]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(time_t now
, struct dns_header
*header
, size_t plen
, char *name
, char *keyname
, int class);
30 static int send_check_sign(time_t now
, struct dns_header
*header
, size_t plen
, char *name
, char *keyname
);
34 /* Send a UDP packet with its source address set as "source"
35 unless nowild is true, when we just send it with the kernel default */
36 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
37 union mysockaddr
*to
, struct all_addr
*source
,
43 struct cmsghdr align
; /* this ensures alignment */
44 #if defined(HAVE_LINUX_NETWORK)
45 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
46 #elif defined(IP_SENDSRCADDR)
47 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
50 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
54 iov
[0].iov_base
= packet
;
57 msg
.msg_control
= NULL
;
58 msg
.msg_controllen
= 0;
61 msg
.msg_namelen
= sa_len(to
);
67 struct cmsghdr
*cmptr
;
68 msg
.msg_control
= &control_u
;
69 msg
.msg_controllen
= sizeof(control_u
);
70 cmptr
= CMSG_FIRSTHDR(&msg
);
72 if (to
->sa
.sa_family
== AF_INET
)
74 #if defined(HAVE_LINUX_NETWORK)
77 p
.ipi_spec_dst
= source
->addr
.addr4
;
78 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
79 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
80 cmptr
->cmsg_level
= IPPROTO_IP
;
81 cmptr
->cmsg_type
= IP_PKTINFO
;
82 #elif defined(IP_SENDSRCADDR)
83 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
84 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
85 cmptr
->cmsg_level
= IPPROTO_IP
;
86 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
93 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
94 p
.ipi6_addr
= source
->addr
.addr6
;
95 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
96 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
97 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
98 cmptr
->cmsg_level
= IPPROTO_IPV6
;
101 (void)iface
; /* eliminate warning */
105 while (sendmsg(fd
, &msg
, 0) == -1)
110 /* If interface is still in DAD, EINVAL results - ignore that. */
114 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
121 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
122 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
125 /* If the query ends in the domain in one of our servers, set
126 domain to point to that name. We find the largest match to allow both
127 domain.org and sub.domain.org to exist. */
129 unsigned int namelen
= strlen(qdomain
);
130 unsigned int matchlen
= 0;
132 unsigned int flags
= 0;
134 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
135 /* domain matches take priority over NODOTS matches */
136 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
138 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
139 *type
= SERV_FOR_NODOTS
;
140 if (serv
->flags
& SERV_NO_ADDR
)
142 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
147 if (serv
->addr
.sa
.sa_family
== AF_INET
)
148 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
151 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
154 else if (!flags
|| (flags
& F_NXDOMAIN
))
158 else if (serv
->flags
& SERV_HAS_DOMAIN
)
160 unsigned int domainlen
= strlen(serv
->domain
);
161 char *matchstart
= qdomain
+ namelen
- domainlen
;
162 if (namelen
>= domainlen
&&
163 hostname_isequal(matchstart
, serv
->domain
) &&
164 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
166 if (serv
->flags
& SERV_NO_REBIND
)
170 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
171 /* implement priority rules for --address and --server for same domain.
172 --address wins if the address is for the correct AF
173 --server wins otherwise. */
174 if (domainlen
!= 0 && domainlen
== matchlen
)
176 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
178 if (!(sflag
& qtype
) && flags
== 0)
183 if (flags
& (F_IPV4
| F_IPV6
))
188 if (domainlen
>= matchlen
)
190 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
191 *domain
= serv
->domain
;
192 matchlen
= domainlen
;
193 if (serv
->flags
& SERV_NO_ADDR
)
195 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
200 if (serv
->addr
.sa
.sa_family
== AF_INET
)
201 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
204 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
207 else if (!flags
|| (flags
& F_NXDOMAIN
))
217 if (flags
== 0 && !(qtype
& F_QUERY
) &&
218 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
219 /* don't forward A or AAAA queries for simple names, except the empty name */
222 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
229 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
230 logflags
= F_NEG
| qtype
;
232 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
234 else if ((*type
) & SERV_USE_RESOLV
)
236 *type
= 0; /* use normal servers for this domain */
242 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
243 struct all_addr
*dst_addr
, unsigned int dst_iface
,
244 struct dns_header
*header
, size_t plen
, time_t now
,
245 struct frec
*forward
, int ad_reqd
, int do_bit
)
248 int type
= 0, norebind
= 0;
249 struct all_addr
*addrp
= NULL
;
250 unsigned int flags
= 0;
251 struct server
*start
= NULL
;
253 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
255 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
258 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
262 /* may be no servers available. */
263 if (!daemon
->servers
)
265 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
268 /* If we've already got an answer to this query, but we're awaiting keys for validation,
269 there's no point retrying the query, retry the key query instead...... */
270 if (forward
->blocking_query
)
274 while (forward
->blocking_query
)
275 forward
= forward
->blocking_query
;
277 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
278 plen
= forward
->stash_len
;
