--- embedaddon/dnsmasq/src/rfc1035.c 2013/07/29 19:37:40 1.1.1.1 +++ embedaddon/dnsmasq/src/rfc1035.c 2021/03/17 00:56:46 1.1.1.4 @@ -1,4 +1,4 @@ -/* dnsmasq is Copyright (c) 2000-2013 Simon Kelley +/* dnsmasq is Copyright (c) 2000-2021 Simon Kelley This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -16,18 +16,11 @@ #include "dnsmasq.h" - -#define CHECK_LEN(header, pp, plen, len) \ - ((size_t)((pp) - (unsigned char *)(header) + (len)) <= (plen)) - -#define ADD_RDLEN(header, pp, plen, len) \ - (!CHECK_LEN(header, pp, plen, len) ? 0 : (((pp) += (len)), 1)) - int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, char *name, int isExtract, int extrabytes) { unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL; - unsigned int j, l, hops = 0; + unsigned int j, l, namelen = 0, hops = 0; int retvalue = 1; if (isExtract) @@ -43,8 +36,8 @@ int extract_name(struct dns_header *header, size_t ple if ((l = *p++) == 0) /* end marker */ { - /* check that there are the correct no of bytes after the name */ - if (!CHECK_LEN(header, p, plen, extrabytes)) + /* check that there are the correct no. of bytes after the name */ + if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes)) return 0; if (isExtract) @@ -84,49 +77,10 @@ int extract_name(struct dns_header *header, size_t ple p = l + (unsigned char *)header; } - else if (label_type == 0x80) - return 0; /* reserved */ - else if (label_type == 0x40) - { /* ELT */ - unsigned int count, digs; - - if ((l & 0x3f) != 1) - return 0; /* we only understand bitstrings */ - - if (!isExtract) - return 0; /* Cannot compare bitsrings */ - - count = *p++; - if (count == 0) - count = 256; - digs = ((count-1)>>2)+1; - - /* output is \[x/siz]. which is digs+9 chars */ - if (cp - (unsigned char *)name + digs + 9 >= MAXDNAME) - return 0; - if (!CHECK_LEN(header, p, plen, (count-1)>>3)) - return 0; - - *cp++ = '\\'; - *cp++ = '['; - *cp++ = 'x'; - for (j=0; j> 4; - else - dig = *p++ & 0x0f; - - *cp++ = dig < 10 ? dig + '0' : dig + 'A' - 10; - } - cp += sprintf((char *)cp, "/%d]", count); - /* do this here to overwrite the zero char from sprintf */ - *cp++ = '.'; - } - else + else if (label_type == 0x00) { /* label_type = 0 -> label. */ - if (cp - (unsigned char *)name + l + 1 >= MAXDNAME) + namelen += l + 1; /* include period */ + if (namelen >= MAXDNAME) return 0; if (!CHECK_LEN(header, p, plen, l)) return 0; @@ -135,9 +89,22 @@ int extract_name(struct dns_header *header, size_t ple if (isExtract) { unsigned char c = *p; - if (isascii(c) && !iscntrl(c) && c != '.') - *cp++ = *p; +#ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID)) + { + if (c == 0 || c == '.' || c == NAME_ESCAPE) + { + *cp++ = NAME_ESCAPE; + *cp++ = c+1; + } + else + *cp++ = c; + } else +#endif + if (c != 0 && c != '.') + *cp++ = c; + else return 0; } else @@ -151,25 +118,32 @@ int extract_name(struct dns_header *header, size_t ple cp++; if (c1 >= 'A' && c1 <= 'Z') c1 += 'a' - 'A'; +#ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE) + c1 = (*cp++)-1; +#endif + if (c2 >= 'A' && c2 <= 'Z') c2 += 'a' - 'A'; - + if (c1 != c2) retvalue = 2; } } - + if (isExtract) *cp++ = '.'; else if (*cp != 0 && *cp++ != '.') retvalue = 2; } + else + return 0; /* label types 0x40 and 0x80 not supported */ } } /* Max size of input string (for IPv6) is 75 chars.) */ #define MAXARPANAME 75 -int in_arpa_name_2_addr(char *namein, struct all_addr *addrp) +int in_arpa_name_2_addr(char *namein, union all_addr *addrp) { int j; char name[MAXARPANAME+1], *cp1; @@ -179,10 +153,10 @@ int in_arpa_name_2_addr(char *namein, struct all_addr if (strlen(namein) > MAXARPANAME) return 0; - memset(addrp, 0, sizeof(struct