search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dnsmasq: update to 2.73 (23.06.2015)
[tomato.git] / release / src / router / dnsmasq / src / forward.c
blob506454a62a8c79a6fed80e90379ff3375f4ffa5c
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, void *hash);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 void *hash);
23 static unsigned short get_id(void);
24 static void free_frec(struct frec *f);
25
26 #ifdef HAVE_DNSSEC
27 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
29 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
30 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
31 char *name, char *keyname);
32 #endif
33
34
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd, int nowild, char *packet, size_t len,
38 union mysockaddr *to, struct all_addr *source,
39 unsigned int iface)
40 {
41 struct msghdr msg;
42 struct iovec iov[1];
43 union {
44 struct cmsghdr align; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
47 #elif defined(IP_SENDSRCADDR)
48 char control[CMSG_SPACE(sizeof(struct in_addr))];
49 #endif
50 #ifdef HAVE_IPV6
51 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
52 #endif
53 } control_u;
54
55 iov[0].iov_base = packet;
56 iov[0].iov_len = len;
57
58 msg.msg_control = NULL;
59 msg.msg_controllen = 0;
60 msg.msg_flags = 0;
61 msg.msg_name = to;
62 msg.msg_namelen = sa_len(to);
63 msg.msg_iov = iov;
64 msg.msg_iovlen = 1;
65
66 if (!nowild)
67 {
68 struct cmsghdr *cmptr;
69 msg.msg_control = &control_u;
70 msg.msg_controllen = sizeof(control_u);
71 cmptr = CMSG_FIRSTHDR(&msg);
72
73 if (to->sa.sa_family == AF_INET)
74 {
75 #if defined(HAVE_LINUX_NETWORK)
76 struct in_pktinfo p;
77 p.ipi_ifindex = 0;
78 p.ipi_spec_dst = source->addr.addr4;
79 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
80 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
81 cmptr->cmsg_level = IPPROTO_IP;
82 cmptr->cmsg_type = IP_PKTINFO;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
85 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
86 cmptr->cmsg_level = IPPROTO_IP;
87 cmptr->cmsg_type = IP_SENDSRCADDR;
88 #endif
89 }
90 else
91 #ifdef HAVE_IPV6
92 {
93 struct in6_pktinfo p;
94 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
95 p.ipi6_addr = source->addr.addr6;
96 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
97 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
98 cmptr->cmsg_type = daemon->v6pktinfo;
99 cmptr->cmsg_level = IPPROTO_IPV6;
100 }
101 #else
102 (void)iface; /* eliminate warning */
103 #endif
104 }
105
106 while (retry_send(sendmsg(fd, &msg, 0)));
107
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno != 0 && errno != EINVAL)
110 {
111 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
112 return 0;
113 }
114
115 return 1;
116 }
117
118 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
119 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
120
121 {
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
125
126 unsigned int namelen = strlen(qdomain);
127 unsigned int matchlen = 0;
128 struct server *serv;
129 unsigned int flags = 0;
130
131 for (serv = daemon->servers; serv; serv=serv->next)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
134 {
135 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
136 *type = SERV_FOR_NODOTS;
137 if (serv->flags & SERV_NO_ADDR)
138 flags = F_NXDOMAIN;
139 else if (serv->flags & SERV_LITERAL_ADDRESS)
140 {
141 if (sflag & qtype)
142 {
143 flags = sflag;
144 if (serv->addr.sa.sa_family == AF_INET)
145 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
146 #ifdef HAVE_IPV6
147 else
148 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
149 #endif
150 }
151 else if (!flags || (flags & F_NXDOMAIN))
152 flags = F_NOERR;
153 }
154 }
155 else if (serv->flags & SERV_HAS_DOMAIN)
156 {
157 unsigned int domainlen = strlen(serv->domain);
158 char *matchstart = qdomain + namelen - domainlen;
159 if (namelen >= domainlen &&
160 hostname_isequal(matchstart, serv->domain) &&
161 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
162 {
163 if (serv->flags & SERV_NO_REBIND)
164 *norebind = 1;
165 else
166 {
167 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen != 0 && domainlen == matchlen)
172 {
173 if ((serv->flags & SERV_LITERAL_ADDRESS))
174 {
175 if (!(sflag & qtype) && flags == 0)
176 continue;
177 }
178 else
179 {
180 if (flags & (F_IPV4 | F_IPV6))
181 continue;
182 }
183 }
184
185 if (domainlen >= matchlen)
186 {
187 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
188 *domain = serv->domain;
189 matchlen = domainlen;
190 if (serv->flags & SERV_NO_ADDR)
191 flags = F_NXDOMAIN;
192 else if (serv->flags & SERV_LITERAL_ADDRESS)
193 {
194 if (sflag & qtype)
195 {
196 flags = sflag;
197 if (serv->addr.sa.sa_family == AF_INET)
198 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
199 #ifdef HAVE_IPV6
200 else
201 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
202 #endif
203 }
204 else if (!flags || (flags & F_NXDOMAIN))
205 flags = F_NOERR;
206 }
207 else
208 flags = 0;
209 }
210 }
211 }
212 }
213
214 if (flags == 0 && !(qtype & F_QUERY) &&
215 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
217 flags = F_NOERR;
218
219 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
220 flags = F_NOERR;
221
222 if (flags)
223 {
224 int logflags = 0;
225
226 if (flags == F_NXDOMAIN || flags == F_NOERR)
227 logflags = F_NEG | qtype;
228
229 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
230 }
231 else if ((*type) & SERV_USE_RESOLV)
232 {
233 *type = 0; /* use normal servers for this domain */
234 *domain = NULL;
235 }
236 return flags;
237 }
238
239 static int forward_query(int udpfd, union mysockaddr *udpaddr,
240 struct all_addr *dst_addr, unsigned int dst_iface,
241 struct dns_header *header, size_t plen, time_t now,
242 struct frec *forward, int ad_reqd, int do_bit)
243 {
244 char *domain = NULL;
245 int type = 0, norebind = 0;
246 struct all_addr *addrp = NULL;
247 unsigned int flags = 0;
248 struct server *start = NULL;
249 #ifdef HAVE_DNSSEC
250 void *hash = hash_questions(header, plen, daemon->namebuff);
251 #else
252 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
253 void *hash = &crc;
254 #endif
255 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
256 unsigned char *pheader;
257
258 (void)do_bit;
259
260 /* may be no servers available. */
261 if (!daemon->servers)
262 forward = NULL;
263 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
264 {
265 /* If we didn't get an answer advertising a maximal packet in EDNS,
266 fall back to 1280, which should work everywhere on IPv6.
