]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
);
30 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
31 char *name
, char *keyname
);
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
38 union mysockaddr
*to
, struct all_addr
*source
,
44 struct cmsghdr align
; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
47 #elif defined(IP_SENDSRCADDR)
48 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
51 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
55 iov
[0].iov_base
= packet
;
58 msg
.msg_control
= NULL
;
59 msg
.msg_controllen
= 0;
62 msg
.msg_namelen
= sa_len(to
);
68 struct cmsghdr
*cmptr
;
69 msg
.msg_control
= &control_u
;
70 msg
.msg_controllen
= sizeof(control_u
);
71 cmptr
= CMSG_FIRSTHDR(&msg
);
73 if (to
->sa
.sa_family
== AF_INET
)
75 #if defined(HAVE_LINUX_NETWORK)
78 p
.ipi_spec_dst
= source
->addr
.addr4
;
79 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
80 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
81 cmptr
->cmsg_level
= IPPROTO_IP
;
82 cmptr
->cmsg_type
= IP_PKTINFO
;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
85 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
86 cmptr
->cmsg_level
= IPPROTO_IP
;
87 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
94 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
95 p
.ipi6_addr
= source
->addr
.addr6
;
96 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
97 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
98 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
99 cmptr
->cmsg_level
= IPPROTO_IPV6
;
102 (void)iface
; /* eliminate warning */
106 while (sendmsg(fd
, &msg
, 0) == -1)
111 /* If interface is still in DAD, EINVAL results - ignore that. */
115 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
122 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
123 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
126 /* If the query ends in the domain in one of our servers, set
127 domain to point to that name. We find the largest match to allow both
128 domain.org and sub.domain.org to exist. */
130 unsigned int namelen
= strlen(qdomain
);
131 unsigned int matchlen
= 0;
133 unsigned int flags
= 0;
135 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
136 /* domain matches take priority over NODOTS matches */
137 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
139 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
140 *type
= SERV_FOR_NODOTS
;
141 if (serv
->flags
& SERV_NO_ADDR
)
143 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
148 if (serv
->addr
.sa
.sa_family
== AF_INET
)
149 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
152 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
155 else if (!flags
|| (flags
& F_NXDOMAIN
))
159 else if (serv
->flags
& SERV_HAS_DOMAIN
)
161 unsigned int domainlen
= strlen(serv
->domain
);
162 char *matchstart
= qdomain
+ namelen
- domainlen
;
163 if (namelen
>= domainlen
&&
164 hostname_isequal(matchstart
, serv
->domain
) &&
165 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
167 if (serv
->flags
& SERV_NO_REBIND
)
171 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
172 /* implement priority rules for --address and --server for same domain.
173 --address wins if the address is for the correct AF
174 --server wins otherwise. */
175 if (domainlen
!= 0 && domainlen
== matchlen
)
177 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
179 if (!(sflag
& qtype
) && flags
== 0)
184 if (flags
& (F_IPV4
| F_IPV6
))
189 if (domainlen
>= matchlen
)
191 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
192 *domain
= serv
->domain
;
193 matchlen
= domainlen
;
194 if (serv
->flags
& SERV_NO_ADDR
)
196 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
201 if (serv
->addr
.sa
.sa_family
== AF_INET
)
202 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
205 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
208 else if (!flags
|| (flags
& F_NXDOMAIN
))
218 if (flags
== 0 && !(qtype
& F_QUERY
) &&
219 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
220 /* don't forward A or AAAA queries for simple names, except the empty name */
223 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
230 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
231 logflags
= F_NEG
| qtype
;
233 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
235 else if ((*type
) & SERV_USE_RESOLV
)
237 *type
= 0; /* use normal servers for this domain */
243 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
244 struct all_addr
*dst_addr
, unsigned int dst_iface
,
245 struct dns_header
*header
, size_t plen
, time_t now
,
246 struct frec
*forward
, int ad_reqd
, int do_bit
)
249 int type
= 0, norebind
= 0;
250 struct all_addr
*addrp
= NULL
;
251 unsigned int flags
= 0;
252 struct server
*start
= NULL
;
254 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
256 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
259 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
263 /* may be no servers available. */
264 if (!daemon
->servers
)
266 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
269 /* If we've already got an answer to this query, but we're awaiting keys for validation,
270 there's no point retrying the query, retry the key query instead...... */
271 if (forward
->blocking_query
)
275 while (forward
->blocking_query
)
276 forward
= forward
->blocking_query
;
278 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
279 plen
= forward
->stash_len
;
281 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
282 log_query(F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
285 log_query(F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
288 if (forward
->sentto
->sfd
)
289 fd
= forward
->sentto
->sfd
->fd
;
293 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
294 fd
= forward
->rfd6
->fd
;
297 fd
= forward
->rfd4
->fd
;
300 while (sendto(fd
