1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 /* isExtract == 2 -> DNSSEC mode, no bitstrings, no ascii checks. */
20 int extract_name(struct dns_header
*header
, size_t plen
, unsigned char **pp
,
21 char *name
, int isExtract
, int extrabytes
)
23 unsigned char *cp
= (unsigned char *)name
, *p
= *pp
, *p1
= NULL
;
24 unsigned int j
, l
, hops
= 0;
32 unsigned int label_type
;
34 if (!CHECK_LEN(header
, p
, plen
, 1))
40 /* check that there are the correct no of bytes after the name */
41 if (!CHECK_LEN(header
, p
, plen
, extrabytes
))
46 if (cp
!= (unsigned char *)name
)
48 *cp
= 0; /* terminate: lose final period */
53 if (p1
) /* we jumped via compression */
61 label_type
= l
& 0xc0;
63 if (label_type
== 0xc0) /* pointer */
65 if (!CHECK_LEN(header
, p
, plen
, 1))
72 if (!p1
) /* first jump, save location to go back to */
75 hops
++; /* break malicious infinite loops */
79 p
= l
+ (unsigned char *)header
;
81 else if (label_type
== 0x80)
82 return 0; /* reserved */
83 else if (label_type
== 0x40)
85 unsigned int count
, digs
;
88 return 0; /* we only understand bitstrings */
91 return 0; /* Cannot compare bitsrings */
96 digs
= ((count
-1)>>2)+1;
98 /* output is \[x<hex>/siz]. which is digs+9 chars */
99 if (cp
- (unsigned char *)name
+ digs
+ 9 >= MAXDNAME
)
101 if (!CHECK_LEN(header
, p
, plen
, (count
-1)>>3))
107 for (j
=0; j
<digs
; j
++)
115 *cp
++ = dig
< 10 ? dig
+ '0' : dig
+ 'A' - 10;
117 cp
+= sprintf((char *)cp
, "/%d]", count
);
118 /* do this here to overwrite the zero char from sprintf */
122 { /* label_type = 0 -> label. */
123 if (cp
- (unsigned char *)name
+ l
+ 1 >= MAXDNAME
)
125 if (!CHECK_LEN(header
, p
, plen
, l
))
128 for(j
=0; j
<l
; j
++, p
++)
131 unsigned char c
= *p
;
132 if ((isExtract
== 2 || (isascii(c
) && !iscntrl(c
))) && c
!= '.')
139 unsigned char c1
= *cp
, c2
= *p
;
146 if (c1
>= 'A' && c1
<= 'Z')
148 if (c2
>= 'A' && c2
<= 'Z')
158 else if (*cp
!= 0 && *cp
++ != '.')
164 /* Max size of input string (for IPv6) is 75 chars.) */
165 #define MAXARPANAME 75
166 int in_arpa_name_2_addr(char *namein
, struct all_addr
*addrp
)
169 char name
[MAXARPANAME
+1], *cp1
;
170 unsigned char *addr
= (unsigned char *)addrp
;
171 char *lastchunk
= NULL
, *penchunk
= NULL
;
173 if (strlen(namein
) > MAXARPANAME
)
176 memset(addrp
, 0, sizeof(struct all_addr
));
178 /* turn name into a series of asciiz strings */
179 /* j counts no of labels */
180 for(j
= 1,cp1
= name
; *namein
; cp1
++, namein
++)
183 penchunk
= lastchunk
;
196 if (hostname_isequal(lastchunk
, "arpa") && hostname_isequal(penchunk
, "in-addr"))
199 /* address arives as a name of the form
200 www.xxx.yyy.zzz.in-addr.arpa
201 some of the low order address octets might be missing
202 and should be set to zero. */
203 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
205 /* check for digits only (weeds out things like
206 50.0/24.67.28.64.in-addr.arpa which are used
207 as CNAME targets according to RFC 2317 */
209 for (cp
= cp1
; *cp
; cp
++)
210 if (!isdigit((unsigned char)*cp
))
222 else if (hostname_isequal(penchunk
, "ip6") &&
223 (hostname_isequal(lastchunk
, "int") || hostname_isequal(lastchunk
, "arpa")))
226 Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
227 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
229 Note that most of these the various reprentations are obsolete and
230 left-over from the many DNS-for-IPv6 wars. We support all the formats
231 that we can since there is no reason not to.
234 if (*name
== '\\' && *(name
+1) == '[' &&
235 (*(name
+2) == 'x' || *(name
+2) == 'X'))
237 for (j
= 0, cp1
= name
+3; *cp1
&& isxdigit((unsigned char) *cp1
) && j
< 32; cp1
++, j
++)
243 addr
[j
/2] |= strtol(xdig
, NULL
, 16);
245 addr
[j
/2] = strtol(xdig
, NULL
, 16) << 4;
248 if (*cp1
== '/' && j
== 32)
253 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
255 if (*(cp1
+1) || !isxdigit((unsigned char)*cp1
))
258 for (j
= sizeof(struct all_addr
)-1; j
>0; j
--)
259 addr
[j
] = (addr
[j
] >> 4) | (addr
[j
-1] << 4);
260 addr
[0] = (addr
[0] >> 4) | (strtol(cp1
, NULL
, 16) << 4);
271 unsigned char *skip_name(unsigned char *ansp
, struct dns_header
*header
, size_t plen
, int extrabytes
)
275 unsigned int label_type
;
277 if (!CHECK_LEN(header
, ansp
, plen
, 1))
280 label_type
= (*ansp
) & 0xc0;
282 if (label_type
== 0xc0)
284 /* pointer for compression. */
288 else if (label_type
== 0x80)
289 return NULL
; /* reserved */
290 else if (label_type
== 0x40)
292 /* Extended label type */
295 if (!CHECK_LEN(header
, ansp
, plen
, 2))
298 if (((*ansp
++) & 0x3f) != 1)
299 return NULL
; /* we only understand bitstrings */
301 count
= *(ansp
++); /* Bits in bitstring */
303 if (count
== 0) /* count == 0 means 256 bits */
306 ansp
+= ((count
-1)>>3)+1;
309 { /* label type == 0 Bottom six bits is length */
310 unsigned int len
= (*ansp
++) & 0x3f;
312 if (!ADD_RDLEN(header
, ansp
, plen
, len
))
316 break; /* zero length label marks the end. */
320 if (!CHECK_LEN(header
, ansp
, plen
, extrabytes
))
326 unsigned char *skip_questions(struct dns_header
*header
, size_t plen
)
329 unsigned char *ansp
= (unsigned char *)(header
+1);
331 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
333 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
335 ansp
+= 4; /* class and type */
341 unsigned char *skip_section(unsigned char *ansp
, int count
, struct dns_header
*header
, size_t plen
)
345 for (i
= 0; i
< count
; i
++)
347 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
349 ansp
+= 8; /* type, class, TTL */
350 GETSHORT(rdlen
, ansp
);
351 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
358 /* CRC the question section. This is used to safely detect query
359 retransmision and to detect answers to questions we didn't ask, which
360 might be poisoning attacks. Note that we decode the name rather
361 than CRC the raw bytes, since replies might be compressed differently.
