1 /* Copyright (c) 2007-2008, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
5 * \file dnsserv.c \brief Implements client-side DNS proxy server code. Note:
6 * this is the DNS Server code, not the Server DNS code. Confused? This code
7 * runs on client-side, and acts as a DNS server. The code in dns.c, on the
8 * other hand, runs on Tor servers, and acts as a DNS client.
14 /** Helper function: called by evdns whenever the client sends a request to our
15 * DNSPort. We need to eventually answer the request <b>req</b>.
18 evdns_server_callback(struct evdns_server_request
*req
, void *_data
)
20 edge_connection_t
*conn
;
22 struct evdns_server_question
*q
= NULL
;
23 struct sockaddr_storage addr
;
28 int err
= DNS_ERR_NONE
;
32 tor_assert(_data
== NULL
);
33 log_info(LD_APP
, "Got a new DNS request!");
35 req
->flags
|= 0x80; /* set RA */
37 /* First, check whether the requesting address matches our SOCKSPolicy. */
38 if ((addrlen
= evdns_server_request_get_requesting_addr(req
,
39 (struct sockaddr
*)&addr
, (socklen_t
)sizeof(addr
))) < 0) {
40 log_warn(LD_APP
, "Couldn't get requesting address.");
41 evdns_server_request_respond(req
, DNS_ERR_SERVERFAILED
);
45 sa
= (struct sockaddr
*) &addr
;
46 if (tor_addr_from_sockaddr(&tor_addr
, sa
, &port
)<0) {
47 log_warn(LD_APP
, "Requesting address wasn't recognized.");
48 evdns_server_request_respond(req
, DNS_ERR_SERVERFAILED
);
52 if (!socks_policy_permits_address(&tor_addr
)) {
53 log_warn(LD_APP
, "Rejecting DNS request from disallowed IP.");
54 evdns_server_request_respond(req
, DNS_ERR_REFUSED
);
58 /* Now, let's find the first actual question of a type we can answer in this
59 * DNS request. It makes us a little noncompliant to act like this; we
60 * should fix that eventually if it turns out to make a difference for
62 if (req
->nquestions
== 0) {
63 log_info(LD_APP
, "No questions in DNS request; sending back nil reply.");
64 evdns_server_request_respond(req
, 0);
67 if (req
->nquestions
> 1) {
68 log_info(LD_APP
, "Got a DNS request with more than one question; I only "
69 "handle one question at a time for now. Skipping the extras.");
71 for (i
= 0; i
< req
->nquestions
; ++i
) {
72 if (req
->questions
[i
]->class != EVDNS_CLASS_INET
)
74 switch (req
->questions
[i
]->type
) {
77 q
= req
->questions
[i
];
83 log_info(LD_APP
, "None of the questions we got were ones we're willing "
84 "to support. Sending NODATA.");
85 evdns_server_request_respond(req
, DNS_ERR_NONE
);
88 if (q
->type
== EVDNS_TYPE_A
) {
89 /* Refuse any attempt to resolve a noconnect address, right now. */
90 if (hostname_is_noconnect_address(q
->name
)) {
91 err
= DNS_ERR_REFUSED
;
94 tor_assert(q
->type
== EVDNS_TYPE_PTR
);
97 /* Make sure the name isn't too long: This should be impossible, I think. */
98 if (err
== DNS_ERR_NONE
&& strlen(q
->name
) > MAX_SOCKS_ADDR_LEN
-1)
101 if (err
!= DNS_ERR_NONE
) {
102 /* We got an error? Then send back an answer immediately; we're done. */
103 evdns_server_request_respond(req
, err
);
107 /* Make a new dummy AP connection, and attach the request to it. */
108 conn
= edge_connection_new(CONN_TYPE_AP