267 If that generates an answer, it will become the new default
268 for this server */
269 forward->flags |= FREC_TEST_PKTSZ;
270
271 #ifdef HAVE_DNSSEC
272 /* If we've already got an answer to this query, but we're awaiting keys for validation,
273 there's no point retrying the query, retry the key query instead...... */
274 if (forward->blocking_query)
275 {
276 int fd;
277
278 forward->flags &= ~FREC_TEST_PKTSZ;
279
280 while (forward->blocking_query)
281 forward = forward->blocking_query;
282
283 forward->flags |= FREC_TEST_PKTSZ;
284
285 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
286 plen = forward->stash_len;
287
288 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
289 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader);
290
291 if (forward->sentto->addr.sa.sa_family == AF_INET)
292 log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
293 #ifdef HAVE_IPV6
294 else
295 log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
296 #endif
297
298 if (forward->sentto->sfd)
299 fd = forward->sentto->sfd->fd;
300 else
301 {
302 #ifdef HAVE_IPV6
303 if (forward->sentto->addr.sa.sa_family == AF_INET6)
304 fd = forward->rfd6->fd;
305 else
306 #endif
307 fd = forward->rfd4->fd;
308 }
309
310 while (retry_send( sendto(fd, (char *)header, plen, 0,
311 &forward->sentto->addr.sa,
312 sa_len(&forward->sentto->addr))));
313
314 return 1;
315 }
316 #endif
317
318 /* retry on existing query, send to all available servers */
319 domain = forward->sentto->domain;
320 forward->sentto->failed_queries++;
321 if (!option_bool(OPT_ORDER))
322 {
323 forward->forwardall = 1;
324 daemon->last_server = NULL;
325 }
326 type = forward->sentto->flags & SERV_TYPE;
327 if (!(start = forward->sentto->next))
328 start = daemon->servers; /* at end of list, recycle */
329 header->id = htons(forward->new_id);
330 }
331 else
332 {
333 if (gotname)
334 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
335
336 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
337 /* table full - server failure. */
338 flags = F_NEG;
339
340 if (forward)
341 {
342 forward->source = *udpaddr;
343 forward->dest = *dst_addr;
344 forward->iface = dst_iface;
345 forward->orig_id = ntohs(header->id);
346 forward->new_id = get_id();
347 forward->fd = udpfd;
348 memcpy(forward->hash, hash, HASH_SIZE);
349 forward->forwardall = 0;
350 forward->flags = 0;
351 if (norebind)
352 forward->flags |= FREC_NOREBIND;
353 if (header->hb4 & HB4_CD)
354 forward->flags |= FREC_CHECKING_DISABLED;
355 if (ad_reqd)
356 forward->flags |= FREC_AD_QUESTION;
357 #ifdef HAVE_DNSSEC
358 forward->work_counter = DNSSEC_WORK;
359 if (do_bit)
360 forward->flags |= FREC_DO_QUESTION;
361 #endif
362
363 header->id = htons(forward->new_id);
364
365 /* In strict_order mode, always try servers in the order
366 specified in resolv.conf, if a domain is given
367 always try all the available servers,
368 otherwise, use the one last known to work. */
369
370 if (type == 0)
371 {
372 if (option_bool(OPT_ORDER))
373 start = daemon->servers;
374 else if (!(start = daemon->last_server) ||
375 daemon->forwardcount++ > FORWARD_TEST ||
376 difftime(now, daemon->forwardtime) > FORWARD_TIME)
377 {
378 start = daemon->servers;
379 forward->forwardall = 1;
380 daemon->forwardcount = 0;
381 daemon->forwardtime = now;
382 }
383 }
384 else
385 {
386 start = daemon->servers;
387 if (!option_bool(OPT_ORDER))
388 forward->forwardall = 1;
389 }
390 }
391 }
392
393 /* check for send errors here (no route to host)
394 if we fail to send to all nameservers, send back an error
395 packet straight away (helps modem users when offline) */
396
397 if (!flags && forward)
398 {
399 struct server *firstsentto = start;
400 int forwarded = 0;
401
402 /* If a query is retried, use the log_id for the retry when logging the answer. */
403 forward->log_id = daemon->log_id;
404
405 if (option_bool(OPT_ADD_MAC))
406 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
407
408 if (option_bool(OPT_CLIENT_SUBNET))
409 {
410 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
411 if (new != plen)
412 {
413 plen = new;
414 forward->flags |= FREC_HAS_SUBNET;
415 }
416 }
417
418 #ifdef HAVE_DNSSEC
419 if (option_bool(OPT_DNSSEC_VALID))
420 {
421 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
422
423 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
424 this allows it to select auth servers when one is returning bad data. */
425 if (option_bool(OPT_DNSSEC_DEBUG))
426 header->hb4 |= HB4_CD;
427
428 if (new_plen != plen)
429 forward->flags |= FREC_ADDED_PHEADER;
430
431 plen = new_plen;
432 }
433 #endif
434
435 while (1)
436 {
437 /* only send to servers dealing with our domain.
438 domain may be NULL, in which case server->domain
439 must be NULL also. */
440
441 if (type == (start->flags & SERV_TYPE) &&
442 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
443 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
444 {
445 int fd;
446
447 /* find server socket to use, may need to get random one. */
448 if (start->sfd)
449 fd = start->sfd->fd;
450 else
451 {
452 #ifdef HAVE_IPV6
453 if (start->addr.sa.sa_family == AF_INET6)
454 {
455 if (!forward->rfd6 &&
456 !(forward->rfd6 = allocate_rfd(AF_INET6)))
457 break;
458 daemon->rfd_save = forward->rfd6;
459 fd = forward->rfd6->fd;
460 }
461 else
462 #endif
463 {
464 if (!forward->rfd4 &&
465 !(forward->rfd4 = allocate_rfd(AF_INET)))
466 break;
467 daemon->rfd_save = forward->rfd4;
468 fd = forward->rfd4->fd;
469 }
470
471 #ifdef HAVE_CONNTRACK
472 /* Copy connection mark of incoming query to outgoing connection. */
473 if (option_bool(OPT_CONNTRACK))
474 {
475 unsigned int mark;
476 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
477 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
478 }
479 #endif
480 }
481
482 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
483 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader);
484
485 if (retry_send(sendto(fd, (char *)header, plen, 0,
486 &start->addr.sa,
487 sa_len(&start->addr))))
488 continue;
489
490 if (errno == 0)
491 {
492 /* Keep info in case we want to re-send this packet */
493 daemon->srv_save = start;
494 daemon->packet_len = plen;
495
496 if (!gotname)
497 strcpy(daemon->namebuff, "query");
498 if (start->addr.sa.sa_family == AF_INET)
499 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
500 (struct all_addr *)&start->addr.in.sin_addr, NULL);
501 #ifdef HAVE_IPV6
502 else
503 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
504 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
505 #endif
506 start->queries++;
507 forwarded = 1;
508 forward->sentto = start;
509 if (!forward->forwardall)
510 break;
511 forward->forwardall++;
512 }
513 }
514
515 if (!(start = start->next))
516 start = daemon->servers;
517
518 if (start == firstsentto)
519 break;
520 }
521
522 if (forwarded)
523 return 1;
524
525 /* could not send on, prepare to return */
526 header->id = htons(forward->orig_id);
527 free_frec(forward); /* cancel */
528 }
529
530 /* could not send on, return empty answer or address if known for whole domain */
531 if (udpfd != -1)
532 {
533 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
534 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
535 }
536
537 return 0;
538 }
539
540 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
541 int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
542 int check_subnet, union mysockaddr *query_source)
543 {
544 unsigned char *pheader, *sizep;
545 char **sets = 0;
546 int munged = 0, is_sign;
547 size_t plen;
548
549 (void)ad_reqd;
550 (void)do_bit;
551 (void)bogusanswer;
552
553 #ifdef HAVE_IPSET
554 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
555 {
556 /* Similar algorithm to search_servers. */
557 struct ipsets *ipset_pos;
558 unsigned int namelen = strlen(daemon->namebuff);
559 unsigned int matchlen = 0;
560 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
561 {
562 unsigned int domainlen = strlen(ipset_pos->domain);
563 char *matchstart = daemon->namebuff + namelen - domainlen;
564 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
565 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
566 domainlen >= matchlen)
567 {
568 matchlen = domainlen;
569 sets = ipset_pos->sets;
570 }
571 }
572 }
573 #endif
574
575 /* If upstream is advertising a larger UDP packet size
576 than we allow, trim it so that we don't get overlarge
