]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(unsigned int crc
);
24 static void free_frec(struct frec
*f
);
25 static struct randfd
*allocate_rfd(int family
);
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
30 union mysockaddr
*to
, struct all_addr
*source
,
36 struct cmsghdr align
; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
39 #elif defined(IP_SENDSRCADDR)
40 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
43 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
47 iov
[0].iov_base
= packet
;
50 msg
.msg_control
= NULL
;
51 msg
.msg_controllen
= 0;
54 msg
.msg_namelen
= sa_len(to
);
60 struct cmsghdr
*cmptr
;
61 msg
.msg_control
= &control_u
;
62 msg
.msg_controllen
= sizeof(control_u
);
63 cmptr
= CMSG_FIRSTHDR(&msg
);
65 if (to
->sa
.sa_family
== AF_INET
)
67 #if defined(HAVE_LINUX_NETWORK)
70 p
.ipi_spec_dst
= source
->addr
.addr4
;
71 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
72 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
73 cmptr
->cmsg_level
= IPPROTO_IP
;
74 cmptr
->cmsg_type
= IP_PKTINFO
;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
77 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
78 cmptr
->cmsg_level
= IPPROTO_IP
;
79 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
86 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
87 p
.ipi6_addr
= source
->addr
.addr6
;
88 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
89 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
90 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
91 cmptr
->cmsg_level
= IPPROTO_IPV6
;
94 (void)iface
; /* eliminate warning */
98 while (sendmsg(fd
, &msg
, 0) == -1)
103 /* If interface is still in DAD, EINVAL results - ignore that. */
107 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
114 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
115 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
122 unsigned int namelen
= strlen(qdomain
);
123 unsigned int matchlen
= 0;
125 unsigned int flags
= 0;
127 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
131 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
132 *type
= SERV_FOR_NODOTS
;
133 if (serv
->flags
& SERV_NO_ADDR
)
135 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
140 if (serv
->addr
.sa
.sa_family
== AF_INET
)
141 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
144 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
147 else if (!flags
|| (flags
& F_NXDOMAIN
))
151 else if (serv
->flags
& SERV_HAS_DOMAIN
)
153 unsigned int domainlen
= strlen(serv
->domain
);
154 char *matchstart
= qdomain
+ namelen
- domainlen
;
155 if (namelen
>= domainlen
&&
156 hostname_isequal(matchstart
, serv
->domain
) &&
157 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
159 if (serv
->flags
& SERV_NO_REBIND
)
163 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen
!= 0 && domainlen
== matchlen
)
169 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
171 if (!(sflag
& qtype
) && flags
== 0)
176 if (flags
& (F_IPV4
| F_IPV6
))
181 if (domainlen
>= matchlen
)
183 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
184 *domain
= serv
->domain
;
185 matchlen
= domainlen
;
186 if (serv
->flags
& SERV_NO_ADDR
)
188 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
193 if (serv
->addr
.sa
.sa_family
== AF_INET
)
194 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
197 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
200 else if (!flags
|| (flags
& F_NXDOMAIN
))
210 if (flags
== 0 && !(qtype
& F_QUERY
) &&
211 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
215 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
222 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
223 logflags
= F_NEG
| qtype
;
225 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
227 else if ((*type
) & SERV_USE_RESOLV
)
229 *type
= 0; /* use normal servers for this domain */
235 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
236 struct all_addr
*dst_addr
, unsigned int dst_iface
,
237 struct dns_header
*header
, size_t plen
, time_t now
, struct frec
*forward
)
240 int type
= 0, norebind
= 0;
241 struct all_addr
*addrp
= NULL
;
242 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
243 unsigned int flags
= 0;
244 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
245 struct server
*start
= NULL
;
247 /* RFC 4035: sect 4.6 para 2 */
248 header
->hb4
&= ~HB4_AD
;
250 /* may be no servers available. */
251 if (!daemon
->servers
)
253 else if (forward
|| (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, crc
)))
255 /* retry on existing query, send to all available servers */
256 domain
= forward
->sentto
->domain
;
257 forward
->sentto
->failed_queries
++;
258 if (!option_bool(OPT_ORDER
))
260 forward
->forwardall
= 1;
261 daemon
->last_server
= NULL
;
263 type
= forward
->sentto
->flags
& SERV_TYPE
;
264 if (!(start
= forward
->sentto
->next
))
265 start
= daemon
->servers