all_addr)); + memset(addrp, 0, sizeof(union all_addr)); /* turn name into a series of asciiz strings */ - /* j counts no of labels */ + /* j counts no. of labels */ for(j = 1,cp1 = name; *namein; cp1++, namein++) if (*namein == '.') { @@ -202,7 +176,7 @@ int in_arpa_name_2_addr(char *namein, struct all_addr if (hostname_isequal(lastchunk, "arpa") && hostname_isequal(penchunk, "in-addr")) { /* IP v4 */ - /* address arives as a name of the form + /* address arrives as a name of the form www.xxx.yyy.zzz.in-addr.arpa some of the low order address octets might be missing and should be set to zero. */ @@ -224,7 +198,6 @@ int in_arpa_name_2_addr(char *namein, struct all_addr return F_IPV4; } -#ifdef HAVE_IPV6 else if (hostname_isequal(penchunk, "ip6") && (hostname_isequal(lastchunk, "int") || hostname_isequal(lastchunk, "arpa"))) { @@ -232,7 +205,7 @@ int in_arpa_name_2_addr(char *namein, struct all_addr Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa] or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa] - Note that most of these the various reprentations are obsolete and + Note that most of these the various representations are obsolete and left-over from the many DNS-for-IPv6 wars. We support all the formats that we can since there is no reason not to. */ @@ -261,7 +234,7 @@ int in_arpa_name_2_addr(char *namein, struct all_addr if (*(cp1+1) || !isxdigit((unsigned char)*cp1)) return 0; - for (j = sizeof(struct all_addr)-1; j>0; j--) + for (j = sizeof(struct in6_addr)-1; j>0; j--) addr[j] = (addr[j] >> 4) | (addr[j-1] << 4); addr[0] = (addr[0] >> 4) | (strtol(cp1, NULL, 16) << 4); } @@ -269,12 +242,11 @@ int in_arpa_name_2_addr(char *namein, struct all_addr return F_IPV6; } } -#endif return 0; } -static unsigned char *skip_name(unsigned char *ansp, struct dns_header *header, size_t plen, int extrabytes) +unsigned char *skip_name(unsigned char *ansp, struct dns_header *header, size_t plen, int extrabytes) { while(1) { @@ -344,7 +316,7 @@ unsigned char *skip_questions(struct dns_header *heade return ansp; } -static unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen) +unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen) { int i, rdlen; @@ -361,54 +333,6 @@ static unsigned char *skip_section(unsigned char *ansp return ansp; } -/* CRC the question section. This is used to safely detect query - retransmision and to detect answers to questions we didn't ask, which - might be poisoning attacks. Note that we decode the name rather - than CRC the raw bytes, since replies might be compressed differently. - We ignore case in the names for the same reason. Return all-ones - if there is not question section. */ -unsigned int questions_crc(struct dns_header *header, size_t plen, char *name) -{ - int q; - unsigned int crc = 0xffffffff; - unsigned char *p1, *p = (unsigned char *)(header+1); - - for (q = ntohs(header->qdcount); q != 0; q--) - { - if (!extract_name(header, plen, &p, name, 1, 4)) - return crc; /* bad packet */ - - for (p1 = (unsigned char *)name; *p1; p1++) - { - int i = 8; - char c = *p1; - - if (c >= 'A' && c <= 'Z') - c += 'a' - 'A'; - - crc ^= c << 24; - while (i--) - crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; - } - - /* CRC the class and type as well */ - for (p1 = p; p1 < p+4; p1++) - { - int i = 8; - crc ^= *p1 << 24; - while (i--) - crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; - } - - p += 4; - if (!CHECK_LEN(header, p, plen, 0)) - return crc; /* bad packet */ - } - - return crc; -} - - size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen) { unsigned char *ansp = skip_questions(header, plen); @@ -433,210 +357,36 @@ size_t resize_packet(struct