1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 int extract_name(struct dns_header
*header
, size_t plen
, unsigned char **pp
,
20 char *name
, int isExtract
, int extrabytes
)
22 unsigned char *cp
= (unsigned char *)name
, *p
= *pp
, *p1
= NULL
;
23 unsigned int j
, l
, namelen
= 0, hops
= 0;
31 unsigned int label_type
;
33 if (!CHECK_LEN(header
, p
, plen
, 1))
39 /* check that there are the correct no of bytes after the name */
40 if (!CHECK_LEN(header
, p
, plen
, extrabytes
))
45 if (cp
!= (unsigned char *)name
)
47 *cp
= 0; /* terminate: lose final period */
52 if (p1
) /* we jumped via compression */
60 label_type
= l
& 0xc0;
62 if (label_type
== 0xc0) /* pointer */
64 if (!CHECK_LEN(header
, p
, plen
, 1))
71 if (!p1
) /* first jump, save location to go back to */
74 hops
++; /* break malicious infinite loops */
78 p
= l
+ (unsigned char *)header
;
80 else if (label_type
== 0x00)
81 { /* label_type = 0 -> label. */
82 namelen
+= l
+ 1; /* include period */
83 if (namelen
>= MAXDNAME
)
85 if (!CHECK_LEN(header
, p
, plen
, l
))
88 for(j
=0; j
<l
; j
++, p
++)
93 if (option_bool(OPT_DNSSEC_VALID
))
95 if (c
== 0 || c
== '.' || c
== NAME_ESCAPE
)
105 if (c
!= 0 && c
!= '.')
112 unsigned char c1
= *cp
, c2
= *p
;
119 if (c1
>= 'A' && c1
<= 'Z')
122 if (option_bool(OPT_DNSSEC_VALID
) && c1
== NAME_ESCAPE
)
126 if (c2
>= 'A' && c2
<= 'Z')
136 else if (*cp
!= 0 && *cp
++ != '.')
140 return 0; /* label types 0x40 and 0x80 not supported */
144 /* Max size of input string (for IPv6) is 75 chars.) */
145 #define MAXARPANAME 75
146 int in_arpa_name_2_addr(char *namein
, struct all_addr
*addrp
)
149 char name
[MAXARPANAME
+1], *cp1
;
150 unsigned char *addr
= (unsigned char *)addrp
;
151 char *lastchunk
= NULL
, *penchunk
= NULL
;
153 if (strlen(namein
) > MAXARPANAME
)
156 memset(addrp
, 0, sizeof(struct all_addr
));
158 /* turn name into a series of asciiz strings */
159 /* j counts no of labels */
160 for(j
= 1,cp1
= name
; *namein
; cp1
++, namein
++)
163 penchunk
= lastchunk
;
176 if (hostname_isequal(lastchunk
, "arpa") && hostname_isequal(penchunk
, "in-addr"))
179 /* address arives as a name of the form
180 www.xxx.yyy.zzz.in-addr.arpa
181 some of the low order address octets might be missing
182 and should be set to zero. */
183 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
185 /* check for digits only (weeds out things like
186 50.0/24.67.28.64.in-addr.arpa which are used
187 as CNAME targets according to RFC 2317 */
189 for (cp
= cp1
; *cp
; cp
++)
190 if (!isdigit((unsigned char)*cp
))
202 else if (hostname_isequal(penchunk
, "ip6") &&
203 (hostname_isequal(lastchunk
, "int") || hostname_isequal(lastchunk
, "arpa")))
206 Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
207 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
209 Note that most of these the various reprentations are obsolete and
210 left-over from the many DNS-for-IPv6 wars. We support all the formats
211 that we can since there is no reason not to.
214 if (*name
== '\\' && *(name
+1) == '[' &&
215 (*(name
+2) == 'x' || *(name
+2) == 'X'))
217 for (j
= 0, cp1
= name
+3; *cp1
&& isxdigit((unsigned char) *cp1
) && j
< 32; cp1
++, j
++)
223 addr
[j
/2] |= strtol(xdig
, NULL
, 16);
225 addr
[j
/2] = strtol(xdig
, NULL
, 16) << 4;
228 if (*cp1
== '/' && j
== 32)
233 for (cp1
= name
; cp1
!= penchunk
; cp1
+= strlen(cp1
)+1)
235 if (*(cp1
+1) || !isxdigit((unsigned char)*cp1
))
238 for (j
= sizeof(struct all_addr
)-1; j
>0; j
--)
239 addr
[j
] = (addr
[j
] >> 4) | (addr
[j
-1] << 4);
240 addr
[0] = (addr
[0] >> 4) | (strtol(cp1
, NULL
, 16) << 4);
251 unsigned char *skip_name(unsigned char *ansp
, struct dns_header
*header
, size_t plen
, int extrabytes
)
255 unsigned int label_type
;
257 if (!CHECK_LEN(header
, ansp
, plen
, 1))
260 label_type
= (*ansp
) & 0xc0;
262 if (label_type
== 0xc0)
264 /* pointer for compression. */
268 else if (label_type
== 0x80)
269 return NULL
; /* reserved */
270 else if (label_type
== 0x40)
272 /* Extended label type */
275 if (!CHECK_LEN(header
, ansp
, plen
, 2))
278 if (((*ansp
++) & 0x3f) != 1)
279 return NULL
; /* we only understand bitstrings */
281 count
= *(ansp
++); /* Bits in bitstring */
283 if (count
== 0) /* count == 0 means 256 bits */
286 ansp
+= ((count
-1)>>3)+1;
289 { /* label type == 0 Bottom six bits is length */
290 unsigned int len
= (*ansp
++) & 0x3f;
292 if (!ADD_RDLEN(header
, ansp
, plen
, len
))
296 break; /* zero length label marks the end. */
300 if (!CHECK_LEN(header
, ansp
, plen
, extrabytes
))
306 unsigned char *skip_questions(struct dns_header
*header
, size_t plen
)
309 unsigned char *ansp
= (unsigned char *)(header
+1);
311 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
313 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
315 ansp
+= 4; /* class and type */
321 unsigned char *skip_section(unsigned char *ansp
, int count
, struct dns_header
*header
, size_t plen
)
325 for (i
= 0; i
< count
; i
++)
327 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
329 ansp
+= 8; /* type, class, TTL */
330 GETSHORT(rdlen
, ansp
);
331 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
338 /* CRC the question section. This is used to safely detect query
339 retransmision and to detect answers to questions we didn't ask, which
340 might be poisoning attacks. Note that we decode the name rather
341 than CRC the raw bytes, since replies might be compressed differently.