, (char *)header
, plen
, 0,
301 &forward
->sentto
->addr
.sa
,
302 sa_len(&forward
->sentto
->addr
)) == -1 && retry_send());
308 /* retry on existing query, send to all available servers */
309 domain
= forward
->sentto
->domain
;
310 forward
->sentto
->failed_queries
++;
311 if (!option_bool(OPT_ORDER
))
313 forward
->forwardall
= 1;
314 daemon
->last_server
= NULL
;
316 type
= forward
->sentto
->flags
& SERV_TYPE
;
317 if (!(start
= forward
->sentto
->next
))
318 start
= daemon
->servers
; /* at end of list, recycle */
319 header
->id
= htons(forward
->new_id
);
324 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
326 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
327 /* table full - server failure. */
332 forward
->source
= *udpaddr
;
333 forward
->dest
= *dst_addr
;
334 forward
->iface
= dst_iface
;
335 forward
->orig_id
= ntohs(header
->id
);
336 forward
->new_id
= get_id();
338 memcpy(forward
->hash
, hash
, HASH_SIZE
);
339 forward
->forwardall
= 0;
342 forward
->flags
|= FREC_NOREBIND
;
343 if (header
->hb4
& HB4_CD
)
344 forward
->flags
|= FREC_CHECKING_DISABLED
;
346 forward
->flags
|= FREC_AD_QUESTION
;
348 forward
->work_counter
= DNSSEC_WORK
;
350 forward
->flags
|= FREC_DO_QUESTION
;
353 header
->id
= htons(forward
->new_id
);
355 /* In strict_order mode, always try servers in the order
356 specified in resolv.conf, if a domain is given
357 always try all the available servers,
358 otherwise, use the one last known to work. */
362 if (option_bool(OPT_ORDER
))
363 start
= daemon
->servers
;
364 else if (!(start
= daemon
->last_server
) ||
365 daemon
->forwardcount
++ > FORWARD_TEST
||
366 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
368 start
= daemon
->servers
;
369 forward
->forwardall
= 1;
370 daemon
->forwardcount
= 0;
371 daemon
->forwardtime
= now
;
376 start
= daemon
->servers
;
377 if (!option_bool(OPT_ORDER
))
378 forward
->forwardall
= 1;
383 /* check for send errors here (no route to host)
384 if we fail to send to all nameservers, send back an error
385 packet straight away (helps modem users when offline) */
387 if (!flags
&& forward
)
389 struct server
*firstsentto
= start
;
392 if (option_bool(OPT_ADD_MAC
))
393 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
395 if (option_bool(OPT_CLIENT_SUBNET
))
397 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
401 forward
->flags
|= FREC_HAS_SUBNET
;
406 if (option_bool(OPT_DNSSEC_VALID
))
408 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
410 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
411 this allows it to select auth servers when one is returning bad data. */
412 if (option_bool(OPT_DNSSEC_DEBUG
))
413 header
->hb4
|= HB4_CD
;
415 if (new_plen
!= plen
)
416 forward
->flags
|= FREC_ADDED_PHEADER
;
424 /* only send to servers dealing with our domain.
425 domain may be NULL, in which case server->domain
426 must be NULL also. */
428 if (type
== (start
->flags
& SERV_TYPE
) &&
429 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
430 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
434 /* find server socket to use, may need to get random one. */
440 if (start
->addr
.sa
.sa_family
== AF_INET6
)
442 if (!forward
->rfd6
&&
443 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
445 daemon
->rfd_save
= forward
->rfd6
;
446 fd
= forward
->rfd6
->fd
;
451 if (!forward
->rfd4
&&
452 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
454 daemon
->rfd_save
= forward
->rfd4
;
455 fd
= forward
->rfd4
->fd
;
458 #ifdef HAVE_CONNTRACK
459 /* Copy connection mark of incoming query to outgoing connection. */
460 if (option_bool(OPT_CONNTRACK
))
463 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
464 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
469 if (sendto(fd
, (char *)header
, plen
, 0,
471 sa_len(&start
->addr
)) == -1)
478 /* Keep info in case we want to re-send this packet */
479 daemon
->srv_save
= start
;
480 daemon
->packet_len
= plen
;
483 strcpy(daemon
->namebuff
, "query");
484 if (start
->addr
.sa
.sa_family
== AF_INET
)
485 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
486 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
489 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
490 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
494 forward
->sentto
= start
;
495 if (!forward
->forwardall
)
497 forward
->forwardall
++;
501 if (!(start
= start
->next
))
502 start
= daemon
->servers
;
504 if (start
== firstsentto
)
511 /* could not send on, prepare to return */
512 header
->id
= htons(forward
->orig_id
);
513 free_frec(forward
); /* cancel */
516 /* could not send on, return empty answer or address if known for whole domain */
519 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
520 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
526 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
527 int no_cache
, int cache_secure
, int ad_reqd
, int do_bit
, int added_pheader
, int check_subnet
, union mysockaddr
*query_source
)
529 unsigned char *pheader
, *sizep
;
531 int munged
= 0, is_sign
;
538 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
540 /* Similar algorithm to search_servers. */
541 struct ipsets
*ipset_pos
;
542 unsigned int namelen
= strlen(daemon
->namebuff
);
543 unsigned int matchlen
= 0;
544 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
546 unsigned int domainlen
= strlen(ipset_pos
->domain
);
547 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
548 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
549 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
550 domainlen
>= matchlen
)
552 matchlen
= domainlen
;
553 sets
= ipset_pos
->sets
;
559 /* If upstream is advertising a larger UDP packet size
560 than we allow, trim it so that we don't get overlarge
561 requests for the client. We can't do this for signed packets. */