dns_header *header, size_t return ansp - (unsigned char *)header; } -unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t *len, unsigned char **p, int *is_sign) -{ - /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it. - also return length of pseudoheader in *len and pointer to the UDP size in *p - Finally, check to see if a packet is signed. If it is we cannot change a single bit before - forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */ - - int i, arcount = ntohs(header->arcount); - unsigned char *ansp = (unsigned char *)(header+1); - unsigned short rdlen, type, class; - unsigned char *ret = NULL; - - if (is_sign) - { - *is_sign = 0; - - if (OPCODE(header) == QUERY) - { - for (i = ntohs(header->qdcount); i != 0; i--) - { - if (!(ansp = skip_name(ansp, header, plen, 4))) - return NULL; - - GETSHORT(type, ansp); - GETSHORT(class, ansp); - - if (class == C_IN && type == T_TKEY) - *is_sign = 1; - } - } - } - else - { - if (!(ansp = skip_questions(header, plen))) - return NULL; - } - - if (arcount == 0) - return NULL; - - if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount), header, plen))) - return NULL; - - for (i = 0; i < arcount; i++) - { - unsigned char *save, *start = ansp; - if (!(ansp = skip_name(ansp, header, plen, 10))) - return NULL; - - GETSHORT(type, ansp); - save = ansp; - GETSHORT(class, ansp); - ansp += 4; /* TTL */ - GETSHORT(rdlen, ansp); - if (!ADD_RDLEN(header, ansp, plen, rdlen)) - return NULL; - if (type == T_OPT) - { - if (len) - *len = ansp - start; - if (p) - *p = save; - ret = start; - } - else if (is_sign && - i == arcount - 1 && - class == C_ANY && - (type == T_SIG || type == T_TSIG)) - *is_sign = 1; - } - - return ret; -} - -struct macparm { - unsigned char *limit; - struct dns_header *header; - size_t plen; - union mysockaddr *l3; -}; - -static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv) -{ - struct macparm *parm = parmv; - int match = 0; - unsigned short rdlen; - struct dns_header *header = parm->header; - unsigned char *lenp, *datap, *p; - - if (family == parm->l3->sa.sa_family) - { - if (family == AF_INET && memcmp (&parm->l3->in.sin_addr, addrp, INADDRSZ) == 0) - match = 1; -#ifdef HAVE_IPV6 - else - if (family == AF_INET6 && memcmp (&parm->l3->in6.sin6_addr, addrp, IN6ADDRSZ) == 0) - match = 1; -#endif - } - - if (!match) - return 1; /* continue */ - - if (ntohs(header->arcount) == 0) - { - /* We are adding the pseudoheader */ - if (!(p = skip_questions(header, parm->plen)) || - !(p = skip_section(p, - ntohs(header->ancount) + ntohs(header->nscount), - header, parm->plen))) - return 0; - *p++ = 0; /* empty name */ - PUTSHORT(T_OPT, p); - PUTSHORT(PACKETSZ, p); /* max packet length - is 512 suitable default for non-EDNS0 resolvers? */ - PUTLONG(0, p); /* extended RCODE */ - lenp = p; - PUTSHORT(0, p); /* RDLEN */ - rdlen = 0; - if (((ssize_t)maclen) > (parm->limit - (p + 4))) - return 0; /* Too big */ - header->arcount = htons(1); - datap = p; - } - else - { - int i, is_sign; - unsigned short code, len; - - if (ntohs(header->arcount) != 1 || - !(p = find_pseudoheader(header, parm->plen, NULL, NULL, &is_sign)) || - is_sign || - (!