280 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
281 log_query(F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
284 log_query(F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
287 if (forward
->sentto
->sfd
)
288 fd
= forward
->sentto
->sfd
->fd
;
292 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
293 fd
= forward
->rfd6
->fd
;
296 fd
= forward
->rfd4
->fd
;
299 while (sendto(fd
, (char *)header
, plen
, 0,
300 &forward
->sentto
->addr
.sa
,
301 sa_len(&forward
->sentto
->addr
)) == -1 && retry_send());
307 /* retry on existing query, send to all available servers */
308 domain
= forward
->sentto
->domain
;
309 forward
->sentto
->failed_queries
++;
310 if (!option_bool(OPT_ORDER
))
312 forward
->forwardall
= 1;
313 daemon
->last_server
= NULL
;
315 type
= forward
->sentto
->flags
& SERV_TYPE
;
316 if (!(start
= forward
->sentto
->next
))
317 start
= daemon
->servers
; /* at end of list, recycle */
318 header
->id
= htons(forward
->new_id
);
323 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
325 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
326 /* table full - server failure. */
331 forward
->source
= *udpaddr
;
332 forward
->dest
= *dst_addr
;
333 forward
->iface
= dst_iface
;
334 forward
->orig_id
= ntohs(header
->id
);
335 forward
->new_id
= get_id();
337 memcpy(forward
->hash
, hash
, HASH_SIZE
);
338 forward
->forwardall
= 0;
341 forward
->flags
|= FREC_NOREBIND
;
342 if (header
->hb4
& HB4_CD
)
343 forward
->flags
|= FREC_CHECKING_DISABLED
;
345 forward
->flags
|= FREC_AD_QUESTION
;
347 forward
->work_counter
= DNSSEC_WORK
;
349 forward
->flags
|= FREC_DO_QUESTION
;
352 header
->id
= htons(forward
->new_id
);
354 /* In strict_order mode, always try servers in the order
355 specified in resolv.conf, if a domain is given
356 always try all the available servers,
357 otherwise, use the one last known to work. */
361 if (option_bool(OPT_ORDER
))
362 start
= daemon
->servers
;
363 else if (!(start
= daemon
->last_server
) ||
364 daemon
->forwardcount
++ > FORWARD_TEST
||
365 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
367 start
= daemon
->servers
;
368 forward
->forwardall
= 1;
369 daemon
->forwardcount
= 0;
370 daemon
->forwardtime
= now
;
375 start
= daemon
->servers
;
376 if (!option_bool(OPT_ORDER
))
377 forward
->forwardall
= 1;
382 /* check for send errors here (no route to host)
383 if we fail to send to all nameservers, send back an error
384 packet straight away (helps modem users when offline) */
386 if (!flags
&& forward
)
388 struct server
*firstsentto
= start
;
391 if (option_bool(OPT_ADD_MAC
))
392 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
394 if (option_bool(OPT_CLIENT_SUBNET
))
396 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
400 forward
->flags
|= FREC_HAS_SUBNET
;
405 if (option_bool(OPT_DNSSEC_VALID
))
407 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG
))
412 header
->hb4
|= HB4_CD
;
414 if (new_plen
!= plen
)
415 forward
->flags
|= FREC_ADDED_PHEADER
;
423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
427 if (type
== (start
->flags
& SERV_TYPE
) &&
428 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
429 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
433 /* find server socket to use, may need to get random one. */
439 if (start
->addr
.sa
.sa_family
== AF_INET6
)
441 if (!forward
->rfd6
&&
442 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
444 daemon
->rfd_save
= forward
->rfd6
;
445 fd
= forward
->rfd6
->fd
;
450 if (!forward
->rfd4
&&
451 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
453 daemon
->rfd_save
= forward
->rfd4
;
454 fd
= forward
->rfd4
->fd
;
457 #ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK
))
462 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
463 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
468 if (sendto(fd
, (char *)header
, plen
, 0,
470 sa_len(&start
->addr
)) == -1)
477 /* Keep info in case we want to re-send this packet */
478 daemon
->srv_save
= start
;
479 daemon
->packet_len
= plen
;
482 strcpy(daemon
->namebuff
, "query");
483 if (start
->addr
.sa
.sa_family
== AF_INET
)
484 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
485 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
488 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
489 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
493 forward
->sentto
= start
;
494 if (!forward
->forwardall
)
496 forward
->forwardall
++;
500 if (!(start
= start
->next
))
501 start
= daemon
->servers
;
503 if (start
== firstsentto
)
510 /* could not send on, prepare to return */
511 header
->id
= htons(forward
->orig_id
);
512 free_frec(forward
); /* cancel */
515 /* could not send on, return empty answer or address if known for whole domain */
518 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
519 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
525 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
526 int no_cache
, int cache_secure
, int ad_reqd
, int do_bit
, int added_pheader
, int check_subnet
, union mysockaddr
*query_source
)
528 unsigned char *pheader
, *sizep
;
530 int munged
= 0, is_sign
;
537 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
539 /* Similar algorithm to search_servers. */
540 struct ipsets
*ipset_pos
;
541 unsigned int namelen
= strlen(daemon
->namebuff
);
542 unsigned int matchlen
= 0;
543 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
545 unsigned int domainlen
= strlen(ipset_pos
->domain
);
546 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
547 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
548 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
549 domainlen
>= matchlen
)
551 matchlen
= domainlen
;
552 sets
= ipset_pos
->sets
;
558 /* If upstream is advertising a larger UDP packet size
559 than we allow, trim it so that we don't get overlarge
