Simon Kelley | c8e8f5c | 2021-01-24 21:59:37 +0000 | [diff] [blame] | 1 | /* dnsmasq is Copyright (c) 2000-2021 Simon Kelley |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2 | |
| 3 | This program is free software; you can redistribute it and/or modify |
| 4 | it under the terms of the GNU General Public License as published by |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 5 | the Free Software Foundation; version 2 dated June, 1991, or |
| 6 | (at your option) version 3 dated 29 June, 2007. |
| 7 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 8 | This program is distributed in the hope that it will be useful, |
| 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 11 | GNU General Public License for more details. |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 12 | |
Simon Kelley | 73a08a2 | 2009-02-05 20:28:08 +0000 | [diff] [blame] | 13 | You should have received a copy of the GNU General Public License |
| 14 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 15 | */ |
| 16 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 17 | #include "dnsmasq.h" |
| 18 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 19 | static struct frec *lookup_frec(unsigned short id, int fd, void *hash); |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 20 | static struct frec *lookup_frec_by_query(void *hash, unsigned int flags); |
| 21 | |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 22 | static unsigned short get_id(void); |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 23 | static void free_frec(struct frec *f); |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 24 | |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 25 | /* Send a UDP packet with its source address set as "source" |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 26 | unless nowild is true, when we just send it with the kernel default */ |
Simon Kelley | 29689cf | 2012-03-22 14:01:00 +0000 | [diff] [blame] | 27 | int send_from(int fd, int nowild, char *packet, size_t len, |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 28 | union mysockaddr *to, union all_addr *source, |
Simon Kelley | 50303b1 | 2012-04-04 22:13:17 +0100 | [diff] [blame] | 29 | unsigned int iface) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 30 | { |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 31 | struct msghdr msg; |
| 32 | struct iovec iov[1]; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 33 | union { |
| 34 | struct cmsghdr align; /* this ensures alignment */ |
Simon Kelley | 5e9e0ef | 2006-04-17 14:24:29 +0100 | [diff] [blame] | 35 | #if defined(HAVE_LINUX_NETWORK) |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 36 | char control[CMSG_SPACE(sizeof(struct in_pktinfo))]; |
| 37 | #elif defined(IP_SENDSRCADDR) |
| 38 | char control[CMSG_SPACE(sizeof(struct in_addr))]; |
| 39 | #endif |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 40 | char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))]; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 41 | } control_u; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 42 | |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 43 | iov[0].iov_base = packet; |
| 44 | iov[0].iov_len = len; |
| 45 | |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 46 | msg.msg_control = NULL; |
| 47 | msg.msg_controllen = 0; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 48 | msg.msg_flags = 0; |
| 49 | msg.msg_name = to; |
| 50 | msg.msg_namelen = sa_len(to); |
| 51 | msg.msg_iov = iov; |
| 52 | msg.msg_iovlen = 1; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 53 | |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 54 | if (!nowild) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 55 | { |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 56 | struct cmsghdr *cmptr; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 57 | msg.msg_control = &control_u; |
| 58 | msg.msg_controllen = sizeof(control_u); |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 59 | cmptr = CMSG_FIRSTHDR(&msg); |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 60 | |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 61 | if (to->sa.sa_family == AF_INET) |
| 62 | { |
Simon Kelley | 5e9e0ef | 2006-04-17 14:24:29 +0100 | [diff] [blame] | 63 | #if defined(HAVE_LINUX_NETWORK) |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 64 | struct in_pktinfo p; |
| 65 | p.ipi_ifindex = 0; |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 66 | p.ipi_spec_dst = source->addr4; |
Jérémie Courrèges-Anglas | c6cc455 | 2019-03-22 10:56:13 +0100 | [diff] [blame] | 67 | msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 68 | memcpy(CMSG_DATA(cmptr), &p, sizeof(p)); |
Jérémie Courrèges-Anglas | c6cc455 | 2019-03-22 10:56:13 +0100 | [diff] [blame] | 69 | cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); |
Simon Kelley | c72daea | 2012-01-05 21:33:27 +0000 | [diff] [blame] | 70 | cmptr->cmsg_level = IPPROTO_IP; |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 71 | cmptr->cmsg_type = IP_PKTINFO; |
| 72 | #elif defined(IP_SENDSRCADDR) |
Jérémie Courrèges-Anglas | c6cc455 | 2019-03-22 10:56:13 +0100 | [diff] [blame] | 73 | msg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr)); |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 74 | memcpy(CMSG_DATA(cmptr), &(source->addr4), sizeof(source->addr4)); |
Jérémie Courrèges-Anglas | c6cc455 | 2019-03-22 10:56:13 +0100 | [diff] [blame] | 75 | cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 76 | cmptr->cmsg_level = IPPROTO_IP; |
| 77 | cmptr->cmsg_type = IP_SENDSRCADDR; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 78 | #endif |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 79 | } |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 80 | else |
| 81 | { |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 82 | struct in6_pktinfo p; |
| 83 | p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */ |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 84 | p.ipi6_addr = source->addr6; |
Jérémie Courrèges-Anglas | c6cc455 | 2019-03-22 10:56:13 +0100 | [diff] [blame] | 85 | msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 86 | memcpy(CMSG_DATA(cmptr), &p, sizeof(p)); |
Jérémie Courrèges-Anglas | c6cc455 | 2019-03-22 10:56:13 +0100 | [diff] [blame] | 87 | cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); |
Simon Kelley | 316e273 | 2010-01-22 20:16:09 +0000 | [diff] [blame] | 88 | cmptr->cmsg_type = daemon->v6pktinfo; |
Simon Kelley | c72daea | 2012-01-05 21:33:27 +0000 | [diff] [blame] | 89 | cmptr->cmsg_level = IPPROTO_IPV6; |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 90 | } |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 91 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 92 | |
Simon Kelley | ff841eb | 2015-03-11 21:36:30 +0000 | [diff] [blame] | 93 | while (retry_send(sendmsg(fd, &msg, 0))); |
| 94 | |
Brad Smith | ea3c60a | 2020-03-08 14:53:59 +0000 | [diff] [blame] | 95 | if (errno != 0) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 96 | { |
Brad Smith | ea3c60a | 2020-03-08 14:53:59 +0000 | [diff] [blame] | 97 | #ifdef HAVE_LINUX_NETWORK |
| 98 | /* If interface is still in DAD, EINVAL results - ignore that. */ |
| 99 | if (errno != EINVAL) |
| 100 | my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno)); |
| 101 | #endif |
Simon Kelley | 29689cf | 2012-03-22 14:01:00 +0000 | [diff] [blame] | 102 | return 0; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 103 | } |
Simon Kelley | 29d28dd | 2012-12-03 14:05:59 +0000 | [diff] [blame] | 104 | |
Simon Kelley | 29689cf | 2012-03-22 14:01:00 +0000 | [diff] [blame] | 105 | return 1; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 106 | } |
| 107 | |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 108 | static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned int qtype, |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 109 | char *qdomain, int *type, char **domain, int *norebind) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 110 | |
| 111 | { |
| 112 | /* If the query ends in the domain in one of our servers, set |
| 113 | domain to point to that name. We find the largest match to allow both |
| 114 | domain.org and sub.domain.org to exist. */ |
| 115 | |
| 116 | unsigned int namelen = strlen(qdomain); |
| 117 | unsigned int matchlen = 0; |
| 118 | struct server *serv; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 119 | unsigned int flags = 0; |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 120 | static union all_addr zero; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 121 | |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 122 | for (serv = daemon->servers; serv; serv=serv->next) |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 123 | if (qtype == F_DNSSECOK && !(serv->flags & SERV_DO_DNSSEC)) |
| 124 | continue; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 125 | /* domain matches take priority over NODOTS matches */ |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 126 | else if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 127 | { |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 128 | unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 129 | *type = SERV_FOR_NODOTS; |
Sung Pae | a914d0a | 2019-12-30 17:07:37 -0600 | [diff] [blame] | 130 | if ((serv->flags & SERV_NO_REBIND) && norebind) |
| 131 | *norebind = 1; |
| 132 | else if (serv->flags & SERV_NO_ADDR) |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 133 | flags = F_NXDOMAIN; |
Simon Kelley | da8b651 | 2018-09-03 23:18:36 +0100 | [diff] [blame] | 134 | else if (serv->flags & SERV_LITERAL_ADDRESS) |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 135 | { |
Simon Kelley | da8b651 | 2018-09-03 23:18:36 +0100 | [diff] [blame] | 136 | /* literal address = '#' -> return all-zero address for IPv4 and IPv6 */ |
| 137 | if ((serv->flags & SERV_USE_RESOLV) && (qtype & (F_IPV6 | F_IPV4))) |
| 138 | { |
| 139 | memset(&zero, 0, sizeof(zero)); |
| 140 | flags = qtype; |
| 141 | *addrpp = &zero; |
| 142 | } |
| 143 | else if (sflag & qtype) |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 144 | { |
| 145 | flags = sflag; |
| 146 | if (serv->addr.sa.sa_family == AF_INET) |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 147 | *addrpp = (union all_addr *)&serv->addr.in.sin_addr; |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 148 | else |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 149 | *addrpp = (union all_addr *)&serv->addr.in6.sin6_addr; |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 150 | } |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 151 | else if (!flags || (flags & F_NXDOMAIN)) |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 152 | flags = F_NOERR; |
| 153 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 154 | } |
| 155 | else if (serv->flags & SERV_HAS_DOMAIN) |
| 156 | { |
| 157 | unsigned int domainlen = strlen(serv->domain); |
Simon Kelley | b8187c8 | 2005-11-26 21:46:27 +0000 | [diff] [blame] | 158 | char *matchstart = qdomain + namelen - domainlen; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 159 | if (namelen >= domainlen && |
Simon Kelley | b8187c8 | 2005-11-26 21:46:27 +0000 | [diff] [blame] | 160 | hostname_isequal(matchstart, serv->domain) && |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 161 | (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' )) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 162 | { |
Simon Kelley | 92be34a | 2016-01-16 18:39:54 +0000 | [diff] [blame] | 163 | if ((serv->flags & SERV_NO_REBIND) && norebind) |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 164 | *norebind = 1; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 165 | else |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 166 | { |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 167 | unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6; |
| 168 | /* implement priority rules for --address and --server for same domain. |
| 169 | --address wins if the address is for the correct AF |
| 170 | --server wins otherwise. */ |
| 171 | if (domainlen != 0 && domainlen == matchlen) |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 172 | { |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 173 | if ((serv->flags & SERV_LITERAL_ADDRESS)) |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 174 | { |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 175 | if (!(sflag & qtype) && flags == 0) |
| 176 | continue; |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 177 | } |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 178 | else |
| 179 | { |
| 180 | if (flags & (F_IPV4 | F_IPV6)) |
| 181 | continue; |
| 182 | } |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 183 | } |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 184 | |
| 185 | if (domainlen >= matchlen) |
| 186 | { |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 187 | *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND | SERV_DO_DNSSEC); |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 188 | *domain = serv->domain; |
| 189 | matchlen = domainlen; |
| 190 | if (serv->flags & SERV_NO_ADDR) |
| 191 | flags = F_NXDOMAIN; |
| 192 | else if (serv->flags & SERV_LITERAL_ADDRESS) |
| 193 | { |
Simon Kelley | da8b651 | 2018-09-03 23:18:36 +0100 | [diff] [blame] | 194 | /* literal address = '#' -> return all-zero address for IPv4 and IPv6 */ |
| 195 | if ((serv->flags & SERV_USE_RESOLV) && (qtype & (F_IPV6 | F_IPV4))) |
| 196 | { |
| 197 | memset(&zero, 0, sizeof(zero)); |
| 198 | flags = qtype; |
| 199 | *addrpp = &zero; |
| 200 | } |
| 201 | else if (sflag & qtype) |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 202 | { |
| 203 | flags = sflag; |
| 204 | if (serv->addr.sa.sa_family == AF_INET) |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 205 | *addrpp = (union all_addr *)&serv->addr.in.sin_addr; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 206 | else |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 207 | *addrpp = (union all_addr *)&serv->addr.in6.sin6_addr; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 208 | } |
| 209 | else if (!flags || (flags & F_NXDOMAIN)) |
| 210 | flags = F_NOERR; |
| 211 | } |
| 212 | else |
| 213 | flags = 0; |
| 214 | } |
| 215 | } |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 216 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 217 | } |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 218 | |
Simon Kelley | bf05f8f | 2017-05-09 22:37:46 +0100 | [diff] [blame] | 219 | if (flags == 0 && !(qtype & (F_QUERY | F_DNSSECOK)) && |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 220 | option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0) |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 221 | /* don't forward A or AAAA queries for simple names, except the empty name */ |
| 222 | flags = F_NOERR; |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 223 | |
Simon Kelley | 5aabfc7 | 2007-08-29 11:24:47 +0100 | [diff] [blame] | 224 | if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now)) |
Simon Kelley | c1bb850 | 2004-08-11 18:40:17 +0100 | [diff] [blame] | 225 | flags = F_NOERR; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 226 | |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 227 | if (flags) |
| 228 | { |
Simon Kelley | c346f61 | 2018-09-04 21:14:18 +0100 | [diff] [blame] | 229 | if (flags == F_NXDOMAIN || flags == F_NOERR) |
| 230 | log_query(flags | qtype | F_NEG | F_CONFIG | F_FORWARD, qdomain, NULL, NULL); |
| 231 | else |
| 232 | { |
| 233 | /* handle F_IPV4 and F_IPV6 set on ANY query to 0.0.0.0/:: domain. */ |
| 234 | if (flags & F_IPV4) |
| 235 | log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, qdomain, *addrpp, NULL); |
Simon Kelley | c346f61 | 2018-09-04 21:14:18 +0100 | [diff] [blame] | 236 | if (flags & F_IPV6) |
| 237 | log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, qdomain, *addrpp, NULL); |
Simon Kelley | c346f61 | 2018-09-04 21:14:18 +0100 | [diff] [blame] | 238 | } |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 239 | } |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 240 | else if ((*type) & SERV_USE_RESOLV) |
| 241 | { |
| 242 | *type = 0; /* use normal servers for this domain */ |
| 243 | *domain = NULL; |
| 244 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 245 | return flags; |
| 246 | } |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 247 | |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 248 | #ifdef HAVE_CONNTRACK |
| 249 | static void set_outgoing_mark(struct frec *forward, int fd) |
| 250 | { |
| 251 | /* Copy connection mark of incoming query to outgoing connection. */ |
| 252 | unsigned int mark; |
| 253 | if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark)) |
| 254 | setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); |
| 255 | } |
| 256 | #endif |
| 257 | |
| 258 | static void log_query_mysockaddr(unsigned int flags, char *name, union mysockaddr *addr, char *arg) |
| 259 | { |
| 260 | if (addr->sa.sa_family == AF_INET) |
| 261 | log_query(flags | F_IPV4, name, (union all_addr *)&addr->in.sin_addr, arg); |
| 262 | else |
| 263 | log_query(flags | F_IPV6, name, (union all_addr *)&addr->in6.sin6_addr, arg); |
| 264 | } |
| 265 | |
Petr Menšík | 51f7bc9 | 2021-03-18 01:05:43 +0100 | [diff] [blame] | 266 | static void server_send(struct server *server, int fd, |
| 267 | const void *header, size_t plen, int flags) |
| 268 | { |
| 269 | while (retry_send(sendto(fd, header, plen, flags, |
| 270 | &server->addr.sa, |
| 271 | sa_len(&server->addr)))); |
| 272 | } |
| 273 | |
| 274 | #ifdef HAVE_DNSSEC |
| 275 | static void server_send_log(struct server *server, int fd, |
| 276 | const void *header, size_t plen, int dumpflags, |
| 277 | unsigned int logflags, char *name, char *arg) |
| 278 | { |
| 279 | #ifdef HAVE_DUMPFILE |
| 280 | dump_packet(dumpflags, (void *)header, (size_t)plen, NULL, &server->addr); |
| 281 | #endif |
| 282 | log_query_mysockaddr(logflags, name, &server->addr, arg); |
| 283 | server_send(server, fd, header, plen, 0); |
| 284 | } |
| 285 | #endif |
| 286 | |
Petr Menšík | e10a923 | 2021-03-15 11:20:49 +0100 | [diff] [blame] | 287 | static int server_test_type(const struct server *server, |
| 288 | const char *domain, int type, int extratype) |
| 289 | { |
| 290 | return (type == (server->flags & (SERV_TYPE | extratype)) && |
| 291 | (type != SERV_HAS_DOMAIN || hostname_isequal(domain, server->domain)) && |
| 292 | !(server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))); |
| 293 | } |
| 294 | |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 295 | static int forward_query(int udpfd, union mysockaddr *udpaddr, |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 296 | union all_addr *dst_addr, unsigned int dst_iface, |
Simon Kelley | 83349b8 | 2014-02-10 21:02:01 +0000 | [diff] [blame] | 297 | struct dns_header *header, size_t plen, time_t now, |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 298 | struct frec *forward, int ad_reqd, int do_bit) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 299 | { |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 300 | char *domain = NULL; |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 301 | int type = SERV_DO_DNSSEC, norebind = 0; |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 302 | union all_addr *addrp = NULL; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 303 | unsigned int flags = 0; |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 304 | unsigned int fwd_flags = 0; |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 305 | struct server *start = NULL; |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 306 | void *hash = hash_questions(header, plen, daemon->namebuff); |