563 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
565 unsigned short udpsz
;
566 unsigned char *psave
= sizep
;
568 GETSHORT(udpsz
, sizep
);
570 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
571 PUTSHORT(daemon
->edns_pktsz
, psave
);
573 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
575 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
582 header
->arcount
= htons(0);
586 /* RFC 4035 sect 4.6 para 3 */
587 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
588 header
->hb4
&= ~HB4_AD
;
590 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
591 return resize_packet(header
, n
, pheader
, plen
);
593 /* Complain loudly if the upstream server is non-recursive. */
594 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
595 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
597 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
598 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
599 if (!option_bool(OPT_LOG
))
600 server
->flags
|= SERV_WARNED_RECURSIVE
;
603 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
604 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
607 SET_RCODE(header
, NXDOMAIN
);
608 header
->hb3
&= ~HB3_AA
;
615 if (RCODE(header
) == NXDOMAIN
&&
616 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
617 check_for_local_domain(daemon
->namebuff
, now
))
619 /* if we forwarded a query for a locally known name (because it was for
620 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
621 since we know that the domain exists, even if upstream doesn't */
623 header
->hb3
|= HB3_AA
;
624 SET_RCODE(header
, NOERROR
);
628 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
630 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
640 if (no_cache
&& !(header
->hb4
& HB4_CD
))
642 if (!option_bool(OPT_DNSSEC_DEBUG
))
644 /* Bogus reply, turn into SERVFAIL */
645 SET_RCODE(header
, SERVFAIL
);
650 if (option_bool(OPT_DNSSEC_VALID
))
651 header
->hb4
&= ~HB4_AD
;
653 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
654 header
->hb4
|= HB4_AD
;
656 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
658 n
= filter_rrsigs(header
, n
);
661 /* do this after extract_addresses. Ensure NODATA reply and remove
666 header
->ancount
= htons(0);
667 header
->nscount
= htons(0);
668 header
->arcount
= htons(0);
671 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
672 sections of the packet. Find the new length here and put back pseudoheader
673 if it was removed. */
674 return resize_packet(header
, n
, pheader
, plen
);
677 /* sets new last_server */
678 void reply_query(int fd
, int family
, time_t now
)
680 /* packet from peer server, extract data for cache, and send to
681 original requester */
682 struct dns_header
*header
;
683 union mysockaddr serveraddr
;
684 struct frec
*forward
;
685 socklen_t addrlen
= sizeof(serveraddr
);
686 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
688 struct server
*server
;
694 /* packet buffer overwritten */
695 daemon
->srv_save
= NULL
;
697 /* Determine the address of the server replying so that we can mark that as good */
698 serveraddr
.sa
.sa_family
= family
;
700 if (serveraddr
.sa
.sa_family
== AF_INET6
)
701 serveraddr
.in6
.sin6_flowinfo
= 0;
704 header
= (struct dns_header
*)daemon
->packet
;
706 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
709 /* spoof check: answer must come from known server, */
710 for (server
= daemon
->servers
; server
; server
= server
->next
)
711 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
712 sockaddr_isequal(&server
->addr
, &serveraddr
))
719 hash
= hash_questions(header
, n
, daemon
->namebuff
);
722 crc
= questions_crc(header
, n
, daemon
->namebuff
);
725 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
728 if (daemon
->ignore_addr
&& RCODE(header
) == NOERROR
&&
729 check_for_ignored_address(header
, n
, daemon
->ignore_addr
))
732 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
733 !option_bool(OPT_ORDER
) &&
734 forward
->forwardall
== 0)
735 /* for broken servers, attempt to send to another one. */
737 unsigned char *pheader
;
741 /* recreate query from reply */
742 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
745 header
->ancount
= htons(0);
746 header
->nscount
= htons(0);
747 header
->arcount
= htons(0);
748 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
750 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
751 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
757 server
= forward
->sentto
;
759 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
761 if (RCODE(header
) == REFUSED
)
765 struct server
*last_server
;
767 /* find good server by address if possible, otherwise assume the last one we sent to */
768 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
769 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
770 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
772 server
= last_server
;
776 if (!option_bool(OPT_ALL_SERVERS
))
777 daemon
->last_server
= server
;
780 /* If the answer is an error, keep the forward record in place in case
781 we get a good reply from another server. Kill it when we've
782 had replies from all to avoid filling the forwarding table when
783 everything is broken */
784 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
786 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
788 if (option_bool(OPT_NO_REBIND
))
789 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
791 /* Don't cache replies where DNSSEC validation was turned off, either
792 the upstream server told us so, or the original query specified it. */
793 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
797 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
801 /* We've had a reply already, which we're validating. Ignore this duplicate */
802 if (forward
->blocking_query
)
805 if (header
->hb3
& HB3_TC
)
807 /* Truncated answer can't be validated.