342 We ignore case in the names for the same reason. Return all-ones
343 if there is not question section. */
345 unsigned int questions_crc(struct dns_header
*header
, size_t plen
, char *name
)
348 unsigned int crc
= 0xffffffff;
349 unsigned char *p1
, *p
= (unsigned char *)(header
+1);
351 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
353 if (!extract_name(header
, plen
, &p
, name
, 1, 4))
354 return crc
; /* bad packet */
356 for (p1
= (unsigned char *)name
; *p1
; p1
++)
361 if (c
>= 'A' && c
<= 'Z')
366 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
369 /* CRC the class and type as well */
370 for (p1
= p
; p1
< p
+4; p1
++)
375 crc
= crc
& 0x80000000 ? (crc
<< 1) ^ 0x04c11db7 : crc
<< 1;
379 if (!CHECK_LEN(header
, p
, plen
, 0))
380 return crc
; /* bad packet */
387 size_t resize_packet(struct dns_header
*header
, size_t plen
, unsigned char *pheader
, size_t hlen
)
389 unsigned char *ansp
= skip_questions(header
, plen
);
391 /* if packet is malformed, just return as-is. */
395 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
399 /* restore pseudoheader */
400 if (pheader
&& ntohs(header
->arcount
) == 0)
402 /* must use memmove, may overlap */
403 memmove(ansp
, pheader
, hlen
);
404 header
->arcount
= htons(1);
408 return ansp
- (unsigned char *)header
;
411 unsigned char *find_pseudoheader(struct dns_header
*header
, size_t plen
, size_t *len
, unsigned char **p
, int *is_sign
)
413 /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it.
414 also return length of pseudoheader in *len and pointer to the UDP size in *p
415 Finally, check to see if a packet is signed. If it is we cannot change a single bit before
416 forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
418 int i
, arcount
= ntohs(header
->arcount
);
419 unsigned char *ansp
= (unsigned char *)(header
+1);
420 unsigned short rdlen
, type
, class;
421 unsigned char *ret
= NULL
;
427 if (OPCODE(header
) == QUERY
)
429 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
431 if (!(ansp
= skip_name(ansp
, header
, plen
, 4)))
434 GETSHORT(type
, ansp
);
435 GETSHORT(class, ansp
);
437 if (class == C_IN
&& type
== T_TKEY
)
444 if (!(ansp
= skip_questions(header
, plen
)))
451 if (!(ansp
= skip_section(ansp
, ntohs(header
->ancount
) + ntohs(header
->nscount
), header
, plen
)))
454 for (i
= 0; i
< arcount
; i
++)
456 unsigned char *save
, *start
= ansp
;
457 if (!(ansp
= skip_name(ansp
, header
, plen
, 10)))
460 GETSHORT(type
, ansp
);
462 GETSHORT(class, ansp
);
464 GETSHORT(rdlen
, ansp
);
465 if (!ADD_RDLEN(header
, ansp
, plen
, rdlen
))
486 unsigned char *limit
;
487 struct dns_header
*header
;
489 union mysockaddr
*l3
;
492 static size_t add_pseudoheader(struct dns_header
*header
, size_t plen
, unsigned char *limit
,
493 int optno
, unsigned char *opt
, size_t optlen
, int set_do
)
495 unsigned char *lenp
, *datap
, *p
;
498 if (!(p
= find_pseudoheader(header
, plen
, NULL
, NULL
, &is_sign
)))
503 /* We are adding the pseudoheader */
504 if (!(p
= skip_questions(header
, plen
)) ||
505 !(p
= skip_section(p
,
506 ntohs(header
->ancount
) + ntohs(header
->nscount
) + ntohs(header
->arcount
),
509 *p
++ = 0; /* empty name */
511 PUTSHORT(SAFE_PKTSZ
, p
); /* max packet length, this will be overwritten */
512 PUTSHORT(0, p
); /* extended RCODE and version */
513 PUTSHORT(set_do
? 0x8000 : 0, p
); /* DO flag */
515 PUTSHORT(0, p
); /* RDLEN */
517 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
518 return plen
; /* Too big */
519 header
->arcount
= htons(ntohs(header
->arcount
) + 1);
525 unsigned short code
, len
, flags
;
527 /* Must be at the end, if exists */
528 if (ntohs(header
->arcount
) != 1 ||
530 (!(p
= skip_name(p
, header
, plen
, 10))))
533 p
+= 6; /* skip UDP length and RCODE */
538 PUTSHORT(flags
| 0x8000, p
);
543 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
544 return plen
; /* bad packet */
547 /* no option to add */
551 /* check if option already there */
552 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
561 if (((ssize_t
)optlen
) > (limit
- (p
+ 4)))
562 return plen
; /* Too big */
569 memcpy(p
, opt
, optlen
);
573 PUTSHORT(p
- datap
, lenp
);
574 return p
- (unsigned char *)header
;
578 static int filter_mac(int family
, char *addrp
, char *mac
, size_t maclen
, void *parmv
)
580 struct macparm
*parm
= parmv
;
583 if (family
== parm
->l3
->sa
.sa_family
)
585 if (family
== AF_INET
&& memcmp(&parm
->l3
->in
.sin_addr
, addrp
, INADDRSZ
) == 0)
589 if (family
== AF_INET6
&& memcmp(&parm
->l3
->in6
.sin6_addr
, addrp
, IN6ADDRSZ
) == 0)
595 return 1; /* continue */
597 parm
->plen
= add_pseudoheader(parm
->header
, parm
->plen
, parm
->limit
, EDNS0_OPTION_MAC
, (unsigned char *)mac
, maclen
, 0);
602 size_t add_mac(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*l3
)
606 /* Must have an existing pseudoheader as the only ar-record,
607 or have no ar-records. Must also not be signed */
609 if (ntohs(header
->arcount
) > 1)
612 parm
.header
= header
;
613 parm
.limit
= (unsigned char *)limit
;
617 iface_enumerate(AF_UNSPEC
, &parm
, filter_mac
);
624 u8 source_netmask
, scope_netmask
;
632 static size_t calc_subnet_opt(struct subnet_opt
*opt
, union mysockaddr
*source
)
634 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
