the packet. Find the new length here and put back pseudoheader
575 if it was removed. */
576 return resize_packet(header, n, pheader, plen);
577 }
578
579 /* sets new last_server */
580 void reply_query(int fd, int family, time_t now)
581 {
582 /* packet from peer server, extract data for cache, and send to
583 original requester */
584 struct dns_header *header;
585 union mysockaddr serveraddr;
586 struct frec *forward;
587 socklen_t addrlen = sizeof(serveraddr);
588 ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
589 size_t nn;
590 struct server *server;
591
592 /* packet buffer overwritten */
593 daemon->srv_save = NULL;
594
595 /* Determine the address of the server replying so that we can mark that as good */
596 serveraddr.sa.sa_family = family;
597 #ifdef HAVE_IPV6
598 if (serveraddr.sa.sa_family == AF_INET6)
599 serveraddr.in6.sin6_flowinfo = 0;
600 #endif
601
602 /* spoof check: answer must come from known server, */
603 for (server = daemon->servers; server; server = server->next)
604 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
605 sockaddr_isequal(&server->addr, &serveraddr))
606 break;
607
608 header = (struct dns_header *)daemon->packet;
609
610 if (!server ||
611 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
612 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
613 return;
614
615 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
616 !option_bool(OPT_ORDER) &&
617 forward->forwardall == 0)
618 /* for broken servers, attempt to send to another one. */
619 {
620 unsigned char *pheader;
621 size_t plen;
622 int is_sign;
623
624 /* recreate query from reply */
625 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
626 if (!is_sign)
627 {
628 header->ancount = htons(0);
629 header->nscount = htons(0);
630 header->arcount = htons(0);
631 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
632 {
633 header->hb3 &= ~(HB3_QR | HB3_TC);
634 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
635 return;
636 }
637 }
638 }
639
640 server = forward->sentto;
641
642 if ((forward->sentto->flags & SERV_TYPE) == 0)
643 {
644 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
645 server = NULL;
646 else
647 {
648 struct server *last_server;
649
650 /* find good server by address if possible, otherwise assume the last one we sent to */
651 for (last_server = daemon->servers; last_server; last_server = last_server->next)
652 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
653 sockaddr_isequal(&last_server->addr, &serveraddr))
654 {
655 server = last_server;
656 break;
657 }
658 }
659 if (!option_bool(OPT_ALL_SERVERS))
660 daemon->last_server = server;
661 }
662
663 /* If the answer is an error, keep the forward record in place in case
664 we get a good reply from another server. Kill it when we've
665 had replies from all to avoid filling the forwarding table when
666 everything is broken */
667 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
668 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
669 {
670 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
671
672 if (option_bool(OPT_NO_REBIND))
673 check_rebind = !(forward->flags & FREC_NOREBIND);
674
675 /* Don't cache replies where DNSSEC validation was turned off, either
676 the upstream server told us so, or the original query specified it. */
677 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
678 no_cache_dnssec = 1;
679
680 #ifdef HAVE_DNSSEC
681 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
682 {
683 int status;
684
685 /* We've had a reply already, which we're validating. Ignore this duplicate */
686 if (forward->stash)
687 return;
688
689 if (header->hb3 & HB3_TC)
690 {
691 /* Truncated answer can't be validated.