(p = skip_name(p, header, parm->plen, 10)))) - return 0; - - p += 8; /* skip UDP length and RCODE */ - - lenp = p; - GETSHORT(rdlen, p); - if (!CHECK_LEN(header, p, parm->plen, rdlen)) - return 0; /* bad packet */ - datap = p; - - /* check if option already there */ - for (i = 0; i + 4 < rdlen; i += len + 4) - { - GETSHORT(code, p); - GETSHORT(len, p); - if (code == EDNS0_OPTION_MAC) - return 0; - p += len; - } - - if (((ssize_t)maclen) > (parm->limit - (p + 4))) - return 0; /* Too big */ - } - - PUTSHORT(EDNS0_OPTION_MAC, p); - PUTSHORT(maclen, p); - memcpy(p, mac, maclen); - p += maclen; - - PUTSHORT(p - datap, lenp); - parm->plen = p - (unsigned char *)header; - - return 0; /* done */ -} - - -size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysockaddr *l3) -{ - struct macparm parm; - -/* Must have an existing pseudoheader as the only ar-record, - or have no ar-records. Must also not be signed */ - - if (ntohs(header->arcount) > 1) - return plen; - - parm.header = header; - parm.limit = (unsigned char *)limit; - parm.plen = plen; - parm.l3 = l3; - - iface_enumerate(AF_UNSPEC, &parm, filter_mac); - - return parm.plen; -} - - /* is addr in the non-globally-routed IP space? */ -static int private_net(struct in_addr addr, int ban_localhost) +int private_net(struct in_addr addr, int ban_localhost) { in_addr_t ip_addr = ntohl(addr.s_addr); return - (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || - ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || + (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ || + ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ || ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ || ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ || - ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ; + ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ || + ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ || + ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test-net) */ || + ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test-net) */ || + ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test-net) */ || + ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ; } -static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name) +static int private_net6(struct in6_addr *a) { + return + IN6_IS_ADDR_UNSPECIFIED(a) || /* RFC 6303 4.3 */ + IN6_IS_ADDR_LOOPBACK(a) || /* RFC 6303 4.3 */ + IN6_IS_ADDR_LINKLOCAL(a) || /* RFC 6303 4.5 */ + ((unsigned char *)a)[0] == 0xfd || /* RFC 6303 4.4 */ + ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */ +} + +static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored) +{ int i, qtype, qclass, rdlen; for (i = count; i != 0; i--) @@ -680,6 +430,7 @@ static unsigned char *do_doctor(unsigned char *p, int addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr); /* Since we munged the data, the server it came from is no longer authoritative */ header->hb3 &= ~HB3_AA; + *doctored = 1; memcpy(p, &addr, INADDRSZ); break; } @@ -693,6 +444,8 @@ static unsigned char *do_doctor(unsigned char *p, int { unsigned int i, len = *p1; unsigned char *p2 = p1; + if ((p1 + len - p) >= rdlen) + return 0; /* bad packet */ /* make counted string zero-term and sanitise */ for (i = 0; i < len; i++) { @@ -718,7 +471,7 @@ static unsigned char *do_doctor(unsigned char *p, int return p; } -static int find_soa(struct dns_header *header, size_t qlen, char *name) +static int find_soa(struct dns_header *header, size_t qlen, char *name, int *doctored) { unsigned char *p; int qtype, qclass, rdlen; @@ -727,7 +480,7 @@ static int find_soa(struct dns_header *header, size_t /* first move to NS section and find TTL from any SOA section */ if (!(p = skip_questions(header, qlen)) || - !(p = do_doctor(p, ntohs(header->ancount), header, qlen, name))) + !