]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
);
30 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
31 char *name
, char *keyname
);
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
38 union mysockaddr
*to
, struct all_addr
*source
,
44 struct cmsghdr align
; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
47 #elif defined(IP_SENDSRCADDR)
48 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
51 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
55 iov
[0].iov_base
= packet
;
58 msg
.msg_control
= NULL
;
59 msg
.msg_controllen
= 0;
62 msg
.msg_namelen
= sa_len(to
);
68 struct cmsghdr
*cmptr
;
69 msg
.msg_control
= &control_u
;
70 msg
.msg_controllen
= sizeof(control_u
);
71 cmptr
= CMSG_FIRSTHDR(&msg
);
73 if (to
->sa
.sa_family
== AF_INET
)
75 #if defined(HAVE_LINUX_NETWORK)
78 p
.ipi_spec_dst
= source
->addr
.addr4
;
79 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
80 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
81 cmptr
->cmsg_level
= IPPROTO_IP
;
82 cmptr
->cmsg_type
= IP_PKTINFO
;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
85 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
86 cmptr
->cmsg_level
= IPPROTO_IP
;
87 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
94 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
95 p
.ipi6_addr
= source
->addr
.addr6
;
96 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
97 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
98 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
99 cmptr
->cmsg_level
= IPPROTO_IPV6
;
102 (void)iface
; /* eliminate warning */
106 while (retry_send(sendmsg(fd
, &msg
, 0)));
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno
!= 0 && errno
!= EINVAL
)
111 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
118 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
119 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
126 unsigned int namelen
= strlen(qdomain
);
127 unsigned int matchlen
= 0;
129 unsigned int flags
= 0;
131 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
135 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
136 *type
= SERV_FOR_NODOTS
;
137 if (serv
->flags
& SERV_NO_ADDR
)
139 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
144 if (serv
->addr
.sa
.sa_family
== AF_INET
)
145 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
148 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
151 else if (!flags
|| (flags
& F_NXDOMAIN
))
155 else if (serv
->flags
& SERV_HAS_DOMAIN
)
157 unsigned int domainlen
= strlen(serv
->domain
);
158 char *matchstart
= qdomain
+ namelen
- domainlen
;
159 if (namelen
>= domainlen
&&
160 hostname_isequal(matchstart
, serv
->domain
) &&
161 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
163 if (serv
->flags
& SERV_NO_REBIND
)
167 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen
!= 0 && domainlen
== matchlen
)
173 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
175 if (!(sflag
& qtype
) && flags
== 0)
180 if (flags
& (F_IPV4
| F_IPV6
))
185 if (domainlen
>= matchlen
)
187 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
188 *domain
= serv
->domain
;
189 matchlen
= domainlen
;
190 if (serv
->flags
& SERV_NO_ADDR
)
192 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
197 if (serv
->addr
.sa
.sa_family
== AF_INET
)
198 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
201 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
204 else if (!flags
|| (flags
& F_NXDOMAIN
))
214 if (flags
== 0 && !(qtype
& F_QUERY
) &&
215 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
219 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
226 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
227 logflags
= F_NEG
| qtype
;
229 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
231 else if ((*type
) & SERV_USE_RESOLV
)
233 *type
= 0; /* use normal servers for this domain */
239 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
240 struct all_addr
*dst_addr
, unsigned int dst_iface
,
241 struct dns_header
*header
, size_t plen
, time_t now
,
242 struct frec
*forward
, int ad_reqd
, int do_bit
)
245 int type
= 0, norebind
= 0;
246 struct all_addr
*addrp
= NULL
;
247 unsigned int flags
= 0;
248 struct server
*start
= NULL
;
250 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
252 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
255 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
259 /* may be no servers available. */
260 if (!daemon
->servers
)
262 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
265 /* If we've already got an answer to this query, but we're awaiting keys for validation,
266 there's no point retrying the query, retry the key query instead...... */
267 if (forward
->blocking_query
)
271 while (forward
->blocking_query
)
272 forward
= forward
->blocking_query
;
274 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
275 plen
= forward
->stash_len
;
277 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
278 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
281 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
284 if (forward
->sentto
->sfd
)
285 fd
= forward
->sentto
->sfd
->fd
;
289 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
290 fd
= forward
->rfd6
->fd
;
293 fd
= forward
->rfd4
->fd
;
296 while (retry_send( sendto(fd
, (char *)header
, plen
, 0,
297 &forward
->sentto
->addr
.sa
,
298 sa_len(&forward
->sentto
->addr
))));
304 /* retry on existing query, send to all available servers */
305 domain
= forward
->sentto
->domain
;
306 forward
->sentto
->failed_queries
++;
307 if (!option_bool(OPT_ORDER
))
309 forward
->forwardall
= 1;
310 daemon
->last_server
= NULL
;
312 type
= forward
->sentto
->flags
& SERV_TYPE
;
313 if (!(start
= forward
->sentto
->next
))
314 start
= daemon
->servers
; /* at end of list, recycle */
315 header
->id
= htons(forward
->new_id
);
320 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
