-/* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
void *hash);
static unsigned short get_id(void);
static void free_frec(struct frec *f);
-static struct randfd *allocate_rfd(int family);
+
+#ifdef HAVE_DNSSEC
+static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
+ int class, char *name, char *keyname, struct server *server, int *keycount);
+static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
+static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
+ char *name, char *keyname);
+#endif
+
/* Send a UDP packet with its source address set as "source"
unless nowild is true, when we just send it with the kernel default */
#endif
}
- while (sendmsg(fd, &msg, 0) == -1)
+ while (retry_send(sendmsg(fd, &msg, 0)));
+
+ /* If interface is still in DAD, EINVAL results - ignore that. */
+ if (errno != 0 && errno != EINVAL)
{
- if (retry_send())
- continue;
-
- /* If interface is still in DAD, EINVAL results - ignore that. */
- if (errno == EINVAL)
- break;
-
my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
return 0;
}
static int forward_query(int udpfd, union mysockaddr *udpaddr,
struct all_addr *dst_addr, unsigned int dst_iface,
struct dns_header *header, size_t plen, time_t now,
- struct frec *forward, int ad_reqd)
+ struct frec *forward, int ad_reqd, int do_bit)
{
char *domain = NULL;
int type = 0, norebind = 0;
void *hash = &crc;
#endif
unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ unsigned char *pheader;
+
+ (void)do_bit;
/* may be no servers available. */
if (!daemon->servers)
forward = NULL;
else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
{
+ /* If we didn't get an answer advertising a maximal packet in EDNS,
+ fall back to 1280, which should work everywhere on IPv6.
+ If that generates an answer, it will become the new default
+ for this server */
+ forward->flags |= FREC_TEST_PKTSZ;
+
#ifdef HAVE_DNSSEC
/* If we've already got an answer to this query, but we're awaiting keys for validation,
there's no point retrying the query, retry the key query instead...... */
if (forward->blocking_query)
{
int fd;
-
+
+ forward->flags &= ~FREC_TEST_PKTSZ;
+
while (forward->blocking_query)
forward = forward->blocking_query;
+
+ forward->flags |= FREC_TEST_PKTSZ;
blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
plen = forward->stash_len;
- if (forward->sentto->addr.sa.sa_family)
- log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+ if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
+ PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader);
+
+ if (forward->sentto->addr.sa.sa_family == AF_INET)
+ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
#ifdef HAVE_IPV6
else
- log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
+ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
#endif
if (forward->sentto->sfd)
fd = forward->rfd4->fd;
}
- while (sendto(fd, (char *)header, plen, 0,
- &forward->sentto->addr.sa,
- sa_len(&forward->sentto->addr)) == -1 && retry_send());
+ while (retry_send( sendto(fd, (char *)header, plen, 0,
+ &forward->sentto->addr.sa,
+ sa_len(&forward->sentto->addr))));
return 1;
}
forward->flags |= FREC_AD_QUESTION;
#ifdef HAVE_DNSSEC
forward->work_counter = DNSSEC_WORK;
+ if (do_bit)
+ forward->flags |= FREC_DO_QUESTION;
#endif
-
+
header->id = htons(forward->new_id);
/* In strict_order mode, always try servers in the order
struct server *firstsentto = start;
int forwarded = 0;
+ /* If a query is retried, use the log_id for the retry when logging the answer. */
+ forward->log_id = daemon->log_id;
+
if (option_bool(OPT_ADD_MAC))
plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID))
{
- plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
+ size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
+
/* For debugging, set Checking Disabled, otherwise, have the upstream check too,
this allows it to select auth servers when one is returning bad data. */
if (option_bool(OPT_DNSSEC_DEBUG))
header->hb4 |= HB4_CD;
+
+ if (new_plen != plen)
+ forward->flags |= FREC_ADDED_PHEADER;
+
+ plen = new_plen;
}
#endif
-
+
while (1)
{
/* only send to servers dealing with our domain.
