]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'inotify'
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, void *hash);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 void *hash);
23 static unsigned short get_id(void);
24 static void free_frec(struct frec *f);
25
26 #ifdef HAVE_DNSSEC
27 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
29 static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
30 static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
31 #endif
32
33
34 /* Send a UDP packet with its source address set as "source"
35 unless nowild is true, when we just send it with the kernel default */
36 int send_from(int fd, int nowild, char *packet, size_t len,
37 union mysockaddr *to, struct all_addr *source,
38 unsigned int iface)
39 {
40 struct msghdr msg;
41 struct iovec iov[1];
42 union {
43 struct cmsghdr align; /* this ensures alignment */
44 #if defined(HAVE_LINUX_NETWORK)
45 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
46 #elif defined(IP_SENDSRCADDR)
47 char control[CMSG_SPACE(sizeof(struct in_addr))];
48 #endif
49 #ifdef HAVE_IPV6
50 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
51 #endif
52 } control_u;
53
54 iov[0].iov_base = packet;
55 iov[0].iov_len = len;
56
57 msg.msg_control = NULL;
58 msg.msg_controllen = 0;
59 msg.msg_flags = 0;
60 msg.msg_name = to;
61 msg.msg_namelen = sa_len(to);
62 msg.msg_iov = iov;
63 msg.msg_iovlen = 1;
64
65 if (!nowild)
66 {
67 struct cmsghdr *cmptr;
68 msg.msg_control = &control_u;
69 msg.msg_controllen = sizeof(control_u);
70 cmptr = CMSG_FIRSTHDR(&msg);
71
72 if (to->sa.sa_family == AF_INET)
73 {
74 #if defined(HAVE_LINUX_NETWORK)
75 struct in_pktinfo p;
76 p.ipi_ifindex = 0;
77 p.ipi_spec_dst = source->addr.addr4;
78 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
79 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
80 cmptr->cmsg_level = IPPROTO_IP;
81 cmptr->cmsg_type = IP_PKTINFO;
82 #elif defined(IP_SENDSRCADDR)
83 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
84 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
85 cmptr->cmsg_level = IPPROTO_IP;
86 cmptr->cmsg_type = IP_SENDSRCADDR;
87 #endif
88 }
89 else
90 #ifdef HAVE_IPV6
91 {
92 struct in6_pktinfo p;
93 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
94 p.ipi6_addr = source->addr.addr6;
95 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
96 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
97 cmptr->cmsg_type = daemon->v6pktinfo;
98 cmptr->cmsg_level = IPPROTO_IPV6;
99 }
100 #else
101 (void)iface; /* eliminate warning */
102 #endif
103 }
104
105 while (sendmsg(fd, &msg, 0) == -1)
106 {
107 if (retry_send())
108 continue;
109
110 /* If interface is still in DAD, EINVAL results - ignore that. */
111 if (errno == EINVAL)
112 break;
113
114 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
115 return 0;
116 }
117
118 return 1;
119 }
120
121 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
122 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
123
124 {
125 /* If the query ends in the domain in one of our servers, set
126 domain to point to that name. We find the largest match to allow both
127 domain.org and sub.domain.org to exist. */
128
129 unsigned int namelen = strlen(qdomain);
130 unsigned int matchlen = 0;
131 struct server *serv;
132 unsigned int flags = 0;
133
134 for (serv = daemon->servers; serv; serv=serv->next)
135 /* domain matches take priority over NODOTS matches */
136 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
137 {
138 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
139 *type = SERV_FOR_NODOTS;
140 if (serv->flags & SERV_NO_ADDR)
141 flags = F_NXDOMAIN;
142 else if (serv->flags & SERV_LITERAL_ADDRESS)
143 {
144 if (sflag & qtype)
145 {
146 flags = sflag;
147 if (serv->addr.sa.sa_family == AF_INET)
148 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
149 #ifdef HAVE_IPV6
150 else
151 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
152 #endif
153 }
154 else if (!flags || (flags & F_NXDOMAIN))
155 flags = F_NOERR;
156 }
157 }
158 else if (serv->flags & SERV_HAS_DOMAIN)
159 {
160 unsigned int domainlen = strlen(serv->domain);
161 char *matchstart = qdomain + namelen - domainlen;
162 if (namelen >= domainlen &&
163 hostname_isequal(matchstart, serv->domain) &&
164 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
165 {
166 if (serv->flags & SERV_NO_REBIND)
167 *norebind = 1;
168 else
169 {
170 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
171 /* implement priority rules for --address and --server for same domain.
172 --address wins if the address is for the correct AF
173 --server wins otherwise. */
174 if (domainlen != 0 && domainlen == matchlen)
175 {
176 if ((serv->flags & SERV_LITERAL_ADDRESS))
177 {
178 if (!(sflag & qtype) && flags == 0)
179 continue;
180 }
181 else
182 {
183 if (flags & (F_IPV4 | F_IPV6))
184 continue;
185 }
186 }
187
188 if (domainlen >= matchlen)
189 {
190 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
191 *domain = serv->domain;
192 matchlen = domainlen;
193 if (serv->flags & SERV_NO_ADDR)
194 flags = F_NXDOMAIN;
195 else if (serv->flags & SERV_LITERAL_ADDRESS)
196 {
197 if (sflag & qtype)
198 {
199 flags = sflag;
200 if (serv->addr.sa.sa_family == AF_INET)
201 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
202 #ifdef HAVE_IPV6
203 else
204 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
205 #endif
206 }
207 else if (!flags || (flags & F_NXDOMAIN))
208 flags = F_NOERR;
209 }
210 else
211 flags = 0;
212 }
213 }
214 }
215 }
216
217 if (flags == 0 && !(qtype & F_QUERY) &&
218 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
219 /* don't forward A or AAAA queries for simple names, except the empty name */
220 flags = F_NOERR;
221
222 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
223 flags = F_NOERR;
224
225 if (flags)
226 {
227 int logflags = 0;
228
229 if (flags == F_NXDOMAIN || flags == F_NOERR)
230 logflags = F_NEG | qtype;
231
232 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
233 }
234 else if ((*type) & SERV_USE_RESOLV)
235 {
236 *type = 0; /* use normal servers for this domain */
237 *domain = NULL;
238 }
239 return flags;
240 }
241
242 static int forward_query(int udpfd, union mysockaddr *udpaddr,
243 struct all_addr *dst_addr, unsigned int dst_iface,
244 struct dns_header *header, size_t plen, time_t now,
245 struct frec *forward, int ad_reqd, int do_bit)
246 {
247 char *domain = NULL;
248 int type = 0, norebind = 0;
249 struct all_addr *addrp = NULL;
250 unsigned int flags = 0;
251 struct server *start = NULL;
252 #ifdef HAVE_DNSSEC
253 void *hash = hash_questions(header, plen, daemon->namebuff);
254 #else
255 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
256 void *hash = &crc;
257 #endif
258 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
259
260 (void)do_bit;
261
262 /* may be no servers available. */
263 if (!daemon->servers)
264 forward = NULL;
265 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
266 {
267 #ifdef HAVE_DNSSEC
268 /* If we've already got an answer to this query, but we're awaiting keys for validation,
269 there's no point retrying the query, retry the key query instead...... */
