search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dnsmasq: update to 2.73 (23.06.2015)
[tomato.git] / release / src / router / dnsmasq / src / rfc1035.c
blob56647b02ab4d7bcb3ac531ecd1db8bcf09be1747
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
20 char *name, int isExtract, int extrabytes)
21 {
22 unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL;
23 unsigned int j, l, namelen = 0, hops = 0;
24 int retvalue = 1;
25
26 if (isExtract)
27 *cp = 0;
28
29 while (1)
30 {
31 unsigned int label_type;
32
33 if (!CHECK_LEN(header, p, plen, 1))
34 return 0;
35
36 if ((l = *p++) == 0)
37 /* end marker */
38 {
39 /* check that there are the correct no of bytes after the name */
40 if (!CHECK_LEN(header, p, plen, extrabytes))
41 return 0;
42
43 if (isExtract)
44 {
45 if (cp != (unsigned char *)name)
46 cp--;
47 *cp = 0; /* terminate: lose final period */
48 }
49 else if (*cp != 0)
50 retvalue = 2;
51
52 if (p1) /* we jumped via compression */
53 *pp = p1;
54 else
55 *pp = p;
56
57 return retvalue;
58 }
59
60 label_type = l & 0xc0;
61
62 if (label_type == 0xc0) /* pointer */
63 {
64 if (!CHECK_LEN(header, p, plen, 1))
65 return 0;
66
67 /* get offset */
68 l = (l&0x3f) << 8;
69 l |= *p++;
70
71 if (!p1) /* first jump, save location to go back to */
72 p1 = p;
73
74 hops++; /* break malicious infinite loops */
75 if (hops > 255)
76 return 0;
77
78 p = l + (unsigned char *)header;
79 }
80 else if (label_type == 0x00)
81 { /* label_type = 0 -> label. */
82 namelen += l + 1; /* include period */
83 if (namelen >= MAXDNAME)
84 return 0;
85 if (!CHECK_LEN(header, p, plen, l))
86 return 0;
87
88 for(j=0; j<l; j++, p++)
89 if (isExtract)
90 {
91 unsigned char c = *p;
92 #ifdef HAVE_DNSSEC
93 if (option_bool(OPT_DNSSEC_VALID))
94 {
95 if (c == 0 || c == '.' || c == NAME_ESCAPE)
96 {
97 *cp++ = NAME_ESCAPE;
98 *cp++ = c+1;
99 }
100 else
101 *cp++ = c;
102 }
103 else
104 #endif
105 if (c != 0 && c != '.')
106 *cp++ = c;
107 else
108 return 0;
109 }
110 else
111 {
112 unsigned char c1 = *cp, c2 = *p;
113
114 if (c1 == 0)
115 retvalue = 2;
116 else
117 {
118 cp++;
119 if (c1 >= 'A' && c1 <= 'Z')
120 c1 += 'a' - 'A';
121 #ifdef HAVE_DNSSEC
122 if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE)
123 c1 = (*cp++)-1;
124 #endif
125
126 if (c2 >= 'A' && c2 <= 'Z')
127 c2 += 'a' - 'A';
128
129 if (c1 != c2)
130 retvalue = 2;
131 }
132 }
133
134 if (isExtract)
135 *cp++ = '.';
136 else if (*cp != 0 && *cp++ != '.')
137 retvalue = 2;
138 }
139 else
140 return 0; /* label types 0x40 and 0x80 not supported */
141 }
142 }
143
144 /* Max size of input string (for IPv6) is 75 chars.) */
145 #define MAXARPANAME 75
146 int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
147 {
148 int j;
149 char name[MAXARPANAME+1], *cp1;
150 unsigned char *addr = (unsigned char *)addrp;
151 char *lastchunk = NULL, *penchunk = NULL;
152
153 if (strlen(namein) > MAXARPANAME)
154 return 0;
155
156 memset(addrp, 0, sizeof(struct all_addr));
157
158 /* turn name into a series of asciiz strings */
159 /* j counts no of labels */
160 for(j = 1,cp1 = name; *namein; cp1++, namein++)
161 if (*namein == '.')
162 {
163 penchunk = lastchunk;
164 lastchunk = cp1 + 1;
165 *cp1 = 0;
166 j++;
167 }
168 else
169 *cp1 = *namein;
170
171 *cp1 = 0;
172
173 if (j<3)
174 return 0;
175
176 if (hostname_isequal(lastchunk, "arpa") && hostname_isequal(penchunk, "in-addr"))
177 {
178 /* IP v4 */
179 /* address arives as a name of the form
180 www.xxx.yyy.zzz.in-addr.arpa
181 some of the low order address octets might be missing
182 and should be set to zero. */
183 for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
184 {
185 /* check for digits only (weeds out things like
186 50.0/24.67.28.64.in-addr.arpa which are used
187 as CNAME targets according to RFC 2317 */
188 char *cp;
189 for (cp = cp1; *cp; cp++)
190 if (!isdigit((unsigned char)*cp))
191 return 0;
192
193 addr[3] = addr[2];
194 addr[2] = addr[1];
195 addr[1] = addr[0];
196 addr[0] = atoi(cp1);
197 }
198
199 return F_IPV4;
200 }
201 #ifdef HAVE_IPV6
202 else if (hostname_isequal(penchunk, "ip6") &&
203 (hostname_isequal(lastchunk, "int") || hostname_isequal(lastchunk, "arpa")))
204 {
205 /* IP v6:
206 Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
207 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
208
209 Note that most of these the various reprentations are obsolete and
210 left-over from the many DNS-for-IPv6 wars. We support all the formats
211 that we can since there is no reason not to.
212 */
213
214 if (*name == '\\' && *(name+1) == '[' &&
215 (*(name+2) == 'x' || *(name+2) == 'X'))
216 {
217 for (j = 0, cp1 = name+3; *cp1 && isxdigit((unsigned char) *cp1) && j < 32; cp1++, j++)
218 {
219 char xdig[2];
220 xdig[0] = *cp1;
221 xdig[1] = 0;
222 if (j%2)
223 addr[j/2] |= strtol(xdig, NULL, 16);
224 else
225 addr[j/2] = strtol(xdig, NULL, 16) << 4;
226 }
227
228 if (*cp1 == '/' && j == 32)
229 return F_IPV6;
230 }
231 else
232 {
233 for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
234 {
235 if (*(cp1+1) || !isxdigit((unsigned char)*cp1))
236 return 0;
237
238 for (j = sizeof(struct all_addr)-1; j>0; j--)
239 addr[j] = (addr[j] >> 4) | (addr[j-1] << 4);
240 addr[0] = (addr[0] >> 4) | (strtol(cp1, NULL, 16) << 4);
241 }
242
243 return F_IPV6;
244 }
245 }
246 #endif
247
248 return 0;
249 }
250
251 unsigned char *skip_name(unsigned char *ansp, struct dns_header *header, size_t plen, int extrabytes)
252 {
253 while(1)
254 {
255 unsigned int label_type;
256
257 if (!CHECK_LEN(header, ansp, plen, 1))
258 return NULL;
259
260 label_type = (*ansp) & 0xc0;
261
262 if (label_type == 0xc0)
263 {
264 /* pointer for compression. */
265 ansp += 2;
266 break;
267 }
268 else if (label_type == 0x80)
269 return NULL; /* reserved */
270 else if (label_type == 0x40)
271 {
272 /* Extended label type */
273 unsigned int count;
274
275 if (!CHECK_LEN(header, ansp, plen, 2))
276 return NULL;
277
278 if (((*ansp++) & 0x3f) != 1)
279 return NULL; /* we only understand bitstrings */
280
281 count = *(ansp++); /* Bits in bitstring */
282
283 if (count == 0) /* count == 0 means 256 bits */
284 ansp += 32;
285 else
286 ansp += ((count-1)>>3)+1;
287 }
288 else
289 { /* label type == 0 Bottom six bits is length */
290 unsigned int len = (*ansp++) & 0x3f;
291
292 if (!ADD_RDLEN(header, ansp, plen, len))
293 return NULL;
294
295 if (len == 0)
296 break; /* zero length label marks the end. */
297 }
298 }
299
300 if (!CHECK_LEN(header, ansp, plen, extrabytes))
301 return NULL;
302
303 return ansp;
304 }
305
306 unsigned char *skip_questions(struct dns_header *header, size_t plen)
307 {
308 int q;
309 unsigned char *ansp = (unsigned char *)(header+1);
310
311 for (q = ntohs(header->qdcount); q != 0; q--)
312 {
313 if (!(ansp = skip_name(ansp, header, plen, 4)))
314 return NULL;
315 ansp += 4; /* class and type */
316 }
317
318 return ansp;
319 }
320
321 unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen)
322 {
323 int i, rdlen;
324
325 for (i = 0; i < count; i++)
326 {
327 if (!(ansp = skip_name(ansp, header, plen, 10)))
328 return NULL;
329 ansp += 8; /* type, class, TTL */
330 GETSHORT(rdlen, ansp);
331 if (!ADD_RDLEN(header, ansp, plen, rdlen))
332 return NULL;
333 }
334
335 return ansp;
336 }
337
338 /* CRC the question section. This is used to safely detect query
339 retransmision and to detect answers to questions we didn't ask, which
340 might be poisoning attacks. Note that we decode the name rather
341 than CRC the raw bytes, since replies might be compressed differently.