577 requests for the client. We can't do this for signed packets. */
578
579 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
580 {
581 unsigned short udpsz;
582 unsigned char *psave = sizep;
583
584 GETSHORT(udpsz, sizep);
585
586 if (!is_sign && udpsz > daemon->edns_pktsz)
587 PUTSHORT(daemon->edns_pktsz, psave);
588
589 if (check_subnet && !check_source(header, plen, pheader, query_source))
590 {
591 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
592 return 0;
593 }
594
595 if (added_pheader)
596 {
597 pheader = 0;
598 header->arcount = htons(0);
599 }
600 }
601
602 /* RFC 4035 sect 4.6 para 3 */
603 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
604 header->hb4 &= ~HB4_AD;
605
606 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
607 return resize_packet(header, n, pheader, plen);
608
609 /* Complain loudly if the upstream server is non-recursive. */
610 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
611 server && !(server->flags & SERV_WARNED_RECURSIVE))
612 {
613 prettyprint_addr(&server->addr, daemon->namebuff);
614 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
615 if (!option_bool(OPT_LOG))
616 server->flags |= SERV_WARNED_RECURSIVE;
617 }
618
619 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
620 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
621 {
622 munged = 1;
623 SET_RCODE(header, NXDOMAIN);
624 header->hb3 &= ~HB3_AA;
625 cache_secure = 0;
626 }
627 else
628 {
629 int doctored = 0;
630
631 if (RCODE(header) == NXDOMAIN &&
632 extract_request(header, n, daemon->namebuff, NULL) &&
633 check_for_local_domain(daemon->namebuff, now))
634 {
635 /* if we forwarded a query for a locally known name (because it was for
636 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
637 since we know that the domain exists, even if upstream doesn't */
638 munged = 1;
639 header->hb3 |= HB3_AA;
640 SET_RCODE(header, NOERROR);
641 cache_secure = 0;
642 }
643
644 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
645 {
646 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
647 munged = 1;
648 cache_secure = 0;
649 }
650
651 if (doctored)
652 cache_secure = 0;
653 }
654
655 #ifdef HAVE_DNSSEC
656 if (bogusanswer && !(header->hb4 & HB4_CD))
657 {
658 if (!option_bool(OPT_DNSSEC_DEBUG))
659 {
660 /* Bogus reply, turn into SERVFAIL */
661 SET_RCODE(header, SERVFAIL);
662 munged = 1;
663 }
664 }
665
666 if (option_bool(OPT_DNSSEC_VALID))
667 header->hb4 &= ~HB4_AD;
668
669 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
670 header->hb4 |= HB4_AD;
671
672 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
673 if (!do_bit)
674 n = filter_rrsigs(header, n);
675 #endif
676
677 /* do this after extract_addresses. Ensure NODATA reply and remove
678 nameserver info. */
679
680 if (munged)
681 {
682 header->ancount = htons(0);
683 header->nscount = htons(0);
684 header->arcount = htons(0);
685 header->hb3 &= ~HB3_TC;
686 }
687
688 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
689 sections of the packet. Find the new length here and put back pseudoheader
690 if it was removed. */
691 return resize_packet(header, n, pheader, plen);
692 }
693
694 /* sets new last_server */
695 void reply_query(int fd, int family, time_t now)
696 {
697 /* packet from peer server, extract data for cache, and send to
698 original requester */
699 struct dns_header *header;
700 union mysockaddr serveraddr;
701 struct frec *forward;
702 socklen_t addrlen = sizeof(serveraddr);
703 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
704 size_t nn;
705 struct server *server;
706 void *hash;
707 #ifndef HAVE_DNSSEC
708 unsigned int crc;
709 #endif
710
711 /* packet buffer overwritten */
712 daemon->srv_save = NULL;
713
714 /* Determine the address of the server replying so that we can mark that as good */
715 serveraddr.sa.sa_family = family;
716 #ifdef HAVE_IPV6
717 if (serveraddr.sa.sa_family == AF_INET6)
718 serveraddr.in6.sin6_flowinfo = 0;
719 #endif
720
721 header = (struct dns_header *)daemon->packet;
722
723 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
724 return;
725
726 /* spoof check: answer must come from known server, */
727 for (server = daemon->servers; server; server = server->next)
728 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
729 sockaddr_isequal(&server->addr, &serveraddr))
730 break;
731
732 if (!server)
733 return;
734
735 #ifdef HAVE_DNSSEC
736 hash = hash_questions(header, n, daemon->namebuff);
737 #else
738 hash = &crc;
739 crc = questions_crc(header, n, daemon->namebuff);
740 #endif
741
742 if (!(forward = lookup_frec(ntohs(header->id), hash)))
743 return;
744
745 /* log_query gets called indirectly all over the place, so
746 pass these in global variables - sorry. */
747 daemon->log_display_id = forward->log_id;
748 daemon->log_source_addr = &forward->source;
749
750 if (daemon->ignore_addr && RCODE(header) == NOERROR &&
751 check_for_ignored_address(header, n, daemon->ignore_addr))
752 return;
753
754 if (RCODE(header) == REFUSED &&
755 !option_bool(OPT_ORDER) &&
756 forward->forwardall == 0)
757 /* for broken servers, attempt to send to another one. */
758 {
759 unsigned char *pheader;
760 size_t plen;
761 int is_sign;
762
763 /* recreate query from reply */
764 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
765 if (!is_sign)
766 {
767 header->ancount = htons(0);
768 header->nscount = htons(0);
769 header->arcount = htons(0);
770 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
771 {
772 header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC);
773 header->hb4 &= ~(HB4_RA | HB4_RCODE);
774 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
775 return;
776 }
777 }
778 }
779
780 server = forward->sentto;
781 if ((forward->sentto->flags & SERV_TYPE) == 0)
782 {
783 if (RCODE(header) == REFUSED)
784 server = NULL;
785 else
786 {
787 struct server *last_server;
788
789 /* find good server by address if possible, otherwise assume the last one we sent to */
790 for (last_server = daemon->servers; last_server; last_server = last_server->next)
791 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
792 sockaddr_isequal(&last_server->addr, &serveraddr))
793 {
794 server = last_server;
795 break;
796 }
797 }
798 if (!option_bool(OPT_ALL_SERVERS))
799 daemon->last_server = server;
800 }
801
802 /* We tried resending to this server with a smaller maximum size and got an answer.
803 Make that permanent. To avoid reduxing the packet size for an single dropped packet,
804 only do this when we get a truncated answer, or one larger than the safe size. */
805 if (server && (forward->flags & FREC_TEST_PKTSZ) &&
806 ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
807 server->edns_pktsz = SAFE_PKTSZ;
808
809 /* If the answer is an error, keep the forward record in place in case
810 we get a good reply from another server. Kill it when we've
811 had replies from all to avoid filling the forwarding table when
812 everything is broken */
813 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
814 {
815 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
816
817 if (option_bool(OPT_NO_REBIND))
818 check_rebind = !(forward->flags & FREC_NOREBIND);
819
820 /* Don't cache replies where DNSSEC validation was turned off, either
821 the upstream server told us so, or the original query specified it. */
822 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
823 no_cache_dnssec = 1;
824
825 #ifdef HAVE_DNSSEC
826 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
827 {
828 int status;
829
830 /* We've had a reply already, which we're validating. Ignore this duplicate */
831 if (forward->blocking_query)
832 return;
833
834 if (header->hb3 & HB3_TC)
835 {
836 /* Truncated answer can't be validated.
837 If this is an answer to a DNSSEC-generated query, we still
838 need to get the client to retry over TCP, so return
839 an answer with the TC bit set, even if the actual answer fits.
840 */
841 status = STAT_TRUNCATED;
842 }
843 else if (forward->flags & FREC_DNSKEY_QUERY)
844 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
845 else if (forward->flags & FREC_DS_QUERY)
846 {
847 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
848 /* Provably no DS, everything below is insecure, even if signatures are offered */
849 if (status == STAT_NO_DS)
850 /* We only cache sigs when we've validated a reply.