640 if (source
->sa
.sa_family
== AF_INET6
)
642 opt
->family
= htons(2);
643 opt
->source_netmask
= daemon
->addr6_netmask
;
644 addrp
= &source
->in6
.sin6_addr
;
649 opt
->family
= htons(1);
650 opt
->source_netmask
= daemon
->addr4_netmask
;
651 addrp
= &source
->in
.sin_addr
;
654 opt
->scope_netmask
= 0;
657 if (opt
->source_netmask
!= 0)
659 len
= ((opt
->source_netmask
- 1) >> 3) + 1;
660 memcpy(opt
->addr
, addrp
, len
);
661 if (opt
->source_netmask
& 7)
662 opt
->addr
[len
-1] &= 0xff << (8 - (opt
->source_netmask
& 7));
668 size_t add_source_addr(struct dns_header
*header
, size_t plen
, char *limit
, union mysockaddr
*source
)
670 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
673 struct subnet_opt opt
;
675 len
= calc_subnet_opt(&opt
, source
);
676 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, EDNS0_OPTION_CLIENT_SUBNET
, (unsigned char *)&opt
, len
, 0);
680 size_t add_do_bit(struct dns_header
*header
, size_t plen
, char *limit
)
682 return add_pseudoheader(header
, plen
, (unsigned char *)limit
, 0, NULL
, 0, 1);
686 int check_source(struct dns_header
*header
, size_t plen
, unsigned char *pseudoheader
, union mysockaddr
*peer
)
688 /* Section 9.2, Check that subnet option in reply matches. */
692 struct subnet_opt opt
;
696 calc_len
= calc_subnet_opt(&opt
, peer
);
698 if (!(p
= skip_name(pseudoheader
, header
, plen
, 10)))
701 p
+= 8; /* skip UDP length and RCODE */
704 if (!CHECK_LEN(header
, p
, plen
, rdlen
))
705 return 1; /* bad packet */
707 /* check if option there */
708 for (i
= 0; i
+ 4 < rdlen
; i
+= len
+ 4)
712 if (code
== EDNS0_OPTION_CLIENT_SUBNET
)
714 /* make sure this doesn't mismatch. */
715 opt
.scope_netmask
= p
[3];
716 if (len
!= calc_len
|| memcmp(p
, &opt
, len
) != 0)
725 /* is addr in the non-globally-routed IP space? */
726 int private_net(struct in_addr addr
, int ban_localhost
)
728 in_addr_t ip_addr
= ntohl(addr
.s_addr
);
731 (((ip_addr
& 0xFF000000) == 0x7F000000) && ban_localhost
) /* 127.0.0.0/8 (loopback) */ ||
732 ((ip_addr
& 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
733 ((ip_addr
& 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
734 ((ip_addr
& 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
735 ((ip_addr
& 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ;
738 static unsigned char *do_doctor(unsigned char *p
, int count
, struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
740 int i
, qtype
, qclass
, rdlen
;
742 for (i
= count
; i
!= 0; i
--)
744 if (name
&& option_bool(OPT_LOG
))
746 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
749 else if (!(p
= skip_name(p
, header
, qlen
, 10)))
750 return 0; /* bad packet */
757 if (qclass
== C_IN
&& qtype
== T_A
)
759 struct doctor
*doctor
;
762 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
766 memcpy(&addr
, p
, INADDRSZ
);
768 for (doctor
= daemon
->doctors
; doctor
; doctor
= doctor
->next
)
770 if (doctor
->end
.s_addr
== 0)
772 if (!is_same_net(doctor
->in
, addr
, doctor
->mask
))
775 else if (ntohl(doctor
->in
.s_addr
) > ntohl(addr
.s_addr
) ||
776 ntohl(doctor
->end
.s_addr
) < ntohl(addr
.s_addr
))
779 addr
.s_addr
&= ~doctor
->mask
.s_addr
;
780 addr
.s_addr
|= (doctor
->out
.s_addr
& doctor
->mask
.s_addr
);
781 /* Since we munged the data, the server it came from is no longer authoritative */
782 header
->hb3
&= ~HB3_AA
;
784 memcpy(p
, &addr
, INADDRSZ
);
788 else if (qtype
== T_TXT
&& name
&& option_bool(OPT_LOG
))
790 unsigned char *p1
= p
;
791 if (!CHECK_LEN(header
, p1
, qlen
, rdlen
))
793 while ((p1
- p
) < rdlen
)
795 unsigned int i
, len
= *p1
;
796 unsigned char *p2
= p1
;
797 /* make counted string zero-term and sanitise */
798 for (i
= 0; i
< len
; i
++)
800 if (!isprint((int)*(p2
+1)))
807 my_syslog(LOG_INFO
, "reply %s is %s", name
, p1
);
809 memmove(p1
+ 1, p1
, i
);
815 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
816 return 0; /* bad packet */
822 static int find_soa(struct dns_header
*header
, size_t qlen
, char *name
, int *doctored
)
825 int qtype
, qclass
, rdlen
;
826 unsigned long ttl
, minttl
= ULONG_MAX
;
827 int i
, found_soa
= 0;
829 /* first move to NS section and find TTL from any SOA section */
830 if (!(p
= skip_questions(header
, qlen
)) ||
831 !(p
= do_doctor(p
, ntohs(header
->ancount
), header
, qlen
, name
, doctored
)))
832 return 0; /* bad packet */
834 for (i
= ntohs(header
->nscount
); i
!= 0; i
--)
836 if (!(p
= skip_name(p
, header
, qlen
, 10)))
837 return 0; /* bad packet */
844 if ((qclass
== C_IN
) && (qtype
== T_SOA
))
851 if (!(p
= skip_name(p
, header
, qlen
, 0)))
854 if (!(p
= skip_name(p
, header
, qlen
, 20)))
856 p
+= 16; /* SERIAL REFRESH RETRY EXPIRE */
858 GETLONG(ttl
, p
); /* minTTL */
862 else if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
863 return 0; /* bad packet */
866 /* rewrite addresses in additional section too */
867 if (!do_doctor(p
, ntohs(header
->arcount
), header
, qlen
, NULL
, doctored
))
871 minttl
= daemon
->neg_ttl
;
876 /* Note that the following code can create CNAME chains that don't point to a real record,
877 either because of lack of memory, or lack of SOA records. These are treated by the cache code as
878 expired and cleaned out that way.