342 We ignore case in the names for the same reason. Return all-ones
343 if there is not question section. */
344 #ifndef HAVE_DNSSEC
345 unsigned int questions_crc(struct dns_header *header, size_t plen, char *name)
346 {
347 int q;
348 unsigned int crc = 0xffffffff;
349 unsigned char *p1, *p = (unsigned char *)(header+1);
350
351 for (q = ntohs(header->qdcount); q != 0; q--)
352 {
353 if (!extract_name(header, plen, &p, name, 1, 4))
354 return crc; /* bad packet */
355
356 for (p1 = (unsigned char *)name; *p1; p1++)
357 {
358 int i = 8;
359 char c = *p1;
360
361 if (c >= 'A' && c <= 'Z')
362 c += 'a' - 'A';
363
364 crc ^= c << 24;
365 while (i--)
366 crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
367 }
368
369 /* CRC the class and type as well */
370 for (p1 = p; p1 < p+4; p1++)
371 {
372 int i = 8;
373 crc ^= *p1 << 24;
374 while (i--)
375 crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
376 }
377
378 p += 4;
379 if (!CHECK_LEN(header, p, plen, 0))
380 return crc; /* bad packet */
381 }
382
383 return crc;
384 }
385 #endif
386
387 size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen)
388 {
389 unsigned char *ansp = skip_questions(header, plen);
390
391 /* if packet is malformed, just return as-is. */
392 if (!ansp)
393 return plen;
394
395 if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
396 header, plen)))
397 return plen;
398
399 /* restore pseudoheader */
400 if (pheader && ntohs(header->arcount) == 0)
401 {
402 /* must use memmove, may overlap */
403 memmove(ansp, pheader, hlen);
404 header->arcount = htons(1);
405 ansp += hlen;
406 }
407
408 return ansp - (unsigned char *)header;
409 }
410
411 unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t *len, unsigned char **p, int *is_sign)
412 {
413 /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it.
414 also return length of pseudoheader in *len and pointer to the UDP size in *p
415 Finally, check to see if a packet is signed. If it is we cannot change a single bit before
416 forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
417
418 int i, arcount = ntohs(header->arcount);
419 unsigned char *ansp = (unsigned char *)(header+1);
420 unsigned short rdlen, type, class;
421 unsigned char *ret = NULL;
422
423 if (is_sign)
424 {
425 *is_sign = 0;
426
427 if (OPCODE(header) == QUERY)
428 {
429 for (i = ntohs(header->qdcount); i != 0; i--)
430 {
431 if (!(ansp = skip_name(ansp, header, plen, 4)))
432 return NULL;
433
434 GETSHORT(type, ansp);
435 GETSHORT(class, ansp);
436
437 if (class == C_IN && type == T_TKEY)
438 *is_sign = 1;
439 }
440 }
441 }
442 else
443 {
444 if (!(ansp = skip_questions(header, plen)))
445 return NULL;
446 }
447
448 if (arcount == 0)
449 return NULL;
450
451 if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount), header, plen)))
452 return NULL;
453
454 for (i = 0; i < arcount; i++)
455 {
456 unsigned char *save, *start = ansp;
457 if (!(ansp = skip_name(ansp, header, plen, 10)))
458 return NULL;
459
460 GETSHORT(type, ansp);
461 save = ansp;
462 GETSHORT(class, ansp);
463 ansp += 4; /* TTL */
464 GETSHORT(rdlen, ansp);
465 if (!ADD_RDLEN(header, ansp, plen, rdlen))
466 return NULL;
467 if (type == T_OPT)
468 {
469 if (len)
470 *len = ansp - start;
471 if (p)
472 *p = save;
473 ret = start;
474 }
475 else if (is_sign &&
476 i == arcount - 1 &&
477 class == C_ANY &&
478 type == T_TSIG)
479 *is_sign = 1;
480 }
481
482 return ret;
483 }
484
485 struct macparm {
486 unsigned char *limit;
487 struct dns_header *header;
488 size_t plen;
489 union mysockaddr *l3;
490 };
491
492 static size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit,
493 int optno, unsigned char *opt, size_t optlen, int set_do)
494 {
495 unsigned char *lenp, *datap, *p;
496 int rdlen, is_sign;
497
498 if (!(p = find_pseudoheader(header, plen, NULL, NULL, &is_sign)))
499 {
500 if (is_sign)
501 return plen;
502
503 /* We are adding the pseudoheader */
504 if (!(p = skip_questions(header, plen)) ||
505 !(p = skip_section(p,
506 ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
507 header, plen)))
508 return plen;
509 *p++ = 0; /* empty name */
510 PUTSHORT(T_OPT, p);
511 PUTSHORT(SAFE_PKTSZ, p); /* max packet length, this will be overwritten */
512 PUTSHORT(0, p); /* extended RCODE and version */
513 PUTSHORT(set_do ? 0x8000 : 0, p); /* DO flag */
514 lenp = p;
515 PUTSHORT(0, p); /* RDLEN */
516 rdlen = 0;
517 if (((ssize_t)optlen) > (limit - (p + 4)))
518 return plen; /* Too big */
519 header->arcount = htons(ntohs(header->arcount) + 1);
520 datap = p;
521 }
522 else
523 {
524 int i;
525 unsigned short code, len, flags;
526
527 /* Must be at the end, if exists */
528 if (ntohs(header->arcount) != 1 ||
529 is_sign ||
530 (!(p = skip_name(p, header, plen, 10))))
531 return plen;
532
533 p += 6; /* skip UDP length and RCODE */
534 GETSHORT(flags, p);
535 if (set_do)
536 {
537 p -=2;
538 PUTSHORT(flags | 0x8000, p);
539 }
540
541 lenp = p;
542 GETSHORT(rdlen, p);
543 if (!CHECK_LEN(header, p, plen, rdlen))
544 return plen; /* bad packet */
545 datap = p;
546
547 /* no option to add */
548 if (optno == 0)
549 return plen;
550
551 /* check if option already there */
552 for (i = 0; i + 4 < rdlen; i += len + 4)
553 {
554 GETSHORT(code, p);
555 GETSHORT(len, p);
556 if (code == optno)
557 return plen;
558 p += len;
559 }
560
561 if (((ssize_t)optlen) > (limit - (p + 4)))
562 return plen; /* Too big */
563 }
564
565 if (optno != 0)
566 {
567 PUTSHORT(optno, p);
568 PUTSHORT(optlen, p);
569 memcpy(p, opt, optlen);
570 p += optlen;
571 }
572
573 PUTSHORT(p - datap, lenp);
574 return p - (unsigned char *)header;
575
576 }
577
578 static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
579 {
580 struct macparm *parm = parmv;
581 int match = 0;
582
583 if (family == parm->l3->sa.sa_family)
584 {
585 if (family == AF_INET && memcmp(&parm->l3->in.sin_addr, addrp, INADDRSZ) == 0)
586 match = 1;
587 #ifdef HAVE_IPV6
588 else
589 if (family == AF_INET6 && memcmp(&parm->l3->in6.sin6_addr, addrp, IN6ADDRSZ) == 0)
590 match = 1;
591 #endif
592 }
593
594 if (!match)
595 return 1; /* continue */
596
597 parm->plen = add_pseudoheader(parm->header, parm->plen, parm->limit, EDNS0_OPTION_MAC, (unsigned char *)mac, maclen, 0);
598
599 return 0; /* done */
600 }
601
602 size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysockaddr *l3)
603 {
604 struct macparm parm;
605
606 /* Must have an existing pseudoheader as the only ar-record,
607 or have no ar-records. Must also not be signed */
608
609 if (ntohs(header->arcount) > 1)
610 return plen;
611
612 parm.header = header;
613 parm.limit = (unsigned char *)limit;
614 parm.plen = plen;