; /* at end of list, recycle */
266 header
->id
= htons(forward
->new_id
);
271 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
273 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
274 /* table full - server failure. */
279 forward
->source
= *udpaddr
;
280 forward
->dest
= *dst_addr
;
281 forward
->iface
= dst_iface
;
282 forward
->orig_id
= ntohs(header
->id
);
283 forward
->new_id
= get_id(crc
);
286 forward
->forwardall
= 0;
289 forward
->flags
|= FREC_NOREBIND
;
290 if (header
->hb4
& HB4_CD
)
291 forward
->flags
|= FREC_CHECKING_DISABLED
;
293 header
->id
= htons(forward
->new_id
);
295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
298 otherwise, use the one last known to work. */
302 if (option_bool(OPT_ORDER
))
303 start
= daemon
->servers
;
304 else if (!(start
= daemon
->last_server
) ||
305 daemon
->forwardcount
++ > FORWARD_TEST
||
306 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
308 start
= daemon
->servers
;
309 forward
->forwardall
= 1;
310 daemon
->forwardcount
= 0;
311 daemon
->forwardtime
= now
;
316 start
= daemon
->servers
;
317 if (!option_bool(OPT_ORDER
))
318 forward
->forwardall
= 1;
323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
327 if (!flags
&& forward
)
329 struct server
*firstsentto
= start
;
332 if (option_bool(OPT_ADD_MAC
))
333 plen
= add_mac(header
, plen
, ((char *) header
) + PACKETSZ
, &forward
->source
);
335 if (option_bool(OPT_CLIENT_SUBNET
))
337 size_t new = add_source_addr(header
, plen
, ((char *) header
) + PACKETSZ
, &forward
->source
);
341 forward
->flags
|= FREC_HAS_SUBNET
;
346 if (option_bool(OPT_DNSSEC_VALID
))
347 plen
= add_do_bit(header
, plen
, ((char *) header
) + PACKETSZ
);
352 /* only send to servers dealing with our domain.
353 domain may be NULL, in which case server->domain
354 must be NULL also. */
356 if (type
== (start
->flags
& SERV_TYPE
) &&
357 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
358 !(start
->flags
& SERV_LITERAL_ADDRESS
))
362 /* find server socket to use, may need to get random one. */
368 if (start
->addr
.sa
.sa_family
== AF_INET6
)
370 if (!forward
->rfd6
&&
371 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
373 daemon
->rfd_save
= forward
->rfd6
;
374 fd
= forward
->rfd6
->fd
;
379 if (!forward
->rfd4
&&
380 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
382 daemon
->rfd_save
= forward
->rfd4
;
383 fd
= forward
->rfd4
->fd
;
386 #ifdef HAVE_CONNTRACK
387 /* Copy connection mark of incoming query to outgoing connection. */
388 if (option_bool(OPT_CONNTRACK
))
391 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
392 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
397 if (sendto(fd
, (char *)header
, plen
, 0,
399 sa_len(&start
->addr
)) == -1)
406 /* Keep info in case we want to re-send this packet */
407 daemon
->srv_save
= start
;
408 daemon
->packet_len
= plen
;
411 strcpy(daemon
->namebuff
, "query");
412 if (start
->addr
.sa
.sa_family
== AF_INET
)
413 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
414 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
417 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
418 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
422 forward
->sentto
= start
;
423 if (!forward
->forwardall
)
425 forward
->forwardall
++;
429 if (!(start
= start
->next
))
430 start
= daemon
->servers
;
432 if (start
== firstsentto
)
439 /* could not send on, prepare to return */
440 header
->id
= htons(forward
->orig_id
);
441 free_frec(forward
); /* cancel */
444 /* could not send on, return empty answer or address if known for whole domain */
447 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
448 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
454 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
455 int no_cache
, int cache_secure
, int check_subnet
, union mysockaddr
*query_source
)
457 unsigned char *pheader
, *sizep
;
459 int munged
= 0, is_sign
;
464 /* Similar algorithm to search_servers. */
465 struct ipsets
*ipset_pos
;
466 unsigned int namelen
= strlen(daemon
->namebuff
);
467 unsigned int matchlen
= 0;
468 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
470 unsigned int domainlen
= strlen(ipset_pos
->domain
);
471 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
472 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
473 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
474 domainlen
>= matchlen
) {
475 matchlen
= domainlen
;
476 sets
= ipset_pos
->sets
;
481 /* If upstream is advertising a larger UDP packet size
482 than we allow, trim it so that we don't get overlarge
483 requests for the client. We can't do this for signed packets. */
485 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
489 unsigned short udpsz
;
490 unsigned char *psave
= sizep
;
492 GETSHORT(udpsz
, sizep
);
493 if (udpsz
> daemon
->edns_pktsz
)
494 PUTSHORT(daemon
->edns_pktsz
, psave
);
497 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