879 Return 1 if we reject an address because it look like part of dns-rebinding attack. */
880 int extract_addresses(struct dns_header
*header
, size_t qlen
, char *name
, time_t now
,
881 char **ipsets
, int is_sign
, int check_rebind
, int no_cache_dnssec
, int secure
, int *doctored
)
883 unsigned char *p
, *p1
, *endrr
, *namep
;
884 int i
, j
, qtype
, qclass
, aqtype
, aqclass
, ardlen
, res
, searched_soa
= 0;
885 unsigned long ttl
= 0;
886 struct all_addr addr
;
890 (void)ipsets
; /* unused */
893 cache_start_insert();
895 /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */
896 if (daemon
->doctors
|| option_bool(OPT_LOG
) || option_bool(OPT_DNSSEC_VALID
))
899 ttl
= find_soa(header
, qlen
, name
, doctored
);
901 if (*doctored
&& secure
)
906 /* go through the questions. */
907 p
= (unsigned char *)(header
+1);
909 for (i
= ntohs(header
->qdcount
); i
!= 0; i
--)
911 int found
= 0, cname_count
= CNAME_CHAIN
;
912 struct crec
*cpp
= NULL
;
913 int flags
= RCODE(header
) == NXDOMAIN
? F_NXDOMAIN
: 0;
914 int secflag
= secure
? F_DNSSECOK
: 0;
915 unsigned long cttl
= ULONG_MAX
, attl
;
918 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
919 return 0; /* bad packet */
927 /* PTRs: we chase CNAMEs here, since we have no way to
928 represent them in the cache. */
931 int name_encoding
= in_arpa_name_2_addr(name
, &addr
);
936 if (!(flags
& F_NXDOMAIN
))
939 if (!(p1
= skip_questions(header
, qlen
)))
942 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
944 unsigned char *tmp
= namep
;
945 /* the loop body overwrites the original name, so get it back here. */
946 if (!extract_name(header
, qlen
, &tmp
, name
, 1, 0) ||
947 !(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
948 return 0; /* bad packet */
950 GETSHORT(aqtype
, p1
);
951 GETSHORT(aqclass
, p1
);
953 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
956 PUTLONG(daemon
->max_ttl
, p1
);
958 GETSHORT(ardlen
, p1
);
961 /* TTL of record is minimum of CNAMES and PTR */
965 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== T_PTR
))
967 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
970 if (aqtype
== T_CNAME
)
972 if (!cname_count
-- || secure
)
973 return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
977 cache_insert(name
, &addr
, now
, cttl
, name_encoding
| secflag
| F_REVERSE
);
982 if (!CHECK_LEN(header
, p1
, qlen
, 0))
983 return 0; /* bad packet */
987 if (!found
&& !option_bool(OPT_NO_NEG
))
992 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
995 cache_insert(NULL
, &addr
, now
, ttl
, name_encoding
| F_REVERSE
| F_NEG
| flags
| secflag
);
1000 /* everything other than PTR */
1010 else if (qtype
== T_AAAA
)
1012 addrlen
= IN6ADDRSZ
;
1020 if (!(p1
= skip_questions(header
, qlen
)))
1023 for (j
= ntohs(header
->ancount
); j
!= 0; j
--)
1025 if (!(res
= extract_name(header
, qlen
, &p1
, name
, 0, 10)))
1026 return 0; /* bad packet */
1028 GETSHORT(aqtype
, p1
);
1029 GETSHORT(aqclass
, p1
);
1031 if ((daemon
->max_ttl
!= 0) && (attl
> daemon
->max_ttl
) && !is_sign
)
1034 PUTLONG(daemon
->max_ttl
, p1
);
1036 GETSHORT(ardlen
, p1
);
1039 if (aqclass
== C_IN
&& res
!= 2 && (aqtype
== T_CNAME
|| aqtype
== qtype
))
1041 if (aqtype
== T_CNAME
)
1044 return 0; /* looped CNAMES */
1045 newc
= cache_insert(name
, NULL
, now
, attl
, F_CNAME
| F_FORWARD
| secflag
);
1048 newc
->addr
.cname
.target
.cache
= NULL
;
1049 /* anything other than zero, to avoid being mistaken for CNAME to interface-name */
1050 newc
->addr
.cname
.uid
= 1;
1053 cpp
->addr
.cname
.target
.cache
= newc
;
1054 cpp
->addr
.cname
.uid
= newc
->uid
;
1062 if (!extract_name(header
, qlen
, &p1
, name
, 1, 0))
1066 else if (!(flags
& F_NXDOMAIN
))
1070 /* copy address into aligned storage */
1071 if (!CHECK_LEN(header
, p1
, qlen
, addrlen
))
1072 return 0; /* bad packet */
1073 memcpy(&addr
, p1
, addrlen
);
1075 /* check for returned address in private space */
1078 if ((flags
& F_IPV4
) &&
1079 private_net(addr
.addr
.addr4
, !option_bool(OPT_LOCAL_REBIND
)))
1083 if ((flags
& F_IPV6
) &&
1084 IN6_IS_ADDR_V4MAPPED(&addr
.addr
.addr6
))
1087 v4
.s_addr
= ((const uint32_t *) (&addr
.addr
.addr6
))[3];
1088 if (private_net(v4
, !option_bool(OPT_LOCAL_REBIND
)))
1095 if (ipsets
&& (flags
& (F_IPV4
| F_IPV6
)))
1097 ipsets_cur
= ipsets
;
1100 log_query((flags
& (F_IPV4
| F_IPV6
)) | F_IPSET
, name
, &addr
, *ipsets_cur
);
1101 add_to_ipset(*ipsets_cur
++, &addr
, flags
, 0);
1106 newc
= cache_insert(name
, &addr
, now
, attl
, flags
| F_FORWARD
| secflag
);
1109 cpp
->addr
.cname
.target
.cache
= newc
;
1110 cpp
->addr
.cname
.uid
= newc
->uid
;
1117 if (!CHECK_LEN(header
, p1
, qlen
, 0))
1118 return 0; /* bad packet */
1121 if (!found
&& !option_bool(OPT_NO_NEG
))
1126 ttl
= find_soa(header
, qlen
, NULL
, doctored
);
1128 /* If there's no SOA to get the TTL from, but there is a CNAME
1129 pointing at this, inherit its TTL */
1132 newc
= cache_insert(name
, NULL
, now
, ttl
? ttl
: cttl
, F_FORWARD
| F_NEG
| flags
| secflag
);
1135 cpp
->addr
.cname
.target
.cache
= newc
;
1136 cpp
->addr
.cname
.uid
= newc
->uid
;
1143 /* Don't put stuff from a truncated packet into the cache.
1144 Don't cache replies from non-recursive nameservers, since we may get a
1145 reply containing a CNAME but not its target, even though the target
1147 if (!(header
->hb3
& HB3_TC
) &&
1148 !(header
->hb4
& HB4_CD
) &&
1149 (header
->hb4
& HB4_RA
) &&
1156 /* If the packet holds exactly one query
1157 return F_IPV4 or F_IPV6 and leave the name from the query in name */
1158 unsigned int extract_request(struct dns_header
*header
, size_t qlen
, char *name
, unsigned short *typep
)
1160 unsigned char *p
= (unsigned char *)(header
+1);
1166 if (ntohs(header
->qdcount
) != 1 || OPCODE(header
) != QUERY
)
1167 return 0; /* must be exactly one query. */
1169 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1170 return 0; /* bad packet */
1173 GETSHORT(qclass
, p
);
1182 if (qtype
== T_AAAA
)
1185 return F_IPV4
| F_IPV6
;
1192 size_t setup_reply(struct dns_header
*header
, size_t qlen
,
1193 struct all_addr
*addrp
, unsigned int flags
, unsigned long ttl
)
1197 if (!(p
= skip_questions(header
, qlen
)))
1200 /* clear authoritative and truncated flags, set QR flag */
1201 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
1203 header
->hb4
|= HB4_RA
;
1205 header
->nscount
= htons(0);
1206 header
->arcount
= htons(0);
1207 header
->ancount
= htons(0); /* no answers unless changed below */
1209 SET_RCODE(header
, SERVFAIL
); /* couldn't get memory */
1210 else if (flags
== F_NOERR
)
1211 SET_RCODE(header
, NOERROR
); /* empty domain */
1212 else if (flags
== F_NXDOMAIN
)
1213 SET_RCODE(header
, NXDOMAIN
);
1214 else if (flags
== F_IPV4
)
1215 { /* we know the address */
1216 SET_RCODE(header
, NOERROR
);
1217 header
->ancount
= htons(1);
1218 header
->hb3
|= HB3_AA
;
1219 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_A
, C_IN
, "4", addrp
);
1222 else if (flags
== F_IPV6
)
1224 SET_RCODE(header
, NOERROR
);
1225 header
->ancount
= htons(1);
1226 header
->hb3
|= HB3_AA
;
1227 add_resource_record(header
, NULL
, NULL
, sizeof(struct dns_header
), &p
, ttl
, NULL
, T_AAAA
, C_IN
, "6", addrp
);
1230 else /* nowhere to forward to */
1231 SET_RCODE(header
, REFUSED
);
1233 return p
- (unsigned char *)header
;
1236 /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
1237 int check_for_local_domain(char *name
, time_t now
)
1240 struct mx_srv_record
*mx
;
1241 struct txt_record
*txt
;
1242 struct interface_name
*intr
;
1243 struct ptr_record
*ptr
;
1244 struct naptr
*naptr
;
1246 /* Note: the call to cache_find_by_name is intended to find any record which matches
1247 ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
1248 cache_find_by name ordinarily only returns records with an exact match on those bits (ie
1249 for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
1251 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_IPV4
| F_IPV6
| F_CNAME
| F_DS
| F_NO_RR
| F_NSIGMATCH
)) &&
1252 (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
1255 for (naptr
= daemon
->naptr
; naptr
; naptr
= naptr
->next
)
1256 if (hostname_isequal(name
, naptr
->name
))
1259 for (mx
= daemon
->mxnames
; mx
; mx
= mx
->next
)
1260 if (hostname_isequal(name
, mx
->name
))
1263 for (txt
= daemon
->txt
; txt
; txt
= txt
->next
)
1264 if (hostname_isequal(name
, txt
->name
))
1267 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1268 if (hostname_isequal(name
, intr
->name
))
1271 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1272 if (hostname_isequal(name
, ptr
->name
))
1278 /* Is the packet a reply with the answer address equal to addr?