808 If this is an answer to a DNSSEC-generated query, we still
809 need to get the client to retry over TCP, so return
810 an answer with the TC bit set, even if the actual answer fits.
812 status
= STAT_TRUNCATED
;
814 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
815 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
816 else if (forward
->flags
& FREC_DS_QUERY
)
818 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
819 if (status
== STAT_NO_DS
|| status
== STAT_NO_NS
)
822 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
824 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
825 if (status
!= STAT_NEED_KEY
)
826 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
830 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
831 if (status
== STAT_NO_SIG
)
833 if (option_bool(OPT_DNSSEC_NO_SIGN
))
834 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
836 status
= STAT_INSECURE
;
839 /* Can't validate, as we're missing key data. Put this
840 answer aside, whilst we get that. */
841 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
843 struct frec
*new, *orig
;
845 /* Free any saved query */
847 blockdata_free(forward
->stash
);
849 /* Now save reply pending receipt of key data */
850 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
852 forward
->stash_len
= n
;
855 /* Find the original query that started it all.... */
856 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
858 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
859 status
= STAT_INSECURE
;
863 struct frec
*next
= new->next
;
864 *new = *forward
; /* copy everything, then overwrite */
866 new->blocking_query
= NULL
;
867 new->sentto
= server
;
869 new->orig_domain
= NULL
;
873 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
875 new->dependent
= forward
; /* to find query awaiting new one. */
876 forward
->blocking_query
= new; /* for garbage cleaning */
877 /* validate routines leave name of required record in daemon->keyname */
878 if (status
== STAT_NEED_KEY
)
880 new->flags
|= FREC_DNSKEY_QUERY
;
881 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
882 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
886 if (status
== STAT_NEED_DS_NEG
)
887 new->flags
|= FREC_CHECK_NOSIGN
;
889 new->flags
|= FREC_DS_QUERY
;
890 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
891 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
893 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
894 memcpy(new->hash
, hash
, HASH_SIZE
);
895 new->new_id
= get_id();
896 header
->id
= htons(new->new_id
);
897 /* Save query for retransmission */
898 if (!(new->stash
= blockdata_alloc((char *)header
, nn
)))
903 /* Don't resend this. */
904 daemon
->srv_save
= NULL
;
907 fd
= server
->sfd
->fd
;
912 if (server
->addr
.sa
.sa_family
== AF_INET6
)
914 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
920 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
927 while (sendto(fd
, (char *)header
, nn
, 0, &server
->addr
.sa
, sa_len(&server
->addr
)) == -1 && retry_send());
935 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
936 Now wind back down, pulling back answers which wouldn't previously validate
937 and validate them with the new data. Note that if an answer needs multiple
938 keys to validate, we may find another key is needed, in which case we set off
939 down another branch of the tree. Once we get to the original answer
940 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
941 while (forward
->dependent
)
943 struct frec
*prev
= forward
->dependent
;
946 forward
->blocking_query
= NULL
; /* already gone */
947 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
948 n
= forward
->stash_len
;
950 if (status
== STAT_SECURE
)
952 if (forward
->flags
& FREC_DNSKEY_QUERY
)
953 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
954 else if (forward
->flags
& FREC_DS_QUERY
)
956 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
957 if (status
== STAT_NO_DS
|| status
== STAT_NO_NS
)
960 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
962 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
963 if (status
!= STAT_NEED_KEY
)
964 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
968 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
969 if (status
== STAT_NO_SIG
)
971 if (option_bool(OPT_DNSSEC_NO_SIGN
))
972 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
974 status
= STAT_INSECURE
;
978 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
983 if (status
== STAT_TRUNCATED
)
984 header
->hb3
|= HB3_TC
;
989 if (forward
->work_counter
== 0)
990 result
= "ABANDONED";
992 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
994 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
999 if (status
== STAT_SECURE
)
1001 else if (status
== STAT_BOGUS
)
1002 no_cache_dnssec
= 1;
1006 /* restore CD bit to the value in the query */
1007 if (forward
->flags
& FREC_CHECKING_DISABLED
)
1008 header
->hb4
|= HB4_CD
;
1010 header
->hb4
&= ~HB4_CD
;
1012 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
1013 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
1014 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1016 header
->id
= htons(forward
->orig_id
);
1017 header
->hb4
|= HB4_RA
; /* recursion if available */
1018 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1019 &forward
->source
, &forward
->dest
, forward
->iface
);
1021 free_frec(forward
); /* cancel */
1026 void receive_query(struct listener
*listen
, time_t now
)
1028 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1029 union mysockaddr source_addr
;
1030 unsigned short type
;
1031 struct all_addr dst_addr
;
1032 struct in_addr netmask
, dst_addr_4
;
1035 int if_index
= 0, auth_dns
= 0;
1039 struct iovec iov
[1];
1041 struct cmsghdr
*cmptr
;
1043 struct cmsghdr align
; /* this ensures alignment */
1045 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1047 #if defined(HAVE_LINUX_NETWORK)
1048 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1049 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1050 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1051 CMSG_SPACE(sizeof(unsigned int))];
1052 #elif defined(IP_RECVDSTADDR)
1053 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1054 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1058 /* Can always get recvd interface for IPv6 */
1059 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1061 int check_dst
= !option_bool(OPT_NOWILD
);
1064 /* packet buffer overwritten */
1065 daemon
->srv_save
= NULL
;
1067 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1070 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1072 auth_dns
= listen
->iface
->dns_auth
;
1074 if (listen
->family
== AF_INET
)
1076 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1077 netmask
= listen
->iface
->netmask
;
1081 iov
[0].iov_base
= daemon
->packet
;
1082 iov
[0].iov_len
= daemon
->edns_pktsz
;
1084 msg
.msg_control
= control_u
.control
;
1085 msg
.msg_controllen
= sizeof(control_u
);
1087 msg
.msg_name
= &source_addr
;
1088 msg
.msg_namelen
= sizeof(source_addr
);
1092 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1095 if (n
< (int)sizeof(struct dns_header
) ||
1096 (msg
.msg_flags
& MSG_TRUNC
) ||
1097 (header
->hb3
& HB3_QR
))
1100 source_addr
.sa
.sa_family
= listen
->family
;
1102 if (listen
->family
== AF_INET
)
1104 /* Source-port == 0 is an error, we can't send back to that.