499 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
504 /* RFC 4035 sect 4.6 para 3 */
505 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
509 if (option_bool(OPT_DNSSEC_VALID
))
510 squash_ad
= no_cache
;
513 header
->hb4
|= HB4_AD
;
517 header
->hb4
&= ~HB4_AD
;
519 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
522 /* Complain loudly if the upstream server is non-recursive. */
523 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
524 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
526 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
527 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
528 if (!option_bool(OPT_LOG
))
529 server
->flags
|= SERV_WARNED_RECURSIVE
;
532 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
533 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
536 SET_RCODE(header
, NXDOMAIN
);
537 header
->hb3
&= ~HB3_AA
;
541 if (RCODE(header
) == NXDOMAIN
&&
542 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
543 check_for_local_domain(daemon
->namebuff
, now
))
545 /* if we forwarded a query for a locally known name (because it was for
546 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
547 since we know that the domain exists, even if upstream doesn't */
549 header
->hb3
|= HB3_AA
;
550 SET_RCODE(header
, NOERROR
);
553 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
))
555 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
560 /* do this after extract_addresses. Ensure NODATA reply and remove
565 header
->ancount
= htons(0);
566 header
->nscount
= htons(0);
567 header
->arcount
= htons(0);
570 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
571 sections of the packet. Find the new length here and put back pseudoheader
572 if it was removed. */
573 return resize_packet(header
, n
, pheader
, plen
);
576 /* sets new last_server */
577 void reply_query(int fd
, int family
, time_t now
)
579 /* packet from peer server, extract data for cache, and send to
580 original requester */
581 struct dns_header
*header
;
582 union mysockaddr serveraddr
;
583 struct frec
*forward
;
584 socklen_t addrlen
= sizeof(serveraddr
);
585 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->edns_pktsz
, 0, &serveraddr
.sa
, &addrlen
);
587 struct server
*server
;
589 /* packet buffer overwritten */
590 daemon
->srv_save
= NULL
;
592 /* Determine the address of the server replying so that we can mark that as good */
593 serveraddr
.sa
.sa_family
= family
;
595 if (serveraddr
.sa
.sa_family
== AF_INET6
)
596 serveraddr
.in6
.sin6_flowinfo
= 0;
599 /* spoof check: answer must come from known server, */
600 for (server
= daemon
->servers
; server
; server
= server
->next
)
601 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
602 sockaddr_isequal(&server
->addr
, &serveraddr
))
605 header
= (struct dns_header
*)daemon
->packet
;
608 n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
) ||
609 !(forward
= lookup_frec(ntohs(header
->id
), questions_crc(header
, n
, daemon
->namebuff
))))
612 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
613 !option_bool(OPT_ORDER
) &&
614 forward
->forwardall
== 0)
615 /* for broken servers, attempt to send to another one. */
617 unsigned char *pheader
;
621 /* recreate query from reply */
622 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
625 header
->ancount
= htons(0);
626 header
->nscount
= htons(0);
627 header
->arcount
= htons(0);
628 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
630 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
631 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
);
637 server
= forward
->sentto
;
639 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
641 if (RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
)
645 struct server
*last_server
;
647 /* find good server by address if possible, otherwise assume the last one we sent to */
648 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
649 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
650 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
652 server
= last_server
;
656 if (!option_bool(OPT_ALL_SERVERS
))
657 daemon
->last_server
= server
;
660 /* If the answer is an error, keep the forward record in place in case
661 we get a good reply from another server. Kill it when we've
662 had replies from all to avoid filling the forwarding table when
663 everything is broken */
664 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 ||
665 (RCODE(header
) != REFUSED
&& RCODE(header
) != SERVFAIL
))
667 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
669 if (option_bool(OPT_NO_REBIND
))
670 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
672 /* Don't cache replies where DNSSEC validation was turned off, either
673 the upstream server told us so, or the original query specified it. */
674 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