if (type == (start->flags & SERV_TYPE) &&
(type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
- !(start->flags & SERV_LITERAL_ADDRESS))
+ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
{
int fd;
}
#endif
}
+
+ if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
+ PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader);
- if (sendto(fd, (char *)header, plen, 0,
- &start->addr.sa,
- sa_len(&start->addr)) == -1)
- {
- if (retry_send())
- continue;
- }
- else
+ if (retry_send(sendto(fd, (char *)header, plen, 0,
+ &start->addr.sa,
+ sa_len(&start->addr))))
+ continue;
+
+ if (errno == 0)
{
/* Keep info in case we want to re-send this packet */
daemon->srv_save = start;
}
static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
- int no_cache, int cache_secure, int ad_reqd, int check_subnet, union mysockaddr *query_source)
+ int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
+ int check_subnet, union mysockaddr *query_source)
{
unsigned char *pheader, *sizep;
char **sets = 0;
size_t plen;
(void)ad_reqd;
+ (void)do_bit;
+ (void)bogusanswer;
#ifdef HAVE_IPSET
- /* Similar algorithm to search_servers. */
- struct ipsets *ipset_pos;
- unsigned int namelen = strlen(daemon->namebuff);
- unsigned int matchlen = 0;
- for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
+ if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
{
- unsigned int domainlen = strlen(ipset_pos->domain);
- char *matchstart = daemon->namebuff + namelen - domainlen;
- if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
- (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
- domainlen >= matchlen)
+ /* Similar algorithm to search_servers. */
+ struct ipsets *ipset_pos;
+ unsigned int namelen = strlen(daemon->namebuff);
+ unsigned int matchlen = 0;
+ for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
{
- matchlen = domainlen;
- sets = ipset_pos->sets;
+ unsigned int domainlen = strlen(ipset_pos->domain);
+ char *matchstart = daemon->namebuff + namelen - domainlen;
+ if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
+ (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
+ domainlen >= matchlen)
+ {
+ matchlen = domainlen;
+ sets = ipset_pos->sets;
+ }
}
}
#endif
my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
return 0;
}
+
+ if (added_pheader)
+ {
+ pheader = 0;
+ header->arcount = htons(0);
+ }
}
/* RFC 4035 sect 4.6 para 3 */
header->hb4 &= ~HB4_AD;
if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
- return n;
+ return resize_packet(header, n, pheader, plen);
/* Complain loudly if the upstream server is non-recursive. */
if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
}
#ifdef HAVE_DNSSEC
- if (no_cache && !(header->hb4 & HB4_CD))
+ if (bogusanswer && !(header->hb4 & HB4_CD))
{
if (!option_bool(OPT_DNSSEC_DEBUG))
{
if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
header->hb4 |= HB4_AD;
+
+ /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
+ if (!do_bit)
+ n = filter_rrsigs(header, n);
#endif
/* do this after extract_addresses. Ensure NODATA reply and remove
header->ancount = htons(0);
header->nscount = htons(0);
header->arcount = htons(0);
+ header->hb3 &= ~HB3_TC;
}
/* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
serveraddr.in6.sin6_flowinfo = 0;
#endif
+ header = (struct dns_header *)daemon->packet;
+
+ if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
+ return;
+
/* spoof check: answer must come from known server, */
for (server = daemon->servers; server; server = server->next)
if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
sockaddr_isequal(&server->addr, &serveraddr))
break;
-
- header = (struct dns_header *)daemon->packet;
-
+
+ if (!server)
+ return;
+
#ifdef HAVE_DNSSEC
hash = hash_questions(header, n, daemon->namebuff);
#else
crc = questions_crc(header, n, daemon->namebuff);
#endif
- if (!server ||
- n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
- !(forward = lookup_frec(ntohs(header->id), hash)))
+ if (!(forward = lookup_frec(ntohs(header->id), hash)))
+ return;
+
+ /* log_query gets called indirectly all over the place, so
+ pass these in global variables - sorry. */
+ daemon->log_display_id = forward->log_id;
+ daemon->log_source_addr = &forward->source;
+
+ if (daemon->ignore_addr && RCODE(header) == NOERROR &&
+ check_for_ignored_address(header, n, daemon->ignore_addr))
return;
- if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
+ if (RCODE(header) == REFUSED &&
!option_bool(OPT_ORDER) &&
forward->forwardall == 0)
/* for broken servers, attempt to send to another one. */
if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
{
header->hb3 &= ~(HB3_QR | HB3_TC);
- forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0);
+ forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
return;
}
}
}
server = forward->sentto;
-
if ((forward->sentto->flags & SERV_TYPE) == 0)
{
- if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
+ if (RCODE(header) == REFUSED)
server = NULL;
else
{
if (!option_bool(OPT_ALL_SERVERS))
daemon->last_server = server;
}
-
+
+ /* We tried resending to this server with a smaller maximum size and got an answer.