1105 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1106 if (source_addr
.in
.sin_port
== 0)
1112 /* Source-port == 0 is an error, we can't send back to that. */
1113 if (source_addr
.in6
.sin6_port
== 0)
1115 source_addr
.in6
.sin6_flowinfo
= 0;
1119 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1120 if (option_bool(OPT_LOCAL_SERVICE
))
1122 struct addrlist
*addr
;
1124 if (listen
->family
== AF_INET6
)
1126 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1127 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1128 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1134 struct in_addr netmask
;
1135 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1137 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1138 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1139 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1145 static int warned
= 0;
1148 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1159 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1162 #if defined(HAVE_LINUX_NETWORK)
1163 if (listen
->family
== AF_INET
)
1164 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1165 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1169 struct in_pktinfo
*p
;
1171 p
.c
= CMSG_DATA(cmptr
);
1172 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1173 if_index
= p
.p
->ipi_ifindex
;
1175 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1176 if (listen
->family
== AF_INET
)
1178 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1184 #ifndef HAVE_SOLARIS_NETWORK
1185 struct sockaddr_dl
*s
;
1188 p
.c
= CMSG_DATA(cmptr
);
1189 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1190 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1191 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1192 #ifdef HAVE_SOLARIS_NETWORK
1195 if_index
= p
.s
->sdl_index
;
1202 if (listen
->family
== AF_INET6
)
1204 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1205 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1209 struct in6_pktinfo
*p
;
1211 p
.c
= CMSG_DATA(cmptr
);
1213 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1214 if_index
= p
.p
->ipi6_ifindex
;
1219 /* enforce available interface configuration */
1221 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1224 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1226 if (!option_bool(OPT_CLEVERBIND
))
1227 enumerate_interfaces(0);
1228 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1229 !label_exception(if_index
, listen
->family
, &dst_addr
))
1233 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1237 /* get the netmask of the interface whch has the address we were sent to.
1238 This is no neccessarily the interface we arrived on. */
1240 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1241 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1242 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1245 /* interface may be new */
1246 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1247 enumerate_interfaces(0);
1249 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1250 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1251 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1254 /* If we failed, abandon localisation */
1256 netmask
= iface
->netmask
;
1258 dst_addr_4
.s_addr
= 0;
1262 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1265 struct auth_zone
*zone
;
1267 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1269 if (listen
->family
== AF_INET
)
1270 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1271 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1274 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1275 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1279 /* find queries for zones we're authoritative for, and answer them directly */
1281 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1282 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1291 /* Check for forwarding loop */
1292 if (detect_loop(daemon
->namebuff
, type
))
1300 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1303 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1304 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1305 daemon
->auth_answer
++;
1311 int ad_reqd
, do_bit
;
1312 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1313 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1317 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1318 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1319 daemon
->local_answer
++;
1321 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1322 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1323 daemon
->queries_forwarded
++;
1325 daemon
->local_answer
++;
1331 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1332 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1333 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1334 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
1335 char *name
, char *keyname
)
1337 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1339 if (status
!= STAT_INSECURE
)
1342 /* Store the domain we're trying to check. */
1343 forward
->name_start
= strlen(name
);
1344 forward
->name_len
= forward
->name_start
+ 1;
1345 if (!(forward
->orig_domain
= blockdata_alloc(name
, forward
->name_len
)))
1348 return do_check_sign(forward
, 0, now
, name
, keyname
);
1351 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1352 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
)
1354 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1355 while (forward
->dependent
)
1356 forward
= forward
->dependent
;
1358 blockdata_retrieve(forward
->orig_domain
, forward
->name_len
, name
);
1368 /* Haven't received answer, see if in cache */
1369 if (!(crecp
= cache_find_by_name(NULL
, &name
[forward
->name_start
], now
, F_DS
)))
1371 /* put name of DS record we're missing into keyname */
1372 strcpy(keyname
, &name
[forward
->name_start
]);
1373 /* and wait for reply to arrive */
1374 return STAT_NEED_DS_NEG
;
1377 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1378 if (!(crecp
->flags
& F_NEG
))
1379 status
= STAT_SECURE
;
1380 else if (crecp
->flags
& F_DNSSECOK
)
1381 status
= STAT_NO_DS
;
1383 status
= STAT_NO_NS
;
1386 /* Have entered non-signed part of DNS tree. */
1387 if (status
== STAT_NO_DS
)
1388 return STAT_INSECURE
;
1390 if (status
== STAT_BOGUS
)
1393 /* There's a proven DS record, or we're within a zone, where there doesn't need
1394 to be a DS record. Add a name and try again.