678 if (option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
683 if (forward
->flags
& FREC_DNSKEY_QUERY
)
684 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
685 else if (forward
->flags
& FREC_DS_QUERY
)
686 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
688 status
= dnssec_validate_reply(header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
690 /* Can't validate, as we're missing key data. Put this
691 answer aside, whilst we get that. */
692 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
695 if ((forward
->stash
= blockdata_alloc((char *)header
, n
)))
697 forward
->stash_len
= n
;
699 if ((new = get_new_frec(now
, NULL
, 1)))
703 new = forward
; /* copy everything, then overwrite */
704 new->dependent
= forward
; /* to find query awaiting new one. */
705 forward
->blocking_query
= new; /* for garbage cleaning */
706 /* validate routines leave name of required record in daemon->namebuff */
707 if (status
== STAT_NEED_KEY
)
709 new->flags
|= FREC_DNSKEY_QUERY
;
710 nn
= dnssec_generate_query(header
, daemon
->namebuff
, class, T_DNSKEY
);
712 else if (status
== STAT_NEED_DS
)
714 new->flags
|= FREC_DS_QUERY
;
715 nn
= dnssec_generate_query(header
, daemon
->namebuff
, class, T_DS
);
717 new->crc
= questions_crc(header
, nn
, daemon
->namebuff
);
718 new->new_id
= get_id(new->crc
);
719 header
->id
= htons(new->new_id
);
721 /* Don't resend this. */
722 daemon
->srv_save
= NULL
;
725 fd
= server
->sfd
->fd
;
728 /* Note that we use the same random port for the DNSSEC stuff */
729 if (server
->addr
.sa
.sa_family
== AF_INET6
)
732 new->rfd6
->refcount
++;
738 new->rfd4
->refcount
++;
741 /* Send DNSSEC query to same server as original query */
742 while (sendto(fd
, (char *)header
, nn
, 0, &server
->addr
.sa
, sa_len(&server
->addr
)) == -1 && retry_send());
748 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
749 Now wind back down, pulling back answers which wouldn't previously validate
750 and validate them with the new data. Failure to find needed data here is an internal error.
751 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
752 return it to the original requestor. */
753 while (forward
->dependent
)
755 struct frec
*prev
= forward
->dependent
;
758 blockdata_retrieve_and_free(forward
->stash
, forward
->stash_len
, (void *)header
);
759 n
= forward
->stash_len
;
760 if (status
== STAT_SECURE
)
762 if (forward
->flags
& FREC_DNSKEY_QUERY
)
763 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
764 else if (forward
->flags
& FREC_DS_QUERY
)
765 status
= dnssec_validate_dnskey(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
767 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
768 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
772 /* All DNSKEY and DS records done and in cache, now finally validate original
773 answer, provided last DNSKEY is OK. */
774 if (status
== STAT_SECURE
)
775 status
= dnssec_validate_reply(header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
777 if (status
== STAT_SECURE
)
779 /* TODO return SERVFAIL here */
780 else if (status
== STAT_BOGUS
)
785 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
786 forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
788 header
->id
= htons(forward
->orig_id
);
789 header
->hb4
|= HB4_RA
; /* recursion if available */
790 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
791 &forward
->source
, &forward
->dest
, forward
->iface
);
793 free_frec(forward
); /* cancel */
798 void receive_query(struct listener
*listen
, time_t now
)
800 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
801 union mysockaddr source_addr
;
803 struct all_addr dst_addr
;
804 struct in_addr netmask
, dst_addr_4
;
807 int if_index
= 0, auth_dns
= 0;
813 struct cmsghdr
*cmptr
;
815 struct cmsghdr align
; /* this ensures alignment */
817 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
819 #if defined(HAVE_LINUX_NETWORK)
820 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
821 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
822 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
823 CMSG_SPACE(sizeof(unsigned int))];
824 #elif defined(IP_RECVDSTADDR)
825 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
826 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
830 /* Can always get recvd interface for IPv6 */
831 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
833 int check_dst
= !option_bool(OPT_NOWILD
);
836 /* packet buffer overwritten */
837 daemon
->srv_save
= NULL
;
839 dst_addr_4
.s_addr
= 0;
842 if (option_bool(OPT_NOWILD
) && listen
->iface
)
844 auth_dns
= listen
->iface
->dns_auth
;
846 if (listen
->family
== AF_INET
)
848 dst_addr_4
= listen
->iface
->addr
.in
.sin_addr
;
849 netmask
= listen
->iface
->netmask
;
853 iov
[0].iov_base
= daemon
->packet
;
854 iov
[0].iov_len
= daemon
->edns_pktsz
;
856 msg
.msg_control
= control_u
.control
;
857 msg
.msg_controllen
= sizeof(control_u