1279 If so mung is into an NXDOMAIN reply and also put that information
1281 int check_for_bogus_wildcard(struct dns_header
*header
, size_t qlen
, char *name
,
1282 struct bogus_addr
*baddr
, time_t now
)
1285 int i
, qtype
, qclass
, rdlen
;
1287 struct bogus_addr
*baddrp
;
1289 /* skip over questions */
1290 if (!(p
= skip_questions(header
, qlen
)))
1291 return 0; /* bad packet */
1293 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1295 if (!extract_name(header
, qlen
, &p
, name
, 1, 10))
1296 return 0; /* bad packet */
1299 GETSHORT(qclass
, p
);
1303 if (qclass
== C_IN
&& qtype
== T_A
)
1305 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1308 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1309 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1311 /* Found a bogus address. Insert that info here, since there no SOA record
1312 to get the ttl from in the normal processing */
1313 cache_start_insert();
1314 cache_insert(name
, NULL
, now
, ttl
, F_IPV4
| F_FORWARD
| F_NEG
| F_NXDOMAIN
);
1321 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1328 int check_for_ignored_address(struct dns_header
*header
, size_t qlen
, struct bogus_addr
*baddr
)
1331 int i
, qtype
, qclass
, rdlen
;
1332 struct bogus_addr
*baddrp
;
1334 /* skip over questions */
1335 if (!(p
= skip_questions(header
, qlen
)))
1336 return 0; /* bad packet */
1338 for (i
= ntohs(header
->ancount
); i
!= 0; i
--)
1340 if (!(p
= skip_name(p
, header
, qlen
, 10)))
1341 return 0; /* bad packet */
1344 GETSHORT(qclass
, p
);
1348 if (qclass
== C_IN
&& qtype
== T_A
)
1350 if (!CHECK_LEN(header
, p
, qlen
, INADDRSZ
))
1353 for (baddrp
= baddr
; baddrp
; baddrp
= baddrp
->next
)
1354 if (memcmp(&baddrp
->addr
, p
, INADDRSZ
) == 0)
1358 if (!ADD_RDLEN(header
, p
, qlen
, rdlen
))
1365 int add_resource_record(struct dns_header
*header
, char *limit
, int *truncp
, int nameoffset
, unsigned char **pp
,
1366 unsigned long ttl
, int *offset
, unsigned short type
, unsigned short class, char *format
, ...)
1369 unsigned char *sav
, *p
= *pp
;
1371 unsigned short usval
;
1375 if (truncp
&& *truncp
)
1378 va_start(ap
, format
); /* make ap point to 1st unamed argument */
1382 PUTSHORT(nameoffset
| 0xc000, p
);
1386 char *name
= va_arg(ap
, char *);
1388 p
= do_rfc1035_name(p
, name
);
1391 PUTSHORT(-nameoffset
| 0xc000, p
);
1399 PUTLONG(ttl
, p
); /* TTL */
1401 sav
= p
; /* Save pointer to RDLength field */
1402 PUTSHORT(0, p
); /* Placeholder RDLength */
1404 for (; *format
; format
++)
1409 sval
= va_arg(ap
, char *);
1410 memcpy(p
, sval
, IN6ADDRSZ
);
1416 sval
= va_arg(ap
, char *);
1417 memcpy(p
, sval
, INADDRSZ
);
1422 usval
= va_arg(ap
, int);
1427 usval
= va_arg(ap
, int);
1432 lval
= va_arg(ap
, long);
1437 /* get domain-name answer arg and store it in RDATA field */
1439 *offset
= p
- (unsigned char *)header
;
1440 p
= do_rfc1035_name(p
, va_arg(ap
, char *));
1445 usval
= va_arg(ap
, int);
1446 sval
= va_arg(ap
, char *);
1448 memcpy(p
, sval
, usval
);
1453 sval
= va_arg(ap
, char *);
1454 usval
= sval
? strlen(sval
) : 0;
1457 *p
++ = (unsigned char)usval
;
1458 memcpy(p
, sval
, usval
);
1463 va_end(ap
); /* clean up variable argument pointer */
1466 PUTSHORT(j
, sav
); /* Now, store real RDLength */
1468 /* check for overflow of buffer */
1469 if (limit
&& ((unsigned char *)limit
- p
) < 0)
1480 static unsigned long crec_ttl(struct crec
*crecp
, time_t now
)
1482 /* Return 0 ttl for DHCP entries, which might change
1483 before the lease expires. */
1485 if (crecp
->flags
& (F_IMMORTAL
| F_DHCP
))
1486 return daemon
->local_ttl
;
1488 /* Return the Max TTL value if it is lower then the actual TTL */
1489 if (daemon
->max_ttl
== 0 || ((unsigned)(crecp
->ttd
- now
) < daemon
->max_ttl
))
1490 return crecp
->ttd
- now
;
1492 return daemon
->max_ttl
;
1496 /* return zero if we can't answer from cache, or packet size if we can */
1497 size_t answer_request(struct dns_header
*header
, char *limit
, size_t qlen
,
1498 struct in_addr local_addr
, struct in_addr local_netmask
,
1499 time_t now
, int *ad_reqd
, int *do_bit
)
1501 char *name
= daemon
->namebuff
;
1502 unsigned char *p
, *ansp
, *pheader
;
1503 unsigned int qtype
, qclass
;
1504 struct all_addr addr
;
1506 unsigned short flag
;
1507 int q
, ans
, anscount
= 0, addncount
= 0;
1508 int dryrun
= 0, sec_reqd
= 0, have_pseudoheader
= 0;
1510 int nxdomain
= 0, auth
= 1, trunc
= 0, sec_data
= 1;
1511 struct mx_srv_record
*rec
;
1514 /* Don't return AD set if checking disabled. */
1515 if (header
->hb4
& HB4_CD
)
1519 *ad_reqd
= header
->hb4
& HB4_AD
;
1522 /* If there is an RFC2671 pseudoheader then it will be overwritten by
1523 partial replies, so we have to do a dry run to see if we can answer
1524 the query. We check to see if the do bit is set, if so we always
1525 forward rather than answering from the cache, which doesn't include
1526 security information, unless we're in DNSSEC validation mode. */
1528 if (find_pseudoheader(header
, qlen
, NULL
, &pheader
, NULL
))
1530 unsigned short flags
;
1532 have_pseudoheader
= 1;
1534 pheader
+= 4; /* udp size, ext_rcode */
1535 GETSHORT(flags
, pheader
);
1537 if ((sec_reqd
= flags
& 0x8000))
1538 *do_bit
= 1;/* do bit */
1544 if (ntohs(header
->qdcount
) == 0 || OPCODE(header
) != QUERY
)
1547 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
1551 /* determine end of question section (we put answers there) */