+ Make that permanent. To avoid reduxing the packet size for an single dropped packet,
+ only do this when we get a truncated answer, or one larger than the safe size. */
+ if (server && (forward->flags & FREC_TEST_PKTSZ) &&
+ ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
+ server->edns_pktsz = SAFE_PKTSZ;
+
/* If the answer is an error, keep the forward record in place in case
we get a good reply from another server. Kill it when we've
had replies from all to avoid filling the forwarding table when
everything is broken */
- if (forward->forwardall == 0 || --forward->forwardall == 1 ||
- (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
+ if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
{
- int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
+ int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
if (option_bool(OPT_NO_REBIND))
check_rebind = !(forward->flags & FREC_NOREBIND);
no_cache_dnssec = 1;
#ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
+ if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
{
int status;
else if (forward->flags & FREC_DNSKEY_QUERY)
status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
else if (forward->flags & FREC_DS_QUERY)
- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ {
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ /* Provably no DS, everything below is insecure, even if signatures are offered */
+ if (status == STAT_NO_DS)
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE_DS;
+ else if (status == STAT_NO_NS)
+ status = STAT_BOGUS;
+ }
+ else if (forward->flags & FREC_CHECK_NOSIGN)
+ {
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ if (status != STAT_NEED_KEY)
+ status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
+ }
else
- status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
-
+ {
+ status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
+ if (status == STAT_NO_SIG)
+ {
+ if (option_bool(OPT_DNSSEC_NO_SIGN))
+ status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
+ else
+ status = STAT_INSECURE;
+ }
+ }
/* Can't validate, as we're missing key data. Put this
answer aside, whilst we get that. */
- if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
+ if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
{
struct frec *new, *orig;
*new = *forward; /* copy everything, then overwrite */
new->next = next;
new->blocking_query = NULL;
+ new->sentto = server;
new->rfd4 = NULL;
+ new->orig_domain = NULL;
#ifdef HAVE_IPV6
new->rfd6 = NULL;
#endif
- new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
+ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
new->dependent = forward; /* to find query awaiting new one. */
forward->blocking_query = new; /* for garbage cleaning */
{
new->flags |= FREC_DNSKEY_QUERY;
nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
- daemon->keyname, forward->class, T_DNSKEY, &server->addr);
+ daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
}
else
{
- new->flags |= FREC_DS_QUERY;
+ if (status == STAT_NEED_DS_NEG)
+ new->flags |= FREC_CHECK_NOSIGN;
+ else
+ new->flags |= FREC_DS_QUERY;
nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
- daemon->keyname, forward->class, T_DS, &server->addr);
+ daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
}
if ((hash = hash_questions(header, nn, daemon->namebuff)))
memcpy(new->hash, hash, HASH_SIZE);
new->new_id = get_id();
header->id = htons(new->new_id);
/* Save query for retransmission */
- new->stash = blockdata_alloc((char *)header, nn);