);
859 msg
.msg_name
= &source_addr
;
860 msg
.msg_namelen
= sizeof(source_addr
);
864 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
867 if (n
< (int)sizeof(struct dns_header
) ||
868 (msg
.msg_flags
& MSG_TRUNC
) ||
869 (header
->hb3
& HB3_QR
))
872 source_addr
.sa
.sa_family
= listen
->family
;
874 if (listen
->family
== AF_INET6
)
875 source_addr
.in6
.sin6_flowinfo
= 0;
882 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
885 #if defined(HAVE_LINUX_NETWORK)
886 if (listen
->family
== AF_INET
)
887 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
888 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
892 struct in_pktinfo
*p
;
894 p
.c
= CMSG_DATA(cmptr
);
895 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
896 if_index
= p
.p
->ipi_ifindex
;
898 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
899 if (listen
->family
== AF_INET
)
901 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
907 #ifndef HAVE_SOLARIS_NETWORK
908 struct sockaddr_dl
*s
;
911 p
.c
= CMSG_DATA(cmptr
);
912 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
913 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
914 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
915 #ifdef HAVE_SOLARIS_NETWORK
918 if_index
= p
.s
->sdl_index
;
925 if (listen
->family
== AF_INET6
)
927 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
928 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
932 struct in6_pktinfo
*p
;
934 p
.c
= CMSG_DATA(cmptr
);
936 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
937 if_index
= p
.p
->ipi6_ifindex
;
942 /* enforce available interface configuration */
944 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
947 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
949 if (!option_bool(OPT_CLEVERBIND
))
950 enumerate_interfaces(0);
951 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
952 !label_exception(if_index
, listen
->family
, &dst_addr
))
956 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
960 /* get the netmask of the interface which has the address we were sent to.
961 This is not necessarily the interface we arrived on. */
963 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
964 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
965 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
968 /* interface may be new */
969 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
970 enumerate_interfaces(0);
972 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
973 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
974 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
977 /* If we failed, abandon localisation */
979 netmask
= iface
->netmask
;
981 dst_addr_4
.s_addr
= 0;
985 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
989 struct auth_zone
*zone
;
992 querystr(auth_dns
? "auth" : "query", types
, type
);
994 if (listen
->family
== AF_INET
)
995 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
996 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
999 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1000 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1004 /* find queries for zones we're authoritative for, and answer them directly */
1006 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1007 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1019 m
= answer_auth(header
, ((char *) header
) + PACKETSZ
, (size_t)n
, now
, &source_addr
, local_auth
);
1022 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1023 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1024 daemon
->auth_answer
++;
1030 m
= answer_request(header
, ((char *) header
) + PACKETSZ
, (size_t)n
,
1031 dst_addr_4
, netmask
, now
);
1035 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1036 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1037 daemon
->local_answer
++;
1039 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1040 header
, (size_t)n
, now
, NULL
))
1041 daemon
->queries_forwarded
++;
1043 daemon
->local_answer
++;
1047 /* The daemon forks before calling this: it should deal with one connection,
1048 blocking as necessary, and then return. Note, need to be a bit careful
1049 about resources for debug mode, when the fork is suppressed: that's
1050 done by the caller. */
1051 unsigned char *tcp_request(int confd
, time_t now
,
1052 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1059 int checking_disabled
, check_subnet
;
1061 unsigned short qtype
;
1062 unsigned int gotname
;
1063 unsigned char c1
, c2
;
1064 /* Max TCP packet + slop + size */
1065 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1066 unsigned char *payload
= &packet
[2];
1067 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1068 struct dns_header
*header
= (struct dns_header
*)payload
;
1069 u16
*length
= (u16
*)packet
;
1070 struct server
*last_server
;
1071 struct in_addr dst_addr_4
;
1072 union mysockaddr peer_addr
;
1073 socklen_t peer_len