560 requests for the client. We can't do this for signed packets. */
562 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
564 unsigned short udpsz
;
565 unsigned char *psave
= sizep
;
567 GETSHORT(udpsz
, sizep
);
569 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
570 PUTSHORT(daemon
->edns_pktsz
, psave
);
572 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
574 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
581 header
->arcount
= htons(0);
585 /* RFC 4035 sect 4.6 para 3 */
586 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
587 header
->hb4
&= ~HB4_AD
;
589 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
590 return resize_packet(header
, n
, pheader
, plen
);
592 /* Complain loudly if the upstream server is non-recursive. */
593 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
594 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
596 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
597 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
598 if (!option_bool(OPT_LOG
))
599 server
->flags
|= SERV_WARNED_RECURSIVE
;
602 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
603 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
606 SET_RCODE(header
, NXDOMAIN
);
607 header
->hb3
&= ~HB3_AA
;
614 if (RCODE(header
) == NXDOMAIN
&&
615 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
616 check_for_local_domain(daemon
->namebuff
, now
))
618 /* if we forwarded a query for a locally known name (because it was for
619 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
620 since we know that the domain exists, even if upstream doesn't */
622 header
->hb3
|= HB3_AA
;
623 SET_RCODE(header
, NOERROR
);
627 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
629 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
639 if (no_cache
&& !(header
->hb4
& HB4_CD
))
641 if (!option_bool(OPT_DNSSEC_DEBUG
))
643 /* Bogus reply, turn into SERVFAIL */
644 SET_RCODE(header
, SERVFAIL
);
649 if (option_bool(OPT_DNSSEC_VALID
))
650 header
->hb4
&= ~HB4_AD
;
652 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
653 header
->hb4
|= HB4_AD
;
655 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
657 n
= filter_rrsigs(header
, n
);
660 /* do this after extract_addresses. Ensure NODATA reply and remove
665 header
->ancount
= htons(0);
666 header
->nscount
= htons(0);
667 header
->arcount
= htons(0);
670 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
671 sections of the packet. Find the new length here and put back pseudoheader
672 if it was removed. */
673 return resize_packet(header
, n
, pheader
, plen
);
676 /* sets new last_server */
677 void reply_query(int fd
, int family
, time_t now
)
679 /* packet from peer server, extract data for cache, and send to
680 original requester */
681 struct dns_header
*header
;
682 union mysockaddr serveraddr
;
683 struct frec
*forward
;
684 socklen_t addrlen
= sizeof(serveraddr
);
685 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
687 struct server
*server
;
693 /* packet buffer overwritten */
694 daemon
->srv_save
= NULL
;
696 /* Determine the address of the server replying so that we can mark that as good */
697 serveraddr
.sa
.sa_family
= family
;
699 if (serveraddr
.sa
.sa_family
== AF_INET6
)
700 serveraddr
.in6
.sin6_flowinfo
= 0;
703 header
= (struct dns_header
*)daemon
->packet
;
705 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
708 /* spoof check: answer must come from known server, */
709 for (server
= daemon
->servers
; server
; server
= server
->next
)
710 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
711 sockaddr_isequal(&server
->addr
, &serveraddr
))
718 hash
= hash_questions(header
, n
, daemon
->namebuff
);
721 crc
= questions_crc(header
, n
, daemon
->namebuff
);
724 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
727 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
728 !option_bool(OPT_ORDER
) &&
729 forward
->forwardall
== 0)
730 /* for broken servers, attempt to send to another one. */
732 unsigned char *pheader
;
736 /* recreate query from reply */
737 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
740 header
->ancount
= htons(0);
741 header
->nscount
= htons(0);
742 header
->arcount
= htons(0);
743 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
745 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
746 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
752 server
= forward
->sentto
;
754 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
756 if (RCODE(header
) == REFUSED
)
760 struct server
*last_server
;
762 /* find good server by address if possible, otherwise assume the last one we sent to */
763 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
764 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
765 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
767 server
= last_server
;
771 if (!option_bool(OPT_ALL_SERVERS
))
772 daemon
->last_server
= server
;
775 /* If the answer is an error, keep the forward record in place in case
776 we get a good reply from another server. Kill it when we've
777 had replies from all to avoid filling the forwarding table when
778 everything is broken */
779 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
781 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
783 if (option_bool(OPT_NO_REBIND
))
784 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
786 /* Don't cache replies where DNSSEC validation was turned off, either
787 the upstream server told us so, or the original query specified it. */
788 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
792 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
796 /* We've had a reply already, which we're validating. Ignore this duplicate */
797 if (forward
->blocking_query
)
800 if (header
->hb3
& HB3_TC
)
802 /* Truncated answer can't be validated.
