1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 int extract_name(struct dns_header
*header
, size_t plen
, unsigned char **pp
,
20 char *name
, int isExtract
, int extrabytes
)
22 unsigned char *cp
= (unsigned char *)name
, *p
= *pp
, *p1
= NULL
;
23 unsigned int j
, l
, namelen
= 0, hops
= 0;
31 unsigned int label_type
;
33 if (!CHECK_LEN(header
, p
, plen
, 1))
39 /* check that there are the correct no of bytes after the name */
40 if (!CHECK_LEN(header
, p
, plen
, extrabytes
))
45 if (cp
!= (unsigned char *)name
)
47 *cp
= 0; /* terminate: lose final period */
52 if (p1
) /* we jumped via compression */
60 label_type
= l
& 0xc0;
62 if (label_type
== 0xc0) /* pointer */
64 if (!CHECK_LEN(header
, p
, plen
, 1))
71 if (!p1
) /* first jump, save location to go back to */
74 hops
++; /* break malicious infinite loops */
78 p
= l
+ (unsigned char *)header
;
80 else if (label_type
== 0x80)
81 return 0; /* reserved */
82 else if (label_type
== 0x40)
84 unsigned int count
, digs
;
87 return 0; /* we only understand bitstrings */
90 return 0; /* Cannot compare bitsrings */
95 digs
= ((count
-1)>>2)+1;
97 /* output is \[x<hex>/siz]. which is digs+6/7/8 chars */
103 if (namelen
+1 >= MAXDNAME
)
106 if (!CHECK_LEN(header
, p
, plen
, (count
-1)>>3))
112 for (j
=0; j
<digs
; j
++)
120 *cp
++ = dig
< 10 ? dig
+ '0' : dig
+ 'A' - 10;
122 cp
+= sprintf((char *)cp
, "/%d]", count
);
123 /* do this here to overwrite the zero char from sprintf */
127 { /* label_type = 0 -> label. */
129 if (namelen
+1 >= MAXDNAME
)
131 if (!CHECK_LEN(header
, p
, plen
, l
))
134 for(j
=0; j
<l
; j
++, p
++)
137 unsigned char c
= *p
;
139 if (option_bool(OPT_DNSSEC_VALID
))
141 if (c
== 0 || c
== '.' || c
== NAME_ESCAPE
)
151 if (c
!= 0 && c
!= '.')
158 unsigned char c1
= *cp
, c2
= *p
;
165 if (c1
>= 'A' && c1
<= 'Z')
168 if (option_bool(OPT_DNSSEC_VALID
) && c1
== NAME_ESCAPE
)
172 if (c2
>= 'A' && c2
<= 'Z')
182 else if (*cp
!= 0 && *cp
++ != '.')
188 /* Max size of input string (for IPv6) is 75 chars.) */
189 #define MAXARPANAME 75
190 int in_arpa_name_2_addr(char *namein
, struct all_addr
*addrp
)
193 char name
[MAXARPANAME
+1], *cp1
;
194 unsigned char *addr
= (unsigned char *)addrp
;
195 char *lastchunk
= NULL
, *penchunk
= NULL
;
197 if (strlen(namein
) > MAXARPANAME
)
200 memset(addrp
, 0, sizeof(struct all_addr
));
202 /* turn name into a series of asciiz strings */
203 /* j counts no of labels */
204 for(j
= 1,cp1
= name
; *namein
; cp1
++, namein
++)
207 penchunk
= lastchunk
;
220 if (hostname_isequal(lastchunk
, "arpa") && hostname_isequal(penchunk
, "in-addr"))
223 /* address arives as a name of the form
224 www.xxx.yyy.zzz.in-addr.arpa
225 some of the low order address octets might be missing
226 and should be set to zero. */
227 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
229 /* check for digits only (weeds out things like
230 50.0/24.67.28.64.in-addr.arpa which are used
231 as CNAME targets according to RFC 2317 */
233 for (cp
= cp1
; *cp
; cp
++)
234 if (!isdigit((unsigned char)*cp
))
246 else if (hostname_isequal(penchunk
, "ip6") &&
247 (hostname_isequal(lastchunk
, "int") || hostname_isequal(lastchunk
, "arpa")))
250 Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
251 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
253 Note that most of these the various reprentations are obsolete and
254 left-over from the many DNS-for-IPv6 wars. We support all the formats
255 that we can since there is no reason not to.
258 if (*name
== '\\' && *(name
+1) == '[' &&
259 (*(name
+2) == 'x' || *(name
+2) == 'X'))
261 for (j
= 0, cp1
= name
+3; *cp1
&& isxdigit((unsigned char) *cp1
) && j
< 32; cp1
++, j
++)
267 addr
[j
/2] |= strtol(xdig
, NULL
, 16);
269 addr
[j
/2] = strtol(xdig
, NULL
, 16) << 4;
272 if (*cp1
== '/' && j
== 32)
277 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
279 if (*(cp1
+1) || !isxdigit((unsigned char)*cp1
))
282 for (j
= sizeof(struct all_addr
)-1; j
>0; j
--)
283 addr
[j
] = (addr
[j
] >> 4) | (addr
[j
-1] << 4);
284 addr
[0] = (addr
[0] >> 4) | (strtol(cp1
, NULL
, 16) << 4);
295 unsigned char *skip_name(unsigned char *ansp
, struct dns_header
*header
, size_t plen
, int extrabytes
)
299 unsigned int label_type
;
301 if (!CHECK_LEN(header
, ansp
, plen
, 1))
304 label_type
= (*ansp
) & 0xc0;
306 if (label_type
== 0xc0)
308 /* pointer for compression. */
312 else if (label_type
== 0x80)
313 return NULL
; /* reserved */
314 else if (label_type
== 0x40)
316 /* Extended label type */
319 if (!CHECK_LEN(header
, ansp
, plen
, 2))
322 if (((*ansp
++) & 0x3f) != 1)
323 return NULL
; /* we only understand bitstrings */
325 count
= *(ansp
++); /* Bits in bitstring */
327 if (count
== 0) /* count == 0 means 256 bits */
330 ansp
+= ((count
-1)>>3)+1;
333 { /* label type == 0 Bottom six bits is length */
334 unsigned int len
= (*ansp
++) & 0x3f;
336 if (!ADD_RDLEN(header
, ansp
, plen
, len
))
340 break; /* zero length label marks the end. */
344 if (!CHECK_LEN(header
, ansp
, plen
, extrabytes
))
350 unsigned char *skip_questions(struct dns_header
*header
, size_t plen
)
353 unsigned char *ansp
= (unsigned char *)(header
+1);
355 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
357 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
359 ansp
+= 4; /* class and type */
365 unsigned char *skip_section(unsigned char *ansp
, int count
, struct dns_header
*header
, size_t plen
)
369 for (i
= 0; i
< count
; i
++)
371 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
373 ansp
+= 8; /* type, class, TTL */
374 GETSHORT(rdlen
, ansp
);
375 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
382 /* CRC the question section. This is used to safely detect query
383 retransmision and to detect answers to questions we didn't ask, which
384 might be poisoning attacks. Note that we decode the name rather
385 than CRC the raw bytes, since replies might be compressed differently.