Simon Kelley | 2d76586 | 2020-11-12 22:06:07 +0000 | [diff] [blame] | 307 | #ifdef HAVE_DNSSEC |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 308 | int do_dnssec = 0; |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 309 | #endif |
Simon Kelley | 1682d15 | 2018-08-03 20:38:18 +0100 | [diff] [blame] | 310 | unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); |
| 311 | unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); |
| 312 | (void)do_bit; |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 313 | |
| 314 | if (header->hb4 & HB4_CD) |
| 315 | fwd_flags |= FREC_CHECKING_DISABLED; |
| 316 | if (ad_reqd) |
| 317 | fwd_flags |= FREC_AD_QUESTION; |
| 318 | if (oph) |
| 319 | fwd_flags |= FREC_HAS_PHEADER; |
| 320 | #ifdef HAVE_DNSSEC |
| 321 | if (do_bit) |
| 322 | fwd_flags |= FREC_DO_QUESTION; |
| 323 | #endif |
| 324 | |
Simon Kelley | 305cb79 | 2021-02-18 21:35:09 +0000 | [diff] [blame] | 325 | /* Check for retry on existing query */ |
| 326 | if (!forward && (forward = lookup_frec_by_query(hash, fwd_flags))) |
Simon Kelley | 141a26f | 2021-02-17 23:56:32 +0000 | [diff] [blame] | 327 | { |
Simon Kelley | 305cb79 | 2021-02-18 21:35:09 +0000 | [diff] [blame] | 328 | struct frec_src *src; |
Simon Kelley | 141a26f | 2021-02-17 23:56:32 +0000 | [diff] [blame] | 329 | |
Simon Kelley | 305cb79 | 2021-02-18 21:35:09 +0000 | [diff] [blame] | 330 | for (src = &forward->frec_src; src; src = src->next) |
| 331 | if (src->orig_id == ntohs(header->id) && |
| 332 | sockaddr_isequal(&src->source, udpaddr)) |
| 333 | break; |
| 334 | |
| 335 | /* Existing query, but from new source, just add this |
| 336 | client to the list that will get the reply.*/ |
| 337 | if (!src) |
| 338 | { |
Simon Kelley | 141a26f | 2021-02-17 23:56:32 +0000 | [diff] [blame] | 339 | /* Note whine_malloc() zeros memory. */ |
| 340 | if (!daemon->free_frec_src && |
| 341 | daemon->frec_src_count < daemon->ftabsize && |
| 342 | (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) |
| 343 | { |
| 344 | daemon->frec_src_count++; |
| 345 | daemon->free_frec_src->next = NULL; |
| 346 | } |
| 347 | |
| 348 | /* If we've been spammed with many duplicates, just drop the query. */ |
| 349 | if (!daemon->free_frec_src) |
| 350 | return 0; |
| 351 | |
Simon Kelley | 305cb79 | 2021-02-18 21:35:09 +0000 | [diff] [blame] | 352 | src = daemon->free_frec_src; |
| 353 | daemon->free_frec_src = src->next; |
| 354 | src->next = forward->frec_src.next; |
| 355 | forward->frec_src.next = src; |
| 356 | src->orig_id = ntohs(header->id); |
| 357 | src->source = *udpaddr; |
| 358 | src->dest = *dst_addr; |
| 359 | src->log_id = daemon->log_id; |
| 360 | src->iface = dst_iface; |
| 361 | src->fd = udpfd; |
Simon Kelley | 141a26f | 2021-02-17 23:56:32 +0000 | [diff] [blame] | 362 | } |
| 363 | } |
| 364 | |
| 365 | /* retry existing query */ |
| 366 | if (forward) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 367 | { |
Simon Kelley | a77cec8 | 2015-05-08 16:25:38 +0100 | [diff] [blame] | 368 | /* If we didn't get an answer advertising a maximal packet in EDNS, |
| 369 | fall back to 1280, which should work everywhere on IPv6. |
| 370 | If that generates an answer, it will become the new default |
| 371 | for this server */ |
| 372 | forward->flags |= FREC_TEST_PKTSZ; |
| 373 | |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 374 | #ifdef HAVE_DNSSEC |
Simon Kelley | dac7431 | 2014-02-13 16:43:49 +0000 | [diff] [blame] | 375 | /* If we've already got an answer to this query, but we're awaiting keys for validation, |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 376 | there's no point retrying the query, retry the key query instead...... */ |
| 377 | if (forward->blocking_query) |
| 378 | { |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 379 | int fd, is_sign; |
| 380 | unsigned char *pheader; |
Simon Kelley | a77cec8 | 2015-05-08 16:25:38 +0100 | [diff] [blame] | 381 | |
| 382 | forward->flags &= ~FREC_TEST_PKTSZ; |
| 383 | |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 384 | while (forward->blocking_query) |
| 385 | forward = forward->blocking_query; |
Simon Kelley | a77cec8 | 2015-05-08 16:25:38 +0100 | [diff] [blame] | 386 | |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 387 | blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); |
| 388 | plen = forward->stash_len; |
| 389 | |
Simon Kelley | c1a4e25 | 2018-01-19 22:00:05 +0000 | [diff] [blame] | 390 | forward->flags |= FREC_TEST_PKTSZ; |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 391 | if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 392 | PUTSHORT(SAFE_PKTSZ, pheader); |
Simon Kelley | c1a4e25 | 2018-01-19 22:00:05 +0000 | [diff] [blame] | 393 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 394 | if ((fd = allocate_rfd(&forward->rfds, forward->sentto)) != -1) |
Petr Menšík | 51f7bc9 | 2021-03-18 01:05:43 +0100 | [diff] [blame] | 395 | server_send_log(forward->sentto, fd, header, plen, |
| 396 | DUMP_SEC_QUERY, |
| 397 | F_NOEXTRA | F_DNSSEC, "retry", "dnssec"); |
| 398 | |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 399 | return 1; |
| 400 | } |
| 401 | #endif |
| 402 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 403 | /* retry on existing query, send to all available servers */ |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 404 | domain = forward->sentto->domain; |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 405 | forward->sentto->failed_queries++; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 406 | if (!option_bool(OPT_ORDER)) |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 407 | { |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 408 | forward->forwardall = 1; |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 409 | daemon->last_server = NULL; |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 410 | } |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 411 | type = forward->sentto->flags & SERV_TYPE; |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 412 | #ifdef HAVE_DNSSEC |
| 413 | do_dnssec = forward->sentto->flags & SERV_DO_DNSSEC; |
| 414 | #endif |
| 415 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 416 | if (!(start = forward->sentto->next)) |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 417 | start = daemon->servers; /* at end of list, recycle */ |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 418 | header->id = htons(forward->new_id); |
| 419 | } |
| 420 | else |
| 421 | { |
Simon Kelley | 141a26f | 2021-02-17 23:56:32 +0000 | [diff] [blame] | 422 | /* new query */ |
| 423 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 424 | if (gotname) |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 425 | flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 426 | |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 427 | #ifdef HAVE_DNSSEC |
| 428 | do_dnssec = type & SERV_DO_DNSSEC; |
Simon Kelley | f7443d7 | 2016-01-19 20:29:57 +0000 | [diff] [blame] | 429 | #endif |
| 430 | type &= ~SERV_DO_DNSSEC; |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 431 | |
Simon Kelley | 141a26f | 2021-02-17 23:56:32 +0000 | [diff] [blame] | 432 | /* may be no servers available. */ |
Simon Kelley | d05dd58 | 2016-01-19 21:23:30 +0000 | [diff] [blame] | 433 | if (daemon->servers && !flags) |
Simon Kelley | 8caf3d7 | 2020-04-04 17:00:32 +0100 | [diff] [blame] | 434 | forward = get_new_frec(now, NULL, NULL); |
Simon Kelley | d05dd58 | 2016-01-19 21:23:30 +0000 | [diff] [blame] | 435 | /* table full - flags == 0, return REFUSED */ |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 436 | |
| 437 | if (forward) |
| 438 | { |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 439 | forward->frec_src.source = *udpaddr; |
| 440 | forward->frec_src.orig_id = ntohs(header->id); |
| 441 | forward->frec_src.dest = *dst_addr; |
| 442 | forward->frec_src.iface = dst_iface; |
Simon Kelley | 6a6e06f | 2020-12-04 18:35:11 +0000 | [diff] [blame] | 443 | forward->frec_src.next = NULL; |
Simon Kelley | 04490bf | 2021-01-22 16:49:12 +0000 | [diff] [blame] | 444 | forward->frec_src.fd = udpfd; |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 445 | forward->new_id = get_id(); |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 446 | memcpy(forward->hash, hash, HASH_SIZE); |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 447 | forward->forwardall = 0; |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 448 | forward->flags = fwd_flags; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 449 | if (norebind) |
| 450 | forward->flags |= FREC_NOREBIND; |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 451 | if (header->hb4 & HB4_CD) |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 452 | forward->flags |= FREC_CHECKING_DISABLED; |
Simon Kelley | 83349b8 | 2014-02-10 21:02:01 +0000 | [diff] [blame] | 453 | if (ad_reqd) |
| 454 | forward->flags |= FREC_AD_QUESTION; |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 455 | #ifdef HAVE_DNSSEC |
| 456 | forward->work_counter = DNSSEC_WORK; |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 457 | if (do_bit) |
| 458 | forward->flags |= FREC_DO_QUESTION; |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 459 | #endif |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 460 | |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 461 | header->id = htons(forward->new_id); |
| 462 | |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 463 | /* In strict_order mode, always try servers in the order |
| 464 | specified in resolv.conf, if a domain is given |
| 465 | always try all the available servers, |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 466 | otherwise, use the one last known to work. */ |
| 467 | |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 468 | if (type == 0) |
| 469 | { |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 470 | if (option_bool(OPT_ORDER)) |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 471 | start = daemon->servers; |
| 472 | else if (!(start = daemon->last_server) || |
| 473 | daemon->forwardcount++ > FORWARD_TEST || |
| 474 | difftime(now, daemon->forwardtime) > FORWARD_TIME) |
| 475 | { |
| 476 | start = daemon->servers; |
| 477 | forward->forwardall = 1; |
| 478 | daemon->forwardcount = 0; |
| 479 | daemon->forwardtime = now; |
| 480 | } |
| 481 | } |
| 482 | else |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 483 | { |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 484 | start = daemon->servers; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 485 | if (!option_bool(OPT_ORDER)) |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 486 | forward->forwardall = 1; |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 487 | } |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 488 | } |
| 489 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 490 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 491 | /* check for send errors here (no route to host) |
| 492 | if we fail to send to all nameservers, send back an error |
| 493 | packet straight away (helps modem users when offline) */ |
| 494 | |
| 495 | if (!flags && forward) |
| 496 | { |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 497 | struct server *firstsentto = start; |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 498 | int subnet, cacheable, forwarded = 0; |
Simon Kelley | d3a8b39 | 2015-12-23 12:27:37 +0000 | [diff] [blame] | 499 | size_t edns0_len; |
Simon Kelley | c1a4e25 | 2018-01-19 22:00:05 +0000 | [diff] [blame] | 500 | unsigned char *pheader; |
| 501 | |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 502 | /* If a query is retried, use the log_id for the retry when logging the answer. */ |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 503 | forward->frec_src.log_id = daemon->log_id; |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 504 | |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 505 | plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet, &cacheable); |
Simon Kelley | 33702ab | 2015-12-28 23:17:15 +0000 | [diff] [blame] | 506 | |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 507 | if (subnet) |
| 508 | forward->flags |= FREC_HAS_SUBNET; |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 509 | |
| 510 | if (!cacheable) |
| 511 | forward->flags |= FREC_NO_CACHE; |
| 512 | |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 513 | #ifdef HAVE_DNSSEC |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 514 | if (option_bool(OPT_DNSSEC_VALID) && do_dnssec) |
Simon Kelley | 0fc2f31 | 2014-01-08 10:26:58 +0000 | [diff] [blame] | 515 | { |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 516 | plen = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ); |
| 517 | |
Simon Kelley | 5b3bf92 | 2014-01-25 17:03:07 +0000 | [diff] [blame] | 518 | /* For debugging, set Checking Disabled, otherwise, have the upstream check too, |
| 519 | this allows it to select auth servers when one is returning bad data. */ |
| 520 | if (option_bool(OPT_DNSSEC_DEBUG)) |
| 521 | header->hb4 |= HB4_CD; |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 522 | |
Simon Kelley | 0fc2f31 | 2014-01-08 10:26:58 +0000 | [diff] [blame] | 523 | } |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 524 | #endif |
Simon Kelley | d3a8b39 | 2015-12-23 12:27:37 +0000 | [diff] [blame] | 525 | |
Simon Kelley | c1a4e25 | 2018-01-19 22:00:05 +0000 | [diff] [blame] | 526 | if (find_pseudoheader(header, plen, &edns0_len, &pheader, NULL, NULL)) |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 527 | { |
| 528 | /* If there wasn't a PH before, and there is now, we added it. */ |
| 529 | if (!oph) |
| 530 | forward->flags |= FREC_ADDED_PHEADER; |
| 531 | |
| 532 | /* If we're sending an EDNS0 with any options, we can't recreate the query from a reply. */ |
| 533 | if (edns0_len > 11) |
| 534 | forward->flags |= FREC_HAS_EXTRADATA; |
Simon Kelley | c1a4e25 | 2018-01-19 22:00:05 +0000 | [diff] [blame] | 535 | |
| 536 | /* Reduce udp size on retransmits. */ |
| 537 | if (forward->flags & FREC_TEST_PKTSZ) |
| 538 | PUTSHORT(SAFE_PKTSZ, pheader); |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 539 | } |
Simon Kelley | a77cec8 | 2015-05-08 16:25:38 +0100 | [diff] [blame] | 540 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 541 | while (1) |
| 542 | { |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 543 | int fd; |
| 544 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 545 | /* only send to servers dealing with our domain. |
| 546 | domain may be NULL, in which case server->domain |
| 547 | must be NULL also. */ |
| 548 | |
Petr Menšík | e10a923 | 2021-03-15 11:20:49 +0100 | [diff] [blame] | 549 | if (server_test_type(start, domain, type, 0) && |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 550 | ((fd = allocate_rfd(&forward->rfds, start)) != -1)) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 551 | { |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 552 | |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 553 | #ifdef HAVE_CONNTRACK |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 554 | /* Copy connection mark of incoming query to outgoing connection. */ |
| 555 | if (option_bool(OPT_CONNTRACK)) |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 556 | set_outgoing_mark(forward, fd); |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 557 | #endif |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 558 | |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 559 | #ifdef HAVE_DNSSEC |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 560 | if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER)) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 561 | { |
| 562 | /* Difficult one here. If our client didn't send EDNS0, we will have set the UDP |
| 563 | packet size to 512. But that won't provide space for the RRSIGS in many cases. |
| 564 | The RRSIGS will be stripped out before the answer goes back, so the packet should |
| 565 | shrink again. So, if we added a do-bit, bump the udp packet size to the value |
Simon Kelley | 5aa5f0f | 2015-12-21 17:20:35 +0000 | [diff] [blame] | 566 | known to be OK for this server. We check returned size after stripping and set |
| 567 | the truncated bit if it's still too big. */ |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 568 | unsigned char *pheader; |
| 569 | int is_sign; |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 570 | if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 571 | PUTSHORT(start->edns_pktsz, pheader); |
| 572 | } |
| 573 | #endif |
| 574 | |
Simon Kelley | ff841eb | 2015-03-11 21:36:30 +0000 | [diff] [blame] | 575 | if (retry_send(sendto(fd, (char *)header, plen, 0, |
| 576 | &start->addr.sa, |
| 577 | sa_len(&start->addr)))) |
| 578 | continue; |
| 579 | |
| 580 | if (errno == 0) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 581 | { |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 582 | #ifdef HAVE_DUMPFILE |
| 583 | dump_packet(DUMP_UP_QUERY, (void *)header, plen, NULL, &start->addr); |
| 584 | #endif |
| 585 | |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 586 | /* Keep info in case we want to re-send this packet */ |
| 587 | daemon->srv_save = start; |
| 588 | daemon->packet_len = plen; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 589 | daemon->fd_save = fd; |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 590 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 591 | if (!gotname) |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 592 | strcpy(daemon->namebuff, "query"); |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 593 | log_query_mysockaddr(F_SERVER | F_FORWARD, daemon->namebuff, |
| 594 | &start->addr, NULL); |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 595 | start->queries++; |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 596 | forwarded = 1; |
| 597 | forward->sentto = start; |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 598 | if (!forward->forwardall) |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 599 | break; |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 600 | forward->forwardall++; |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 601 | } |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 602 | } |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 603 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 604 | if (!(start = start->next)) |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 605 | start = daemon->servers; |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 606 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 607 | if (start == firstsentto) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 608 | break; |
| 609 | } |
| 610 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 611 | if (forwarded) |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 612 | return 1; |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 613 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 614 | /* could not send on, prepare to return */ |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 615 | header->id = htons(forward->frec_src.orig_id); |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 616 | free_frec(forward); /* cancel */ |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 617 | } |