615 parm.l3 = l3;
616
617 iface_enumerate(AF_UNSPEC, &parm, filter_mac);
618
619 return parm.plen;
620 }
621
622 struct subnet_opt {
623 u16 family;
624 u8 source_netmask, scope_netmask;
625 #ifdef HAVE_IPV6
626 u8 addr[IN6ADDRSZ];
627 #else
628 u8 addr[INADDRSZ];
629 #endif
630 };
631
632 static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
633 {
634 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
635
636 int len;
637 void *addrp;
638
639 #ifdef HAVE_IPV6
640 if (source->sa.sa_family == AF_INET6)
641 {
642 opt->family = htons(2);
643 opt->source_netmask = daemon->addr6_netmask;
644 addrp = &source->in6.sin6_addr;
645 }
646 else
647 #endif
648 {
649 opt->family = htons(1);
650 opt->source_netmask = daemon->addr4_netmask;
651 addrp = &source->in.sin_addr;
652 }
653
654 opt->scope_netmask = 0;
655 len = 0;
656
657 if (opt->source_netmask != 0)
658 {
659 len = ((opt->source_netmask - 1) >> 3) + 1;
660 memcpy(opt->addr, addrp, len);
661 if (opt->source_netmask & 7)
662 opt->addr[len-1] &= 0xff << (8 - (opt->source_netmask & 7));
663 }
664
665 return len + 4;
666 }
667
668 size_t add_source_addr(struct dns_header *header, size_t plen, char *limit, union mysockaddr *source)
669 {
670 /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
671
672 int len;
673 struct subnet_opt opt;
674
675 len = calc_subnet_opt(&opt, source);
676 return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0);
677 }
678
679 #ifdef HAVE_DNSSEC
680 size_t add_do_bit(struct dns_header *header, size_t plen, char *limit)
681 {
682 return add_pseudoheader(header, plen, (unsigned char *)limit, 0, NULL, 0, 1);
683 }
684 #endif
685
686 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
687 {
688 /* Section 9.2, Check that subnet option in reply matches. */
689
690
691 int len, calc_len;
692 struct subnet_opt opt;
693 unsigned char *p;
694 int code, i, rdlen;
695
696 calc_len = calc_subnet_opt(&opt, peer);
697
698 if (!(p = skip_name(pseudoheader, header, plen, 10)))
699 return 1;
700
701 p += 8; /* skip UDP length and RCODE */
702
703 GETSHORT(rdlen, p);
704 if (!CHECK_LEN(header, p, plen, rdlen))
705 return 1; /* bad packet */
706
707 /* check if option there */
708 for (i = 0; i + 4 < rdlen; i += len + 4)
709 {
710 GETSHORT(code, p);
711 GETSHORT(len, p);
712 if (code == EDNS0_OPTION_CLIENT_SUBNET)
713 {
714 /* make sure this doesn't mismatch. */
715 opt.scope_netmask = p[3];
716 if (len != calc_len || memcmp(p, &opt, len) != 0)
717 return 0;
718 }
719 p += len;
720 }
721
722 return 1;
723 }
724
725 /* is addr in the non-globally-routed IP space? */
726 int private_net(struct in_addr addr, int ban_localhost)
727 {
728 in_addr_t ip_addr = ntohl(addr.s_addr);
729
730 return
731 (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
732 ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
733 ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
734 ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
735 ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ;
736 }
737
738 static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored)
739 {
740 int i, qtype, qclass, rdlen;
741
742 for (i = count; i != 0; i--)
743 {
744 if (name && option_bool(OPT_LOG))
745 {
746 if (!extract_name(header, qlen, &p, name, 1, 10))
747 return 0;
748 }
749 else if (!(p = skip_name(p, header, qlen, 10)))
750 return 0; /* bad packet */
751
752 GETSHORT(qtype, p);
753 GETSHORT(qclass, p);
754 p += 4; /* ttl */
755 GETSHORT(rdlen, p);
756
757 if (qclass == C_IN && qtype == T_A)
758 {
759 struct doctor *doctor;
760 struct in_addr addr;
761
762 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
763 return 0;
764
765 /* alignment */
766 memcpy(&addr, p, INADDRSZ);
767
768 for (doctor = daemon->doctors; doctor; doctor = doctor->next)
769 {
770 if (doctor->end.s_addr == 0)
771 {
772 if (!is_same_net(doctor->in, addr, doctor->mask))
773 continue;
774 }
775 else if (ntohl(doctor->in.s_addr) > ntohl(addr.s_addr) ||
776 ntohl(doctor->end.s_addr) < ntohl(addr.s_addr))
777 continue;
778
779 addr.s_addr &= ~doctor->mask.s_addr;
780 addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
781 /* Since we munged the data, the server it came from is no longer authoritative */
782 header->hb3 &= ~HB3_AA;
783 *doctored = 1;
784 memcpy(p, &addr, INADDRSZ);
785 break;
786 }
787 }
788 else if (qtype == T_TXT && name && option_bool(OPT_LOG))
789 {
790 unsigned char *p1 = p;
791 if (!CHECK_LEN(header, p1, qlen, rdlen))
792 return 0;
793 while ((p1 - p) < rdlen)
794 {
795 unsigned int i, len = *p1;
796 unsigned char *p2 = p1;
797 /* make counted string zero-term and sanitise */
798 for (i = 0; i < len; i++)
799 {
800 if (!isprint((int)*(p2+1)))
801 break;
802
803 *p2 = *(p2+1);
804 p2++;
805 }
806 *p2 = 0;
807 my_syslog(LOG_INFO, "reply %s is %s", name, p1);
808 /* restore */
809 memmove(p1 + 1, p1, i);
810 *p1 = len;
811 p1 += len+1;
812 }
813 }
814
815 if (!ADD_RDLEN(header, p, qlen, rdlen))
816 return 0; /* bad packet */
817 }
818
819 return p;
820 }
821
822 static int find_soa(struct dns_header *header, size_t qlen, char *name, int *doctored)
823 {
824 unsigned char *p;
825 int qtype, qclass, rdlen;
826 unsigned long ttl, minttl = ULONG_MAX;
827 int i, found_soa = 0;
828
829 /* first move to NS section and find TTL from any SOA section */
830 if (!(p = skip_questions(header, qlen)) ||
831 !(p = do_doctor(p, ntohs(header->ancount), header, qlen, name, doctored)))
832 return 0; /* bad packet */
833
834 for (i = ntohs(header->nscount); i != 0; i--)
835 {
836 if (!(p = skip_name(p, header, qlen, 10)))
837 return 0; /* bad packet */
838
839 GETSHORT(qtype, p);
840 GETSHORT(qclass, p);
841 GETLONG(ttl, p);
842 GETSHORT(rdlen, p);
843
844 if ((qclass == C_IN) && (qtype == T_SOA))
845 {
846 found_soa = 1;
847 if (ttl < minttl)
848 minttl = ttl;
849
850 /* MNAME */
851 if (!(p = skip_name(p, header, qlen, 0)))
852 return 0;
853 /* RNAME */
854 if (!(p = skip_name(p, header, qlen, 20)))
855 return 0;
856 p += 16; /* SERIAL REFRESH RETRY EXPIRE */
857
858 GETLONG(ttl, p); /* minTTL */
859 if (ttl < minttl)
860 minttl = ttl;
861 }
862 else if (!ADD_RDLEN(header, p, qlen, rdlen))
863 return 0; /* bad packet */
864 }
865
866 /* rewrite addresses in additional section too */
867 if (!do_doctor(p, ntohs(header->arcount), header, qlen, NULL, doctored))
868 return 0;
869
870 if (!found_soa)
871 minttl = daemon->neg_ttl;
872
873 return minttl;
874 }
875
876 /* Note that the following code can create CNAME chains that don't point to a real record,
877 either because of lack of memory, or lack of SOA records. These are treated by the cache code as
878 expired and cleaned out that way.