322 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
323 /* table full - server failure. */
328 forward
->source
= *udpaddr
;
329 forward
->dest
= *dst_addr
;
330 forward
->iface
= dst_iface
;
331 forward
->orig_id
= ntohs(header
->id
);
332 forward
->new_id
= get_id();
334 memcpy(forward
->hash
, hash
, HASH_SIZE
);
335 forward
->forwardall
= 0;
338 forward
->flags
|= FREC_NOREBIND
;
339 if (header
->hb4
& HB4_CD
)
340 forward
->flags
|= FREC_CHECKING_DISABLED
;
342 forward
->flags
|= FREC_AD_QUESTION
;
344 forward
->work_counter
= DNSSEC_WORK
;
346 forward
->flags
|= FREC_DO_QUESTION
;
349 header
->id
= htons(forward
->new_id
);
351 /* In strict_order mode, always try servers in the order
352 specified in resolv.conf, if a domain is given
353 always try all the available servers,
354 otherwise, use the one last known to work. */
358 if (option_bool(OPT_ORDER
))
359 start
= daemon
->servers
;
360 else if (!(start
= daemon
->last_server
) ||
361 daemon
->forwardcount
++ > FORWARD_TEST
||
362 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
364 start
= daemon
->servers
;
365 forward
->forwardall
= 1;
366 daemon
->forwardcount
= 0;
367 daemon
->forwardtime
= now
;
372 start
= daemon
->servers
;
373 if (!option_bool(OPT_ORDER
))
374 forward
->forwardall
= 1;
379 /* check for send errors here (no route to host)
380 if we fail to send to all nameservers, send back an error
381 packet straight away (helps modem users when offline) */
383 if (!flags
&& forward
)
385 struct server
*firstsentto
= start
;
388 /* If a query is retried, use the log_id for the retry when logging the answer. */
389 forward
->log_id
= daemon
->log_id
;
391 if (option_bool(OPT_ADD_MAC
))
392 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
394 if (option_bool(OPT_CLIENT_SUBNET
))
396 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
400 forward
->flags
|= FREC_HAS_SUBNET
;
405 if (option_bool(OPT_DNSSEC_VALID
))
407 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG
))
412 header
->hb4
|= HB4_CD
;
414 if (new_plen
!= plen
)
415 forward
->flags
|= FREC_ADDED_PHEADER
;
423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
427 if (type
== (start
->flags
& SERV_TYPE
) &&
428 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
429 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
433 /* find server socket to use, may need to get random one. */
439 if (start
->addr
.sa
.sa_family
== AF_INET6
)
441 if (!forward
->rfd6
&&
442 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
444 daemon
->rfd_save
= forward
->rfd6
;
445 fd
= forward
->rfd6
->fd
;
450 if (!forward
->rfd4
&&
451 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
453 daemon
->rfd_save
= forward
->rfd4
;
454 fd
= forward
->rfd4
->fd
;
457 #ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK
))
462 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
463 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
468 if (retry_send(sendto(fd
, (char *)header
, plen
, 0,
470 sa_len(&start
->addr
))))
475 /* Keep info in case we want to re-send this packet */
476 daemon
->srv_save
= start
;
477 daemon
->packet_len
= plen
;
480 strcpy(daemon
->namebuff
, "query");
481 if (start
->addr
.sa
.sa_family
== AF_INET
)
482 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
483 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
486 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
487 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
491 forward
->sentto
= start
;
492 if (!forward
->forwardall
)
494 forward
->forwardall
++;
498 if (!(start
= start
->next
))
499 start
= daemon
->servers
;
501 if (start
== firstsentto
)
508 /* could not send on, prepare to return */
509 header
->id
= htons(forward
->orig_id
);
510 free_frec(forward
); /* cancel */
513 /* could not send on, return empty answer or address if known for whole domain */
516 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
517 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
523 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
524 int no_cache
, int cache_secure
, int bogusanswer
, int ad_reqd
, int do_bit
, int added_pheader
,
525 int check_subnet
, union mysockaddr
*query_source
)
527 unsigned char *pheader
, *sizep
;
529 int munged
= 0, is_sign
;
537 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
539 /* Similar algorithm to search_servers. */
540 struct ipsets
*ipset_pos
;
541 unsigned int namelen
= strlen(daemon
->namebuff
);
542 unsigned int matchlen
= 0;
543 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
545 unsigned int domainlen
= strlen(ipset_pos
->domain
);
546 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
547 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
548 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
549 domainlen
>= matchlen
)
551 matchlen
= domainlen
;
552 sets
= ipset_pos
->sets
;
558 /* If upstream is advertising a larger UDP packet size
559 than we allow, trim it so that we don't get overlarge
560 requests for the client. We can't do this for signed packets. */
562 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
564 unsigned short udpsz
;
565 unsigned char *psave
= sizep
;
567 GETSHORT(udpsz
, sizep
);
569 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
570 PUTSHORT(daemon
->edns_pktsz
, psave
);
572 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
574 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
581 header
->arcount
= htons(0);
585 /* RFC 4035 sect 4.6 para 3 */
586 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
587 header
->hb4
&= ~HB4_AD
;
589 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
590 return resize_packet(header
, n
, pheader
, plen
);
592 /* Complain loudly if the upstream server is non-recursive. */
593 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
594 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