+ if (!(new->stash = blockdata_alloc((char *)header, nn)))
+ return;
+
new->stash_len = nn;
/* Don't resend this. */
if (fd != -1)
{
- while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
+ while (retry_send(sendto(fd, (char *)header, nn, 0,
+ &server->addr.sa,
+ sa_len(&server->addr))));
server->queries++;
}
if (forward->flags & FREC_DNSKEY_QUERY)
status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
else if (forward->flags & FREC_DS_QUERY)
- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ {
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ /* Provably no DS, everything below is insecure, even if signatures are offered */
+ if (status == STAT_NO_DS)
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE_DS;
+ else if (status == STAT_NO_NS)
+ status = STAT_BOGUS;
+ }
+ else if (forward->flags & FREC_CHECK_NOSIGN)
+ {
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ if (status != STAT_NEED_KEY)
+ status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
+ }
else
- status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
-
- if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
+ {
+ status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
+ if (status == STAT_NO_SIG)
+ {
+ if (option_bool(OPT_DNSSEC_NO_SIGN))
+ status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
+ else
+ status = STAT_INSECURE;
+ }
+ }
+
+ if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
goto anotherkey;
}
}
+ no_cache_dnssec = 0;
+
+ if (status == STAT_INSECURE_DS)
+ {
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE;
+ no_cache_dnssec = 1;
+ }
+
if (status == STAT_TRUNCATED)
header->hb3 |= HB3_TC;
else
{
- char *result;
+ char *result, *domain = "result";
if (forward->work_counter == 0)
- result = "ABANDONED";
+ {
+ result = "ABANDONED";
+ status = STAT_BOGUS;
+ }
else
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+ if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
}
- no_cache_dnssec = 0;
-
if (status == STAT_SECURE)
cache_secure = 1;
else if (status == STAT_BOGUS)
- no_cache_dnssec = 1;
+ {
+ no_cache_dnssec = 1;
+ bogusanswer = 1;
+ }
}
#endif
else
header->hb4 &= ~HB4_CD;
- if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
- forward->flags & FREC_AD_QUESTION, forward->flags & FREC_HAS_SUBNET, &forward->source)))
+ if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
+ forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
+ forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
{
header->id = htons(forward->orig_id);
header->hb4 |= HB4_RA; /* recursion if available */
/* packet buffer overwritten */
daemon->srv_save = NULL;
- dst_addr_4.s_addr = 0;
+ dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
netmask.s_addr = 0;
if (option_bool(OPT_NOWILD) && listen->iface)
if (listen->family == AF_INET)
{
- dst_addr_4 = listen->iface->addr.in.sin_addr;
+ dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
netmask = listen->iface->netmask;
}
}
return;
source_addr.sa.sa_family = listen->family;
+
+ if (listen->family == AF_INET)
+ {
+ /* Source-port == 0 is an error, we can't send back to that.
+ http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
+ if (source_addr.in.sin_port == 0)
+ return;
+ }
#ifdef HAVE_IPV6
- if (listen->family == AF_INET6)
- source_addr.in6.sin6_flowinfo = 0;
+ else
+ {
+ /* Source-port == 0 is an error, we can't send back to that. */
+ if (source_addr.in6.sin6_port == 0)
+ return;
+ source_addr.in6.sin6_flowinfo = 0;
+ }
#endif
-
+
+ /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