= sizeof(union mysockaddr
);
1075 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1081 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1082 !(size
= c1
<< 8 | c2
) ||
1083 !read_write(confd
, payload
, size
, 1))
1086 if (size
< (int)sizeof(struct dns_header
))
1091 /* save state of "cd" flag in query */
1092 checking_disabled
= header
->hb4
& HB4_CD
;
1094 /* RFC 4035: sect 4.6 para 2 */
1095 header
->hb4
&= ~HB4_AD
;
1097 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1101 struct auth_zone
*zone
;
1103 querystr(auth_dns
? "auth" : "query", types
, qtype
);
1105 if (peer_addr
.sa
.sa_family
== AF_INET
)
1106 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1107 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1110 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1111 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1115 /* find queries for zones we're authoritative for, and answer them directly */
1117 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1118 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1127 if (local_addr
->sa
.sa_family
== AF_INET
)
1128 dst_addr_4
= local_addr
->in
.sin_addr
;
1130 dst_addr_4
.s_addr
= 0;
1134 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1138 /* m > 0 if answered from cache */
1139 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1140 dst_addr_4
, netmask
, now
);
1142 /* Do this by steam now we're not in the select() loop */
1143 check_log_writer(NULL
);
1147 unsigned int flags
= 0;
1148 struct all_addr
*addrp
= NULL
;
1150 char *domain
= NULL
;
1152 if (option_bool(OPT_ADD_MAC
))
1153 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1155 if (option_bool(OPT_CLIENT_SUBNET
))
1157 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1166 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1168 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1169 last_server
= daemon
->servers
;
1171 last_server
= daemon
->last_server
;
1173 if (!flags
&& last_server
)
1175 struct server
*firstsendto
= NULL
;
1176 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1178 /* Loop round available servers until we succeed in connecting to one.
1179 Note that this code subtly ensures that consecutive queries on this connection
1180 which can go to the same server, do so. */
1184 firstsendto
= last_server
;
1187 if (!(last_server
= last_server
->next
))
1188 last_server
= daemon
->servers
;
1190 if (last_server
== firstsendto
)
1194 /* server for wrong domain */
1195 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1196 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)))
1199 if (last_server
->tcpfd
== -1)
1201 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1204 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1205 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1207 close(last_server
->tcpfd
);
1208 last_server
->tcpfd
= -1;
1212 #ifdef HAVE_CONNTRACK
1213 /* Copy connection mark of incoming query to outgoing connection. */
1214 if (option_bool(OPT_CONNTRACK
))
1217 struct all_addr local
;
1219 if (local_addr
->sa
.sa_family
== AF_INET6
)
1220 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1223 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1225 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1226 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1231 *length
= htons(size
);
1233 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1234 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1235 !read_write(last_server
->tcpfd
, &c2
, 1, 1))
1237 close(last_server
->tcpfd
);
1238 last_server
->tcpfd
= -1;
1243 if (!read_write(last_server
->tcpfd
, payload
, m
, 1))
1247 strcpy(daemon
->namebuff
, "query");
1248 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1249 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1250 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1253 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1254 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1257 /* There's no point in updating the cache, since this process will exit and
1258 lose the information after a few queries. We make this call for the alias and
1259 bogus-nxdomain side-effects. */
1260 /* If the crc of the question section doesn't match the crc we sent, then
1261 someone might be attempting to insert bogus values into the cache by
1262 sending replies containing questions and bogus answers. */
1263 if (crc
== questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1264 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1265 option_bool(OPT_NO_REBIND
) && !norebind
, checking_disabled
,
1266 0, check_subnet
, &peer_addr
); /* TODO - cache secure */
1272 /* In case of local answer or no connections made. */
1274 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1278 check_log_writer(NULL
);
1282 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
/* Create one forward record (struct frec).