| 618 | |
| 619 | /* could not send on, return empty answer or address if known for whole domain */ |
Simon Kelley | b8187c8 | 2005-11-26 21:46:27 +0000 | [diff] [blame] | 620 | if (udpfd != -1) |
| 621 | { |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 622 | plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl); |
Simon Kelley | 1682d15 | 2018-08-03 20:38:18 +0100 | [diff] [blame] | 623 | if (oph) |
| 624 | plen = add_pseudoheader(header, plen, ((unsigned char *) header) + PACKETSZ, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0); |
Simon Kelley | 54dd393 | 2012-06-20 11:23:38 +0100 | [diff] [blame] | 625 | send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface); |
Simon Kelley | b8187c8 | 2005-11-26 21:46:27 +0000 | [diff] [blame] | 626 | } |
| 627 | |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 628 | return 0; |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 629 | } |
| 630 | |
Simon Kelley | ed4c076 | 2013-10-08 20:46:34 +0100 | [diff] [blame] | 631 | static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, |
Simon Kelley | fe3992f | 2015-04-03 21:25:05 +0100 | [diff] [blame] | 632 | int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader, |
| 633 | int check_subnet, union mysockaddr *query_source) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 634 | { |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 635 | unsigned char *pheader, *sizep; |
Jason A. Donenfeld | 13d86c7 | 2013-02-22 18:20:53 +0000 | [diff] [blame] | 636 | char **sets = 0; |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 637 | int munged = 0, is_sign; |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 638 | unsigned int rcode = RCODE(header); |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 639 | size_t plen; |
Simon Kelley | a6004d7 | 2017-10-25 17:48:19 +0100 | [diff] [blame] | 640 | |
Simon Kelley | 83349b8 | 2014-02-10 21:02:01 +0000 | [diff] [blame] | 641 | (void)ad_reqd; |
Simon Kelley | 982faf4 | 2015-04-03 21:42:30 +0100 | [diff] [blame] | 642 | (void)do_bit; |
| 643 | (void)bogusanswer; |
Simon Kelley | 83349b8 | 2014-02-10 21:02:01 +0000 | [diff] [blame] | 644 | |
Jason A. Donenfeld | 13d86c7 | 2013-02-22 18:20:53 +0000 | [diff] [blame] | 645 | #ifdef HAVE_IPSET |
Simon Kelley | 82a14af | 2014-04-13 20:48:57 +0100 | [diff] [blame] | 646 | if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL)) |
Jason A. Donenfeld | 13d86c7 | 2013-02-22 18:20:53 +0000 | [diff] [blame] | 647 | { |
Simon Kelley | 82a14af | 2014-04-13 20:48:57 +0100 | [diff] [blame] | 648 | /* Similar algorithm to search_servers. */ |
| 649 | struct ipsets *ipset_pos; |
| 650 | unsigned int namelen = strlen(daemon->namebuff); |
| 651 | unsigned int matchlen = 0; |
| 652 | for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next) |
Simon Kelley | 6c0cb85 | 2014-01-17 14:40:46 +0000 | [diff] [blame] | 653 | { |
Simon Kelley | 82a14af | 2014-04-13 20:48:57 +0100 | [diff] [blame] | 654 | unsigned int domainlen = strlen(ipset_pos->domain); |
| 655 | char *matchstart = daemon->namebuff + namelen - domainlen; |
| 656 | if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) && |
| 657 | (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) && |
| 658 | domainlen >= matchlen) |
| 659 | { |
| 660 | matchlen = domainlen; |
| 661 | sets = ipset_pos->sets; |
| 662 | } |
Simon Kelley | 6c0cb85 | 2014-01-17 14:40:46 +0000 | [diff] [blame] | 663 | } |
Jason A. Donenfeld | 13d86c7 | 2013-02-22 18:20:53 +0000 | [diff] [blame] | 664 | } |
| 665 | #endif |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 666 | |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 667 | if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL))) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 668 | { |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 669 | /* Get extended RCODE. */ |
| 670 | rcode |= sizep[2] << 4; |
| 671 | |
Simon Kelley | ed4c076 | 2013-10-08 20:46:34 +0100 | [diff] [blame] | 672 | if (check_subnet && !check_source(header, plen, pheader, query_source)) |
| 673 | { |
| 674 | my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch")); |
| 675 | return 0; |
| 676 | } |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 677 | |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 678 | if (!is_sign) |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 679 | { |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 680 | if (added_pheader) |
| 681 | { |
| 682 | /* client didn't send EDNS0, we added one, strip it off before returning answer. */ |
| 683 | n = rrfilter(header, n, 0); |
| 684 | pheader = NULL; |
| 685 | } |
| 686 | else |
| 687 | { |
Simon Kelley | 33702ab | 2015-12-28 23:17:15 +0000 | [diff] [blame] | 688 | unsigned short udpsz; |
| 689 | |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 690 | /* If upstream is advertising a larger UDP packet size |
| 691 | than we allow, trim it so that we don't get overlarge |
| 692 | requests for the client. We can't do this for signed packets. */ |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 693 | GETSHORT(udpsz, sizep); |
| 694 | if (udpsz > daemon->edns_pktsz) |
Simon Kelley | 33702ab | 2015-12-28 23:17:15 +0000 | [diff] [blame] | 695 | { |
| 696 | sizep -= 2; |
| 697 | PUTSHORT(daemon->edns_pktsz, sizep); |
| 698 | } |
| 699 | |
| 700 | #ifdef HAVE_DNSSEC |
| 701 | /* If the client didn't set the do bit, but we did, reset it. */ |
| 702 | if (option_bool(OPT_DNSSEC_VALID) && !do_bit) |
| 703 | { |
| 704 | unsigned short flags; |
| 705 | sizep += 2; /* skip RCODE */ |
| 706 | GETSHORT(flags, sizep); |
| 707 | flags &= ~0x8000; |
| 708 | sizep -= 2; |
| 709 | PUTSHORT(flags, sizep); |
| 710 | } |
| 711 | #endif |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 712 | } |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 713 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 714 | } |
Simon Kelley | 83349b8 | 2014-02-10 21:02:01 +0000 | [diff] [blame] | 715 | |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 716 | /* RFC 4035 sect 4.6 para 3 */ |
Giovanni Bajo | 237724c | 2012-04-05 02:46:52 +0200 | [diff] [blame] | 717 | if (!is_sign && !option_bool(OPT_DNSSEC_PROXY)) |
Simon Kelley | 795501b | 2014-01-08 18:11:55 +0000 | [diff] [blame] | 718 | header->hb4 &= ~HB4_AD; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 719 | |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 720 | if (OPCODE(header) != QUERY) |
Simon Kelley | 8938ae0 | 2014-05-01 17:46:25 +0100 | [diff] [blame] | 721 | return resize_packet(header, n, pheader, plen); |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 722 | |
| 723 | if (rcode != NOERROR && rcode != NXDOMAIN) |
| 724 | { |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 725 | union all_addr a; |
| 726 | a.log.rcode = rcode; |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 727 | log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL); |
| 728 | |
| 729 | return resize_packet(header, n, pheader, plen); |
| 730 | } |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 731 | |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 732 | /* Complain loudly if the upstream server is non-recursive. */ |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 733 | if (!(header->hb4 & HB4_RA) && rcode == NOERROR && |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 734 | server && !(server->flags & SERV_WARNED_RECURSIVE)) |
| 735 | { |
Petr Mensik | 51cdd1a | 2019-07-04 20:28:08 +0200 | [diff] [blame] | 736 | (void)prettyprint_addr(&server->addr, daemon->namebuff); |
Simon Kelley | f2621c7 | 2007-04-29 19:47:21 +0100 | [diff] [blame] | 737 | my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff); |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 738 | if (!option_bool(OPT_LOG)) |
Simon Kelley | 0a85254 | 2005-03-23 20:28:59 +0000 | [diff] [blame] | 739 | server->flags |= SERV_WARNED_RECURSIVE; |
| 740 | } |
Giovanni Bajo | e292e93 | 2012-04-22 14:32:02 +0200 | [diff] [blame] | 741 | |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 742 | if (daemon->bogus_addr && rcode != NXDOMAIN && |
Simon Kelley | 9eaa91b | 2021-03-17 20:31:06 +0000 | [diff] [blame] | 743 | check_for_bogus_wildcard(header, n, daemon->namebuff, now)) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 744 | { |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 745 | munged = 1; |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 746 | SET_RCODE(header, NXDOMAIN); |
| 747 | header->hb3 &= ~HB3_AA; |
Simon Kelley | 6938f34 | 2014-01-26 22:47:39 +0000 | [diff] [blame] | 748 | cache_secure = 0; |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 749 | } |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 750 | else |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 751 | { |
Simon Kelley | 6938f34 | 2014-01-26 22:47:39 +0000 | [diff] [blame] | 752 | int doctored = 0; |
| 753 | |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 754 | if (rcode == NXDOMAIN && |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 755 | extract_request(header, n, daemon->namebuff, NULL) && |
Simon Kelley | 5aabfc7 | 2007-08-29 11:24:47 +0100 | [diff] [blame] | 756 | check_for_local_domain(daemon->namebuff, now)) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 757 | { |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 758 | /* if we forwarded a query for a locally known name (because it was for |
| 759 | an unknown type) and the answer is NXDOMAIN, convert that to NODATA, |
| 760 | since we know that the domain exists, even if upstream doesn't */ |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 761 | munged = 1; |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 762 | header->hb3 |= HB3_AA; |
| 763 | SET_RCODE(header, NOERROR); |
Simon Kelley | 6938f34 | 2014-01-26 22:47:39 +0000 | [diff] [blame] | 764 | cache_secure = 0; |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 765 | } |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 766 | |
Simon Kelley | 373e917 | 2017-12-01 22:40:56 +0000 | [diff] [blame] | 767 | if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored)) |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 768 | { |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 769 | my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff); |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 770 | munged = 1; |
Simon Kelley | 6938f34 | 2014-01-26 22:47:39 +0000 | [diff] [blame] | 771 | cache_secure = 0; |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 772 | } |
Simon Kelley | 6938f34 | 2014-01-26 22:47:39 +0000 | [diff] [blame] | 773 | |
| 774 | if (doctored) |
| 775 | cache_secure = 0; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 776 | } |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 777 | |
Simon Kelley | a25720a | 2014-01-14 23:13:55 +0000 | [diff] [blame] | 778 | #ifdef HAVE_DNSSEC |
Simon Kelley | 33702ab | 2015-12-28 23:17:15 +0000 | [diff] [blame] | 779 | if (bogusanswer && !(header->hb4 & HB4_CD) && !option_bool(OPT_DNSSEC_DEBUG)) |
Simon Kelley | a25720a | 2014-01-14 23:13:55 +0000 | [diff] [blame] | 780 | { |
Simon Kelley | 33702ab | 2015-12-28 23:17:15 +0000 | [diff] [blame] | 781 | /* Bogus reply, turn into SERVFAIL */ |
| 782 | SET_RCODE(header, SERVFAIL); |
| 783 | munged = 1; |
Simon Kelley | a25720a | 2014-01-14 23:13:55 +0000 | [diff] [blame] | 784 | } |
Simon Kelley | 6938f34 | 2014-01-26 22:47:39 +0000 | [diff] [blame] | 785 | |
| 786 | if (option_bool(OPT_DNSSEC_VALID)) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 787 | { |
| 788 | header->hb4 &= ~HB4_AD; |
| 789 | |
| 790 | if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure) |
| 791 | header->hb4 |= HB4_AD; |
| 792 | |
| 793 | /* If the requestor didn't set the DO bit, don't return DNSSEC info. */ |
| 794 | if (!do_bit) |
| 795 | n = rrfilter(header, n, 1); |
| 796 | } |
Simon Kelley | a25720a | 2014-01-14 23:13:55 +0000 | [diff] [blame] | 797 | #endif |
| 798 | |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 799 | /* do this after extract_addresses. Ensure NODATA reply and remove |
| 800 | nameserver info. */ |
| 801 | |
| 802 | if (munged) |
| 803 | { |
| 804 | header->ancount = htons(0); |
| 805 | header->nscount = htons(0); |
| 806 | header->arcount = htons(0); |
Simon Kelley | 150162b | 2015-03-27 09:58:26 +0000 | [diff] [blame] | 807 | header->hb3 &= ~HB3_TC; |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 808 | } |
| 809 | |
Simon Kelley | 36717ee | 2004-09-20 19:20:58 +0100 | [diff] [blame] | 810 | /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide |
| 811 | sections of the packet. Find the new length here and put back pseudoheader |
| 812 | if it was removed. */ |
| 813 | return resize_packet(header, n, pheader, plen); |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 814 | } |
| 815 | |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 816 | /* sets new last_server */ |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 817 | void reply_query(int fd, time_t now) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 818 | { |
| 819 | /* packet from peer server, extract data for cache, and send to |
| 820 | original requester */ |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 821 | struct dns_header *header; |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 822 | union mysockaddr serveraddr; |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 823 | struct frec *forward; |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 824 | socklen_t addrlen = sizeof(serveraddr); |
Simon Kelley | 60b6806 | 2014-01-08 12:10:28 +0000 | [diff] [blame] | 825 | ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen); |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 826 | size_t nn; |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 827 | struct server *server; |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 828 | void *hash; |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 829 | |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 830 | /* packet buffer overwritten */ |
| 831 | daemon->srv_save = NULL; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 832 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 833 | /* Determine the address of the server replying so that we can mark that as good */ |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 834 | if (serveraddr.sa.sa_family == AF_INET6) |
Simon Kelley | 5e9e0ef | 2006-04-17 14:24:29 +0100 | [diff] [blame] | 835 | serveraddr.in6.sin6_flowinfo = 0; |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 836 | |
Simon Kelley | 490f907 | 2014-03-24 22:04:42 +0000 | [diff] [blame] | 837 | header = (struct dns_header *)daemon->packet; |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 838 | |
Simon Kelley | 490f907 | 2014-03-24 22:04:42 +0000 | [diff] [blame] | 839 | if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR)) |
| 840 | return; |
| 841 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 842 | /* spoof check: answer must come from known server, */ |
| 843 | for (server = daemon->servers; server; server = server->next) |
| 844 | if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) && |
| 845 | sockaddr_isequal(&server->addr, &serveraddr)) |
| 846 | break; |
Simon Kelley | 490f907 | 2014-03-24 22:04:42 +0000 | [diff] [blame] | 847 | |
| 848 | if (!server) |
| 849 | return; |
Simon Kelley | c1a4e25 | 2018-01-19 22:00:05 +0000 | [diff] [blame] | 850 | |
| 851 | /* If sufficient time has elapsed, try and expand UDP buffer size again. */ |
| 852 | if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME) |
| 853 | server->edns_pktsz = daemon->edns_pktsz; |
| 854 | |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 855 | hash = hash_questions(header, n, daemon->namebuff); |
Simon Kelley | fd9fa48 | 2004-10-21 20:24:00 +0100 | [diff] [blame] | 856 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 857 | if (!(forward = lookup_frec(ntohs(header->id), fd, hash))) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 858 | return; |
Simon Kelley | 490f907 | 2014-03-24 22:04:42 +0000 | [diff] [blame] | 859 | |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 860 | #ifdef HAVE_DUMPFILE |
| 861 | dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY, |
| 862 | (void *)header, n, &serveraddr, NULL); |
| 863 | #endif |
Simon Kelley | a0088e8 | 2018-05-10 21:43:14 +0100 | [diff] [blame] | 864 | |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 865 | /* log_query gets called indirectly all over the place, so |
| 866 | pass these in global variables - sorry. */ |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 867 | daemon->log_display_id = forward->frec_src.log_id; |
| 868 | daemon->log_source_addr = &forward->frec_src.source; |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 869 | |
Glen Huang | 32fc6db | 2014-12-27 15:28:12 +0000 | [diff] [blame] | 870 | if (daemon->ignore_addr && RCODE(header) == NOERROR && |
Simon Kelley | 9eaa91b | 2021-03-17 20:31:06 +0000 | [diff] [blame] | 871 | check_for_ignored_address(header, n)) |
Glen Huang | 32fc6db | 2014-12-27 15:28:12 +0000 | [diff] [blame] | 872 | return; |
| 873 | |
Simon Kelley | d3a8b39 | 2015-12-23 12:27:37 +0000 | [diff] [blame] | 874 | /* Note: if we send extra options in the EDNS0 header, we can't recreate |
| 875 | the query from the reply. */ |
Simon Kelley | 34e26e1 | 2018-05-10 20:54:57 +0100 | [diff] [blame] | 876 | if ((RCODE(header) == REFUSED || RCODE(header) == SERVFAIL) && |
Simon Kelley | d3a8b39 | 2015-12-23 12:27:37 +0000 | [diff] [blame] | 877 | forward->forwardall == 0 && |
| 878 | !(forward->flags & FREC_HAS_EXTRADATA)) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 879 | /* for broken servers, attempt to send to another one. */ |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 880 | { |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 881 | unsigned char *pheader; |
| 882 | size_t plen; |
| 883 | int is_sign; |
Simon Kelley | ef3d137 | 2017-12-05 22:37:29 +0000 | [diff] [blame] | 884 | |
Simon Kelley | 1f60a18 | 2018-05-11 16:44:16 +0100 | [diff] [blame] | 885 | #ifdef HAVE_DNSSEC |
Simon Kelley | a0088e8 | 2018-05-10 21:43:14 +0100 | [diff] [blame] | 886 | if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) |
| 887 | { |
Simon Kelley | 1f60a18 | 2018-05-11 16:44:16 +0100 | [diff] [blame] | 888 | struct server *start; |
| 889 | |
Simon Kelley | a0088e8 | 2018-05-10 21:43:14 +0100 | [diff] [blame] | 890 | blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); |
| 891 | plen = forward->stash_len; |
| 892 | |
| 893 | forward->forwardall = 2; /* only retry once */ |
Simon Kelley | 1f60a18 | 2018-05-11 16:44:16 +0100 | [diff] [blame] | 894 | start = forward->sentto; |
| 895 | |
| 896 | /* for non-domain specific servers, see if we can find another to try. */ |
| 897 | if ((forward->sentto->flags & SERV_TYPE) == 0) |
| 898 | while (1) |
| 899 | { |
| 900 | if (!(start = start->next)) |
| 901 | start = daemon->servers; |
| 902 | if (start == forward->sentto) |
| 903 | break; |
| 904 | |
| 905 | if ((start->flags & SERV_TYPE) == 0 && |
| 906 | (start->flags & SERV_DO_DNSSEC)) |
| 907 | break; |
| 908 | } |
| 909 | |
| 910 | |
Petr Menšík | 51f7bc9 | 2021-03-18 01:05:43 +0100 | [diff] [blame] | 911 | if ((fd = allocate_rfd(&forward->rfds, start)) != -1) |
