]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(unsigned int crc
);
24 static void free_frec(struct frec
*f
);
25 static struct randfd
*allocate_rfd(int family
);
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
30 union mysockaddr
*to
, struct all_addr
*source
,
36 struct cmsghdr align
; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
39 #elif defined(IP_SENDSRCADDR)
40 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
43 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
47 iov
[0].iov_base
= packet
;
50 msg
.msg_control
= NULL
;
51 msg
.msg_controllen
= 0;
54 msg
.msg_namelen
= sa_len(to
);
60 struct cmsghdr
*cmptr
;
61 msg
.msg_control
= &control_u
;
62 msg
.msg_controllen
= sizeof(control_u
);
63 cmptr
= CMSG_FIRSTHDR(&msg
);
65 if (to
->sa
.sa_family
== AF_INET
)
67 #if defined(HAVE_LINUX_NETWORK)
70 p
.ipi_spec_dst
= source
->addr
.addr4
;
71 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
72 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
73 cmptr
->cmsg_level
= IPPROTO_IP
;
74 cmptr
->cmsg_type
= IP_PKTINFO
;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
77 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
78 cmptr
->cmsg_level
= IPPROTO_IP
;
79 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
86 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
87 p
.ipi6_addr
= source
->addr
.addr6
;
88 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
89 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
90 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
91 cmptr
->cmsg_level
= IPPROTO_IPV6
;
94 (void)iface
; /* eliminate warning */
98 while (sendmsg(fd
, &msg
, 0) == -1)
103 /* If interface is still in DAD, EINVAL results - ignore that. */
107 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
114 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
115 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
122 unsigned int namelen
= strlen(qdomain
);
123 unsigned int matchlen
= 0;
125 unsigned int flags
= 0;
127 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
131 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
132 *type
= SERV_FOR_NODOTS
;
133 if (serv
->flags
& SERV_NO_ADDR
)
135 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
140 if (serv
->addr
.sa
.sa_family
== AF_INET
)
141 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
144 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
147 else if (!flags
|| (flags
& F_NXDOMAIN
))
151 else if (serv
->flags
& SERV_HAS_DOMAIN
)
153 unsigned int domainlen
= strlen(serv
->domain
);
154 char *matchstart
= qdomain
+ namelen
- domainlen
;
155 if (namelen
>= domainlen
&&
156 hostname_isequal(matchstart
, serv
->domain
) &&
157 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
159 if (serv
->flags
& SERV_NO_REBIND
)
163 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen
!= 0 && domainlen
== matchlen
)
169 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
171 if (!(sflag
& qtype
) && flags
== 0)
176 if (flags
& (F_IPV4
| F_IPV6
))
181 if (domainlen
>= matchlen
)
183 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
184 *domain
= serv
->domain
;
185 matchlen
= domainlen
;
186 if (serv
->flags
& SERV_NO_ADDR
)
188 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
193 if (serv
->addr
.sa
.sa_family
== AF_INET
)
194 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
197 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
200 else if (!flags
|| (flags
& F_NXDOMAIN
))
210 if (flags
== 0 && !(qtype
& F_QUERY
) &&
211 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
215 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
222 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
223 logflags
= F_NEG
| qtype
;
225 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
227 else if ((*type
) & SERV_USE_RESOLV
)
229 *type
= 0; /* use normal servers for this domain */
235 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
236 struct all_addr
*dst_addr
, unsigned int dst_iface
,
237 struct dns_header
*header
, size_t plen
, time_t now
, struct frec
*forward
)
240 int type
= 0, norebind
= 0;
241 struct all_addr
*addrp
= NULL
;
242 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
243 unsigned int flags
= 0;
244 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
245 struct server
*start
= NULL
;
247 /* RFC 4035: sect 4.6 para 2 */
248 header
->hb4
&= ~HB4_AD
;
250 /* may be no servers available. */
251 if (!daemon
->servers
)
253 else if (forward
|| (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, crc
)))
255 /* retry on existing query, send to all available servers */
256 domain
= forward
->sentto
->domain
;
257 forward
->sentto
->failed_queries
++;
258 if (!option_bool(OPT_ORDER
))
260 forward
->forwardall
= 1;
261 daemon
->last_server
= NULL
;
263 type
= forward
->sentto
->flags
& SERV_TYPE
;
264 if (!(start
= forward
->sentto
->next
))
265 start
= daemon
->servers
; /* at end of list, recycle */