596 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
597 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
598 if (!option_bool(OPT_LOG
))
599 server
->flags
|= SERV_WARNED_RECURSIVE
;
602 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
603 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
606 SET_RCODE(header
, NXDOMAIN
);
607 header
->hb3
&= ~HB3_AA
;
614 if (RCODE(header
) == NXDOMAIN
&&
615 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
616 check_for_local_domain(daemon
->namebuff
, now
))
618 /* if we forwarded a query for a locally known name (because it was for
619 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
620 since we know that the domain exists, even if upstream doesn't */
622 header
->hb3
|= HB3_AA
;
623 SET_RCODE(header
, NOERROR
);
627 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
629 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
639 if (bogusanswer
&& !(header
->hb4
& HB4_CD
))
641 if (!option_bool(OPT_DNSSEC_DEBUG
))
643 /* Bogus reply, turn into SERVFAIL */
644 SET_RCODE(header
, SERVFAIL
);
649 if (option_bool(OPT_DNSSEC_VALID
))
650 header
->hb4
&= ~HB4_AD
;
652 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
653 header
->hb4
|= HB4_AD
;
655 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
657 n
= filter_rrsigs(header
, n
);
660 /* do this after extract_addresses. Ensure NODATA reply and remove
665 header
->ancount
= htons(0);
666 header
->nscount
= htons(0);
667 header
->arcount
= htons(0);
668 header
->hb3
&= ~HB3_TC
;
671 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
672 sections of the packet. Find the new length here and put back pseudoheader
673 if it was removed. */
674 return resize_packet(header
, n
, pheader
, plen
);
677 /* sets new last_server */
678 void reply_query(int fd
, int family
, time_t now
)
680 /* packet from peer server, extract data for cache, and send to
681 original requester */
682 struct dns_header
*header
;
683 union mysockaddr serveraddr
;
684 struct frec
*forward
;
685 socklen_t addrlen
= sizeof(serveraddr
);
686 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
688 struct server
*server
;
694 /* packet buffer overwritten */
695 daemon
->srv_save
= NULL
;
697 /* Determine the address of the server replying so that we can mark that as good */
698 serveraddr
.sa
.sa_family
= family
;
700 if (serveraddr
.sa
.sa_family
== AF_INET6
)
701 serveraddr
.in6
.sin6_flowinfo
= 0;
704 header
= (struct dns_header
*)daemon
->packet
;
706 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
709 /* spoof check: answer must come from known server, */
710 for (server
= daemon
->servers
; server
; server
= server
->next
)
711 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
712 sockaddr_isequal(&server
->addr
, &serveraddr
))
719 hash
= hash_questions(header
, n
, daemon
->namebuff
);
722 crc
= questions_crc(header
, n
, daemon
->namebuff
);
725 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
728 /* log_query gets called indirectly all over the place, so
729 pass these in global variables - sorry. */
730 daemon
->log_display_id
= forward
->log_id
;
731 daemon
->log_source_addr
= &forward
->source
;
733 if (daemon
->ignore_addr
&& RCODE(header
) == NOERROR
&&
734 check_for_ignored_address(header
, n
, daemon
->ignore_addr
))
737 if (RCODE(header
) == REFUSED
&&
738 !option_bool(OPT_ORDER
) &&
739 forward
->forwardall
== 0)
740 /* for broken servers, attempt to send to another one. */
742 unsigned char *pheader
;
746 /* recreate query from reply */
747 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
750 header
->ancount
= htons(0);
751 header
->nscount
= htons(0);
752 header
->arcount
= htons(0);
753 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
755 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
756 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
762 server
= forward
->sentto
;
764 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
766 if (RCODE(header
) == REFUSED
)
770 struct server
*last_server
;
772 /* find good server by address if possible, otherwise assume the last one we sent to */
773 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
774 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
775 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
777 server
= last_server
;
781 if (!option_bool(OPT_ALL_SERVERS
))
782 daemon
->last_server
= server
;
785 /* If the answer is an error, keep the forward record in place in case
786 we get a good reply from another server. Kill it when we've
787 had replies from all to avoid filling the forwarding table when
788 everything is broken */
789 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
791 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
793 if (option_bool(OPT_NO_REBIND
))
794 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
796 /* Don't cache replies where DNSSEC validation was turned off, either
797 the upstream server told us so, or the original query specified it. */
798 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
802 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
806 /* We've had a reply already, which we're validating. Ignore this duplicate */
807 if (forward
->blocking_query
)
810 if (header
->hb3
& HB3_TC
)
812 /* Truncated answer can't be validated.
813 If this is an answer to a DNSSEC-generated query, we still
814 need to get the client to retry over TCP, so return
815 an answer with the TC bit set, even if the actual answer fits.
817 status
= STAT_TRUNCATED
;
819 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
820 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
821 else if (forward
->flags
& FREC_DS_QUERY
)
823 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
824 /* Provably no DS, everything below is insecure, even if signatures are offered */
825 if (status
== STAT_NO_DS
)
826 /* We only cache sigs when we've validated a reply.