   The record is obtained from whine_malloc(). When that succeeds, the
   visible code links it in at the head of daemon->frec_list (f->next takes
   the old head, then the list head becomes f) and clears f->blocking_query.
   NOTE(review): the embedded line numbers jump from 1293 to 1302 and stop
   at 1304, so the remaining field initialisation, the use of `now` and the
   return statement are not visible in this listing. Presumably f is
   returned (NULL when the allocation failed) - confirm against the full
   file. */
1287 static struct frec
*allocate_frec(time_t now
)
1291 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
/* new record points at the current list head ... */
1293 f
->next
= daemon
->frec_list
;
1302 f
->blocking_query
= NULL
;
/* ... and then becomes the list head itself */
1304 daemon
->frec_list
= f
;
/* Hand out an entry of daemon->randomsocks[] for address family `family`.
   Pass 1: look for an entry whose refcount is 0, open a socket for it with
   random_sock(family), set its refcount to 1, record the family and return
   the entry.
   Pass 2: scan all RANDOM_SOCKS entries, starting at offset `finger` and
   wrapping round, for an entry that is in use, has the same family and
   whose refcount is not 0xffff; take another reference on it and return it.
   Returns NULL when neither pass produces an entry.
   NOTE(review): several lines are absent from this listing (the embedded
   numbers skip 1322, 1336-1337, ...). What happens when random_sock()
   returns -1, and where `finger` is updated, cannot be seen here. The
   existing comment before pass 2 suggests a failed random_sock() falls
   through to pass 2 - confirm against the full file. */
1310 static struct randfd
*allocate_rfd(int family
)
/* static: the value persists between calls */
1312 static int finger
= 0;
1315 /* limit the number of sockets we have open to avoid starvation of
1316 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1318 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
/* refcount == 0 marks an entry that nobody is using */
1319 if (daemon
->randomsocks
[i
].refcount
== 0)
1321 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1324 daemon
->randomsocks
[i
].refcount
= 1;
1325 daemon
->randomsocks
[i
].family
= family
;
1326 return &daemon
->randomsocks
[i
];
1329 /* No free ones or cannot get new socket, grab an existing one */
1330 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
/* j walks the table starting from finger, modulo the table size */
1332 int j
= (i
+finger
) % RANDOM_SOCKS
;
/* entries already at 0xffff are skipped, so the increment below is never
   applied to that value (presumably the counter's maximum - confirm the
   width of the refcount field) */
1333 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1334 daemon
->randomsocks
[j
].family
== family
&&
1335 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1338 daemon
->randomsocks
[j
].refcount
++;
1339 return &daemon
->randomsocks
[j
];
1343 return NULL
; /* doom */
/* Release what a forward record holds.
   Visible steps, in order:
   - if f->rfd4 is set, drop one reference on it; a branch is taken when the
     count reaches zero;
   - the same for f->rfd6;
   - pass f->stash to blockdata_free();
   - if f->blocking_query is set, call free_frec() on it recursively, then
     clear the pointer.
   NOTE(review): the bodies of the two "refcount reached zero" branches and
   any further field resets (embedded lines 1349-1355, 1357-1363, 1370 on)
   are absent from this listing; presumably the socket is closed there -
   confirm against the full file. */
1346 static void free_frec(struct frec
*f
)
/* pre-decrement: the test sees the count after this record's reference is dropped */
1348 if (f
->rfd4
&& --(f
->rfd4
->refcount
) == 0)
1356 if (f
->rfd6
&& --(f
->rfd6
->refcount
) == 0)
1364 blockdata_free(f
->stash
);
1366 /* Anything we're waiting on is pointless now, too */
1367 if (f
->blocking_query
)
1368 free_frec(f
->blocking_query
);
1369 f
->blocking_query
= NULL
;
/* Find or create a forward record for a new query.