362 We ignore case in the names for the same reason. Return all-ones
363 if there is not question section. */
365 unsigned int questions_crc(struct dns_header
*header
, size_t plen
, char *name
)
368 unsigned int crc
= 0xffffffff;
369 unsigned char *p1
, *p
= (unsigned char *)(header
+1);
371 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
373 if (!extract_name(header
, plen
, &p
, name
, 1, 4))
374 return crc
; /* bad packet */
376 for (p1
= (unsigned char *)name
; *p1
; p1
++)
381 if (c
>= 'A' && c
<= 'Z')
386 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
389 /* CRC the class and type as well */
390 for (p1
= p
; p1
< p
+4; p1
++)
395 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
399 if (!CHECK_LEN(header
, p
, plen
, 0))
400 return crc
; /* bad packet */
407 size_t resize_packet(struct dns_header
*header
, size_t plen
, unsigned char *pheader
, size_t hlen
)
409 unsigned char *ansp
= skip_questions(header
, plen
);
411 /* if packet is malformed, just return as-is. */
415 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
419 /* restore pseudoheader */
420 if (pheader
&& ntohs(header
->arcount
) == 0)
422 /* must use memmove, may overlap */
423 memmove(ansp
, pheader
, hlen
);
424 header
->arcount
= htons(1);
428 return ansp
- (unsigned char *)header
;
431 unsigned char *find_pseudoheader(struct dns_header
*header
, size_t plen
, size_t *len
, unsigned char **p
, int *is_sign
)
433 /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it.
434 also return length of pseudoheader in *len and pointer to the UDP size in *p
435 Finally, check to see if a packet is signed. If it is we cannot change a single bit before
436 forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
438 int i
, arcount
= ntohs(header
->arcount
);
439 unsigned char *ansp
= (unsigned char *)(header
+1);
440 unsigned short rdlen
, type
, class;
441 unsigned char *ret
= NULL
;
447 if (OPCODE(header
) == QUERY
)
449 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
451 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
454 GETSHORT(type
, ansp
);
455 GETSHORT(class, ansp
);
457 if (class == C_IN
&& type
== T_TKEY
)
464 if (!(ansp
= skip_questions(header
, plen
)))
471 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
), header
, plen
)))
474 for (i
= 0; i
< arcount
; i
++)
476 unsigned char *save
, *start
= ansp
;
477 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
480 GETSHORT(type
, ansp
);
482 GETSHORT(class, ansp
);
484 GETSHORT(rdlen
, ansp
);
485 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
506 unsigned char *limit
;
507 struct dns_header
*header
;
509 union mysockaddr
*l3
;
512 static size_t add_pseudoheader(struct dns_header
*header
, size_t plen
, unsigned char *limit
,
513 int optno
, unsigned char *opt
, size_t optlen
, int set_do
)
515 unsigned char *lenp
, *datap
, *p
;
518 if (!(p
= find_pseudoheader(header
, plen
, NULL
, NULL
, &is_sign
)))
523 /* We are adding the pseudoheader */
524 if (!(p
= skip_questions(header
, plen
)) ||
525 !(p
= skip_section(p
,
526 ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
529 *p
++ = 0; /* empty name */
531 PUTSHORT(daemon
->edns_pktsz
, p
); /* max packet length */
532 PUTSHORT(0, p
); /* extended RCODE and version */
533 PUTSHORT(set_do
? 0x8000 : 0, p
); /* DO flag */
535 PUTSHORT(0, p
); /* RDLEN */
537 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
538 return plen
; /* Too big */
539 header
->arcount
= htons(ntohs(header
->arcount
) + 1);
545 unsigned short code
, len
, flags
;
547 /* Must be at the end, if exists */
548 if (ntohs(header
->arcount
) != 1 ||
550 (!(p
= skip_name(p
, header
, plen
, 10))))
553 p
+= 6; /* skip UDP length and RCODE */
558 PUTSHORT(flags
| 0x8000, p
);
563 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
564 return plen
; /* bad packet */
567 /* no option to add */
571 /* check if option already there */
572 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
581 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
582 return plen
; /* Too big */
589 memcpy(p
, opt
, optlen
);
593 PUTSHORT(p
- datap
, lenp
);
594 return p
- (unsigned char *)header
;
598 static int filter_mac(int family
, char *addrp
, char *mac
, size_t maclen
, void *parmv
)
600 struct macparm
*parm
= parmv
;
603 if (family
== parm
->l3
->sa
.sa_family
)
605 if (family
== AF_INET
&& memcmp(&parm
->l3
->in
.sin_addr
, addrp
, INADDRSZ
) == 0)
609 if (family
== AF_INET6
&& memcmp(&parm
->l3
->in6
.sin6_addr
, addrp
, IN6ADDRSZ
) == 0)
615 return 1; /* continue */
617 parm
->plen
= add_pseudoheader(parm
->header
, parm
->plen
, parm
->limit
, EDNS0_OPTION_MAC
, (unsigned char *)mac
, maclen
, 0);
622 size_t add_mac(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*l3
)
626 /* Must have an existing pseudoheader as the only ar-record,
627 or have no ar-records. Must also not be signed */
629 if (ntohs(header
->arcount
) > 1)
632 parm
.header
= header
;
633 parm
.limit
= (unsigned char *)limit
;
637 iface_enumerate(AF_UNSPEC
, &parm
, filter_mac
);
644 u8 source_netmask
, scope_netmask
;
652 static size_t calc_subnet_opt(struct subnet_opt
*opt
, union mysockaddr
*source
)
654 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