692 The client will retry over TCP, but if this is an answer to a
693 DNSSEC-generated query, we have a problem. Should really re-send
694 over TCP. No-one with any sense will make a DNSKEY or DS RRset
695 exceed 4096, so this may not be a real problem. Just log
696 for now. */
697 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
698 my_syslog(LOG_ERR, _("Reply to DNSSEC query truncated - validation fails."));
699 status = STAT_INSECURE;
700 }
701 else if (forward->flags & FREC_DNSKEY_QUERY)
702 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
703 else if (forward->flags & FREC_DS_QUERY)
704 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
705 else
706 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
707
708 /* Can't validate, as we're missing key data. Put this
709 answer aside, whilst we get that. */
710 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
711 {
712 struct frec *new;
713
714 if ((new = get_new_frec(now, NULL, 1)))
715 {
716 struct frec *next = new->next;
717 *new = *forward; /* copy everything, then overwrite */
718 new->next = next;
719 new->stash = NULL;
720 new->blocking_query = NULL;
721 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
722
723 if ((forward->stash = blockdata_alloc((char *)header, n)))
724 {
725 int fd;
726
727 forward->stash_len = n;
728
729 new->dependent = forward; /* to find query awaiting new one. */
730 forward->blocking_query = new; /* for garbage cleaning */
731 /* validate routines leave name of required record in daemon->keyname */
732 if (status == STAT_NEED_KEY)
733 {
734 new->flags |= FREC_DNSKEY_QUERY;
735 nn = dnssec_generate_query(header, daemon->keyname, forward->class, T_DNSKEY, &server->addr);
736 }
737 else if (status == STAT_NEED_DS)
738 {
739 new->flags |= FREC_DS_QUERY;
740 nn = dnssec_generate_query(header, daemon->keyname, forward->class, T_DS, &server->addr);
741 }
742 new->crc = questions_crc(header, nn, daemon->namebuff);
743 new->new_id = get_id(new->crc);
744 header->id = htons(new->new_id);
745
746 /* Don't resend this. */
747 daemon->srv_save = NULL;
748
749 if (server->sfd)
750 fd = server->sfd->fd;
751 else
752 #ifdef HAVE_IPV6
753 /* Note that we use the same random port for the DNSSEC stuff */
754 if (server->addr.sa.sa_family == AF_INET6)
755 {
756 fd = new->rfd6->fd;
757 new->rfd6->refcount++;
758 }
759 else
760 #endif
761 {
762 fd = new->rfd4->fd;
763 new->rfd4->refcount++;
764 }
765
766 /* Send DNSSEC query to same server as original query */
767 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
768 server->queries++;
769 }
770 }
771
772 return;
773 }
774
775 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
776 Now wind back down, pulling back answers which wouldn't previously validate
777 and validate them with the new data. Failure to find needed data here is an internal error.
778 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
779 return it to the original requestor. */
780 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
781 {
782 while (forward->dependent)
783 {
784 struct frec *prev;
785
786 if (status == STAT_SECURE)
787 {
788 if (forward->flags & FREC_DNSKEY_QUERY)
789 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
790 else if (forward->flags & FREC_DS_QUERY)
791 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
792 }
793
794 prev = forward->dependent;
795 free_frec(forward);
796 forward = prev;
797 forward->blocking_query = NULL; /* already gone */
798 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
799 n = forward->stash_len;
800 }
801
802 /* All DNSKEY and DS records done and in cache, now finally validate original
803 answer, provided last DNSKEY is OK. */
804 if (status == STAT_SECURE)
805 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
806
807 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
808 {
809 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
810 status = STAT_INSECURE;
811 }
812 }
813
814 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
815 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
816
817 no_cache_dnssec = 0;
818
819 if (status == STAT_SECURE)
820 cache_secure = 1;
821 /* TODO return SERVFAIL here */
822 else if (status == STAT_BOGUS)
823 no_cache_dnssec = 1;
824
825 /* restore CD bit to the value in the query */
826 if (forward->flags & FREC_CHECKING_DISABLED)
827 header->hb4 |= HB4_CD;
828 else
829 header->hb4 &= ~HB4_CD;
830 }
831 #endif
832
833 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
834 forward->flags & FREC_HAS_SUBNET, &forward->source)))
835 {
836 header->id = htons(forward->orig_id);