| 912 | server_send_log(start, fd, header, plen, |
| 913 | DUMP_SEC_QUERY, |
| 914 | F_NOEXTRA | F_DNSSEC, "retry", "dnssec"); |
Simon Kelley | a0088e8 | 2018-05-10 21:43:14 +0100 | [diff] [blame] | 915 | return; |
| 916 | } |
Simon Kelley | 1f60a18 | 2018-05-11 16:44:16 +0100 | [diff] [blame] | 917 | #endif |
| 918 | |
Simon Kelley | ef3d137 | 2017-12-05 22:37:29 +0000 | [diff] [blame] | 919 | /* In strict order mode, there must be a server later in the chain |
| 920 | left to send to, otherwise without the forwardall mechanism, |
| 921 | code further on will cycle around the list forwever if they |
| 922 | all return REFUSED. Note that server is always non-NULL before |
| 923 | this executes. */ |
| 924 | if (option_bool(OPT_ORDER)) |
| 925 | for (server = forward->sentto->next; server; server = server->next) |
| 926 | if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR | SERV_LOOP))) |
| 927 | break; |
| 928 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 929 | /* recreate query from reply */ |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 930 | pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign, NULL); |
Simon Kelley | ef3d137 | 2017-12-05 22:37:29 +0000 | [diff] [blame] | 931 | if (!is_sign && server) |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 932 | { |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 933 | header->ancount = htons(0); |
| 934 | header->nscount = htons(0); |
| 935 | header->arcount = htons(0); |
| 936 | if ((nn = resize_packet(header, (size_t)n, pheader, plen))) |
| 937 | { |
swigger | bd7bfa2 | 2015-06-01 20:54:59 +0100 | [diff] [blame] | 938 | header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC); |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 939 | header->hb4 &= ~(HB4_RA | HB4_RCODE | HB4_CD | HB4_AD); |
Simon Kelley | 1801a29 | 2016-01-17 21:53:57 +0000 | [diff] [blame] | 940 | if (forward->flags & FREC_CHECKING_DISABLED) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 941 | header->hb4 |= HB4_CD; |
Simon Kelley | 1801a29 | 2016-01-17 21:53:57 +0000 | [diff] [blame] | 942 | if (forward->flags & FREC_AD_QUESTION) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 943 | header->hb4 |= HB4_AD; |
| 944 | if (forward->flags & FREC_DO_QUESTION) |
Simon Kelley | 33702ab | 2015-12-28 23:17:15 +0000 | [diff] [blame] | 945 | add_do_bit(header, nn, (unsigned char *)pheader + plen); |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 946 | forward_query(-1, NULL, NULL, 0, header, nn, now, forward, forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION); |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 947 | return; |
| 948 | } |
| 949 | } |
| 950 | } |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 951 | |
| 952 | server = forward->sentto; |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 953 | if ((forward->sentto->flags & SERV_TYPE) == 0) |
| 954 | { |
Simon Kelley | 51967f9 | 2014-03-25 21:07:00 +0000 | [diff] [blame] | 955 | if (RCODE(header) == REFUSED) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 956 | server = NULL; |
| 957 | else |
| 958 | { |
| 959 | struct server *last_server; |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 960 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 961 | /* find good server by address if possible, otherwise assume the last one we sent to */ |
| 962 | for (last_server = daemon->servers; last_server; last_server = last_server->next) |
| 963 | if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) && |
| 964 | sockaddr_isequal(&last_server->addr, &serveraddr)) |
| 965 | { |
| 966 | server = last_server; |
| 967 | break; |
| 968 | } |
| 969 | } |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 970 | if (!option_bool(OPT_ALL_SERVERS)) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 971 | daemon->last_server = server; |
| 972 | } |
Simon Kelley | a77cec8 | 2015-05-08 16:25:38 +0100 | [diff] [blame] | 973 | |
| 974 | /* We tried resending to this server with a smaller maximum size and got an answer. |
Ville Skyttä | faaf306 | 2018-01-14 17:32:52 +0000 | [diff] [blame] | 975 | Make that permanent. To avoid reduxing the packet size for a single dropped packet, |
Simon Kelley | 86fa104 | 2015-05-10 13:50:59 +0100 | [diff] [blame] | 976 | only do this when we get a truncated answer, or one larger than the safe size. */ |
Simon Kelley | 04db148 | 2019-10-11 23:22:17 +0100 | [diff] [blame] | 977 | if (forward->sentto->edns_pktsz > SAFE_PKTSZ && (forward->flags & FREC_TEST_PKTSZ) && |
Simon Kelley | 86fa104 | 2015-05-10 13:50:59 +0100 | [diff] [blame] | 978 | ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ)) |
Simon Kelley | 22dee51 | 2017-10-13 22:54:00 +0100 | [diff] [blame] | 979 | { |
Simon Kelley | 04db148 | 2019-10-11 23:22:17 +0100 | [diff] [blame] | 980 | forward->sentto->edns_pktsz = SAFE_PKTSZ; |
| 981 | forward->sentto->pktsz_reduced = now; |
Petr Mensik | 51cdd1a | 2019-07-04 20:28:08 +0200 | [diff] [blame] | 982 | (void)prettyprint_addr(&forward->sentto->addr, daemon->addrbuff); |
Simon Kelley | ebedcba | 2017-10-29 20:54:17 +0000 | [diff] [blame] | 983 | my_syslog(LOG_WARNING, _("reducing DNS packet size for nameserver %s to %d"), daemon->addrbuff, SAFE_PKTSZ); |
Simon Kelley | 22dee51 | 2017-10-13 22:54:00 +0100 | [diff] [blame] | 984 | } |
Simon Kelley | c1a4e25 | 2018-01-19 22:00:05 +0000 | [diff] [blame] | 985 | |
| 986 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 987 | /* If the answer is an error, keep the forward record in place in case |
| 988 | we get a good reply from another server. Kill it when we've |
| 989 | had replies from all to avoid filling the forwarding table when |
| 990 | everything is broken */ |
Simon Kelley | 122392e | 2018-10-31 22:24:02 +0000 | [diff] [blame] | 991 | if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 992 | { |
Simon Kelley | fe3992f | 2015-04-03 21:25:05 +0100 | [diff] [blame] | 993 | int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; |
Simon Kelley | a6004d7 | 2017-10-25 17:48:19 +0100 | [diff] [blame] | 994 | |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 995 | if (option_bool(OPT_NO_REBIND)) |
| 996 | check_rebind = !(forward->flags & FREC_NOREBIND); |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 997 | |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 998 | /* Don't cache replies where DNSSEC validation was turned off, either |
| 999 | the upstream server told us so, or the original query specified it. */ |
| 1000 | if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED)) |
| 1001 | no_cache_dnssec = 1; |
| 1002 | |
| 1003 | #ifdef HAVE_DNSSEC |
Simon Kelley | 04db148 | 2019-10-11 23:22:17 +0100 | [diff] [blame] | 1004 | if ((forward->sentto->flags & SERV_DO_DNSSEC) && |
Simon Kelley | 5757371 | 2016-01-11 22:50:00 +0000 | [diff] [blame] | 1005 | option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED)) |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1006 | { |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1007 | int status = 0; |
Simon Kelley | 0fc2f31 | 2014-01-08 10:26:58 +0000 | [diff] [blame] | 1008 | |
| 1009 | /* We've had a reply already, which we're validating. Ignore this duplicate */ |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 1010 | if (forward->blocking_query) |
Simon Kelley | 0fc2f31 | 2014-01-08 10:26:58 +0000 | [diff] [blame] | 1011 | return; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1012 | |
| 1013 | /* Truncated answer can't be validated. |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1014 | If this is an answer to a DNSSEC-generated query, we still |
| 1015 | need to get the client to retry over TCP, so return |
| 1016 | an answer with the TC bit set, even if the actual answer fits. |
| 1017 | */ |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1018 | if (header->hb3 & HB3_TC) |
| 1019 | status = STAT_TRUNCATED; |
| 1020 | |
| 1021 | while (1) |
Simon Kelley | 00a5b5d | 2014-02-28 18:10:55 +0000 | [diff] [blame] | 1022 | { |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1023 | /* As soon as anything returns BOGUS, we stop and unwind, to do otherwise |
| 1024 | would invite infinite loops, since the answers to DNSKEY and DS queries |
| 1025 | will not be cached, so they'll be repeated. */ |
| 1026 | if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED) |
Simon Kelley | 00a5b5d | 2014-02-28 18:10:55 +0000 | [diff] [blame] | 1027 | { |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1028 | if (forward->flags & FREC_DNSKEY_QUERY) |
| 1029 | status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); |
| 1030 | else if (forward->flags & FREC_DS_QUERY) |
| 1031 | status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); |
Simon Kelley | 00a5b5d | 2014-02-28 18:10:55 +0000 | [diff] [blame] | 1032 | else |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1033 | status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, |
Simon Kelley | 203ce0a | 2019-10-12 21:41:20 +0100 | [diff] [blame] | 1034 | !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC), |
Simon Kelley | fef2f1c | 2019-08-29 21:59:00 +0100 | [diff] [blame] | 1035 | NULL, NULL, NULL); |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 1036 | #ifdef HAVE_DUMPFILE |
| 1037 | if (status == STAT_BOGUS) |
| 1038 | dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS, |
| 1039 | header, (size_t)n, &serveraddr, NULL); |
| 1040 | #endif |
Simon Kelley | 00a5b5d | 2014-02-28 18:10:55 +0000 | [diff] [blame] | 1041 | } |
Simon Kelley | 0fc2f31 | 2014-01-08 10:26:58 +0000 | [diff] [blame] | 1042 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1043 | /* Can't validate, as we're missing key data. Put this |
| 1044 | answer aside, whilst we get that. */ |
| 1045 | if (status == STAT_NEED_DS || status == STAT_NEED_KEY) |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1046 | { |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1047 | struct frec *new, *orig; |
Simon Kelley | 9d63304 | 2013-12-13 15:36:55 +0000 | [diff] [blame] | 1048 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1049 | /* Free any saved query */ |
| 1050 | if (forward->stash) |
| 1051 | blockdata_free(forward->stash); |
| 1052 | |
| 1053 | /* Now save reply pending receipt of key data */ |
| 1054 | if (!(forward->stash = blockdata_alloc((char *)header, n))) |
Simon Kelley | 97e618a | 2015-01-07 21:55:43 +0000 | [diff] [blame] | 1055 | return; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1056 | forward->stash_len = n; |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 1057 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1058 | /* Find the original query that started it all.... */ |
| 1059 | for (orig = forward; orig->dependent; orig = orig->dependent); |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1060 | |
Simon Kelley | 8caf3d7 | 2020-04-04 17:00:32 +0100 | [diff] [blame] | 1061 | /* Make sure we don't expire and free the orig frec during the |
| 1062 | allocation of a new one. */ |
| 1063 | if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, orig))) |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1064 | status = STAT_ABANDONED; |
Simon Kelley | e0c0ad3 | 2014-01-16 22:42:07 +0000 | [diff] [blame] | 1065 | else |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1066 | { |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1067 | int querytype, fd, type = SERV_DO_DNSSEC; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1068 | struct frec *next = new->next; |
Simon Kelley | 92be34a | 2016-01-16 18:39:54 +0000 | [diff] [blame] | 1069 | char *domain; |
| 1070 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1071 | *new = *forward; /* copy everything, then overwrite */ |
| 1072 | new->next = next; |
| 1073 | new->blocking_query = NULL; |
Simon Kelley | 92be34a | 2016-01-16 18:39:54 +0000 | [diff] [blame] | 1074 | |
| 1075 | /* Find server to forward to. This will normally be the |
| 1076 | same as for the original query, but may be another if |
| 1077 | servers for domains are involved. */ |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1078 | if (search_servers(now, NULL, F_DNSSECOK, daemon->keyname, &type, &domain, NULL) == 0) |
Simon Kelley | 92be34a | 2016-01-16 18:39:54 +0000 | [diff] [blame] | 1079 | { |
Simon Kelley | 203ce0a | 2019-10-12 21:41:20 +0100 | [diff] [blame] | 1080 | struct server *start, *new_server = NULL; |
| 1081 | start = server = forward->sentto; |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1082 | |
| 1083 | while (1) |
| 1084 | { |
Petr Menšík | 8f9bd61 | 2021-03-27 23:16:09 +0000 | [diff] [blame] | 1085 | if (server_test_type(start, domain, type, SERV_DO_DNSSEC)) |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1086 | { |
| 1087 | new_server = start; |
| 1088 | if (server == start) |
| 1089 | { |
| 1090 | new_server = NULL; |
| 1091 | break; |
| 1092 | } |
| 1093 | } |
| 1094 | |
| 1095 | if (!(start = start->next)) |
| 1096 | start = daemon->servers; |
| 1097 | if (start == server) |
| 1098 | break; |
| 1099 | } |
| 1100 | |
| 1101 | if (new_server) |
| 1102 | server = new_server; |
Simon Kelley | 92be34a | 2016-01-16 18:39:54 +0000 | [diff] [blame] | 1103 | } |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1104 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1105 | new->sentto = server; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 1106 | new->rfds = NULL; |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1107 | new->frec_src.next = NULL; |
Simon Kelley | a0088e8 | 2018-05-10 21:43:14 +0100 | [diff] [blame] | 1108 | new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); |
| 1109 | new->forwardall = 0; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1110 | |
| 1111 | new->dependent = forward; /* to find query awaiting new one. */ |
| 1112 | forward->blocking_query = new; /* for garbage cleaning */ |
| 1113 | /* validate routines leave name of required record in daemon->keyname */ |
| 1114 | if (status == STAT_NEED_KEY) |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1115 | { |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1116 | new->flags |= FREC_DNSKEY_QUERY; |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1117 | querytype = T_DNSKEY; |
Simon Kelley | f1668d2 | 2014-01-08 16:53:27 +0000 | [diff] [blame] | 1118 | } |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1119 | else |
| 1120 | { |
| 1121 | new->flags |= FREC_DS_QUERY; |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1122 | querytype = T_DS; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1123 | } |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1124 | |
| 1125 | nn = dnssec_generate_query(header,((unsigned char *) header) + server->edns_pktsz, |
| 1126 | daemon->keyname, forward->class, querytype, server->edns_pktsz); |
| 1127 | |
Simon Kelley | 2d76586 | 2020-11-12 22:06:07 +0000 | [diff] [blame] | 1128 | memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE); |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1129 | new->new_id = get_id(); |
| 1130 | header->id = htons(new->new_id); |
| 1131 | /* Save query for retransmission */ |
| 1132 | new->stash = blockdata_alloc((char *)header, nn); |
| 1133 | new->stash_len = nn; |
| 1134 | |
| 1135 | /* Don't resend this. */ |
| 1136 | daemon->srv_save = NULL; |
| 1137 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 1138 | if ((fd = allocate_rfd(&new->rfds, server)) != -1) |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1139 | { |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1140 | #ifdef HAVE_CONNTRACK |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1141 | if (option_bool(OPT_CONNTRACK)) |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 1142 | set_outgoing_mark(orig, fd); |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1143 | #endif |
Petr Menšík | 51f7bc9 | 2021-03-18 01:05:43 +0100 | [diff] [blame] | 1144 | server_send_log(server, fd, header, nn, DUMP_SEC_QUERY, |
| 1145 | F_NOEXTRA | F_DNSSEC, daemon->keyname, |
| 1146 | querystr("dnssec-query", querytype)); |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1147 | server->queries++; |
| 1148 | } |
| 1149 | } |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1150 | return; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1151 | } |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1152 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1153 | /* Validated original answer, all done. */ |
| 1154 | if (!forward->dependent) |
| 1155 | break; |
| 1156 | |
Josh Soref | 730c674 | 2017-02-06 16:14:04 +0000 | [diff] [blame] | 1157 | /* validated subsidiary query, (and cached result) |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1158 | pop that and return to the previous query we were working on. */ |
Simon Kelley | 0744ca6 | 2014-01-25 16:40:15 +0000 | [diff] [blame] | 1159 | struct frec *prev = forward->dependent; |
| 1160 | free_frec(forward); |
| 1161 | forward = prev; |
| 1162 | forward->blocking_query = NULL; /* already gone */ |
| 1163 | blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); |
| 1164 | n = forward->stash_len; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1165 | } |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1166 | |
Simon Kelley | 5d3b87a | 2014-01-20 11:57:23 +0000 | [diff] [blame] | 1167 | |
Simon Kelley | fe3992f | 2015-04-03 21:25:05 +0100 | [diff] [blame] | 1168 | no_cache_dnssec = 0; |
Simon Kelley | fe3992f | 2015-04-03 21:25:05 +0100 | [diff] [blame] | 1169 | |
Simon Kelley | 5d3b87a | 2014-01-20 11:57:23 +0000 | [diff] [blame] | 1170 | if (status == STAT_TRUNCATED) |
Simon Kelley | 0744ca6 | 2014-01-25 16:40:15 +0000 | [diff] [blame] | 1171 | header->hb3 |= HB3_TC; |
Simon Kelley | 5d3b87a | 2014-01-20 11:57:23 +0000 | [diff] [blame] | 1172 | else |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1173 | { |
Simon Kelley | 554b580 | 2015-04-17 22:50:20 +0100 | [diff] [blame] | 1174 | char *result, *domain = "result"; |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1175 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1176 | if (status == STAT_ABANDONED) |
Simon Kelley | 150162b | 2015-03-27 09:58:26 +0000 | [diff] [blame] | 1177 | { |
| 1178 | result = "ABANDONED"; |
| 1179 | status = STAT_BOGUS; |
| 1180 | } |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1181 | else |
| 1182 | result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS")); |
| 1183 | |
Simon Kelley | 554b580 | 2015-04-17 22:50:20 +0100 | [diff] [blame] | 1184 | if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL)) |
| 1185 | domain = daemon->namebuff; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1186 | |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 1187 | log_query(F_SECSTAT, domain, NULL, result); |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1188 | } |
Simon Kelley | 5d3b87a | 2014-01-20 11:57:23 +0000 | [diff] [blame] | 1189 | |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1190 | if (status == STAT_SECURE) |
| 1191 | cache_secure = 1; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1192 | else if (status == STAT_BOGUS) |
Simon Kelley | fe3992f | 2015-04-03 21:25:05 +0100 | [diff] [blame] | 1193 | { |
| 1194 | no_cache_dnssec = 1; |
| 1195 | bogusanswer = 1; |
| 1196 | } |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1197 | } |
Simon Kelley | 04db148 | 2019-10-11 23:22:17 +0100 | [diff] [blame] | 1198 | |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 1199 | #endif |