660 if (source
->sa
.sa_family
== AF_INET6
)
662 opt
->family
= htons(2);
663 opt
->source_netmask
= daemon
->addr6_netmask
;
664 addrp
= &source
->in6
.sin6_addr
;
669 opt
->family
= htons(1);
670 opt
->source_netmask
= daemon
->addr4_netmask
;
671 addrp
= &source
->in
.sin_addr
;
674 opt
->scope_netmask
= 0;
677 if (opt
->source_netmask
!= 0)
679 len
= ((opt
->source_netmask
- 1) >> 3) + 1;
680 memcpy(opt
->addr
, addrp
, len
);
681 if (opt
->source_netmask
& 7)
682 opt
->addr
[len
-1] &= 0xff << (8 - (opt
->source_netmask
& 7));
688 size_t add_source_addr(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*source
)
690 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
693 struct subnet_opt opt
;
695 len
= calc_subnet_opt(&opt
, source
);
696 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, EDNS0_OPTION_CLIENT_SUBNET
, (unsigned char *)&opt
, len
, 0);
700 size_t add_do_bit(struct dns_header
*header
, size_t plen
, char *limit
)
702 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, 0, NULL
, 0, 1);
706 int check_source(struct dns_header
*header
, size_t plen
, unsigned char *pseudoheader
, union mysockaddr
*peer
)
708 /* Section 9.2, Check that subnet option in reply matches. */
712 struct subnet_opt opt
;
716 calc_len
= calc_subnet_opt(&opt
, peer
);
718 if (!(p
= skip_name(pseudoheader
, header
, plen
, 10)))
721 p
+= 8; /* skip UDP length and RCODE */
724 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
725 return 1; /* bad packet */
727 /* check if option there */
728 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
732 if (code
== EDNS0_OPTION_CLIENT_SUBNET
)
734 /* make sure this doesn't mismatch. */
735 opt
.scope_netmask
= p
[3];
736 if (len
!= calc_len
|| memcmp(p
, &opt
, len
) != 0)
745 /* is addr in the non-globally-routed IP space? */
746 int private_net(struct in_addr addr
, int ban_localhost
)
748 in_addr_t ip_addr
= ntohl(addr
.s_addr
);
751 (((ip_addr
& 0xFF000000) == 0x7F000000) && ban_localhost
) /* 127.0.0.0/8 (loopback) */ ||
752 ((ip_addr
& 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
753 ((ip_addr
& 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
754 ((ip_addr
& 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
755 ((ip_addr
& 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ;
758 static unsigned char *do_doctor(unsigned char *p
, int count
, struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
760 int i
, qtype
, qclass
, rdlen
;
762 for (i
= count
; i
!= 0; i
--)
764 if (name
&& option_bool(OPT_LOG
))
766 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
769 else if (!(p
= skip_name(p
, header
, qlen
, 10)))
770 return 0; /* bad packet */
777 if (qclass
== C_IN
&& qtype
== T_A
)
779 struct doctor
*doctor
;
782 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
786 memcpy(&addr
, p
, INADDRSZ
);
788 for (doctor
= daemon
->doctors
; doctor
; doctor
= doctor
->next
)
790 if (doctor
->end
.s_addr
== 0)
792 if (!is_same_net(doctor
->in
, addr
, doctor
->mask
))
795 else if (ntohl(doctor
->in
.s_addr
) > ntohl(addr
.s_addr
) ||
796 ntohl(doctor
->end
.s_addr
) < ntohl(addr
.s_addr
))
799 addr
.s_addr
&= ~doctor
->mask
.s_addr
;
800 addr
.s_addr
|= (doctor
->out
.s_addr
& doctor
->mask
.s_addr
);
801 /* Since we munged the data, the server it came from is no longer authoritative */
802 header
->hb3
&= ~HB3_AA
;
804 memcpy(p
, &addr
, INADDRSZ
);
808 else if (qtype
== T_TXT
&& name
&& option_bool(OPT_LOG
))
810 unsigned char *p1
= p
;
811 if (!CHECK_LEN(header
, p1
, qlen
, rdlen
))
813 while ((p1
- p
) < rdlen
)
815 unsigned int i
, len
= *p1
;
816 unsigned char *p2
= p1
;
817 /* make counted string zero-term and sanitise */
818 for (i
= 0; i
< len
; i
++)
820 if (!isprint((int)*(p2
+1)))
827 my_syslog(LOG_INFO
, "reply %s is %s", name
, p1
);
829 memmove(p1
+ 1, p1
, i
);
835 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
836 return 0; /* bad packet */
842 static int find_soa(struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
845 int qtype
, qclass
, rdlen
;
846 unsigned long ttl
, minttl
= ULONG_MAX
;
847 int i
, found_soa
= 0;
849 /* first move to NS section and find TTL from any SOA section */
850 if (!(p
= skip_questions(header
, qlen
)) ||
851 !(p
= do_doctor(p
, ntohs(header
->ancount
), header
, qlen
, name
, doctored
)))
852 return 0; /* bad packet */
854 for (i
= ntohs(header
->nscount
); i
!= 0; i
--)
856 if (!(p
= skip_name(p
, header
, qlen
, 10)))
857 return 0; /* bad packet */
864 if ((qclass
== C_IN
) && (qtype
== T_SOA
))
871 if (!(p
= skip_name(p
, header
, qlen
, 0)))
874 if (!(p
= skip_name(p
, header
, qlen
, 20)))
876 p
+= 16; /* SERIAL REFRESH RETRY EXPIRE */
878 GETLONG(ttl
, p
); /* minTTL */
882 else if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
883 return 0; /* bad packet */
886 /* rewrite addresses in additional section too */
887 if (!do_doctor(p
, ntohs(header
->arcount
), header
, qlen
, NULL
, doctored
))
891 minttl
= daemon
->neg_ttl
;
896 /* Note that the following code can create CNAME chains that don't point to a real record,
897 either because of lack of memory, or lack of SOA records. These are treated by the cache code as
898 expired and cleaned out that way.