851 Avoid caching a reply with sigs if there's a vaildated break in the
852 DS chain, so we don't return replies from cache missing sigs. */
853 status = STAT_INSECURE_DS;
854 else if (status == STAT_NO_NS || status == STAT_NO_SIG)
855 status = STAT_BOGUS;
856 }
857 else if (forward->flags & FREC_CHECK_NOSIGN)
858 {
859 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
860 if (status != STAT_NEED_KEY)
861 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
862 }
863 else
864 {
865 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
866 if (status == STAT_NO_SIG)
867 {
868 if (option_bool(OPT_DNSSEC_NO_SIGN))
869 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
870 else
871 status = STAT_INSECURE;
872 }
873 }
874 /* Can't validate, as we're missing key data. Put this
875 answer aside, whilst we get that. */
876 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
877 {
878 struct frec *new, *orig;
879
880 /* Free any saved query */
881 if (forward->stash)
882 blockdata_free(forward->stash);
883
884 /* Now save reply pending receipt of key data */
885 if (!(forward->stash = blockdata_alloc((char *)header, n)))
886 return;
887 forward->stash_len = n;
888
889 anotherkey:
890 /* Find the original query that started it all.... */
891 for (orig = forward; orig->dependent; orig = orig->dependent);
892
893 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
894 status = STAT_INSECURE;
895 else
896 {
897 int fd;
898 struct frec *next = new->next;
899 *new = *forward; /* copy everything, then overwrite */
900 new->next = next;
901 new->blocking_query = NULL;
902 new->sentto = server;
903 new->rfd4 = NULL;
904 new->orig_domain = NULL;
905 #ifdef HAVE_IPV6
906 new->rfd6 = NULL;
907 #endif
908 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
909
910 new->dependent = forward; /* to find query awaiting new one. */
911 forward->blocking_query = new; /* for garbage cleaning */
912 /* validate routines leave name of required record in daemon->keyname */
913 if (status == STAT_NEED_KEY)
914 {
915 new->flags |= FREC_DNSKEY_QUERY;
916 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
917 daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
918 }
919 else
920 {
921 if (status == STAT_NEED_DS_NEG)
922 new->flags |= FREC_CHECK_NOSIGN;
923 else
924 new->flags |= FREC_DS_QUERY;
925 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
926 daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
927 }
928 if ((hash = hash_questions(header, nn, daemon->namebuff)))
929 memcpy(new->hash, hash, HASH_SIZE);
930 new->new_id = get_id();
931 header->id = htons(new->new_id);
932 /* Save query for retransmission */
933 if (!(new->stash = blockdata_alloc((char *)header, nn)))
934 return;
935
936 new->stash_len = nn;
937
938 /* Don't resend this. */
939 daemon->srv_save = NULL;
940
941 if (server->sfd)
942 fd = server->sfd->fd;
943 else
944 {
945 fd = -1;
946 #ifdef HAVE_IPV6
947 if (server->addr.sa.sa_family == AF_INET6)
948 {
949 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
950 fd = new->rfd6->fd;
951 }
952 else
953 #endif
954 {
955 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
956 fd = new->rfd4->fd;
957 }
958 }
959
960 if (fd != -1)
961 {
962 while (retry_send(sendto(fd, (char *)header, nn, 0,
963 &server->addr.sa,
964 sa_len(&server->addr))));
965 server->queries++;
966 }
967
968 return;
969 }
970 }
971
972 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
973 Now wind back down, pulling back answers which wouldn't previously validate
974 and validate them with the new data. Note that if an answer needs multiple
975 keys to validate, we may find another key is needed, in which case we set off
976 down another branch of the tree. Once we get to the original answer
977 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
978 while (forward->dependent)
979 {
980 struct frec *prev = forward->dependent;
981 free_frec(forward);
982 forward = prev;
983 forward->blocking_query = NULL; /* already gone */
984 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
985 n = forward->stash_len;
986
987 if (status == STAT_SECURE)
988 {
989 if (forward->flags & FREC_DNSKEY_QUERY)
990 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
991 else if (forward->flags & FREC_DS_QUERY)
992 {
993 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
994 /* Provably no DS, everything below is insecure, even if signatures are offered */
995 if (status == STAT_NO_DS)
996 /* We only cache sigs when we've validated a reply.
997 Avoid caching a reply with sigs if there's a vaildated break in the
998 DS chain, so we don't return replies from cache missing sigs. */
999 status = STAT_INSECURE_DS;
1000 else if (status == STAT_NO_NS || status == STAT_NO_SIG)
1001 status = STAT_BOGUS;
1002 }
1003 else if (forward->flags & FREC_CHECK_NOSIGN)
1004 {
1005 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1006 if (status != STAT_NEED_KEY)
1007 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
1008 }
1009 else
1010 {
1011 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
1012 if (status == STAT_NO_SIG)
1013 {
1014 if (option_bool(OPT_DNSSEC_NO_SIGN))
1015 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
1016 else
1017 status = STAT_INSECURE;
1018 }
1019 }
1020
1021 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
1022 goto anotherkey;
1023 }
1024 }
1025
1026 no_cache_dnssec = 0;
1027
1028 if (status == STAT_INSECURE_DS)
1029 {
1030 /* We only cache sigs when we've validated a reply.
1031 Avoid caching a reply with sigs if there's a vaildated break in the
1032 DS chain, so we don't return replies from cache missing sigs. */
1033 status = STAT_INSECURE;
1034 no_cache_dnssec = 1;
1035 }
1036
1037 if (status == STAT_TRUNCATED)
1038 header->hb3 |= HB3_TC;
1039 else
1040 {
1041 char *result, *domain = "result";
1042
1043 if (forward->work_counter == 0)
1044 {
1045 result = "ABANDONED";
1046 status = STAT_BOGUS;
1047 }
1048 else
1049 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1050
1051 if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
1052 domain = daemon->namebuff;
1053
1054 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
1055 }
1056
1057 if (status == STAT_SECURE)
1058 cache_secure = 1;
1059 else if (status == STAT_BOGUS)
1060 {
1061 no_cache_dnssec = 1;
1062 bogusanswer = 1;
1063 }
1064 }
1065 #endif
1066
1067 /* restore CD bit to the value in the query */
1068 if (forward->flags & FREC_CHECKING_DISABLED)
1069 header->hb4 |= HB4_CD;
1070 else
1071 header->hb4 &= ~HB4_CD;
1072
1073 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
1074 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1075 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1076 {
1077 header->id = htons(forward->orig_id);
1078 header->hb4 |= HB4_RA; /* recursion if available */
1079 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
1080 &forward->source, &forward->dest, forward->iface);
1081 }
1082 free_frec(forward); /* cancel */
1083 }
1084 }
1085
1086
1087 void receive_query(struct listener *listen, time_t now)
1088 {
1089 struct dns_header *header = (struct dns_header *)daemon->packet;
1090 union mysockaddr source_addr;
1091 unsigned short type;
1092 struct all_addr dst_addr;
1093 struct in_addr netmask, dst_addr_4;
1094 size_t m;
1095 ssize_t n;
1096 int if_index = 0, auth_dns = 0;
1097 #ifdef HAVE_AUTH
1098 int local_auth = 0;
1099 #endif
1100 struct iovec iov[1];
1101 struct msghdr msg;
1102 struct cmsghdr *cmptr;
1103 union {
1104 struct cmsghdr align; /* this ensures alignment */
1105 #ifdef HAVE_IPV6
1106 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1107 #endif
1108 #if defined(HAVE_LINUX_NETWORK)
1109 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
1110 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1111 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1112 CMSG_SPACE(sizeof(unsigned int))];
1113 #elif defined(IP_RECVDSTADDR)
1114 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1115 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1116 #endif
1117 } control_u;
1118 #ifdef HAVE_IPV6
1119 /* Can always get recvd interface for IPv6 */
1120 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1121 #else
1122 int check_dst = !option_bool(OPT_NOWILD);
1123 #endif
1124
1125 /* packet buffer overwritten */
1126 daemon->srv_save = NULL;
1127
1128 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
1129 netmask.s_addr = 0;
1130
1131 if (option_bool(OPT_NOWILD) && listen->iface)
1132 {
1133 auth_dns = listen->iface->dns_auth;
1134
1135 if (listen->family == AF_INET)
1136 {
1137 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
1138 netmask = listen->iface->netmask;
1139 }
1140 }
1141
1142 iov[0].iov_base = daemon->packet;
1143 iov[0].iov_len = daemon->edns_pktsz;
1144
1145 msg.msg_control = control_u.control;
1146 msg.msg_controllen = sizeof(control_u);
1147 msg.msg_flags = 0;
1148 msg.msg_name = &source_addr;
1149 msg.msg_namelen = sizeof(source_addr);
1150 msg.msg_iov = iov;
1151 msg.msg_iovlen = 1;
1152
1153 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
1154 return;
1155
1156 if (n < (int)sizeof(struct dns_header) ||
1157 (msg.msg_flags & MSG_TRUNC) ||
1158 (header->hb3 & HB3_QR))
1159 return;
1160
1161 source_addr.sa.sa_family = listen->family;
1162
1163 if (listen->family == AF_INET)
1164 {
1165 /* Source-port == 0 is an error, we can't send back to that.