879 Return 1 if we reject an address because it look like part of dns-rebinding attack. */
880 int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now,
881 char **ipsets, int is_sign, int check_rebind, int no_cache_dnssec, int secure, int *doctored)
882 {
883 unsigned char *p, *p1, *endrr, *namep;
884 int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
885 unsigned long ttl = 0;
886 struct all_addr addr;
887 #ifdef HAVE_IPSET
888 char **ipsets_cur;
889 #else
890 (void)ipsets; /* unused */
891 #endif
892
893 cache_start_insert();
894
895 /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */
896 if (daemon->doctors || option_bool(OPT_LOG) || option_bool(OPT_DNSSEC_VALID))
897 {
898 searched_soa = 1;
899 ttl = find_soa(header, qlen, name, doctored);
900 #ifdef HAVE_DNSSEC
901 if (*doctored && secure)
902 return 0;
903 #endif
904 }
905
906 /* go through the questions. */
907 p = (unsigned char *)(header+1);
908
909 for (i = ntohs(header->qdcount); i != 0; i--)
910 {
911 int found = 0, cname_count = CNAME_CHAIN;
912 struct crec *cpp = NULL;
913 int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
914 int secflag = secure ? F_DNSSECOK : 0;
915 unsigned long cttl = ULONG_MAX, attl;
916
917 namep = p;
918 if (!extract_name(header, qlen, &p, name, 1, 4))
919 return 0; /* bad packet */
920
921 GETSHORT(qtype, p);
922 GETSHORT(qclass, p);
923
924 if (qclass != C_IN)
925 continue;
926
927 /* PTRs: we chase CNAMEs here, since we have no way to
928 represent them in the cache. */
929 if (qtype == T_PTR)
930 {
931 int name_encoding = in_arpa_name_2_addr(name, &addr);
932
933 if (!name_encoding)
934 continue;
935
936 if (!(flags & F_NXDOMAIN))
937 {
938 cname_loop:
939 if (!(p1 = skip_questions(header, qlen)))
940 return 0;
941
942 for (j = ntohs(header->ancount); j != 0; j--)
943 {
944 unsigned char *tmp = namep;
945 /* the loop body overwrites the original name, so get it back here. */
946 if (!extract_name(header, qlen, &tmp, name, 1, 0) ||
947 !(res = extract_name(header, qlen, &p1, name, 0, 10)))
948 return 0; /* bad packet */
949
950 GETSHORT(aqtype, p1);
951 GETSHORT(aqclass, p1);
952 GETLONG(attl, p1);
953 if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
954 {
955 (p1) -= 4;
956 PUTLONG(daemon->max_ttl, p1);
957 }
958 GETSHORT(ardlen, p1);
959 endrr = p1+ardlen;
960
961 /* TTL of record is minimum of CNAMES and PTR */
962 if (attl < cttl)
963 cttl = attl;
964
965 if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == T_PTR))
966 {
967 if (!extract_name(header, qlen, &p1, name, 1, 0))
968 return 0;
969
970 if (aqtype == T_CNAME)
971 {
972 if (!cname_count-- || secure)
973 return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
974 goto cname_loop;
975 }
976
977 cache_insert(name, &addr, now, cttl, name_encoding | secflag | F_REVERSE);
978 found = 1;
979 }
980
981 p1 = endrr;
982 if (!CHECK_LEN(header, p1, qlen, 0))
983 return 0; /* bad packet */
984 }
985 }
986
987 if (!found && !option_bool(OPT_NO_NEG))
988 {
989 if (!searched_soa)
990 {
991 searched_soa = 1;
992 ttl = find_soa(header, qlen, NULL, doctored);
993 }
994 if (ttl)
995 cache_insert(NULL, &addr, now, ttl, name_encoding | F_REVERSE | F_NEG | flags | secflag);
996 }
997 }
998 else
999 {
1000 /* everything other than PTR */
1001 struct crec *newc;
1002 int addrlen;
1003
1004 if (qtype == T_A)
1005 {
1006 addrlen = INADDRSZ;
1007 flags |= F_IPV4;
1008 }
1009 #ifdef HAVE_IPV6
1010 else if (qtype == T_AAAA)
1011 {
1012 addrlen = IN6ADDRSZ;
1013 flags |= F_IPV6;
1014 }
1015 #endif
1016 else
1017 continue;
1018
1019 cname_loop1:
1020 if (!(p1 = skip_questions(header, qlen)))
1021 return 0;
1022
1023 for (j = ntohs(header->ancount); j != 0; j--)
1024 {
1025 if (!(res = extract_name(header, qlen, &p1, name, 0, 10)))
1026 return 0; /* bad packet */
1027
1028 GETSHORT(aqtype, p1);
1029 GETSHORT(aqclass, p1);
1030 GETLONG(attl, p1);
1031 if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
1032 {
1033 (p1) -= 4;
1034 PUTLONG(daemon->max_ttl, p1);
1035 }
1036 GETSHORT(ardlen, p1);
1037 endrr = p1+ardlen;
1038
1039 if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == qtype))
1040 {
1041 if (aqtype == T_CNAME)
1042 {
1043 if (!cname_count--)
1044 return 0; /* looped CNAMES */
1045 newc = cache_insert(name, NULL, now, attl, F_CNAME | F_FORWARD | secflag);
1046 if (newc)
1047 {
1048 newc->addr.cname.target.cache = NULL;
1049 /* anything other than zero, to avoid being mistaken for CNAME to interface-name */
1050 newc->addr.cname.uid = 1;
1051 if (cpp)
1052 {
1053 cpp->addr.cname.target.cache = newc;
1054 cpp->addr.cname.uid = newc->uid;
1055 }
1056 }
1057
1058 cpp = newc;
1059 if (attl < cttl)
1060 cttl = attl;
1061
1062 if (!extract_name(header, qlen, &p1, name, 1, 0))
1063 return 0;
1064 goto cname_loop1;
1065 }
1066 else if (!(flags & F_NXDOMAIN))
1067 {
1068 found = 1;
1069
1070 /* copy address into aligned storage */
1071 if (!CHECK_LEN(header, p1, qlen, addrlen))
1072 return 0; /* bad packet */
1073 memcpy(&addr, p1, addrlen);
1074
1075 /* check for returned address in private space */
1076 if (check_rebind)
1077 {
1078 if ((flags & F_IPV4) &&
1079 private_net(addr.addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
1080 return 1;
1081
1082 #ifdef HAVE_IPV6
1083 if ((flags & F_IPV6) &&
1084 IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
1085 {
1086 struct in_addr v4;
1087 v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
1088 if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
1089 return 1;
1090 }
1091 #endif
1092 }
1093
1094 #ifdef HAVE_IPSET
1095 if (ipsets && (flags & (F_IPV4 | F_IPV6)))
1096 {
1097 ipsets_cur = ipsets;
1098 while (*ipsets_cur)
1099 {
1100 log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, name, &addr, *ipsets_cur);
1101 add_to_ipset(*ipsets_cur++, &addr, flags, 0);
1102 }
1103 }
1104 #endif
1105
1106 newc = cache_insert(name, &addr, now, attl, flags | F_FORWARD | secflag);
1107 if (newc && cpp)
1108 {
1109 cpp->addr.cname.target.cache = newc;
1110 cpp->addr.cname.uid = newc->uid;
1111 }
1112 cpp = NULL;
1113 }
1114 }
1115
1116 p1 = endrr;
1117 if (!CHECK_LEN(header, p1, qlen, 0))
1118 return 0; /* bad packet */
1119 }
1120
1121 if (!found && !option_bool(OPT_NO_NEG))
1122 {
1123 if (!searched_soa)
1124 {
1125 searched_soa = 1;
1126 ttl = find_soa(header, qlen, NULL, doctored);
1127 }
1128 /* If there's no SOA to get the TTL from, but there is a CNAME
1129 pointing at this, inherit its TTL */
1130 if (ttl || cpp)
1131 {
1132 newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | secflag);
1133 if (newc && cpp)
1134 {
1135 cpp->addr.cname.target.cache = newc;
1136 cpp->addr.cname.uid = newc->uid;
1137 }
1138 }
1139 }
1140 }
1141 }
1142
1143 /* Don't put stuff from a truncated packet into the cache.