803 If this is an answer to a DNSSEC-generated query, we still
804 need to get the client to retry over TCP, so return
805 an answer with the TC bit set, even if the actual answer fits.
807 status
= STAT_TRUNCATED
;
809 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
810 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
811 else if (forward
->flags
& FREC_DS_QUERY
)
813 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
814 if (status
== STAT_NO_DS
)
815 status
= STAT_INSECURE
;
817 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
818 status
= do_check_sign(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
821 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
);
822 if (status
== STAT_NO_SIG
)
824 if (option_bool(OPT_DNSSEC_NO_SIGN
))
825 status
= send_check_sign(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
827 status
= STAT_INSECURE
;
830 /* Can't validate, as we're missing key data. Put this
831 answer aside, whilst we get that. */
832 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
834 struct frec
*new, *orig
;
836 /* Free any saved query */
838 blockdata_free(forward
->stash
);
840 /* Now save reply pending receipt of key data */
841 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
843 forward
->stash_len
= n
;
846 /* Find the original query that started it all.... */
847 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
849 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
850 status
= STAT_INSECURE
;
854 struct frec
*next
= new->next
;
855 *new = *forward
; /* copy everything, then overwrite */
857 new->blocking_query
= NULL
;
858 new->sentto
= server
;
863 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
865 new->dependent
= forward
; /* to find query awaiting new one. */
866 forward
->blocking_query
= new; /* for garbage cleaning */
867 /* validate routines leave name of required record in daemon->keyname */
868 if (status
== STAT_NEED_KEY
)
870 new->flags
|= FREC_DNSKEY_QUERY
;
871 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
872 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
876 if (status
== STAT_NEED_DS_NEG
)
877 new->flags
|= FREC_CHECK_NOSIGN
;
879 new->flags
|= FREC_DS_QUERY
;
880 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
881 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
883 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
884 memcpy(new->hash
, hash
, HASH_SIZE
);
885 new->new_id
= get_id();
886 header
->id
= htons(new->new_id
);
887 /* Save query for retransmission */
888 new->stash
= blockdata_alloc((char *)header
, nn
);
891 /* Don't resend this. */
892 daemon
->srv_save
= NULL
;
895 fd
= server
->sfd
->fd
;
900 if (server
->addr
.sa
.sa_family
== AF_INET6
)
902 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
908 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
915 while (sendto(fd
, (char *)header
, nn
, 0, &server
->addr
.sa
, sa_len(&server
->addr
)) == -1 && retry_send());
923 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
924 Now wind back down, pulling back answers which wouldn't previously validate
925 and validate them with the new data. Note that if an answer needs multiple
926 keys to validate, we may find another key is needed, in which case we set off
927 down another branch of the tree. Once we get to the original answer
928 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
929 while (forward
->dependent
)
931 struct frec
*prev
= forward
->dependent
;
934 forward
->blocking_query
= NULL
; /* already gone */
935 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
936 n
= forward
->stash_len
;
938 if (status
== STAT_SECURE
)
940 if (forward
->flags
& FREC_DNSKEY_QUERY
)
941 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
942 else if (forward
->flags
& FREC_DS_QUERY
)
944 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
945 if (status
== STAT_NO_DS
)
946 status
= STAT_INSECURE
;
948 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
949 status
= do_check_sign(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
952 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
);
953 if (status
== STAT_NO_SIG
)
955 if (option_bool(OPT_DNSSEC_NO_SIGN
))
956 status
= send_check_sign(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
958 status
= STAT_INSECURE
;
962 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
967 if (status
== STAT_TRUNCATED
)
968 header
->hb3
|= HB3_TC
;
973 if (forward
->work_counter
== 0)
974 result
= "ABANDONED";
976 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
978 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
983 if (status
== STAT_SECURE
)
985 else if (status
== STAT_BOGUS
)
990 /* restore CD bit to the value in the query */
991 if (forward
->flags
& FREC_CHECKING_DISABLED
)
992 header
->hb4
|= HB4_CD
;
994 header
->hb4
&= ~HB4_CD
;
996 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
997 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
998 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1000 header
->id
= htons(forward
->orig_id
);
1001 header
->hb4
|= HB4_RA
; /* recursion if available */
1002 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1003 &forward
->source
, &forward
->dest
, forward
->iface
);
1005 free_frec(forward
); /* cancel */
1010 void receive_query(struct listener
*listen
, time_t now
)
1012 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1013 union mysockaddr source_addr
;
1014 unsigned short type
;
1015 struct all_addr dst_addr
;
1016 struct in_addr netmask
, dst_addr_4
;
1019 int if_index
= 0, auth_dns
= 0;
1023 struct iovec iov
[1];
1025 struct cmsghdr
*cmptr
;
1027 struct cmsghdr align
; /* this ensures alignment */
1029 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1031 #if defined(HAVE_LINUX_NETWORK)
1032 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1033 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1034 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1035 CMSG_SPACE(sizeof(unsigned int))];
1036 #elif defined(IP_RECVDSTADDR)
1037 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1038 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1042 /* Can always get recvd interface for IPv6 */
1043 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1045 int check_dst
= !option_bool(OPT_NOWILD
);