899 Return 1 if we reject an address because it look like part of dns-rebinding attack. */
900 int extract_addresses(struct dns_header
*header
, size_t qlen
, char *name
, time_t now
,
901 char **ipsets
, int is_sign
, int check_rebind
, int no_cache_dnssec
, int secure
, int *doctored
)
903 unsigned char *p
, *p1
, *endrr
, *namep
;
904 int i
, j
, qtype
, qclass
, aqtype
, aqclass
, ardlen
, res
, searched_soa
= 0;
905 unsigned long ttl
= 0;
906 struct all_addr addr
;
910 (void)ipsets
; /* unused */
913 cache_start_insert();
915 /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */
916 if (daemon
->doctors
|| option_bool(OPT_LOG
) || option_bool(OPT_DNSSEC_VALID
))
919 ttl
= find_soa(header
, qlen
, name
, doctored
);
921 if (*doctored
&& secure
)
926 /* go through the questions. */
927 p
= (unsigned char *)(header
+1);
929 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
931 int found
= 0, cname_count
= CNAME_CHAIN
;
932 struct crec
*cpp
= NULL
;
933 int flags
= RCODE(header
) == NXDOMAIN
? F_NXDOMAIN
: 0;
934 int secflag
= secure
? F_DNSSECOK
: 0;
935 unsigned long cttl
= ULONG_MAX
, attl
;
938 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
939 return 0; /* bad packet */
947 /* PTRs: we chase CNAMEs here, since we have no way to
948 represent them in the cache. */
951 int name_encoding
= in_arpa_name_2_addr(name
, &addr
);
956 if (!(flags
& F_NXDOMAIN
))
959 if (!(p1
= skip_questions(header
, qlen
)))
962 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
964 unsigned char *tmp
= namep
;
965 /* the loop body overwrites the original name, so get it back here. */
966 if (!extract_name(header
, qlen
, &tmp
, name
, 1, 0) ||
967 !(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
968 return 0; /* bad packet */
970 GETSHORT(aqtype
, p1
);
971 GETSHORT(aqclass
, p1
);
973 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
976 PUTLONG(daemon
->max_ttl
, p1
);
978 GETSHORT(ardlen
, p1
);
981 /* TTL of record is minimum of CNAMES and PTR */
985 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== T_PTR
))
987 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
990 if (aqtype
== T_CNAME
)
992 if (!cname_count
-- || secure
)
993 return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
997 cache_insert(name
, &addr
, now
, cttl
, name_encoding
| secflag
| F_REVERSE
);
1002 if (!CHECK_LEN(header
, p1
, qlen
, 0))
1003 return 0; /* bad packet */
1007 if (!found
&& !option_bool(OPT_NO_NEG
))
1012 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
1015 cache_insert(NULL
, &addr
, now
, ttl
, name_encoding
| F_REVERSE
| F_NEG
| flags
| secflag
);
1020 /* everything other than PTR */
1030 else if (qtype
== T_AAAA
)
1032 addrlen
= IN6ADDRSZ
;
1040 if (!(p1
= skip_questions(header
, qlen
)))
1043 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
1045 if (!(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
1046 return 0; /* bad packet */
1048 GETSHORT(aqtype
, p1
);
1049 GETSHORT(aqclass
, p1
);
1051 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
1054 PUTLONG(daemon
->max_ttl
, p1
);
1056 GETSHORT(ardlen
, p1
);
1059 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== qtype
))
1061 if (aqtype
== T_CNAME
)
1064 return 0; /* looped CNAMES */
1065 newc
= cache_insert(name
, NULL
, now
, attl
, F_CNAME
| F_FORWARD
| secflag
);
1068 newc
->addr
.cname
.target
.cache
= NULL
;
1069 /* anything other than zero, to avoid being mistaken for CNAME to interface-name */
1070 newc
->addr
.cname
.uid
= 1;
1073 cpp
->addr
.cname
.target
.cache
= newc
;
1074 cpp
->addr
.cname
.uid
= newc
->uid
;
1082 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
1086 else if (!(flags
& F_NXDOMAIN
))
1090 /* copy address into aligned storage */
1091 if (!CHECK_LEN(header
, p1
, qlen
, addrlen
))
1092 return 0; /* bad packet */
1093 memcpy(&addr
, p1
, addrlen
);
1095 /* check for returned address in private space */
1098 private_net(addr
.addr
.addr4
, !option_bool(OPT_LOCAL_REBIND
)))
1102 if (ipsets
&& (flags
& (F_IPV4
| F_IPV6
)))
1104 ipsets_cur
= ipsets
;
1107 log_query((flags
& (F_IPV4
| F_IPV6
)) | F_IPSET
, name
, &addr
, *ipsets_cur
);
1108 add_to_ipset(*ipsets_cur
++, &addr
, flags
, 0);
1113 newc
= cache_insert(name
, &addr
, now
, attl
, flags
| F_FORWARD
| secflag
);
1116 cpp
->addr
.cname
.target
.cache
= newc
;
1117 cpp
->addr
.cname
.uid
= newc
->uid
;
1124 if (!CHECK_LEN(header
, p1
, qlen
, 0))
1125 return 0; /* bad packet */
1128 if (!found
&& !option_bool(OPT_NO_NEG
))
1133 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
1135 /* If there's no SOA to get the TTL from, but there is a CNAME
1136 pointing at this, inherit its TTL */
1139 newc
= cache_insert(name
, NULL
, now
, ttl
? ttl
: cttl
, F_FORWARD
| F_NEG
| flags
| secflag
);
1142 cpp
->addr
.cname
.target
.cache
= newc
;
1143 cpp
->addr
.cname
.uid
= newc
->uid
;
1150 /* Don't put stuff from a truncated packet into the cache.