| 1200 | |
Simon Kelley | 83349b8 | 2014-02-10 21:02:01 +0000 | [diff] [blame] | 1201 | /* restore CD bit to the value in the query */ |
| 1202 | if (forward->flags & FREC_CHECKING_DISABLED) |
| 1203 | header->hb4 |= HB4_CD; |
| 1204 | else |
| 1205 | header->hb4 &= ~HB4_CD; |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 1206 | |
| 1207 | /* Never cache answers which are contingent on the source or MAC address EDSN0 option, |
| 1208 | since the cache is ignorant of such things. */ |
| 1209 | if (forward->flags & FREC_NO_CACHE) |
| 1210 | no_cache_dnssec = 1; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 1211 | |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1212 | if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 1213 | forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1214 | forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source))) |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 1215 | { |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1216 | struct frec_src *src; |
| 1217 | |
| 1218 | header->id = htons(forward->frec_src.orig_id); |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 1219 | header->hb4 |= HB4_RA; /* recursion if available */ |
Simon Kelley | 5aa5f0f | 2015-12-21 17:20:35 +0000 | [diff] [blame] | 1220 | #ifdef HAVE_DNSSEC |
| 1221 | /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 1222 | greater than the no-EDNS0-implied 512 to have space for the RRSIGS. If, having stripped them and the EDNS0 |
Simon Kelley | 5aa5f0f | 2015-12-21 17:20:35 +0000 | [diff] [blame] | 1223 | header, the answer is still bigger than 512, truncate it and mark it so. The client then retries with TCP. */ |
| 1224 | if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER) && (nn > PACKETSZ)) |
| 1225 | { |
| 1226 | header->ancount = htons(0); |
| 1227 | header->nscount = htons(0); |
| 1228 | header->arcount = htons(0); |
| 1229 | header->hb3 |= HB3_TC; |
| 1230 | nn = resize_packet(header, nn, NULL, 0); |
| 1231 | } |
| 1232 | #endif |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 1233 | |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1234 | for (src = &forward->frec_src; src; src = src->next) |
| 1235 | { |
| 1236 | header->id = htons(src->orig_id); |
| 1237 | |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 1238 | #ifdef HAVE_DUMPFILE |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1239 | dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source); |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 1240 | #endif |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1241 | |
Simon Kelley | 04490bf | 2021-01-22 16:49:12 +0000 | [diff] [blame] | 1242 | send_from(src->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1243 | &src->source, &src->dest, src->iface); |
| 1244 | |
| 1245 | if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src) |
| 1246 | { |
| 1247 | daemon->log_display_id = src->log_id; |
| 1248 | daemon->log_source_addr = &src->source; |
| 1249 | log_query(F_UPSTREAM, "query", NULL, "duplicate"); |
| 1250 | } |
| 1251 | } |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 1252 | } |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 1253 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 1254 | free_frec(forward); /* cancel */ |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 1255 | } |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 1256 | } |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1257 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 1258 | |
Simon Kelley | 5aabfc7 | 2007-08-29 11:24:47 +0100 | [diff] [blame] | 1259 | void receive_query(struct listener *listen, time_t now) |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1260 | { |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 1261 | struct dns_header *header = (struct dns_header *)daemon->packet; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1262 | union mysockaddr source_addr; |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1263 | unsigned char *pheader; |
| 1264 | unsigned short type, udp_size = PACKETSZ; /* default if no EDNS0 */ |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1265 | union all_addr dst_addr; |
Simon Kelley | f6b7dc4 | 2005-01-23 12:06:08 +0000 | [diff] [blame] | 1266 | struct in_addr netmask, dst_addr_4; |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 1267 | size_t m; |
| 1268 | ssize_t n; |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1269 | int if_index = 0, auth_dns = 0, do_bit = 0, have_pseudoheader = 0; |
Vladislav Grishenko | 3b19596 | 2013-11-26 11:08:21 +0000 | [diff] [blame] | 1270 | #ifdef HAVE_AUTH |
| 1271 | int local_auth = 0; |
| 1272 | #endif |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1273 | struct iovec iov[1]; |
| 1274 | struct msghdr msg; |
| 1275 | struct cmsghdr *cmptr; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1276 | union { |
| 1277 | struct cmsghdr align; /* this ensures alignment */ |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1278 | char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))]; |
Simon Kelley | 5e9e0ef | 2006-04-17 14:24:29 +0100 | [diff] [blame] | 1279 | #if defined(HAVE_LINUX_NETWORK) |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1280 | char control[CMSG_SPACE(sizeof(struct in_pktinfo))]; |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 1281 | #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK) |
| 1282 | char control[CMSG_SPACE(sizeof(struct in_addr)) + |
| 1283 | CMSG_SPACE(sizeof(unsigned int))]; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1284 | #elif defined(IP_RECVDSTADDR) |
| 1285 | char control[CMSG_SPACE(sizeof(struct in_addr)) + |
| 1286 | CMSG_SPACE(sizeof(struct sockaddr_dl))]; |
| 1287 | #endif |
| 1288 | } control_u; |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1289 | int family = listen->addr.sa.sa_family; |
Simon Kelley | 2329bef | 2013-12-03 13:41:16 +0000 | [diff] [blame] | 1290 | /* Can always get recvd interface for IPv6 */ |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1291 | int check_dst = !option_bool(OPT_NOWILD) || family == AF_INET6; |
Simon Kelley | 2329bef | 2013-12-03 13:41:16 +0000 | [diff] [blame] | 1292 | |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 1293 | /* packet buffer overwritten */ |
| 1294 | daemon->srv_save = NULL; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 1295 | |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1296 | dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1297 | netmask.s_addr = 0; |
| 1298 | |
Simon Kelley | 7e5664b | 2013-04-05 16:57:41 +0100 | [diff] [blame] | 1299 | if (option_bool(OPT_NOWILD) && listen->iface) |
Simon Kelley | f6b7dc4 | 2005-01-23 12:06:08 +0000 | [diff] [blame] | 1300 | { |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1301 | auth_dns = listen->iface->dns_auth; |
| 1302 | |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1303 | if (family == AF_INET) |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1304 | { |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1305 | dst_addr_4 = dst_addr.addr4 = listen->iface->addr.in.sin_addr; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1306 | netmask = listen->iface->netmask; |
| 1307 | } |
Simon Kelley | f6b7dc4 | 2005-01-23 12:06:08 +0000 | [diff] [blame] | 1308 | } |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1309 | |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 1310 | iov[0].iov_base = daemon->packet; |
| 1311 | iov[0].iov_len = daemon->edns_pktsz; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1312 | |
| 1313 | msg.msg_control = control_u.control; |
| 1314 | msg.msg_controllen = sizeof(control_u); |
| 1315 | msg.msg_flags = 0; |
| 1316 | msg.msg_name = &source_addr; |
| 1317 | msg.msg_namelen = sizeof(source_addr); |
| 1318 | msg.msg_iov = iov; |
| 1319 | msg.msg_iovlen = 1; |
| 1320 | |
Simon Kelley | de37951 | 2004-06-22 20:23:33 +0100 | [diff] [blame] | 1321 | if ((n = recvmsg(listen->fd, &msg, 0)) == -1) |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 1322 | return; |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1323 | |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 1324 | if (n < (int)sizeof(struct dns_header) || |
Simon Kelley | 5e9e0ef | 2006-04-17 14:24:29 +0100 | [diff] [blame] | 1325 | (msg.msg_flags & MSG_TRUNC) || |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 1326 | (header->hb3 & HB3_QR)) |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 1327 | return; |
Simon Kelley | 63437ff | 2017-09-06 22:34:21 +0100 | [diff] [blame] | 1328 | |
| 1329 | /* Clear buffer beyond request to avoid risk of |
| 1330 | information disclosure. */ |
| 1331 | memset(daemon->packet + n, 0, daemon->edns_pktsz - n); |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1332 | |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1333 | source_addr.sa.sa_family = family; |
Simon Kelley | 2a7a2b8 | 2014-03-22 19:18:06 +0000 | [diff] [blame] | 1334 | |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1335 | if (family == AF_INET) |
Simon Kelley | 2a7a2b8 | 2014-03-22 19:18:06 +0000 | [diff] [blame] | 1336 | { |
| 1337 | /* Source-port == 0 is an error, we can't send back to that. |
| 1338 | http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */ |
| 1339 | if (source_addr.in.sin_port == 0) |
| 1340 | return; |
| 1341 | } |
Simon Kelley | 2a7a2b8 | 2014-03-22 19:18:06 +0000 | [diff] [blame] | 1342 | else |
| 1343 | { |
| 1344 | /* Source-port == 0 is an error, we can't send back to that. */ |
| 1345 | if (source_addr.in6.sin6_port == 0) |
| 1346 | return; |
| 1347 | source_addr.in6.sin6_flowinfo = 0; |
| 1348 | } |
Simon Kelley | 2a7a2b8 | 2014-03-22 19:18:06 +0000 | [diff] [blame] | 1349 | |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1350 | /* We can be configured to only accept queries from at-most-one-hop-away addresses. */ |
| 1351 | if (option_bool(OPT_LOCAL_SERVICE)) |
| 1352 | { |
| 1353 | struct addrlist *addr; |
Simon Kelley | ee87504 | 2018-10-23 22:10:17 +0100 | [diff] [blame] | 1354 | |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1355 | if (family == AF_INET6) |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1356 | { |
| 1357 | for (addr = daemon->interface_addrs; addr; addr = addr->next) |
| 1358 | if ((addr->flags & ADDRLIST_IPV6) && |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1359 | is_same_net6(&addr->addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen)) |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1360 | break; |
| 1361 | } |
| 1362 | else |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1363 | { |
| 1364 | struct in_addr netmask; |
| 1365 | for (addr = daemon->interface_addrs; addr; addr = addr->next) |
| 1366 | { |
Richard Genoud | 15b1b7e | 2014-09-17 21:12:00 +0100 | [diff] [blame] | 1367 | netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen)); |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1368 | if (!(addr->flags & ADDRLIST_IPV6) && |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1369 | is_same_net(addr->addr.addr4, source_addr.in.sin_addr, netmask)) |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1370 | break; |
| 1371 | } |
| 1372 | } |
| 1373 | if (!addr) |
| 1374 | { |
Simon Kelley | 0c8584e | 2014-03-12 20:12:56 +0000 | [diff] [blame] | 1375 | static int warned = 0; |
| 1376 | if (!warned) |
| 1377 | { |
| 1378 | my_syslog(LOG_WARNING, _("Ignoring query from non-local network")); |
| 1379 | warned = 1; |
| 1380 | } |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1381 | return; |
| 1382 | } |
| 1383 | } |
| 1384 | |
Simon Kelley | 2329bef | 2013-12-03 13:41:16 +0000 | [diff] [blame] | 1385 | if (check_dst) |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1386 | { |
Simon Kelley | 8a911cc | 2004-03-16 18:35:52 +0000 | [diff] [blame] | 1387 | struct ifreq ifr; |
| 1388 | |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1389 | if (msg.msg_controllen < sizeof(struct cmsghdr)) |
| 1390 | return; |
| 1391 | |
Simon Kelley | 5e9e0ef | 2006-04-17 14:24:29 +0100 | [diff] [blame] | 1392 | #if defined(HAVE_LINUX_NETWORK) |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1393 | if (family == AF_INET) |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1394 | for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) |
Simon Kelley | c72daea | 2012-01-05 21:33:27 +0000 | [diff] [blame] | 1395 | if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO) |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1396 | { |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 1397 | union { |
| 1398 | unsigned char *c; |
| 1399 | struct in_pktinfo *p; |
| 1400 | } p; |
| 1401 | p.c = CMSG_DATA(cmptr); |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1402 | dst_addr_4 = dst_addr.addr4 = p.p->ipi_spec_dst; |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 1403 | if_index = p.p->ipi_ifindex; |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1404 | } |
| 1405 | #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF) |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1406 | if (family == AF_INET) |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1407 | { |
| 1408 | for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 1409 | { |
| 1410 | union { |
| 1411 | unsigned char *c; |
| 1412 | unsigned int *i; |
| 1413 | struct in_addr *a; |
| 1414 | #ifndef HAVE_SOLARIS_NETWORK |
| 1415 | struct sockaddr_dl *s; |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 1416 | #endif |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 1417 | } p; |
| 1418 | p.c = CMSG_DATA(cmptr); |
| 1419 | if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR) |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1420 | dst_addr_4 = dst_addr.addr4 = *(p.a); |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 1421 | else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF) |
| 1422 | #ifdef HAVE_SOLARIS_NETWORK |
| 1423 | if_index = *(p.i); |
| 1424 | #else |
| 1425 | if_index = p.s->sdl_index; |
| 1426 | #endif |
| 1427 | } |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1428 | } |
| 1429 | #endif |
| 1430 | |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1431 | if (family == AF_INET6) |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1432 | { |
| 1433 | for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) |
Simon Kelley | c72daea | 2012-01-05 21:33:27 +0000 | [diff] [blame] | 1434 | if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo) |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1435 | { |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 1436 | union { |
| 1437 | unsigned char *c; |
| 1438 | struct in6_pktinfo *p; |
| 1439 | } p; |
| 1440 | p.c = CMSG_DATA(cmptr); |
| 1441 | |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1442 | dst_addr.addr6 = p.p->ipi6_addr; |
Simon Kelley | 8ef5ada | 2010-06-03 19:42:45 +0100 | [diff] [blame] | 1443 | if_index = p.p->ipi6_ifindex; |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1444 | } |
| 1445 | } |
Simon Kelley | 26128d2 | 2004-11-14 16:43:54 +0000 | [diff] [blame] | 1446 | |
| 1447 | /* enforce available interface configuration */ |
| 1448 | |
Simon Kelley | e25db1f | 2013-01-29 22:10:26 +0000 | [diff] [blame] | 1449 | if (!indextoname(listen->fd, if_index, ifr.ifr_name)) |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 1450 | return; |
| 1451 | |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1452 | if (!iface_check(family, &dst_addr, ifr.ifr_name, &auth_dns)) |
Simon Kelley | e25db1f | 2013-01-29 22:10:26 +0000 | [diff] [blame] | 1453 | { |
| 1454 | if (!option_bool(OPT_CLEVERBIND)) |
Simon Kelley | 115ac3e | 2013-05-20 11:28:32 +0100 | [diff] [blame] | 1455 | enumerate_interfaces(0); |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1456 | if (!loopback_exception(listen->fd, family, &dst_addr, ifr.ifr_name) && |
| 1457 | !label_exception(if_index, family, &dst_addr)) |
Simon Kelley | e25db1f | 2013-01-29 22:10:26 +0000 | [diff] [blame] | 1458 | return; |
| 1459 | } |
| 1460 | |
Petr Menšík | 1c1b925 | 2019-07-15 17:16:44 +0200 | [diff] [blame] | 1461 | if (family == AF_INET && option_bool(OPT_LOCALISE)) |
Simon Kelley | 552af8b | 2012-02-29 20:10:31 +0000 | [diff] [blame] | 1462 | { |
| 1463 | struct irec *iface; |
| 1464 | |
Josh Soref | 730c674 | 2017-02-06 16:14:04 +0000 | [diff] [blame] | 1465 | /* get the netmask of the interface which has the address we were sent to. |
klemens | 43517fc | 2017-02-19 15:53:37 +0000 | [diff] [blame] | 1466 | This is no necessarily the interface we arrived on. */ |
Simon Kelley | 552af8b | 2012-02-29 20:10:31 +0000 | [diff] [blame] | 1467 | |
| 1468 | for (iface = daemon->interfaces; iface; iface = iface->next) |
| 1469 | if (iface->addr.sa.sa_family == AF_INET && |
| 1470 | iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr) |
| 1471 | break; |
| 1472 | |
| 1473 | /* interface may be new */ |
Simon Kelley | e25db1f | 2013-01-29 22:10:26 +0000 | [diff] [blame] | 1474 | if (!iface && !option_bool(OPT_CLEVERBIND)) |
Simon Kelley | 115ac3e | 2013-05-20 11:28:32 +0100 | [diff] [blame] | 1475 | enumerate_interfaces(0); |
Simon Kelley | 552af8b | 2012-02-29 20:10:31 +0000 | [diff] [blame] | 1476 | |
| 1477 | for (iface = daemon->interfaces; iface; iface = iface->next) |
| 1478 | if (iface->addr.sa.sa_family == AF_INET && |
| 1479 | iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr) |
| 1480 | break; |
| 1481 | |
| 1482 | /* If we failed, abandon localisation */ |
| 1483 | if (iface) |
| 1484 | netmask = iface->netmask; |
| 1485 | else |
| 1486 | dst_addr_4.s_addr = 0; |
| 1487 | } |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1488 | } |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 1489 | |
| 1490 | /* log_query gets called indirectly all over the place, so |
| 1491 | pass these in global variables - sorry. */ |
| 1492 | daemon->log_display_id = ++daemon->log_id; |
| 1493 | daemon->log_source_addr = &source_addr; |
Simon Kelley | 6b17335 | 2018-05-08 18:32:14 +0100 | [diff] [blame] | 1494 | |
| 1495 | #ifdef HAVE_DUMPFILE |
| 1496 | dump_packet(DUMP_QUERY, daemon->packet, (size_t)n, &source_addr, NULL); |
| 1497 | #endif |
| 1498 | |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 1499 | if (extract_request(header, (size_t)n, daemon->namebuff, &type)) |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1500 | { |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1501 | #ifdef HAVE_AUTH |
| 1502 | struct auth_zone *zone; |
| 1503 | #endif |
Simon Kelley | 610e782 | 2014-02-06 14:45:17 +0000 | [diff] [blame] | 1504 | char *types = querystr(auth_dns ? "auth" : "query", type); |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 1505 | |
| 1506 | log_query_mysockaddr(F_QUERY | F_FORWARD, daemon->namebuff, |
| 1507 | &source_addr, types); |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1508 | |
Simon Kelley | 4820dce | 2012-12-18 18:30:30 +0000 | [diff] [blame] | 1509 | #ifdef HAVE_AUTH |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1510 | /* find queries for zones we're authoritative for, and answer them directly */ |
Simon Kelley | 3a3965a | 2015-08-09 17:45:06 +0100 | [diff] [blame] | 1511 | if (!auth_dns && !option_bool(OPT_LOCALISE)) |
Simon Kelley | 6008bdb | 2013-10-21 21:47:03 +0100 | [diff] [blame] | 1512 | for (zone = daemon->auth_zones; zone; zone = zone->next) |
| 1513 | if (in_zone(zone, daemon->namebuff, NULL)) |