386 We ignore case in the names for the same reason. Return all-ones
387 if there is not question section. */
389 unsigned int questions_crc(struct dns_header
*header
, size_t plen
, char *name
)
392 unsigned int crc
= 0xffffffff;
393 unsigned char *p1
, *p
= (unsigned char *)(header
+1);
395 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
397 if (!extract_name(header
, plen
, &p
, name
, 1, 4))
398 return crc
; /* bad packet */
400 for (p1
= (unsigned char *)name
; *p1
; p1
++)
405 if (c
>= 'A' && c
<= 'Z')
410 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
413 /* CRC the class and type as well */
414 for (p1
= p
; p1
< p
+4; p1
++)
419 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
423 if (!CHECK_LEN(header
, p
, plen
, 0))
424 return crc
; /* bad packet */
431 size_t resize_packet(struct dns_header
*header
, size_t plen
, unsigned char *pheader
, size_t hlen
)
433 unsigned char *ansp
= skip_questions(header
, plen
);
435 /* if packet is malformed, just return as-is. */
439 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
443 /* restore pseudoheader */
444 if (pheader
&& ntohs(header
->arcount
) == 0)
446 /* must use memmove, may overlap */
447 memmove(ansp
, pheader
, hlen
);
448 header
->arcount
= htons(1);
452 return ansp
- (unsigned char *)header
;
455 unsigned char *find_pseudoheader(struct dns_header
*header
, size_t plen
, size_t *len
, unsigned char **p
, int *is_sign
)
457 /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it.
458 also return length of pseudoheader in *len and pointer to the UDP size in *p
459 Finally, check to see if a packet is signed. If it is we cannot change a single bit before
460 forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
462 int i
, arcount
= ntohs(header
->arcount
);
463 unsigned char *ansp
= (unsigned char *)(header
+1);
464 unsigned short rdlen
, type
, class;
465 unsigned char *ret
= NULL
;
471 if (OPCODE(header
) == QUERY
)
473 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
475 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
478 GETSHORT(type
, ansp
);
479 GETSHORT(class, ansp
);
481 if (class == C_IN
&& type
== T_TKEY
)
488 if (!(ansp
= skip_questions(header
, plen
)))
495 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
), header
, plen
)))
498 for (i
= 0; i
< arcount
; i
++)
500 unsigned char *save
, *start
= ansp
;
501 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
504 GETSHORT(type
, ansp
);
506 GETSHORT(class, ansp
);
508 GETSHORT(rdlen
, ansp
);
509 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
530 unsigned char *limit
;
531 struct dns_header
*header
;
533 union mysockaddr
*l3
;
536 static size_t add_pseudoheader(struct dns_header
*header
, size_t plen
, unsigned char *limit
,
537 int optno
, unsigned char *opt
, size_t optlen
, int set_do
)
539 unsigned char *lenp
, *datap
, *p
;
542 if (!(p
= find_pseudoheader(header
, plen
, NULL
, NULL
, &is_sign
)))
547 /* We are adding the pseudoheader */
548 if (!(p
= skip_questions(header
, plen
)) ||
549 !(p
= skip_section(p
,
550 ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
553 *p
++ = 0; /* empty name */
555 PUTSHORT(daemon
->edns_pktsz
, p
); /* max packet length */
556 PUTSHORT(0, p
); /* extended RCODE and version */
557 PUTSHORT(set_do
? 0x8000 : 0, p
); /* DO flag */
559 PUTSHORT(0, p
); /* RDLEN */
561 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
562 return plen
; /* Too big */
563 header
->arcount
= htons(ntohs(header
->arcount
) + 1);
569 unsigned short code
, len
, flags
;
571 /* Must be at the end, if exists */
572 if (ntohs(header
->arcount
) != 1 ||
574 (!(p
= skip_name(p
, header
, plen
, 10))))
577 p
+= 6; /* skip UDP length and RCODE */
582 PUTSHORT(flags
| 0x8000, p
);
587 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
588 return plen
; /* bad packet */
591 /* no option to add */
595 /* check if option already there */
596 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
605 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
606 return plen
; /* Too big */
613 memcpy(p
, opt
, optlen
);
617 PUTSHORT(p
- datap
, lenp
);
618 return p
- (unsigned char *)header
;
622 static int filter_mac(int family
, char *addrp
, char *mac
, size_t maclen
, void *parmv
)
624 struct macparm
*parm
= parmv
;
627 if (family
== parm
->l3
->sa
.sa_family
)
629 if (family
== AF_INET
&& memcmp(&parm
->l3
->in
.sin_addr
, addrp
, INADDRSZ
) == 0)
633 if (family
== AF_INET6
&& memcmp(&parm
->l3
->in6
.sin6_addr
, addrp
, IN6ADDRSZ
) == 0)
639 return 1; /* continue */
641 parm
->plen
= add_pseudoheader(parm
->header
, parm
->plen
, parm
->limit
, EDNS0_OPTION_MAC
, (unsigned char *)mac
, maclen
, 0);
646 size_t add_mac(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*l3
)
650 /* Must have an existing pseudoheader as the only ar-record,
651 or have no ar-records. Must also not be signed */
653 if (ntohs(header
->arcount
) > 1)
656 parm
.header
= header
;
657 parm
.limit
= (unsigned char *)limit
;
661 iface_enumerate(AF_UNSPEC
, &parm
, filter_mac
);
668 u8 source_netmask
, scope_netmask
;
676 static size_t calc_subnet_opt(struct subnet_opt
*opt
, union mysockaddr
*source
)
678 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