827 Avoid caching a reply with sigs if there's a vaildated break in the
828 DS chain, so we don't return replies from cache missing sigs. */
829 status
= STAT_INSECURE_DS
;
830 else if (status
== STAT_NO_NS
)
833 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
835 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
836 if (status
!= STAT_NEED_KEY
)
837 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
841 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
842 if (status
== STAT_NO_SIG
)
844 if (option_bool(OPT_DNSSEC_NO_SIGN
))
845 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
847 status
= STAT_INSECURE
;
850 /* Can't validate, as we're missing key data. Put this
851 answer aside, whilst we get that. */
852 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
854 struct frec
*new, *orig
;
856 /* Free any saved query */
858 blockdata_free(forward
->stash
);
860 /* Now save reply pending receipt of key data */
861 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
863 forward
->stash_len
= n
;
866 /* Find the original query that started it all.... */
867 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
869 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
870 status
= STAT_INSECURE
;
874 struct frec
*next
= new->next
;
875 *new = *forward
; /* copy everything, then overwrite */
877 new->blocking_query
= NULL
;
878 new->sentto
= server
;
880 new->orig_domain
= NULL
;
884 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
886 new->dependent
= forward
; /* to find query awaiting new one. */
887 forward
->blocking_query
= new; /* for garbage cleaning */
888 /* validate routines leave name of required record in daemon->keyname */
889 if (status
== STAT_NEED_KEY
)
891 new->flags
|= FREC_DNSKEY_QUERY
;
892 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
893 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
897 if (status
== STAT_NEED_DS_NEG
)
898 new->flags
|= FREC_CHECK_NOSIGN
;
900 new->flags
|= FREC_DS_QUERY
;
901 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
902 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
904 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
905 memcpy(new->hash
, hash
, HASH_SIZE
);
906 new->new_id
= get_id();
907 header
->id
= htons(new->new_id
);
908 /* Save query for retransmission */
909 if (!(new->stash
= blockdata_alloc((char *)header
, nn
)))
914 /* Don't resend this. */
915 daemon
->srv_save
= NULL
;
918 fd
= server
->sfd
->fd
;
923 if (server
->addr
.sa
.sa_family
== AF_INET6
)
925 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
931 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
938 while (retry_send(sendto(fd
, (char *)header
, nn
, 0,
940 sa_len(&server
->addr
))));
948 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
949 Now wind back down, pulling back answers which wouldn't previously validate
950 and validate them with the new data. Note that if an answer needs multiple
951 keys to validate, we may find another key is needed, in which case we set off
952 down another branch of the tree. Once we get to the original answer
953 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
954 while (forward
->dependent
)
956 struct frec
*prev
= forward
->dependent
;
959 forward
->blocking_query
= NULL
; /* already gone */
960 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
961 n
= forward
->stash_len
;
963 if (status
== STAT_SECURE
)
965 if (forward
->flags
& FREC_DNSKEY_QUERY
)
966 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
967 else if (forward
->flags
& FREC_DS_QUERY
)
969 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
970 /* Provably no DS, everything below is insecure, even if signatures are offered */
971 if (status
== STAT_NO_DS
)
972 /* We only cache sigs when we've validated a reply.
973 Avoid caching a reply with sigs if there's a vaildated break in the
974 DS chain, so we don't return replies from cache missing sigs. */
975 status
= STAT_INSECURE_DS
;
976 else if (status
== STAT_NO_NS
)
979 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
981 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
982 if (status
!= STAT_NEED_KEY
)
983 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
987 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
988 if (status
== STAT_NO_SIG
)
990 if (option_bool(OPT_DNSSEC_NO_SIGN
))
991 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
993 status
= STAT_INSECURE
;
997 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
1002 no_cache_dnssec
= 0;
1004 if (status
== STAT_INSECURE_DS
)
1006 /* We only cache sigs when we've validated a reply.
1007 Avoid caching a reply with sigs if there's a vaildated break in the
1008 DS chain, so we don't return replies from cache missing sigs. */
1009 status
= STAT_INSECURE
;
1010 no_cache_dnssec
= 1;
1013 if (status
== STAT_TRUNCATED
)
1014 header
->hb3
|= HB3_TC
;
1017 char *result
, *domain
= "result";
1019 if (forward
->work_counter
== 0)
1021 result
= "ABANDONED";
1022 status
= STAT_BOGUS
;
1025 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1027 if (status
== STAT_BOGUS
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
1028 domain
= daemon
->namebuff
;
1030 log_query(F_KEYTAG
| F_SECSTAT
, domain
, NULL
, result
);
1033 if (status
== STAT_SECURE
)
1035 else if (status
== STAT_BOGUS
)
1037 no_cache_dnssec
= 1;
1043 /* restore CD bit to the value in the query */
1044 if (forward
->flags
& FREC_CHECKING_DISABLED
)
1045 header
->hb4
|= HB4_CD
;
1047 header
->hb4
&= ~HB4_CD
;
1049 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
1050 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
1051 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1053 header
->id
= htons(forward
->orig_id
);
1054 header
->hb4
|= HB4_RA
; /* recursion if available */
1055 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1056 &forward
->source
, &forward
->dest
, forward
->iface
);
1058 free_frec(forward
); /* cancel */
1063 void receive_query(struct listener
*listen
, time_t now
)
1065 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1066 union mysockaddr source_addr
;
1067 unsigned short type
;
1068 struct all_addr dst_addr
;
1069 struct in_addr netmask
, dst_addr_4
;
1072 int if_index
= 0, auth_dns
= 0;
1076 struct iovec iov
[1];
1078 struct cmsghdr
*cmptr
;
1080 struct cmsghdr align
; /* this ensures alignment */
1082 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1084 #if defined(HAVE_LINUX_NETWORK)
1085 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1086 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1087 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1088 CMSG_SPACE(sizeof(unsigned int))];
1089 #elif defined(IP_RECVDSTADDR)
1090 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1091 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1095 /* Can always get recvd interface for IPv6 */
1096 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1098 int check_dst
= !option_bool(OPT_NOWILD
);
1101 /* packet buffer overwritten */
1102 daemon
->srv_save
= NULL
;
1104 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1107 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1109 auth_dns
= listen
->iface
->dns_auth
;
1111 if (listen
->family
== AF_INET
)
1113 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1114 netmask
= listen
->iface
->netmask
;
1118 iov
[0].iov_base
= daemon
->packet
;
1119 iov
[0].iov_len
= daemon
->edns_pktsz
;
1121 msg
.msg_control
= control_u
.control
;
1122 msg
.msg_controllen
= sizeof(control_u
);
1124 msg
.msg_name
= &source_addr
;
1125 msg
.msg_namelen
= sizeof(source_addr
);
1129 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1132 if (n
< (int)sizeof(struct dns_header
) ||
1133 (msg
.msg_flags
& MSG_TRUNC
) ||
1134 (header
->hb3
& HB3_QR
))
1137 source_addr
.sa
.sa_family
= listen
->family
;
1139 if (listen
->family
== AF_INET
)
1141 /* Source-port == 0 is an error, we can't send back to that.