, AF_INET
);
109 conn
->_base
.state
= AP_CONN_STATE_RESOLVE_WAIT
;
110 conn
->is_dns_request
= 1;
112 tor_addr_copy(&TO_CONN(conn
)->addr
, &tor_addr
);
113 TO_CONN(conn
)->port
= port
;
114 TO_CONN(conn
)->address
= tor_dup_addr(&tor_addr
);
116 if (q
->type
== EVDNS_TYPE_A
)
117 conn
->socks_request
->command
= SOCKS_COMMAND_RESOLVE
;
119 conn
->socks_request
->command
= SOCKS_COMMAND_RESOLVE_PTR
;
121 strlcpy(conn
->socks_request
->address
, q
->name
,
122 sizeof(conn
->socks_request
->address
));
124 conn
->dns_server_request
= req
;
126 if (connection_add(TO_CONN(conn
)) < 0) {
127 log_warn(LD_APP
, "Couldn't register dummy connection for DNS request");
128 evdns_server_request_respond(req
, DNS_ERR_SERVERFAILED
);
129 connection_free(TO_CONN(conn
));
133 control_event_stream_status(conn
, STREAM_EVENT_NEW
, 0);
135 /* Now, throw the connection over to get rewritten (which will answer it
136 * immediately if it's in the cache, or completely bogus, or automapped),
137 * and then attached to a circuit. */
138 log_info(LD_APP
, "Passing request for %s to rewrite_and_attach.",
139 escaped_safe_str(q
->name
));
140 q_name
= tor_strdup(q
->name
); /* q could be freed in rewrite_and_attach */
141 connection_ap_handshake_rewrite_and_attach(conn
, NULL
, NULL
);
142 /* Now, the connection is marked if it was bad. */
144 log_info(LD_APP
, "Passed request for %s to rewrite_and_attach.",
145 escaped_safe_str(q_name
));
149 /** Helper function: called whenever the client sends a resolve request to our
150 * controller. We need to eventually answer the request <b>req</b>.
151 * Returns 0 if the controller will be getting (or has gotten) an event in
152 * response; -1 if we couldn't launch the request.
155 dnsserv_launch_request(const char *name
, int reverse
)
157 edge_connection_t
*conn
;
160 /* Make a new dummy AP connection, and attach the request to it. */
161 conn
= edge_connection_new(CONN_TYPE_AP
, AF_INET
);
162 conn
->_base
.state
= AP_CONN_STATE_RESOLVE_WAIT
;
165 conn
->socks_request
->command
= SOCKS_COMMAND_RESOLVE_PTR
;
167 conn
->socks_request
->command
= SOCKS_COMMAND_RESOLVE
;
169 conn
->is_dns_request
= 1;
171 strlcpy(conn
->socks_request
->address
, name
,
172 sizeof(conn
->socks_request
->address
));
174 if (connection_add(TO_CONN(conn
))<0) {
175 log_warn(LD_APP
, "Couldn't register dummy connection for RESOLVE request");
176 connection_free(TO_CONN(conn
));
180 /* Now, throw the connection over to get rewritten (which will answer it
181 * immediately if it's in the cache, or completely bogus, or automapped),
182 * and then attached to a circuit. */
183 log_info(LD_APP
, "Passing request for %s to rewrite_and_attach.",
184 escaped_safe_str(name
));
185 q_name
= tor_strdup(name
); /* q could be freed in rewrite_and_attach */
186 connection_ap_handshake_rewrite_and_attach(conn
, NULL
, NULL
);
187 /* Now, the connection is marked if it was bad. */
189 log_info(LD_APP
, "Passed request for %s to rewrite_and_attach.",
190 escaped_safe_str(q_name
));
195 /** If there is a pending request on <b>conn</b> that's waiting for an answer,