1166 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1167 if (source_addr.in.sin_port == 0)
1168 return;
1169 }
1170 #ifdef HAVE_IPV6
1171 else
1172 {
1173 /* Source-port == 0 is an error, we can't send back to that. */
1174 if (source_addr.in6.sin6_port == 0)
1175 return;
1176 source_addr.in6.sin6_flowinfo = 0;
1177 }
1178 #endif
1179
1180 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1181 if (option_bool(OPT_LOCAL_SERVICE))
1182 {
1183 struct addrlist *addr;
1184 #ifdef HAVE_IPV6
1185 if (listen->family == AF_INET6)
1186 {
1187 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1188 if ((addr->flags & ADDRLIST_IPV6) &&
1189 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1190 break;
1191 }
1192 else
1193 #endif
1194 {
1195 struct in_addr netmask;
1196 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1197 {
1198 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1199 if (!(addr->flags & ADDRLIST_IPV6) &&
1200 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1201 break;
1202 }
1203 }
1204 if (!addr)
1205 {
1206 static int warned = 0;
1207 if (!warned)
1208 {
1209 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1210 warned = 1;
1211 }
1212 return;
1213 }
1214 }
1215
1216 if (check_dst)
1217 {
1218 struct ifreq ifr;
1219
1220 if (msg.msg_controllen < sizeof(struct cmsghdr))
1221 return;
1222
1223 #if defined(HAVE_LINUX_NETWORK)
1224 if (listen->family == AF_INET)
1225 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1226 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1227 {
1228 union {
1229 unsigned char *c;
1230 struct in_pktinfo *p;
1231 } p;
1232 p.c = CMSG_DATA(cmptr);
1233 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1234 if_index = p.p->ipi_ifindex;
1235 }
1236 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1237 if (listen->family == AF_INET)
1238 {
1239 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1240 {
1241 union {
1242 unsigned char *c;
1243 unsigned int *i;
1244 struct in_addr *a;
1245 #ifndef HAVE_SOLARIS_NETWORK
1246 struct sockaddr_dl *s;
1247 #endif
1248 } p;
1249 p.c = CMSG_DATA(cmptr);
1250 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1251 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1252 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
1253 #ifdef HAVE_SOLARIS_NETWORK
1254 if_index = *(p.i);
1255 #else
1256 if_index = p.s->sdl_index;
1257 #endif
1258 }
1259 }
1260 #endif
1261
1262 #ifdef HAVE_IPV6
1263 if (listen->family == AF_INET6)
1264 {
1265 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1266 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1267 {
1268 union {
1269 unsigned char *c;
1270 struct in6_pktinfo *p;
1271 } p;
1272 p.c = CMSG_DATA(cmptr);
1273
1274 dst_addr.addr.addr6 = p.p->ipi6_addr;
1275 if_index = p.p->ipi6_ifindex;
1276 }
1277 }
1278 #endif
1279
1280 /* enforce available interface configuration */
1281
1282 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
1283 return;
1284
1285 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1286 {
1287 if (!option_bool(OPT_CLEVERBIND))
1288 enumerate_interfaces(0);
1289 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1290 !label_exception(if_index, listen->family, &dst_addr))
1291 return;
1292 }
1293
1294 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1295 {
1296 struct irec *iface;
1297
1298 /* get the netmask of the interface whch has the address we were sent to.
1299 This is no neccessarily the interface we arrived on. */
1300
1301 for (iface = daemon->interfaces; iface; iface = iface->next)
1302 if (iface->addr.sa.sa_family == AF_INET &&
1303 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1304 break;
1305
1306 /* interface may be new */
1307 if (!iface && !option_bool(OPT_CLEVERBIND))
1308 enumerate_interfaces(0);
1309
1310 for (iface = daemon->interfaces; iface; iface = iface->next)
1311 if (iface->addr.sa.sa_family == AF_INET &&
1312 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1313 break;
1314
1315 /* If we failed, abandon localisation */
1316 if (iface)
1317 netmask = iface->netmask;
1318 else
1319 dst_addr_4.s_addr = 0;
1320 }
1321 }
1322
1323 /* log_query gets called indirectly all over the place, so
1324 pass these in global variables - sorry. */
1325 daemon->log_display_id = ++daemon->log_id;
1326 daemon->log_source_addr = &source_addr;
1327
1328 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
1329 {
1330 #ifdef HAVE_AUTH
1331 struct auth_zone *zone;
1332 #endif
1333 char *types = querystr(auth_dns ? "auth" : "query", type);
1334
1335 if (listen->family == AF_INET)
1336 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1337 (struct all_addr *)&source_addr.in.sin_addr, types);
1338 #ifdef HAVE_IPV6
1339 else
1340 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1341 (struct all_addr *)&source_addr.in6.sin6_addr, types);
1342 #endif
1343
1344 #ifdef HAVE_AUTH
1345 /* find queries for zones we're authoritative for, and answer them directly */
1346 if (!auth_dns)
1347 for (zone = daemon->auth_zones; zone; zone = zone->next)
1348 if (in_zone(zone, daemon->namebuff, NULL))
1349 {
1350 auth_dns = 1;
1351 local_auth = 1;
1352 break;
1353 }
1354 #endif
1355
1356 #ifdef HAVE_LOOP
1357 /* Check for forwarding loop */
1358 if (detect_loop(daemon->namebuff, type))
1359 return;
1360 #endif
1361 }
1362
1363 #ifdef HAVE_AUTH
1364 if (auth_dns)
1365 {
1366 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
1367 if (m >= 1)
1368 {
1369 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1370 (char *)header, m, &source_addr, &dst_addr, if_index);
1371 daemon->auth_answer++;
1372 }
1373 }
1374 else
1375 #endif
1376 {
1377 int ad_reqd, do_bit;
1378 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1379 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
1380
1381 if (m >= 1)
1382 {
1383 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1384 (char *)header, m, &source_addr, &dst_addr, if_index);
1385 daemon->local_answer++;
1386 }
1387 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1388 header, (size_t)n, now, NULL, ad_reqd, do_bit))
1389 daemon->queries_forwarded++;
1390 else
1391 daemon->local_answer++;
1392 }
1393 }
1394
1395 #ifdef HAVE_DNSSEC
1396
1397 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1398 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1399 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1400 static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1401 char *name, char *keyname)
1402 {
1403 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1404
1405 if (status != STAT_INSECURE)
1406 return status;
1407
1408 /* Store the domain we're trying to check. */
1409 forward->name_start = strlen(name);
1410 forward->name_len = forward->name_start + 1;
1411 if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1412 return STAT_BOGUS;
1413
1414 return do_check_sign(forward, 0, now, name, keyname);
1415 }
1416
1417 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1418 static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1419 {
1420 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1421 while (forward->dependent)
1422 forward = forward->dependent;
1423
1424 blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1425
1426 while (1)
1427 {
1428 char *p;
1429
1430 if (status == 0)
1431 {
1432 struct crec *crecp;
1433
1434 /* Haven't received answer, see if in cache */
1435 if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1436 {
1437 /* put name of DS record we're missing into keyname */
1438 strcpy(keyname, &name[forward->name_start]);
1439 /* and wait for reply to arrive */
1440 return STAT_NEED_DS_NEG;
1441 }
1442
1443 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1444 if (!(crecp->flags & F_NEG))
1445 status = STAT_SECURE;
1446 else if (crecp->flags & F_DNSSECOK)
1447 status = STAT_NO_DS;
1448 else
1449 status = STAT_NO_NS;
1450 }
1451
1452 /* Have entered non-signed part of DNS tree. */
1453 if (status == STAT_NO_DS)
1454 return STAT_INSECURE;
1455
1456 if (status == STAT_BOGUS)
1457 return STAT_BOGUS;
1458
1459 if (status == STAT_NO_SIG && *keyname != 0)
1460 {
1461 /* There is a validated CNAME chain that doesn't end in a DS record. Start.
1462 the search again in that domain. */
1463 blockdata_free(forward->orig_domain);
1464 forward->name_start = strlen(keyname);
1465 forward->name_len = forward->name_start + 1;
1466 if (!(forward->orig_domain = blockdata_alloc(keyname, forward->name_len)))
1467 return STAT_BOGUS;
1468
1469 strcpy(name, keyname);
1470 status = 0; /* force to cache when we iterate. */
1471 continue;
1472 }
1473
1474 /* There's a proven DS record, or we're within a zone, where there doesn't need
1475 to be a DS record. Add a name and try again..