   Outline of the visible code:
   - walk daemon->frec_list once, counting the records in `count`; records
     whose age, difftime(now, f->time), is at least 4*TIMEOUT take one
     branch, and a second test compares f->time with oldest->time so that
     the record with the smallest time can be tracked in `oldest`;
   - after the walk, if `oldest` is at least TIMEOUT old it is a candidate
     for reuse, but while it is younger than 2*TIMEOUT and count is within
     daemon->ftabsize a fresh record from allocate_frec() is tried first;
   - if `force` is clear and count exceeds daemon->ftabsize, *wait is set to
     the time remaining until `oldest` reaches TIMEOUT, and a warning is
     logged with my_syslog() when more than 5 seconds have passed since
     last_log;
   - otherwise a new record is requested from allocate_frec(); the final
     return hands back f, which may be NULL if that allocation failed.
   NOTE(review): most branch bodies are absent from this listing (the
   embedded numbers skip 1389-1392, 1394-1398, 1400-1408, 1418-1427, ...),
   so the assignments to `oldest`/`target`, the intermediate returns and
   the update of last_log are assumptions - confirm against the full file.
   The comment that opens at embedded line 1413 has also lost the line that
   closes it. */
1374 /* if wait==NULL return a free or older than TIMEOUT record.
1375 else return *wait zero if one available, or *wait is delay to
1376 when the oldest in-use record will expire. Impose an absolute
1377 limit of 4*TIMEOUT before we wipe things (for random sockets).
1378 If force is set, always return a result, even if we have
1379 to allocate above the limit. */
1380 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
1382 struct frec
*f
, *oldest
, *target
;
1388 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
1393 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
1399 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
1409 /* can't find empty one, use oldest if there is one
1410 and it's older than timeout */
1411 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
1413 /* keep stuff for twice timeout if we can by allocating a new
1415 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
1416 count
<= daemon
->ftabsize
&&
1417 (f
= allocate_frec(now
)))
1428 /* none available, calculate time 'till oldest record expires */
1429 if (!force
&& count
> daemon
->ftabsize
)
1431 static time_t last_log
= 0;
1434 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
1436 if ((int)difftime(now
, last_log
) > 5)
1439 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
1445 if (!(f
= allocate_frec(now
)) && wait
)
1446 /* wait one second on malloc failure */
1449 return f
; /* OK if malloc fails and this is NULL */
/* Search daemon->frec_list for a forward record matching `id`.
   A record matches when its sentto pointer is set, its new_id equals `id`,
   and its stored crc equals `crc`. Passing crc == 0xffffffff disables the
   crc comparison, so any crc is accepted.
   NOTE(review): the return statements are absent from this listing;
   presumably the first matching record is returned and NULL when there is
   none - confirm against the full file. */
1452 /* crc is all-ones if not known. */
1453 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
)
1457 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1458 if (f
->sentto
&& f
->new_id
== id
&&
1459 (f
->crc
== crc
|| crc
== 0xffffffff))
/* Search daemon->frec_list for a forward record by originating client.
   The only part of the match condition visible here is the last term,
   which requires the record's stored source address to equal `addr`
   according to sockaddr_isequal().
   NOTE(review): the rest of the parameter list, the earlier terms of the
   condition (how `id` is compared) and the return statements are absent
   from this listing (embedded lines 1467-1470, 1472-1474, 1476 on);
   confirm against the full file before relying on this description. */
1465 static struct frec
*lookup_frec_by_sender(unsigned short id
,
1466 union mysockaddr
*addr
,
1471 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1475 sockaddr_isequal(&f
->source
, addr
))
/* Drop every reference to `server` held by the forwarding state.
   Visible steps:
   - walk daemon->frec_list and select each record whose sentto pointer is
     this server;
   - if daemon->last_server is this server, reset it to NULL;
   - if daemon->srv_save is this server, reset it to NULL.
   NOTE(review): the statement executed for each selected record (embedded
   line 1488) is absent from this listing; presumably the record is
   released with free_frec() - confirm against the full file. */
1481 /* A server record is going away, remove references to it */
1482 void server_gone(struct server
*server
)
1486 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
1487 if (f
->sentto
&& f
->sentto
== server
)
1490 if (daemon
->last_server
== server
)
1491 daemon
->last_server
= NULL
;
1493 if (daemon
->srv_save
== server
)
1494 daemon
->srv_save
= NULL
;
1497 /* return unique random ids. */
1498 static unsigned short get_id(unsigned int crc
)
1500 unsigned short ret
= 0;
1504 while (lookup_frec(ret
, crc
));