266 header
->id
= htons(forward
->new_id
);
271 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
273 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
274 /* table full - server failure. */
279 forward
->source
= *udpaddr
;
280 forward
->dest
= *dst_addr
;
281 forward
->iface
= dst_iface
;
282 forward
->orig_id
= ntohs(header
->id
);
283 forward
->new_id
= get_id(crc
);
286 forward
->forwardall
= 0;
289 forward
->flags
|= FREC_NOREBIND
;
290 if (header
->hb4
& HB4_CD
)
291 forward
->flags
|= FREC_CHECKING_DISABLED
;
293 header
->id
= htons(forward
->new_id
);
295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
298 otherwise, use the one last known to work. */
302 if (option_bool(OPT_ORDER
))
303 start
= daemon
->servers
;
304 else if (!(start
= daemon
->last_server
) ||
305 daemon
->forwardcount
++ > FORWARD_TEST
||
306 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
308 start
= daemon
->servers
;
309 forward
->forwardall
= 1;
310 daemon
->forwardcount
= 0;
311 daemon
->forwardtime
= now
;
316 start
= daemon
->servers
;
317 if (!option_bool(OPT_ORDER
))
318 forward
->forwardall
= 1;
323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
327 if (!flags
&& forward
)
329 struct server
*firstsentto
= start
;
332 if (option_bool(OPT_ADD_MAC
))
333 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
335 if (option_bool(OPT_CLIENT_SUBNET
))
337 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
341 forward
->flags
|= FREC_HAS_SUBNET
;
346 if (option_bool(OPT_DNSSEC_VALID
))
348 plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
349 header
->hb4
|= HB4_CD
;
355 /* only send to servers dealing with our domain.
356 domain may be NULL, in which case server->domain
357 must be NULL also. */
359 if (type
== (start
->flags
& SERV_TYPE
) &&
360 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
361 !(start
->flags
& SERV_LITERAL_ADDRESS
))
365 /* find server socket to use, may need to get random one. */
371 if (start
->addr
.sa
.sa_family
== AF_INET6
)
373 if (!forward
->rfd6
&&
374 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
376 daemon
->rfd_save
= forward
->rfd6
;
377 fd
= forward
->rfd6
->fd
;
382 if (!forward
->rfd4
&&
383 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
385 daemon
->rfd_save
= forward
->rfd4
;
386 fd
= forward
->rfd4
->fd
;
389 #ifdef HAVE_CONNTRACK
390 /* Copy connection mark of incoming query to outgoing connection. */
391 if (option_bool(OPT_CONNTRACK
))
394 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
395 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
400 if (sendto(fd
, (char *)header
, plen
, 0,
402 sa_len(&start
->addr
)) == -1)
409 /* Keep info in case we want to re-send this packet */
410 daemon
->srv_save
= start
;
411 daemon
->packet_len
= plen
;
414 strcpy(daemon
->namebuff
, "query");
415 if (start
->addr
.sa
.sa_family
== AF_INET
)
416 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
417 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
420 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
421 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
425 forward
->sentto
= start
;
426 if (!forward
->forwardall
)
428 forward
->forwardall
++;
432 if (!(start
= start
->next
))
433 start
= daemon
->servers
;
435 if (start
== firstsentto
)
442 /* could not send on, prepare to return */
443 header
->id
= htons(forward
->orig_id
);
444 free_frec(forward
); /* cancel */
447 /* could not send on, return empty answer or address if known for whole domain */
450 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
451 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
457 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
458 int no_cache
, int cache_secure
, int check_subnet
, union mysockaddr
*query_source
)
460 unsigned char *pheader
, *sizep
;
462 int munged
= 0, is_sign
;
467 /* Similar algorithm to search_servers. */
468 struct ipsets
*ipset_pos
;
469 unsigned int namelen
= strlen(daemon
->namebuff
);
470 unsigned int matchlen
= 0;
471 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
473 unsigned int domainlen
= strlen(ipset_pos
->domain
);
474 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
475 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
476 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
477 domainlen
>= matchlen
) {
478 matchlen
= domainlen
;
479 sets
= ipset_pos
->sets
;
484 /* If upstream is advertising a larger UDP packet size
485 than we allow, trim it so that we don't get overlarge
486 requests for the client. We can't do this for signed packets. */
488 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
492 unsigned short udpsz
;
493 unsigned char *psave
= sizep
;
495 GETSHORT(udpsz
, sizep
);
496 if (udpsz
> daemon
->edns_pktsz
)
497 PUTSHORT(daemon
->edns_pktsz
, psave
);
500 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
502 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
507 /* RFC 4035 sect 4.6 para 3 */