837 header->hb4 |= HB4_RA; /* recursion if available */
838 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
839 &forward->source, &forward->dest, forward->iface);
840 }
841 free_frec(forward); /* cancel */
842 }
843 }
844
845
846 void receive_query(struct listener *listen, time_t now)
847 {
848 struct dns_header *header = (struct dns_header *)daemon->packet;
849 union mysockaddr source_addr;
850 unsigned short type;
851 struct all_addr dst_addr;
852 struct in_addr netmask, dst_addr_4;
853 size_t m;
854 ssize_t n;
855 int if_index = 0, auth_dns = 0;
856 #ifdef HAVE_AUTH
857 int local_auth = 0;
858 #endif
859 struct iovec iov[1];
860 struct msghdr msg;
861 struct cmsghdr *cmptr;
862 union {
863 struct cmsghdr align; /* this ensures alignment */
864 #ifdef HAVE_IPV6
865 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
866 #endif
867 #if defined(HAVE_LINUX_NETWORK)
868 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
869 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
870 char control[CMSG_SPACE(sizeof(struct in_addr)) +
871 CMSG_SPACE(sizeof(unsigned int))];
872 #elif defined(IP_RECVDSTADDR)
873 char control[CMSG_SPACE(sizeof(struct in_addr)) +
874 CMSG_SPACE(sizeof(struct sockaddr_dl))];
875 #endif
876 } control_u;
877 #ifdef HAVE_IPV6
878 /* Can always get recvd interface for IPv6 */
879 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
880 #else
881 int check_dst = !option_bool(OPT_NOWILD);
882 #endif
883
884 /* packet buffer overwritten */
885 daemon->srv_save = NULL;
886
887 dst_addr_4.s_addr = 0;
888 netmask.s_addr = 0;
889
890 if (option_bool(OPT_NOWILD) && listen->iface)
891 {
892 auth_dns = listen->iface->dns_auth;
893
894 if (listen->family == AF_INET)
895 {
896 dst_addr_4 = listen->iface->addr.in.sin_addr;
897 netmask = listen->iface->netmask;
898 }
899 }
900
901 iov[0].iov_base = daemon->packet;
902 iov[0].iov_len = daemon->edns_pktsz;
903
904 msg.msg_control = control_u.control;
905 msg.msg_controllen = sizeof(control_u);
906 msg.msg_flags = 0;
907 msg.msg_name = &source_addr;
908 msg.msg_namelen = sizeof(source_addr);
909 msg.msg_iov = iov;
910 msg.msg_iovlen = 1;
911
912 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
913 return;
914
915 if (n < (int)sizeof(struct dns_header) ||
916 (msg.msg_flags & MSG_TRUNC) ||
917 (header->hb3 & HB3_QR))
918 return;
919
920 source_addr.sa.sa_family = listen->family;
921 #ifdef HAVE_IPV6
922 if (listen->family == AF_INET6)
923 source_addr.in6.sin6_flowinfo = 0;
924 #endif
925
926 if (check_dst)
927 {
928 struct ifreq ifr;
929
930 if (msg.msg_controllen < sizeof(struct cmsghdr))
931 return;
932
933 #if defined(HAVE_LINUX_NETWORK)
934 if (listen->family == AF_INET)
935 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
936 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
937 {
938 union {
939 unsigned char *c;
940 struct in_pktinfo *p;
941 } p;
942 p.c = CMSG_DATA(cmptr);
943 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
944 if_index = p.p->ipi_ifindex;
945 }
946 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
947 if (listen->family == AF_INET)
948 {
949 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
950 {
951 union {
952 unsigned char *c;
953 unsigned int *i;
954 struct in_addr *a;
955 #ifndef HAVE_SOLARIS_NETWORK
956 struct sockaddr_dl *s;
957 #endif
958 } p;
959 p.c = CMSG_DATA(cmptr);
960 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
961 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
962 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
963 #ifdef HAVE_SOLARIS_NETWORK
964 if_index = *(p.i);
965 #else
966 if_index = p.s->sdl_index;
967 #endif
968 }
969 }
970 #endif
971
972 #ifdef HAVE_IPV6
973 if (listen->family == AF_INET6)
974 {
975 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
976 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
977 {
978 union {
979 unsigned char *c;
980 struct in6_pktinfo *p;
981 } p;
982 p.c = CMSG_DATA(cmptr);
983
984 dst_addr.addr.addr6 = p.p->ipi6_addr;
985 if_index = p.p->ipi6_ifindex;
986 }
987 }
988 #endif
989
990 /* enforce available interface configuration */
991
992 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
993 return;
994
995 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
996 {
997 if (!option_bool(OPT_CLEVERBIND))
998 enumerate_interfaces(0);
999 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1000 !label_exception(if_index, listen->family, &dst_addr))
1001 return;
1002 }
1003
1004 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1005 {
1006 struct irec *iface;
1007
1008 /* get the netmask of the interface whch has the address we were sent to.