1552 if (!(ansp
= skip_questions(header
, qlen
)))
1553 return 0; /* bad packet */
1555 /* now process each question, answers go in RRs after the question */
1556 p
= (unsigned char *)(header
+1);
1558 for (q
= ntohs(header
->qdcount
); q
!= 0; q
--)
1560 /* save pointer to name for copying into answers */
1561 nameoffset
= p
- (unsigned char *)header
;
1563 /* now extract name as .-concatenated string into name */
1564 if (!extract_name(header
, qlen
, &p
, name
, 1, 4))
1565 return 0; /* bad packet */
1568 GETSHORT(qclass
, p
);
1570 /* Don't filter RRSIGS from answers to ANY queries, even if do-bit
1575 ans
= 0; /* have we answered this question */
1577 if (qtype
== T_TXT
|| qtype
== T_ANY
)
1579 struct txt_record
*t
;
1580 for(t
= daemon
->txt
; t
; t
= t
->next
)
1582 if (t
->class == qclass
&& hostname_isequal(name
, t
->name
))
1587 unsigned long ttl
= daemon
->local_ttl
;
1589 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<TXT>");
1590 /* Dynamically generate stat record */
1594 if (!cache_make_stat(t
))
1598 if (ok
&& add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1600 T_TXT
, t
->class, "t", t
->len
, t
->txt
))
1609 if (option_bool(OPT_DNSSEC_VALID
) && (qtype
== T_DNSKEY
|| qtype
== T_DS
))
1612 struct blockdata
*keydata
;
1614 /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
1618 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1619 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
)
1623 if (!sec_reqd
|| crecp
)
1628 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DS
)))
1629 if (crecp
->uid
== qclass
)
1634 if (crecp
->flags
& F_NEG
)
1636 if (crecp
->flags
& F_NXDOMAIN
)
1638 log_query(F_UPSTREAM
, name
, NULL
, "no DS");
1640 else if ((keydata
= blockdata_retrieve(crecp
->addr
.ds
.keydata
, crecp
->addr
.ds
.keylen
, NULL
)))
1643 a
.addr
.keytag
= crecp
->addr
.ds
.keytag
;
1644 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DS keytag %u");
1645 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1646 crec_ttl(crecp
, now
), &nameoffset
,
1647 T_DS
, qclass
, "sbbt",
1648 crecp
->addr
.ds
.keytag
, crecp
->addr
.ds
.algo
,
1649 crecp
->addr
.ds
.digest
, crecp
->addr
.ds
.keylen
, keydata
))
1659 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
)))
1660 if (crecp
->uid
== qclass
)
1663 if (!dryrun
&& (keydata
= blockdata_retrieve(crecp
->addr
.key
.keydata
, crecp
->addr
.key
.keylen
, NULL
)))
1666 a
.addr
.keytag
= crecp
->addr
.key
.keytag
;
1667 log_query(F_KEYTAG
| (crecp
->flags
& F_CONFIG
), name
, &a
, "DNSKEY keytag %u");
1668 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1669 crec_ttl(crecp
, now
), &nameoffset
,
1670 T_DNSKEY
, qclass
, "sbbt",
1671 crecp
->addr
.key
.flags
, 3, crecp
->addr
.key
.algo
, crecp
->addr
.key
.keylen
, keydata
))
1683 if (!dryrun
&& sec_reqd
)
1686 while ((crecp
= cache_find_by_name(crecp
, name
, now
, F_DNSKEY
| F_DS
)))
1687 if (crecp
->uid
== qclass
&& crecp
->addr
.sig
.type_covered
== qtype
&&
1688 (keydata
= blockdata_retrieve(crecp
->addr
.sig
.keydata
, crecp
->addr
.sig
.keylen
, NULL
)))
1690 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1691 crec_ttl(crecp
, now
), &nameoffset
,
1692 T_RRSIG
, qclass
, "t", crecp
->addr
.sig
.keylen
, keydata
);
1702 struct txt_record
*t
;
1704 for (t
= daemon
->rr
; t
; t
= t
->next
)
1705 if ((t
->class == qtype
|| qtype
== T_ANY
) && hostname_isequal(name
, t
->name
))
1710 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<RR>");
1711 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1712 daemon
->local_ttl
, NULL
,
1713 t
->class, C_IN
, "t", t
->len
, t
->txt
))
1718 if (qtype
== T_PTR
|| qtype
== T_ANY
)
1720 /* see if it's w.z.y.z.in-addr.arpa format */
1721 int is_arpa
= in_arpa_name_2_addr(name
, &addr
);
1722 struct ptr_record
*ptr
;
1723 struct interface_name
* intr
= NULL
;
1725 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1726 if (hostname_isequal(name
, ptr
->name
))
1729 if (is_arpa
== F_IPV4
)
1730 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1732 struct addrlist
*addrlist
;
1734 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1735 if (!(addrlist
->flags
& ADDRLIST_IPV6
) && addr
.addr
.addr4
.s_addr
== addrlist
->addr
.addr
.addr4
.s_addr
)
1741 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1745 else if (is_arpa
== F_IPV6
)
1746 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1748 struct addrlist
*addrlist
;
1750 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1751 if ((addrlist
->flags
& ADDRLIST_IPV6
) && IN6_ARE_ADDR_EQUAL(&addr
.addr
.addr6
, &addrlist
->addr
.addr
.addr6
))
1757 while (intr
->next
&& strcmp(intr
->intr
, intr
->next
->intr
) == 0)
1767 log_query(is_arpa
| F_REVERSE
| F_CONFIG
, intr
->name
, &addr
, NULL
);
1768 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1769 daemon
->local_ttl
, NULL
,
1770 T_PTR
, C_IN
, "d", intr
->name
))
1779 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<PTR>");
1780 for (ptr
= daemon
->ptr
; ptr
; ptr
= ptr
->next
)
1781 if (hostname_isequal(name
, ptr
->name
) &&
1782 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1783 daemon
->local_ttl
, NULL
,
1784 T_PTR
, C_IN
, "d", ptr
->ptr
))
1789 else if ((crecp
= cache_find_by_addr(NULL
, &addr
, now
, is_arpa
)))
1791 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
1793 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
1796 else if (crecp
->flags
& F_DNSSECOK
)