508 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
512 if (option_bool(OPT_DNSSEC_VALID
))
513 squash_ad
= no_cache
;
516 header
->hb4
|= HB4_AD
;
520 header
->hb4
&= ~HB4_AD
;
522 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
525 /* Complain loudly if the upstream server is non-recursive. */
526 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
527 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
529 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
530 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
531 if (!option_bool(OPT_LOG
))
532 server
->flags
|= SERV_WARNED_RECURSIVE
;
535 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
536 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
539 SET_RCODE(header
, NXDOMAIN
);
540 header
->hb3
&= ~HB3_AA
;
544 if (RCODE(header
) == NXDOMAIN
&&
545 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
546 check_for_local_domain(daemon
->namebuff
, now
))
548 /* if we forwarded a query for a locally known name (because it was for
549 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
550 since we know that the domain exists, even if upstream doesn't */
552 header
->hb3
|= HB3_AA
;
553 SET_RCODE(header
, NOERROR
);
556 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
))
558 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
563 /* do this after extract_addresses. Ensure NODATA reply and remove
568 header
->ancount
= htons(0);
569 header
->nscount
= htons(0);
570 header
->arcount
= htons(0);
573 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
574 sections of the packet. Find the new length here and put back pseudoheader
575 if it was removed. */
576 return resize_packet(header
, n
, pheader
, plen
);
579 /* sets new last_server */
580 void reply_query(int fd
, int family
, time_t now
)
582 /* packet from peer server, extract data for cache, and send to
583 original requester */
584 struct dns_header
*header
;
585 union mysockaddr serveraddr
;
586 struct frec
*forward
;
587 socklen_t addrlen
= sizeof(serveraddr
);
588 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
590 struct server
*server
;
592 /* packet buffer overwritten */
593 daemon
->srv_save
= NULL
;
595 /* Determine the address of the server replying so that we can mark that as good */
596 serveraddr
.sa
.sa_family
= family
;
598 if (serveraddr
.sa
.sa_family
== AF_INET6
)
599 serveraddr
.in6
.sin6_flowinfo
= 0;
602 /* spoof check: answer must come from known server, */
603 for (server
= daemon
->servers
; server
; server
= server
->next
)
604 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
605 sockaddr_isequal(&server
->addr
, &serveraddr
))
608 header
= (struct dns_header
*)daemon
->packet
;
611 n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
) ||
612 !(forward
= lookup_frec(ntohs(header
->id
), questions_crc(header
, n
, daemon
->namebuff
))))
615 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
616 !option_bool(OPT_ORDER
) &&
617 forward
->forwardall
== 0)
618 /* for broken servers, attempt to send to another one. */
620 unsigned char *pheader
;
624 /* recreate query from reply */
625 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
628 header
->ancount
= htons(0);
629 header
->nscount
= htons(0);
630 header
->arcount
= htons(0);
631 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
633 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
634 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
);
640 server
= forward
->sentto
;
642 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
644 if (RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
)
648 struct server
*last_server
;
650 /* find good server by address if possible, otherwise assume the last one we sent to */
651 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
652 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
653 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
655 server
= last_server
;
659 if (!option_bool(OPT_ALL_SERVERS
))
660 daemon
->last_server
= server
;
663 /* If the answer is an error, keep the forward record in place in case
664 we get a good reply from another server. Kill it when we've
665 had replies from all to avoid filling the forwarding table when
666 everything is broken */
667 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 ||
668 (RCODE(header
) != REFUSED
&& RCODE(header
) != SERVFAIL
))
670 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
672 if (option_bool(OPT_NO_REBIND
))
673 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
675 /* Don't cache replies where DNSSEC validation was turned off, either
676 the upstream server told us so, or the original query specified it. */
677 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
681 if (option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
685 /* We've had a reply already, which we're validating. Ignore this duplicate */
689 if (header
->hb3
& HB3_TC
)
691 /* Truncated answer can't be validated.