1009 This is no neccessarily the interface we arrived on. */
1010
1011 for (iface = daemon->interfaces; iface; iface = iface->next)
1012 if (iface->addr.sa.sa_family == AF_INET &&
1013 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1014 break;
1015
1016 /* interface may be new */
1017 if (!iface && !option_bool(OPT_CLEVERBIND))
1018 enumerate_interfaces(0);
1019
1020 for (iface = daemon->interfaces; iface; iface = iface->next)
1021 if (iface->addr.sa.sa_family == AF_INET &&
1022 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1023 break;
1024
1025 /* If we failed, abandon localisation */
1026 if (iface)
1027 netmask = iface->netmask;
1028 else
1029 dst_addr_4.s_addr = 0;
1030 }
1031 }
1032
1033 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1034 {
1035 char types[20];
1036 #ifdef HAVE_AUTH
1037 struct auth_zone *zone;
1038 #endif
1039
1040 querystr(auth_dns ? "auth" : "query", types, type);
1041
1042 if (listen->family == AF_INET)
1043 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1044 (struct all_addr *)&source_addr.in.sin_addr, types);
1045 #ifdef HAVE_IPV6
1046 else
1047 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1048 (struct all_addr *)&source_addr.in6.sin6_addr, types);
1049 #endif
1050
1051 #ifdef HAVE_AUTH
1052 /* find queries for zones we're authoritative for, and answer them directly */
1053 if (!auth_dns)
1054 for (zone = daemon->auth_zones; zone; zone = zone->next)
1055 if (in_zone(zone, daemon->namebuff, NULL))
1056 {
1057 auth_dns = 1;
1058 local_auth = 1;
1059 break;
1060 }
1061 #endif
1062 }
1063
1064 #ifdef HAVE_AUTH
1065 if (auth_dns)
1066 {
1067 m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr, local_auth);
1068 if (m >= 1)
1069 {
1070 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1071 (char *)header, m, &source_addr, &dst_addr, if_index);
1072 daemon->auth_answer++;
1073 }
1074 }
1075 else
1076 #endif
1077 {
1078 m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
1079 dst_addr_4, netmask, now);
1080
1081 if (m >= 1)
1082 {
1083 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1084 (char *)header, m, &source_addr, &dst_addr, if_index);
1085 daemon->local_answer++;
1086 }
1087 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1088 header, (size_t)n, now, NULL))
1089 daemon->queries_forwarded++;
1090 else
1091 daemon->local_answer++;
1092 }
1093 }
1094
1095 /* The daemon forks before calling this: it should deal with one connection,
1096 blocking as neccessary, and then return. Note, need to be a bit careful
1097 about resources for debug mode, when the fork is suppressed: that's
1098 done by the caller. */
1099 unsigned char *tcp_request(int confd, time_t now,
1100 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1101 {
1102 size_t size = 0;
1103 int norebind = 0;
1104 #ifdef HAVE_AUTH
1105 int local_auth = 0;
1106 #endif
1107 int checking_disabled, check_subnet;
1108 size_t m;
1109 unsigned short qtype;
1110 unsigned int gotname;
1111 unsigned char c1, c2;
1112 /* Max TCP packet + slop + size */
1113 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1114 unsigned char *payload = &packet[2];
1115 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1116 struct dns_header *header = (struct dns_header *)payload;
1117 u16 *length = (u16 *)packet;
1118 struct server *last_server;
1119 struct in_addr dst_addr_4;
1120 union mysockaddr peer_addr;
1121 socklen_t peer_len = sizeof(union mysockaddr);
1122
1123 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1124 return packet;
1125
1126 while (1)
1127 {
1128 if (!packet ||
1129 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1130 !(size = c1 << 8 | c2) ||
1131 !read_write(confd, payload, size, 1))
1132 return packet;
1133
1134 if (size < (int)sizeof(struct dns_header))
1135 continue;
1136
1137 check_subnet = 0;
1138
1139 /* save state of "cd" flag in query */