684 if (source
->sa
.sa_family
== AF_INET6
)
686 opt
->family
= htons(2);
687 opt
->source_netmask
= daemon
->addr6_netmask
;
688 addrp
= &source
->in6
.sin6_addr
;
693 opt
->family
= htons(1);
694 opt
->source_netmask
= daemon
->addr4_netmask
;
695 addrp
= &source
->in
.sin_addr
;
698 opt
->scope_netmask
= 0;
701 if (opt
->source_netmask
!= 0)
703 len
= ((opt
->source_netmask
- 1) >> 3) + 1;
704 memcpy(opt
->addr
, addrp
, len
);
705 if (opt
->source_netmask
& 7)
706 opt
->addr
[len
-1] &= 0xff << (8 - (opt
->source_netmask
& 7));
712 size_t add_source_addr(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*source
)
714 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
717 struct subnet_opt opt
;
719 len
= calc_subnet_opt(&opt
, source
);
720 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, EDNS0_OPTION_CLIENT_SUBNET
, (unsigned char *)&opt
, len
, 0);
724 size_t add_do_bit(struct dns_header
*header
, size_t plen
, char *limit
)
726 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, 0, NULL
, 0, 1);
730 int check_source(struct dns_header
*header
, size_t plen
, unsigned char *pseudoheader
, union mysockaddr
*peer
)
732 /* Section 9.2, Check that subnet option in reply matches. */
736 struct subnet_opt opt
;
740 calc_len
= calc_subnet_opt(&opt
, peer
);
742 if (!(p
= skip_name(pseudoheader
, header
, plen
, 10)))
745 p
+= 8; /* skip UDP length and RCODE */
748 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
749 return 1; /* bad packet */
751 /* check if option there */
752 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
756 if (code
== EDNS0_OPTION_CLIENT_SUBNET
)
758 /* make sure this doesn't mismatch. */
759 opt
.scope_netmask
= p
[3];
760 if (len
!= calc_len
|| memcmp(p
, &opt
, len
) != 0)
769 /* is addr in the non-globally-routed IP space? */
770 int private_net(struct in_addr addr
, int ban_localhost
)
772 in_addr_t ip_addr
= ntohl(addr
.s_addr
);
775 (((ip_addr
& 0xFF000000) == 0x7F000000) && ban_localhost
) /* 127.0.0.0/8 (loopback) */ ||
776 ((ip_addr
& 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
777 ((ip_addr
& 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
778 ((ip_addr
& 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
779 ((ip_addr
& 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ;
782 static unsigned char *do_doctor(unsigned char *p
, int count
, struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
784 int i
, qtype
, qclass
, rdlen
;
786 for (i
= count
; i
!= 0; i
--)
788 if (name
&& option_bool(OPT_LOG
))
790 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
793 else if (!(p
= skip_name(p
, header
, qlen
, 10)))
794 return 0; /* bad packet */
801 if (qclass
== C_IN
&& qtype
== T_A
)
803 struct doctor
*doctor
;
806 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
810 memcpy(&addr
, p
, INADDRSZ
);
812 for (doctor
= daemon
->doctors
; doctor
; doctor
= doctor
->next
)
814 if (doctor
->end
.s_addr
== 0)
816 if (!is_same_net(doctor
->in
, addr
, doctor
->mask
))
819 else if (ntohl(doctor
->in
.s_addr
) > ntohl(addr
.s_addr
) ||
820 ntohl(doctor
->end
.s_addr
) < ntohl(addr
.s_addr
))
823 addr
.s_addr
&= ~doctor
->mask
.s_addr
;
824 addr
.s_addr
|= (doctor
->out
.s_addr
& doctor
->mask
.s_addr
);
825 /* Since we munged the data, the server it came from is no longer authoritative */
826 header
->hb3
&= ~HB3_AA
;
828 memcpy(p
, &addr
, INADDRSZ
);
832 else if (qtype
== T_TXT
&& name
&& option_bool(OPT_LOG
))
834 unsigned char *p1
= p
;
835 if (!CHECK_LEN(header
, p1
, qlen
, rdlen
))
837 while ((p1
- p
) < rdlen
)
839 unsigned int i
, len
= *p1
;
840 unsigned char *p2
= p1
;
841 /* make counted string zero-term and sanitise */
842 for (i
= 0; i
< len
; i
++)
844 if (!isprint((int)*(p2
+1)))
851 my_syslog(LOG_INFO
, "reply %s is %s", name
, p1
);
853 memmove(p1
+ 1, p1
, i
);
859 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
860 return 0; /* bad packet */
866 static int find_soa(struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
869 int qtype
, qclass
, rdlen
;
870 unsigned long ttl
, minttl
= ULONG_MAX
;
871 int i
, found_soa
= 0;
873 /* first move to NS section and find TTL from any SOA section */
874 if (!(p
= skip_questions(header
, qlen
)) ||
875 !(p
= do_doctor(p
, ntohs(header
->ancount
), header
, qlen
, name
, doctored
)))
876 return 0; /* bad packet */
878 for (i
= ntohs(header
->nscount
); i
!= 0; i
--)
880 if (!(p
= skip_name(p
, header
, qlen
, 10)))
881 return 0; /* bad packet */
888 if ((qclass
== C_IN
) && (qtype
== T_SOA
))
895 if (!(p
= skip_name(p
, header
, qlen
, 0)))
898 if (!(p
= skip_name(p
, header
, qlen
, 20)))
900 p
+= 16; /* SERIAL REFRESH RETRY EXPIRE */
902 GETLONG(ttl
, p
); /* minTTL */
906 else if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
907 return 0; /* bad packet */
910 /* rewrite addresses in additional section too */
911 if (!do_doctor(p
, ntohs(header
->arcount
), header
, qlen
, NULL
, doctored
))
915 minttl
= daemon
->neg_ttl
;
920 /* Note that the following code can create CNAME chains that don't point to a real record,
921 either because of lack of memory, or lack of SOA records. These are treated by the cache code as
922 expired and cleaned out that way.