1476 If we've already tried the whole name, then fail */
1477
1478 if (forward->name_start == 0)
1479 return STAT_BOGUS;
1480
1481 for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1482
1483 if (p != name)
1484 p++;
1485
1486 forward->name_start = p - name;
1487 status = 0; /* force to cache when we iterate. */
1488 }
1489 }
1490
1491 /* Move down from the root, until we find a signed non-existance of a DS, in which case
1492 an unsigned answer is OK, or we find a signed DS, in which case there should be
1493 a signature, and the answer is BOGUS */
1494 static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1495 char *keyname, struct server *server, int *keycount)
1496 {
1497 size_t m;
1498 unsigned char *packet, *payload;
1499 u16 *length;
1500 unsigned char *p = (unsigned char *)(header+1);
1501 int status, name_len;
1502 struct blockdata *block;
1503
1504 char *name_start;
1505
1506 /* Get first insecure entry in CNAME chain */
1507 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1508 if (status == STAT_BOGUS)
1509 return STAT_BOGUS;
1510
1511 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1512 return STAT_BOGUS;
1513
1514 payload = &packet[2];
1515 header = (struct dns_header *)payload;
1516 length = (u16 *)packet;
1517
1518 /* Stash the name away, since the buffer will be trashed when we recurse */
1519 name_len = strlen(name) + 1;
1520 name_start = name + name_len - 1;
1521
1522 if (!(block = blockdata_alloc(name, name_len)))
1523 {
1524 free(packet);
1525 return STAT_BOGUS;
1526 }
1527
1528 while (1)
1529 {
1530 unsigned char c1, c2;
1531
1532 struct crec *crecp;
1533
1534 if (--(*keycount) == 0)
1535 {
1536 free(packet);
1537 blockdata_free(block);
1538 return STAT_BOGUS;
1539 }
1540
1541 while (crecp = cache_find_by_name(NULL, name_start, now, F_DS))
1542 {
1543 if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1544 {
1545 /* Found a secure denial of DS - delegation is indeed insecure */
1546 free(packet);
1547 blockdata_free(block);
1548 return STAT_INSECURE;
1549 }
1550
1551 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1552 Add another label and continue. */
1553
1554 if (name_start == name)
1555 {
1556 free(packet);
1557 blockdata_free(block);
1558 return STAT_BOGUS; /* run out of labels */
1559 }
1560
1561 name_start -= 2;
1562 while (*name_start != '.' && name_start != name)
1563 name_start--;
1564 if (name_start != name)
1565 name_start++;
1566 }
1567
1568 /* Can't find it in the cache, have to send a query */
1569
1570 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz);
1571
1572 *length = htons(m);
1573
1574 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1575 read_write(server->tcpfd, &c1, 1, 1) &&
1576 read_write(server->tcpfd, &c2, 1, 1) &&
1577 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1578 {
1579 m = (c1 << 8) | c2;
1580
1581 /* Note this trashes all three name workspaces */
1582 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1583
1584 if (status == STAT_NO_DS)
1585 {
1586 /* Found a secure denial of DS - delegation is indeed insecure */
1587 free(packet);
1588 blockdata_free(block);
1589 return STAT_INSECURE;
1590 }
1591
1592 if (status == STAT_NO_SIG && *keyname != 0)
1593 {
1594 /* There is a validated CNAME chain that doesn't end in a DS record. Start.
1595 the search again in that domain. */
1596 blockdata_free(block);
1597 name_len = strlen(keyname) + 1;
1598 name_start = name + name_len - 1;
1599
1600 if (!(block = blockdata_alloc(keyname, name_len)))
1601 return STAT_BOGUS;
1602
1603 strcpy(name, keyname);
1604 continue;
1605 }
1606
1607 if (status == STAT_BOGUS)
1608 {
1609 free(packet);
1610 blockdata_free(block);
1611 return STAT_BOGUS;
1612 }
1613
1614 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1615 Add another label and continue. */
1616
1617 /* Get name we're checking back. */
1618 blockdata_retrieve(block, name_len, name);
1619
1620 if (name_start == name)
1621 {
1622 free(packet);
1623 blockdata_free(block);
1624 return STAT_BOGUS; /* run out of labels */
1625 }
1626
1627 name_start -= 2;
1628 while (*name_start != '.' && name_start != name)
1629 name_start--;
1630 if (name_start != name)
1631 name_start++;
1632 }
1633 else
1634 {
1635 /* IO failure */
1636 free(packet);
1637 blockdata_free(block);
1638 return STAT_BOGUS; /* run out of labels */
1639 }
1640 }
1641 }
1642
1643 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1644 int class, char *name, char *keyname, struct server *server, int *keycount)
1645 {
1646 /* Recurse up the key heirarchy */
1647 int new_status;
1648
1649 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1650 if (--(*keycount) == 0)
1651 return STAT_INSECURE;
1652
1653 if (status == STAT_NEED_KEY)
1654 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1655 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1656 {
1657 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1658 if (status == STAT_NEED_DS)
1659 {
1660 if (new_status == STAT_NO_DS)
1661 new_status = STAT_INSECURE_DS;
1662 else if (new_status == STAT_NO_NS || new_status == STAT_NO_SIG)
1663 new_status = STAT_BOGUS;
1664 }
1665 }
1666 else if (status == STAT_CHASE_CNAME)
1667 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1668 else
1669 {
1670 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1671
1672 if (new_status == STAT_NO_SIG)
1673 {
1674 if (option_bool(OPT_DNSSEC_NO_SIGN))
1675 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1676 else
1677 new_status = STAT_INSECURE;
1678 }
1679 }
1680
1681 /* Can't validate because we need a key/DS whose name now in keyname.
1682 Make query for same, and recurse to validate */
1683 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1684 {
1685 size_t m;
1686 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1687 unsigned char *payload = &packet[2];
1688 struct dns_header *new_header = (struct dns_header *)payload;
1689 u16 *length = (u16 *)packet;
1690 unsigned char c1, c2;
1691
1692 if (!packet)
1693 return STAT_INSECURE;
1694
1695 another_tcp_key:
1696 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1697 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
1698
1699 *length = htons(m);
1700
1701 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1702 !read_write(server->tcpfd, &c1, 1, 1) ||
1703 !read_write(server->tcpfd, &c2, 1, 1) ||
1704 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1705 new_status = STAT_INSECURE;
1706 else
1707 {
1708 m = (c1 << 8) | c2;
1709
1710 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1711
1712 if (new_status == STAT_SECURE)
1713 {
1714 /* Reached a validated record, now try again at this level.