1048 /* packet buffer overwritten */
1049 daemon
->srv_save
= NULL
;
1051 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1054 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1056 auth_dns
= listen
->iface
->dns_auth
;
1058 if (listen
->family
== AF_INET
)
1060 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1061 netmask
= listen
->iface
->netmask
;
1065 iov
[0].iov_base
= daemon
->packet
;
1066 iov
[0].iov_len
= daemon
->edns_pktsz
;
1068 msg
.msg_control
= control_u
.control
;
1069 msg
.msg_controllen
= sizeof(control_u
);
1071 msg
.msg_name
= &source_addr
;
1072 msg
.msg_namelen
= sizeof(source_addr
);
1076 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1079 if (n
< (int)sizeof(struct dns_header
) ||
1080 (msg
.msg_flags
& MSG_TRUNC
) ||
1081 (header
->hb3
& HB3_QR
))
1084 source_addr
.sa
.sa_family
= listen
->family
;
1086 if (listen
->family
== AF_INET
)
1088 /* Source-port == 0 is an error, we can't send back to that.
1089 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1090 if (source_addr
.in
.sin_port
== 0)
1096 /* Source-port == 0 is an error, we can't send back to that. */
1097 if (source_addr
.in6
.sin6_port
== 0)
1099 source_addr
.in6
.sin6_flowinfo
= 0;
1103 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1104 if (option_bool(OPT_LOCAL_SERVICE
))
1106 struct addrlist
*addr
;
1108 if (listen
->family
== AF_INET6
)
1110 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1111 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1112 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1118 struct in_addr netmask
;
1119 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1121 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1122 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1123 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1129 static int warned
= 0;
1132 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1143 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1146 #if defined(HAVE_LINUX_NETWORK)
1147 if (listen
->family
== AF_INET
)
1148 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1149 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1153 struct in_pktinfo
*p
;
1155 p
.c
= CMSG_DATA(cmptr
);
1156 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1157 if_index
= p
.p
->ipi_ifindex
;
1159 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1160 if (listen
->family
== AF_INET
)
1162 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1168 #ifndef HAVE_SOLARIS_NETWORK
1169 struct sockaddr_dl
*s
;
1172 p
.c
= CMSG_DATA(cmptr
);
1173 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1174 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1175 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1176 #ifdef HAVE_SOLARIS_NETWORK
1179 if_index
= p
.s
->sdl_index
;
1186 if (listen
->family
== AF_INET6
)
1188 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1189 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1193 struct in6_pktinfo
*p
;
1195 p
.c
= CMSG_DATA(cmptr
);
1197 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1198 if_index
= p
.p
->ipi6_ifindex
;
1203 /* enforce available interface configuration */
1205 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1208 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1210 if (!option_bool(OPT_CLEVERBIND
))
1211 enumerate_interfaces(0);
1212 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1213 !label_exception(if_index
, listen
->family
, &dst_addr
))
1217 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1221 /* get the netmask of the interface whch has the address we were sent to.
1222 This is no neccessarily the interface we arrived on. */
1224 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1225 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1226 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1229 /* interface may be new */
1230 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1231 enumerate_interfaces(0);
1233 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1234 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1235 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1238 /* If we failed, abandon localisation */
1240 netmask
= iface
->netmask
;
1242 dst_addr_4
.s_addr
= 0;
1246 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1249 struct auth_zone
*zone
;
1251 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1253 if (listen
->family
== AF_INET
)
1254 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1255 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1258 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1259 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1263 /* find queries for zones we're authoritative for, and answer them directly */
1265 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1266 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1275 /* Check for forwarding loop */
1276 if (detect_loop(daemon
->namebuff
, type
))
1284 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1287 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1288 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1289 daemon
->auth_answer
++;
1295 int ad_reqd
, do_bit
;
1296 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1297 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1301 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1302 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1303 daemon
->local_answer
++;
1305 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1306 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1307 daemon
->queries_forwarded
++;
1309 daemon
->local_answer
++;
1315 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1316 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1317 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1318 static int send_check_sign(time_t now
, struct dns_header
*header
, size_t plen
, char *name
, char *keyname
)
1321 char *name_start
= name
;
1322 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1324 if (status
!= STAT_INSECURE
)
1329 crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
);
1331 if (crecp
&& (crecp
->flags
& F_DNSSECOK
))
1332 return (crecp
->flags
& F_NEG
) ? STAT_INSECURE
: STAT_BOGUS
;
1334 if (crecp
&& (crecp
->flags
& F_NEG
) && (name_start
= strchr(name_start
, '.')))