923 Return 1 if we reject an address because it look like part of dns-rebinding attack. */
924 int extract_addresses(struct dns_header
*header
, size_t qlen
, char *name
, time_t now
,
925 char **ipsets
, int is_sign
, int check_rebind
, int no_cache_dnssec
, int secure
, int *doctored
)
927 unsigned char *p
, *p1
, *endrr
, *namep
;
928 int i
, j
, qtype
, qclass
, aqtype
, aqclass
, ardlen
, res
, searched_soa
= 0;
929 unsigned long ttl
= 0;
930 struct all_addr addr
;
934 (void)ipsets
; /* unused */
937 cache_start_insert();
939 /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */
940 if (daemon
->doctors
|| option_bool(OPT_LOG
) || option_bool(OPT_DNSSEC_VALID
))
943 ttl
= find_soa(header
, qlen
, name
, doctored
);
945 if (*doctored
&& secure
)
950 /* go through the questions. */
951 p
= (unsigned char *)(header
+1);
953 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
955 int found
= 0, cname_count
= CNAME_CHAIN
;
956 struct crec
*cpp
= NULL
;
957 int flags
= RCODE(header
) == NXDOMAIN
? F_NXDOMAIN
: 0;
958 int secflag
= secure
? F_DNSSECOK
: 0;
959 unsigned long cttl
= ULONG_MAX
, attl
;
962 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
963 return 0; /* bad packet */
971 /* PTRs: we chase CNAMEs here, since we have no way to
972 represent them in the cache. */
975 int name_encoding
= in_arpa_name_2_addr(name
, &addr
);
980 if (!(flags
& F_NXDOMAIN
))
983 if (!(p1
= skip_questions(header
, qlen
)))
986 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
988 unsigned char *tmp
= namep
;
989 /* the loop body overwrites the original name, so get it back here. */
990 if (!extract_name(header
, qlen
, &tmp
, name
, 1, 0) ||
991 !(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
992 return 0; /* bad packet */
994 GETSHORT(aqtype
, p1
);
995 GETSHORT(aqclass
, p1
);
997 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
1000 PUTLONG(daemon
->max_ttl
, p1
);
1002 GETSHORT(ardlen
, p1
);
1005 /* TTL of record is minimum of CNAMES and PTR */
1009 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== T_PTR
))
1011 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
1014 if (aqtype
== T_CNAME
)
1016 if (!cname_count
-- || secure
)
1017 return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
1021 cache_insert(name
, &addr
, now
, cttl
, name_encoding
| secflag
| F_REVERSE
);
1026 if (!CHECK_LEN(header
, p1
, qlen
, 0))
1027 return 0; /* bad packet */
1031 if (!found
&& !option_bool(OPT_NO_NEG
))
1036 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
1039 cache_insert(NULL
, &addr
, now
, ttl
, name_encoding
| F_REVERSE
| F_NEG
| flags
| secflag
);
1044 /* everything other than PTR */
1054 else if (qtype
== T_AAAA
)
1056 addrlen
= IN6ADDRSZ
;
1064 if (!(p1
= skip_questions(header
, qlen
)))
1067 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
1069 if (!(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
1070 return 0; /* bad packet */
1072 GETSHORT(aqtype
, p1
);
1073 GETSHORT(aqclass
, p1
);
1075 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
1078 PUTLONG(daemon
->max_ttl
, p1
);
1080 GETSHORT(ardlen
, p1
);
1083 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== qtype
))
1085 if (aqtype
== T_CNAME
)
1088 return 0; /* looped CNAMES */
1089 newc
= cache_insert(name
, NULL
, now
, attl
, F_CNAME
| F_FORWARD
| secflag
);
1092 newc
->addr
.cname
.target
.cache
= NULL
;
1093 /* anything other than zero, to avoid being mistaken for CNAME to interface-name */
1094 newc
->addr
.cname
.uid
= 1;
1097 cpp
->addr
.cname
.target
.cache
= newc
;
1098 cpp
->addr
.cname
.uid
= newc
->uid
;
1106 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
1110 else if (!(flags
& F_NXDOMAIN
))
1114 /* copy address into aligned storage */
1115 if (!CHECK_LEN(header
, p1
, qlen
, addrlen
))
1116 return 0; /* bad packet */
1117 memcpy(&addr
, p1
, addrlen
);
1119 /* check for returned address in private space */
1122 private_net(addr
.addr
.addr4
, !option_bool(OPT_LOCAL_REBIND
)))
1126 if (ipsets
&& (flags
& (F_IPV4
| F_IPV6
)))
1128 ipsets_cur
= ipsets
;
1131 log_query((flags
& (F_IPV4
| F_IPV6
)) | F_IPSET
, name
, &addr
, *ipsets_cur
);
1132 add_to_ipset(*ipsets_cur
++, &addr
, flags
, 0);
1137 newc
= cache_insert(name
, &addr
, now
, attl
, flags
| F_FORWARD
| secflag
);
1140 cpp
->addr
.cname
.target
.cache
= newc
;
1141 cpp
->addr
.cname
.uid
= newc
->uid
;
1148 if (!CHECK_LEN(header
, p1
, qlen
, 0))
1149 return 0; /* bad packet */
1152 if (!found
&& !option_bool(OPT_NO_NEG
))
1157 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
1159 /* If there's no SOA to get the TTL from, but there is a CNAME
1160 pointing at this, inherit its TTL */
1163 newc
= cache_insert(name
, NULL
, now
, ttl
? ttl
: cttl
, F_FORWARD
| F_NEG
| flags
| secflag
);
1166 cpp
->addr
.cname
.target
.cache
= newc
;
1167 cpp
->addr
.cname
.uid
= newc
->uid
;
1174 /* Don't put stuff from a truncated packet into the cache.