1151 Don't cache replies from non-recursive nameservers, since we may get a
1152 reply containing a CNAME but not its target, even though the target
1154 if (!(header
->hb3
& HB3_TC
) &&
1155 !(header
->hb4
& HB4_CD
) &&
1156 (header
->hb4
& HB4_RA
) &&
1163 /* If the packet holds exactly one query
1164 return F_IPV4 or F_IPV6 and leave the name from the query in name */
1165 unsigned int extract_request(struct dns_header
*header
, size_t qlen
, char *name
, unsigned short *typep
)
1167 unsigned char *p
= (unsigned char *)(header
+1);
1173 if (ntohs(header
->qdcount
) != 1 || OPCODE(header
) != QUERY
)
1174 return 0; /* must be exactly one query. */
1176 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1177 return 0; /* bad packet */
1180 GETSHORT(qclass
, p
);
1189 if (qtype
== T_AAAA
)
1192 return F_IPV4
| F_IPV6
;
1199 size_t setup_reply(struct dns_header
*header
, size_t qlen
,
1200 struct all_addr
*addrp
, unsigned int flags
, unsigned long ttl
)
1202 unsigned char *p
= skip_questions(header
, qlen
);
1204 /* clear authoritative and truncated flags, set QR flag */
1205 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
1207 header
->hb4
|= HB4_RA
;
1209 header
->nscount
= htons(0);
1210 header
->arcount
= htons(0);
1211 header
->ancount
= htons(0); /* no answers unless changed below */
1213 SET_RCODE(header
, SERVFAIL
); /* couldn't get memory */
1214 else if (flags
== F_NOERR
)
1215 SET_RCODE(header
, NOERROR
); /* empty domain */
1216 else if (flags
== F_NXDOMAIN
)
1217 SET_RCODE(header
, NXDOMAIN
);
1218 else if (p
&& flags
== F_IPV4
)
1219 { /* we know the address */
1220 SET_RCODE(header
, NOERROR
);
1221 header
->ancount
= htons(1);
1222 header
->hb3
|= HB3_AA
;
1223 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_A
, C_IN
, "4", addrp
);
1226 else if (p
&& flags
== F_IPV6
)
1228 SET_RCODE(header
, NOERROR
);
1229 header
->ancount
= htons(1);
1230 header
->hb3
|= HB3_AA
;
1231 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_AAAA
, C_IN
, "6", addrp
);
1234 else /* nowhere to forward to */
1235 SET_RCODE(header
, REFUSED
);
1237 return p
- (unsigned char *)header
;
1240 /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
1241 int check_for_local_domain(char *name
, time_t now
)
1244 struct mx_srv_record
*mx
;
1245 struct txt_record
*txt
;
1246 struct interface_name
*intr
;
1247 struct ptr_record
*ptr
;
1248 struct naptr
*naptr
;
1250 /* Note: the call to cache_find_by_name is intended to find any record which matches
1251 ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
1252 cache_find_by name ordinarily only returns records with an exact match on those bits (ie
1253 for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
1255 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_IPV4
| F_IPV6
| F_CNAME
| F_DS
| F_NO_RR
| F_NSIGMATCH
)) &&
1256 (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
1259 for (naptr
= daemon
->naptr
; naptr
; naptr
= naptr
->next
)
1260 if (hostname_isequal(name
, naptr
->name
))
1263 for (mx
= daemon
->mxnames
; mx
; mx
= mx
->next
)
1264 if (hostname_isequal(name
, mx
->name
))
1267 for (txt
= daemon
->txt
; txt
; txt
= txt
->next
)
1268 if (hostname_isequal(name
, txt
->name
))
1271 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1272 if (hostname_isequal(name
, intr
->name
))
1275 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1276 if (hostname_isequal(name
, ptr
->name
))
1282 /* Is the packet a reply with the answer address equal to addr?
1283 If so mung is into an NXDOMAIN reply and also put that information
1285 int check_for_bogus_wildcard(struct dns_header
*header
, size_t qlen
, char *name
,
1286 struct bogus_addr
*baddr
, time_t now
)
1289 int i
, qtype
, qclass
, rdlen
;
1291 struct bogus_addr
*baddrp
;
1293 /* skip over questions */
1294 if (!(p
= skip_questions(header
, qlen
)))
1295 return 0; /* bad packet */
1297 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1299 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
1300 return 0; /* bad packet */
1303 GETSHORT(qclass
, p
);
1307 if (qclass
== C_IN
&& qtype
== T_A
)
1309 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1312 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1313 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1315 /* Found a bogus address. Insert that info here, since there no SOA record
1316 to get the ttl from in the normal processing */
1317 cache_start_insert();
1318 cache_insert(name
, NULL
, now
, ttl
, F_IPV4
| F_FORWARD
| F_NEG
| F_NXDOMAIN
);
1325 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1332 int check_for_ignored_address(struct dns_header
*header
, size_t qlen
, struct bogus_addr
*baddr
)
1335 int i
, qtype
, qclass
, rdlen
;
1336 struct bogus_addr
*baddrp
;
1338 /* skip over questions */
1339 if (!(p
= skip_questions(header
, qlen
)))
1340 return 0; /* bad packet */
1342 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1344 if (!(p
= skip_name(p
, header
, qlen
, 10)))
1345 return 0; /* bad packet */
1348 GETSHORT(qclass
, p
);
1352 if (qclass
== C_IN
&& qtype
== T_A
)
1354 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1357 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1358 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1362 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1369 int add_resource_record(struct dns_header
*header
, char *limit
, int *truncp
, int nameoffset
, unsigned char **pp
,
1370 unsigned long ttl
, int *offset
, unsigned short type
, unsigned short class, char *format
, ...)
1373 unsigned char *sav
, *p
= *pp
;
1375 unsigned short usval
;
1379 if (truncp
&& *truncp
)
1382 va_start(ap
, format
); /* make ap point to 1st unamed argument */
1386 PUTSHORT(nameoffset
| 0xc000, p
);
1390 char *name
= va_arg(ap
, char *);
1392 p
= do_rfc1035_name(p
, name
);
1395 PUTSHORT(-nameoffset
| 0xc000, p
);
1403 PUTLONG(ttl
, p
); /* TTL */
1405 sav
= p
; /* Save pointer to RDLength field */
1406 PUTSHORT(0, p
); /* Placeholder RDLength */
1408 for (; *format
; format
++)
1413 sval
= va_arg(ap
, char *);
1414 memcpy(p
, sval
, IN6ADDRSZ
);
1420 sval
= va_arg(ap
, char *);
1421 memcpy(p
, sval
, INADDRSZ
);
1426 usval
= va_arg(ap
, int);
1431 usval
= va_arg(ap
, int);
1436 lval
= va_arg(ap
, long);