196 * send back an error and free the request. */
198 dnsserv_reject_request(edge_connection_t
*conn
)
200 if (conn
->dns_server_request
) {
201 evdns_server_request_respond(conn
->dns_server_request
,
202 DNS_ERR_SERVERFAILED
);
203 conn
->dns_server_request
= NULL
;
207 /** Look up the original name that corresponds to 'addr' in req. We use this
208 * to preserve case in order to facilitate people using 0x20-hacks to avoid
211 evdns_get_orig_address(const struct evdns_server_request
*req
,
212 int rtype
, const char *addr
)
217 case RESOLVED_TYPE_IPV4
:
220 case RESOLVED_TYPE_HOSTNAME
:
221 type
= EVDNS_TYPE_PTR
;
223 case RESOLVED_TYPE_IPV6
:
224 type
= EVDNS_TYPE_AAAA
;
227 tor_fragile_assert();
231 for (i
= 0; i
< req
->nquestions
; ++i
) {
232 const struct evdns_server_question
*q
= req
->questions
[i
];
233 if (q
->type
== type
&& !strcasecmp(q
->name
, addr
))
239 /** Tell the dns request waiting for an answer on <b>conn</b> that we have an
240 * answer of type <b>answer_type</b> (RESOLVE_TYPE_IPV4/IPV6/ERR), of length
241 * <b>answer_len</b>, in <b>answer</b>, with TTL <b>ttl</b>. Doesn't do
242 * any caching; that's handled elsewhere. */
244 dnsserv_resolved(edge_connection_t
*conn
,
250 struct evdns_server_request
*req
= conn
->dns_server_request
;
252 int err
= DNS_ERR_NONE
;
255 name
= evdns_get_orig_address(req
, answer_type
,
256 conn
->socks_request
->address
);
258 /* XXXX Re-do; this is dumb. */
262 /* The evdns interface is: add a bunch of reply items (corresponding to one
263 * or more of the questions in the request); then, call
264 * evdns_server_request_respond. */
265 if (answer_type
== RESOLVED_TYPE_IPV6
) {
266 log_info(LD_APP
, "Got an IPv6 answer; that's not implemented.");
267 err
= DNS_ERR_NOTIMPL
;
268 } else if (answer_type
== RESOLVED_TYPE_IPV4
&& answer_len
== 4 &&
269 conn
->socks_request
->command
== SOCKS_COMMAND_RESOLVE
) {
270 evdns_server_request_add_a_reply(req
,
272 1, (char*)answer
, ttl
);
273 } else if (answer_type
== RESOLVED_TYPE_HOSTNAME
&&
274 conn
->socks_request
->command
== SOCKS_COMMAND_RESOLVE_PTR
) {
275 char *ans
= tor_strndup(answer
, answer_len
);
276 evdns_server_request_add_ptr_reply(req
, NULL
,
280 } else if (answer_type
== RESOLVED_TYPE_ERROR
) {
281 err
= DNS_ERR_NOTEXIST
;
282 } else { /* answer_type == RESOLVED_TYPE_ERROR_TRANSIENT */
283 err
= DNS_ERR_SERVERFAILED
;
286 evdns_server_request_respond(req
, err
);
288 conn
->dns_server_request
= NULL
;
291 /** Set up the evdns server port for the UDP socket on <b>conn</b>, which
292 * must be an AP_DNS_LISTENER */
294 dnsserv_configure_listener(connection_t
*conn
)
297 tor_assert(conn
->s
>= 0);
298 tor_assert(conn
->type
== CONN_TYPE_AP_DNS_LISTENER
);
300 conn
->dns_server_port
= evdns_add_server_port(conn
->s
, 0,
301 evdns_server_callback
, NULL
);
304 /** Free the evdns server port for <b>conn</b>, which must be an
305 * AP_DNS_LISTENER. */
307 dnsserv_close_listener(connection_t
*conn
)
310 tor_assert(conn
->type
== CONN_TYPE_AP_DNS_LISTENER
);
312 if (conn
->dns_server_port
) {
313 evdns_close_server_port(conn
->dns_server_port
);
314 conn
->dns_server_port
= NULL
;