As an exit node, scrub the IP address to which we are exiting in the logs. Bugfix...
[tor/rransom.git] / src / or / dnsserv.c
blob36d072110de0fe0205e614fbdddf1dce53945013
1 /* Copyright (c) 2007-2008, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file dnsserv.c \brief Implements client-side DNS proxy server code. Note:
6 * this is the DNS Server code, not the Server DNS code. Confused? This code
7 * runs on client-side, and acts as a DNS server. The code in dns.c, on the
8 * other hand, runs on Tor servers, and acts as a DNS client.
9 **/
11 #include "or.h"
12 #include "eventdns.h"
14 /** Helper function: called by evdns whenever the client sends a request to our
15 * DNSPort. We need to eventually answer the request <b>req</b>.
17 static void
18 evdns_server_callback(struct evdns_server_request *req, void *_data)
20 edge_connection_t *conn;
21 int i = 0;
22 struct evdns_server_question *q = NULL;
23 struct sockaddr_storage addr;
24 struct sockaddr *sa;
25 int addrlen;
26 tor_addr_t tor_addr;
27 uint16_t port;
28 int err = DNS_ERR_NONE;
29 char *q_name;
31 tor_assert(req);
32 tor_assert(_data == NULL);
33 log_info(LD_APP, "Got a new DNS request!");
35 req->flags |= 0x80; /* set RA */
37 /* First, check whether the requesting address matches our SOCKSPolicy. */
38 if ((addrlen = evdns_server_request_get_requesting_addr(req,
39 (struct sockaddr*)&addr, (socklen_t)sizeof(addr))) < 0) {
40 log_warn(LD_APP, "Couldn't get requesting address.");
41 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
42 return;
44 (void) addrlen;
45 sa = (struct sockaddr*) &addr;
46 if (tor_addr_from_sockaddr(&tor_addr, sa, &port)<0) {
47 log_warn(LD_APP, "Requesting address wasn't recognized.");
48 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
49 return;
52 if (!socks_policy_permits_address(&tor_addr)) {
53 log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
54 evdns_server_request_respond(req, DNS_ERR_REFUSED);
55 return;
58 /* Now, let's find the first actual question of a type we can answer in this
59 * DNS request. It makes us a little noncompliant to act like this; we
60 * should fix that eventually if it turns out to make a difference for
61 * anybody. */
62 if (req->nquestions == 0) {
63 log_info(LD_APP, "No questions in DNS request; sending back nil reply.");
64 evdns_server_request_respond(req, 0);
65 return;
67 if (req->nquestions > 1) {
68 log_info(LD_APP, "Got a DNS request with more than one question; I only "
69 "handle one question at a time for now. Skipping the extras.");
71 for (i = 0; i < req->nquestions; ++i) {
72 if (req->questions[i]->class != EVDNS_CLASS_INET)
73 continue;
74 switch (req->questions[i]->type) {
75 case EVDNS_TYPE_A:
76 case EVDNS_TYPE_PTR:
77 q = req->questions[i];
78 default:
79 break;
82 if (!q) {
83 log_info(LD_APP, "None of the questions we got were ones we're willing "
84 "to support. Sending NODATA.");
85 evdns_server_request_respond(req, DNS_ERR_NONE);
86 return;
88 if (q->type == EVDNS_TYPE_A) {
89 /* Refuse any attempt to resolve a noconnect address, right now. */
90 if (hostname_is_noconnect_address(q->name)) {
91 err = DNS_ERR_REFUSED;
93 } else {
94 tor_assert(q->type == EVDNS_TYPE_PTR);
97 /* Make sure the name isn't too long: This should be impossible, I think. */
98 if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)
99 err = DNS_ERR_FORMAT;
101 if (err != DNS_ERR_NONE) {
102 /* We got an error? Then send back an answer immediately; we're done. */
103 evdns_server_request_respond(req, err);
104 return;
107 /* Make a new dummy AP connection, and attach the request to it. */
108 conn = edge_connection_new(CONN_TYPE_AP, AF_INET);
109 conn->_base.state = AP_CONN_STATE_RESOLVE_WAIT;
110 conn->is_dns_request = 1;
112 tor_addr_copy(&TO_CONN(conn)->addr, &tor_addr);
113 TO_CONN(conn)->port = port;
114 TO_CONN(conn)->address = tor_dup_addr(&tor_addr);
116 if (q->type == EVDNS_TYPE_A)
117 conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
118 else
119 conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
121 strlcpy(conn->socks_request->address, q->name,
122 sizeof(conn->socks_request->address));
124 conn->dns_server_request = req;
126 if (connection_add(TO_CONN(conn)) < 0) {
127 log_warn(LD_APP, "Couldn't register dummy connection for DNS request");
128 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
129 connection_free(TO_CONN(conn));
130 return;
133 control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
135 /* Now, throw the connection over to get rewritten (which will answer it
136 * immediately if it's in the cache, or completely bogus, or automapped),
137 * and then attached to a circuit. */
138 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
139 escaped_safe_str(q->name));
140 q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */
141 connection_ap_handshake_rewrite_and_attach(conn, NULL, NULL);
142 /* Now, the connection is marked if it was bad. */
144 log_info(LD_APP, "Passed request for %s to rewrite_and_attach.",
145 escaped_safe_str(q_name));
146 tor_free(q_name);
149 /** Helper function: called whenever the client sends a resolve request to our
150 * controller. We need to eventually answer the request <b>req</b>.
151 * Returns 0 if the controller will be getting (or has gotten) an event in
152 * response; -1 if we couldn't launch the request.