1395 If we've already tried the whole name, then fail */
1397 if (forward
->name_start
== 0)
1400 for (p
= &name
[forward
->name_start
-2]; (*p
!= '.') && (p
!= name
); p
--);
1405 forward
->name_start
= p
- name
;
1406 status
= 0; /* force to cache when we iterate. */
1410 /* Move toward the root, until we find a signed non-existance of a DS, in which case
1411 an unsigned answer is OK, or we find a signed DS, in which case there should be
1412 a signature, and the answer is BOGUS */
1413 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1414 char *keyname
, struct server
*server
, int *keycount
)
1417 unsigned char *packet
, *payload
;
1419 unsigned char *p
= (unsigned char *)(header
+1);
1420 int status
, name_len
;
1421 struct blockdata
*block
;
1425 /* Get first insecure entry in CNAME chain */
1426 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1427 if (status
== STAT_BOGUS
)
1430 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1433 payload
= &packet
[2];
1434 header
= (struct dns_header
*)payload
;
1435 length
= (u16
*)packet
;
1437 /* Stash the name away, since the buffer will be trashed when we recurse */
1438 name_len
= strlen(name
) + 1;
1439 name_start
= name
+ name_len
- 1;
1441 if (!(block
= blockdata_alloc(name
, name_len
)))
1449 unsigned char c1
, c2
;
1452 if (--(*keycount
) == 0)
1455 blockdata_free(block
);
1459 while (crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
))
1461 if ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
))
1463 /* Found a secure denial of DS - delegation is indeed insecure */
1465 blockdata_free(block
);
1466 return STAT_INSECURE
;
1469 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1470 Add another label and continue. */
1472 if (name_start
== name
)
1475 blockdata_free(block
);
1476 return STAT_BOGUS
; /* run out of labels */
1480 while (*name_start
!= '.' && name_start
!= name
)
1482 if (name_start
!= name
)
1486 /* Can't find it in the cache, have to send a query */
1488 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
);
1492 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1493 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1494 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1495 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1499 /* Note this trashes all three name workspaces */
1500 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1502 if (status
== STAT_NO_DS
)
1504 /* Found a secure denial of DS - delegation is indeed insecure */
1506 blockdata_free(block
);
1507 return STAT_INSECURE
;
1510 if (status
== STAT_BOGUS
)
1513 blockdata_free(block
);
1517 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1518 Add another label and continue. */
1520 /* Get name we're checking back. */
1521 blockdata_retrieve(block
, name_len
, name
);
1523 if (name_start
== name
)
1526 blockdata_free(block
);
1527 return STAT_BOGUS
; /* run out of labels */
1531 while (*name_start
!= '.' && name_start
!= name
)
1533 if (name_start
!= name
)
1540 blockdata_free(block
);
1541 return STAT_BOGUS
; /* run out of labels */
1546 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1547 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1549 /* Recurse up the key heirarchy */
1552 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1553 if (--(*keycount
) == 0)
1554 return STAT_INSECURE
;
1556 if (status
== STAT_NEED_KEY
)
1557 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1558 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1560 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1561 if (status
== STAT_NEED_DS
&& (new_status
== STAT_NO_DS
|| new_status
== STAT_NO_NS
))
1562 new_status
= STAT_BOGUS
;
1564 else if (status
== STAT_CHASE_CNAME
)
1565 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1568 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1570 if (new_status
== STAT_NO_SIG
)
1572 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1573 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1575 new_status
= STAT_INSECURE
;
1579 /* Can't validate because we need a key/DS whose name now in keyname.
1580 Make query for same, and recurse to validate */
1581 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1584 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1585 unsigned char *payload
= &packet
[2];
1586 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1587 u16
*length
= (u16
*)packet
;
1588 unsigned char c1
, c2
;
1591 return STAT_INSECURE
;
1594 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1595 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1599 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1600 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1601 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1602 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1603 new_status
= STAT_INSECURE
;
1608 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1610 if (new_status
== STAT_SECURE
)
1612 /* Reached a validated record, now try again at this level.