1144 Don't cache replies from non-recursive nameservers, since we may get a
1145 reply containing a CNAME but not its target, even though the target
1146 does exist. */
1147 if (!(header->hb3 & HB3_TC) &&
1148 !(header->hb4 & HB4_CD) &&
1149 (header->hb4 & HB4_RA) &&
1150 !no_cache_dnssec)
1151 cache_end_insert();
1152
1153 return 0;
1154 }
1155
1156 /* If the packet holds exactly one query
1157 return F_IPV4 or F_IPV6 and leave the name from the query in name */
1158 unsigned int extract_request(struct dns_header *header, size_t qlen, char *name, unsigned short *typep)
1159 {
1160 unsigned char *p = (unsigned char *)(header+1);
1161 int qtype, qclass;
1162
1163 if (typep)
1164 *typep = 0;
1165
1166 if (ntohs(header->qdcount) != 1 || OPCODE(header) != QUERY)
1167 return 0; /* must be exactly one query. */
1168
1169 if (!extract_name(header, qlen, &p, name, 1, 4))
1170 return 0; /* bad packet */
1171
1172 GETSHORT(qtype, p);
1173 GETSHORT(qclass, p);
1174
1175 if (typep)
1176 *typep = qtype;
1177
1178 if (qclass == C_IN)
1179 {
1180 if (qtype == T_A)
1181 return F_IPV4;
1182 if (qtype == T_AAAA)
1183 return F_IPV6;
1184 if (qtype == T_ANY)
1185 return F_IPV4 | F_IPV6;
1186 }
1187
1188 return F_QUERY;
1189 }
1190
1191
1192 size_t setup_reply(struct dns_header *header, size_t qlen,
1193 struct all_addr *addrp, unsigned int flags, unsigned long ttl)
1194 {
1195 unsigned char *p;
1196
1197 if (!(p = skip_questions(header, qlen)))
1198 return 0;
1199
1200 /* clear authoritative and truncated flags, set QR flag */
1201 header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
1202 /* set RA flag */
1203 header->hb4 |= HB4_RA;
1204
1205 header->nscount = htons(0);
1206 header->arcount = htons(0);
1207 header->ancount = htons(0); /* no answers unless changed below */
1208 if (flags == F_NEG)
1209 SET_RCODE(header, SERVFAIL); /* couldn't get memory */
1210 else if (flags == F_NOERR)
1211 SET_RCODE(header, NOERROR); /* empty domain */
1212 else if (flags == F_NXDOMAIN)
1213 SET_RCODE(header, NXDOMAIN);
1214 else if (flags == F_IPV4)
1215 { /* we know the address */
1216 SET_RCODE(header, NOERROR);
1217 header->ancount = htons(1);
1218 header->hb3 |= HB3_AA;
1219 add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
1220 }
1221 #ifdef HAVE_IPV6
1222 else if (flags == F_IPV6)
1223 {
1224 SET_RCODE(header, NOERROR);
1225 header->ancount = htons(1);
1226 header->hb3 |= HB3_AA;
1227 add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_AAAA, C_IN, "6", addrp);
1228 }
1229 #endif
1230 else /* nowhere to forward to */
1231 SET_RCODE(header, REFUSED);
1232
1233 return p - (unsigned char *)header;
1234 }
1235
1236 /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
1237 int check_for_local_domain(char *name, time_t now)
1238 {
1239 struct crec *crecp;
1240 struct mx_srv_record *mx;
1241 struct txt_record *txt;
1242 struct interface_name *intr;
1243 struct ptr_record *ptr;
1244 struct naptr *naptr;
1245
1246 /* Note: the call to cache_find_by_name is intended to find any record which matches
1247 ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
1248 cache_find_by name ordinarily only returns records with an exact match on those bits (ie
1249 for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
1250
1251 if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR | F_NSIGMATCH)) &&
1252 (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
1253 return 1;
1254
1255 for (naptr = daemon->naptr; naptr; naptr = naptr->next)
1256 if (hostname_isequal(name, naptr->name))
1257 return 1;
1258
1259 for (mx = daemon->mxnames; mx; mx = mx->next)
1260 if (hostname_isequal(name, mx->name))
1261 return 1;
1262
1263 for (txt = daemon->txt; txt; txt = txt->next)
1264 if (hostname_isequal(name, txt->name))
1265 return 1;
1266
1267 for (intr = daemon->int_names; intr; intr = intr->next)
1268 if (hostname_isequal(name, intr->name))
1269 return 1;
1270
1271 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1272 if (hostname_isequal(name, ptr->name))
1273 return 1;
1274
1275 return 0;
1276 }
1277
1278 /* Is the packet a reply with the answer address equal to addr?
1279 If so mung is into an NXDOMAIN reply and also put that information
1280 in the cache. */
1281 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name,
1282 struct bogus_addr *baddr, time_t now)
1283 {
1284 unsigned char *p;
1285 int i, qtype, qclass, rdlen;
1286 unsigned long ttl;
1287 struct bogus_addr *baddrp;
1288
1289 /* skip over questions */
1290 if (!(p = skip_questions(header, qlen)))
1291 return 0; /* bad packet */
1292
1293 for (i = ntohs(header->ancount); i != 0; i--)
1294 {
1295 if (!extract_name(header, qlen, &p, name, 1, 10))
1296 return 0; /* bad packet */
1297
1298 GETSHORT(qtype, p);
1299 GETSHORT(qclass, p);
1300 GETLONG(ttl, p);
1301 GETSHORT(rdlen, p);
1302
1303 if (qclass == C_IN && qtype == T_A)
1304 {
1305 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
1306 return 0;
1307
1308 for (baddrp = baddr; baddrp; baddrp = baddrp->next)
1309 if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
1310 {
1311 /* Found a bogus address. Insert that info here, since there no SOA record
1312 to get the ttl from in the normal processing */
1313 cache_start_insert();
1314 cache_insert(name, NULL, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
1315 cache_end_insert();
1316
1317 return 1;
1318 }
1319 }
1320
1321 if (!ADD_RDLEN(header, p, qlen, rdlen))
1322 return 0;
1323 }
1324
1325 return 0;
1326 }
1327
1328 int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr)
1329 {
1330 unsigned char *p;
1331 int i, qtype, qclass, rdlen;
1332 struct bogus_addr *baddrp;
1333
1334 /* skip over questions */
1335 if (!(p = skip_questions(header, qlen)))
1336 return 0; /* bad packet */
1337
1338 for (i = ntohs(header->ancount); i != 0; i--)
1339 {
1340 if (!(p = skip_name(p, header, qlen, 10)))
1341 return 0; /* bad packet */
1342
1343 GETSHORT(qtype, p);
1344 GETSHORT(qclass, p);
1345 p += 4; /* TTL */
1346 GETSHORT(rdlen, p);
1347
1348 if (qclass == C_IN && qtype == T_A)
1349 {
1350 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
1351 return 0;
1352
1353 for (baddrp = baddr; baddrp; baddrp = baddrp->next)
1354 if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
1355 return 1;
1356 }
1357
1358 if (!ADD_RDLEN(header, p, qlen, rdlen))
1359 return 0;
1360 }
1361
1362 return 0;
1363 }
1364
1365 int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
1366 unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
1367 {
1368 va_list ap;
1369 unsigned char *sav, *p = *pp;
1370 int j;
1371 unsigned short usval;
1372 long lval;
1373 char *sval;
1374
1375 if (truncp && *truncp)
1376 return 0;
1377
1378 va_start(ap, format); /* make ap point to 1st unamed argument */
1379
1380 if (nameoffset > 0)
1381 {
1382 PUTSHORT(nameoffset | 0xc000, p);
1383 }
1384 else
1385 {
1386 char *name = va_arg(ap, char *);
1387 if (name)
1388 p = do_rfc1035_name(p, name);
1389 if (nameoffset < 0)
1390 {
1391 PUTSHORT(-nameoffset | 0xc000, p);
1392 }
1393 else
1394 *p++ = 0;
1395 }
1396
1397 PUTSHORT(type, p);
1398 PUTSHORT(class, p);
1399 PUTLONG(ttl, p); /* TTL */
1400
1401 sav = p; /* Save pointer to RDLength field */
1402 PUTSHORT(0, p); /* Placeholder RDLength */
1403
1404 for (; *format; format++)
1405 switch (*format)
1406 {
1407 #ifdef HAVE_IPV6
1408 case '6':
1409 sval = va_arg(ap, char *);
1410 memcpy(p, sval, IN6ADDRSZ);
1411 p += IN6ADDRSZ;
1412 break;
1413 #endif
1414
1415 case '4':
1416 sval = va_arg(ap, char *);
1417 memcpy(p, sval, INADDRSZ);
1418 p += INADDRSZ;
1419 break;
1420
1421 case 'b':
1422 usval = va_arg(ap, int);
1423 *p++ = usval;
1424 break;
1425
1426 case 's':
1427 usval = va_arg(ap, int);
1428 PUTSHORT(usval, p);
1429 break;
1430
1431 case 'l':
1432 lval = va_arg(ap, long);
1433 PUTLONG(lval, p);
1434 break;
1435
1436 case 'd':
1437 /* get domain-name answer arg and store it in RDATA field */
1438 if (offset)
1439 *offset = p - (unsigned char *)header;
1440 p = do_rfc1035_name(p, va_arg(ap, char *));
1441 *p++ = 0;