(p = do_doctor(p, ntohs(header->ancount), header, qlen, name, doctored))) return 0; /* bad packet */ for (i = ntohs(header->nscount); i != 0; i--) @@ -762,8 +515,8 @@ static int find_soa(struct dns_header *header, size_t return 0; /* bad packet */ } - /* rewrite addresses in additioal section too */ - if (!do_doctor(p, ntohs(header->arcount), header, qlen, NULL)) + /* rewrite addresses in additional section too */ + if (!do_doctor(p, ntohs(header->arcount), header, qlen, NULL, doctored)) return 0; if (!found_soa) @@ -777,25 +530,39 @@ static int find_soa(struct dns_header *header, size_t expired and cleaned out that way. Return 1 if we reject an address because it look like part of dns-rebinding attack. */ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now, - char **ipsets, int is_sign, int check_rebind, int checking_disabled) + char **ipsets, int is_sign, int check_rebind, int no_cache_dnssec, + int secure, int *doctored) { unsigned char *p, *p1, *endrr, *namep; int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0; unsigned long ttl = 0; - struct all_addr addr; + union all_addr addr; #ifdef HAVE_IPSET char **ipsets_cur; #else (void)ipsets; /* unused */ #endif + cache_start_insert(); /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */ - if (daemon->doctors || option_bool(OPT_LOG)) + if (daemon->doctors || option_bool(OPT_LOG) || option_bool(OPT_DNSSEC_VALID)) { searched_soa = 1; - ttl = find_soa(header, qlen, name); + ttl = find_soa(header, qlen, name, doctored); + + if (*doctored) + { + if (secure) + return 0; +#ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID)) + for (i = 0; i < ntohs(header->ancount); i++) + if (daemon->rr_status[i] != 0) + return 0; +#endif + } } /* go through the questions. */ @@ -803,11 +570,14 @@ int extract_addresses(struct dns_header *header, size_ for (i = ntohs(header->qdcount); i != 0; i--) { - int found = 0, cname_count = 5; + int found = 0, cname_count = CNAME_CHAIN; struct crec *cpp = NULL; int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0; +#ifdef HAVE_DNSSEC + int cname_short = 0; +#endif unsigned long cttl = ULONG_MAX, attl; - + namep = p; if (!extract_name(header, qlen, &p, name, 1, 4)) return 0; /* bad packet */ @@ -833,8 +603,9 @@ int extract_addresses(struct dns_header *header, size_ if (!(p1 = skip_questions(header, qlen))) return 0; - for (j = ntohs(header->ancount); j != 0; j--) + for (j = 0; j < ntohs(header->ancount); j++) { + int secflag = 0; unsigned char *tmp = namep; /* the loop body overwrites the original name, so get it back here. */ if (!extract_name(header, qlen, &tmp, name, 1, 0) || @@ -860,15 +631,31 @@ int extract_addresses(struct dns_header *header, size_ { if (!extract_name(header, qlen, &p1, name, 1, 0)) return 0; - +#ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j] != 0) + { + /* validated RR anywhere in CNAME chain, don't cache. */ + if (cname_short || aqtype == T_CNAME) + return 0; + + secflag = F_DNSSECOK; + /* limit TTL based on signature. */ + if (daemon->rr_status[j] < cttl) + cttl = daemon->rr_status[j]; + } +#endif + if (aqtype == T_CNAME) { if (!cname_count--) - return 0; /* looped CNAMES */ + return 0; /* looped CNAMES, we can't cache. */ +#ifdef HAVE_DNSSEC + cname_short = 1; +#endif goto cname_loop; } - cache_insert(name, &addr, now, cttl, name_encoding | F_REVERSE); + cache_insert(name, &addr, C_IN, now, cttl, name_encoding | secflag | F_REVERSE); found = 1; } @@ -883,118 +670,182 @@ int extract_addresses(struct dns_header *header, size_ if (!searched_soa) { searched_soa = 1; - ttl = find_soa(header, qlen, NULL); + ttl = find_soa(header, qlen, NULL, doctored); } if (ttl) - cache_insert(NULL, &addr, now, ttl, name_encoding | F_REVERSE | F_NEG | flags); + cache_insert(NULL, &addr, C_IN, now, ttl, name_encoding | F_REVERSE | F_NEG | flags | (secure ? F_DNSSECOK : 0)); } } else { /* everything other than PTR */ struct crec *newc; - int addrlen; + int addrlen = 0; if (qtype == T_A) { addrlen = INADDRSZ; flags |= F_IPV4; } -#ifdef HAVE_IPV6 else if (qtype == T_AAAA) { addrlen = IN6ADDRSZ; flags |= F_IPV6; } -#endif - else + else if (qtype == T_SRV) + flags |= F_SRV; + else continue; - if (!