| 1514 | { |
| 1515 | auth_dns = 1; |
| 1516 | local_auth = 1; |
| 1517 | break; |
| 1518 | } |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1519 | #endif |
Simon Kelley | b5ea1cc | 2014-07-29 16:34:14 +0100 | [diff] [blame] | 1520 | |
| 1521 | #ifdef HAVE_LOOP |
| 1522 | /* Check for forwarding loop */ |
| 1523 | if (detect_loop(daemon->namebuff, type)) |
| 1524 | return; |
| 1525 | #endif |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1526 | } |
| 1527 | |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 1528 | if (find_pseudoheader(header, (size_t)n, NULL, &pheader, NULL, NULL)) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1529 | { |
| 1530 | unsigned short flags; |
| 1531 | |
| 1532 | have_pseudoheader = 1; |
| 1533 | GETSHORT(udp_size, pheader); |
| 1534 | pheader += 2; /* ext_rcode */ |
| 1535 | GETSHORT(flags, pheader); |
| 1536 | |
| 1537 | if (flags & 0x8000) |
| 1538 | do_bit = 1;/* do bit */ |
| 1539 | |
| 1540 | /* If the client provides an EDNS0 UDP size, use that to limit our reply. |
| 1541 | (bounded by the maximum configured). If no EDNS0, then it |
| 1542 | defaults to 512 */ |
| 1543 | if (udp_size > daemon->edns_pktsz) |
| 1544 | udp_size = daemon->edns_pktsz; |
Simon Kelley | a3303e1 | 2017-09-07 20:45:00 +0100 | [diff] [blame] | 1545 | else if (udp_size < PACKETSZ) |
| 1546 | udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */ |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1547 | } |
| 1548 | |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1549 | #ifdef HAVE_AUTH |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1550 | if (auth_dns) |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 1551 | { |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1552 | m = answer_auth(header, ((char *) header) + udp_size, (size_t)n, now, &source_addr, |
| 1553 | local_auth, do_bit, have_pseudoheader); |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1554 | if (m >= 1) |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1555 | { |
| 1556 | send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), |
| 1557 | (char *)header, m, &source_addr, &dst_addr, if_index); |
Julian Kornberger | aba8bbb | 2018-07-21 21:55:08 +0100 | [diff] [blame] | 1558 | daemon->metrics[METRIC_DNS_AUTH_ANSWERED]++; |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1559 | } |
Simon Kelley | 824af85 | 2008-02-12 20:43:05 +0000 | [diff] [blame] | 1560 | } |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1561 | else |
Simon Kelley | 4820dce | 2012-12-18 18:30:30 +0000 | [diff] [blame] | 1562 | #endif |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1563 | { |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1564 | int ad_reqd = do_bit; |
| 1565 | /* RFC 6840 5.7 */ |
| 1566 | if (header->hb4 & HB4_AD) |
| 1567 | ad_reqd = 1; |
| 1568 | |
| 1569 | m = answer_request(header, ((char *) header) + udp_size, (size_t)n, |
| 1570 | dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader); |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1571 | |
| 1572 | if (m >= 1) |
| 1573 | { |
| 1574 | send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), |
| 1575 | (char *)header, m, &source_addr, &dst_addr, if_index); |
Julian Kornberger | aba8bbb | 2018-07-21 21:55:08 +0100 | [diff] [blame] | 1576 | daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1577 | } |
| 1578 | else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index, |
Simon Kelley | 613ad15 | 2014-02-25 23:02:28 +0000 | [diff] [blame] | 1579 | header, (size_t)n, now, NULL, ad_reqd, do_bit)) |
Julian Kornberger | aba8bbb | 2018-07-21 21:55:08 +0100 | [diff] [blame] | 1580 | daemon->metrics[METRIC_DNS_QUERIES_FORWARDED]++; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1581 | else |
Julian Kornberger | aba8bbb | 2018-07-21 21:55:08 +0100 | [diff] [blame] | 1582 | daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1583 | } |
Simon Kelley | 44a2a31 | 2004-03-10 20:04:35 +0000 | [diff] [blame] | 1584 | } |
| 1585 | |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1586 | #ifdef HAVE_DNSSEC |
Josh Soref | 730c674 | 2017-02-06 16:14:04 +0000 | [diff] [blame] | 1587 | /* Recurse up the key hierarchy */ |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1588 | static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1589 | int class, char *name, char *keyname, struct server *server, |
| 1590 | int have_mark, unsigned int mark, int *keycount) |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1591 | { |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1592 | int new_status; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1593 | unsigned char *packet = NULL; |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1594 | unsigned char *payload = NULL; |
| 1595 | struct dns_header *new_header = NULL; |
| 1596 | u16 *length = NULL; |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1597 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1598 | while (1) |
Simon Kelley | 00a5b5d | 2014-02-28 18:10:55 +0000 | [diff] [blame] | 1599 | { |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1600 | int type = SERV_DO_DNSSEC; |
| 1601 | char *domain; |
| 1602 | size_t m; |
| 1603 | unsigned char c1, c2; |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1604 | struct server *firstsendto = NULL; |
| 1605 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1606 | /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ |
| 1607 | if (--(*keycount) == 0) |
| 1608 | new_status = STAT_ABANDONED; |
| 1609 | else if (status == STAT_NEED_KEY) |
| 1610 | new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); |
| 1611 | else if (status == STAT_NEED_DS) |
| 1612 | new_status = dnssec_validate_ds(now, header, n, name, keyname, class); |
| 1613 | else |
James Bottomley | e33b487 | 2017-03-17 21:44:10 +0000 | [diff] [blame] | 1614 | new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, |
Simon Kelley | a691853 | 2018-04-15 16:20:52 +0100 | [diff] [blame] | 1615 | !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC), |
Simon Kelley | fef2f1c | 2019-08-29 21:59:00 +0100 | [diff] [blame] | 1616 | NULL, NULL, NULL); |
Simon Kelley | 00a5b5d | 2014-02-28 18:10:55 +0000 | [diff] [blame] | 1617 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1618 | if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY) |
| 1619 | break; |
Simon Kelley | 00a5b5d | 2014-02-28 18:10:55 +0000 | [diff] [blame] | 1620 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1621 | /* Can't validate because we need a key/DS whose name now in keyname. |
| 1622 | Make query for same, and recurse to validate */ |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1623 | if (!packet) |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1624 | { |
| 1625 | packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); |
| 1626 | payload = &packet[2]; |
| 1627 | new_header = (struct dns_header *)payload; |
| 1628 | length = (u16 *)packet; |
| 1629 | } |
| 1630 | |
| 1631 | if (!packet) |
| 1632 | { |
| 1633 | new_status = STAT_ABANDONED; |
| 1634 | break; |
| 1635 | } |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1636 | |
Simon Kelley | 33702ab | 2015-12-28 23:17:15 +0000 | [diff] [blame] | 1637 | m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class, |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1638 | new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz); |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1639 | |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 1640 | *length = htons(m); |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1641 | |
| 1642 | /* Find server to forward to. This will normally be the |
| 1643 | same as for the original query, but may be another if |
| 1644 | servers for domains are involved. */ |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1645 | if (search_servers(now, NULL, F_DNSSECOK, keyname, &type, &domain, NULL) != 0) |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1646 | { |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1647 | new_status = STAT_ABANDONED; |
| 1648 | break; |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1649 | } |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1650 | |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1651 | while (1) |
| 1652 | { |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1653 | int data_sent = 0; |
| 1654 | |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1655 | if (!firstsendto) |
| 1656 | firstsendto = server; |
| 1657 | else |
| 1658 | { |
| 1659 | if (!(server = server->next)) |
| 1660 | server = daemon->servers; |
| 1661 | if (server == firstsendto) |
| 1662 | { |
| 1663 | /* can't find server to accept our query. */ |
| 1664 | new_status = STAT_ABANDONED; |
| 1665 | break; |
| 1666 | } |
| 1667 | } |
| 1668 | |
Petr Menšík | e10a923 | 2021-03-15 11:20:49 +0100 | [diff] [blame] | 1669 | if (!server_test_type(server, domain, type, SERV_DO_DNSSEC)) |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1670 | continue; |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1671 | |
| 1672 | retry: |
| 1673 | /* may need to make new connection. */ |
| 1674 | if (server->tcpfd == -1) |
| 1675 | { |
| 1676 | if ((server->tcpfd = socket(server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1) |
| 1677 | continue; /* No good, next server */ |
| 1678 | |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1679 | #ifdef HAVE_CONNTRACK |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1680 | /* Copy connection mark of incoming query to outgoing connection. */ |
| 1681 | if (have_mark) |
| 1682 | setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 1683 | #endif |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1684 | |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1685 | if (!local_bind(server->tcpfd, &server->source_addr, server->interface, 0, 1)) |
| 1686 | { |
| 1687 | close(server->tcpfd); |
| 1688 | server->tcpfd = -1; |
| 1689 | continue; /* No good, next server */ |
| 1690 | } |
| 1691 | |
| 1692 | #ifdef MSG_FASTOPEN |
Petr Menšík | 51f7bc9 | 2021-03-18 01:05:43 +0100 | [diff] [blame] | 1693 | server_send(server, server->tcpfd, packet, m + sizeof(u16), MSG_FASTOPEN); |
| 1694 | |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1695 | if (errno == 0) |
| 1696 | data_sent = 1; |
| 1697 | #endif |
| 1698 | |
| 1699 | if (!data_sent && connect(server->tcpfd, &server->addr.sa, sa_len(&server->addr)) == -1) |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1700 | { |
| 1701 | close(server->tcpfd); |
| 1702 | server->tcpfd = -1; |
| 1703 | continue; /* No good, next server */ |
| 1704 | } |
| 1705 | |
| 1706 | server->flags &= ~SERV_GOT_TCP; |
| 1707 | } |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1708 | |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1709 | if ((!data_sent && !read_write(server->tcpfd, packet, m + sizeof(u16), 0)) || |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1710 | !read_write(server->tcpfd, &c1, 1, 1) || |
| 1711 | !read_write(server->tcpfd, &c2, 1, 1) || |
| 1712 | !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) |
| 1713 | { |
| 1714 | close(server->tcpfd); |
| 1715 | server->tcpfd = -1; |
| 1716 | /* We get data then EOF, reopen connection to same server, |
| 1717 | else try next. This avoids DoS from a server which accepts |
| 1718 | connections and then closes them. */ |
| 1719 | if (server->flags & SERV_GOT_TCP) |
| 1720 | goto retry; |
| 1721 | else |
| 1722 | continue; |
| 1723 | } |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1724 | |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 1725 | log_query_mysockaddr(F_NOEXTRA | F_DNSSEC, keyname, &server->addr, |
| 1726 | querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS)); |
Simon Kelley | e1791f3 | 2018-10-06 23:23:23 +0100 | [diff] [blame] | 1727 | |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1728 | server->flags |= SERV_GOT_TCP; |
| 1729 | |
| 1730 | m = (c1 << 8) | c2; |
| 1731 | new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount); |
| 1732 | break; |
| 1733 | } |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1734 | |
| 1735 | if (new_status != STAT_OK) |
| 1736 | break; |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1737 | } |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1738 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 1739 | if (packet) |
| 1740 | free(packet); |
| 1741 | |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1742 | return new_status; |
| 1743 | } |
| 1744 | #endif |
| 1745 | |
| 1746 | |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1747 | /* The daemon forks before calling this: it should deal with one connection, |
Josh Soref | 730c674 | 2017-02-06 16:14:04 +0000 | [diff] [blame] | 1748 | blocking as necessary, and then return. Note, need to be a bit careful |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1749 | about resources for debug mode, when the fork is suppressed: that's |
| 1750 | done by the caller. */ |
Simon Kelley | 5aabfc7 | 2007-08-29 11:24:47 +0100 | [diff] [blame] | 1751 | unsigned char *tcp_request(int confd, time_t now, |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1752 | union mysockaddr *local_addr, struct in_addr netmask, int auth_dns) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1753 | { |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 1754 | size_t size = 0; |
| 1755 | int norebind = 0; |
Vladislav Grishenko | 3b19596 | 2013-11-26 11:08:21 +0000 | [diff] [blame] | 1756 | #ifdef HAVE_AUTH |
Simon Kelley | 19b1689 | 2013-10-20 10:19:39 +0100 | [diff] [blame] | 1757 | int local_auth = 0; |
Vladislav Grishenko | 3b19596 | 2013-11-26 11:08:21 +0000 | [diff] [blame] | 1758 | #endif |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1759 | int checking_disabled, do_bit, added_pheader = 0, have_pseudoheader = 0; |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 1760 | int check_subnet, cacheable, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; |
Simon Kelley | cdeda28 | 2006-03-16 20:16:06 +0000 | [diff] [blame] | 1761 | size_t m; |
Simon Kelley | ee86ce6 | 2012-12-07 11:54:46 +0000 | [diff] [blame] | 1762 | unsigned short qtype; |
| 1763 | unsigned int gotname; |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1764 | unsigned char c1, c2; |
Simon Kelley | 4b5ea12 | 2013-04-22 10:18:26 +0100 | [diff] [blame] | 1765 | /* Max TCP packet + slop + size */ |
| 1766 | unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); |
| 1767 | unsigned char *payload = &packet[2]; |
| 1768 | /* largest field in header is 16-bits, so this is still sufficiently aligned */ |
| 1769 | struct dns_header *header = (struct dns_header *)payload; |
| 1770 | u16 *length = (u16 *)packet; |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 1771 | struct server *last_server; |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 1772 | struct in_addr dst_addr_4; |
| 1773 | union mysockaddr peer_addr; |
| 1774 | socklen_t peer_len = sizeof(union mysockaddr); |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 1775 | int query_count = 0; |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1776 | unsigned char *pheader; |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1777 | unsigned int mark = 0; |
| 1778 | int have_mark = 0; |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 1779 | |
Simon Kelley | d05dd58 | 2016-01-19 21:23:30 +0000 | [diff] [blame] | 1780 | (void)mark; |
| 1781 | (void)have_mark; |
| 1782 | |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 1783 | if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1) |
| 1784 | return packet; |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1785 | |
| 1786 | #ifdef HAVE_CONNTRACK |
| 1787 | /* Get connection mark of incoming query to set on outgoing connections. */ |
| 1788 | if (option_bool(OPT_CONNTRACK)) |
| 1789 | { |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1790 | union all_addr local; |
Simon Kelley | ee87504 | 2018-10-23 22:10:17 +0100 | [diff] [blame] | 1791 | |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1792 | if (local_addr->sa.sa_family == AF_INET6) |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1793 | local.addr6 = local_addr->in6.sin6_addr; |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1794 | else |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1795 | local.addr4 = local_addr->in.sin_addr; |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1796 | |
| 1797 | have_mark = get_incoming_mark(&peer_addr, &local, 1, &mark); |
| 1798 | } |
| 1799 | #endif |
| 1800 | |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1801 | /* We can be configured to only accept queries from at-most-one-hop-away addresses. */ |
| 1802 | if (option_bool(OPT_LOCAL_SERVICE)) |
| 1803 | { |
| 1804 | struct addrlist *addr; |
Simon Kelley | ee87504 | 2018-10-23 22:10:17 +0100 | [diff] [blame] | 1805 | |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1806 | if (peer_addr.sa.sa_family == AF_INET6) |
| 1807 | { |
| 1808 | for (addr = daemon->interface_addrs; addr; addr = addr->next) |
| 1809 | if ((addr->flags & ADDRLIST_IPV6) && |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1810 | is_same_net6(&addr->addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen)) |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1811 | break; |
| 1812 | } |
| 1813 | else |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1814 | { |
| 1815 | struct in_addr netmask; |
| 1816 | for (addr = daemon->interface_addrs; addr; addr = addr->next) |
| 1817 | { |
Richard Genoud | 15b1b7e | 2014-09-17 21:12:00 +0100 | [diff] [blame] | 1818 | netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen)); |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1819 | if (!(addr->flags & ADDRLIST_IPV6) && |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1820 | is_same_net(addr->addr.addr4, peer_addr.in.sin_addr, netmask)) |
Simon Kelley | c8a8048 | 2014-03-05 14:29:54 +0000 | [diff] [blame] | 1821 | break; |
| 1822 | } |
| 1823 | } |
| 1824 | if (!addr) |
| 1825 | { |
| 1826 | my_syslog(LOG_WARNING, _("Ignoring query from non-local network")); |
| 1827 | return packet; |
| 1828 | } |
| 1829 | } |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 1830 | |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1831 | while (1) |
| 1832 | { |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 1833 | if (query_count == TCP_MAX_QUERIES || |
| 1834 | !packet || |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1835 | !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) || |
| 1836 | !(size = c1 << 8 | c2) || |
Simon Kelley | 4b5ea12 | 2013-04-22 10:18:26 +0100 | [diff] [blame] | 1837 | !read_write(confd, payload, size, 1)) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1838 | return packet; |
| 1839 | |
Simon Kelley | 572b41e | 2011-02-18 18:11:18 +0000 | [diff] [blame] | 1840 | if (size < (int)sizeof(struct dns_header)) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1841 | continue; |
Simon Kelley | 63437ff | 2017-09-06 22:34:21 +0100 | [diff] [blame] | 1842 | |
| 1843 | /* Clear buffer beyond request to avoid risk of |
| 1844 | information disclosure. */ |
| 1845 | memset(payload + size, 0, 65536 - size); |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1846 | |
Simon Kelley | 25cf5e3 | 2015-01-09 15:53:03 +0000 | [diff] [blame] | 1847 | query_count++; |
| 1848 | |