155 dnsserv_launch_request(const char *name, int reverse)
157 edge_connection_t *conn;
158 char *q_name;
160 /* Make a new dummy AP connection, and attach the request to it. */
161 conn = edge_connection_new(CONN_TYPE_AP, AF_INET);
162 conn->_base.state = AP_CONN_STATE_RESOLVE_WAIT;
164 if (reverse)
165 conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
166 else
167 conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
169 conn->is_dns_request = 1;
171 strlcpy(conn->socks_request->address, name,
172 sizeof(conn->socks_request->address));
174 if (connection_add(TO_CONN(conn))<0) {
175 log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
176 connection_free(TO_CONN(conn));
177 return -1;
180 /* Now, throw the connection over to get rewritten (which will answer it
181 * immediately if it's in the cache, or completely bogus, or automapped),
182 * and then attached to a circuit. */
183 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
184 escaped_safe_str(name));
185 q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */
186 connection_ap_handshake_rewrite_and_attach(conn, NULL, NULL);
187 /* Now, the connection is marked if it was bad. */
189 log_info(LD_APP, "Passed request for %s to rewrite_and_attach.",
190 escaped_safe_str(q_name));
191 tor_free(q_name);
192 return 0;
195 /** If there is a pending request on <b>conn</b> that's waiting for an answer,
196 * send back an error and free the request. */
197 void
198 dnsserv_reject_request(edge_connection_t *conn)
200 if (conn->dns_server_request) {
201 evdns_server_request_respond(conn->dns_server_request,
202 DNS_ERR_SERVERFAILED);
203 conn->dns_server_request = NULL;
207 /** Look up the original name that corresponds to 'addr' in req. We use this
208 * to preserve case in order to facilitate people using 0x20-hacks to avoid
209 * DNS poisoning. */
210 static const char *
211 evdns_get_orig_address(const struct evdns_server_request *req,
212 int rtype, const char *addr)
214 int i, type;
216 switch (rtype) {
217 case RESOLVED_TYPE_IPV4:
218 type = EVDNS_TYPE_A;
219 break;
220 case RESOLVED_TYPE_HOSTNAME:
221 type = EVDNS_TYPE_PTR;
222 break;
223 case RESOLVED_TYPE_IPV6:
224 type = EVDNS_TYPE_AAAA;
225 break;
226 default:
227 tor_fragile_assert();
228 return addr;
231 for (i = 0; i < req->nquestions; ++i) {
232 const struct evdns_server_question *q = req->questions[i];
233 if (q->type == type && !strcasecmp(q->name, addr))
234 return q->name;
236 return addr;
239 /** Tell the dns request waiting for an answer on <b>conn</b> that we have an
240 * answer of type <b>answer_type</b> (RESOLVE_TYPE_IPV4/IPV6/ERR), of length
241 * <b>answer_len</b>, in <b>answer</b>, with TTL <b>ttl</b>. Doesn't do
242 * any caching; that's handled elsewhere. */
243 void
244 dnsserv_resolved(edge_connection_t *conn,
245 int answer_type,
246 size_t answer_len,
247 const char *answer,
248 int ttl)
250 struct evdns_server_request *req = conn->dns_server_request;
251 const char *name;
252 int err = DNS_ERR_NONE;
253 if (!req)
254 return;
255 name = evdns_get_orig_address(req, answer_type,
256 conn->socks_request->address);
258 /* XXXX Re-do; this is dumb. */
259 if (ttl < 60)
260 ttl = 60;
262 /* The evdns interface is: add a bunch of reply items (corresponding to one
263 * or more of the questions in the request); then, call
264 * evdns_server_request_respond. */
265 if (answer_type == RESOLVED_TYPE_IPV6) {
266 log_info(LD_APP, "Got an IPv6 answer; that's not implemented.");
267 err = DNS_ERR_NOTIMPL;
268 } else if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4 &&
269 conn->socks_request->command == SOCKS_COMMAND_RESOLVE) {
270 evdns_server_request_add_a_reply(req,
271 name,
272 1, (char*)answer, ttl);
273 } else if (answer_type == RESOLVED_TYPE_HOSTNAME &&
274 conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) {
275 char *ans = tor_strndup(answer, answer_len);
276 evdns_server_request_add_ptr_reply(req, NULL,
277 name,
278 (char*)answer, ttl);
279 tor_free(ans);
280 } else if (answer_type == RESOLVED_TYPE_ERROR) {
281 err = DNS_ERR_NOTEXIST;
282 } else { /* answer_type == RESOLVED_TYPE_ERROR_TRANSIENT */
283 err = DNS_ERR_SERVERFAILED;
286 evdns_server_request_respond(req, err);
288 conn->dns_server_request = NULL;
291 /** Set up the evdns server port for the UDP socket on <b>conn</b>, which
292 * must be an AP_DNS_LISTENER */
293 void
294 dnsserv_configure_listener(connection_t *conn)
296 tor_assert(conn);
297 tor_assert(conn->s >= 0);
298 tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);
300 conn->dns_server_port = evdns_add_server_port(conn->s, 0,
301 evdns_server_callback, NULL);
304 /** Free the evdns server port for <b>conn</b>, which must be an
305 * AP_DNS_LISTENER. */
306 void
307 dnsserv_close_listener(connection_t *conn)
309 tor_assert(conn);
310 tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);
312 if (conn->dns_server_port) {
313 evdns_close_server_port(conn->dns_server_port);
314 conn->dns_server_port = NULL;