692 The client will retry over TCP, but if this is an answer to a
693 DNSSEC-generated query, we have a problem. Should really re-send
694 over TCP. No-one with any sense will make a DNSKEY or DS RRset
695 exceed 4096, so this may not be a real problem. Just log
697 if (forward
->flags
& (FREC_DNSKEY_QUERY
| FREC_DS_QUERY
))
698 my_syslog(LOG_ERR
, _("Reply to DNSSEC query truncated - validation fails."));
699 status
= STAT_INSECURE
;
701 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
702 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
703 else if (forward
->flags
& FREC_DS_QUERY
)
704 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
706 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
708 /* Can't validate, as we're missing key data. Put this
709 answer aside, whilst we get that. */
710 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
714 if ((new = get_new_frec(now
, NULL
, 1)))
716 struct frec
*next
= new->next
;
717 *new = *forward
; /* copy everything, then overwrite */
720 new->blocking_query
= NULL
;
725 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
);
727 if ((forward
->stash
= blockdata_alloc((char *)header
, n
)))
731 forward
->stash_len
= n
;
733 new->dependent
= forward
; /* to find query awaiting new one. */
734 forward
->blocking_query
= new; /* for garbage cleaning */
735 /* validate routines leave name of required record in daemon->keyname */
736 if (status
== STAT_NEED_KEY
)
738 new->flags
|= FREC_DNSKEY_QUERY
;
739 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
740 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
742 else if (status
== STAT_NEED_DS
)
744 new->flags
|= FREC_DS_QUERY
;
745 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
746 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
748 new->crc
= questions_crc(header
, nn
, daemon
->namebuff
);
749 new->new_id
= get_id(new->crc
);
750 header
->id
= htons(new->new_id
);
752 /* Don't resend this. */
753 daemon
->srv_save
= NULL
;
756 fd
= server
->sfd
->fd
;
761 if (server
->addr
.sa
.sa_family
== AF_INET6
)
763 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
769 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
776 while (sendto(fd
, (char *)header
, nn
, 0, &server
->addr
.sa
, sa_len(&server
->addr
)) == -1 && retry_send());
785 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
786 Now wind back down, pulling back answers which wouldn't previously validate
787 and validate them with the new data. Failure to find needed data here is an internal error.
788 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
789 return it to the original requestor. */
790 if (forward
->flags
& (FREC_DNSKEY_QUERY
| FREC_DS_QUERY
))
792 while (forward
->dependent
)
796 if (status
== STAT_SECURE
)
798 if (forward
->flags
& FREC_DNSKEY_QUERY
)
799 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
800 else if (forward
->flags
& FREC_DS_QUERY
)
801 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
804 prev
= forward
->dependent
;
807 forward
->blocking_query
= NULL
; /* already gone */
808 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
809 n
= forward
->stash_len
;
812 /* All DNSKEY and DS records done and in cache, now finally validate original
813 answer, provided last DNSKEY is OK. */
814 if (status
== STAT_SECURE
)
815 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
817 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
819 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
820 status
= STAT_INSECURE
;
824 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
825 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
829 if (status
== STAT_SECURE
)
831 /* TODO return SERVFAIL here */
832 else if (status
== STAT_BOGUS
)
835 /* restore CD bit to the value in the query */
836 if (forward
->flags
& FREC_CHECKING_DISABLED
)
837 header
->hb4
|= HB4_CD
;
839 header
->hb4
&= ~HB4_CD
;
843 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
844 forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
846 header
->id
= htons(forward
->orig_id
);
847 header
->hb4
|= HB4_RA
; /* recursion if available */
848 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
849 &forward
->source
, &forward
->dest
, forward
->iface
);
851 free_frec(forward
); /* cancel */
856 void receive_query(struct listener
*listen
, time_t now
)
858 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
859 union mysockaddr source_addr
;
861 struct all_addr dst_addr
;
862 struct in_addr netmask
, dst_addr_4
;
865 int if_index
= 0, auth_dns
= 0;
871 struct cmsghdr
*cmptr
;
873 struct cmsghdr align
; /* this ensures alignment */
875 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
877 #if defined(HAVE_LINUX_NETWORK)
878 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
879 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
880 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
881 CMSG_SPACE(sizeof(unsigned int))];
882 #elif defined(IP_RECVDSTADDR)
883 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
884 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
888 /* Can always get recvd interface for IPv6 */
889 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
891 int check_dst
= !option_bool(OPT_NOWILD
);
894 /* packet buffer overwritten */
895 daemon
->srv_save
= NULL
;
897 dst_addr_4
.s_addr
= 0;
900 if (option_bool(OPT_NOWILD
) && listen
->iface
)
902 auth_dns
= listen
->iface
->dns_auth
;