| 1849 | /* log_query gets called indirectly all over the place, so |
| 1850 | pass these in global variables - sorry. */ |
| 1851 | daemon->log_display_id = ++daemon->log_id; |
| 1852 | daemon->log_source_addr = &peer_addr; |
| 1853 | |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 1854 | /* save state of "cd" flag in query */ |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 1855 | if ((checking_disabled = header->hb4 & HB4_CD)) |
| 1856 | no_cache_dnssec = 1; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 1857 | |
Simon Kelley | 3be3454 | 2004-09-11 19:12:13 +0100 | [diff] [blame] | 1858 | if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype))) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1859 | { |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1860 | #ifdef HAVE_AUTH |
| 1861 | struct auth_zone *zone; |
| 1862 | #endif |
Simon Kelley | 610e782 | 2014-02-06 14:45:17 +0000 | [diff] [blame] | 1863 | char *types = querystr(auth_dns ? "auth" : "query", qtype); |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 1864 | |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 1865 | log_query_mysockaddr(F_QUERY | F_FORWARD, daemon->namebuff, |
| 1866 | &peer_addr, types); |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1867 | |
| 1868 | #ifdef HAVE_AUTH |
| 1869 | /* find queries for zones we're authoritative for, and answer them directly */ |
Simon Kelley | 3a3965a | 2015-08-09 17:45:06 +0100 | [diff] [blame] | 1870 | if (!auth_dns && !option_bool(OPT_LOCALISE)) |
Simon Kelley | 6008bdb | 2013-10-21 21:47:03 +0100 | [diff] [blame] | 1871 | for (zone = daemon->auth_zones; zone; zone = zone->next) |
| 1872 | if (in_zone(zone, daemon->namebuff, NULL)) |
| 1873 | { |
| 1874 | auth_dns = 1; |
| 1875 | local_auth = 1; |
| 1876 | break; |
| 1877 | } |
Simon Kelley | b485ed9 | 2013-10-18 22:00:39 +0100 | [diff] [blame] | 1878 | #endif |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1879 | } |
| 1880 | |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 1881 | if (local_addr->sa.sa_family == AF_INET) |
| 1882 | dst_addr_4 = local_addr->in.sin_addr; |
| 1883 | else |
| 1884 | dst_addr_4.s_addr = 0; |
| 1885 | |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1886 | do_bit = 0; |
| 1887 | |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 1888 | if (find_pseudoheader(header, (size_t)size, NULL, &pheader, NULL, NULL)) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1889 | { |
| 1890 | unsigned short flags; |
| 1891 | |
| 1892 | have_pseudoheader = 1; |
| 1893 | pheader += 4; /* udp_size, ext_rcode */ |
| 1894 | GETSHORT(flags, pheader); |
| 1895 | |
| 1896 | if (flags & 0x8000) |
Simon Kelley | 5bb88f0 | 2015-12-21 16:23:47 +0000 | [diff] [blame] | 1897 | do_bit = 1; /* do bit */ |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1898 | } |
| 1899 | |
Simon Kelley | 4820dce | 2012-12-18 18:30:30 +0000 | [diff] [blame] | 1900 | #ifdef HAVE_AUTH |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1901 | if (auth_dns) |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1902 | m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, |
| 1903 | local_auth, do_bit, have_pseudoheader); |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1904 | else |
Simon Kelley | 4820dce | 2012-12-18 18:30:30 +0000 | [diff] [blame] | 1905 | #endif |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1906 | { |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 1907 | int ad_reqd = do_bit; |
| 1908 | /* RFC 6840 5.7 */ |
| 1909 | if (header->hb4 & HB4_AD) |
| 1910 | ad_reqd = 1; |
| 1911 | |
| 1912 | /* m > 0 if answered from cache */ |
| 1913 | m = answer_request(header, ((char *) header) + 65536, (size_t)size, |
| 1914 | dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader); |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1915 | |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1916 | /* Do this by steam now we're not in the select() loop */ |
Simon Kelley | b842bc9 | 2015-07-12 21:09:11 +0100 | [diff] [blame] | 1917 | check_log_writer(1); |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1918 | |
| 1919 | if (m == 0) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1920 | { |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1921 | unsigned int flags = 0; |
Simon Kelley | cc921df | 2019-01-02 22:48:59 +0000 | [diff] [blame] | 1922 | union all_addr *addrp = NULL; |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1923 | int type = SERV_DO_DNSSEC; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1924 | char *domain = NULL; |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 1925 | unsigned char *oph = find_pseudoheader(header, size, NULL, NULL, NULL, NULL); |
Simon Kelley | ed4c076 | 2013-10-08 20:46:34 +0100 | [diff] [blame] | 1926 | |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 1927 | size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &check_subnet, &cacheable); |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 1928 | |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1929 | if (gotname) |
| 1930 | flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); |
Simon Kelley | 6fd5d79 | 2017-10-13 22:26:40 +0100 | [diff] [blame] | 1931 | |
| 1932 | #ifdef HAVE_DNSSEC |
| 1933 | if (option_bool(OPT_DNSSEC_VALID) && (type & SERV_DO_DNSSEC)) |
| 1934 | { |
| 1935 | size = add_do_bit(header, size, ((unsigned char *) header) + 65536); |
| 1936 | |
| 1937 | /* For debugging, set Checking Disabled, otherwise, have the upstream check too, |
| 1938 | this allows it to select auth servers when one is returning bad data. */ |
| 1939 | if (option_bool(OPT_DNSSEC_DEBUG)) |
| 1940 | header->hb4 |= HB4_CD; |
| 1941 | } |
| 1942 | #endif |
| 1943 | |
| 1944 | /* Check if we added a pheader on forwarding - may need to |
| 1945 | strip it from the reply. */ |
| 1946 | if (!oph && find_pseudoheader(header, size, NULL, NULL, NULL, NULL)) |
| 1947 | added_pheader = 1; |
| 1948 | |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 1949 | type &= ~SERV_DO_DNSSEC; |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 1950 | |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1951 | if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server) |
| 1952 | last_server = daemon->servers; |
| 1953 | else |
| 1954 | last_server = daemon->last_server; |
| 1955 | |
| 1956 | if (!flags && last_server) |
| 1957 | { |
| 1958 | struct server *firstsendto = NULL; |
Simon Kelley | 2d76586 | 2020-11-12 22:06:07 +0000 | [diff] [blame] | 1959 | unsigned char hash[HASH_SIZE]; |
| 1960 | memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE); |
| 1961 | |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1962 | /* Loop round available servers until we succeed in connecting to one. |
Josh Soref | 730c674 | 2017-02-06 16:14:04 +0000 | [diff] [blame] | 1963 | Note that this code subtly ensures that consecutive queries on this connection |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1964 | which can go to the same server, do so. */ |
| 1965 | while (1) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 1966 | { |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1967 | int data_sent = 0; |
| 1968 | |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1969 | if (!firstsendto) |
| 1970 | firstsendto = last_server; |
| 1971 | else |
| 1972 | { |
| 1973 | if (!(last_server = last_server->next)) |
| 1974 | last_server = daemon->servers; |
| 1975 | |
| 1976 | if (last_server == firstsendto) |
| 1977 | break; |
| 1978 | } |
| 1979 | |
| 1980 | /* server for wrong domain */ |
Petr Menšík | e10a923 | 2021-03-15 11:20:49 +0100 | [diff] [blame] | 1981 | if (!server_test_type(last_server, domain, type, 0)) |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 1982 | continue; |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 1983 | |
| 1984 | retry: |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1985 | *length = htons(size); |
| 1986 | |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 1987 | if (last_server->tcpfd == -1) |
| 1988 | { |
| 1989 | if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1) |
| 1990 | continue; |
| 1991 | |
Karl Vogel | e9828b6 | 2014-10-03 21:45:15 +0100 | [diff] [blame] | 1992 | #ifdef HAVE_CONNTRACK |
| 1993 | /* Copy connection mark of incoming query to outgoing connection. */ |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 1994 | if (have_mark) |
| 1995 | setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1996 | #endif |
Karl Vogel | e9828b6 | 2014-10-03 21:45:15 +0100 | [diff] [blame] | 1997 | |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 1998 | if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 0, 1))) |
| 1999 | { |
| 2000 | close(last_server->tcpfd); |
| 2001 | last_server->tcpfd = -1; |
| 2002 | continue; |
| 2003 | } |
| 2004 | |
| 2005 | #ifdef MSG_FASTOPEN |
黎醒聪 | ffa4628 | 2021-03-22 22:00:26 +0000 | [diff] [blame] | 2006 | server_send(last_server, last_server->tcpfd, packet, size + sizeof(u16), MSG_FASTOPEN); |
Petr Menšík | 51f7bc9 | 2021-03-18 01:05:43 +0100 | [diff] [blame] | 2007 | |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 2008 | if (errno == 0) |
| 2009 | data_sent = 1; |
| 2010 | #endif |
| 2011 | |
| 2012 | if (!data_sent && connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1) |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2013 | { |
| 2014 | close(last_server->tcpfd); |
| 2015 | last_server->tcpfd = -1; |
| 2016 | continue; |
| 2017 | } |
| 2018 | |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 2019 | last_server->flags &= ~SERV_GOT_TCP; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2020 | } |
| 2021 | |
Simon Kelley | 1fc0268 | 2014-04-29 12:30:18 +0100 | [diff] [blame] | 2022 | /* get query name again for logging - may have been overwritten */ |
| 2023 | if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype))) |
| 2024 | strcpy(daemon->namebuff, "query"); |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2025 | |
Simon Kelley | 608aa9f | 2019-03-10 22:44:15 +0000 | [diff] [blame] | 2026 | if ((!data_sent && !read_write(last_server->tcpfd, packet, size + sizeof(u16), 0)) || |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2027 | !read_write(last_server->tcpfd, &c1, 1, 1) || |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 2028 | !read_write(last_server->tcpfd, &c2, 1, 1) || |
| 2029 | !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1)) |
Simon Kelley | 7de060b | 2011-08-26 17:24:52 +0100 | [diff] [blame] | 2030 | { |
| 2031 | close(last_server->tcpfd); |
| 2032 | last_server->tcpfd = -1; |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 2033 | /* We get data then EOF, reopen connection to same server, |
| 2034 | else try next. This avoids DoS from a server which accepts |
| 2035 | connections and then closes them. */ |
| 2036 | if (last_server->flags & SERV_GOT_TCP) |
| 2037 | goto retry; |
| 2038 | else |
| 2039 | continue; |
| 2040 | } |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2041 | |
Simon Kelley | 361dfe5 | 2017-02-10 21:12:30 +0000 | [diff] [blame] | 2042 | last_server->flags |= SERV_GOT_TCP; |
| 2043 | |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2044 | m = (c1 << 8) | c2; |
Petr Menšík | 6c0bf79 | 2021-03-18 00:07:45 +0100 | [diff] [blame] | 2045 | |
| 2046 | log_query_mysockaddr(F_SERVER | F_FORWARD, daemon->namebuff, |
| 2047 | &last_server->addr, NULL); |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 2048 | |
| 2049 | #ifdef HAVE_DNSSEC |
Simon Kelley | 367341f | 2016-01-12 15:58:23 +0000 | [diff] [blame] | 2050 | if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_server->flags & SERV_DO_DNSSEC)) |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 2051 | { |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 2052 | int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ |
Simon Kelley | f344dbc | 2016-01-18 18:04:17 +0000 | [diff] [blame] | 2053 | int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname, |
| 2054 | last_server, have_mark, mark, &keycount); |
Simon Kelley | 554b580 | 2015-04-17 22:50:20 +0100 | [diff] [blame] | 2055 | char *result, *domain = "result"; |
Simon Kelley | fe3992f | 2015-04-03 21:25:05 +0100 | [diff] [blame] | 2056 | |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 2057 | if (status == STAT_ABANDONED) |
Simon Kelley | 150162b | 2015-03-27 09:58:26 +0000 | [diff] [blame] | 2058 | { |
| 2059 | result = "ABANDONED"; |
| 2060 | status = STAT_BOGUS; |
| 2061 | } |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 2062 | else |
| 2063 | result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS")); |
Simon Kelley | e66b4df | 2015-04-28 20:45:57 +0100 | [diff] [blame] | 2064 | |
| 2065 | if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL)) |
| 2066 | domain = daemon->namebuff; |
Simon Kelley | 554b580 | 2015-04-17 22:50:20 +0100 | [diff] [blame] | 2067 | |
Simon Kelley | 07ed585 | 2018-05-04 21:52:22 +0100 | [diff] [blame] | 2068 | log_query(F_SECSTAT, domain, NULL, result); |
Simon Kelley | 7fa836e | 2014-02-10 20:11:24 +0000 | [diff] [blame] | 2069 | |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 2070 | if (status == STAT_BOGUS) |
Simon Kelley | fe3992f | 2015-04-03 21:25:05 +0100 | [diff] [blame] | 2071 | { |
| 2072 | no_cache_dnssec = 1; |
| 2073 | bogusanswer = 1; |
| 2074 | } |
| 2075 | |
Simon Kelley | 7d7b7b3 | 2014-01-08 15:53:35 +0000 | [diff] [blame] | 2076 | if (status == STAT_SECURE) |
| 2077 | cache_secure = 1; |
| 2078 | } |
| 2079 | #endif |
| 2080 | |
| 2081 | /* restore CD bit to the value in the query */ |
| 2082 | if (checking_disabled) |
| 2083 | header->hb4 |= HB4_CD; |
| 2084 | else |
| 2085 | header->hb4 &= ~HB4_CD; |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2086 | |
| 2087 | /* There's no point in updating the cache, since this process will exit and |
| 2088 | lose the information after a few queries. We make this call for the alias and |
| 2089 | bogus-nxdomain side-effects. */ |
| 2090 | /* If the crc of the question section doesn't match the crc we sent, then |
| 2091 | someone might be attempting to insert bogus values into the cache by |
| 2092 | sending replies containing questions and bogus answers. */ |
Simon Kelley | 2d76586 | 2020-11-12 22:06:07 +0000 | [diff] [blame] | 2093 | if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0) |
Simon Kelley | 703c7ff | 2014-01-25 23:46:23 +0000 | [diff] [blame] | 2094 | { |
| 2095 | m = 0; |
| 2096 | break; |
| 2097 | } |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 2098 | |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 2099 | /* Never cache answers which are contingent on the source or MAC address EDSN0 option, |
| 2100 | since the cache is ignorant of such things. */ |
| 2101 | if (!cacheable) |
| 2102 | no_cache_dnssec = 1; |
| 2103 | |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 2104 | m = process_reply(header, now, last_server, (unsigned int)m, |
Simon Kelley | e66b4df | 2015-04-28 20:45:57 +0100 | [diff] [blame] | 2105 | option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, |
Simon Kelley | fa14bec | 2015-12-20 17:12:16 +0000 | [diff] [blame] | 2106 | ad_reqd, do_bit, added_pheader, check_subnet, &peer_addr); |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2107 | |
| 2108 | break; |
| 2109 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 2110 | } |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2111 | |
| 2112 | /* In case of local answer or no connections made. */ |
| 2113 | if (m == 0) |
Simon Kelley | 1682d15 | 2018-08-03 20:38:18 +0100 | [diff] [blame] | 2114 | { |
| 2115 | m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl); |
| 2116 | if (have_pseudoheader) |
| 2117 | m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0); |
| 2118 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 2119 | } |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 2120 | } |
Simon Kelley | 4f7b304 | 2012-11-28 21:27:02 +0000 | [diff] [blame] | 2121 | |
Simon Kelley | b842bc9 | 2015-07-12 21:09:11 +0100 | [diff] [blame] | 2122 | check_log_writer(1); |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 2123 | |
Simon Kelley | 4b5ea12 | 2013-04-22 10:18:26 +0100 | [diff] [blame] | 2124 | *length = htons(m); |
| 2125 | |
| 2126 | if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0)) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 2127 | return packet; |
| 2128 | } |
| 2129 | } |
| 2130 | |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2131 | static struct frec *allocate_frec(time_t now) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2132 | { |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2133 | struct frec *f; |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2134 | |
Simon Kelley | 5aabfc7 | 2007-08-29 11:24:47 +0100 | [diff] [blame] | 2135 | if ((f = (struct frec *)whine_malloc(sizeof(struct frec)))) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2136 | { |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2137 | f->next = daemon->frec_list; |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2138 | f->time = now; |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 2139 | f->sentto = NULL; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2140 | f->rfds = NULL; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 2141 | f->flags = 0; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2142 | #ifdef HAVE_DNSSEC |
Simon Kelley | 97bc798 | 2014-01-31 10:19:52 +0000 | [diff] [blame] | 2143 | f->dependent = NULL; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2144 | f->blocking_query = NULL; |
Simon Kelley | 4619d94 | 2014-01-16 19:53:06 +0000 | [diff] [blame] | 2145 | f->stash = NULL; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2146 | #endif |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2147 | daemon->frec_list = f; |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2148 | } |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2149 | |
| 2150 | return f; |
| 2151 | } |
| 2152 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2153 | /* return a UDP socket bound to a random port, have to cope with straying into |
| 2154 | occupied port nos and reserved ones. */ |
| 2155 | static int random_sock(struct server *s) |
| 2156 | { |
| 2157 | int fd; |
| 2158 | |
| 2159 | if ((fd = socket(s->source_addr.sa.sa_family, SOCK_DGRAM, 0)) != -1) |
| 2160 | { |
| 2161 | if (local_bind(fd, &s->source_addr, s->interface, s->ifindex, 0)) |
| 2162 | return fd; |
| 2163 | |
| 2164 | if (s->interface[0] == 0) |
| 2165 | (void)prettyprint_addr(&s->source_addr, daemon->namebuff); |
| 2166 | else |
| 2167 | strcpy(daemon->namebuff, s->interface); |
| 2168 | |
| 2169 | my_syslog(LOG_ERR, _("failed to bind server socket to %s: %s"), |
| 2170 | daemon->namebuff, strerror(errno)); |
| 2171 | close(fd); |
| 2172 | } |
| 2173 | |
| 2174 | return -1; |
| 2175 | } |
| 2176 | |
| 2177 | /* compare source addresses and interface, serv2 can be null. */ |
| 2178 | static int server_isequal(const struct server *serv1, |
| 2179 | const struct server *serv2) |
| 2180 | { |
| 2181 | return (serv2 && |
| 2182 | serv2->ifindex == serv1->ifindex && |
| 2183 | sockaddr_isequal(&serv2->source_addr, &serv1->source_addr) && |
| 2184 | strncmp(serv2->interface, serv1->interface, IF_NAMESIZE) == 0); |
| 2185 | } |
| 2186 | |
| 2187 | /* fdlp points to chain of randomfds already in use by transaction. |
| 2188 | If there's already a suitable one, return it, else allocate a |