270 if (forward->blocking_query)
271 {
272 int fd;
273
274 while (forward->blocking_query)
275 forward = forward->blocking_query;
276
277 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
278 plen = forward->stash_len;
279
280 if (forward->sentto->addr.sa.sa_family == AF_INET)
281 log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
282 #ifdef HAVE_IPV6
283 else
284 log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
285 #endif
286
287 if (forward->sentto->sfd)
288 fd = forward->sentto->sfd->fd;
289 else
290 {
291 #ifdef HAVE_IPV6
292 if (forward->sentto->addr.sa.sa_family == AF_INET6)
293 fd = forward->rfd6->fd;
294 else
295 #endif
296 fd = forward->rfd4->fd;
297 }
298
299 while (sendto(fd, (char *)header, plen, 0,
300 &forward->sentto->addr.sa,
301 sa_len(&forward->sentto->addr)) == -1 && retry_send());
302
303 return 1;
304 }
305 #endif
306
307 /* retry on existing query, send to all available servers */
308 domain = forward->sentto->domain;
309 forward->sentto->failed_queries++;
310 if (!option_bool(OPT_ORDER))
311 {
312 forward->forwardall = 1;
313 daemon->last_server = NULL;
314 }
315 type = forward->sentto->flags & SERV_TYPE;
316 if (!(start = forward->sentto->next))
317 start = daemon->servers; /* at end of list, recycle */
318 header->id = htons(forward->new_id);
319 }
320 else
321 {
322 if (gotname)
323 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
324
325 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
326 /* table full - server failure. */
327 flags = F_NEG;
328
329 if (forward)
330 {
331 forward->source = *udpaddr;
332 forward->dest = *dst_addr;
333 forward->iface = dst_iface;
334 forward->orig_id = ntohs(header->id);
335 forward->new_id = get_id();
336 forward->fd = udpfd;
337 memcpy(forward->hash, hash, HASH_SIZE);
338 forward->forwardall = 0;
339 forward->flags = 0;
340 if (norebind)
341 forward->flags |= FREC_NOREBIND;
342 if (header->hb4 & HB4_CD)
343 forward->flags |= FREC_CHECKING_DISABLED;
344 if (ad_reqd)
345 forward->flags |= FREC_AD_QUESTION;
346 #ifdef HAVE_DNSSEC
347 forward->work_counter = DNSSEC_WORK;
348 if (do_bit)
349 forward->flags |= FREC_DO_QUESTION;
350 #endif
351
352 header->id = htons(forward->new_id);
353
354 /* In strict_order mode, always try servers in the order
355 specified in resolv.conf, if a domain is given
356 always try all the available servers,
357 otherwise, use the one last known to work. */
358
359 if (type == 0)
360 {
361 if (option_bool(OPT_ORDER))
362 start = daemon->servers;
363 else if (!(start = daemon->last_server) ||
364 daemon->forwardcount++ > FORWARD_TEST ||
365 difftime(now, daemon->forwardtime) > FORWARD_TIME)
366 {
367 start = daemon->servers;
368 forward->forwardall = 1;
369 daemon->forwardcount = 0;
370 daemon->forwardtime = now;
371 }
372 }
373 else
374 {
375 start = daemon->servers;
376 if (!option_bool(OPT_ORDER))
377 forward->forwardall = 1;
378 }
379 }
380 }
381
382 /* check for send errors here (no route to host)
383 if we fail to send to all nameservers, send back an error
384 packet straight away (helps modem users when offline) */
385
386 if (!flags && forward)
387 {
388 struct server *firstsentto = start;
389 int forwarded = 0;
390
391 if (option_bool(OPT_ADD_MAC))
392 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
393
394 if (option_bool(OPT_CLIENT_SUBNET))
395 {
396 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
397 if (new != plen)
398 {
399 plen = new;
400 forward->flags |= FREC_HAS_SUBNET;
401 }
402 }
403
404 #ifdef HAVE_DNSSEC
405 if (option_bool(OPT_DNSSEC_VALID))
406 {
407 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
408
409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG))
412 header->hb4 |= HB4_CD;
413
414 if (new_plen != plen)
415 forward->flags |= FREC_ADDED_PHEADER;
416
417 plen = new_plen;
418 }
419 #endif
420
421 while (1)
422 {
423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
426
427 if (type == (start->flags & SERV_TYPE) &&
428 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
429 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
430 {
431 int fd;
432
433 /* find server socket to use, may need to get random one. */
434 if (start->sfd)
435 fd = start->sfd->fd;
436 else
437 {
438 #ifdef HAVE_IPV6
439 if (start->addr.sa.sa_family == AF_INET6)
440 {
441 if (!forward->rfd6 &&
442 !(forward->rfd6 = allocate_rfd(AF_INET6)))
443 break;
444 daemon->rfd_save = forward->rfd6;
445 fd = forward->rfd6->fd;
446 }
447 else
448 #endif
449 {
450 if (!forward->rfd4 &&
451 !(forward->rfd4 = allocate_rfd(AF_INET)))
452 break;
453 daemon->rfd_save = forward->rfd4;
454 fd = forward->rfd4->fd;
455 }
456
457 #ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK))
460 {
461 unsigned int mark;
462 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
463 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
464 }
465 #endif
466 }
467
468 if (sendto(fd, (char *)header, plen, 0,
469 &start->addr.sa,
470 sa_len(&start->addr)) == -1)
471 {
472 if (retry_send())
473 continue;
474 }
475 else
476 {
477 /* Keep info in case we want to re-send this packet */
478 daemon->srv_save = start;
479 daemon->packet_len = plen;
480
481 if (!gotname)
482 strcpy(daemon->namebuff, "query");
483 if (start->addr.sa.sa_family == AF_INET)
484 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
485 (struct all_addr *)&start->addr.in.sin_addr, NULL);
486 #ifdef HAVE_IPV6
487 else
488 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
489 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
490 #endif
491 start->queries++;
492 forwarded = 1;
493 forward->sentto = start;
494 if (!forward->forwardall)
495 break;
496 forward->forwardall++;
497 }
498 }
499
500 if (!(start = start->next))
501 start = daemon->servers;
502
503 if (start == firstsentto)
504 break;
505 }
506
507 if (forwarded)
508 return 1;
509
510 /* could not send on, prepare to return */
511 header->id = htons(forward->orig_id);
512 free_frec(forward); /* cancel */
513 }
514
515 /* could not send on, return empty answer or address if known for whole domain */
516 if (udpfd != -1)
517 {
518 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
519 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
520 }
521
522 return 0;
523 }
524
525 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
526 int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
527 {
528 unsigned char *pheader, *sizep;
529 char **sets = 0;
530 int munged = 0, is_sign;
531 size_t plen;
532
533 (void)ad_reqd;
534 (void) do_bit;
535
536 #ifdef HAVE_IPSET
537 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
538 {
539 /* Similar algorithm to search_servers. */
540 struct ipsets *ipset_pos;
541 unsigned int namelen = strlen(daemon->namebuff);
542 unsigned int matchlen = 0;
543 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
544 {
545 unsigned int domainlen = strlen(ipset_pos->domain);
546 char *matchstart = daemon->namebuff + namelen - domainlen;
547 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
548 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
549 domainlen >= matchlen)
550 {
551 matchlen = domainlen;
552 sets = ipset_pos->sets;
553 }
554 }
555 }
556 #endif
557