904 if (listen
->family
== AF_INET
)
906 dst_addr_4
= listen
->iface
->addr
.in
.sin_addr
;
907 netmask
= listen
->iface
->netmask
;
911 iov
[0].iov_base
= daemon
->packet
;
912 iov
[0].iov_len
= daemon
->edns_pktsz
;
914 msg
.msg_control
= control_u
.control
;
915 msg
.msg_controllen
= sizeof(control_u
);
917 msg
.msg_name
= &source_addr
;
918 msg
.msg_namelen
= sizeof(source_addr
);
922 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
925 if (n
< (int)sizeof(struct dns_header
) ||
926 (msg
.msg_flags
& MSG_TRUNC
) ||
927 (header
->hb3
& HB3_QR
))
930 source_addr
.sa
.sa_family
= listen
->family
;
932 if (listen
->family
== AF_INET6
)
933 source_addr
.in6
.sin6_flowinfo
= 0;
940 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
943 #if defined(HAVE_LINUX_NETWORK)
944 if (listen
->family
== AF_INET
)
945 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
946 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
950 struct in_pktinfo
*p
;
952 p
.c
= CMSG_DATA(cmptr
);
953 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
954 if_index
= p
.p
->ipi_ifindex
;
956 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
957 if (listen
->family
== AF_INET
)
959 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
965 #ifndef HAVE_SOLARIS_NETWORK
966 struct sockaddr_dl
*s
;
969 p
.c
= CMSG_DATA(cmptr
);
970 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
971 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
972 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
973 #ifdef HAVE_SOLARIS_NETWORK
976 if_index
= p
.s
->sdl_index
;
983 if (listen
->family
== AF_INET6
)
985 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
986 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
990 struct in6_pktinfo
*p
;
992 p
.c
= CMSG_DATA(cmptr
);
994 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
995 if_index
= p
.p
->ipi6_ifindex
;
1000 /* enforce available interface configuration */
1002 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1005 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1007 if (!option_bool(OPT_CLEVERBIND
))
1008 enumerate_interfaces(0);
1009 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1010 !label_exception(if_index
, listen
->family
, &dst_addr
))
1014 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1018 /* get the netmask of the interface whch has the address we were sent to.
1019 This is no neccessarily the interface we arrived on. */
1021 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1022 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1023 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1026 /* interface may be new */
1027 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1028 enumerate_interfaces(0);
1030 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1031 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1032 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1035 /* If we failed, abandon localisation */
1037 netmask
= iface
->netmask
;
1039 dst_addr_4
.s_addr
= 0;
1043 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1047 struct auth_zone
*zone
;
1050 querystr(auth_dns
? "auth" : "query", types
, type
);
1052 if (listen
->family
== AF_INET
)
1053 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1054 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1057 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1058 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1062 /* find queries for zones we're authoritative for, and answer them directly */
1064 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1065 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1077 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1080 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1081 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1082 daemon
->auth_answer
++;
1088 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1089 dst_addr_4
, netmask
, now
);
1093 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1094 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1095 daemon
->local_answer
++;
1097 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1098 header
, (size_t)n
, now
, NULL
))
1099 daemon
->queries_forwarded
++;
1101 daemon
->local_answer
++;
1106 static int tcp_key_recurse(time_t now
, int status
, int class, char *keyname
, struct server
*server
)
1108 /* Recurse up the key heirarchy */
1110 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1111 unsigned char *payload
= &packet
[2];
1112 struct dns_header
*header
= (struct dns_header
*)payload
;
1113 u16
*length
= (u16
*)packet
;
1115 unsigned char c1
, c2
;
1117 n
= dnssec_generate_query(header
, ((char *) header
) + 65536, keyname
, class,
1118 status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1122 if (!read_write(server
->tcpfd
, packet
, n
+ sizeof(u16
), 0) ||
1123 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1124 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1125 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1127 close(server
->tcpfd
);
1129 new_status
= STAT_INSECURE
;
1135 if (status
== STAT_NEED_KEY
)
1136 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1138 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1140 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1142 if ((new_status
= tcp_key_recurse(now
, new_status
, class, daemon
->keyname
, server
) == STAT_SECURE
))
1144 if (status
== STAT_NEED_KEY
)