(flags & F_NXDOMAIN)) + cname_loop1: + if (!(p1 = skip_questions(header, qlen))) + return 0; + + for (j = 0; j < ntohs(header->ancount); j++) { - cname_loop1: - if (!(p1 = skip_questions(header, qlen))) - return 0; + int secflag = 0; - for (j = ntohs(header->ancount); j != 0; j--) + if (!(res = extract_name(header, qlen, &p1, name, 0, 10))) + return 0; /* bad packet */ + + GETSHORT(aqtype, p1); + GETSHORT(aqclass, p1); + GETLONG(attl, p1); + if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign) { - if (!(res = extract_name(header, qlen, &p1, name, 0, 10))) - return 0; /* bad packet */ - - GETSHORT(aqtype, p1); - GETSHORT(aqclass, p1); - GETLONG(attl, p1); - if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign) + (p1) -= 4; + PUTLONG(daemon->max_ttl, p1); + } + GETSHORT(ardlen, p1); + endrr = p1+ardlen; + + if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == qtype)) + { +#ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j] != 0) { - (p1) -= 4; - PUTLONG(daemon->max_ttl, p1); + secflag = F_DNSSECOK; + + /* limit TTl based on sig. */ + if (daemon->rr_status[j] < attl) + attl = daemon->rr_status[j]; } - GETSHORT(ardlen, p1); - endrr = p1+ardlen; - - if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == qtype)) +#endif + if (aqtype == T_CNAME) { - if (aqtype == T_CNAME) + if (!cname_count--) + return 0; /* looped CNAMES */ + + if ((newc = cache_insert(name, NULL, C_IN, now, attl, F_CNAME | F_FORWARD | secflag))) { - if (!cname_count--) - return 0; /* looped CNAMES */ - newc = cache_insert(name, NULL, now, attl, F_CNAME | F_FORWARD); - if (newc) + newc->addr.cname.target.cache = NULL; + newc->addr.cname.is_name_ptr = 0; + if (cpp) { - newc->addr.cname.cache = NULL; - if (cpp) - { - cpp->addr.cname.cache = newc; - cpp->addr.cname.uid = newc->uid; - } + next_uid(newc); + cpp->addr.cname.target.cache = newc; + cpp->addr.cname.uid = newc->uid; } + } + + cpp = newc; + if (attl < cttl) + cttl = attl; + + namep = p1; + if (!extract_name(header, qlen, &p1, name, 1, 0)) + return 0; + + goto cname_loop1; + } + else if (!(flags & F_NXDOMAIN)) + { + found = 1; + + if (flags & F_SRV) + { + unsigned char *tmp = namep; - cpp = newc; - if (attl < cttl) - cttl = attl; - - if (!extract_name(header, qlen, &p1, name, 1, 0)) - return 0; - goto cname_loop1; + if (!CHECK_LEN(header, p1, qlen, 6)) + return 0; /* bad packet */ + GETSHORT(addr.srv.priority, p1); + GETSHORT(addr.srv.weight, p1); + GETSHORT(addr.srv.srvport, p1); + if (!extract_name(header, qlen, &p1, name, 1, 0)) + return 0; + addr.srv.targetlen = strlen(name) + 1; /* include terminating zero */ + if (!(addr.srv.target = blockdata_alloc(name, addr.srv.targetlen))) + return 0; + + /* we overwrote the original name, so get it back here. */ + if (!extract_name(header, qlen, &tmp, name, 1, 0)) + return 0; } else { - found = 1; - /* copy address into aligned storage */ if (!CHECK_LEN(header, p1, qlen, addrlen)) return 0; /* bad packet */ memcpy(&addr, p1, addrlen); - + /* check for returned address in private space */ - if (check_rebind && - (flags & F_IPV4) && - private_net(addr.addr.addr4, !option_bool(OPT_LOCAL_REBIND))) - return 1; + if (check_rebind) + { + if ((flags & F_IPV4) && + private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND))) + return 1; + /* Block IPv4-mapped IPv6 addresses in private IPv4 address space */ + if (flags & F_IPV6) + { + if (IN6_IS_ADDR_V4MAPPED(&addr.addr6)) + { + struct in_addr v4; + v4.s_addr = ((const uint32_t *) (&addr.addr6))[3]; + if (private_net(v4, !option_bool(OPT_LOCAL_REBIND))) + return 