1140 checking_disabled = header->hb4 & HB4_CD;
1141
1142 /* RFC 4035: sect 4.6 para 2 */
1143 header->hb4 &= ~HB4_AD;
1144
1145 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1146 {
1147 char types[20];
1148 #ifdef HAVE_AUTH
1149 struct auth_zone *zone;
1150 #endif
1151 querystr(auth_dns ? "auth" : "query", types, qtype);
1152
1153 if (peer_addr.sa.sa_family == AF_INET)
1154 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1155 (struct all_addr *)&peer_addr.in.sin_addr, types);
1156 #ifdef HAVE_IPV6
1157 else
1158 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1159 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1160 #endif
1161
1162 #ifdef HAVE_AUTH
1163 /* find queries for zones we're authoritative for, and answer them directly */
1164 if (!auth_dns)
1165 for (zone = daemon->auth_zones; zone; zone = zone->next)
1166 if (in_zone(zone, daemon->namebuff, NULL))
1167 {
1168 auth_dns = 1;
1169 local_auth = 1;
1170 break;
1171 }
1172 #endif
1173 }
1174
1175 if (local_addr->sa.sa_family == AF_INET)
1176 dst_addr_4 = local_addr->in.sin_addr;
1177 else
1178 dst_addr_4.s_addr = 0;
1179
1180 #ifdef HAVE_AUTH
1181 if (auth_dns)
1182 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1183 else
1184 #endif
1185 {
1186 /* m > 0 if answered from cache */
1187 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1188 dst_addr_4, netmask, now);
1189
1190 /* Do this by steam now we're not in the select() loop */
1191 check_log_writer(NULL);
1192
1193 if (m == 0)
1194 {
1195 unsigned int flags = 0;
1196 struct all_addr *addrp = NULL;
1197 int type = 0;
1198 char *domain = NULL;
1199
1200 if (option_bool(OPT_ADD_MAC))
1201 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1202
1203 if (option_bool(OPT_CLIENT_SUBNET))
1204 {
1205 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1206 if (size != new)
1207 {
1208 size = new;
1209 check_subnet = 1;
1210 }
1211 }
1212
1213 if (gotname)
1214 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1215
1216 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1217 last_server = daemon->servers;
1218 else
1219 last_server = daemon->last_server;
1220
1221 if (!flags && last_server)
1222 {
1223 struct server *firstsendto = NULL;
1224 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1225
1226 /* Loop round available servers until we succeed in connecting to one.
1227 Note that this code subtley ensures that consecutive queries on this connection
1228 which can go to the same server, do so. */
1229 while (1)
1230 {
1231 if (!firstsendto)
1232 firstsendto = last_server;
1233 else
1234 {
1235 if (!(last_server = last_server->next))
1236 last_server = daemon->servers;
1237
1238 if (last_server == firstsendto)
1239 break;
1240 }
1241
1242 /* server for wrong domain */
1243 if (type != (last_server->flags & SERV_TYPE) ||
1244 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
1245 continue;
1246
1247 if (last_server->tcpfd == -1)
1248 {
1249 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1250 continue;
1251
1252 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1253 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1254 {
1255 close(last_server->tcpfd);
1256 last_server->tcpfd = -1;
1257 continue;
1258 }
1259
1260 #ifdef HAVE_CONNTRACK
1261 /* Copy connection mark of incoming query to outgoing connection. */
1262 if (option_bool(OPT_CONNTRACK))
1263 {
1264 unsigned int mark;
1265 struct all_addr local;
1266 #ifdef HAVE_IPV6
1267 if (local_addr->sa.sa_family == AF_INET6)
1268 local.addr.addr6 = local_addr->in6.sin6_addr;
1269 else
1270 #endif
1271 local.addr.addr4 = local_addr->in.sin_addr;
1272
1273 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1274 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1275 }
1276 #endif
1277 }
1278
1279 *length = htons(size);
1280