1145 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1147 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1149 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1151 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
1152 status
= STAT_INSECURE
;
1165 /* The daemon forks before calling this: it should deal with one connection,
1166 blocking as neccessary, and then return. Note, need to be a bit careful
1167 about resources for debug mode, when the fork is suppressed: that's
1168 done by the caller. */
1169 unsigned char *tcp_request(int confd
, time_t now
,
1170 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1177 int checking_disabled
, check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0;
1179 unsigned short qtype
;
1180 unsigned int gotname
;
1181 unsigned char c1
, c2
;
1182 /* Max TCP packet + slop + size */
1183 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1184 unsigned char *payload
= &packet
[2];
1185 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1186 struct dns_header
*header
= (struct dns_header
*)payload
;
1187 u16
*length
= (u16
*)packet
;
1188 struct server
*last_server
;
1189 struct in_addr dst_addr_4
;
1190 union mysockaddr peer_addr
;
1191 socklen_t peer_len
= sizeof(union mysockaddr
);
1193 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1199 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1200 !(size
= c1
<< 8 | c2
) ||
1201 !read_write(confd
, payload
, size
, 1))
1204 if (size
< (int)sizeof(struct dns_header
))
1209 /* save state of "cd" flag in query */
1210 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1211 no_cache_dnssec
= 1;
1213 /* RFC 4035: sect 4.6 para 2 */
1214 header
->hb4
&= ~HB4_AD
;
1216 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1220 struct auth_zone
*zone
;
1222 querystr(auth_dns
? "auth" : "query", types
, qtype
);
1224 if (peer_addr
.sa
.sa_family
== AF_INET
)
1225 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1226 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1229 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1230 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1234 /* find queries for zones we're authoritative for, and answer them directly */
1236 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1237 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1246 if (local_addr
->sa
.sa_family
== AF_INET
)
1247 dst_addr_4
= local_addr
->in
.sin_addr
;
1249 dst_addr_4
.s_addr
= 0;
1253 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1257 /* m > 0 if answered from cache */
1258 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1259 dst_addr_4
, netmask
, now
);
1261 /* Do this by steam now we're not in the select() loop */
1262 check_log_writer(NULL
);
1266 unsigned int flags
= 0;
1267 struct all_addr
*addrp
= NULL
;
1269 char *domain
= NULL
;
1271 if (option_bool(OPT_ADD_MAC
))
1272 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1274 if (option_bool(OPT_CLIENT_SUBNET
))
1276 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1285 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1287 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1288 last_server
= daemon
->servers
;
1290 last_server
= daemon
->last_server
;
1292 if (!flags
&& last_server
)
1294 struct server
*firstsendto
= NULL
;
1295 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1297 /* Loop round available servers until we succeed in connecting to one.
1298 Note that this code subtley ensures that consecutive queries on this connection
1299 which can go to the same server, do so. */
1303 firstsendto
= last_server
;
1306 if (!(last_server
= last_server
->next
))
1307 last_server
= daemon
->servers
;
1309 if (last_server
== firstsendto
)
1313 /* server for wrong domain */
1314 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1315 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)))
1318 if (last_server
->tcpfd
== -1)
1320 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1323 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1324 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1326 close(last_server
->tcpfd
);
1327 last_server
->tcpfd
= -1;
1332 if (option_bool(OPT_DNSSEC_VALID
))
1334 size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1335 header
->hb4
|= HB4_CD
;
1339 #ifdef HAVE_CONNTRACK
1340 /* Copy connection mark of incoming query to outgoing connection. */
1341 if (option_bool(OPT_CONNTRACK
))
1344 struct all_addr local
;
1346 if (local_addr
->sa
.sa_family
== AF_INET6
)
1347 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1350 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1352 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1353 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1358 *length
= htons(size
);
1360 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1361 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1362 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1363 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1365 close(last_server
->tcpfd
);
1366 last_server
->tcpfd
= -1;
1373 strcpy(daemon
->namebuff
, "query");
1374 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1375 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1376 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1379 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1380 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1384 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1388 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1390 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