1; + } + + /* Check for link-local (LL) and site-local (ULA) IPv6 addresses */ + if (IN6_IS_ADDR_LINKLOCAL(&addr.addr6) || + IN6_IS_ADDR_SITELOCAL(&addr.addr6)) + return 1; + + /* Check for the IPv6 loopback address (::1) when + option rebind-localhost-ok is NOT set */ + if (!option_bool(OPT_LOCAL_REBIND) && + IN6_IS_ADDR_LOOPBACK(&addr.addr6)) + return 1; + } + } + #ifdef HAVE_IPSET if (ipsets && (flags & (F_IPV4 | F_IPV6))) { ipsets_cur = ipsets; while (*ipsets_cur) - add_to_ipset(*ipsets_cur++, &addr, flags, 0); + { + log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, name, &addr, *ipsets_cur); + add_to_ipset(*ipsets_cur++, &addr, flags, 0); + } } #endif - - newc = cache_insert(name, &addr, now, attl, flags | F_FORWARD); - if (newc && cpp) - { - cpp->addr.cname.cache = newc; - cpp->addr.cname.uid = newc->uid; - } - cpp = NULL; } + + newc = cache_insert(name, &addr, C_IN, now, attl, flags | F_FORWARD | secflag); + if (newc && cpp) + { + next_uid(newc); + cpp->addr.cname.target.cache = newc; + cpp->addr.cname.uid = newc->uid; + } + cpp = NULL; } - - p1 = endrr; - if (!CHECK_LEN(header, p1, qlen, 0)) - return 0; /* bad packet */ } + + p1 = endrr; + if (!CHECK_LEN(header, p1, qlen, 0)) + return 0; /* bad packet */ } if (!found && !option_bool(OPT_NO_NEG)) @@ -1002,16 +853,17 @@ int extract_addresses(struct dns_header *header, size_ if (!searched_soa) { searched_soa = 1; - ttl = find_soa(header, qlen, NULL); + ttl = find_soa(header, qlen, NULL, doctored); } /* If there's no SOA to get the TTL from, but there is a CNAME pointing at this, inherit its TTL */ if (ttl || cpp) { - newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags); + newc = cache_insert(name, NULL, C_IN, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | (secure ? F_DNSSECOK : 0)); if (newc && cpp) { - cpp->addr.cname.cache = newc; + next_uid(newc); + cpp->addr.cname.target.cache = newc; cpp->addr.cname.uid = newc->uid; } } @@ -1020,15 +872,13 @@ int extract_addresses(struct dns_header *header, size_ } /* Don't put stuff from a truncated packet into the cache. - Don't cache replies where DNSSEC validation was turned off, either - the upstream server told us so, or the original query specified it. Don't cache replies from non-recursive nameservers, since we may get a reply containing a CNAME but not its target, even though the target does exist. */ if (!(header->hb3 & HB3_TC) && !(header->hb4 & HB4_CD) && (header->hb4 & HB4_RA) && - !checking_disabled) + !no_cache_dnssec) cache_end_insert(); return 0; @@ -1036,7 +886,6 @@ int extract_addresses(struct dns_header *header, size_ /* If the packet holds exactly one query return F_IPV4 or F_IPV6 and leave the name from the query in name */ - unsigned int extract_request(struct dns_header *header, size_t qlen, char *name, unsigned short *typep) { unsigned char *p = (unsigned char *)(header+1); @@ -1066,86 +915,105 @@ unsigned int extract_request(struct dns_header *header if (qtype == T_ANY) return F_IPV4 | F_IPV6; } + + /* F_DNSSECOK as agument to search_servers() inhibits forwarding + to servers for domains without a trust anchor. This make the + behaviour for DS and DNSKEY queries we forward the same + as for DS and DNSKEY queries we originate. */ + if (qtype == T_DS || qtype == T_DNSKEY) + return F_DNSSECOK; return F_QUERY; } - size_t setup_reply(struct dns_header *header, size_t qlen, - struct all_addr *addrp, unsigned int flags, unsigned long ttl) + union all_addr *addrp, unsigned int flags, unsigned long ttl) { - unsigned char *p = skip_questions(header, qlen); + unsigned char *p; + if (!