558 /* If upstream is advertising a larger UDP packet size
559 than we allow, trim it so that we don't get overlarge
560 requests for the client. We can't do this for signed packets. */
561
562 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
563 {
564 unsigned short udpsz;
565 unsigned char *psave = sizep;
566
567 GETSHORT(udpsz, sizep);
568
569 if (!is_sign && udpsz > daemon->edns_pktsz)
570 PUTSHORT(daemon->edns_pktsz, psave);
571
572 if (check_subnet && !check_source(header, plen, pheader, query_source))
573 {
574 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
575 return 0;
576 }
577
578 if (added_pheader)
579 {
580 pheader = 0;
581 header->arcount = htons(0);
582 }
583 }
584
585 /* RFC 4035 sect 4.6 para 3 */
586 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
587 header->hb4 &= ~HB4_AD;
588
589 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
590 return resize_packet(header, n, pheader, plen);
591
592 /* Complain loudly if the upstream server is non-recursive. */
593 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
594 server && !(server->flags & SERV_WARNED_RECURSIVE))
595 {
596 prettyprint_addr(&server->addr, daemon->namebuff);
597 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
598 if (!option_bool(OPT_LOG))
599 server->flags |= SERV_WARNED_RECURSIVE;
600 }
601
602 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
603 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
604 {
605 munged = 1;
606 SET_RCODE(header, NXDOMAIN);
607 header->hb3 &= ~HB3_AA;
608 cache_secure = 0;
609 }
610 else
611 {
612 int doctored = 0;
613
614 if (RCODE(header) == NXDOMAIN &&
615 extract_request(header, n, daemon->namebuff, NULL) &&
616 check_for_local_domain(daemon->namebuff, now))
617 {
618 /* if we forwarded a query for a locally known name (because it was for
619 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
620 since we know that the domain exists, even if upstream doesn't */
621 munged = 1;
622 header->hb3 |= HB3_AA;
623 SET_RCODE(header, NOERROR);
624 cache_secure = 0;
625 }
626
627 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
628 {
629 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
630 munged = 1;
631 cache_secure = 0;
632 }
633
634 if (doctored)
635 cache_secure = 0;
636 }
637
638 #ifdef HAVE_DNSSEC
639 if (no_cache && !(header->hb4 & HB4_CD))
640 {
641 if (!option_bool(OPT_DNSSEC_DEBUG))
642 {
643 /* Bogus reply, turn into SERVFAIL */
644 SET_RCODE(header, SERVFAIL);
645 munged = 1;
646 }
647 }
648
649 if (option_bool(OPT_DNSSEC_VALID))
650 header->hb4 &= ~HB4_AD;
651
652 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
653 header->hb4 |= HB4_AD;
654
655 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
656 if (!do_bit)
657 n = filter_rrsigs(header, n);
658 #endif
659
660 /* do this after extract_addresses. Ensure NODATA reply and remove
661 nameserver info. */
662
663 if (munged)
664 {
665 header->ancount = htons(0);
666 header->nscount = htons(0);
667 header->arcount = htons(0);
668 }
669
670 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
671 sections of the packet. Find the new length here and put back pseudoheader
672 if it was removed. */
673 return resize_packet(header, n, pheader, plen);
674 }
675
676 /* sets new last_server */
677 void reply_query(int fd, int family, time_t now)
678 {
679 /* packet from peer server, extract data for cache, and send to
680 original requester */
681 struct dns_header *header;
682 union mysockaddr serveraddr;
683 struct frec *forward;
684 socklen_t addrlen = sizeof(serveraddr);
685 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
686 size_t nn;
687 struct server *server;
688 void *hash;
689 #ifndef HAVE_DNSSEC
690 unsigned int crc;
691 #endif
692
693 /* packet buffer overwritten */
694 daemon->srv_save = NULL;
695
696 /* Determine the address of the server replying so that we can mark that as good */
697 serveraddr.sa.sa_family = family;
698 #ifdef HAVE_IPV6
699 if (serveraddr.sa.sa_family == AF_INET6)
700 serveraddr.in6.sin6_flowinfo = 0;
701 #endif
702
703 header = (struct dns_header *)daemon->packet;
704
705 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
706 return;
707
708 /* spoof check: answer must come from known server, */
709 for (server = daemon->servers; server; server = server->next)
710 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
711 sockaddr_isequal(&server->addr, &serveraddr))
712 break;
713
714 if (!server)
715 return;
716
717 #ifdef HAVE_DNSSEC
718 hash = hash_questions(header, n, daemon->namebuff);
719 #else
720 hash = &crc;
721 crc = questions_crc(header, n, daemon->namebuff);
722 #endif
723
724 if (!(forward = lookup_frec(ntohs(header->id), hash)))
725 return;
726
727 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
728 !option_bool(OPT_ORDER) &&
729 forward->forwardall == 0)
730 /* for broken servers, attempt to send to another one. */
731 {
732 unsigned char *pheader;
733 size_t plen;
734 int is_sign;
735
736 /* recreate query from reply */
737 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
738 if (!is_sign)
739 {
740 header->ancount = htons(0);
741 header->nscount = htons(0);
742 header->arcount = htons(0);
743 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
744 {
745 header->hb3 &= ~(HB3_QR | HB3_TC);
746 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
747 return;
748 }
749 }
750 }
751
752 server = forward->sentto;
753
754 if ((forward->sentto->flags & SERV_TYPE) == 0)
755 {
756 if (RCODE(header) == REFUSED)
757 server = NULL;
758 else
759 {
760 struct server *last_server;
761
762 /* find good server by address if possible, otherwise assume the last one we sent to */
763 for (last_server = daemon->servers; last_server; last_server = last_server->next)
764 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
765 sockaddr_isequal(&last_server->addr, &serveraddr))
766 {
767 server = last_server;
768 break;
769 }
770 }
771 if (!option_bool(OPT_ALL_SERVERS))
772 daemon->last_server = server;
773 }
774
775 /* If the answer is an error, keep the forward record in place in case
776 we get a good reply from another server. Kill it when we've
777 had replies from all to avoid filling the forwarding table when
778 everything is broken */
779 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
780 {
781 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
782
783 if (option_bool(OPT_NO_REBIND))
784 check_rebind = !(forward->flags & FREC_NOREBIND);
785
786 /* Don't cache replies where DNSSEC validation was turned off, either
787 the upstream server told us so, or the original query specified it. */
788 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
789 no_cache_dnssec = 1;
790
791 #ifdef HAVE_DNSSEC
792 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
793 {
794 int status;
795
796 /* We've had a reply already, which we're validating. Ignore this duplicate */
797 if (forward->blocking_query)
798 return;
799
800 if (header->hb3 & HB3_TC)
801 {
802 /* Truncated answer can't be validated.
803 If this is an answer to a DNSSEC-generated query, we still
804 need to get the client to retry over TCP, so return
805 an answer with the TC bit set, even if the actual answer fits.