1175 Don't cache replies from non-recursive nameservers, since we may get a
1176 reply containing a CNAME but not its target, even though the target
1178 if (!(header
->hb3
& HB3_TC
) &&
1179 !(header
->hb4
& HB4_CD
) &&
1180 (header
->hb4
& HB4_RA
) &&
1187 /* If the packet holds exactly one query
1188 return F_IPV4 or F_IPV6 and leave the name from the query in name */
1189 unsigned int extract_request(struct dns_header
*header
, size_t qlen
, char *name
, unsigned short *typep
)
1191 unsigned char *p
= (unsigned char *)(header
+1);
1197 if (ntohs(header
->qdcount
) != 1 || OPCODE(header
) != QUERY
)
1198 return 0; /* must be exactly one query. */
1200 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1201 return 0; /* bad packet */
1204 GETSHORT(qclass
, p
);
1213 if (qtype
== T_AAAA
)
1216 return F_IPV4
| F_IPV6
;
1223 size_t setup_reply(struct dns_header
*header
, size_t qlen
,
1224 struct all_addr
*addrp
, unsigned int flags
, unsigned long ttl
)
1228 if (!(p
= skip_questions(header
, qlen
)))
1231 /* clear authoritative and truncated flags, set QR flag */
1232 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
1234 header
->hb4
|= HB4_RA
;
1236 header
->nscount
= htons(0);
1237 header
->arcount
= htons(0);
1238 header
->ancount
= htons(0); /* no answers unless changed below */
1240 SET_RCODE(header
, SERVFAIL
); /* couldn't get memory */
1241 else if (flags
== F_NOERR
)
1242 SET_RCODE(header
, NOERROR
); /* empty domain */
1243 else if (flags
== F_NXDOMAIN
)
1244 SET_RCODE(header
, NXDOMAIN
);
1245 else if (flags
== F_IPV4
)
1246 { /* we know the address */
1247 SET_RCODE(header
, NOERROR
);
1248 header
->ancount
= htons(1);
1249 header
->hb3
|= HB3_AA
;
1250 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_A
, C_IN
, "4", addrp
);
1253 else if (flags
== F_IPV6
)
1255 SET_RCODE(header
, NOERROR
);
1256 header
->ancount
= htons(1);
1257 header
->hb3
|= HB3_AA
;
1258 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_AAAA
, C_IN
, "6", addrp
);
1261 else /* nowhere to forward to */
1262 SET_RCODE(header
, REFUSED
);
1264 return p
- (unsigned char *)header
;
1267 /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
1268 int check_for_local_domain(char *name
, time_t now
)
1271 struct mx_srv_record
*mx
;
1272 struct txt_record
*txt
;
1273 struct interface_name
*intr
;
1274 struct ptr_record
*ptr
;
1275 struct naptr
*naptr
;
1277 /* Note: the call to cache_find_by_name is intended to find any record which matches
1278 ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
1279 cache_find_by name ordinarily only returns records with an exact match on those bits (ie
1280 for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
1282 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_IPV4
| F_IPV6
| F_CNAME
| F_DS
| F_NO_RR
| F_NSIGMATCH
)) &&
1283 (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
1286 for (naptr
= daemon
->naptr
; naptr
; naptr
= naptr
->next
)
1287 if (hostname_isequal(name
, naptr
->name
))
1290 for (mx
= daemon
->mxnames
; mx
; mx
= mx
->next
)
1291 if (hostname_isequal(name
, mx
->name
))
1294 for (txt
= daemon
->txt
; txt
; txt
= txt
->next
)
1295 if (hostname_isequal(name
, txt
->name
))
1298 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1299 if (hostname_isequal(name
, intr
->name
))
1302 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1303 if (hostname_isequal(name
, ptr
->name
))
1309 /* Is the packet a reply with the answer address equal to addr?
1310 If so mung is into an NXDOMAIN reply and also put that information
1312 int check_for_bogus_wildcard(struct dns_header
*header
, size_t qlen
, char *name
,
1313 struct bogus_addr
*baddr
, time_t now
)
1316 int i
, qtype
, qclass
, rdlen
;
1318 struct bogus_addr
*baddrp
;
1320 /* skip over questions */
1321 if (!(p
= skip_questions(header
, qlen
)))
1322 return 0; /* bad packet */
1324 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1326 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
1327 return 0; /* bad packet */
1330 GETSHORT(qclass
, p
);
1334 if (qclass
== C_IN
&& qtype
== T_A
)
1336 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1339 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1340 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1342 /* Found a bogus address. Insert that info here, since there no SOA record
1343 to get the ttl from in the normal processing */
1344 cache_start_insert();
1345 cache_insert(name
, NULL
, now
, ttl
, F_IPV4
| F_FORWARD
| F_NEG
| F_NXDOMAIN
);
1352 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1359 int check_for_ignored_address(struct dns_header
*header
, size_t qlen
, struct bogus_addr
*baddr
)
1362 int i
, qtype
, qclass
, rdlen
;
1363 struct bogus_addr
*baddrp
;
1365 /* skip over questions */
1366 if (!(p
= skip_questions(header
, qlen
)))
1367 return 0; /* bad packet */
1369 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1371 if (!(p
= skip_name(p
, header
, qlen
, 10)))
1372 return 0; /* bad packet */
1375 GETSHORT(qclass
, p
);
1379 if (qclass
== C_IN
&& qtype
== T_A
)
1381 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1384 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1385 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1389 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1396 int add_resource_record(struct dns_header
*header
, char *limit
, int *truncp
, int nameoffset
, unsigned char **pp
,
1397 unsigned long ttl
, int *offset
, unsigned short type
, unsigned short class, char *format
, ...)
1400 unsigned char *sav
, *p
= *pp
;
1402 unsigned short usval
;
1406 if (truncp
&& *truncp
)
1409 va_start(ap
, format
); /* make ap point to 1st unamed argument */
1413 PUTSHORT(nameoffset
| 0xc000, p
);
1417 char *name
= va_arg(ap
, char *);
1419 p
= do_rfc1035_name(p
, name
);
1422 PUTSHORT(-nameoffset
| 0xc000, p
);
1430 PUTLONG(ttl
, p
); /* TTL */
1432 sav
= p
; /* Save pointer to RDLength field */
1433 PUTSHORT(0, p
); /* Placeholder RDLength */
1435 for (; *format
; format
++)
1440 sval
= va_arg(ap
, char *);
1441 memcpy(p
, sval
, IN6ADDRSZ
);
1447 sval
= va_arg(ap
, char *);
1448 memcpy(p
, sval
, INADDRSZ
);
1453 usval
= va_arg(ap
, int);
1458 usval
= va_arg(ap
, int);
1463 lval
= va_arg(ap
, long);
1468 /* get domain-name answer arg and store it in RDATA field */