1799 struct crec
*rr_crec
= NULL
;
1801 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
1803 if (rr_crec
->addr
.sig
.type_covered
== T_PTR
&& rr_crec
->uid
== C_IN
)
1805 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
1809 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1810 rr_crec
->ttd
- now
, &nameoffset
,
1811 T_RRSIG
, C_IN
, "t", crecp
->addr
.sig
.keylen
, sigdata
))
1826 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1827 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1830 if (!(crecp
->flags
& F_DNSSECOK
))
1833 if (crecp
->flags
& F_NEG
)
1837 if (crecp
->flags
& F_NXDOMAIN
)
1840 log_query(crecp
->flags
& ~F_FORWARD
, name
, &addr
, NULL
);
1842 else if ((crecp
->flags
& (F_HOSTS
| F_DHCP
)) || !sec_reqd
|| option_bool(OPT_DNSSEC_VALID
))
1845 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
1849 log_query(crecp
->flags
& ~F_FORWARD
, cache_get_name(crecp
), &addr
,
1850 record_source(crecp
->uid
));
1852 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1853 crec_ttl(crecp
, now
), NULL
,
1854 T_PTR
, C_IN
, "d", cache_get_name(crecp
)))
1858 } while ((crecp
= cache_find_by_addr(crecp
, &addr
, now
, is_arpa
)));
1861 else if (is_rev_synth(is_arpa
, &addr
, name
))
1866 log_query(F_CONFIG
| F_REVERSE
| is_arpa
, name
, &addr
, NULL
);
1868 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1869 daemon
->local_ttl
, NULL
,
1870 T_PTR
, C_IN
, "d", name
))
1874 else if (is_arpa
== F_IPV4
&&
1875 option_bool(OPT_BOGUSPRIV
) &&
1876 private_net(addr
.addr
.addr4
, 1))
1878 /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
1882 log_query(F_CONFIG
| F_REVERSE
| F_IPV4
| F_NEG
| F_NXDOMAIN
,
1887 for (flag
= F_IPV4
; flag
; flag
= (flag
== F_IPV4
) ? F_IPV6
: 0)
1889 unsigned short type
= T_A
;
1890 struct interface_name
*intr
;
1899 if (qtype
!= type
&& qtype
!= T_ANY
)
1902 /* Check for "A for A" queries; be rather conservative
1903 about what looks like dotted-quad. */
1910 for (cp
= name
, i
= 0, a
= 0; *cp
; i
++)
1912 if (!isdigit((unsigned char)*cp
) || (x
= strtol(cp
, &cp
, 10)) > 255)
1929 addr
.addr
.addr4
.s_addr
= htonl(a
);
1930 log_query(F_FORWARD
| F_CONFIG
| F_IPV4
, name
, &addr
, NULL
);
1931 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1932 daemon
->local_ttl
, NULL
, type
, C_IN
, "4", &addr
))
1939 /* interface name stuff */
1941 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1942 if (hostname_isequal(name
, intr
->name
))
1947 struct addrlist
*addrlist
;
1950 enumerate_interfaces(0);
1952 for (intr
= daemon
->int_names
; intr
; intr
= intr
->next
)
1953 if (hostname_isequal(name
, intr
->name
))
1955 for (addrlist
= intr
->addr
; addrlist
; addrlist
= addrlist
->next
)
1957 if (((addrlist
->flags
& ADDRLIST_IPV6
) ? T_AAAA
: T_A
) == type
)
1961 if (addrlist
->flags
& ADDRLIST_REVONLY
)
1968 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addrlist
->addr
, NULL
);
1969 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
1970 daemon
->local_ttl
, NULL
, type
, C_IN
,
1971 type
== T_A
? "4" : "6", &addrlist
->addr
))
1977 if (!dryrun
&& !gotit
)
1978 log_query(F_FORWARD
| F_CONFIG
| flag
| F_NEG
, name
, NULL
, NULL
);
1984 if ((crecp
= cache_find_by_name(NULL
, name
, now
, flag
| F_CNAME
| (dryrun
? F_NO_RR
: 0))))
1988 /* See if a putative address is on the network from which we recieved
1989 the query, is so we'll filter other answers. */
1990 if (local_addr
.s_addr
!= 0 && option_bool(OPT_LOCALISE
) && flag
== F_IPV4
)
1992 struct crec
*save
= crecp
;
1994 if ((crecp
->flags
& F_HOSTS
) &&
1995 is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2000 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2004 /* If the client asked for DNSSEC and we can't provide RRSIGs, either
2005 because we've not doing DNSSEC or the cached answer is signed by negative,
2006 don't answer from the cache, forward instead. */
2007 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)) && sec_reqd
)
2009 if (!option_bool(OPT_DNSSEC_VALID
) || ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
)))
2012 else if (crecp
->flags
& F_DNSSECOK
)
2014 /* We're returning validated data, need to return the RRSIG too. */
2015 struct crec
*rr_crec
= NULL
;
2017 /* The signature may have expired even though the data is still in cache,
2018 forward instead of answering from cache if so. */
2021 if (crecp
->flags
& F_CNAME
)
2024 while ((rr_crec
= cache_find_by_name(rr_crec
, name
, now
, F_DS
| F_DNSKEY
)))
2026 if (rr_crec
->addr
.sig
.type_covered
== sigtype
&& rr_crec
->uid
== C_IN
)
2028 char *sigdata
= blockdata_retrieve(rr_crec
->addr
.sig
.keydata
, rr_crec
->addr
.sig
.keylen
, NULL
);
2032 add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2033 rr_crec
->ttd
- now
, &nameoffset
,
2034 T_RRSIG
, C_IN
, "t", rr_crec
->addr
.sig
.keylen
, sigdata
))
2048 /* don't answer wildcard queries with data not from /etc/hosts
2050 if (qtype
== T_ANY
&& !(crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
)))
2053 if (!(crecp
->flags
& F_DNSSECOK
))
2056 if (crecp
->flags
& F_CNAME
)
2058 char *cname_target
= cache_get_cname_target(crecp
);
2062 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2063 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2064 crec_ttl(crecp
, now
), &nameoffset
,
2065 T_CNAME
, C_IN
, "d", cname_target
))
2069 strcpy(name
, cname_target
);
2070 /* check if target interface_name */
2071 if (crecp
->addr
.cname