+ if (option_bool(OPT_LOCAL_SERVICE))
+ {
+ struct addrlist *addr;
+#ifdef HAVE_IPV6
+ if (listen->family == AF_INET6)
+ {
+ for (addr = daemon->interface_addrs; addr; addr = addr->next)
+ if ((addr->flags & ADDRLIST_IPV6) &&
+ is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
+ break;
+ }
+ else
+#endif
+ {
+ struct in_addr netmask;
+ for (addr = daemon->interface_addrs; addr; addr = addr->next)
+ {
+ netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
+ if (!(addr->flags & ADDRLIST_IPV6) &&
+ is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
+ break;
+ }
+ }
+ if (!addr)
+ {
+ static int warned = 0;
+ if (!warned)
+ {
+ my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
+ warned = 1;
+ }
+ return;
+ }
+ }
+
if (check_dst)
{
struct ifreq ifr;
dst_addr_4.s_addr = 0;
}
}
+
+ /* log_query gets called indirectly all over the place, so
+ pass these in global variables - sorry. */
+ daemon->log_display_id = ++daemon->log_id;
+ daemon->log_source_addr = &source_addr;
if (extract_request(header, (size_t)n, daemon->namebuff, &type))
{
break;
}
#endif
+
+#ifdef HAVE_LOOP
+ /* Check for forwarding loop */
+ if (detect_loop(daemon->namebuff, type))
+ return;
+#endif
}
#ifdef HAVE_AUTH
else
#endif
{
- int ad_reqd;
+ int ad_reqd, do_bit;
m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
- dst_addr_4, netmask, now, &ad_reqd);
+ dst_addr_4, netmask, now, &ad_reqd, &do_bit);
if (m >= 1)
{
daemon->local_answer++;
}
else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
- header, (size_t)n, now, NULL, ad_reqd))
+ header, (size_t)n, now, NULL, ad_reqd, do_bit))
daemon->queries_forwarded++;
else
daemon->local_answer++;
}
#ifdef HAVE_DNSSEC
+
+/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
+ and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
+ STAT_NEED_DS_NEG and keyname if we need to do the query. */
+static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
+ char *name, char *keyname)
+{
+ int status = dnssec_chase_cname(now, header, plen, name, keyname);
+
+ if (status != STAT_INSECURE)
+ return status;
+
+ /* Store the domain we're trying to check. */
+ forward->name_start = strlen(name);
+ forward->name_len = forward->name_start + 1;
+ if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
+ return STAT_BOGUS;
+
+ return do_check_sign(forward, 0, now, name, keyname);
+}
+
+/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
+static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
+{
+ /* get domain we're checking back from blockdata store, it's stored on the original query. */
+ while (forward->dependent)
+ forward = forward->dependent;
+
+ blockdata_retrieve(forward->orig_domain, forward->name_len, name);
+
+ while (1)
+ {
+ char *p;
+
+ if (status == 0)
+ {
+ struct crec *crecp;
+
+ /* Haven't received answer, see if in cache */
+ if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
+ {
+ /* put name of DS record we're missing into keyname */
+ strcpy(keyname, &name[forward->name_start]);
+ /* and wait for reply to arrive */
+ return STAT_NEED_DS_NEG;
+ }
+
+ /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
+ if (!(crecp->flags & F_NEG))
+ status = STAT_SECURE;
+ else if (crecp->flags & F_DNSSECOK)
+ status = STAT_NO_DS;
+ else
+ status = STAT_NO_NS;
+ }
+
+ /* Have entered non-signed part of DNS tree. */
+ if (status == STAT_NO_DS)
+ return STAT_INSECURE;
+
+ if (status == STAT_BOGUS)
+ return STAT_BOGUS;
+
+ /* There's a proven DS record, or we're within a zone, where there doesn't need
+ to be a DS record. Add a name and try again.