1442 break;
1443
1444 case 't':
1445 usval = va_arg(ap, int);
1446 sval = va_arg(ap, char *);
1447 if (usval != 0)
1448 memcpy(p, sval, usval);
1449 p += usval;
1450 break;
1451
1452 case 'z':
1453 sval = va_arg(ap, char *);
1454 usval = sval ? strlen(sval) : 0;
1455 if (usval > 255)
1456 usval = 255;
1457 *p++ = (unsigned char)usval;
1458 memcpy(p, sval, usval);
1459 p += usval;
1460 break;
1461 }
1462
1463 va_end(ap); /* clean up variable argument pointer */
1464
1465 j = p - sav - 2;
1466 PUTSHORT(j, sav); /* Now, store real RDLength */
1467
1468 /* check for overflow of buffer */
1469 if (limit && ((unsigned char *)limit - p) < 0)
1470 {
1471 if (truncp)
1472 *truncp = 1;
1473 return 0;
1474 }
1475
1476 *pp = p;
1477 return 1;
1478 }
1479
1480 static unsigned long crec_ttl(struct crec *crecp, time_t now)
1481 {
1482 /* Return 0 ttl for DHCP entries, which might change
1483 before the lease expires. */
1484
1485 if (crecp->flags & (F_IMMORTAL | F_DHCP))
1486 return daemon->local_ttl;
1487
1488 /* Return the Max TTL value if it is lower then the actual TTL */
1489 if (daemon->max_ttl == 0 || ((unsigned)(crecp->ttd - now) < daemon->max_ttl))
1490 return crecp->ttd - now;
1491 else
1492 return daemon->max_ttl;
1493 }
1494
1495
1496 /* return zero if we can't answer from cache, or packet size if we can */
1497 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
1498 struct in_addr local_addr, struct in_addr local_netmask,
1499 time_t now, int *ad_reqd, int *do_bit)
1500 {
1501 char *name = daemon->namebuff;
1502 unsigned char *p, *ansp, *pheader;
1503 unsigned int qtype, qclass;
1504 struct all_addr addr;
1505 int nameoffset;
1506 unsigned short flag;
1507 int q, ans, anscount = 0, addncount = 0;
1508 int dryrun = 0, sec_reqd = 0, have_pseudoheader = 0;
1509 struct crec *crecp;
1510 int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
1511 struct mx_srv_record *rec;
1512 size_t len;
1513
1514 /* Don't return AD set if checking disabled. */
1515 if (header->hb4 & HB4_CD)
1516 sec_data = 0;
1517
1518 /* RFC 6840 5.7 */
1519 *ad_reqd = header->hb4 & HB4_AD;
1520 *do_bit = 0;
1521
1522 /* If there is an RFC2671 pseudoheader then it will be overwritten by
1523 partial replies, so we have to do a dry run to see if we can answer
1524 the query. We check to see if the do bit is set, if so we always
1525 forward rather than answering from the cache, which doesn't include
1526 security information, unless we're in DNSSEC validation mode. */
1527
1528 if (find_pseudoheader(header, qlen, NULL, &pheader, NULL))
1529 {
1530 unsigned short flags;
1531
1532 have_pseudoheader = 1;
1533
1534 pheader += 4; /* udp size, ext_rcode */
1535 GETSHORT(flags, pheader);
1536
1537 if ((sec_reqd = flags & 0x8000))
1538 *do_bit = 1;/* do bit */
1539
1540 *ad_reqd = 1;
1541 dryrun = 1;
1542 }
1543
1544 if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
1545 return 0;
1546
1547 for (rec = daemon->mxnames; rec; rec = rec->next)
1548 rec->offset = 0;
1549
1550 rerun:
1551 /* determine end of question section (we put answers there) */
1552 if (!(ansp = skip_questions(header, qlen)))
1553 return 0; /* bad packet */
1554
1555 /* now process each question, answers go in RRs after the question */
1556 p = (unsigned char *)(header+1);
1557
1558 for (q = ntohs(header->qdcount); q != 0; q--)
1559 {
1560 /* save pointer to name for copying into answers */
1561 nameoffset = p - (unsigned char *)header;
1562
1563 /* now extract name as .-concatenated string into name */
1564 if (!extract_name(header, qlen, &p, name, 1, 4))
1565 return 0; /* bad packet */
1566
1567 GETSHORT(qtype, p);
1568 GETSHORT(qclass, p);
1569
1570 /* Don't filter RRSIGS from answers to ANY queries, even if do-bit
1571 not set. */
1572 if (qtype == T_ANY)
1573 *do_bit = 1;
1574
1575 ans = 0; /* have we answered this question */
1576
1577 if (qtype == T_TXT || qtype == T_ANY)
1578 {
1579 struct txt_record *t;
1580 for(t = daemon->txt; t ; t = t->next)
1581 {
1582 if (t->class == qclass && hostname_isequal(name, t->name))
1583 {
1584 ans = 1;
1585 if (!dryrun)
1586 {
1587 unsigned long ttl = daemon->local_ttl;
1588 int ok = 1;
1589 log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>");
1590 /* Dynamically generate stat record */
1591 if (t->stat != 0)
1592 {
1593 ttl = 0;
1594 if (!cache_make_stat(t))
1595 ok = 0;
1596 }
1597
1598 if (ok && add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1599 ttl, NULL,
1600 T_TXT, t->class, "t", t->len, t->txt))
1601 anscount++;
1602
1603 }
1604 }
1605 }
1606 }
1607
1608 #ifdef HAVE_DNSSEC
1609 if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DNSKEY || qtype == T_DS))
1610 {
1611 int gotone = 0;
1612 struct blockdata *keydata;
1613
1614 /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
1615 if (sec_reqd)
1616 {
1617 crecp = NULL;
1618 while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
1619 if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype)
1620 break;
1621 }
1622
1623 if (!sec_reqd || crecp)
1624 {
1625 if (qtype == T_DS)
1626 {
1627 crecp = NULL;
1628 while ((crecp = cache_find_by_name(crecp, name, now, F_DS)))
1629 if (crecp->uid == qclass)
1630 {
1631 gotone = 1;
1632 if (!dryrun)
1633 {
1634 if (crecp->flags & F_NEG)
1635 {
1636 if (crecp->flags & F_NXDOMAIN)
1637 nxdomain = 1;
1638 log_query(F_UPSTREAM, name, NULL, "no DS");
1639 }
1640 else if ((keydata = blockdata_retrieve(crecp->addr.ds.keydata, crecp->addr.ds.keylen, NULL)))
1641 {
1642 struct all_addr a;
1643 a.addr.keytag = crecp->addr.ds.keytag;
1644 log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DS keytag %u");
1645 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1646 crec_ttl(crecp, now), &nameoffset,
1647 T_DS, qclass, "sbbt",
1648 crecp->addr.ds.keytag, crecp->addr.ds.algo,
1649 crecp->addr.ds.digest, crecp->addr.ds.keylen, keydata))
1650 anscount++;
1651
1652 }
1653 }
1654 }
1655 }
1656 else /* DNSKEY */
1657 {
1658 crecp = NULL;
1659 while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY)))
1660 if (crecp->uid == qclass)
1661 {
1662 gotone = 1;
1663 if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.key.keydata, crecp->addr.key.keylen, NULL)))
1664 {
1665 struct all_addr a;
1666 a.addr.keytag = crecp->addr.key.keytag;
1667 log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DNSKEY keytag %u");
1668 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1669 crec_ttl(crecp, now), &nameoffset,
1670 T_DNSKEY, qclass, "sbbt",
1671 crecp->addr.key.flags, 3, crecp->addr.key.algo, crecp->addr.key.keylen, keydata))
1672 anscount++;
1673 }
1674 }
1675 }
1676 }
1677
1678 /* Now do RRSIGs */
1679 if (gotone)
1680 {
1681 ans = 1;
1682 auth = 0;
1683 if (!dryrun && sec_reqd)
1684 {
1685 crecp = NULL;
1686 while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
1687 if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype &&
1688 (keydata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL)))
1689 {
1690 add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1691 crec_ttl(crecp, now), &nameoffset,
1692 T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata);
1693 anscount++;
1694 }
1695 }
1696 }
1697 }
1698 #endif
1699
1700 if (qclass == C_IN)
1701 {
1702 struct txt_record *t;
1703
1704 for (t = daemon->rr; t; t = t->next)
1705 if ((t->class == qtype || qtype == T_ANY) && hostname_isequal(name, t->name))
1706 {
1707 ans = 1;
1708 if (!dryrun)
1709 {
1710 log_query(F_CONFIG | F_RRNAME, name, NULL, "<RR>");
1711 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1712 daemon->local_ttl, NULL,
1713 t->class, C_IN, "t", t->len, t->txt))
1714 anscount ++;
1715 }
1716 }
1717
1718 if (qtype == T_PTR || qtype == T_ANY)
1719 {
1720 /* see if it's w.z.y.z.in-addr.arpa format */
1721 int is_arpa = in_arpa_name_2_addr(name, &addr);
1722 struct ptr_record *ptr;
1723 struct interface_name* intr = NULL;
1724
1725 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1726 if (hostname_isequal(name, ptr->name))
1727 break;
1728
1729 if (is_arpa == F_IPV4)