1470 *offset
= p
- (unsigned char *)header
;
1471 p
= do_rfc1035_name(p
, va_arg(ap
, char *));
1476 usval
= va_arg(ap
, int);
1477 sval
= va_arg(ap
, char *);
1479 memcpy(p
, sval
, usval
);
1484 sval
= va_arg(ap
, char *);
1485 usval
= sval
? strlen(sval
) : 0;
1488 *p
++ = (unsigned char)usval
;
1489 memcpy(p
, sval
, usval
);
1494 va_end(ap
); /* clean up variable argument pointer */
1497 PUTSHORT(j
, sav
); /* Now, store real RDLength */
1499 /* check for overflow of buffer */
1500 if (limit
&& ((unsigned char *)limit
- p
) < 0)
1511 static unsigned long crec_ttl(struct crec
*crecp
, time_t now
)
1513 /* Return 0 ttl for DHCP entries, which might change
1514 before the lease expires. */
1516 if (crecp
->flags
& (F_IMMORTAL
| F_DHCP
))
1517 return daemon
->local_ttl
;
1519 /* Return the Max TTL value if it is lower then the actual TTL */
1520 if (daemon
->max_ttl
== 0 || ((unsigned)(crecp
->ttd
- now
) < daemon
->max_ttl
))
1521 return crecp
->ttd
- now
;
1523 return daemon
->max_ttl
;
1527 /* return zero if we can't answer from cache, or packet size if we can */
1528 size_t answer_request(struct dns_header
*header
, char *limit
, size_t qlen
,
1529 struct in_addr local_addr
, struct in_addr local_netmask
,
1530 time_t now
, int *ad_reqd
, int *do_bit
)
1532 char *name
= daemon
->namebuff
;
1533 unsigned char *p
, *ansp
, *pheader
;
1534 unsigned int qtype
, qclass
;
1535 struct all_addr addr
;
1537 unsigned short flag
;
1538 int q
, ans
, anscount
= 0, addncount
= 0;
1539 int dryrun
= 0, sec_reqd
= 0, have_pseudoheader
= 0;
1542 int nxdomain
= 0, auth
= 1, trunc
= 0, sec_data
= 1;
1543 struct mx_srv_record
*rec
;
1546 /* Don't return AD set if checking disabled. */
1547 if (header
->hb4
& HB4_CD
)
1551 *ad_reqd
= header
->hb4
& HB4_AD
;
1554 /* If there is an RFC2671 pseudoheader then it will be overwritten by
1555 partial replies, so we have to do a dry run to see if we can answer
1556 the query. We check to see if the do bit is set, if so we always
1557 forward rather than answering from the cache, which doesn't include
1558 security information, unless we're in DNSSEC validation mode. */
1560 if (find_pseudoheader(header
, qlen
, NULL
, &pheader
, &is_sign
))
1562 unsigned short udpsz
, flags
;
1563 unsigned char *psave
= pheader
;
1565 have_pseudoheader
= 1;
1567 GETSHORT(udpsz
, pheader
);
1568 pheader
+= 2; /* ext_rcode */
1569 GETSHORT(flags
, pheader
);
1571 if ((sec_reqd
= flags
& 0x8000))
1572 *do_bit
= 1;/* do bit */
1575 /* If our client is advertising a larger UDP packet size
1576 than we allow, trim it so that we don't get an overlarge
1577 response from upstream */
1579 if (!is_sign
&& (udpsz
> daemon
->edns_pktsz
))
1580 PUTSHORT(daemon
->edns_pktsz
, psave
);
1585 if (ntohs(header
->qdcount
) == 0 || OPCODE(header
) != QUERY
)
1588 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
1592 /* determine end of question section (we put answers there) */
1593 if (!(ansp
= skip_questions(header
, qlen
)))
1594 return 0; /* bad packet */
1596 /* now process each question, answers go in RRs after the question */
1597 p
= (unsigned char *)(header
+1);
1599 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
1601 /* save pointer to name for copying into answers */
1602 nameoffset
= p
- (unsigned char *)header
;
1604 /* now extract name as .-concatenated string into name */
1605 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1606 return 0; /* bad packet */
1609 GETSHORT(qclass
, p
);
1611 /* Don't filter RRSIGS from answers to ANY queries, even if do-bit
1616 ans
= 0; /* have we answered this question */
1618 if (qtype
== T_TXT
|| qtype
== T_ANY
)
1620 struct txt_record
*t
;
1621 for(t
= daemon
->txt
; t
; t
= t
->next
)
1623 if (t
->class == qclass
&& hostname_isequal(name
, t
->name
))
1628 unsigned long ttl
= daemon
->local_ttl
;
1630 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<TXT>");
1631 /* Dynamically generate stat record */
1635 if (!cache_make_stat(t
))
1639 if (ok
&& add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1641 T_TXT
, t
->class, "t", t
->len
, t
->txt
))
1650 if (option_bool(OPT_DNSSEC_VALID
) && (qtype
== T_DNSKEY
|| qtype
== T_DS
))
1653 struct blockdata
*keydata
;
1655 /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
1659 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1660 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
)
1664 if (!sec_reqd
|| crecp
)
1669 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DS
)))
1670 if (crecp
->uid
== qclass
)
1675 if (crecp
->flags
& F_NEG
)
1677 if (crecp
->flags
& F_NXDOMAIN
)
1679 log_query(F_UPSTREAM
, name
, NULL
, "no DS");
1681 else if ((keydata
= blockdata_retrieve(crecp
->addr
.ds
.keydata
, crecp
->addr
.ds
.keylen
, NULL
)))
1684 a
.addr
.keytag
= crecp
->addr
.ds
.keytag
;
1685 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DS keytag %u");
1686 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1687 crec_ttl(crecp
, now
), &nameoffset
,
1688 T_DS
, qclass
, "sbbt",
1689 crecp
->addr
.ds
.keytag
, crecp
->addr
.ds
.algo
,
1690 crecp
->addr
.ds
.digest
, crecp
->addr
.ds
.keylen
, keydata
))
1700 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
)))
1701 if (crecp
->uid
== qclass
)
1704 if (!dryrun
&& (keydata
= blockdata_retrieve(crecp
->addr
.key
.keydata
, crecp
->addr
.key
.keylen
, NULL
)))
1707 a
.addr
.keytag
= crecp
->addr
.key
.keytag
;
1708 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DNSKEY keytag %u");
1709 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1710 crec_ttl(crecp
, now
), &nameoffset
,
1711 T_DNSKEY
, qclass
, "sbbt",
1712 crecp
->addr
.key
.flags
, 3, crecp
->addr
.key
.algo
, crecp
->addr
.key
.keylen
, keydata
))
1724 if (!dryrun
&& sec_reqd
)
1727 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1728 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
&&
1729 (keydata
= blockdata_retrieve(crecp
->addr
.sig
.keydata
, crecp
->addr
.sig
.keylen
, NULL
)))
1731 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1732 crec_ttl(crecp
, now
), &nameoffset
,
1733 T_RRSIG
, qclass
, "t", crecp
->addr
.sig
.keylen
, keydata
);
1743 struct txt_record
*t
;
1745 for (t
= daemon
->rr
; t
; t
= t
->next
)
1746 if ((t
->class == qtype
|| qtype
== T_ANY
) && hostname_isequal(name