1281 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1282 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1283 !read_write(last_server->tcpfd, &c2, 1, 1))
1284 {
1285 close(last_server->tcpfd);
1286 last_server->tcpfd = -1;
1287 continue;
1288 }
1289
1290 m = (c1 << 8) | c2;
1291 if (!read_write(last_server->tcpfd, payload, m, 1))
1292 return packet;
1293
1294 if (!gotname)
1295 strcpy(daemon->namebuff, "query");
1296 if (last_server->addr.sa.sa_family == AF_INET)
1297 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1298 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1299 #ifdef HAVE_IPV6
1300 else
1301 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1302 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1303 #endif
1304
1305 /* There's no point in updating the cache, since this process will exit and
1306 lose the information after a few queries. We make this call for the alias and
1307 bogus-nxdomain side-effects. */
1308 /* If the crc of the question section doesn't match the crc we sent, then
1309 someone might be attempting to insert bogus values into the cache by
1310 sending replies containing questions and bogus answers. */
1311 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1312 m = process_reply(header, now, last_server, (unsigned int)m,
1313 option_bool(OPT_NO_REBIND) && !norebind, checking_disabled,
1314 0, check_subnet, &peer_addr); /* TODO - cache secure */
1315
1316 break;
1317 }
1318 }
1319
1320 /* In case of local answer or no connections made. */
1321 if (m == 0)
1322 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1323 }
1324 }
1325
1326 check_log_writer(NULL);
1327
1328 *length = htons(m);
1329
1330 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
1331 return packet;
1332 }
1333 }
1334
1335 static struct frec *allocate_frec(time_t now)
1336 {
1337 struct frec *f;
1338
1339 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1340 {
1341 f->next = daemon->frec_list;
1342 f->time = now;
1343 f->sentto = NULL;
1344 f->rfd4 = NULL;
1345 f->flags = 0;
1346 #ifdef HAVE_IPV6
1347 f->rfd6 = NULL;
1348 #endif
1349 #ifdef HAVE_DNSSEC
1350 f->blocking_query = NULL;
1351 #endif
1352 daemon->frec_list = f;
1353 }
1354
1355 return f;
1356 }
1357
1358 static struct randfd *allocate_rfd(int family)
1359 {
1360 static int finger = 0;
1361 int i;
1362
1363 /* limit the number of sockets we have open to avoid starvation of
1364 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1365
1366 for (i = 0; i < RANDOM_SOCKS; i++)
1367 if (daemon->randomsocks[i].refcount == 0)
1368 {
1369 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1370 break;
1371
1372 daemon->randomsocks[i].refcount = 1;
1373 daemon->randomsocks[i].family = family;
1374 return &daemon->randomsocks[i];
1375 }
1376
1377 /* No free ones or cannot get new socket, grab an existing one */
1378 for (i = 0; i < RANDOM_SOCKS; i++)
1379 {
1380 int j = (i+finger) % RANDOM_SOCKS;
1381 if (daemon->randomsocks[j].refcount != 0 &&
1382 daemon->randomsocks[j].family == family &&
1383 daemon->randomsocks[j].refcount != 0xffff)
1384 {
1385 finger = j;
1386 daemon->randomsocks[j].refcount++;
1387 return &daemon->randomsocks[j];
1388 }
1389 }
1390
1391 return NULL; /* doom */
1392 }
1393 static void free_frec(struct frec *f)
1394 {
1395 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1396 close(f->rfd4->fd);
1397
1398 f->rfd4 = NULL;
1399 f->sentto = NULL;
1400 f->flags = 0;
1401
1402 #ifdef HAVE_IPV6
1403 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1404 close(f->rfd6->fd);
1405
1406 f->rfd6 = NULL;
1407 #endif
1408
1409 #ifdef HAVE_DNSSEC
1410 if (f->stash)
1411 {
1412 blockdata_free(f->stash);
1413 f->stash = NULL;
1414 }
1415
1416 /* Anything we're waiting on is pointless now, too */
1417 if (f->blocking_query)
1418 free_frec(f->blocking_query);
1419 f->blocking_query = NULL;
1420
1421 #endif
1422 }
1423
1424 /* if wait==NULL return a free or older than TIMEOUT record.