1730 for (intr = daemon->int_names; intr; intr = intr->next)
1731 {
1732 struct addrlist *addrlist;
1733
1734 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
1735 if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr.addr4.s_addr == addrlist->addr.addr.addr4.s_addr)
1736 break;
1737
1738 if (addrlist)
1739 break;
1740 else
1741 while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
1742 intr = intr->next;
1743 }
1744 #ifdef HAVE_IPV6
1745 else if (is_arpa == F_IPV6)
1746 for (intr = daemon->int_names; intr; intr = intr->next)
1747 {
1748 struct addrlist *addrlist;
1749
1750 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
1751 if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr.addr6, &addrlist->addr.addr.addr6))
1752 break;
1753
1754 if (addrlist)
1755 break;
1756 else
1757 while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
1758 intr = intr->next;
1759 }
1760 #endif
1761
1762 if (intr)
1763 {
1764 ans = 1;
1765 if (!dryrun)
1766 {
1767 log_query(is_arpa | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
1768 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1769 daemon->local_ttl, NULL,
1770 T_PTR, C_IN, "d", intr->name))
1771 anscount++;
1772 }
1773 }
1774 else if (ptr)
1775 {
1776 ans = 1;
1777 if (!dryrun)
1778 {
1779 log_query(F_CONFIG | F_RRNAME, name, NULL, "<PTR>");
1780 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1781 if (hostname_isequal(name, ptr->name) &&
1782 add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1783 daemon->local_ttl, NULL,
1784 T_PTR, C_IN, "d", ptr->ptr))
1785 anscount++;
1786
1787 }
1788 }
1789 else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
1790 {
1791 if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd)
1792 {
1793 if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)))
1794 crecp = NULL;
1795 #ifdef HAVE_DNSSEC
1796 else if (crecp->flags & F_DNSSECOK)
1797 {
1798 int gotsig = 0;
1799 struct crec *rr_crec = NULL;
1800
1801 while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY)))
1802 {
1803 if (rr_crec->addr.sig.type_covered == T_PTR && rr_crec->uid == C_IN)
1804 {
1805 char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL);
1806 gotsig = 1;
1807
1808 if (!dryrun &&
1809 add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1810 rr_crec->ttd - now, &nameoffset,
1811 T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata))
1812 anscount++;
1813 }
1814 }
1815
1816 if (!gotsig)
1817 crecp = NULL;
1818 }
1819 #endif
1820 }
1821
1822 if (crecp)
1823 {
1824 do
1825 {
1826 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1827 if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP)))
1828 continue;
1829
1830 if (!(crecp->flags & F_DNSSECOK))
1831 sec_data = 0;
1832
1833 if (crecp->flags & F_NEG)
1834 {
1835 ans = 1;
1836 auth = 0;
1837 if (crecp->flags & F_NXDOMAIN)
1838 nxdomain = 1;
1839 if (!dryrun)
1840 log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
1841 }
1842 else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bool(OPT_DNSSEC_VALID))
1843 {
1844 ans = 1;
1845 if (!(crecp->flags & (F_HOSTS | F_DHCP)))
1846 auth = 0;
1847 if (!dryrun)
1848 {
1849 log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr,
1850 record_source(crecp->uid));
1851
1852 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1853 crec_ttl(crecp, now), NULL,
1854 T_PTR, C_IN, "d", cache_get_name(crecp)))
1855 anscount++;
1856 }
1857 }
1858 } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa)));
1859 }
1860 }
1861 else if (is_rev_synth(is_arpa, &addr, name))
1862 {
1863 ans = 1;
1864 if (!dryrun)
1865 {
1866 log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL);
1867
1868 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1869 daemon->local_ttl, NULL,
1870 T_PTR, C_IN, "d", name))
1871 anscount++;
1872 }
1873 }
1874 else if (is_arpa == F_IPV4 &&
1875 option_bool(OPT_BOGUSPRIV) &&
1876 private_net(addr.addr.addr4, 1))
1877 {
1878 /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
1879 ans = 1;
1880 nxdomain = 1;
1881 if (!dryrun)
1882 log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN,
1883 name, &addr, NULL);
1884 }
1885 }
1886
1887 for (flag = F_IPV4; flag; flag = (flag == F_IPV4) ? F_IPV6 : 0)
1888 {
1889 unsigned short type = T_A;
1890 struct interface_name *intr;
1891
1892 if (flag == F_IPV6)
1893 #ifdef HAVE_IPV6
1894 type = T_AAAA;
1895 #else
1896 break;
1897 #endif
1898
1899 if (qtype != type && qtype != T_ANY)
1900 continue;
1901
1902 /* Check for "A for A" queries; be rather conservative
1903 about what looks like dotted-quad. */
1904 if (qtype == T_A)
1905 {
1906 char *cp;
1907 unsigned int i, a;
1908 int x;
1909
1910 for (cp = name, i = 0, a = 0; *cp; i++)
1911 {
1912 if (!isdigit((unsigned char)*cp) || (x = strtol(cp, &cp, 10)) > 255)
1913 {
1914 i = 5;
1915 break;
1916 }
1917
1918 a = (a << 8) + x;
1919
1920 if (*cp == '.')
1921 cp++;
1922 }
1923
1924 if (i == 4)
1925 {
1926 ans = 1;
1927 if (!dryrun)
1928 {
1929 addr.addr.addr4.s_addr = htonl(a);
1930 log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL);
1931 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1932 daemon->local_ttl, NULL, type, C_IN, "4", &addr))
1933 anscount++;
1934 }
1935 continue;
1936 }
1937 }
1938
1939 /* interface name stuff */
1940 intname_restart:
1941 for (intr = daemon->int_names; intr; intr = intr->next)
1942 if (hostname_isequal(name, intr->name))
1943 break;
1944
1945 if (intr)
1946 {
1947 struct addrlist *addrlist;
1948 int gotit = 0;
1949
1950 enumerate_interfaces(0);
1951
1952 for (intr = daemon->int_names; intr; intr = intr->next)
1953 if (hostname_isequal(name, intr->name))
1954 {
1955 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
1956 #ifdef HAVE_IPV6
1957 if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
1958 #endif
1959 {
1960 #ifdef HAVE_IPV6
1961 if (addrlist->flags & ADDRLIST_REVONLY)
1962 continue;
1963 #endif
1964 ans = 1;
1965 if (!dryrun)
1966 {
1967 gotit = 1;
1968 log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
1969 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1970 daemon->local_ttl, NULL, type, C_IN,
1971 type == T_A ? "4" : "6", &addrlist->addr))
1972 anscount++;
1973 }
1974 }
1975 }
1976
1977 if (!dryrun && !gotit)
1978 log_query(F_FORWARD | F_CONFIG | flag | F_NEG, name, NULL, NULL);
1979
1980 continue;
1981 }
1982
1983 cname_restart:
1984 if ((crecp = cache_find_by_name(NULL, name, now, flag | F_CNAME | (dryrun ? F_NO_RR : 0))))
1985 {
1986 int localise = 0;
1987
1988 /* See if a putative address is on the network from which we recieved
1989 the query, is so we'll filter other answers. */
1990 if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && flag == F_IPV4)
1991 {
1992 struct crec *save = crecp;
1993 do {
1994 if ((crecp->flags & F_HOSTS) &&
1995 is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask))
1996 {
1997 localise = 1;
1998 break;
1999 }
2000 } while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME)));
2001 crecp = save;
2002 }
2003
2004 /* If the client asked for DNSSEC and we can't provide RRSIGs, either
2005 because we've not doing DNSSEC or the cached answer is signed by negative,
2006 don't answer from the cache, forward instead. */
2007 if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd)
2008 {
2009 if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)))
2010 crecp = NULL;
2011 #ifdef HAVE_DNSSEC
2012 else if (crecp->flags & F_DNSSECOK)
2013 {
2014 /* We're returning validated data, need to return the RRSIG too. */
2015 struct crec *rr_crec = NULL;
2016 int sigtype = type;
2017 /* The signature may have expired even though the data is still in cache,
2018 forward instead of answering from cache if so. */
2019 int gotsig = 0;
2020
2021 if (crecp->flags & F_CNAME)
2022 sigtype = T_CNAME;
2023
2024 while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY)))
2025 {
2026 if (rr_crec->addr.sig.type_covered == sigtype && rr_crec->uid == C_IN)
2027 {
2028 char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL);
2029 gotsig = 1;
2030
2031 if (!dryrun &&