1142 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1143 if (source_addr
.in
.sin_port
== 0)
1149 /* Source-port == 0 is an error, we can't send back to that. */
1150 if (source_addr
.in6
.sin6_port
== 0)
1152 source_addr
.in6
.sin6_flowinfo
= 0;
1156 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1157 if (option_bool(OPT_LOCAL_SERVICE
))
1159 struct addrlist
*addr
;
1161 if (listen
->family
== AF_INET6
)
1163 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1164 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1165 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1171 struct in_addr netmask
;
1172 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1174 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1175 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1176 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1182 static int warned
= 0;
1185 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1196 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1199 #if defined(HAVE_LINUX_NETWORK)
1200 if (listen
->family
== AF_INET
)
1201 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1202 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1206 struct in_pktinfo
*p
;
1208 p
.c
= CMSG_DATA(cmptr
);
1209 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1210 if_index
= p
.p
->ipi_ifindex
;
1212 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1213 if (listen
->family
== AF_INET
)
1215 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1221 #ifndef HAVE_SOLARIS_NETWORK
1222 struct sockaddr_dl
*s
;
1225 p
.c
= CMSG_DATA(cmptr
);
1226 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1227 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1228 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1229 #ifdef HAVE_SOLARIS_NETWORK
1232 if_index
= p
.s
->sdl_index
;
1239 if (listen
->family
== AF_INET6
)
1241 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1242 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1246 struct in6_pktinfo
*p
;
1248 p
.c
= CMSG_DATA(cmptr
);
1250 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1251 if_index
= p
.p
->ipi6_ifindex
;
1256 /* enforce available interface configuration */
1258 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1261 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1263 if (!option_bool(OPT_CLEVERBIND
))
1264 enumerate_interfaces(0);
1265 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1266 !label_exception(if_index
, listen
->family
, &dst_addr
))
1270 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1274 /* get the netmask of the interface whch has the address we were sent to.
1275 This is no neccessarily the interface we arrived on. */
1277 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1278 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1279 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1282 /* interface may be new */
1283 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1284 enumerate_interfaces(0);
1286 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1287 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1288 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1291 /* If we failed, abandon localisation */
1293 netmask
= iface
->netmask
;
1295 dst_addr_4
.s_addr
= 0;
1299 /* log_query gets called indirectly all over the place, so
1300 pass these in global variables - sorry. */
1301 daemon
->log_display_id
= ++daemon
->log_id
;
1302 daemon
->log_source_addr
= &source_addr
;
1304 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1307 struct auth_zone
*zone
;
1309 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1311 if (listen
->family
== AF_INET
)
1312 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1313 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1316 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1317 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1321 /* find queries for zones we're authoritative for, and answer them directly */
1323 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1324 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1333 /* Check for forwarding loop */
1334 if (detect_loop(daemon
->namebuff
, type
))
1342 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1345 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1346 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1347 daemon
->auth_answer
++;
1353 int ad_reqd
, do_bit
;
1354 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1355 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1359 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1360 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1361 daemon
->local_answer
++;
1363 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1364 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1365 daemon
->queries_forwarded
++;
1367 daemon
->local_answer
++;
1373 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1374 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1375 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1376 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
1377 char *name
, char *keyname
)
1379 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1381 if (status
!= STAT_INSECURE
)
1384 /* Store the domain we're trying to check. */
1385 forward
->name_start
= strlen(name
);
1386 forward
->name_len
= forward
->name_start
+ 1;
1387 if (!(forward
->orig_domain
= blockdata_alloc(name
, forward
->name_len
)))
1390 return do_check_sign(forward
, 0, now
, name
, keyname
);
1393 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1394 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
)
1396 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1397 while (forward
->dependent
)
1398 forward
= forward
->dependent
;
1400 blockdata_retrieve(forward
->orig_domain
, forward
->name_len
, name
);
1410 /* Haven't received answer, see if in cache */
1411 if (!(crecp
= cache_find_by_name(NULL
, &name
[forward
->name_start
], now
, F_DS
)))
1413 /* put name of DS record we're missing into keyname */
1414 strcpy(keyname
, &name
[forward
->name_start
]);
1415 /* and wait for reply to arrive */
1416 return STAT_NEED_DS_NEG
;
1419 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1420 if (!(crecp
->flags
& F_NEG
))
1421 status
= STAT_SECURE
;
1422 else if (crecp
->flags
& F_DNSSECOK
)
1423 status
= STAT_NO_DS
;
1425 status
= STAT_NO_NS
;
1428 /* Have entered non-signed part of DNS tree. */
1429 if (status
== STAT_NO_DS
)
1430 return STAT_INSECURE
;
1432 if (status
== STAT_BOGUS
)
1435 /* There's a proven DS record, or we're within a zone, where there doesn't need
1436 to be a DS record. Add a name and try again.