, t
->name
))
1751 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<RR>");
1752 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1753 daemon
->local_ttl
, NULL
,
1754 t
->class, C_IN
, "t", t
->len
, t
->txt
))
1759 if (qtype
== T_PTR
|| qtype
== T_ANY
)
1761 /* see if it's w.z.y.z.in-addr.arpa format */
1762 int is_arpa
= in_arpa_name_2_addr(name
, &addr
);
1763 struct ptr_record
*ptr
;
1764 struct interface_name
* intr
= NULL
;
1766 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1767 if (hostname_isequal(name
, ptr
->name
))
1770 if (is_arpa
== F_IPV4
)
1771 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1773 struct addrlist
*addrlist
;
1775 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1776 if (!(addrlist
->flags
& ADDRLIST_IPV6
) && addr
.addr
.addr4
.s_addr
== addrlist
->addr
.addr
.addr4
.s_addr
)
1782 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1786 else if (is_arpa
== F_IPV6
)
1787 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1789 struct addrlist
*addrlist
;
1791 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1792 if ((addrlist
->flags
& ADDRLIST_IPV6
) && IN6_ARE_ADDR_EQUAL(&addr
.addr
.addr6
, &addrlist
->addr
.addr
.addr6
))
1798 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1808 log_query(is_arpa
| F_REVERSE
| F_CONFIG
, intr
->name
, &addr
, NULL
);
1809 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1810 daemon
->local_ttl
, NULL
,
1811 T_PTR
, C_IN
, "d", intr
->name
))
1820 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<PTR>");
1821 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1822 if (hostname_isequal(name
, ptr
->name
) &&
1823 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1824 daemon
->local_ttl
, NULL
,
1825 T_PTR
, C_IN
, "d", ptr
->ptr
))
1830 else if ((crecp
= cache_find_by_addr(NULL
, &addr
, now
, is_arpa
)))
1832 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
1834 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
1837 else if (crecp
->flags
& F_DNSSECOK
)
1840 struct crec
*rr_crec
= NULL
;
1842 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
1844 if (rr_crec
->addr
.sig
.type_covered
== T_PTR
&& rr_crec
->uid
== C_IN
)
1846 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
1850 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1851 rr_crec
->ttd
- now
, &nameoffset
,
1852 T_RRSIG
, C_IN
, "t", crecp
->addr
.sig
.keylen
, sigdata
))
1867 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1868 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1871 if (!(crecp
->flags
& F_DNSSECOK
))
1874 if (crecp
->flags
& F_NEG
)
1878 if (crecp
->flags
& F_NXDOMAIN
)
1881 log_query(crecp
->flags
& ~F_FORWARD
, name
, &addr
, NULL
);
1883 else if ((crecp
->flags
& (F_HOSTS
| F_DHCP
)) || !sec_reqd
|| option_bool(OPT_DNSSEC_VALID
))
1886 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1890 log_query(crecp
->flags
& ~F_FORWARD
, cache_get_name(crecp
), &addr
,
1891 record_source(crecp
->uid
));
1893 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1894 crec_ttl(crecp
, now
), NULL
,
1895 T_PTR
, C_IN
, "d", cache_get_name(crecp
)))
1899 } while ((crecp
= cache_find_by_addr(crecp
, &addr
, now
, is_arpa
)));
1902 else if (is_rev_synth(is_arpa
, &addr
, name
))
1907 log_query(F_CONFIG
| F_REVERSE
| is_arpa
, name
, &addr
, NULL
);
1909 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1910 daemon
->local_ttl
, NULL
,
1911 T_PTR
, C_IN
, "d", name
))
1915 else if (is_arpa
== F_IPV4
&&
1916 option_bool(OPT_BOGUSPRIV
) &&
1917 private_net(addr
.addr
.addr4
, 1))
1919 /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
1923 log_query(F_CONFIG
| F_REVERSE
| F_IPV4
| F_NEG
| F_NXDOMAIN
,
1928 for (flag
= F_IPV4
; flag
; flag
= (flag
== F_IPV4
) ? F_IPV6
: 0)
1930 unsigned short type
= T_A
;
1931 struct interface_name
*intr
;
1940 if (qtype
!= type
&& qtype
!= T_ANY
)
1943 /* Check for "A for A" queries; be rather conservative
1944 about what looks like dotted-quad. */
1951 for (cp
= name
, i
= 0, a
= 0; *cp
; i
++)
1953 if (!isdigit((unsigned char)*cp
) || (x
= strtol(cp
, &cp
, 10)) > 255)
1970 addr
.addr
.addr4
.s_addr
= htonl(a
);
1971 log_query(F_FORWARD
| F_CONFIG
| F_IPV4
, name
, &addr
, NULL
);
1972 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1973 daemon
->local_ttl
, NULL
, type
, C_IN
, "4", &addr
))
1980 /* interface name stuff */
1982 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1983 if (hostname_isequal(name
, intr
->name
))
1988 struct addrlist
*addrlist
;
1991 enumerate_interfaces(0);
1993 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1994 if (hostname_isequal(name
, intr
->name
))
1996 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1998 if (((addrlist
->flags
& ADDRLIST_IPV6
) ? T_AAAA
: T_A
) == type
)
2002 if (addrlist
->flags
& ADDRLIST_REVONLY
)
2009 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addrlist
->addr
, NULL
);
2010 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2011 daemon
->local_ttl
, NULL
, type
, C_IN
,
2012 type
== T_A
? "4" : "6", &addrlist
->addr
))
2018 if (!dryrun
&& !gotit
)
2019 log_query(F_FORWARD
| F_CONFIG
| flag
| F_NEG
, name
, NULL
, NULL
);
2025 if ((crecp
= cache_find_by_name(NULL
, name
, now
, flag
| F_CNAME
| (dryrun
? F_NO_RR
: 0))))
2029 /* See if a putative address is on the network from which we recieved
2030 the query, is so we'll filter other answers. */
2031 if (local_addr
.s_addr
!= 0 && option_bool(OPT_LOCALISE
) && flag
== F_IPV4
)
2033 struct crec
*save
= crecp
;
2035 if ((crecp
->flags
& F_HOSTS
) &&
2036 is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2041 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2045 /* If the client asked for DNSSEC and we can't provide RRSIGs, either
2046 because we've not doing DNSSEC or the cached answer is signed by negative,
2047 don't answer from the cache, forward instead. */
2048 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
2050 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
2053 else if (crecp
->flags
& F_DNSSECOK
)
2055 /* We're returning validated data, need to return the RRSIG too. */
2056 struct crec
*rr_crec
= NULL
;
2058 /* The signature may have expired even though the data is still in cache,
2059 forward instead of answering from cache if so. */
2062 if (crecp