2032 add_resource_record(header, limit, &trunc, nameoffset, &ansp,
2033 rr_crec->ttd - now, &nameoffset,
2034 T_RRSIG, C_IN, "t", rr_crec->addr.sig.keylen, sigdata))
2035 anscount++;
2036 }
2037 }
2038
2039 if (!gotsig)
2040 crecp = NULL;
2041 }
2042 #endif
2043 }
2044
2045 if (crecp)
2046 do
2047 {
2048 /* don't answer wildcard queries with data not from /etc/hosts
2049 or DHCP leases */
2050 if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
2051 break;
2052
2053 if (!(crecp->flags & F_DNSSECOK))
2054 sec_data = 0;
2055
2056 if (crecp->flags & F_CNAME)
2057 {
2058 char *cname_target = cache_get_cname_target(crecp);
2059
2060 if (!dryrun)
2061 {
2062 log_query(crecp->flags, name, NULL, record_source(crecp->uid));
2063 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
2064 crec_ttl(crecp, now), &nameoffset,
2065 T_CNAME, C_IN, "d", cname_target))
2066 anscount++;
2067 }
2068
2069 strcpy(name, cname_target);
2070 /* check if target interface_name */
2071 if (crecp->addr.cname.uid == SRC_INTERFACE)
2072 goto intname_restart;
2073 else
2074 goto cname_restart;
2075 }
2076
2077 if (crecp->flags & F_NEG)
2078 {
2079 /* We don't cache NSEC records, so if a DNSSEC-validated negative answer
2080 is cached and the client wants DNSSEC, forward rather than answering from the cache */
2081 if (!sec_reqd || !(crecp->flags & F_DNSSECOK))
2082 {
2083 ans = 1;
2084 auth = 0;
2085 if (crecp->flags & F_NXDOMAIN)
2086 nxdomain = 1;
2087 if (!dryrun)
2088 log_query(crecp->flags, name, NULL, NULL);
2089 }
2090 }
2091 else
2092 {
2093 /* If we are returning local answers depending on network,
2094 filter here. */
2095 if (localise &&
2096 (crecp->flags & F_HOSTS) &&
2097 !is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask))
2098 continue;
2099
2100 if (!(crecp->flags & (F_HOSTS | F_DHCP)))
2101 auth = 0;
2102
2103 ans = 1;
2104 if (!dryrun)
2105 {
2106 log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr.addr,
2107 record_source(crecp->uid));
2108
2109 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
2110 crec_ttl(crecp, now), NULL, type, C_IN,
2111 type == T_A ? "4" : "6", &crecp->addr))
2112 anscount++;
2113 }
2114 }
2115 } while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME)));
2116 }
2117 else if (is_name_synthetic(flag, name, &addr))
2118 {
2119 ans = 1;
2120 if (!dryrun)
2121 {
2122 log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL);
2123 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
2124 daemon->local_ttl, NULL, type, C_IN, type == T_A ? "4" : "6", &addr))
2125 anscount++;
2126 }
2127 }
2128 }
2129
2130 if (qtype == T_CNAME || qtype == T_ANY)
2131 {
2132 if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME)) &&
2133 (qtype == T_CNAME || (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG | (dryrun ? F_NO_RR : 0)))))
2134 {
2135 if (!(crecp->flags & F_DNSSECOK))
2136 sec_data = 0;
2137
2138 ans = 1;
2139 if (!dryrun)
2140 {
2141 log_query(crecp->flags, name, NULL, record_source(crecp->uid));
2142 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
2143 crec_ttl(crecp, now), &nameoffset,
2144 T_CNAME, C_IN, "d", cache_get_cname_target(crecp)))
2145 anscount++;
2146 }
2147 }
2148 }
2149
2150 if (qtype == T_MX || qtype == T_ANY)
2151 {
2152 int found = 0;
2153 for (rec = daemon->mxnames; rec; rec = rec->next)
2154 if (!rec->issrv && hostname_isequal(name, rec->name))
2155 {
2156 ans = found = 1;
2157 if (!dryrun)
2158 {
2159 int offset;
2160 log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
2161 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
2162 &offset, T_MX, C_IN, "sd", rec->weight, rec->target))
2163 {
2164 anscount++;
2165 if (rec->target)
2166 rec->offset = offset;
2167 }
2168 }
2169 }
2170
2171 if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) &&
2172 cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP | F_NO_RR))
2173 {
2174 ans = 1;
2175 if (!dryrun)
2176 {
2177 log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
2178 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL,
2179 T_MX, C_IN, "sd", 1,
2180 option_bool(OPT_SELFMX) ? name : daemon->mxtarget))
2181 anscount++;
2182 }
2183 }
2184 }
2185
2186 if (qtype == T_SRV || qtype == T_ANY)
2187 {
2188 int found = 0;
2189 struct mx_srv_record *move = NULL, **up = &daemon->mxnames;
2190
2191 for (rec = daemon->mxnames; rec; rec = rec->next)
2192 if (rec->issrv && hostname_isequal(name, rec->name))
2193 {
2194 found = ans = 1;
2195 if (!dryrun)
2196 {
2197 int offset;
2198 log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>");
2199 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
2200 &offset, T_SRV, C_IN, "sssd",
2201 rec->priority, rec->weight, rec->srvport, rec->target))
2202 {
2203 anscount++;
2204 if (rec->target)
2205 rec->offset = offset;
2206 }
2207 }
2208
2209 /* unlink first SRV record found */
2210 if (!move)
2211 {
2212 move = rec;
2213 *up = rec->next;
2214 }
2215 else
2216 up = &rec->next;
2217 }
2218 else
2219 up = &rec->next;
2220
2221 /* put first SRV record back at the end. */
2222 if (move)
2223 {
2224 *up = move;
2225 move->next = NULL;
2226 }
2227
2228 if (!found && option_bool(OPT_FILTER) && (qtype == T_SRV || (qtype == T_ANY && strchr(name, '_'))))
2229 {
2230 ans = 1;
2231 if (!dryrun)
2232 log_query(F_CONFIG | F_NEG, name, NULL, NULL);
2233 }
2234 }
2235
2236 if (qtype == T_NAPTR || qtype == T_ANY)
2237 {
2238 struct naptr *na;
2239 for (na = daemon->naptr; na; na = na->next)
2240 if (hostname_isequal(name, na->name))
2241 {
2242 ans = 1;
2243 if (!dryrun)
2244 {
2245 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
2246 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
2247 NULL, T_NAPTR, C_IN, "sszzzd",
2248 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
2249 anscount++;
2250 }
2251 }
2252 }
2253
2254 if (qtype == T_MAILB)
2255 ans = 1, nxdomain = 1;
2256
2257 if (qtype == T_SOA && option_bool(OPT_FILTER))
2258 {
2259 ans = 1;
2260 if (!dryrun)
2261 log_query(F_CONFIG | F_NEG, name, &addr, NULL);
2262 }
2263 }
2264
2265 if (!ans)
2266 return 0; /* failed to answer a question */
2267 }
2268
2269 if (dryrun)
2270 {
2271 dryrun = 0;
2272 goto rerun;
2273 }
2274
2275 /* create an additional data section, for stuff in SRV and MX record replies. */
2276 for (rec = daemon->mxnames; rec; rec = rec->next)
2277 if (rec->offset != 0)
2278 {
2279 /* squash dupes */
2280 struct mx_srv_record *tmp;
2281 for (tmp = rec->next; tmp; tmp = tmp->next)
2282 if (tmp->offset != 0 && hostname_isequal(rec->target, tmp->target))
2283 tmp->offset = 0;
2284
2285 crecp = NULL;
2286 while ((crecp = cache_find_by_name(crecp, rec->target, now, F_IPV4 | F_IPV6)))
2287 {
2288 #ifdef HAVE_IPV6
2289 int type = crecp->flags & F_IPV4 ? T_A : T_AAAA;
2290 #else
2291 int type = T_A;
2292 #endif
2293 if (crecp->flags & F_NEG)
2294 continue;
2295
2296 if (add_resource_record(header, limit, NULL, rec->offset, &ansp,
2297 crec_ttl(crecp, now), NULL, type, C_IN,
2298 crecp->flags & F_IPV4 ? "4" : "6", &crecp->addr))
2299 addncount++;
2300 }
2301 }
2302
2303 /* done all questions, set up header and return length of result */
2304 /* clear authoritative and truncated flags, set QR flag */
2305 header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
2306 /* set RA flag */
2307 header->hb4 |= HB4_RA;
2308
2309 /* authoritive - only hosts and DHCP derived names. */
2310 if (auth)
2311 header->hb3 |= HB3_AA;
2312
2313 /* truncation */
2314 if (trunc)
2315 header->hb3 |= HB3_TC;
2316
2317 if (nxdomain)
2318 SET_RCODE(header, NXDOMAIN);
2319 else
2320 SET_RCODE(header, NOERROR); /* no error */
2321 header->ancount = htons(anscount);
2322 header->nscount = htons(0);
2323 header->arcount = htons(addncount);
2324
2325 len = ansp - (unsigned char *)header;
2326
2327 if (have_pseudoheader)
2328 len = add_pseudoheader(header, len, (unsigned char *)limit, 0, NULL, 0, sec_reqd);
2329
2330 if (*ad_reqd && sec_data)
2331 header->hb4 |= HB4_AD;
2332 else
2333 header->hb4 &= ~HB4_AD;
2334
2335 return len;
2336 }
2337
Tomato firmware and modifications.