+ If we've already tried the whole name, then fail */
+
+ if (forward->name_start == 0)
+ return STAT_BOGUS;
+
+ for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
+
+ if (p != name)
+ p++;
+
+ forward->name_start = p - name;
+ status = 0; /* force to cache when we iterate. */
+ }
+}
+
+/* Move down from the root, until we find a signed non-existance of a DS, in which case
+ an unsigned answer is OK, or we find a signed DS, in which case there should be
+ a signature, and the answer is BOGUS */
+static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
+ char *keyname, struct server *server, int *keycount)
+{
+ size_t m;
+ unsigned char *packet, *payload;
+ u16 *length;
+ int status, name_len;
+ struct blockdata *block;
+
+ char *name_start;
+
+ /* Get first insecure entry in CNAME chain */
+ status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
+ if (status == STAT_BOGUS)
+ return STAT_BOGUS;
+
+ if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
+ return STAT_BOGUS;
+
+ payload = &packet[2];
+ header = (struct dns_header *)payload;
+ length = (u16 *)packet;
+
+ /* Stash the name away, since the buffer will be trashed when we recurse */
+ name_len = strlen(name) + 1;
+ name_start = name + name_len - 1;
+
+ if (!(block = blockdata_alloc(name, name_len)))
+ {
+ free(packet);
+ return STAT_BOGUS;
+ }
+
+ while (1)
+ {
+ unsigned char c1, c2;
+ struct crec *crecp;
+
+ if (--(*keycount) == 0)
+ {
+ free(packet);
+ blockdata_free(block);
+ return STAT_BOGUS;
+ }
+
+ while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
+ {
+ if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
+ {
+ /* Found a secure denial of DS - delegation is indeed insecure */
+ free(packet);
+ blockdata_free(block);
+ return STAT_INSECURE;
+ }
+
+ /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
+ Add another label and continue. */
+
+ if (name_start == name)
+ {
+ free(packet);
+ blockdata_free(block);
+ return STAT_BOGUS; /* run out of labels */
+ }
+
+ name_start -= 2;
+ while (*name_start != '.' && name_start != name)
+ name_start--;
+ if (name_start != name)
+ name_start++;
+ }
+
+ /* Can't find it in the cache, have to send a query */
+
+ m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz);
+
+ *length = htons(m);
+
+ if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
+ read_write(server->tcpfd, &c1, 1, 1) &&
+ read_write(server->tcpfd, &c2, 1, 1) &&
+ read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
+ {
+ m = (c1 << 8) | c2;
+
+ /* Note this trashes all three name workspaces */
+ status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
+
+ if (status == STAT_NO_DS)
+ {
+ /* Found a secure denial of DS - delegation is indeed insecure */
+ free(packet);
+ blockdata_free(block);
+ return STAT_INSECURE;
+ }
+
+ if (status == STAT_BOGUS)
+ {
+ free(packet);
+ blockdata_free(block);
+ return STAT_BOGUS;
+ }
+
+ /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
+ Add another label and continue. */
+
+ /* Get name we're checking back. */
+ blockdata_retrieve(block, name_len, name);
+
+ if (name_start == name)
+ {
+ free(packet);
+ blockdata_free(block);
+ return STAT_BOGUS; /* run out of labels */
+ }
+
+ name_start -= 2;
+ while (*name_start != '.' && name_start != name)
+ name_start--;
+ if (name_start != name)
+ name_start++;
+ }
+ else
+ {
+ /* IO failure */
+ free(packet);
+ blockdata_free(block);
+ return STAT_BOGUS; /* run out of labels */
+ }
+ }
+}
+
static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
int class, char *name, char *keyname, struct server *server, int *keycount)
{
if (status == STAT_NEED_KEY)
new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
- else if (status == STAT_NEED_DS)
- new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
- else
- new_status = dnssec_validate_reply(now, header, n, name, keyname, &class);
-
+ else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
+ {
+ new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
+ if (status == STAT_NEED_DS)
+ {
+ if (new_status == STAT_NO_DS)
+ new_status = STAT_INSECURE_DS;
+ else if (new_status == STAT_NO_NS)
+ new_status = STAT_BOGUS;
+ }
+ }
+ else if (status == STAT_CHASE_CNAME)
+ new_status = dnssec_chase_cname(now, header, n, name, keyname);
+ else
+ {
+ new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
+
+ if (new_status == STAT_NO_SIG)
+ {
+ if (option_bool(OPT_DNSSEC_NO_SIGN))
+ new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
+ else
+ new_status = STAT_INSECURE;
+ }
+ }
+
/* Can't validate because we need a key/DS whose name now in keyname.
Make query for same, and recurse to validate */
if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
another_tcp_key:
m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
- new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
+ new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
*length = htons(m);
{
m = (c1 << 8) | c2;
- if (tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount) == STAT_SECURE)
+ new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
+
+ if (new_status == STAT_SECURE)
{
/* Reached a validated record, now try again at this level.