1336 name_start
++; /* chop a label off and try again */
1340 /* Reached the root */
1344 strcpy(keyname
, name_start
);
1345 return STAT_NEED_DS_NEG
;
1349 /* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */
1350 static int do_check_sign(time_t now
, struct dns_header
*header
, size_t plen
, char *name
, char *keyname
, int class)
1357 /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
1358 suitable NSEC reply to DS queries. */
1359 if (RCODE(header
) != SERVFAIL
)
1361 status
= dnssec_validate_ds(now
, header
, plen
, name
, keyname
, class);
1363 if (status
!= STAT_INSECURE
)
1365 if (status
== STAT_NO_DS
)
1366 status
= STAT_INSECURE
;
1371 p
= (unsigned char *)(header
+1);
1373 if (extract_name(header
, plen
, &p
, name
, 1, 4) &&
1374 (name_start
= strchr(name
, '.')))
1376 name_start
++; /* chop a label off and try again */
1377 strcpy(keyname
, name_start
);
1378 return STAT_NEED_DS_NEG
;
1384 /* Move toward the root, until we find a signed non-existance of a DS, in which case
1385 an unsigned answer is OK, or we find a signed DS, in which case there should be
1386 a signature, and the answer is BOGUS */
1387 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1388 char *keyname
, struct server
*server
, int *keycount
)
1391 unsigned char *packet
, *payload
;
1393 unsigned char *p
= (unsigned char *)(header
+1);
1395 char *name_start
= name
;
1397 /* Get first insecure entry in CNAME chain */
1398 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1399 if (status
== STAT_BOGUS
)
1402 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1405 payload
= &packet
[2];
1406 header
= (struct dns_header
*)payload
;
1407 length
= (u16
*)packet
;
1411 unsigned char *newhash
, hash
[HASH_SIZE
];
1412 unsigned char c1
, c2
;
1413 struct crec
*crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
);
1415 if (--(*keycount
) == 0)
1421 if (crecp
&& (crecp
->flags
& F_DNSSECOK
))
1424 return (crecp
->flags
& F_NEG
) ? STAT_INSECURE
: STAT_BOGUS
;
1427 /* If we have cached insecurely that a DS doesn't exist,
1428 ise that is a hit for where to start looking for the secure one */
1429 if (crecp
&& (crecp
->flags
& F_NEG
) && (name_start
= strchr(name_start
, '.')))
1431 name_start
++; /* chop a label off and try again */
1435 /* reached the root */
1442 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
);
1444 /* We rely on the question section coming back unchanged, ensure it is with the hash. */
1445 if ((newhash
= hash_questions(header
, (unsigned int)m
, name
)))
1447 memcpy(hash
, newhash
, HASH_SIZE
);
1451 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1452 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1453 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1454 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1458 newhash
= hash_questions(header
, (unsigned int)m
, name
);
1459 if (newhash
&& memcmp(hash
, newhash
, HASH_SIZE
) == 0)
1461 /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
1462 suitable NSEC reply to DS queries. */
1463 if (RCODE(header
) == SERVFAIL
)
1464 status
= STAT_INSECURE
;
1466 /* Note this trashes all three name workspaces */
1467 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1469 /* We've found a DS which proves the bit of the DNS where the
1470 original query is, is unsigned, so the answer is OK,
1472 if (status
== STAT_NO_DS
)
1475 return STAT_INSECURE
;
1478 /* No DS, not got to DNSSEC-land yet, go up. */
1479 if (status
== STAT_INSECURE
)
1481 p
= (unsigned char *)(header
+1);
1483 if (extract_name(header
, plen
, &p
, name
, 1, 4) &&
1484 (name_start
= strchr(name
, '.')))
1486 name_start
++; /* chop a label off and try again */
1500 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1501 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1503 /* Recurse up the key heirarchy */
1506 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1507 if (--(*keycount
) == 0)
1508 return STAT_INSECURE
;
1510 if (status
== STAT_NEED_KEY
)
1511 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1512 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1514 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1515 if (status
== STAT_NEED_DS
&& new_status
== STAT_NO_DS
)
1516 new_status
= STAT_INSECURE
;
1518 else if (status
== STAT_CHASE_CNAME
)
1519 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1522 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
);
1524 if (new_status
== STAT_NO_SIG
)
1526 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1527 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1529 new_status
= STAT_INSECURE
;
1533 /* Can't validate because we need a key/DS whose name now in keyname.
1534 Make query for same, and recurse to validate */
1535 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1538 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1539 unsigned char *payload
= &packet
[2];
1540 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1541 u16
*length
= (u16
*)packet
;
1542 unsigned char c1
, c2
;
1545 return STAT_INSECURE
;
1548 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1549 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1553 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1554 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1555 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1556 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1557 new_status
= STAT_INSECURE
;
1562 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1564 if (new_status
== STAT_SECURE
)
1566 /* Reached a validated record, now try again at this level.