1392 if ((status
= tcp_key_recurse(now
, status
, class, daemon
->keyname
, last_server
)) == STAT_SECURE
)
1393 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1396 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
1397 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1399 if (status
== STAT_BOGUS
)
1400 no_cache_dnssec
= 1;
1402 if (status
== STAT_SECURE
)
1407 /* restore CD bit to the value in the query */
1408 if (checking_disabled
)
1409 header
->hb4
|= HB4_CD
;
1411 header
->hb4
&= ~HB4_CD
;
1413 /* There's no point in updating the cache, since this process will exit and
1414 lose the information after a few queries. We make this call for the alias and
1415 bogus-nxdomain side-effects. */
1416 /* If the crc of the question section doesn't match the crc we sent, then
1417 someone might be attempting to insert bogus values into the cache by
1418 sending replies containing questions and bogus answers. */
1419 if (crc
== questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1420 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1421 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
,
1422 cache_secure
, check_subnet
, &peer_addr
);
1428 /* In case of local answer or no connections made. */
1430 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1434 check_log_writer(NULL
);
1438 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
1443 static struct frec
*allocate_frec(time_t now
)
1447 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1449 f
->next
= daemon
->frec_list
;
1458 f
->blocking_query
= NULL
;
1460 daemon
->frec_list
= f
;
1466 static struct randfd
*allocate_rfd(int family
)
1468 static int finger
= 0;
1471 /* limit the number of sockets we have open to avoid starvation of
1472 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1474 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1475 if (daemon
->randomsocks
[i
].refcount
== 0)
1477 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1480 daemon
->randomsocks
[i
].refcount
= 1;
1481 daemon
->randomsocks
[i
].family
= family
;
1482 return &daemon
->randomsocks
[i
];
1485 /* No free ones or cannot get new socket, grab an existing one */
1486 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1488 int j
= (i
+finger
) % RANDOM_SOCKS
;
1489 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1490 daemon
->randomsocks
[j
].family
== family
&&
1491 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1494 daemon
->randomsocks
[j
].refcount
++;
1495 return &daemon
->randomsocks
[j
];
1499 return NULL
; /* doom */
1501 static void free_frec(struct frec
*f
)
1503 if (f
->rfd4
&& --(f
->rfd4
->refcount
) == 0)
1511 if (f
->rfd6
&& --(f
->rfd6
->refcount
) == 0)
1520 blockdata_free(f
->stash
);
1524 /* Anything we're waiting on is pointless now, too */
1525 if (f
->blocking_query
)
1526 free_frec(f
->blocking_query
);
1527 f
->blocking_query
= NULL
;
1532 /* if wait==NULL return a free or older than TIMEOUT record.
1533 else return *wait zero if one available, or *wait is delay to
1534 when the oldest in-use record will expire. Impose an absolute
1535 limit of 4*TIMEOUT before we wipe things (for random sockets).
1536 If force is set, always return a result, even if we have
1537 to allocate above the limit. */
1538 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
1540 struct frec
*f
, *oldest
, *target
;
1546 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
1551 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
1557 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
1567 /* can't find empty one, use oldest if there is one
1568 and it's older than timeout */
1569 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
1571 /* keep stuff for twice timeout if we can by allocating a new
1573 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
1574 count
<= daemon
->ftabsize
&&
1575 (f
= allocate_frec(now
)))
1586 /* none available, calculate time 'till oldest record expires */
1587 if (!force
&& count
> daemon
->ftabsize
)
1589 static time_t last_log
= 0;
1592 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
1594 if ((int)difftime(now
, last_log
) > 5)
1597 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
1603 if (!(f
= allocate_frec(now
)) && wait
)
1604 /* wait one second on malloc failure */
1607 return f
; /* OK if malloc fails and this is NULL */
1610 /* crc is all-ones if not known. */
1611 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
)
1615 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1616 if (f
->sentto
&& f
->new_id
== id
&&
1617 (f
->crc
== crc
|| crc
== 0xffffffff))
1623 static struct frec
*lookup_frec_by_sender(unsigned short id
,
1624 union mysockaddr
*addr
,
1629 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1633 sockaddr_isequal(&f
->source
, addr
))
1639 /* A server record is going away, remove references to it */
1640 void server_gone(struct server
*server
)
1644 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
1645 if (f
->sentto
&& f
->sentto
== server
)
1648 if (daemon
->last_server
== server
)
1649 daemon
->last_server
= NULL
;
1651 if (daemon
->srv_save
== server
)
1652 daemon
->srv_save
= NULL
;
1655 /* return unique random ids. */
1656 static unsigned short get_id(unsigned int crc
)
1658 unsigned short ret
= 0;
1662 while (lookup_frec(ret
, crc
));