Note that we may get ANOTHER NEED_* if an answer needs more than one key.
if (status == STAT_NEED_KEY)
new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
- else if (status == STAT_NEED_DS)
- new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
- else
- new_status = dnssec_validate_reply(now, header, n, name, keyname, &class);
-
+ else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
+ {
+ new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
+ if (status == STAT_NEED_DS)
+ {
+ if (new_status == STAT_NO_DS)
+ new_status = STAT_INSECURE_DS;
+ else if (new_status == STAT_NO_NS)
+ new_status = STAT_BOGUS; /* Validated no DS */
+ }
+ }
+ else if (status == STAT_CHASE_CNAME)
+ new_status = dnssec_chase_cname(now, header, n, name, keyname);
+ else
+ {
+ new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
+
+ if (new_status == STAT_NO_SIG)
+ {
+ if (option_bool(OPT_DNSSEC_NO_SIGN))
+ new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
+ else
+ new_status = STAT_INSECURE;
+ }
+ }
+
if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
goto another_tcp_key;
}
}
-
+
free(packet);
}
-
return new_status;
}
#endif
#ifdef HAVE_AUTH
int local_auth = 0;
#endif
- int checking_disabled, ad_question, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
+ int checking_disabled, ad_question, do_bit, added_pheader = 0;
+ int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
size_t m;
unsigned short qtype;
unsigned int gotname;
struct in_addr dst_addr_4;
union mysockaddr peer_addr;
socklen_t peer_len = sizeof(union mysockaddr);
-
+ int query_count = 0;
+
if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
return packet;
+
+ /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
+ if (option_bool(OPT_LOCAL_SERVICE))
+ {
+ struct addrlist *addr;
+#ifdef HAVE_IPV6
+ if (peer_addr.sa.sa_family == AF_INET6)
+ {
+ for (addr = daemon->interface_addrs; addr; addr = addr->next)
+ if ((addr->flags & ADDRLIST_IPV6) &&
+ is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
+ break;
+ }
+ else
+#endif
+ {
+ struct in_addr netmask;
+ for (addr = daemon->interface_addrs; addr; addr = addr->next)
+ {
+ netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
+ if (!(addr->flags & ADDRLIST_IPV6) &&
+ is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
+ break;
+ }
+ }
+ if (!addr)
+ {
+ my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
+ return packet;
+ }
+ }
while (1)
{
- if (!packet ||
+ if (query_count == TCP_MAX_QUERIES ||
+ !packet ||
!read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
!(size = c1 << 8 | c2) ||
!read_write(confd, payload, size, 1))
if (size < (int)sizeof(struct dns_header))
continue;
+ query_count++;
+
+ /* log_query gets called indirectly all over the place, so
+ pass these in global variables - sorry. */
+ daemon->log_display_id = ++daemon->log_id;
+ daemon->log_source_addr = &peer_addr;
+
check_subnet = 0;
/* save state of "cd" flag in query */
{
/* m > 0 if answered from cache */
m = answer_request(header, ((char *) header) + 65536, (size_t)size,
- dst_addr_4, netmask, now, &ad_question);
+ dst_addr_4, netmask, now, &ad_question, &do_bit);
/* Do this by steam now we're not in the select() loop */
check_log_writer(NULL);
struct server *firstsendto = NULL;
#ifdef HAVE_DNSSEC
unsigned char *newhash, hash[HASH_SIZE];
- if ((newhash = hash_questions(header, (unsigned int)size, daemon->keyname)))
+ if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
memcpy(hash, newhash, HASH_SIZE);
+ else
+ memset(hash, 0, HASH_SIZE);
#else
unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
#endif
/* server for wrong domain */
if (type != (last_server->flags & SERV_TYPE) ||
- (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
+ (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
+ (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
continue;
if (last_server->tcpfd == -1)
if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
continue;
- if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
- connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
- {
- close(last_server->tcpfd);