806 */
807 status = STAT_TRUNCATED;
808 }
809 else if (forward->flags & FREC_DNSKEY_QUERY)
810 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
811 else if (forward->flags & FREC_DS_QUERY)
812 {
813 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
814 if (status == STAT_NO_DS)
815 status = STAT_INSECURE;
816 }
817 else if (forward->flags & FREC_CHECK_NOSIGN)
818 status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
819 else
820 {
821 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
822 if (status == STAT_NO_SIG)
823 {
824 if (option_bool(OPT_DNSSEC_NO_SIGN))
825 status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
826 else
827 status = STAT_INSECURE;
828 }
829 }
830 /* Can't validate, as we're missing key data. Put this
831 answer aside, whilst we get that. */
832 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
833 {
834 struct frec *new, *orig;
835
836 /* Free any saved query */
837 if (forward->stash)
838 blockdata_free(forward->stash);
839
840 /* Now save reply pending receipt of key data */
841 if (!(forward->stash = blockdata_alloc((char *)header, n)))
842 return;
843 forward->stash_len = n;
844
845 anotherkey:
846 /* Find the original query that started it all.... */
847 for (orig = forward; orig->dependent; orig = orig->dependent);
848
849 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
850 status = STAT_INSECURE;
851 else
852 {
853 int fd;
854 struct frec *next = new->next;
855 *new = *forward; /* copy everything, then overwrite */
856 new->next = next;
857 new->blocking_query = NULL;
858 new->sentto = server;
859 new->rfd4 = NULL;
860 #ifdef HAVE_IPV6
861 new->rfd6 = NULL;
862 #endif
863 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
864
865 new->dependent = forward; /* to find query awaiting new one. */
866 forward->blocking_query = new; /* for garbage cleaning */
867 /* validate routines leave name of required record in daemon->keyname */
868 if (status == STAT_NEED_KEY)
869 {
870 new->flags |= FREC_DNSKEY_QUERY;
871 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
872 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
873 }
874 else
875 {
876 if (status == STAT_NEED_DS_NEG)
877 new->flags |= FREC_CHECK_NOSIGN;
878 else
879 new->flags |= FREC_DS_QUERY;
880 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
881 daemon->keyname, forward->class, T_DS, &server->addr);
882 }
883 if ((hash = hash_questions(header, nn, daemon->namebuff)))
884 memcpy(new->hash, hash, HASH_SIZE);
885 new->new_id = get_id();
886 header->id = htons(new->new_id);
887 /* Save query for retransmission */
888 new->stash = blockdata_alloc((char *)header, nn);
889 new->stash_len = nn;
890
891 /* Don't resend this. */
892 daemon->srv_save = NULL;
893
894 if (server->sfd)
895 fd = server->sfd->fd;
896 else
897 {
898 fd = -1;
899 #ifdef HAVE_IPV6
900 if (server->addr.sa.sa_family == AF_INET6)
901 {
902 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
903 fd = new->rfd6->fd;
904 }
905 else
906 #endif
907 {
908 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
909 fd = new->rfd4->fd;
910 }
911 }
912
913 if (fd != -1)
914 {
915 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
916 server->queries++;
917 }
918
919 return;
920 }
921 }
922
923 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
924 Now wind back down, pulling back answers which wouldn't previously validate
925 and validate them with the new data. Note that if an answer needs multiple
926 keys to validate, we may find another key is needed, in which case we set off
927 down another branch of the tree. Once we get to the original answer
928 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
929 while (forward->dependent)
930 {
931 struct frec *prev = forward->dependent;
932 free_frec(forward);
933 forward = prev;
934 forward->blocking_query = NULL; /* already gone */
935 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
936 n = forward->stash_len;
937
938 if (status == STAT_SECURE)
939 {
940 if (forward->flags & FREC_DNSKEY_QUERY)
941 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
942 else if (forward->flags & FREC_DS_QUERY)
943 {
944 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
945 if (status == STAT_NO_DS)
946 status = STAT_INSECURE;
947 }
948 else if (forward->flags & FREC_CHECK_NOSIGN)
949 status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
950 else
951 {
952 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
953 if (status == STAT_NO_SIG)
954 {
955 if (option_bool(OPT_DNSSEC_NO_SIGN))
956 status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
957 else
958 status = STAT_INSECURE;
959 }
960 }
961
962 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
963 goto anotherkey;
964 }
965 }
966
967 if (status == STAT_TRUNCATED)
968 header->hb3 |= HB3_TC;
969 else
970 {
971 char *result;
972
973 if (forward->work_counter == 0)
974 result = "ABANDONED";
975 else
976 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
977
978 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
979 }
980
981 no_cache_dnssec = 0;
982
983 if (status == STAT_SECURE)
984 cache_secure = 1;
985 else if (status == STAT_BOGUS)
986 no_cache_dnssec = 1;
987 }
988 #endif
989
990 /* restore CD bit to the value in the query */
991 if (forward->flags & FREC_CHECKING_DISABLED)
992 header->hb4 |= HB4_CD;
993 else
994 header->hb4 &= ~HB4_CD;
995
996 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
997 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
998 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
999 {
1000 header->id = htons(forward->orig_id);
1001 header->hb4 |= HB4_RA; /* recursion if available */
1002 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
1003 &forward->source, &forward->dest, forward->iface);
1004 }
1005 free_frec(forward); /* cancel */
1006 }
1007 }
1008
1009
1010 void receive_query(struct listener *listen, time_t now)
1011 {
1012 struct dns_header *header = (struct dns_header *)daemon->packet;
1013 union mysockaddr source_addr;
1014 unsigned short type;
1015 struct all_addr dst_addr;
1016 struct in_addr netmask, dst_addr_4;
1017 size_t m;
1018 ssize_t n;
1019 int if_index = 0, auth_dns = 0;
1020 #ifdef HAVE_AUTH
1021 int local_auth = 0;
1022 #endif
1023 struct iovec iov[1];
1024 struct msghdr msg;
1025 struct cmsghdr *cmptr;
1026 union {
1027 struct cmsghdr align; /* this ensures alignment */
1028 #ifdef HAVE_IPV6
1029 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1030 #endif
1031 #if defined(HAVE_LINUX_NETWORK)
1032 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
1033 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1034 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1035 CMSG_SPACE(sizeof(unsigned int))];
1036 #elif defined(IP_RECVDSTADDR)
1037 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1038 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1039 #endif
1040 } control_u;
1041 #ifdef HAVE_IPV6
1042 /* Can always get recvd interface for IPv6 */
1043 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1044 #else
1045 int check_dst = !option_bool(OPT_NOWILD);
1046 #endif
1047
1048 /* packet buffer overwritten */
1049 daemon->srv_save = NULL;
1050
1051 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
1052 netmask.s_addr = 0;
1053
1054 if (option_bool(OPT_NOWILD) && listen->iface)
1055 {
1056 auth_dns = listen->iface->dns_auth;
1057
1058 if (listen->family == AF_INET)
1059 {
1060 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
1061 netmask = listen->iface->netmask;
1062 }
1063 }
1064
1065 iov[0].iov_base = daemon->packet;
1066 iov[0].iov_len = daemon->edns_pktsz;
1067
1068 msg.msg_control = control_u.control;
1069 msg.msg_controllen = sizeof(control_u);
1070 msg.msg_flags = 0;
1071 msg.msg_name = &source_addr;
1072 msg.msg_namelen = sizeof(source_addr);
1073 msg.msg_iov = iov;
1074 msg.msg_iovlen = 1;
1075
1076 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
1077 return;
1078
1079 if (n < (int)sizeof(struct dns_header) ||
1080 (msg.msg_flags & MSG_TRUNC) ||
1081 (header->hb3 & HB3_QR))
1082 return;
1083
1084 source_addr.sa.sa_family = listen->family;
1085
1086 if (listen->family == AF_INET)
1087 {
1088 /* Source-port == 0 is an error, we can't send back to that.