1715 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1716 If so, go round again. */
1717
1718 if (status == STAT_NEED_KEY)
1719 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1720 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1721 {
1722 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1723 if (status == STAT_NEED_DS)
1724 {
1725 if (new_status == STAT_NO_DS)
1726 new_status = STAT_INSECURE_DS;
1727 else if (new_status == STAT_NO_NS || new_status == STAT_NO_SIG)
1728 new_status = STAT_BOGUS; /* Validated no DS */
1729 }
1730 }
1731 else if (status == STAT_CHASE_CNAME)
1732 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1733 else
1734 {
1735 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
1736
1737 if (new_status == STAT_NO_SIG)
1738 {
1739 if (option_bool(OPT_DNSSEC_NO_SIGN))
1740 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1741 else
1742 new_status = STAT_INSECURE;
1743 }
1744 }
1745
1746 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1747 goto another_tcp_key;
1748 }
1749 }
1750
1751 free(packet);
1752 }
1753 return new_status;
1754 }
1755 #endif
1756
1757
1758 /* The daemon forks before calling this: it should deal with one connection,
1759 blocking as neccessary, and then return. Note, need to be a bit careful
1760 about resources for debug mode, when the fork is suppressed: that's
1761 done by the caller. */
1762 unsigned char *tcp_request(int confd, time_t now,
1763 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1764 {
1765 size_t size = 0;
1766 int norebind = 0;
1767 #ifdef HAVE_AUTH
1768 int local_auth = 0;
1769 #endif
1770 int checking_disabled, ad_question, do_bit, added_pheader = 0;
1771 int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
1772 size_t m;
1773 unsigned short qtype;
1774 unsigned int gotname;
1775 unsigned char c1, c2;
1776 /* Max TCP packet + slop + size */
1777 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1778 unsigned char *payload = &packet[2];
1779 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1780 struct dns_header *header = (struct dns_header *)payload;
1781 u16 *length = (u16 *)packet;
1782 struct server *last_server;
1783 struct in_addr dst_addr_4;
1784 union mysockaddr peer_addr;
1785 socklen_t peer_len = sizeof(union mysockaddr);
1786 int query_count = 0;
1787
1788 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1789 return packet;
1790
1791 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1792 if (option_bool(OPT_LOCAL_SERVICE))
1793 {
1794 struct addrlist *addr;
1795 #ifdef HAVE_IPV6
1796 if (peer_addr.sa.sa_family == AF_INET6)
1797 {
1798 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1799 if ((addr->flags & ADDRLIST_IPV6) &&
1800 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1801 break;
1802 }
1803 else
1804 #endif
1805 {
1806 struct in_addr netmask;
1807 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1808 {
1809 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
1810 if (!(addr->flags & ADDRLIST_IPV6) &&
1811 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1812 break;
1813 }
1814 }
1815 if (!addr)
1816 {
1817 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1818 return packet;
1819 }
1820 }
1821
1822 while (1)
1823 {
1824 if (query_count == TCP_MAX_QUERIES ||
1825 !packet ||
1826 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1827 !(size = c1 << 8 | c2) ||
1828 !read_write(confd, payload, size, 1))
1829 return packet;
1830
1831 if (size < (int)sizeof(struct dns_header))
1832 continue;
1833
1834 query_count++;
1835
1836 /* log_query gets called indirectly all over the place, so
1837 pass these in global variables - sorry. */
1838 daemon->log_display_id = ++daemon->log_id;
1839 daemon->log_source_addr = &peer_addr;
1840
1841 check_subnet = 0;
1842
1843 /* save state of "cd" flag in query */
1844 if ((checking_disabled = header->hb4 & HB4_CD))
1845 no_cache_dnssec = 1;
1846
1847 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1848 {
1849 #ifdef HAVE_AUTH
1850 struct auth_zone *zone;
1851 #endif
1852 char *types = querystr(auth_dns ? "auth" : "query", qtype);
1853
1854 if (peer_addr.sa.sa_family == AF_INET)
1855 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1856 (struct all_addr *)&peer_addr.in.sin_addr, types);
1857 #ifdef HAVE_IPV6
1858 else
1859 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1860 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1861 #endif
1862
1863 #ifdef HAVE_AUTH
1864 /* find queries for zones we're authoritative for, and answer them directly */
1865 if (!auth_dns)
1866 for (zone = daemon->auth_zones; zone; zone = zone->next)
1867 if (in_zone(zone, daemon->namebuff, NULL))
1868 {
1869 auth_dns = 1;
1870 local_auth = 1;
1871 break;
1872 }
1873 #endif
1874 }
1875
1876 if (local_addr->sa.sa_family == AF_INET)
1877 dst_addr_4 = local_addr->in.sin_addr;
1878 else
1879 dst_addr_4.s_addr = 0;
1880
1881 #ifdef HAVE_AUTH
1882 if (auth_dns)
1883 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1884 else
1885 #endif
1886 {
1887 /* m > 0 if answered from cache */
1888 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1889 dst_addr_4, netmask, now, &ad_question, &do_bit);
1890
1891 /* Do this by steam now we're not in the select() loop */
1892 check_log_writer(NULL);
1893
1894 if (m == 0)
1895 {
1896 unsigned int flags = 0;
1897 struct all_addr *addrp = NULL;
1898 int type = 0;
1899 char *domain = NULL;
1900
1901 if (option_bool(OPT_ADD_MAC))
1902 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1903
1904 if (option_bool(OPT_CLIENT_SUBNET))
1905 {
1906 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1907 if (size != new)
1908 {
1909 size = new;
1910 check_subnet = 1;
1911 }
1912 }
1913
1914 if (gotname)
1915 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1916
1917 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1918 last_server = daemon->servers;
1919 else
1920 last_server = daemon->last_server;
1921
1922 if (!flags && last_server)
1923 {
1924 struct server *firstsendto = NULL;
1925 #ifdef HAVE_DNSSEC
1926 unsigned char *newhash, hash[HASH_SIZE];
1927 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
1928 memcpy(hash, newhash, HASH_SIZE);
1929 else
1930 memset(hash, 0, HASH_SIZE);
1931 #else
1932 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1933 #endif
1934 /* Loop round available servers until we succeed in connecting to one.
1935 Note that this code subtley ensures that consecutive queries on this connection
1936 which can go to the same server, do so. */
1937 while (1)
1938 {
1939 if (!firstsendto)
1940 firstsendto = last_server;
1941 else
1942 {
1943 if (!(last_server = last_server->next))
1944 last_server = daemon->servers;
1945
1946 if (last_server == firstsendto)
1947 break;
1948 }
1949
1950 /* server for wrong domain */
1951 if (type != (last_server->flags & SERV_TYPE) ||
1952 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1953 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
1954 continue;
1955
1956 if (last_server->tcpfd == -1)
1957 {
1958 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1959 continue;
1960
1961 #ifdef HAVE_CONNTRACK
1962 /* Copy connection mark of incoming query to outgoing connection. */
1963 if (option_bool(OPT_CONNTRACK))
1964 {
1965 unsigned int mark;
1966 struct all_addr local;
1967 #ifdef HAVE_IPV6
1968 if (local_addr->sa.sa_family == AF_INET6)
1969 local.addr.addr6 = local_addr->in6.sin6_addr;
1970 else
1971 #endif
1972 local.addr.addr4 = local_addr->in.sin_addr;
1973
1974 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1975 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1976 }
1977 #endif
1978
1979 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1980 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1981 {
1982 close(last_server->tcpfd);
1983 last_server->tcpfd = -1;
1984 continue;
1985 }
1986
1987 #ifdef HAVE_DNSSEC
1988 if (option_bool(OPT_DNSSEC_VALID))
1989 {
1990 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1991
1992 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1993 this allows it to select auth servers when one is returning bad data. */
1994 if (option_bool(OPT_DNSSEC_DEBUG))
1995 header->hb4 |= HB4_CD;
1996
1997 if (size != new_size)
1998 added_pheader = 1;
1999
2000 size = new_size;
2001 }
2002 #endif
2003 }
2004
2005 *length = htons(size);
2006
2007 /* get query name again for logging - may have been overwritten */
2008 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
2009 strcpy(daemon->namebuff, "query");
2010
2011 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
2012 !read_write(last_server->tcpfd, &c1, 1, 1) ||
2013 !read_write(last_server->tcpfd, &c2, 1, 1) ||
2014 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
2015 {
2016 close(last_server->tcpfd);
2017 last_server->tcpfd = -1;
2018 continue;
2019 }
2020
2021 m = (c1 << 8) | c2;
2022
2023 if (last_server->addr.sa.sa_family == AF_INET)
2024 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
2025 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
2026 #ifdef HAVE_IPV6
2027 else
2028 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
2029 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
2030 #endif
2031
2032 #ifdef HAVE_DNSSEC
2033 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
2034 {
2035 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
2036 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
2037 char *result, *domain = "result";
2038
2039 if (status == STAT_INSECURE_DS)
2040 {
2041 /* We only cache sigs when we've validated a reply.