1437 If we've already tried the whole name, then fail */
1439 if (forward
->name_start
== 0)
1442 for (p
= &name
[forward
->name_start
-2]; (*p
!= '.') && (p
!= name
); p
--);
1447 forward
->name_start
= p
- name
;
1448 status
= 0; /* force to cache when we iterate. */
1452 /* Move down from the root, until we find a signed non-existance of a DS, in which case
1453 an unsigned answer is OK, or we find a signed DS, in which case there should be
1454 a signature, and the answer is BOGUS */
1455 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1456 char *keyname
, struct server
*server
, int *keycount
)
1459 unsigned char *packet
, *payload
;
1461 int status
, name_len
;
1462 struct blockdata
*block
;
1466 /* Get first insecure entry in CNAME chain */
1467 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1468 if (status
== STAT_BOGUS
)
1471 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1474 payload
= &packet
[2];
1475 header
= (struct dns_header
*)payload
;
1476 length
= (u16
*)packet
;
1478 /* Stash the name away, since the buffer will be trashed when we recurse */
1479 name_len
= strlen(name
) + 1;
1480 name_start
= name
+ name_len
- 1;
1482 if (!(block
= blockdata_alloc(name
, name_len
)))
1490 unsigned char c1
, c2
;
1493 if (--(*keycount
) == 0)
1496 blockdata_free(block
);
1500 while ((crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
)))
1502 if ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
))
1504 /* Found a secure denial of DS - delegation is indeed insecure */
1506 blockdata_free(block
);
1507 return STAT_INSECURE
;
1510 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1511 Add another label and continue. */
1513 if (name_start
== name
)
1516 blockdata_free(block
);
1517 return STAT_BOGUS
; /* run out of labels */
1521 while (*name_start
!= '.' && name_start
!= name
)
1523 if (name_start
!= name
)
1527 /* Can't find it in the cache, have to send a query */
1529 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
);
1533 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1534 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1535 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1536 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1540 /* Note this trashes all three name workspaces */
1541 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1543 if (status
== STAT_NO_DS
)
1545 /* Found a secure denial of DS - delegation is indeed insecure */
1547 blockdata_free(block
);
1548 return STAT_INSECURE
;
1551 if (status
== STAT_BOGUS
)
1554 blockdata_free(block
);
1558 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1559 Add another label and continue. */
1561 /* Get name we're checking back. */
1562 blockdata_retrieve(block
, name_len
, name
);
1564 if (name_start
== name
)
1567 blockdata_free(block
);
1568 return STAT_BOGUS
; /* run out of labels */
1572 while (*name_start
!= '.' && name_start
!= name
)
1574 if (name_start
!= name
)
1581 blockdata_free(block
);
1582 return STAT_BOGUS
; /* run out of labels */
1587 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1588 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1590 /* Recurse up the key heirarchy */
1593 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1594 if (--(*keycount
) == 0)
1595 return STAT_INSECURE
;
1597 if (status
== STAT_NEED_KEY
)
1598 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1599 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1601 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1602 if (status
== STAT_NEED_DS
)
1604 if (new_status
== STAT_NO_DS
)
1605 new_status
= STAT_INSECURE_DS
;
1606 else if (new_status
== STAT_NO_NS
)
1607 new_status
= STAT_BOGUS
;
1610 else if (status
== STAT_CHASE_CNAME
)
1611 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1614 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1616 if (new_status
== STAT_NO_SIG
)
1618 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1619 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1621 new_status
= STAT_INSECURE
;
1625 /* Can't validate because we need a key/DS whose name now in keyname.
1626 Make query for same, and recurse to validate */
1627 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1630 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1631 unsigned char *payload
= &packet
[2];
1632 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1633 u16
*length
= (u16
*)packet
;
1634 unsigned char c1
, c2
;
1637 return STAT_INSECURE
;
1640 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1641 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1645 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1646 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1647 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1648 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1649 new_status
= STAT_INSECURE
;
1654 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1656 if (new_status
== STAT_SECURE
)
1658 /* Reached a validated record, now try again at this level.