- last_server->tcpfd = -1;
- continue;
- }
-
-#ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID))
- {
- size = add_do_bit(header, size, ((char *) header) + 65536);
- /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
- this allows it to select auth servers when one is returning bad data. */
- if (option_bool(OPT_DNSSEC_DEBUG))
- header->hb4 |= HB4_CD;
- }
-#endif
-
#ifdef HAVE_CONNTRACK
/* Copy connection mark of incoming query to outgoing connection. */
if (option_bool(OPT_CONNTRACK))
setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
}
#endif
+
+ if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
+ connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
+ {
+ close(last_server->tcpfd);
+ last_server->tcpfd = -1;
+ continue;
+ }
+
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+ size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
+
+ /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
+ this allows it to select auth servers when one is returning bad data. */
+ if (option_bool(OPT_DNSSEC_DEBUG))
+ header->hb4 |= HB4_CD;
+
+ if (size != new_size)
+ added_pheader = 1;
+
+ size = new_size;
+ }
+#endif
}
*length = htons(size);
+
+ /* get query name again for logging - may have been overwritten */
+ if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
+ strcpy(daemon->namebuff, "query");
if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
!read_write(last_server->tcpfd, &c1, 1, 1) ||
m = (c1 << 8) | c2;
- if (!gotname)
- strcpy(daemon->namebuff, "query");
if (last_server->addr.sa.sa_family == AF_INET)
log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
(struct all_addr *)&last_server->addr.in.sin_addr, NULL);
{
int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
- char *result;
+ char *result, *domain = "result";
+ if (status == STAT_INSECURE_DS)
+ {
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE;
+ no_cache_dnssec = 1;
+ }
+
if (keycount == 0)
- result = "ABANDONED";
+ {
+ result = "ABANDONED";
+ status = STAT_BOGUS;
+ }
else
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+ if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
if (status == STAT_BOGUS)
- no_cache_dnssec = 1;
-
+ {
+ no_cache_dnssec = 1;
+ bogusanswer = 1;
+ }
+
if (status == STAT_SECURE)
cache_secure = 1;
}
#endif
m = process_reply(header, now, last_server, (unsigned int)m,
- option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
- cache_secure, ad_question, check_subnet, &peer_addr);
+ option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
+ ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
break;
}
f->dependent = NULL;
f->blocking_query = NULL;
f->stash = NULL;
+ f->orig_domain = NULL;
#endif
daemon->frec_list = f;
}
return f;
}
-static struct randfd *allocate_rfd(int family)
+struct randfd *allocate_rfd(int family)
{
static int finger = 0;
int i;
return NULL; /* doom */
}
+
+void free_rfd(struct randfd *rfd)
+{
+ if (rfd && --(rfd->refcount) == 0)
+ close(rfd->fd);
+}
+
static void free_frec(struct frec *f)
{
- if (f->rfd4 && --(f->rfd4->refcount) == 0)
- close(f->rfd4->fd);
-
+ free_rfd(f->rfd4);
f->rfd4 = NULL;
f->sentto = NULL;
f->flags = 0;
#ifdef HAVE_IPV6
- if (f->rfd6 && --(f->rfd6->refcount) == 0)
- close(f->rfd6->fd);
-
+ free_rfd(f->rfd6);
f->rfd6 = NULL;
#endif
f->stash = NULL;
}
+ if (f->orig_domain)
+ {
+ blockdata_free(f->orig_domain);
+ f->orig_domain = NULL;
+ }
+
/* Anything we're waiting on is pointless now, too */
if (f->blocking_query)
free_frec(f->blocking_query);
return NULL;
}
+
+/* Send query packet again, if we can. */
+void resend_query()
+{
+ if (daemon->srv_save)
+ {
+ int fd;
+
+ if (daemon->srv_save->sfd)
+ fd = daemon->srv_save->sfd->fd;
+ else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
+ fd = daemon->rfd_save->fd;
+ else
+ return;
+
+ while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
+ &daemon->srv_save->addr.sa,
+ sa_len(&daemon->srv_save->addr))));
+ }
+}
/* A server record is going away, remove references to it */
void server_gone(struct server *server)
projects / people / ms / dnsmasq.git / blobdiff