1567 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1568 If so, go round again. */
1570 if (status
== STAT_NEED_KEY
)
1571 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1572 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1574 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1575 if (status
== STAT_NEED_DS
&& new_status
== STAT_NO_DS
)
1576 new_status
= STAT_INSECURE
; /* Validated no DS */
1578 else if (status
== STAT_CHASE_CNAME
)
1579 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1582 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
);
1584 if (new_status
== STAT_NO_SIG
)
1586 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1587 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1589 new_status
= STAT_INSECURE
;
1593 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1594 goto another_tcp_key
;
1605 /* The daemon forks before calling this: it should deal with one connection,
1606 blocking as neccessary, and then return. Note, need to be a bit careful
1607 about resources for debug mode, when the fork is suppressed: that's
1608 done by the caller. */
1609 unsigned char *tcp_request(int confd
, time_t now
,
1610 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1617 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1618 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0;
1620 unsigned short qtype
;
1621 unsigned int gotname
;
1622 unsigned char c1
, c2
;
1623 /* Max TCP packet + slop + size */
1624 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1625 unsigned char *payload
= &packet
[2];
1626 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1627 struct dns_header
*header
= (struct dns_header
*)payload
;
1628 u16
*length
= (u16
*)packet
;
1629 struct server
*last_server
;
1630 struct in_addr dst_addr_4
;
1631 union mysockaddr peer_addr
;
1632 socklen_t peer_len
= sizeof(union mysockaddr
);
1634 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1637 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1638 if (option_bool(OPT_LOCAL_SERVICE
))
1640 struct addrlist
*addr
;
1642 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1644 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1645 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1646 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1652 struct in_addr netmask
;
1653 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1655 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1656 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1657 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1663 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1671 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1672 !(size
= c1
<< 8 | c2
) ||
1673 !read_write(confd
, payload
, size
, 1))
1676 if (size
< (int)sizeof(struct dns_header
))
1681 /* save state of "cd" flag in query */
1682 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1683 no_cache_dnssec
= 1;
1685 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1688 struct auth_zone
*zone
;
1690 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1692 if (peer_addr
.sa
.sa_family
== AF_INET
)
1693 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1694 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1697 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1698 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1702 /* find queries for zones we're authoritative for, and answer them directly */
1704 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1705 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1714 if (local_addr
->sa
.sa_family
== AF_INET
)
1715 dst_addr_4
= local_addr
->in
.sin_addr
;
1717 dst_addr_4
.s_addr
= 0;
1721 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1725 /* m > 0 if answered from cache */
1726 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1727 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1729 /* Do this by steam now we're not in the select() loop */
1730 check_log_writer(NULL
);
1734 unsigned int flags
= 0;
1735 struct all_addr
*addrp
= NULL
;
1737 char *domain
= NULL
;
1739 if (option_bool(OPT_ADD_MAC
))
1740 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1742 if (option_bool(OPT_CLIENT_SUBNET
))
1744 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1753 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1755 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1756 last_server
= daemon
->servers
;
1758 last_server
= daemon
->last_server
;
1760 if (!flags
&& last_server
)
1762 struct server
*firstsendto
= NULL
;
1764 unsigned char *newhash
, hash
[HASH_SIZE
];
1765 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1766 memcpy(hash
, newhash
, HASH_SIZE
);
1768 memset(hash
, 0, HASH_SIZE
);
1770 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1772 /* Loop round available servers until we succeed in connecting to one.