1613 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1614 If so, go round again. */
1616 if (status
== STAT_NEED_KEY
)
1617 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1618 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1620 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1621 if (status
== STAT_NEED_DS
&& (new_status
== STAT_NO_DS
|| new_status
== STAT_NO_NS
))
1622 new_status
= STAT_BOGUS
; /* Validated no DS */
1624 else if (status
== STAT_CHASE_CNAME
)
1625 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1628 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1630 if (new_status
== STAT_NO_SIG
)
1632 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1633 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1635 new_status
= STAT_INSECURE
;
1639 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1640 goto another_tcp_key
;
1651 /* The daemon forks before calling this: it should deal with one connection,
1652 blocking as neccessary, and then return. Note, need to be a bit careful
1653 about resources for debug mode, when the fork is suppressed: that's
1654 done by the caller. */
1655 unsigned char *tcp_request(int confd
, time_t now
,
1656 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1663 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1664 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0;
1666 unsigned short qtype
;
1667 unsigned int gotname
;
1668 unsigned char c1
, c2
;
1669 /* Max TCP packet + slop + size */
1670 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1671 unsigned char *payload
= &packet
[2];
1672 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1673 struct dns_header
*header
= (struct dns_header
*)payload
;
1674 u16
*length
= (u16
*)packet
;
1675 struct server
*last_server
;
1676 struct in_addr dst_addr_4
;
1677 union mysockaddr peer_addr
;
1678 socklen_t peer_len
= sizeof(union mysockaddr
);
1680 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1683 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1684 if (option_bool(OPT_LOCAL_SERVICE
))
1686 struct addrlist
*addr
;
1688 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1690 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1691 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1692 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1698 struct in_addr netmask
;
1699 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1701 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1702 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1703 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1709 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1717 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1718 !(size
= c1
<< 8 | c2
) ||
1719 !read_write(confd
, payload
, size
, 1))
1722 if (size
< (int)sizeof(struct dns_header
))
1727 /* save state of "cd" flag in query */
1728 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1729 no_cache_dnssec
= 1;
1731 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1734 struct auth_zone
*zone
;
1736 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1738 if (peer_addr
.sa
.sa_family
== AF_INET
)
1739 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1740 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1743 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1744 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1748 /* find queries for zones we're authoritative for, and answer them directly */
1750 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1751 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1760 if (local_addr
->sa
.sa_family
== AF_INET
)
1761 dst_addr_4
= local_addr
->in
.sin_addr
;
1763 dst_addr_4
.s_addr
= 0;
1767 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1771 /* m > 0 if answered from cache */
1772 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1773 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1775 /* Do this by steam now we're not in the select() loop */
1776 check_log_writer(NULL
);
1780 unsigned int flags
= 0;
1781 struct all_addr
*addrp
= NULL
;
1783 char *domain
= NULL
;
1785 if (option_bool(OPT_ADD_MAC
))
1786 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1788 if (option_bool(OPT_CLIENT_SUBNET
))
1790 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1799 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1801 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1802 last_server
= daemon
->servers
;
1804 last_server
= daemon
->last_server
;
1806 if (!flags
&& last_server
)
1808 struct server
*firstsendto
= NULL
;
1810 unsigned char *newhash
, hash
[HASH_SIZE
];
1811 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1812 memcpy(hash
, newhash
, HASH_SIZE
);
1814 memset(hash
, 0, HASH_SIZE
);
1816 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1818 /* Loop round available servers until we succeed in connecting to one.
1819 Note that this code subtley ensures that consecutive queries on this connection
1820 which can go to the same server, do so. */
1824 firstsendto
= last_server
;
1827 if (!(last_server
= last_server
->next
))
1828 last_server
= daemon
->servers
;
1830 if (last_server
== firstsendto
)
1834 /* server for wrong domain */
1835 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1836 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1837 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1840 if (last_server
->tcpfd
== -1)
1842 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1845 #ifdef HAVE_CONNTRACK
1846 /* Copy connection mark of incoming query to outgoing connection. */
1847 if (option_bool(OPT_CONNTRACK
))
1850 struct all_addr local
;
1852 if (local_addr
->sa
.sa_family
== AF_INET6
)
1853 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1856 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1858 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1859 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1863 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1864 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1866 close(last_server
->tcpfd
);
1867 last_server
->tcpfd
= -1;
1872 if (option_bool(OPT_DNSSEC_VALID
))
1874 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1876 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1877 this allows it to select auth servers when one is returning bad data. */
1878 if (option_bool(OPT_DNSSEC_DEBUG
))
1879 header
->hb4
|= HB4_CD
;
1881 if (size
!= new_size
)
1889 *length
= htons(size
);
1891 /* get query name again for logging - may have been overwritten */
1892 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1893 strcpy(daemon
->namebuff