1441 /* get domain-name answer arg and store it in RDATA field */
1443 *offset
= p
- (unsigned char *)header
;
1444 p
= do_rfc1035_name(p
, va_arg(ap
, char *));
1449 usval
= va_arg(ap
, int);
1450 sval
= va_arg(ap
, char *);
1452 memcpy(p
, sval
, usval
);
1457 sval
= va_arg(ap
, char *);
1458 usval
= sval
? strlen(sval
) : 0;
1461 *p
++ = (unsigned char)usval
;
1462 memcpy(p
, sval
, usval
);
1467 va_end(ap
); /* clean up variable argument pointer */
1470 PUTSHORT(j
, sav
); /* Now, store real RDLength */
1472 /* check for overflow of buffer */
1473 if (limit
&& ((unsigned char *)limit
- p
) < 0)
1484 static unsigned long crec_ttl(struct crec
*crecp
, time_t now
)
1486 /* Return 0 ttl for DHCP entries, which might change
1487 before the lease expires. */
1489 if (crecp
->flags
& (F_IMMORTAL
| F_DHCP
))
1490 return daemon
->local_ttl
;
1492 /* Return the Max TTL value if it is lower then the actual TTL */
1493 if (daemon
->max_ttl
== 0 || ((unsigned)(crecp
->ttd
- now
) < daemon
->max_ttl
))
1494 return crecp
->ttd
- now
;
1496 return daemon
->max_ttl
;
1500 /* return zero if we can't answer from cache, or packet size if we can */
1501 size_t answer_request(struct dns_header
*header
, char *limit
, size_t qlen
,
1502 struct in_addr local_addr
, struct in_addr local_netmask
,
1503 time_t now
, int *ad_reqd
, int *do_bit
)
1505 char *name
= daemon
->namebuff
;
1506 unsigned char *p
, *ansp
, *pheader
;
1507 unsigned int qtype
, qclass
;
1508 struct all_addr addr
;
1510 unsigned short flag
;
1511 int q
, ans
, anscount
= 0, addncount
= 0;
1512 int dryrun
= 0, sec_reqd
= 0, have_pseudoheader
= 0;
1515 int nxdomain
= 0, auth
= 1, trunc
= 0, sec_data
= 1;
1516 struct mx_srv_record
*rec
;
1519 /* Don't return AD set if checking disabled. */
1520 if (header
->hb4
& HB4_CD
)
1524 *ad_reqd
= header
->hb4
& HB4_AD
;
1527 /* If there is an RFC2671 pseudoheader then it will be overwritten by
1528 partial replies, so we have to do a dry run to see if we can answer
1529 the query. We check to see if the do bit is set, if so we always
1530 forward rather than answering from the cache, which doesn't include
1531 security information, unless we're in DNSSEC validation mode. */
1533 if (find_pseudoheader(header
, qlen
, NULL
, &pheader
, &is_sign
))
1535 unsigned short udpsz
, flags
;
1536 unsigned char *psave
= pheader
;
1538 have_pseudoheader
= 1;
1540 GETSHORT(udpsz
, pheader
);
1541 pheader
+= 2; /* ext_rcode */
1542 GETSHORT(flags
, pheader
);
1544 if ((sec_reqd
= flags
& 0x8000))
1545 *do_bit
= 1;/* do bit */
1548 /* If our client is advertising a larger UDP packet size
1549 than we allow, trim it so that we don't get an overlarge
1550 response from upstream */
1552 if (!is_sign
&& (udpsz
> daemon
->edns_pktsz
))
1553 PUTSHORT(daemon
->edns_pktsz
, psave
);
1558 if (ntohs(header
->qdcount
) == 0 || OPCODE(header
) != QUERY
)
1561 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
1565 /* determine end of question section (we put answers there) */
1566 if (!(ansp
= skip_questions(header
, qlen
)))
1567 return 0; /* bad packet */
1569 /* now process each question, answers go in RRs after the question */
1570 p
= (unsigned char *)(header
+1);
1572 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
1574 /* save pointer to name for copying into answers */
1575 nameoffset
= p
- (unsigned char *)header
;
1577 /* now extract name as .-concatenated string into name */
1578 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1579 return 0; /* bad packet */
1582 GETSHORT(qclass
, p
);
1584 ans
= 0; /* have we answered this question */
1586 if (qtype
== T_TXT
|| qtype
== T_ANY
)
1588 struct txt_record
*t
;
1589 for(t
= daemon
->txt
; t
; t
= t
->next
)
1591 if (t
->class == qclass
&& hostname_isequal(name
, t
->name
))
1596 unsigned long ttl
= daemon
->local_ttl
;
1598 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<TXT>");
1599 /* Dynamically generate stat record */
1603 if (!cache_make_stat(t
))
1607 if (ok
&& add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1609 T_TXT
, t
->class, "t", t
->len
, t
->txt
))
1618 if (option_bool(OPT_DNSSEC_VALID
) && (qtype
== T_DNSKEY
|| qtype
== T_DS
))
1621 struct blockdata
*keydata
;
1623 /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
1627 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1628 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
)
1632 if (!sec_reqd
|| crecp
)
1637 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DS
)))
1638 if (crecp
->uid
== qclass
)
1643 if (crecp
->flags
& F_NEG
)
1645 if (crecp
->flags
& F_NXDOMAIN
)
1647 log_query(F_UPSTREAM
, name
, NULL
, "no DS");
1649 else if ((keydata
= blockdata_retrieve(crecp
->addr
.ds
.keydata
, crecp
->addr
.ds
.keylen
, NULL
)))
1652 a
.addr
.keytag
= crecp
->addr
.ds
.keytag
;
1653 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DS keytag %u");
1654 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1655 crec_ttl(crecp
, now
), &nameoffset
,
1656 T_DS
, qclass
, "sbbt",
1657 crecp
->addr
.ds
.keytag
, crecp
->addr
.ds
.algo
,
1658 crecp
->addr
.ds
.digest
, crecp
->addr
.ds
.keylen
, keydata
))
1668 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
)))
1669 if (crecp
->uid
== qclass
)
1672 if (!dryrun
&& (keydata
= blockdata_retrieve(crecp
->addr
.key
.keydata
, crecp
->addr
.key
.keylen
, NULL
)))
1675 a
.addr
.keytag
= crecp
->addr
.key
.keytag
;
1676 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DNSKEY keytag %u");
1677 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1678 crec_ttl(crecp
, now
), &nameoffset
,
1679 T_DNSKEY
, qclass
, "sbbt",
1680 crecp
->addr
.key
.flags
, 3, crecp
->addr
.key
.algo
, crecp
->addr
.key
.keylen
, keydata
))
1692 if (!dryrun
&& sec_reqd
)
1695 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1696 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
&&
1697 (keydata
= blockdata_retrieve(crecp
->addr
.sig
.keydata
, crecp
->addr
.sig
.keylen
, NULL
)))
1699 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1700 crec_ttl(crecp
, now
), &nameoffset
,
1701 T_RRSIG
, qclass
, "t", crecp
->addr
.sig
.keylen
, keydata
);
1711 struct txt_record
*t
;
1713 for (t
= daemon
->rr
; t
; t
= t
->next
)
1714 if ((t
->class == qtype
|| qtype
== T_ANY
) && hostname_isequal(name
, t
->name
))