| 2189 | new one and add it to the list. |
| 2190 | |
| 2191 | Not leaking any resources in the face of allocation failures |
| 2192 | is rather convoluted here. |
| 2193 | |
| 2194 | Note that rfd->serv may be NULL, when a server goes away. |
| 2195 | */ |
| 2196 | int allocate_rfd(struct randfd_list **fdlp, struct server *serv) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2197 | { |
| 2198 | static int finger = 0; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2199 | int i, j = 0; |
| 2200 | struct randfd_list *rfl; |
| 2201 | struct randfd *rfd = NULL; |
| 2202 | int fd = 0; |
| 2203 | |
| 2204 | /* If server has a pre-allocated fd, use that. */ |
| 2205 | if (serv->sfd) |
| 2206 | return serv->sfd->fd; |
| 2207 | |
| 2208 | /* existing suitable random port socket linked to this transaction? */ |
| 2209 | for (rfl = *fdlp; rfl; rfl = rfl->next) |
| 2210 | if (server_isequal(serv, rfl->rfd->serv)) |
| 2211 | return rfl->rfd->fd; |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2212 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2213 | /* No. need new link. */ |
| 2214 | if ((rfl = daemon->rfl_spare)) |
| 2215 | daemon->rfl_spare = rfl->next; |
| 2216 | else if (!(rfl = whine_malloc(sizeof(struct randfd_list)))) |
| 2217 | return -1; |
| 2218 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2219 | /* limit the number of sockets we have open to avoid starvation of |
| 2220 | (eg) TFTP. Once we have a reasonable number, randomness should be OK */ |
Simon Kelley | ea28d0e | 2021-03-26 22:02:04 +0000 | [diff] [blame] | 2221 | for (i = 0; i < daemon->numrrand; i++) |
Simon Kelley | 9009d74 | 2008-11-14 20:04:27 +0000 | [diff] [blame] | 2222 | if (daemon->randomsocks[i].refcount == 0) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2223 | { |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2224 | if ((fd = random_sock(serv)) != -1) |
| 2225 | { |
| 2226 | rfd = &daemon->randomsocks[i]; |
| 2227 | rfd->serv = serv; |
| 2228 | rfd->fd = fd; |
| 2229 | rfd->refcount = 1; |
| 2230 | } |
| 2231 | break; |
| 2232 | } |
| 2233 | |
| 2234 | /* No free ones or cannot get new socket, grab an existing one */ |
| 2235 | if (!rfd) |
Simon Kelley | ea28d0e | 2021-03-26 22:02:04 +0000 | [diff] [blame] | 2236 | for (j = 0; j < daemon->numrrand; j++) |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2237 | { |
Simon Kelley | ea28d0e | 2021-03-26 22:02:04 +0000 | [diff] [blame] | 2238 | i = (j + finger) % daemon->numrrand; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2239 | if (daemon->randomsocks[i].refcount != 0 && |
| 2240 | server_isequal(serv, daemon->randomsocks[i].serv) && |
| 2241 | daemon->randomsocks[i].refcount != 0xfffe) |
| 2242 | { |
| 2243 | finger = i + 1; |
| 2244 | rfd = &daemon->randomsocks[i]; |
| 2245 | rfd->refcount++; |
| 2246 | break; |
| 2247 | } |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2248 | } |
| 2249 | |
Simon Kelley | ea28d0e | 2021-03-26 22:02:04 +0000 | [diff] [blame] | 2250 | if (j == daemon->numrrand) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2251 | { |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2252 | struct randfd_list *rfl_poll; |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2253 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2254 | /* there are no free slots, and non with the same parameters we can piggy-back on. |
| 2255 | We're going to have to allocate a new temporary record, distinguished by |
| 2256 | refcount == 0xffff. This will exist in the frec randfd list, never be shared, |
| 2257 | and be freed when no longer in use. It will also be held on |
| 2258 | the daemon->rfl_poll list so the poll system can find it. */ |
| 2259 | |
| 2260 | if ((rfl_poll = daemon->rfl_spare)) |
| 2261 | daemon->rfl_spare = rfl_poll->next; |
| 2262 | else |
| 2263 | rfl_poll = whine_malloc(sizeof(struct randfd_list)); |
| 2264 | |
| 2265 | if (!rfl_poll || |
| 2266 | !(rfd = whine_malloc(sizeof(struct randfd))) || |
| 2267 | (fd = random_sock(serv)) == -1) |
| 2268 | { |
| 2269 | |
| 2270 | /* Don't leak anything we may already have */ |
| 2271 | rfl->next = daemon->rfl_spare; |
| 2272 | daemon->rfl_spare = rfl; |
| 2273 | |
| 2274 | if (rfl_poll) |
| 2275 | { |
| 2276 | rfl_poll->next = daemon->rfl_spare; |
| 2277 | daemon->rfl_spare = rfl_poll; |
| 2278 | } |
| 2279 | |
| 2280 | if (rfd) |
| 2281 | free(rfd); |
| 2282 | |
| 2283 | return -1; /* doom */ |
| 2284 | } |
| 2285 | |
| 2286 | /* Note rfd->serv not set here, since it's not reused */ |
| 2287 | rfd->fd = fd; |
| 2288 | rfd->refcount = 0xffff; /* marker for temp record */ |
| 2289 | |
| 2290 | rfl_poll->rfd = rfd; |
| 2291 | rfl_poll->next = daemon->rfl_poll; |
| 2292 | daemon->rfl_poll = rfl_poll; |
| 2293 | } |
| 2294 | |
| 2295 | rfl->rfd = rfd; |
| 2296 | rfl->next = *fdlp; |
| 2297 | *fdlp = rfl; |
| 2298 | |
| 2299 | return rfl->rfd->fd; |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2300 | } |
Simon Kelley | b5ea1cc | 2014-07-29 16:34:14 +0100 | [diff] [blame] | 2301 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2302 | void free_rfds(struct randfd_list **fdlp) |
Simon Kelley | b5ea1cc | 2014-07-29 16:34:14 +0100 | [diff] [blame] | 2303 | { |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2304 | struct randfd_list *tmp, *rfl, *poll, *next, **up; |
| 2305 | |
| 2306 | for (rfl = *fdlp; rfl; rfl = tmp) |
| 2307 | { |
| 2308 | if (rfl->rfd->refcount == 0xffff || --(rfl->rfd->refcount) == 0) |
| 2309 | close(rfl->rfd->fd); |
| 2310 | |
| 2311 | /* temporary overflow record */ |
| 2312 | if (rfl->rfd->refcount == 0xffff) |
| 2313 | { |
| 2314 | free(rfl->rfd); |
| 2315 | |
| 2316 | /* go through the link of all these by steam to delete. |
| 2317 | This list is expected to be almost always empty. */ |
| 2318 | for (poll = daemon->rfl_poll, up = &daemon->rfl_poll; poll; poll = next) |
| 2319 | { |
| 2320 | next = poll->next; |
| 2321 | |
| 2322 | if (poll->rfd == rfl->rfd) |
| 2323 | { |
| 2324 | *up = poll->next; |
| 2325 | poll->next = daemon->rfl_spare; |
| 2326 | daemon->rfl_spare = poll; |
| 2327 | } |
| 2328 | else |
| 2329 | up = &poll->next; |
| 2330 | } |
| 2331 | } |
| 2332 | |
| 2333 | tmp = rfl->next; |
| 2334 | rfl->next = daemon->rfl_spare; |
| 2335 | daemon->rfl_spare = rfl; |
| 2336 | } |
| 2337 | |
| 2338 | *fdlp = NULL; |
Simon Kelley | b5ea1cc | 2014-07-29 16:34:14 +0100 | [diff] [blame] | 2339 | } |
| 2340 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2341 | static void free_frec(struct frec *f) |
| 2342 | { |
Simon Kelley | 6a6e06f | 2020-12-04 18:35:11 +0000 | [diff] [blame] | 2343 | struct frec_src *last; |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 2344 | |
Simon Kelley | 6a6e06f | 2020-12-04 18:35:11 +0000 | [diff] [blame] | 2345 | /* add back to freelist if not the record builtin to every frec. */ |
| 2346 | for (last = f->frec_src.next; last && last->next; last = last->next) ; |
| 2347 | if (last) |
| 2348 | { |
| 2349 | last->next = daemon->free_frec_src; |
| 2350 | daemon->free_frec_src = f->frec_src.next; |
| 2351 | } |
| 2352 | |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 2353 | f->frec_src.next = NULL; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2354 | free_rfds(&f->rfds); |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2355 | f->sentto = NULL; |
Simon Kelley | 28866e9 | 2011-02-14 20:19:14 +0000 | [diff] [blame] | 2356 | f->flags = 0; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2357 | |
| 2358 | #ifdef HAVE_DNSSEC |
| 2359 | if (f->stash) |
Simon Kelley | 0fc2f31 | 2014-01-08 10:26:58 +0000 | [diff] [blame] | 2360 | { |
| 2361 | blockdata_free(f->stash); |
| 2362 | f->stash = NULL; |
| 2363 | } |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2364 | |
| 2365 | /* Anything we're waiting on is pointless now, too */ |
| 2366 | if (f->blocking_query) |
| 2367 | free_frec(f->blocking_query); |
| 2368 | f->blocking_query = NULL; |
Simon Kelley | 39048ad | 2014-01-21 17:33:58 +0000 | [diff] [blame] | 2369 | f->dependent = NULL; |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2370 | #endif |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2371 | } |
| 2372 | |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 2373 | |
| 2374 | |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2375 | /* if wait==NULL return a free or older than TIMEOUT record. |
| 2376 | else return *wait zero if one available, or *wait is delay to |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2377 | when the oldest in-use record will expire. Impose an absolute |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2378 | limit of 4*TIMEOUT before we wipe things (for random sockets). |
Simon Kelley | 8caf3d7 | 2020-04-04 17:00:32 +0100 | [diff] [blame] | 2379 | If force is non-NULL, always return a result, even if we have |
| 2380 | to allocate above the limit, and never free the record pointed |
| 2381 | to by the force argument. */ |
| 2382 | struct frec *get_new_frec(time_t now, int *wait, struct frec *force) |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2383 | { |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2384 | struct frec *f, *oldest, *target; |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2385 | int count; |
| 2386 | |
| 2387 | if (wait) |
| 2388 | *wait = 0; |
| 2389 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2390 | for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++) |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 2391 | if (!f->sentto) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2392 | target = f; |
| 2393 | else |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2394 | { |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 2395 | #ifdef HAVE_DNSSEC |
| 2396 | /* Don't free DNSSEC sub-queries here, as we may end up with |
| 2397 | dangling references to them. They'll go when their "real" query |
| 2398 | is freed. */ |
Simon Kelley | 8caf3d7 | 2020-04-04 17:00:32 +0100 | [diff] [blame] | 2399 | if (!f->dependent && f != force) |
Simon Kelley | 9a31b68 | 2015-12-15 10:20:39 +0000 | [diff] [blame] | 2400 | #endif |
| 2401 | { |
| 2402 | if (difftime(now, f->time) >= 4*TIMEOUT) |
| 2403 | { |
| 2404 | free_frec(f); |
| 2405 | target = f; |
| 2406 | } |
| 2407 | |
| 2408 | |
| 2409 | if (!oldest || difftime(f->time, oldest->time) <= 0) |
| 2410 | oldest = f; |
| 2411 | } |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2412 | } |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2413 | |
| 2414 | if (target) |
| 2415 | { |
| 2416 | target->time = now; |
| 2417 | return target; |
| 2418 | } |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2419 | |
| 2420 | /* can't find empty one, use oldest if there is one |
| 2421 | and it's older than timeout */ |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 2422 | if (!force && oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT) |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2423 | { |
| 2424 | /* keep stuff for twice timeout if we can by allocating a new |
| 2425 | record instead */ |
| 2426 | if (difftime(now, oldest->time) < 2*TIMEOUT && |
| 2427 | count <= daemon->ftabsize && |
| 2428 | (f = allocate_frec(now))) |
| 2429 | return f; |
| 2430 | |
| 2431 | if (!wait) |
| 2432 | { |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2433 | free_frec(oldest); |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2434 | oldest->time = now; |
| 2435 | } |
| 2436 | return oldest; |
| 2437 | } |
| 2438 | |
| 2439 | /* none available, calculate time 'till oldest record expires */ |
Simon Kelley | 3a23715 | 2013-12-12 12:15:50 +0000 | [diff] [blame] | 2440 | if (!force && count > daemon->ftabsize) |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2441 | { |
Marcelo Salhab Brogliato | 0da5e89 | 2013-05-31 11:49:06 +0100 | [diff] [blame] | 2442 | static time_t last_log = 0; |
| 2443 | |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2444 | if (oldest && wait) |
| 2445 | *wait = oldest->time + (time_t)TIMEOUT - now; |
Marcelo Salhab Brogliato | 0da5e89 | 2013-05-31 11:49:06 +0100 | [diff] [blame] | 2446 | |
| 2447 | if ((int)difftime(now, last_log) > 5) |
| 2448 | { |
| 2449 | last_log = now; |
| 2450 | my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize); |
| 2451 | } |
| 2452 | |
Simon Kelley | 1697269 | 2006-10-16 20:04:18 +0100 | [diff] [blame] | 2453 | return NULL; |
| 2454 | } |
| 2455 | |
| 2456 | if (!(f = allocate_frec(now)) && wait) |
| 2457 | /* wait one second on malloc failure */ |
| 2458 | *wait = 1; |
| 2459 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2460 | return f; /* OK if malloc fails and this is NULL */ |
| 2461 | } |
Simon Kelley | 09f3b2c | 2017-05-09 01:34:02 +0100 | [diff] [blame] | 2462 | |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2463 | static struct frec *lookup_frec(unsigned short id, int fd, void *hash) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2464 | { |
| 2465 | struct frec *f; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2466 | struct server *s; |
| 2467 | int type; |
| 2468 | struct randfd_list *fdl; |
| 2469 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2470 | for(f = daemon->frec_list; f; f = f->next) |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 2471 | if (f->sentto && f->new_id == id && |
Simon Kelley | 2d76586 | 2020-11-12 22:06:07 +0000 | [diff] [blame] | 2472 | (memcmp(hash, f->hash, HASH_SIZE) == 0)) |
Simon Kelley | 257ac0c | 2020-11-12 18:49:23 +0000 | [diff] [blame] | 2473 | { |
| 2474 | /* sent from random port */ |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2475 | for (fdl = f->rfds; fdl; fdl = fdl->next) |
| 2476 | if (fdl->rfd->fd == fd) |
Simon Kelley | 257ac0c | 2020-11-12 18:49:23 +0000 | [diff] [blame] | 2477 | return f; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2478 | |
| 2479 | /* Sent to upstream from socket associated with a server. |
| 2480 | Note we have to iterate over all the possible servers, since they may |
| 2481 | have different bound sockets. */ |
| 2482 | type = f->sentto->flags & SERV_TYPE; |
| 2483 | s = f->sentto; |
| 2484 | do { |
Petr Menšík | 8f9bd61 | 2021-03-27 23:16:09 +0000 | [diff] [blame] | 2485 | if (server_test_type(s, f->sentto->domain, type, 0) && |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2486 | s->sfd && s->sfd->fd == fd) |
| 2487 | return f; |
| 2488 | |
| 2489 | s = s->next ? s->next : daemon->servers; |
| 2490 | } while (s != f->sentto); |
Simon Kelley | 257ac0c | 2020-11-12 18:49:23 +0000 | [diff] [blame] | 2491 | } |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2492 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2493 | return NULL; |
| 2494 | } |
| 2495 | |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 2496 | static struct frec *lookup_frec_by_query(void *hash, unsigned int flags) |
| 2497 | { |
| 2498 | struct frec *f; |
| 2499 | |
| 2500 | /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 2501 | ensures that no frec created for internal DNSSEC query can be returned here. |
| 2502 | |
| 2503 | Similarly FREC_NO_CACHE is never set in flags, so a query which is |
| 2504 | contigent on a particular source address EDNS0 option will never be matched. */ |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 2505 | |
| 2506 | #define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \ |
Simon Kelley | 25e63f1 | 2020-11-25 21:17:52 +0000 | [diff] [blame] | 2507 | | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_NO_CACHE) |
Simon Kelley | feba5c1 | 2004-07-27 20:28:58 +0100 | [diff] [blame] | 2508 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2509 | for(f = daemon->frec_list; f; f = f->next) |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 2510 | if (f->sentto && |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 2511 | (f->flags & FLAGMASK) == flags && |
| 2512 | memcmp(hash, f->hash, HASH_SIZE) == 0) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2513 | return f; |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 2514 | |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2515 | return NULL; |
| 2516 | } |
Simon Kelley | 15b60dd | 2020-11-18 18:34:55 +0000 | [diff] [blame] | 2517 | |
Simon Kelley | 47a9516 | 2014-07-08 22:22:02 +0100 | [diff] [blame] | 2518 | /* Send query packet again, if we can. */ |
| 2519 | void resend_query() |
| 2520 | { |
| 2521 | if (daemon->srv_save) |
Petr Menšík | 51f7bc9 | 2021-03-18 01:05:43 +0100 | [diff] [blame] | 2522 | server_send(daemon->srv_save, daemon->fd_save, |
| 2523 | daemon->packet, daemon->packet_len, 0); |
Simon Kelley | 47a9516 | 2014-07-08 22:22:02 +0100 | [diff] [blame] | 2524 | } |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2525 | |
Simon Kelley | 849a835 | 2006-06-09 21:02:31 +0100 | [diff] [blame] | 2526 | /* A server record is going away, remove references to it */ |
Simon Kelley | 5aabfc7 | 2007-08-29 11:24:47 +0100 | [diff] [blame] | 2527 | void server_gone(struct server *server) |
Simon Kelley | 849a835 | 2006-06-09 21:02:31 +0100 | [diff] [blame] | 2528 | { |
| 2529 | struct frec *f; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2530 | int i; |
Simon Kelley | 849a835 | 2006-06-09 21:02:31 +0100 | [diff] [blame] | 2531 | |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2532 | for (f = daemon->frec_list; f; f = f->next) |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 2533 | if (f->sentto && f->sentto == server) |
Simon Kelley | 1a6bca8 | 2008-07-11 11:11:42 +0100 | [diff] [blame] | 2534 | free_frec(f); |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2535 | |
| 2536 | /* If any random socket refers to this server, NULL the reference. |
| 2537 | No more references to the socket will be created in the future. */ |
Simon Kelley | ea28d0e | 2021-03-26 22:02:04 +0000 | [diff] [blame] | 2538 | for (i = 0; i < daemon->numrrand; i++) |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2539 | if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server) |
| 2540 | daemon->randomsocks[i].serv = NULL; |
Simon Kelley | 849a835 | 2006-06-09 21:02:31 +0100 | [diff] [blame] | 2541 | |
| 2542 | if (daemon->last_server == server) |
| 2543 | daemon->last_server = NULL; |
Simon Kelley | 74d4fcd | 2021-03-15 21:59:51 +0000 | [diff] [blame] | 2544 | |
Simon Kelley | 849a835 | 2006-06-09 21:02:31 +0100 | [diff] [blame] | 2545 | if (daemon->srv_save == server) |
| 2546 | daemon->srv_save = NULL; |
| 2547 | } |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2548 | |
Simon Kelley | 316e273 | 2010-01-22 20:16:09 +0000 | [diff] [blame] | 2549 | /* return unique random ids. */ |
Simon Kelley | 8a9be9e | 2014-01-25 23:17:21 +0000 | [diff] [blame] | 2550 | static unsigned short get_id(void) |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2551 | { |
| 2552 | unsigned short ret = 0; |
Simon Kelley | 257ac0c | 2020-11-12 18:49:23 +0000 | [diff] [blame] | 2553 | struct frec *f; |
Simon Kelley | 832af0b | 2007-01-21 20:01:28 +0000 | [diff] [blame] | 2554 | |
Simon Kelley | 257ac0c | 2020-11-12 18:49:23 +0000 | [diff] [blame] | 2555 | while (1) |
| 2556 | { |
| 2557 | ret = rand16(); |
| 2558 | |
| 2559 | /* ensure id is unique. */ |
| 2560 | for (f = daemon->frec_list; f; f = f->next) |
| 2561 | if (f->sentto && f->new_id == ret) |
| 2562 | break; |
| 2563 | |
| 2564 | if (!f) |
| 2565 | return ret; |
| 2566 | } |
Simon Kelley | 9e4abcb | 2004-01-22 19:47:41 +0000 | [diff] [blame] | 2567 | } |
| 2568 | |
| 2569 | |
| 2570 | |
| 2571 | |
| 2572 | |