1089 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1090 if (source_addr.in.sin_port == 0)
1091 return;
1092 }
1093 #ifdef HAVE_IPV6
1094 else
1095 {
1096 /* Source-port == 0 is an error, we can't send back to that. */
1097 if (source_addr.in6.sin6_port == 0)
1098 return;
1099 source_addr.in6.sin6_flowinfo = 0;
1100 }
1101 #endif
1102
1103 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1104 if (option_bool(OPT_LOCAL_SERVICE))
1105 {
1106 struct addrlist *addr;
1107 #ifdef HAVE_IPV6
1108 if (listen->family == AF_INET6)
1109 {
1110 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1111 if ((addr->flags & ADDRLIST_IPV6) &&
1112 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1113 break;
1114 }
1115 else
1116 #endif
1117 {
1118 struct in_addr netmask;
1119 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1120 {
1121 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1122 if (!(addr->flags & ADDRLIST_IPV6) &&
1123 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1124 break;
1125 }
1126 }
1127 if (!addr)
1128 {
1129 static int warned = 0;
1130 if (!warned)
1131 {
1132 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1133 warned = 1;
1134 }
1135 return;
1136 }
1137 }
1138
1139 if (check_dst)
1140 {
1141 struct ifreq ifr;
1142
1143 if (msg.msg_controllen < sizeof(struct cmsghdr))
1144 return;
1145
1146 #if defined(HAVE_LINUX_NETWORK)
1147 if (listen->family == AF_INET)
1148 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1149 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1150 {
1151 union {
1152 unsigned char *c;
1153 struct in_pktinfo *p;
1154 } p;
1155 p.c = CMSG_DATA(cmptr);
1156 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1157 if_index = p.p->ipi_ifindex;
1158 }
1159 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1160 if (listen->family == AF_INET)
1161 {
1162 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1163 {
1164 union {
1165 unsigned char *c;
1166 unsigned int *i;
1167 struct in_addr *a;
1168 #ifndef HAVE_SOLARIS_NETWORK
1169 struct sockaddr_dl *s;
1170 #endif
1171 } p;
1172 p.c = CMSG_DATA(cmptr);
1173 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1174 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1175 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
1176 #ifdef HAVE_SOLARIS_NETWORK
1177 if_index = *(p.i);
1178 #else
1179 if_index = p.s->sdl_index;
1180 #endif
1181 }
1182 }
1183 #endif
1184
1185 #ifdef HAVE_IPV6
1186 if (listen->family == AF_INET6)
1187 {
1188 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1189 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1190 {
1191 union {
1192 unsigned char *c;
1193 struct in6_pktinfo *p;
1194 } p;
1195 p.c = CMSG_DATA(cmptr);
1196
1197 dst_addr.addr.addr6 = p.p->ipi6_addr;
1198 if_index = p.p->ipi6_ifindex;
1199 }
1200 }
1201 #endif
1202
1203 /* enforce available interface configuration */
1204
1205 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
1206 return;
1207
1208 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1209 {
1210 if (!option_bool(OPT_CLEVERBIND))
1211 enumerate_interfaces(0);
1212 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1213 !label_exception(if_index, listen->family, &dst_addr))
1214 return;
1215 }
1216
1217 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1218 {
1219 struct irec *iface;
1220
1221 /* get the netmask of the interface whch has the address we were sent to.
1222 This is no neccessarily the interface we arrived on. */
1223
1224 for (iface = daemon->interfaces; iface; iface = iface->next)
1225 if (iface->addr.sa.sa_family == AF_INET &&
1226 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1227 break;
1228
1229 /* interface may be new */
1230 if (!iface && !option_bool(OPT_CLEVERBIND))
1231 enumerate_interfaces(0);
1232
1233 for (iface = daemon->interfaces; iface; iface = iface->next)
1234 if (iface->addr.sa.sa_family == AF_INET &&
1235 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1236 break;
1237
1238 /* If we failed, abandon localisation */
1239 if (iface)
1240 netmask = iface->netmask;
1241 else
1242 dst_addr_4.s_addr = 0;
1243 }
1244 }
1245
1246 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1247 {
1248 #ifdef HAVE_AUTH
1249 struct auth_zone *zone;
1250 #endif
1251 char *types = querystr(auth_dns ? "auth" : "query", type);
1252
1253 if (listen->family == AF_INET)
1254 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1255 (struct all_addr *)&source_addr.in.sin_addr, types);
1256 #ifdef HAVE_IPV6
1257 else
1258 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1259 (struct all_addr *)&source_addr.in6.sin6_addr, types);
1260 #endif
1261
1262 #ifdef HAVE_AUTH
1263 /* find queries for zones we're authoritative for, and answer them directly */
1264 if (!auth_dns)
1265 for (zone = daemon->auth_zones; zone; zone = zone->next)
1266 if (in_zone(zone, daemon->namebuff, NULL))
1267 {
1268 auth_dns = 1;
1269 local_auth = 1;
1270 break;
1271 }
1272 #endif
1273
1274 #ifdef HAVE_LOOP
1275 /* Check for forwarding loop */
1276 if (detect_loop(daemon->namebuff, type))
1277 return;
1278 #endif
1279 }
1280
1281 #ifdef HAVE_AUTH
1282 if (auth_dns)
1283 {
1284 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
1285 if (m >= 1)
1286 {
1287 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1288 (char *)header, m, &source_addr, &dst_addr, if_index);
1289 daemon->auth_answer++;
1290 }
1291 }
1292 else
1293 #endif
1294 {
1295 int ad_reqd, do_bit;
1296 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1297 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
1298
1299 if (m >= 1)
1300 {
1301 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1302 (char *)header, m, &source_addr, &dst_addr, if_index);
1303 daemon->local_answer++;
1304 }
1305 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1306 header, (size_t)n, now, NULL, ad_reqd, do_bit))
1307 daemon->queries_forwarded++;
1308 else
1309 daemon->local_answer++;
1310 }
1311 }
1312
1313 #ifdef HAVE_DNSSEC
1314
1315 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1316 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1317 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1318 static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname)
1319 {
1320 struct crec *crecp;
1321 char *name_start = name;
1322 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1323
1324 if (status != STAT_INSECURE)
1325 return status;
1326
1327 while (1)
1328 {
1329 crecp = cache_find_by_name(NULL, name_start, now, F_DS);
1330
1331 if (crecp && (crecp->flags & F_DNSSECOK))
1332 return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
1333
1334 if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
1335 {
1336 name_start++; /* chop a label off and try again */
1337 continue;
1338 }
1339
1340 /* Reached the root */
1341 if (!name_start)
1342 return STAT_BOGUS;
1343
1344 strcpy(keyname, name_start);
1345 return STAT_NEED_DS_NEG;
1346 }
1347 }
1348
1349 /* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */
1350 static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
1351
1352 {
1353 char *name_start;
1354 unsigned char *p;
1355 int status;
1356
1357 /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
1358 suitable NSEC reply to DS queries. */
1359 if (RCODE(header) != SERVFAIL)
1360 {
1361 status = dnssec_validate_ds(now, header, plen, name, keyname, class);
1362
1363 if (status != STAT_INSECURE)
1364 {
1365 if (status == STAT_NO_DS)
1366 status = STAT_INSECURE;
1367 return status;
1368 }
1369 }
1370
1371 p = (unsigned char *)(header+1);
1372
1373 if (extract_name(header, plen, &p, name, 1, 4) &&
1374 (name_start = strchr(name, '.')))