->flags
& F_CNAME
)
2065 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
2067 if (rr_crec
->addr
.sig
.type_covered
== sigtype
&& rr_crec
->uid
== C_IN
)
2069 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
2073 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2074 rr_crec
->ttd
- now
, &nameoffset
,
2075 T_RRSIG
, C_IN
, "t", rr_crec
->addr
.sig
.keylen
, sigdata
))
2089 /* don't answer wildcard queries with data not from /etc/hosts
2091 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
2094 if (!(crecp
->flags
& F_DNSSECOK
))
2097 if (crecp
->flags
& F_CNAME
)
2099 char *cname_target
= cache_get_cname_target(crecp
);
2103 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2104 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2105 crec_ttl(crecp
, now
), &nameoffset
,
2106 T_CNAME
, C_IN
, "d", cname_target
))
2110 strcpy(name
, cname_target
);
2111 /* check if target interface_name */
2112 if (crecp
->addr
.cname
.uid
== SRC_INTERFACE
)
2113 goto intname_restart
;
2118 if (crecp
->flags
& F_NEG
)
2120 /* We don't cache NSEC records, so if a DNSSEC-validated negative answer
2121 is cached and the client wants DNSSEC, forward rather than answering from the cache */
2122 if (!sec_reqd
|| !(crecp
->flags
& F_DNSSECOK
))
2126 if (crecp
->flags
& F_NXDOMAIN
)
2129 log_query(crecp
->flags
, name
, NULL
, NULL
);
2134 /* If we are returning local answers depending on network,
2137 (crecp
->flags
& F_HOSTS
) &&
2138 !is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2141 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
2147 log_query(crecp
->flags
& ~F_REVERSE
, name
, &crecp
->addr
.addr
,
2148 record_source(crecp
->uid
));
2150 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2151 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2152 type
== T_A
? "4" : "6", &crecp
->addr
))
2156 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2158 else if (is_name_synthetic(flag
, name
, &addr
))
2163 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addr
, NULL
);
2164 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2165 daemon
->local_ttl
, NULL
, type
, C_IN
, type
== T_A
? "4" : "6", &addr
))
2171 if (qtype
== T_CNAME
|| qtype
== T_ANY
)
2173 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_CNAME
)) &&
2174 (qtype
== T_CNAME
|| (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
| (dryrun
? F_NO_RR
: 0)))))
2176 if (!(crecp
->flags
& F_DNSSECOK
))
2182 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2183 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2184 crec_ttl(crecp
, now
), &nameoffset
,
2185 T_CNAME
, C_IN
, "d", cache_get_cname_target(crecp
)))
2191 if (qtype
== T_MX
|| qtype
== T_ANY
)
2194 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2195 if (!rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2201 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2202 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2203 &offset
, T_MX
, C_IN
, "sd", rec
->weight
, rec
->target
))
2207 rec
->offset
= offset
;
2212 if (!found
&& (option_bool(OPT_SELFMX
) || option_bool(OPT_LOCALMX
)) &&
2213 cache_find_by_name(NULL
, name
, now
, F_HOSTS
| F_DHCP
| F_NO_RR
))
2218 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2219 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
, NULL
,
2220 T_MX
, C_IN
, "sd", 1,
2221 option_bool(OPT_SELFMX
) ? name
: daemon
->mxtarget
))
2227 if (qtype
== T_SRV
|| qtype
== T_ANY
)
2230 struct mx_srv_record
*move
= NULL
, **up
= &daemon
->mxnames
;
2232 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2233 if (rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2239 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<SRV>");
2240 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2241 &offset
, T_SRV
, C_IN
, "sssd",
2242 rec
->priority
, rec
->weight
, rec
->srvport
, rec
->target
))
2246 rec
->offset
= offset
;
2250 /* unlink first SRV record found */
2262 /* put first SRV record back at the end. */
2269 if (!found
&& option_bool(OPT_FILTER
) && (qtype
== T_SRV
|| (qtype
== T_ANY
&& strchr(name
, '_'))))
2273 log_query(F_CONFIG
| F_NEG
, name
, NULL
, NULL
);
2277 if (qtype
== T_NAPTR
|| qtype
== T_ANY
)
2280 for (na
= daemon
->naptr
; na
; na
= na
->next
)
2281 if (hostname_isequal(name
, na
->name
))
2286 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<NAPTR>");
2287 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2288 NULL
, T_NAPTR
, C_IN
, "sszzzd",
2289 na
->order
, na
->pref
, na
->flags
, na
->services
, na
->regexp
, na
->replace
))
2295 if (qtype
== T_MAILB
)
2296 ans
= 1, nxdomain
= 1;
2298 if (qtype
== T_SOA
&& option_bool(OPT_FILTER
))
2302 log_query(F_CONFIG
| F_NEG
, name
, &addr
, NULL
);
2307 return 0; /* failed to answer a question */
2316 /* create an additional data section, for stuff in SRV and MX record replies. */
2317 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2318 if (rec
->offset
!= 0)
2321 struct mx_srv_record
*tmp
;
2322 for (tmp
= rec
->next
; tmp
; tmp
= tmp
->next
)
2323 if (tmp
->offset
!= 0 && hostname_isequal(rec
->target
, tmp
->target
))
2327 while ((crecp
= cache_find_by_name(crecp
, rec
->target
, now
, F_IPV4
| F_IPV6
)))
2330 int type
= crecp
->flags
& F_IPV4
? T_A
: T_AAAA
;
2334 if (crecp
->flags
& F_NEG
)
2337 if (add_resource_record(header
, limit
, NULL
, rec
->offset
, &ansp
,
2338 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2339 crecp
->flags
& F_IPV4
? "4" : "6", &crecp
->addr
))
2344 /* done all questions, set up header and return length of result */
2345 /* clear authoritative and truncated flags, set QR flag */
2346 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
2348 header
->hb4
|= HB4_RA
;
2350 /* authoritive - only hosts and DHCP derived names. */
2352 header
->hb3
|= HB3_AA
;
2356 header
->hb3
|= HB3_TC
;
2359 SET_RCODE(header
, NXDOMAIN
);
2361 SET_RCODE(header
, NOERROR
); /* no error */
2362 header
->ancount
= htons(anscount
);
2363 header
->nscount
= htons(0);
2364 header
->arcount
= htons(addncount
);
2366 len
= ansp
- (unsigned char *)header
;
2368 if (have_pseudoheader
)
2369 len
= add_pseudoheader(header
, len
, (unsigned char *)limit
, 0, NULL
, 0, sec_reqd
);
2371 if (*ad_reqd
&& sec_data
)
2372 header
->hb4
|= HB4_AD
;
2374 header
->hb4
&= ~HB4_AD
;