1719 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<RR>");
1720 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1721 daemon
->local_ttl
, NULL
,
1722 t
->class, C_IN
, "t", t
->len
, t
->txt
))
1727 if (qtype
== T_PTR
|| qtype
== T_ANY
)
1729 /* see if it's w.z.y.z.in-addr.arpa format */
1730 int is_arpa
= in_arpa_name_2_addr(name
, &addr
);
1731 struct ptr_record
*ptr
;
1732 struct interface_name
* intr
= NULL
;
1734 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1735 if (hostname_isequal(name
, ptr
->name
))
1738 if (is_arpa
== F_IPV4
)
1739 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1741 struct addrlist
*addrlist
;
1743 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1744 if (!(addrlist
->flags
& ADDRLIST_IPV6
) && addr
.addr
.addr4
.s_addr
== addrlist
->addr
.addr
.addr4
.s_addr
)
1750 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1754 else if (is_arpa
== F_IPV6
)
1755 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1757 struct addrlist
*addrlist
;
1759 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1760 if ((addrlist
->flags
& ADDRLIST_IPV6
) && IN6_ARE_ADDR_EQUAL(&addr
.addr
.addr6
, &addrlist
->addr
.addr
.addr6
))
1766 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1776 log_query(is_arpa
| F_REVERSE
| F_CONFIG
, intr
->name
, &addr
, NULL
);
1777 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1778 daemon
->local_ttl
, NULL
,
1779 T_PTR
, C_IN
, "d", intr
->name
))
1788 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<PTR>");
1789 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1790 if (hostname_isequal(name
, ptr
->name
) &&
1791 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1792 daemon
->local_ttl
, NULL
,
1793 T_PTR
, C_IN
, "d", ptr
->ptr
))
1798 else if ((crecp
= cache_find_by_addr(NULL
, &addr
, now
, is_arpa
)))
1800 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
1802 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
1805 else if (crecp
->flags
& F_DNSSECOK
)
1808 struct crec
*rr_crec
= NULL
;
1810 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
1812 if (rr_crec
->addr
.sig
.type_covered
== T_PTR
&& rr_crec
->uid
== C_IN
)
1814 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
1818 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1819 rr_crec
->ttd
- now
, &nameoffset
,
1820 T_RRSIG
, C_IN
, "t", crecp
->addr
.sig
.keylen
, sigdata
))
1835 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1836 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1839 if (!(crecp
->flags
& F_DNSSECOK
))
1842 if (crecp
->flags
& F_NEG
)
1846 if (crecp
->flags
& F_NXDOMAIN
)
1849 log_query(crecp
->flags
& ~F_FORWARD
, name
, &addr
, NULL
);
1851 else if ((crecp
->flags
& (F_HOSTS
| F_DHCP
)) || !sec_reqd
|| option_bool(OPT_DNSSEC_VALID
))
1854 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1858 log_query(crecp
->flags
& ~F_FORWARD
, cache_get_name(crecp
), &addr
,
1859 record_source(crecp
->uid
));
1861 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1862 crec_ttl(crecp
, now
), NULL
,
1863 T_PTR
, C_IN
, "d", cache_get_name(crecp
)))
1867 } while ((crecp
= cache_find_by_addr(crecp
, &addr
, now
, is_arpa
)));
1870 else if (is_rev_synth(is_arpa
, &addr
, name
))
1875 log_query(F_CONFIG
| F_REVERSE
| is_arpa
, name
, &addr
, NULL
);
1877 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1878 daemon
->local_ttl
, NULL
,
1879 T_PTR
, C_IN
, "d", name
))
1883 else if (is_arpa
== F_IPV4
&&
1884 option_bool(OPT_BOGUSPRIV
) &&
1885 private_net(addr
.addr
.addr4
, 1))
1887 /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
1891 log_query(F_CONFIG
| F_REVERSE
| F_IPV4
| F_NEG
| F_NXDOMAIN
,
1896 for (flag
= F_IPV4
; flag
; flag
= (flag
== F_IPV4
) ? F_IPV6
: 0)
1898 unsigned short type
= T_A
;
1899 struct interface_name
*intr
;
1908 if (qtype
!= type
&& qtype
!= T_ANY
)
1911 /* Check for "A for A" queries; be rather conservative
1912 about what looks like dotted-quad. */
1919 for (cp
= name
, i
= 0, a
= 0; *cp
; i
++)
1921 if (!isdigit((unsigned char)*cp
) || (x
= strtol(cp
, &cp
, 10)) > 255)
1938 addr
.addr
.addr4
.s_addr
= htonl(a
);
1939 log_query(F_FORWARD
| F_CONFIG
| F_IPV4
, name
, &addr
, NULL
);
1940 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1941 daemon
->local_ttl
, NULL
, type
, C_IN
, "4", &addr
))
1948 /* interface name stuff */
1950 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1951 if (hostname_isequal(name
, intr
->name
))
1956 struct addrlist
*addrlist
;
1959 enumerate_interfaces(0);
1961 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1962 if (hostname_isequal(name
, intr
->name
))
1964 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1966 if (((addrlist
->flags
& ADDRLIST_IPV6
) ? T_AAAA
: T_A
) == type
)
1970 if (addrlist
->flags
& ADDRLIST_REVONLY
)
1977 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addrlist
->addr
, NULL
);
1978 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1979 daemon
->local_ttl
, NULL
, type
, C_IN
,
1980 type
== T_A
? "4" : "6", &addrlist
->addr
))
1986 if (!dryrun
&& !gotit
)
1987 log_query(F_FORWARD
| F_CONFIG
| flag
| F_NEG
, name
, NULL
, NULL
);
1993 if ((crecp
= cache_find_by_name(NULL
, name
, now
, flag
| F_CNAME
| (dryrun
? F_NO_RR
: 0))))
1997 /* See if a putative address is on the network from which we received
1998 the query; if so we'll filter other answers. */
1999 if (local_addr
.s_addr
!= 0 && option_bool(OPT_LOCALISE
) && flag
== F_IPV4
)
2001 struct crec
*save
= crecp
;
2003 if ((crecp
->flags
& F_HOSTS
) &&
2004 is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2009 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2013 /* If the client asked for DNSSEC and we can't provide RRSIGs, either
2014 because we're not doing DNSSEC or the cached answer is a validated negative one,
2015 don't answer from the cache, forward instead. */
2016 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
2018 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
2021 else if (crecp
->flags
& F_DNSSECOK
)
2023 /* We're returning validated data, need to return the RRSIG too. */
2024 struct crec
*rr_crec
= NULL
;
2026 /* The signature may have expired even though the data is still in cache,
2027 forward instead of answering from cache if so. */
2030 if (crecp
->flags