1375 {
1376 name_start++; /* chop a label off and try again */
1377 strcpy(keyname, name_start);
1378 return STAT_NEED_DS_NEG;
1379 }
1380
1381 return STAT_BOGUS;
1382 }
1383
1384 /* Move toward the root, until we find a signed non-existance of a DS, in which case
1385 an unsigned answer is OK, or we find a signed DS, in which case there should be
1386 a signature, and the answer is BOGUS */
1387 static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1388 char *keyname, struct server *server, int *keycount)
1389 {
1390 size_t m;
1391 unsigned char *packet, *payload;
1392 u16 *length;
1393 unsigned char *p = (unsigned char *)(header+1);
1394 int status;
1395 char *name_start = name;
1396
1397 /* Get first insecure entry in CNAME chain */
1398 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1399 if (status == STAT_BOGUS)
1400 return STAT_BOGUS;
1401
1402 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1403 return STAT_BOGUS;
1404
1405 payload = &packet[2];
1406 header = (struct dns_header *)payload;
1407 length = (u16 *)packet;
1408
1409 while (1)
1410 {
1411 unsigned char *newhash, hash[HASH_SIZE];
1412 unsigned char c1, c2;
1413 struct crec *crecp = cache_find_by_name(NULL, name_start, now, F_DS);
1414
1415 if (--(*keycount) == 0)
1416 {
1417 free(packet);
1418 return STAT_BOGUS;
1419 }
1420
1421 if (crecp && (crecp->flags & F_DNSSECOK))
1422 {
1423 free(packet);
1424 return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
1425 }
1426
1427 /* If we have cached insecurely that a DS doesn't exist,
1428 ise that is a hit for where to start looking for the secure one */
1429 if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
1430 {
1431 name_start++; /* chop a label off and try again */
1432 continue;
1433 }
1434
1435 /* reached the root */
1436 if (!name_start)
1437 {
1438 free(packet);
1439 return STAT_BOGUS;
1440 }
1441
1442 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
1443
1444 /* We rely on the question section coming back unchanged, ensure it is with the hash. */
1445 if ((newhash = hash_questions(header, (unsigned int)m, name)))
1446 {
1447 memcpy(hash, newhash, HASH_SIZE);
1448
1449 *length = htons(m);
1450
1451 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1452 read_write(server->tcpfd, &c1, 1, 1) &&
1453 read_write(server->tcpfd, &c2, 1, 1) &&
1454 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1455 {
1456 m = (c1 << 8) | c2;
1457
1458 newhash = hash_questions(header, (unsigned int)m, name);
1459 if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0)
1460 {
1461 /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
1462 suitable NSEC reply to DS queries. */
1463 if (RCODE(header) == SERVFAIL)
1464 status = STAT_INSECURE;
1465 else
1466 /* Note this trashes all three name workspaces */
1467 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1468
1469 /* We've found a DS which proves the bit of the DNS where the
1470 original query is, is unsigned, so the answer is OK,
1471 if unvalidated. */
1472 if (status == STAT_NO_DS)
1473 {
1474 free(packet);
1475 return STAT_INSECURE;
1476 }
1477
1478 /* No DS, not got to DNSSEC-land yet, go up. */
1479 if (status == STAT_INSECURE)
1480 {
1481 p = (unsigned char *)(header+1);
1482
1483 if (extract_name(header, plen, &p, name, 1, 4) &&
1484 (name_start = strchr(name, '.')))
1485 {
1486 name_start++; /* chop a label off and try again */
1487 continue;
1488 }
1489 }
1490 }
1491 }
1492 }
1493
1494 free(packet);
1495
1496 return STAT_BOGUS;
1497 }
1498 }
1499
1500 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1501 int class, char *name, char *keyname, struct server *server, int *keycount)
1502 {
1503 /* Recurse up the key heirarchy */
1504 int new_status;
1505
1506 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1507 if (--(*keycount) == 0)
1508 return STAT_INSECURE;
1509
1510 if (status == STAT_NEED_KEY)
1511 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1512 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1513 {
1514 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1515 if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
1516 new_status = STAT_INSECURE;
1517 }
1518 else if (status == STAT_CHASE_CNAME)
1519 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1520 else
1521 {
1522 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
1523
1524 if (new_status == STAT_NO_SIG)
1525 {
1526 if (option_bool(OPT_DNSSEC_NO_SIGN))
1527 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1528 else
1529 new_status = STAT_INSECURE;
1530 }
1531 }
1532
1533 /* Can't validate because we need a key/DS whose name now in keyname.
1534 Make query for same, and recurse to validate */
1535 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1536 {
1537 size_t m;
1538 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1539 unsigned char *payload = &packet[2];
1540 struct dns_header *new_header = (struct dns_header *)payload;
1541 u16 *length = (u16 *)packet;
1542 unsigned char c1, c2;
1543
1544 if (!packet)
1545 return STAT_INSECURE;
1546
1547 another_tcp_key:
1548 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1549 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1550
1551 *length = htons(m);
1552
1553 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1554 !read_write(server->tcpfd, &c1, 1, 1) ||
1555 !read_write(server->tcpfd, &c2, 1, 1) ||
1556 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1557 new_status = STAT_INSECURE;
1558 else
1559 {
1560 m = (c1 << 8) | c2;
1561
1562 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1563
1564 if (new_status == STAT_SECURE)
1565 {
1566 /* Reached a validated record, now try again at this level.