1773 Note that this code subtley ensures that consecutive queries on this connection
1774 which can go to the same server, do so. */
1778 firstsendto
= last_server
;
1781 if (!(last_server
= last_server
->next
))
1782 last_server
= daemon
->servers
;
1784 if (last_server
== firstsendto
)
1788 /* server for wrong domain */
1789 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1790 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1791 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1794 if (last_server
->tcpfd
== -1)
1796 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1799 #ifdef HAVE_CONNTRACK
1800 /* Copy connection mark of incoming query to outgoing connection. */
1801 if (option_bool(OPT_CONNTRACK
))
1804 struct all_addr local
;
1806 if (local_addr
->sa
.sa_family
== AF_INET6
)
1807 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1810 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1812 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1813 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1817 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1818 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1820 close(last_server
->tcpfd
);
1821 last_server
->tcpfd
= -1;
1826 if (option_bool(OPT_DNSSEC_VALID
))
1828 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1830 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1831 this allows it to select auth servers when one is returning bad data. */
1832 if (option_bool(OPT_DNSSEC_DEBUG
))
1833 header
->hb4
|= HB4_CD
;
1835 if (size
!= new_size
)
1843 *length
= htons(size
);
1845 /* get query name again for logging - may have been overwritten */
1846 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1847 strcpy(daemon
->namebuff
, "query");
1849 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1850 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1851 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1852 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1854 close(last_server
->tcpfd
);
1855 last_server
->tcpfd
= -1;
1861 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1862 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1863 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1866 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1867 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1871 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1873 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1874 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
1878 result
= "ABANDONED";
1880 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1882 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1884 if (status
== STAT_BOGUS
)
1885 no_cache_dnssec
= 1;
1887 if (status
== STAT_SECURE
)
1892 /* restore CD bit to the value in the query */
1893 if (checking_disabled
)
1894 header
->hb4
|= HB4_CD
;
1896 header
->hb4
&= ~HB4_CD
;
1898 /* There's no point in updating the cache, since this process will exit and
1899 lose the information after a few queries. We make this call for the alias and
1900 bogus-nxdomain side-effects. */
1901 /* If the crc of the question section doesn't match the crc we sent, then
1902 someone might be attempting to insert bogus values into the cache by
1903 sending replies containing questions and bogus answers. */
1905 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
1906 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
1912 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1919 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1920 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
,
1921 cache_secure
, ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
1927 /* In case of local answer or no connections made. */
1929 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1933 check_log_writer(NULL
);
1937 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
1942 static struct frec
*allocate_frec(time_t now
)
1946 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1948 f
->next
= daemon
->frec_list
;
1957 f
->dependent
= NULL
;
1958 f
->blocking_query
= NULL
;
1961 daemon
->frec_list
= f
;
1967 struct randfd
*allocate_rfd(int family
)
1969 static int finger
= 0;
1972 /* limit the number of sockets we have open to avoid starvation of
1973 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1975 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1976 if (daemon
->randomsocks
[i
].refcount
== 0)
1978 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1981 daemon
->randomsocks
[i
].refcount
= 1;
1982 daemon
->randomsocks
[i
].family
= family
;
1983 return &daemon
->randomsocks
[i
];
1986 /* No free ones or cannot get new socket, grab an existing one */
1987 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1989 int j
= (i
+finger
) % RANDOM_SOCKS
;
1990 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1991 daemon
->randomsocks
[j
].family
== family
&&
1992 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1995 daemon
->randomsocks
[j
].refcount
++;
1996 return &daemon
->randomsocks
[j
];
2000 return NULL
; /* doom */
2003 void free_rfd(struct randfd
*rfd
)
2005 if (rfd
&& --(rfd
->refcount
) == 0)
2009 static void free_frec(struct frec
*f
)
2024 blockdata_free(f
->stash
);
2028 /* Anything we're waiting on is pointless now, too */
2029 if (f
->blocking_query
)
2030 free_frec(f
->blocking_query
);
2031 f
->blocking_query
= NULL
;
2032 f
->dependent
= NULL
;
2036 /* if wait==NULL return a free or older than TIMEOUT record.
2037 else return *wait zero if one available, or *wait is delay to
2038 when the oldest in-use record will expire. Impose an absolute
2039 limit of 4*TIMEOUT before we wipe things (for random sockets).
2040 If force is set, always return a result, even if we have
2041 to allocate above the limit. */
2042 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2044 struct frec
*f
, *oldest
, *target
;
2050 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2055 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2061 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2071 /* can't find empty one, use oldest if there is one
2072 and it's older than timeout */
2073 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2075 /* keep stuff for twice timeout if we can by allocating a new
2077 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2078 count
<= daemon
->ftabsize
&&
2079 (f
= allocate_frec(now
)))
2090 /* none available, calculate time 'till oldest record expires */
2091 if (!force
&& count
> daemon
->ftabsize
)
2093 static time_t last_log
= 0;
2096 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2098 if ((int)difftime(now
, last_log
) > 5)
2101 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2107 if (!(f
= allocate_frec(now
)) && wait
)
2108 /* wait one second on malloc failure */
2111 return f
; /* OK if malloc fails and this is NULL */
2114 /* crc is all-ones if not known. */
2115 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2119 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2120 if (f
->sentto
&& f
->new_id
== id
&&
2121 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2127 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2128 union mysockaddr
*addr
,
2133 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2136 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2137 sockaddr_isequal(&f
->source
, addr
))
2143 /* Send query packet again, if we can. */
2146 if (daemon
->srv_save
)
2150 if (daemon
->srv_save
->sfd
)
2151 fd
= daemon
->srv_save
->sfd
->fd
;
2152 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2153 fd
= daemon
->rfd_save
->fd
;
2157 while(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2158 &daemon
->srv_save
->addr
.sa
, sa_len(&daemon
->srv_save
->addr
)) == -1 && retry_send());
2162 /* A server record is going away, remove references to it */
2163 void server_gone(struct server
*server
)
2167 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2168 if (f
->sentto
&& f
->sentto
== server
)
2171 if (daemon
->last_server
== server
)
2172 daemon
->last_server
= NULL
;
2174 if (daemon
->srv_save
== server
)
2175 daemon
->srv_save
= NULL
;
2178 /* return unique random ids. */
2179 static unsigned short get_id(void)
2181 unsigned short ret
= 0;
2185 while (lookup_frec(ret
, NULL
));