& F_CNAME
)
2033 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
2035 if (rr_crec
->addr
.sig
.type_covered
== sigtype
&& rr_crec
->uid
== C_IN
)
2037 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
2041 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2042 rr_crec
->ttd
- now
, &nameoffset
,
2043 T_RRSIG
, C_IN
, "t", rr_crec
->addr
.sig
.keylen
, sigdata
))
2057 /* don't answer wildcard queries with data not from /etc/hosts
2059 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
2062 if (!(crecp
->flags
& F_DNSSECOK
))
2065 if (crecp
->flags
& F_CNAME
)
2067 char *cname_target
= cache_get_cname_target(crecp
);
2071 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2072 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2073 crec_ttl(crecp
, now
), &nameoffset
,
2074 T_CNAME
, C_IN
, "d", cname_target
))
2078 strcpy(name
, cname_target
);
2079 /* check if target interface_name */
2080 if (crecp
->addr
.cname
.uid
== SRC_INTERFACE
)
2081 goto intname_restart
;
2086 if (crecp
->flags
& F_NEG
)
2088 /* We don't cache NSEC records, so if a DNSSEC-validated negative answer
2089 is cached and the client wants DNSSEC, forward rather than answering from the cache */
2090 if (!sec_reqd
|| !(crecp
->flags
& F_DNSSECOK
))
2094 if (crecp
->flags
& F_NXDOMAIN
)
2097 log_query(crecp
->flags
, name
, NULL
, NULL
);
2102 /* If we are returning local answers depending on network,
2105 (crecp
->flags
& F_HOSTS
) &&
2106 !is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2109 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
2115 log_query(crecp
->flags
& ~F_REVERSE
, name
, &crecp
->addr
.addr
,
2116 record_source(crecp
->uid
));
2118 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2119 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2120 type
== T_A
? "4" : "6", &crecp
->addr
))
2124 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2126 else if (is_name_synthetic(flag
, name
, &addr
))
2131 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addr
, NULL
);
2132 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2133 daemon
->local_ttl
, NULL
, type
, C_IN
, type
== T_A
? "4" : "6", &addr
))
2139 if (qtype
== T_CNAME
|| qtype
== T_ANY
)
2141 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_CNAME
)) &&
2142 (qtype
== T_CNAME
|| (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
| (dryrun
? F_NO_RR
: 0)))))
2144 if (!(crecp
->flags
& F_DNSSECOK
))
2150 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2151 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2152 crec_ttl(crecp
, now
), &nameoffset
,
2153 T_CNAME
, C_IN
, "d", cache_get_cname_target(crecp
)))
2159 if (qtype
== T_MX
|| qtype
== T_ANY
)
2162 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2163 if (!rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2169 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2170 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2171 &offset
, T_MX
, C_IN
, "sd", rec
->weight
, rec
->target
))
2175 rec
->offset
= offset
;
2180 if (!found
&& (option_bool(OPT_SELFMX
) || option_bool(OPT_LOCALMX
)) &&
2181 cache_find_by_name(NULL
, name
, now
, F_HOSTS
| F_DHCP
| F_NO_RR
))
2186 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2187 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
, NULL
,
2188 T_MX
, C_IN
, "sd", 1,
2189 option_bool(OPT_SELFMX
) ? name
: daemon
->mxtarget
))
2195 if (qtype
== T_SRV
|| qtype
== T_ANY
)
2198 struct mx_srv_record
*move
= NULL
, **up
= &daemon
->mxnames
;
2200 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2201 if (rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2207 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<SRV>");
2208 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2209 &offset
, T_SRV
, C_IN
, "sssd",
2210 rec
->priority
, rec
->weight
, rec
->srvport
, rec
->target
))
2214 rec
->offset
= offset
;
2218 /* unlink first SRV record found */
2230 /* put first SRV record back at the end. */
2237 if (!found
&& option_bool(OPT_FILTER
) && (qtype
== T_SRV
|| (qtype
== T_ANY
&& strchr(name
, '_'))))
2241 log_query(F_CONFIG
| F_NEG
, name
, NULL
, NULL
);
2245 if (qtype
== T_NAPTR
|| qtype
== T_ANY
)
2248 for (na
= daemon
->naptr
; na
; na
= na
->next
)
2249 if (hostname_isequal(name
, na
->name
))
2254 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<NAPTR>");
2255 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2256 NULL
, T_NAPTR
, C_IN
, "sszzzd",
2257 na
->order
, na
->pref
, na
->flags
, na
->services
, na
->regexp
, na
->replace
))
2263 if (qtype
== T_MAILB
)
2264 ans
= 1, nxdomain
= 1;
2266 if (qtype
== T_SOA
&& option_bool(OPT_FILTER
))
2270 log_query(F_CONFIG
| F_NEG
, name
, &addr
, NULL
);
2275 return 0; /* failed to answer a question */
2284 /* create an additional data section, for stuff in SRV and MX record replies. */
2285 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2286 if (rec
->offset
!= 0)
2289 struct mx_srv_record
*tmp
;
2290 for (tmp
= rec
->next
; tmp
; tmp
= tmp
->next
)
2291 if (tmp
->offset
!= 0 && hostname_isequal(rec
->target
, tmp
->target
))
2295 while ((crecp
= cache_find_by_name(crecp
, rec
->target
, now
, F_IPV4
| F_IPV6
)))
2298 int type
= crecp
->flags
& F_IPV4
? T_A
: T_AAAA
;
2302 if (crecp
->flags
& F_NEG
)
2305 if (add_resource_record(header
, limit
, NULL
, rec
->offset
, &ansp
,
2306 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2307 crecp
->flags
& F_IPV4
? "4" : "6", &crecp
->addr
))
2312 /* done all questions, set up header and return length of result */
2313 /* clear authoritative and truncated flags, set QR flag */
2314 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
2316 header
->hb4
|= HB4_RA
;
2318 /* authoritative - only hosts and DHCP derived names. */
2320 header
->hb3
|= HB3_AA
;
2324 header
->hb3
|= HB3_TC
;
2327 SET_RCODE(header
, NXDOMAIN
);
2329 SET_RCODE(header
, NOERROR
); /* no error */
2330 header
->ancount
= htons(anscount
);
2331 header
->nscount
= htons(0);
2332 header
->arcount
= htons(addncount
);
2334 len
= ansp
- (unsigned char *)header
;
2336 if (have_pseudoheader
)
2337 len
= add_pseudoheader(header
, len
, (unsigned char *)limit
, 0, NULL
, 0, sec_reqd
);
2339 if (*ad_reqd
&& sec_data
)
2340 header
->hb4
|= HB4_AD
;
2342 header
->hb4
&= ~HB4_AD
;