Reset the TCP connection when garbage is received

When invalid DNS message is received, there was a handling mechanism for
DoH that would be called to return proper HTTP response.

Reuse this mechanism and reset the TCP connection when the client is
blackholed, DNS message is completely bogus or the ns_client receives
response instead of query.

diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 188d90340e20c850320cfb5d8e7fd932262a0911..4f8db118ea3fc0904ec85f25131aeb43d65cc464 100644 (file)
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -1247,6 +1247,12 @@ isc__nmsocket_shutdown(isc_nmsocket_t *sock);
  * callbacks.
  */
 
+void
+isc__nmsocket_reset(isc_nmsocket_t *sock);
+/*%<
+ * Reset and close the socket.
+ */
+
 bool
 isc__nmsocket_active(isc_nmsocket_t *sock);
 /*%<

diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index ddcfe23276e2647c3a84be2459e3c5681b9b8ba8..409838befd81aacacc69f41ebcb3fbab9f88afea 100644 (file)
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1835,9 +1835,6 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
        }
 }
 
-void
-isc__nmsocket_shutdown(isc_nmsocket_t *sock);
-
 static void
 nmhandle_detach_cb(isc_nmhandle_t **handlep FLARG) {
        isc_nmsocket_t *sock = NULL;
@@ -2085,11 +2082,7 @@ isc__nmsocket_writetimeout_cb(uv_timer_t *timer) {
        int r = uv_timer_stop(&sock->write_timer);
        UV_RUNTIME_CHECK(uv_timer_stop, r);
 
-       /* The shutdown will be handled in the respective close functions */
-       r = uv_tcp_close_reset(&sock->uv_handle.tcp, NULL);
-       UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
-
-       isc__nmsocket_shutdown(sock);
+       isc__nmsocket_reset(sock);
 }
 
 void
@@ -2902,6 +2895,32 @@ isc__nm_async_detach(isc__networker_t *worker, isc__netievent_t *ev0) {
        nmhandle_detach_cb(&ievent->handle FLARG_PASS);
 }
 
+void
+isc__nmsocket_reset(isc_nmsocket_t *sock) {
+       REQUIRE(VALID_NMSOCK(sock));
+
+       switch (sock->type) {
+       case isc_nm_tcpdnssocket:
+       case isc_nm_tlsdnssocket:
+               REQUIRE(sock->parent == NULL);
+               break;
+       default:
+               INSIST(0);
+               ISC_UNREACHABLE();
+               break;
+       }
+
+       if (!uv_is_closing(&sock->uv_handle.handle)) {
+               /*
+                * The real shutdown will be handled in the respective
+                * close functions.
+                */
+               int r = uv_tcp_close_reset(&sock->uv_handle.tcp, NULL);
+               UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
+       }
+       isc__nmsocket_shutdown(sock);
+}
+
 void
 isc__nmsocket_shutdown(isc_nmsocket_t *sock) {
        REQUIRE(VALID_NMSOCK(sock));
@@ -3467,25 +3486,26 @@ isc_nm_sequential(isc_nmhandle_t *handle) {
 
 void
 isc_nm_bad_request(isc_nmhandle_t *handle) {
-       isc_nmsocket_t *sock;
+       isc_nmsocket_t *sock = NULL;
 
        REQUIRE(VALID_NMHANDLE(handle));
        REQUIRE(VALID_NMSOCK(handle->sock));
 
        sock = handle->sock;
-       switch (sock->type) {
-#if HAVE_LIBNGHTTP2
-       case isc_nm_httpsocket:
-               isc__nm_http_bad_request(handle);
-               break;
-#endif /* HAVE_LIBNGHTTP2 */
 
+       switch (sock->type) {
        case isc_nm_udpsocket:
+               return;
        case isc_nm_tcpdnssocket:
        case isc_nm_tlsdnssocket:
+               REQUIRE(sock->parent == NULL);
+               isc__nmsocket_reset(sock);
                return;
-               break;
-
+#if HAVE_LIBNGHTTP2
+       case isc_nm_httpsocket:
+               isc__nm_http_bad_request(handle);
+               return;
+#endif /* HAVE_LIBNGHTTP2 */
        case isc_nm_tcpsocket:
 #if HAVE_LIBNGHTTP2
        case isc_nm_tlssocket:

diff --git a/lib/ns/client.c b/lib/ns/client.c
index e48eb56322163a4c8cc19c0c5c98a22c54f99356..214c83fedf1a581e22255537a67ae2d2e5e2ff14 100644 (file)
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1822,6 +1822,9 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
                 * There isn't enough header to determine whether
                 * this was a request or a response.  Drop it.
                 */
+               ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+                             NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+                             "dropped request: invalid message header");
                isc_nm_bad_request(handle);
                return;
        }
@@ -1838,7 +1841,9 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
         * If it's a TCP response, discard it here.
         */
        if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
-               CTRACE("unexpected response");
+               ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+                             NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+                             "dropped request: unexpected response");
                isc_nm_bad_request(handle);
                return;
        }