1567 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1568 If so, go round again. */
1569
1570 if (status == STAT_NEED_KEY)
1571 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1572 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1573 {
1574 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1575 if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
1576 new_status = STAT_INSECURE; /* Validated no DS */
1577 }
1578 else if (status == STAT_CHASE_CNAME)
1579 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1580 else
1581 {
1582 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
1583
1584 if (new_status == STAT_NO_SIG)
1585 {
1586 if (option_bool(OPT_DNSSEC_NO_SIGN))
1587 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1588 else
1589 new_status = STAT_INSECURE;
1590 }
1591 }
1592
1593 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1594 goto another_tcp_key;
1595 }
1596 }
1597
1598 free(packet);
1599 }
1600 return new_status;
1601 }
1602 #endif
1603
1604
1605 /* The daemon forks before calling this: it should deal with one connection,
1606 blocking as neccessary, and then return. Note, need to be a bit careful
1607 about resources for debug mode, when the fork is suppressed: that's
1608 done by the caller. */
1609 unsigned char *tcp_request(int confd, time_t now,
1610 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1611 {
1612 size_t size = 0;
1613 int norebind = 0;
1614 #ifdef HAVE_AUTH
1615 int local_auth = 0;
1616 #endif
1617 int checking_disabled, ad_question, do_bit, added_pheader = 0;
1618 int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
1619 size_t m;
1620 unsigned short qtype;
1621 unsigned int gotname;
1622 unsigned char c1, c2;
1623 /* Max TCP packet + slop + size */
1624 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1625 unsigned char *payload = &packet[2];
1626 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1627 struct dns_header *header = (struct dns_header *)payload;
1628 u16 *length = (u16 *)packet;
1629 struct server *last_server;
1630 struct in_addr dst_addr_4;
1631 union mysockaddr peer_addr;
1632 socklen_t peer_len = sizeof(union mysockaddr);
1633
1634 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1635 return packet;
1636
1637 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1638 if (option_bool(OPT_LOCAL_SERVICE))
1639 {
1640 struct addrlist *addr;
1641 #ifdef HAVE_IPV6
1642 if (peer_addr.sa.sa_family == AF_INET6)
1643 {
1644 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1645 if ((addr->flags & ADDRLIST_IPV6) &&
1646 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1647 break;
1648 }
1649 else
1650 #endif
1651 {
1652 struct in_addr netmask;
1653 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1654 {
1655 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1656 if (!(addr->flags & ADDRLIST_IPV6) &&
1657 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1658 break;
1659 }
1660 }
1661 if (!addr)
1662 {
1663 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1664 return packet;
1665 }
1666 }
1667
1668 while (1)
1669 {
1670 if (!packet ||
1671 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1672 !(size = c1 << 8 | c2) ||
1673 !read_write(confd, payload, size, 1))
1674 return packet;
1675
1676 if (size < (int)sizeof(struct dns_header))
1677 continue;
1678
1679 check_subnet = 0;
1680
1681 /* save state of "cd" flag in query */
1682 if ((checking_disabled = header->hb4 & HB4_CD))
1683 no_cache_dnssec = 1;
1684
1685 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1686 {
1687 #ifdef HAVE_AUTH
1688 struct auth_zone *zone;
1689 #endif
1690 char *types = querystr(auth_dns ? "auth" : "query", qtype);
1691
1692 if (peer_addr.sa.sa_family == AF_INET)
1693 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1694 (struct all_addr *)&peer_addr.in.sin_addr, types);
1695 #ifdef HAVE_IPV6
1696 else
1697 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1698 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1699 #endif
1700
1701 #ifdef HAVE_AUTH
1702 /* find queries for zones we're authoritative for, and answer them directly */
1703 if (!auth_dns)
1704 for (zone = daemon->auth_zones; zone; zone = zone->next)
1705 if (in_zone(zone, daemon->namebuff, NULL))
1706 {
1707 auth_dns = 1;
1708 local_auth = 1;
1709 break;
1710 }
1711 #endif
1712 }
1713
1714 if (local_addr->sa.sa_family == AF_INET)
1715 dst_addr_4 = local_addr->in.sin_addr;
1716 else
1717 dst_addr_4.s_addr = 0;
1718
1719 #ifdef HAVE_AUTH
1720 if (auth_dns)
1721 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1722 else
1723 #endif
1724 {
1725 /* m > 0 if answered from cache */
1726 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1727 dst_addr_4, netmask, now, &ad_question, &do_bit);
1728
1729 /* Do this by steam now we're not in the select() loop */
1730 check_log_writer(NULL);
1731
1732 if (m == 0)
1733 {
1734 unsigned int flags = 0;
1735 struct all_addr *addrp = NULL;
1736 int type = 0;
1737 char *domain = NULL;
1738
1739 if (option_bool(OPT_ADD_MAC))
1740 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1741
1742 if (option_bool(OPT_CLIENT_SUBNET))
1743 {
1744 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1745 if (size != new)
1746 {
1747 size = new;
1748 check_subnet = 1;
1749 }
1750 }
1751
1752 if (gotname)
1753 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1754
1755 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1756 last_server = daemon->servers;
1757 else
1758 last_server = daemon->last_server;
1759
1760 if (!flags && last_server)
1761 {
1762 struct server *firstsendto = NULL;
1763 #ifdef HAVE_DNSSEC
1764 unsigned char *newhash, hash[HASH_SIZE];
1765 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
1766 memcpy(hash, newhash, HASH_SIZE);
1767 else
1768 memset(hash, 0, HASH_SIZE);
1769 #else
1770 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1771 #endif
1772 /* Loop round available servers until we succeed in connecting to one.
1773 Note that this code subtley ensures that consecutive queries on this connection
1774 which can go to the same server, do so. */
1775 while (1)
1776 {
1777 if (!firstsendto)
1778 firstsendto = last_server;
1779 else
1780 {
1781 if (!(last_server = last_server->next))
1782 last_server = daemon->servers;
1783
1784 if (last_server == firstsendto)
1785 break;
1786 }
1787
1788 /* server for wrong domain */
1789 if (type != (last_server->flags & SERV_TYPE) ||
1790 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1791 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
1792 continue;
1793
1794 if (last_server->tcpfd == -1)
1795 {
1796 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1797 continue;
1798
1799 #ifdef HAVE_CONNTRACK
1800 /* Copy connection mark of incoming query to outgoing connection. */
1801 if (option_bool(OPT_CONNTRACK))
1802 {
1803 unsigned int mark;
1804 struct all_addr local;
1805 #ifdef HAVE_IPV6
1806 if (local_addr->sa.sa_family == AF_INET6)
1807 local.addr.addr6 = local_addr->in6.sin6_addr;
1808 else
1809 #endif
1810 local.addr.addr4 = local_addr->in.sin_addr;
1811
1812 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1813 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1814 }
1815 #endif
1816
1817 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1818 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1819 {
1820 close(last_server->tcpfd);
1821 last_server->tcpfd = -1;
1822 continue;
1823 }
1824
1825 #ifdef HAVE_DNSSEC
1826 if (option_bool(OPT_DNSSEC_VALID))
1827 {
1828 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1829
1830 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1831 this allows it to select auth servers when one is returning bad data. */
1832 if (option_bool(OPT_DNSSEC_DEBUG))
1833 header->hb4 |= HB4_CD;
1834
1835 if (size != new_size)
1836 added_pheader = 1;
1837
1838 size = new_size;
1839 }
1840 #endif
1841 }
1842
1843 *length = htons(size);
1844
1845 /* get query name again for logging - may have been overwritten */
1846 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1847 strcpy(daemon->namebuff, "query");
1848
1849 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1850 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1851 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1852 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
1853 {
1854 close(last_server->tcpfd);
1855 last_server->tcpfd = -1;
1856 continue;
1857 }