1659 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1660 If so, go round again. */
1662 if (status
== STAT_NEED_KEY
)
1663 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1664 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1666 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1667 if (status
== STAT_NEED_DS
)
1669 if (new_status
== STAT_NO_DS
)
1670 new_status
= STAT_INSECURE_DS
;
1671 else if (new_status
== STAT_NO_NS
)
1672 new_status
= STAT_BOGUS
; /* Validated no DS */
1675 else if (status
== STAT_CHASE_CNAME
)
1676 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1679 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1681 if (new_status
== STAT_NO_SIG
)
1683 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1684 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1686 new_status
= STAT_INSECURE
;
1690 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1691 goto another_tcp_key
;
1702 /* The daemon forks before calling this: it should deal with one connection,
1703 blocking as neccessary, and then return. Note, need to be a bit careful
1704 about resources for debug mode, when the fork is suppressed: that's
1705 done by the caller. */
1706 unsigned char *tcp_request(int confd
, time_t now
,
1707 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1714 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1715 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
1717 unsigned short qtype
;
1718 unsigned int gotname
;
1719 unsigned char c1
, c2
;
1720 /* Max TCP packet + slop + size */
1721 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1722 unsigned char *payload
= &packet
[2];
1723 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1724 struct dns_header
*header
= (struct dns_header
*)payload
;
1725 u16
*length
= (u16
*)packet
;
1726 struct server
*last_server
;
1727 struct in_addr dst_addr_4
;
1728 union mysockaddr peer_addr
;
1729 socklen_t peer_len
= sizeof(union mysockaddr
);
1730 int query_count
= 0;
1732 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1735 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1736 if (option_bool(OPT_LOCAL_SERVICE
))
1738 struct addrlist
*addr
;
1740 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1742 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1743 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1744 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1750 struct in_addr netmask
;
1751 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1753 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1754 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1755 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1761 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1768 if (query_count
== TCP_MAX_QUERIES
||
1770 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1771 !(size
= c1
<< 8 | c2
) ||
1772 !read_write(confd
, payload
, size
, 1))
1775 if (size
< (int)sizeof(struct dns_header
))
1780 /* log_query gets called indirectly all over the place, so
1781 pass these in global variables - sorry. */
1782 daemon
->log_display_id
= ++daemon
->log_id
;
1783 daemon
->log_source_addr
= &peer_addr
;
1787 /* save state of "cd" flag in query */
1788 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1789 no_cache_dnssec
= 1;
1791 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1794 struct auth_zone
*zone
;
1796 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1798 if (peer_addr
.sa
.sa_family
== AF_INET
)
1799 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1800 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1803 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1804 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1808 /* find queries for zones we're authoritative for, and answer them directly */
1810 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1811 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1820 if (local_addr
->sa
.sa_family
== AF_INET
)
1821 dst_addr_4
= local_addr
->in
.sin_addr
;
1823 dst_addr_4
.s_addr
= 0;
1827 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1831 /* m > 0 if answered from cache */
1832 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1833 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1835 /* Do this by steam now we're not in the select() loop */
1836 check_log_writer(NULL
);
1840 unsigned int flags
= 0;
1841 struct all_addr
*addrp
= NULL
;
1843 char *domain
= NULL
;
1845 if (option_bool(OPT_ADD_MAC
))
1846 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1848 if (option_bool(OPT_CLIENT_SUBNET
))
1850 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1859 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1861 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1862 last_server
= daemon
->servers
;
1864 last_server
= daemon
->last_server
;
1866 if (!flags
&& last_server
)
1868 struct server
*firstsendto
= NULL
;
1870 unsigned char *newhash
, hash
[HASH_SIZE
];
1871 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1872 memcpy(hash
, newhash
, HASH_SIZE
);
1874 memset(hash
, 0, HASH_SIZE
);
1876 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1878 /* Loop round available servers until we succeed in connecting to one.
1879 Note that this code subtley ensures that consecutive queries on this connection
1880 which can go to the same server, do so. */
1884 firstsendto
= last_server
;
1887 if (!(last_server
= last_server
->next
))
1888 last_server
= daemon
->servers
;
1890 if (last_server
== firstsendto
)
1894 /* server for wrong domain */
1895 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1896 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1897 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1900 if (last_server
->tcpfd
== -1)
1902 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1905 #ifdef HAVE_CONNTRACK
1906 /* Copy connection mark of incoming query to outgoing connection. */
1907 if (option_bool(OPT_CONNTRACK
))
1910 struct all_addr local
;
1912 if (local_addr
->sa
.sa_family
== AF_INET6
)
1913 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1916 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1918 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1919 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1923 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1924 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1926 close(last_server
->tcpfd
);
1927 last_server
->tcpfd
= -1;
1932 if (option_bool(OPT_DNSSEC_VALID
))
1934 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1936 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1937 this allows it to select auth servers when one is returning bad data. */
1938 if (option_bool(OPT_DNSSEC_DEBUG
))
1939 header
->hb4
|= HB4_CD
;
1941 if (size
!= new_size
)
1949 *length
= htons(size
);
1951 /* get query name again for logging - may have been overwritten */
1952 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1953 strcpy(daemon
->namebuff
, "query");
1955 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1956 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1957 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1958 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1960 close(last_server
->tcpfd
);
1961 last_server
->tcpfd
= -1;
1967 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1968 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1969 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1972 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1973 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1977 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1979 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1980 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
1981 char *result
, *domain
= "result";
1983 if (status
== STAT_INSECURE_DS
)
1985 /* We only cache sigs when we've validated a reply.