, "query");
1895 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1896 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1897 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1898 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1900 close(last_server
->tcpfd
);
1901 last_server
->tcpfd
= -1;
1907 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1908 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1909 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1912 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1913 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1917 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1919 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1920 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
1924 result
= "ABANDONED";
1926 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1928 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1930 if (status
== STAT_BOGUS
)
1931 no_cache_dnssec
= 1;
1933 if (status
== STAT_SECURE
)
1938 /* restore CD bit to the value in the query */
1939 if (checking_disabled
)
1940 header
->hb4
|= HB4_CD
;
1942 header
->hb4
&= ~HB4_CD
;
1944 /* There's no point in updating the cache, since this process will exit and
1945 lose the information after a few queries. We make this call for the alias and
1946 bogus-nxdomain side-effects. */
1947 /* If the crc of the question section doesn't match the crc we sent, then
1948 someone might be attempting to insert bogus values into the cache by
1949 sending replies containing questions and bogus answers. */
1951 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
1952 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
1958 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1965 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1966 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
,
1967 cache_secure
, ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
1973 /* In case of local answer or no connections made. */
1975 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1979 check_log_writer(NULL
);
1983 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
1988 static struct frec
*allocate_frec(time_t now
)
1992 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1994 f
->next
= daemon
->frec_list
;
2003 f
->dependent
= NULL
;
2004 f
->blocking_query
= NULL
;
2006 f
->orig_domain
= NULL
;
2008 daemon
->frec_list
= f
;
2014 struct randfd
*allocate_rfd(int family
)
2016 static int finger
= 0;
2019 /* limit the number of sockets we have open to avoid starvation of
2020 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2022 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2023 if (daemon
->randomsocks
[i
].refcount
== 0)
2025 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
2028 daemon
->randomsocks
[i
].refcount
= 1;
2029 daemon
->randomsocks
[i
].family
= family
;
2030 return &daemon
->randomsocks
[i
];
2033 /* No free ones or cannot get new socket, grab an existing one */
2034 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2036 int j
= (i
+finger
) % RANDOM_SOCKS
;
2037 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
2038 daemon
->randomsocks
[j
].family
== family
&&
2039 daemon
->randomsocks
[j
].refcount
!= 0xffff)
2042 daemon
->randomsocks
[j
].refcount
++;
2043 return &daemon
->randomsocks
[j
];
2047 return NULL
; /* doom */
2050 void free_rfd(struct randfd
*rfd
)
2052 if (rfd
&& --(rfd
->refcount
) == 0)
2056 static void free_frec(struct frec
*f
)
2071 blockdata_free(f
->stash
);
2077 blockdata_free(f
->orig_domain
);
2078 f
->orig_domain
= NULL
;
2081 /* Anything we're waiting on is pointless now, too */
2082 if (f
->blocking_query
)
2083 free_frec(f
->blocking_query
);
2084 f
->blocking_query
= NULL
;
2085 f
->dependent
= NULL
;
2089 /* if wait==NULL return a free or older than TIMEOUT record.
2090 else return *wait zero if one available, or *wait is delay to
2091 when the oldest in-use record will expire. Impose an absolute
2092 limit of 4*TIMEOUT before we wipe things (for random sockets).
2093 If force is set, always return a result, even if we have
2094 to allocate above the limit. */
2095 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2097 struct frec
*f
, *oldest
, *target
;
2103 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2108 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2114 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2124 /* can't find empty one, use oldest if there is one
2125 and it's older than timeout */
2126 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2128 /* keep stuff for twice timeout if we can by allocating a new
2130 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2131 count
<= daemon
->ftabsize
&&
2132 (f
= allocate_frec(now
)))
2143 /* none available, calculate time 'till oldest record expires */
2144 if (!force
&& count
> daemon
->ftabsize
)
2146 static time_t last_log
= 0;
2149 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2151 if ((int)difftime(now
, last_log
) > 5)
2154 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2160 if (!(f
= allocate_frec(now
)) && wait
)
2161 /* wait one second on malloc failure */
2164 return f
; /* OK if malloc fails and this is NULL */
2167 /* crc is all-ones if not known. */
2168 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2172 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2173 if (f
->sentto
&& f
->new_id
== id
&&
2174 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2180 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2181 union mysockaddr
*addr
,
2186 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2189 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2190 sockaddr_isequal(&f
->source
, addr
))
2196 /* Send query packet again, if we can. */
2199 if (daemon
->srv_save
)
2203 if (daemon
->srv_save
->sfd
)
2204 fd
= daemon
->srv_save
->sfd
->fd
;
2205 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2206 fd
= daemon
->rfd_save
->fd
;
2210 while(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2211 &daemon
->srv_save
->addr
.sa
, sa_len(&daemon
->srv_save
->addr
)) == -1 && retry_send());
2215 /* A server record is going away, remove references to it */
2216 void server_gone(struct server
*server
)
2220 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2221 if (f
->sentto
&& f
->sentto
== server
)
2224 if (daemon
->last_server
== server
)
2225 daemon
->last_server
= NULL
;
2227 if (daemon
->srv_save
== server
)
2228 daemon
->srv_save
= NULL
;
2231 /* return unique random ids. */
2232 static unsigned short get_id(void)
2234 unsigned short ret
= 0;
2238 while (lookup_frec(ret
, NULL
));