1425 else return *wait zero if one available, or *wait is delay to
1426 when the oldest in-use record will expire. Impose an absolute
1427 limit of 4*TIMEOUT before we wipe things (for random sockets).
1428 If force is set, always return a result, even if we have
1429 to allocate above the limit. */
1430 struct frec *get_new_frec(time_t now, int *wait, int force)
1431 {
1432 struct frec *f, *oldest, *target;
1433 int count;
1434
1435 if (wait)
1436 *wait = 0;
1437
1438 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
1439 if (!f->sentto)
1440 target = f;
1441 else
1442 {
1443 if (difftime(now, f->time) >= 4*TIMEOUT)
1444 {
1445 free_frec(f);
1446 target = f;
1447 }
1448
1449 if (!oldest || difftime(f->time, oldest->time) <= 0)
1450 oldest = f;
1451 }
1452
1453 if (target)
1454 {
1455 target->time = now;
1456 return target;
1457 }
1458
1459 /* can't find empty one, use oldest if there is one
1460 and it's older than timeout */
1461 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
1462 {
1463 /* keep stuff for twice timeout if we can by allocating a new
1464 record instead */
1465 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1466 count <= daemon->ftabsize &&
1467 (f = allocate_frec(now)))
1468 return f;
1469
1470 if (!wait)
1471 {
1472 free_frec(oldest);
1473 oldest->time = now;
1474 }
1475 return oldest;
1476 }
1477
1478 /* none available, calculate time 'till oldest record expires */
1479 if (!force && count > daemon->ftabsize)
1480 {
1481 static time_t last_log = 0;
1482
1483 if (oldest && wait)
1484 *wait = oldest->time + (time_t)TIMEOUT - now;
1485
1486 if ((int)difftime(now, last_log) > 5)
1487 {
1488 last_log = now;
1489 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1490 }
1491
1492 return NULL;
1493 }
1494
1495 if (!(f = allocate_frec(now)) && wait)
1496 /* wait one second on malloc failure */
1497 *wait = 1;
1498
1499 return f; /* OK if malloc fails and this is NULL */
1500 }
1501
1502 /* crc is all-ones if not known. */
1503 static struct frec *lookup_frec(unsigned short id, unsigned int crc)
1504 {
1505 struct frec *f;
1506
1507 for(f = daemon->frec_list; f; f = f->next)
1508 if (f->sentto && f->new_id == id &&
1509 (f->crc == crc || crc == 0xffffffff))
1510 return f;
1511
1512 return NULL;
1513 }
1514
1515 static struct frec *lookup_frec_by_sender(unsigned short id,
1516 union mysockaddr *addr,
1517 unsigned int crc)
1518 {
1519 struct frec *f;
1520
1521 for(f = daemon->frec_list; f; f = f->next)
1522 if (f->sentto &&
1523 f->orig_id == id &&
1524 f->crc == crc &&
1525 sockaddr_isequal(&f->source, addr))
1526 return f;
1527
1528 return NULL;
1529 }
1530
1531 /* A server record is going away, remove references to it */
1532 void server_gone(struct server *server)
1533 {
1534 struct frec *f;
1535
1536 for (f = daemon->frec_list; f; f = f->next)
1537 if (f->sentto && f->sentto == server)
1538 free_frec(f);
1539
1540 if (daemon->last_server == server)
1541 daemon->last_server = NULL;
1542
1543 if (daemon->srv_save == server)
1544 daemon->srv_save = NULL;
1545 }
1546
1547 /* return unique random ids. */
1548 static unsigned short get_id(unsigned int crc)
1549 {
1550 unsigned short ret = 0;
1551
1552 do
1553 ret = rand16();
1554 while (lookup_frec(ret, crc));
1555
1556 return ret;
1557 }
1558
1559
1560
1561
1562
Michael's tree of dnsmasq.