1986 Avoid caching a reply with sigs if there's a vaildated break in the
1987 DS chain, so we don't return replies from cache missing sigs. */
1988 status
= STAT_INSECURE
;
1989 no_cache_dnssec
= 1;
1994 result
= "ABANDONED";
1995 status
= STAT_BOGUS
;
1998 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
2000 if (status
== STAT_BOGUS
&& extract_request(header
, m
, daemon
->namebuff
, NULL
))
2001 domain
= daemon
->namebuff
;
2003 log_query(F_KEYTAG
| F_SECSTAT
, domain
, NULL
, result
);
2005 if (status
== STAT_BOGUS
)
2007 no_cache_dnssec
= 1;
2011 if (status
== STAT_SECURE
)
2016 /* restore CD bit to the value in the query */
2017 if (checking_disabled
)
2018 header
->hb4
|= HB4_CD
;
2020 header
->hb4
&= ~HB4_CD
;
2022 /* There's no point in updating the cache, since this process will exit and
2023 lose the information after a few queries. We make this call for the alias and
2024 bogus-nxdomain side-effects. */
2025 /* If the crc of the question section doesn't match the crc we sent, then
2026 someone might be attempting to insert bogus values into the cache by
2027 sending replies containing questions and bogus answers. */
2029 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
2030 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
2036 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
2043 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
2044 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
2045 ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
2051 /* In case of local answer or no connections made. */
2053 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
2057 check_log_writer(NULL
);
2061 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
2066 static struct frec
*allocate_frec(time_t now
)
2070 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
2072 f
->next
= daemon
->frec_list
;
2081 f
->dependent
= NULL
;
2082 f
->blocking_query
= NULL
;
2084 f
->orig_domain
= NULL
;
2086 daemon
->frec_list
= f
;
2092 struct randfd
*allocate_rfd(int family
)
2094 static int finger
= 0;
2097 /* limit the number of sockets we have open to avoid starvation of
2098 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2100 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2101 if (daemon
->randomsocks
[i
].refcount
== 0)
2103 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
2106 daemon
->randomsocks
[i
].refcount
= 1;
2107 daemon
->randomsocks
[i
].family
= family
;
2108 return &daemon
->randomsocks
[i
];
2111 /* No free ones or cannot get new socket, grab an existing one */
2112 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2114 int j
= (i
+finger
) % RANDOM_SOCKS
;
2115 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
2116 daemon
->randomsocks
[j
].family
== family
&&
2117 daemon
->randomsocks
[j
].refcount
!= 0xffff)
2120 daemon
->randomsocks
[j
].refcount
++;
2121 return &daemon
->randomsocks
[j
];
2125 return NULL
; /* doom */
2128 void free_rfd(struct randfd
*rfd
)
2130 if (rfd
&& --(rfd
->refcount
) == 0)
2134 static void free_frec(struct frec
*f
)
2149 blockdata_free(f
->stash
);
2155 blockdata_free(f
->orig_domain
);
2156 f
->orig_domain
= NULL
;
2159 /* Anything we're waiting on is pointless now, too */
2160 if (f
->blocking_query
)
2161 free_frec(f
->blocking_query
);
2162 f
->blocking_query
= NULL
;
2163 f
->dependent
= NULL
;
2167 /* if wait==NULL return a free or older than TIMEOUT record.
2168 else return *wait zero if one available, or *wait is delay to
2169 when the oldest in-use record will expire. Impose an absolute
2170 limit of 4*TIMEOUT before we wipe things (for random sockets).
2171 If force is set, always return a result, even if we have
2172 to allocate above the limit. */
2173 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2175 struct frec
*f
, *oldest
, *target
;
2181 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2186 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2192 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2202 /* can't find empty one, use oldest if there is one
2203 and it's older than timeout */
2204 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2206 /* keep stuff for twice timeout if we can by allocating a new
2208 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2209 count
<= daemon
->ftabsize
&&
2210 (f
= allocate_frec(now
)))
2221 /* none available, calculate time 'till oldest record expires */
2222 if (!force
&& count
> daemon
->ftabsize
)
2224 static time_t last_log
= 0;
2227 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2229 if ((int)difftime(now
, last_log
) > 5)
2232 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2238 if (!(f
= allocate_frec(now
)) && wait
)
2239 /* wait one second on malloc failure */
2242 return f
; /* OK if malloc fails and this is NULL */
2245 /* crc is all-ones if not known. */
2246 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2250 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2251 if (f
->sentto
&& f
->new_id
== id
&&
2252 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2258 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2259 union mysockaddr
*addr
,
2264 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2267 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2268 sockaddr_isequal(&f
->source
, addr
))
2274 /* Send query packet again, if we can. */
2277 if (daemon
->srv_save
)
2281 if (daemon
->srv_save
->sfd
)
2282 fd
= daemon
->srv_save
->sfd
->fd
;
2283 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2284 fd
= daemon
->rfd_save
->fd
;
2288 while(retry_send(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2289 &daemon
->srv_save
->addr
.sa
,
2290 sa_len(&daemon
->srv_save
->addr
))));
2294 /* A server record is going away, remove references to it */
2295 void server_gone(struct server
*server
)
2299 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2300 if (f
->sentto
&& f
->sentto
== server
)
2303 if (daemon
->last_server
== server
)
2304 daemon
->last_server
= NULL
;
2306 if (daemon
->srv_save
== server
)
2307 daemon
->srv_save
= NULL
;
2310 /* return unique random ids. */
2311 static unsigned short get_id(void)
2313 unsigned short ret
= 0;
2317 while (lookup_frec(ret
, NULL
));