1858
1859 m = (c1 << 8) | c2;
1860
1861 if (last_server->addr.sa.sa_family == AF_INET)
1862 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1863 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1864 #ifdef HAVE_IPV6
1865 else
1866 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1867 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1868 #endif
1869
1870 #ifdef HAVE_DNSSEC
1871 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1872 {
1873 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1874 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
1875 char *result;
1876
1877 if (keycount == 0)
1878 result = "ABANDONED";
1879 else
1880 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1881
1882 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
1883
1884 if (status == STAT_BOGUS)
1885 no_cache_dnssec = 1;
1886
1887 if (status == STAT_SECURE)
1888 cache_secure = 1;
1889 }
1890 #endif
1891
1892 /* restore CD bit to the value in the query */
1893 if (checking_disabled)
1894 header->hb4 |= HB4_CD;
1895 else
1896 header->hb4 &= ~HB4_CD;
1897
1898 /* There's no point in updating the cache, since this process will exit and
1899 lose the information after a few queries. We make this call for the alias and
1900 bogus-nxdomain side-effects. */
1901 /* If the crc of the question section doesn't match the crc we sent, then
1902 someone might be attempting to insert bogus values into the cache by
1903 sending replies containing questions and bogus answers. */
1904 #ifdef HAVE_DNSSEC
1905 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
1906 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
1907 {
1908 m = 0;
1909 break;
1910 }
1911 #else
1912 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
1913 {
1914 m = 0;
1915 break;
1916 }
1917 #endif
1918
1919 m = process_reply(header, now, last_server, (unsigned int)m,
1920 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1921 cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
1922
1923 break;
1924 }
1925 }
1926
1927 /* In case of local answer or no connections made. */
1928 if (m == 0)
1929 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1930 }
1931 }
1932
1933 check_log_writer(NULL);
1934
1935 *length = htons(m);
1936
1937 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
1938 return packet;
1939 }
1940 }
1941
1942 static struct frec *allocate_frec(time_t now)
1943 {
1944 struct frec *f;
1945
1946 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1947 {
1948 f->next = daemon->frec_list;
1949 f->time = now;
1950 f->sentto = NULL;
1951 f->rfd4 = NULL;
1952 f->flags = 0;
1953 #ifdef HAVE_IPV6
1954 f->rfd6 = NULL;
1955 #endif
1956 #ifdef HAVE_DNSSEC
1957 f->dependent = NULL;
1958 f->blocking_query = NULL;
1959 f->stash = NULL;
1960 #endif
1961 daemon->frec_list = f;
1962 }
1963
1964 return f;
1965 }
1966
1967 struct randfd *allocate_rfd(int family)
1968 {
1969 static int finger = 0;
1970 int i;
1971
1972 /* limit the number of sockets we have open to avoid starvation of
1973 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1974
1975 for (i = 0; i < RANDOM_SOCKS; i++)
1976 if (daemon->randomsocks[i].refcount == 0)
1977 {
1978 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1979 break;
1980
1981 daemon->randomsocks[i].refcount = 1;
1982 daemon->randomsocks[i].family = family;
1983 return &daemon->randomsocks[i];
1984 }
1985
1986 /* No free ones or cannot get new socket, grab an existing one */
1987 for (i = 0; i < RANDOM_SOCKS; i++)
1988 {
1989 int j = (i+finger) % RANDOM_SOCKS;
1990 if (daemon->randomsocks[j].refcount != 0 &&
1991 daemon->randomsocks[j].family == family &&
1992 daemon->randomsocks[j].refcount != 0xffff)
1993 {
1994 finger = j;
1995 daemon->randomsocks[j].refcount++;
1996 return &daemon->randomsocks[j];
1997 }
1998 }
1999
2000 return NULL; /* doom */
2001 }
2002
2003 void free_rfd(struct randfd *rfd)
2004 {
2005 if (rfd && --(rfd->refcount) == 0)
2006 close(rfd->fd);
2007 }
2008
2009 static void free_frec(struct frec *f)
2010 {
2011 free_rfd(f->rfd4);
2012 f->rfd4 = NULL;
2013 f->sentto = NULL;
2014 f->flags = 0;
2015
2016 #ifdef HAVE_IPV6
2017 free_rfd(f->rfd6);
2018 f->rfd6 = NULL;
2019 #endif
2020
2021 #ifdef HAVE_DNSSEC
2022 if (f->stash)
2023 {
2024 blockdata_free(f->stash);
2025 f->stash = NULL;
2026 }
2027
2028 /* Anything we're waiting on is pointless now, too */
2029 if (f->blocking_query)
2030 free_frec(f->blocking_query);
2031 f->blocking_query = NULL;
2032 f->dependent = NULL;
2033 #endif
2034 }
2035
2036 /* if wait==NULL return a free or older than TIMEOUT record.
2037 else return *wait zero if one available, or *wait is delay to
2038 when the oldest in-use record will expire. Impose an absolute
2039 limit of 4*TIMEOUT before we wipe things (for random sockets).
2040 If force is set, always return a result, even if we have
2041 to allocate above the limit. */
2042 struct frec *get_new_frec(time_t now, int *wait, int force)
2043 {
2044 struct frec *f, *oldest, *target;
2045 int count;
2046
2047 if (wait)
2048 *wait = 0;
2049
2050 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
2051 if (!f->sentto)
2052 target = f;
2053 else
2054 {
2055 if (difftime(now, f->time) >= 4*TIMEOUT)
2056 {
2057 free_frec(f);
2058 target = f;
2059 }
2060
2061 if (!oldest || difftime(f->time, oldest->time) <= 0)
2062 oldest = f;
2063 }
2064
2065 if (target)
2066 {
2067 target->time = now;
2068 return target;
2069 }
2070
2071 /* can't find empty one, use oldest if there is one
2072 and it's older than timeout */
2073 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
2074 {
2075 /* keep stuff for twice timeout if we can by allocating a new
2076 record instead */
2077 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2078 count <= daemon->ftabsize &&
2079 (f = allocate_frec(now)))
2080 return f;
2081
2082 if (!wait)
2083 {
2084 free_frec(oldest);
2085 oldest->time = now;
2086 }
2087 return oldest;
2088 }
2089
2090 /* none available, calculate time 'till oldest record expires */
2091 if (!force && count > daemon->ftabsize)
2092 {
2093 static time_t last_log = 0;
2094
2095 if (oldest && wait)
2096 *wait = oldest->time + (time_t)TIMEOUT - now;
2097
2098 if ((int)difftime(now, last_log) > 5)
2099 {
2100 last_log = now;
2101 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2102 }
2103
2104 return NULL;
2105 }
2106
2107 if (!(f = allocate_frec(now)) && wait)
2108 /* wait one second on malloc failure */
2109 *wait = 1;
2110
2111 return f; /* OK if malloc fails and this is NULL */
2112 }
2113
2114 /* crc is all-ones if not known. */
2115 static struct frec *lookup_frec(unsigned short id, void *hash)
2116 {
2117 struct frec *f;
2118
2119 for(f = daemon->frec_list; f; f = f->next)
2120 if (f->sentto && f->new_id == id &&
2121 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
2122 return f;
2123
2124 return NULL;
2125 }
2126
2127 static struct frec *lookup_frec_by_sender(unsigned short id,
2128 union mysockaddr *addr,
2129 void *hash)
2130 {
2131 struct frec *f;
2132
2133 for(f = daemon->frec_list; f; f = f->next)
2134 if (f->sentto &&
2135 f->orig_id == id &&
2136 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
2137 sockaddr_isequal(&f->source, addr))
2138 return f;
2139
2140 return NULL;
2141 }
2142
2143 /* Send query packet again, if we can. */
2144 void resend_query()
2145 {
2146 if (daemon->srv_save)
2147 {
2148 int fd;
2149
2150 if (daemon->srv_save->sfd)
2151 fd = daemon->srv_save->sfd->fd;
2152 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2153 fd = daemon->rfd_save->fd;
2154 else
2155 return;
2156
2157 while(sendto(fd, daemon->packet, daemon->packet_len, 0,
2158 &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send());
2159 }
2160 }
2161
2162 /* A server record is going away, remove references to it */
2163 void server_gone(struct server *server)
2164 {
2165 struct frec *f;
2166
2167 for (f = daemon->frec_list; f; f = f->next)
2168 if (f->sentto && f->sentto == server)
2169 free_frec(f);
2170
2171 if (daemon->last_server == server)
2172 daemon->last_server = NULL;
2173
2174 if (daemon->srv_save == server)
2175 daemon->srv_save = NULL;
2176 }
2177
2178 /* return unique random ids. */
2179 static unsigned short get_id(void)
2180 {
2181 unsigned short ret = 0;
2182
2183 do
2184 ret = rand16();
2185 while (lookup_frec(ret, NULL));
2186
2187 return ret;
2188 }
2189
2190
2191
2192
2193
Michael's tree of dnsmasq.