2042 Avoid caching a reply with sigs if there's a vaildated break in the
2043 DS chain, so we don't return replies from cache missing sigs. */
2044 status = STAT_INSECURE;
2045 no_cache_dnssec = 1;
2046 }
2047
2048 if (keycount == 0)
2049 {
2050 result = "ABANDONED";
2051 status = STAT_BOGUS;
2052 }
2053 else
2054 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
2055
2056 if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
2057 domain = daemon->namebuff;
2058
2059 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
2060
2061 if (status == STAT_BOGUS)
2062 {
2063 no_cache_dnssec = 1;
2064 bogusanswer = 1;
2065 }
2066
2067 if (status == STAT_SECURE)
2068 cache_secure = 1;
2069 }
2070 #endif
2071
2072 /* restore CD bit to the value in the query */
2073 if (checking_disabled)
2074 header->hb4 |= HB4_CD;
2075 else
2076 header->hb4 &= ~HB4_CD;
2077
2078 /* There's no point in updating the cache, since this process will exit and
2079 lose the information after a few queries. We make this call for the alias and
2080 bogus-nxdomain side-effects. */
2081 /* If the crc of the question section doesn't match the crc we sent, then
2082 someone might be attempting to insert bogus values into the cache by
2083 sending replies containing questions and bogus answers. */
2084 #ifdef HAVE_DNSSEC
2085 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
2086 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
2087 {
2088 m = 0;
2089 break;
2090 }
2091 #else
2092 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
2093 {
2094 m = 0;
2095 break;
2096 }
2097 #endif
2098
2099 m = process_reply(header, now, last_server, (unsigned int)m,
2100 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
2101 ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
2102
2103 break;
2104 }
2105 }
2106
2107 /* In case of local answer or no connections made. */
2108 if (m == 0)
2109 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
2110 }
2111 }
2112
2113 check_log_writer(NULL);
2114
2115 *length = htons(m);
2116
2117 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
2118 return packet;
2119 }
2120 }
2121
2122 static struct frec *allocate_frec(time_t now)
2123 {
2124 struct frec *f;
2125
2126 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
2127 {
2128 f->next = daemon->frec_list;
2129 f->time = now;
2130 f->sentto = NULL;
2131 f->rfd4 = NULL;
2132 f->flags = 0;
2133 #ifdef HAVE_IPV6
2134 f->rfd6 = NULL;
2135 #endif
2136 #ifdef HAVE_DNSSEC
2137 f->dependent = NULL;
2138 f->blocking_query = NULL;
2139 f->stash = NULL;
2140 f->orig_domain = NULL;
2141 #endif
2142 daemon->frec_list = f;
2143 }
2144
2145 return f;
2146 }
2147
2148 struct randfd *allocate_rfd(int family)
2149 {
2150 static int finger = 0;
2151 int i;
2152
2153 /* limit the number of sockets we have open to avoid starvation of
2154 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2155
2156 for (i = 0; i < RANDOM_SOCKS; i++)
2157 if (daemon->randomsocks[i].refcount == 0)
2158 {
2159 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2160 break;
2161
2162 daemon->randomsocks[i].refcount = 1;
2163 daemon->randomsocks[i].family = family;
2164 return &daemon->randomsocks[i];
2165 }
2166
2167 /* No free ones or cannot get new socket, grab an existing one */
2168 for (i = 0; i < RANDOM_SOCKS; i++)
2169 {
2170 int j = (i+finger) % RANDOM_SOCKS;
2171 if (daemon->randomsocks[j].refcount != 0 &&
2172 daemon->randomsocks[j].family == family &&
2173 daemon->randomsocks[j].refcount != 0xffff)
2174 {
2175 finger = j;
2176 daemon->randomsocks[j].refcount++;
2177 return &daemon->randomsocks[j];
2178 }
2179 }
2180
2181 return NULL; /* doom */
2182 }
2183
2184 void free_rfd(struct randfd *rfd)
2185 {
2186 if (rfd && --(rfd->refcount) == 0)
2187 close(rfd->fd);
2188 }
2189
2190 static void free_frec(struct frec *f)
2191 {
2192 free_rfd(f->rfd4);
2193 f->rfd4 = NULL;
2194 f->sentto = NULL;
2195 f->flags = 0;
2196
2197 #ifdef HAVE_IPV6
2198 free_rfd(f->rfd6);
2199 f->rfd6 = NULL;
2200 #endif
2201
2202 #ifdef HAVE_DNSSEC
2203 if (f->stash)
2204 {
2205 blockdata_free(f->stash);
2206 f->stash = NULL;
2207 }
2208
2209 if (f->orig_domain)
2210 {
2211 blockdata_free(f->orig_domain);
2212 f->orig_domain = NULL;
2213 }
2214
2215 /* Anything we're waiting on is pointless now, too */
2216 if (f->blocking_query)
2217 free_frec(f->blocking_query);
2218 f->blocking_query = NULL;
2219 f->dependent = NULL;
2220 #endif
2221 }
2222
2223 /* if wait==NULL return a free or older than TIMEOUT record.
2224 else return *wait zero if one available, or *wait is delay to
2225 when the oldest in-use record will expire. Impose an absolute
2226 limit of 4*TIMEOUT before we wipe things (for random sockets).
2227 If force is set, always return a result, even if we have
2228 to allocate above the limit. */
2229 struct frec *get_new_frec(time_t now, int *wait, int force)
2230 {
2231 struct frec *f, *oldest, *target;
2232 int count;
2233
2234 if (wait)
2235 *wait = 0;
2236
2237 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
2238 if (!f->sentto)
2239 target = f;
2240 else
2241 {
2242 if (difftime(now, f->time) >= 4*TIMEOUT)
2243 {
2244 free_frec(f);
2245 target = f;
2246 }
2247
2248 if (!oldest || difftime(f->time, oldest->time) <= 0)
2249 oldest = f;
2250 }
2251
2252 if (target)
2253 {
2254 target->time = now;
2255 return target;
2256 }
2257
2258 /* can't find empty one, use oldest if there is one
2259 and it's older than timeout */
2260 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
2261 {
2262 /* keep stuff for twice timeout if we can by allocating a new
2263 record instead */
2264 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2265 count <= daemon->ftabsize &&
2266 (f = allocate_frec(now)))
2267 return f;
2268
2269 if (!wait)
2270 {
2271 free_frec(oldest);
2272 oldest->time = now;
2273 }
2274 return oldest;
2275 }
2276
2277 /* none available, calculate time 'till oldest record expires */
2278 if (!force && count > daemon->ftabsize)
2279 {
2280 static time_t last_log = 0;
2281
2282 if (oldest && wait)
2283 *wait = oldest->time + (time_t)TIMEOUT - now;
2284
2285 if ((int)difftime(now, last_log) > 5)
2286 {
2287 last_log = now;
2288 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2289 }
2290
2291 return NULL;
2292 }
2293
2294 if (!(f = allocate_frec(now)) && wait)
2295 /* wait one second on malloc failure */
2296 *wait = 1;
2297
2298 return f; /* OK if malloc fails and this is NULL */
2299 }
2300
2301 /* crc is all-ones if not known. */
2302 static struct frec *lookup_frec(unsigned short id, void *hash)
2303 {
2304 struct frec *f;
2305
2306 for(f = daemon->frec_list; f; f = f->next)
2307 if (f->sentto && f->new_id == id &&
2308 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
2309 return f;
2310
2311 return NULL;
2312 }
2313
2314 static struct frec *lookup_frec_by_sender(unsigned short id,
2315 union mysockaddr *addr,
2316 void *hash)
2317 {
2318 struct frec *f;
2319
2320 for(f = daemon->frec_list; f; f = f->next)
2321 if (f->sentto &&
2322 f->orig_id == id &&
2323 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
2324 sockaddr_isequal(&f->source, addr))
2325 return f;
2326
2327 return NULL;
2328 }
2329
2330 /* Send query packet again, if we can. */
2331 void resend_query()
2332 {
2333 if (daemon->srv_save)
2334 {
2335 int fd;
2336
2337 if (daemon->srv_save->sfd)
2338 fd = daemon->srv_save->sfd->fd;
2339 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2340 fd = daemon->rfd_save->fd;
2341 else
2342 return;
2343
2344 while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
2345 &daemon->srv_save->addr.sa,
2346 sa_len(&daemon->srv_save->addr))));
2347 }
2348 }
2349
2350 /* A server record is going away, remove references to it */
2351 void server_gone(struct server *server)
2352 {
2353 struct frec *f;
2354
2355 for (f = daemon->frec_list; f; f = f->next)
2356 if (f->sentto && f->sentto == server)
2357 free_frec(f);
2358
2359 if (daemon->last_server == server)
2360 daemon->last_server = NULL;
2361
2362 if (daemon->srv_save == server)
2363 daemon->srv_save = NULL;
2364 }
2365
2366 /* return unique random ids. */
2367 static unsigned short get_id(void)
2368 {
2369 unsigned short ret = 0;
2370
2371 do
2372 ret = rand16();
2373 while (lookup_frec(ret, NULL));
2374
2375 return ret;
2376 }
2377
2378
2379
2380
2381
Tomato firmware and modifications.