.uid
== SRC_INTERFACE
)
2072 goto intname_restart
;
2077 if (crecp
->flags
& F_NEG
)
2079 /* We don't cache NSEC records, so if a DNSSEC-validated negative answer
2080 is cached and the client wants DNSSEC, forward rather than answering from the cache */
2081 if (!sec_reqd
|| !(crecp
->flags
& F_DNSSECOK
))
2085 if (crecp
->flags
& F_NXDOMAIN
)
2088 log_query(crecp
->flags
, name
, NULL
, NULL
);
2093 /* If we are returning local answers depending on network,
2096 (crecp
->flags
& F_HOSTS
) &&
2097 !is_same_net(*((struct in_addr
*)&crecp
->addr
), local_addr
, local_netmask
))
2100 if (!(crecp
->flags
& (F_HOSTS
| F_DHCP
)))
2106 log_query(crecp
->flags
& ~F_REVERSE
, name
, &crecp
->addr
.addr
,
2107 record_source(crecp
->uid
));
2109 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2110 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2111 type
== T_A
? "4" : "6", &crecp
->addr
))
2115 } while ((crecp
= cache_find_by_name(crecp
, name
, now
, flag
| F_CNAME
)));
2117 else if (is_name_synthetic(flag
, name
, &addr
))
2122 log_query(F_FORWARD
| F_CONFIG
| flag
, name
, &addr
, NULL
);
2123 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2124 daemon
->local_ttl
, NULL
, type
, C_IN
, type
== T_A
? "4" : "6", &addr
))
2130 if (qtype
== T_CNAME
|| qtype
== T_ANY
)
2132 if ((crecp
= cache_find_by_name(NULL
, name
, now
, F_CNAME
)) &&
2133 (qtype
== T_CNAME
|| (crecp
->flags
& (F_HOSTS
| F_DHCP
| F_CONFIG
| (dryrun
? F_NO_RR
: 0)))))
2135 if (!(crecp
->flags
& F_DNSSECOK
))
2141 log_query(crecp
->flags
, name
, NULL
, record_source(crecp
->uid
));
2142 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
,
2143 crec_ttl(crecp
, now
), &nameoffset
,
2144 T_CNAME
, C_IN
, "d", cache_get_cname_target(crecp
)))
2150 if (qtype
== T_MX
|| qtype
== T_ANY
)
2153 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2154 if (!rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2160 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2161 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2162 &offset
, T_MX
, C_IN
, "sd", rec
->weight
, rec
->target
))
2166 rec
->offset
= offset
;
2171 if (!found
&& (option_bool(OPT_SELFMX
) || option_bool(OPT_LOCALMX
)) &&
2172 cache_find_by_name(NULL
, name
, now
, F_HOSTS
| F_DHCP
| F_NO_RR
))
2177 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<MX>");
2178 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
, NULL
,
2179 T_MX
, C_IN
, "sd", 1,
2180 option_bool(OPT_SELFMX
) ? name
: daemon
->mxtarget
))
2186 if (qtype
== T_SRV
|| qtype
== T_ANY
)
2189 struct mx_srv_record
*move
= NULL
, **up
= &daemon
->mxnames
;
2191 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2192 if (rec
->issrv
&& hostname_isequal(name
, rec
->name
))
2198 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<SRV>");
2199 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2200 &offset
, T_SRV
, C_IN
, "sssd",
2201 rec
->priority
, rec
->weight
, rec
->srvport
, rec
->target
))
2205 rec
->offset
= offset
;
2209 /* unlink first SRV record found */
2221 /* put first SRV record back at the end. */
2228 if (!found
&& option_bool(OPT_FILTER
) && (qtype
== T_SRV
|| (qtype
== T_ANY
&& strchr(name
, '_'))))
2232 log_query(F_CONFIG
| F_NEG
, name
, NULL
, NULL
);
2236 if (qtype
== T_NAPTR
|| qtype
== T_ANY
)
2239 for (na
= daemon
->naptr
; na
; na
= na
->next
)
2240 if (hostname_isequal(name
, na
->name
))
2245 log_query(F_CONFIG
| F_RRNAME
, name
, NULL
, "<NAPTR>");
2246 if (add_resource_record(header
, limit
, &trunc
, nameoffset
, &ansp
, daemon
->local_ttl
,
2247 NULL
, T_NAPTR
, C_IN
, "sszzzd",
2248 na
->order
, na
->pref
, na
->flags
, na
->services
, na
->regexp
, na
->replace
))
2254 if (qtype
== T_MAILB
)
2255 ans
= 1, nxdomain
= 1;
2257 if (qtype
== T_SOA
&& option_bool(OPT_FILTER
))
2261 log_query(F_CONFIG
| F_NEG
, name
, &addr
, NULL
);
2266 return 0; /* failed to answer a question */
2275 /* create an additional data section, for stuff in SRV and MX record replies. */
2276 for (rec
= daemon
->mxnames
; rec
; rec
= rec
->next
)
2277 if (rec
->offset
!= 0)
2280 struct mx_srv_record
*tmp
;
2281 for (tmp
= rec
->next
; tmp
; tmp
= tmp
->next
)
2282 if (tmp
->offset
!= 0 && hostname_isequal(rec
->target
, tmp
->target
))
2286 while ((crecp
= cache_find_by_name(crecp
, rec
->target
, now
, F_IPV4
| F_IPV6
)))
2289 int type
= crecp
->flags
& F_IPV4
? T_A
: T_AAAA
;
2293 if (crecp
->flags
& F_NEG
)
2296 if (add_resource_record(header
, limit
, NULL
, rec
->offset
, &ansp
,
2297 crec_ttl(crecp
, now
), NULL
, type
, C_IN
,
2298 crecp
->flags
& F_IPV4
? "4" : "6", &crecp
->addr
))
2303 /* done all questions, set up header and return length of result */
2304 /* clear authoritative and truncated flags, set QR flag */
2305 header
->hb3
= (header
->hb3
& ~(HB3_AA
| HB3_TC
)) | HB3_QR
;
2307 header
->hb4
|= HB4_RA
;
2309 /* authoritive - only hosts and DHCP derived names. */
2311 header
->hb3
|= HB3_AA
;
2315 header
->hb3
|= HB3_TC
;
2318 SET_RCODE(header
, NXDOMAIN
);
2320 SET_RCODE(header
, NOERROR
); /* no error */
2321 header
->ancount
= htons(anscount
);
2322 header
->nscount
= htons(0);
2323 header
->arcount
= htons(addncount
);
2325 len
= ansp
- (unsigned char *)header
;
2327 if (have_pseudoheader
)
2328 len
= add_pseudoheader(header
, len
, (unsigned char *)limit
, 0, NULL
, 0, sec_reqd
);
2330 if (*ad_reqd
&& sec_data
)
2331 header
->hb4
|= HB4_AD
;
2333 header
->hb4
&= ~HB4_AD
;