(p = skip_questions(header, qlen))) + return 0; + /* clear authoritative and truncated flags, set QR flag */ - header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR; - /* set RA flag */ - header->hb4 |= HB4_RA; + header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC )) | HB3_QR; + /* clear AD flag, set RA flag */ + header->hb4 = (header->hb4 & ~HB4_AD) | HB4_RA; header->nscount = htons(0); header->arcount = htons(0); header->ancount = htons(0); /* no answers unless changed below */ - if (flags == F_NEG) - SET_RCODE(header, SERVFAIL); /* couldn't get memory */ - else if (flags == F_NOERR) + if (flags == F_NOERR) SET_RCODE(header, NOERROR); /* empty domain */ else if (flags == F_NXDOMAIN) SET_RCODE(header, NXDOMAIN); - else if (p && flags == F_IPV4) - { /* we know the address */ - SET_RCODE(header, NOERROR); - header->ancount = htons(1); - header->hb3 |= HB3_AA; - add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp); + else if (flags == F_SERVFAIL) + { + union all_addr a; + a.log.rcode = SERVFAIL; + log_query(F_CONFIG | F_RCODE, "error", &a, NULL); + SET_RCODE(header, SERVFAIL); } -#ifdef HAVE_IPV6 - else if (p && flags == F_IPV6) + else if (flags & ( F_IPV4 | F_IPV6)) { - SET_RCODE(header, NOERROR); - header->ancount = htons(1); - header->hb3 |= HB3_AA; - add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_AAAA, C_IN, "6", addrp); + if (flags & F_IPV4) + { /* we know the address */ + SET_RCODE(header, NOERROR); + header->ancount = htons(1); + header->hb3 |= HB3_AA; + add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp); + } + + if (flags & F_IPV6) + { + SET_RCODE(header, NOERROR); + header->ancount = htons(ntohs(header->ancount) + 1); + header->hb3 |= HB3_AA; + add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_AAAA, C_IN, "6", addrp); + } } -#endif else /* nowhere to forward to */ - SET_RCODE(header, REFUSED); - + { + union all_addr a; + a.log.rcode = REFUSED; + log_query(F_CONFIG | F_RCODE, "error", &a, NULL); + SET_RCODE(header, REFUSED); + } + return p - (unsigned char *)header; } /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */ int check_for_local_domain(char *name, time_t now) { - struct crec *crecp; struct mx_srv_record *mx; struct txt_record *txt; struct interface_name *intr; struct ptr_record *ptr; struct naptr *naptr; - if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME)) && - (crecp->flags & (F_HOSTS | F_DHCP))) - return 1; - for (naptr = daemon->naptr; naptr; naptr = naptr->next) - if (hostname_isequal(name, naptr->name)) + if (hostname_issubdomain(name, naptr->name)) return 1; for (mx = daemon->mxnames; mx; mx = mx->next) - if (hostname_isequal(name, mx->name)) + if (hostname_issubdomain(name, mx->name)) return 1; for (txt = daemon->txt; txt; txt = txt->next) - if (hostname_isequal(name, txt->name)) + if (hostname_issubdomain(name, txt->name)) return 1; for (intr = daemon->int_names; intr; intr = intr->next) - if (hostname_isequal(name, intr->name)) + if (hostname_issubdomain(name, intr->name)) return 1; for (ptr = daemon->ptr; ptr; ptr = ptr->next) - if (hostname_isequal(name, ptr->name)) + if (hostname_issubdomain(name, ptr->name)) return 1; - + + if (cache_find_non_terminal(name, now)) + return 1; + return 0; } @@ -1185,7 +1053,7 @@ int check_for_bogus_wildcard(struct dns_header *header /* Found a bogus address. Insert that info here, since there no SOA record to get the ttl from in the normal processing */ cache_start_insert(); - cache_insert(name, NULL, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN | F_CONFIG); + cache_insert(name, NULL, C_IN, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN); cache_end_insert(); return 1; @@ -1199,6 +1067,44 @@ int check_for_bogus_wildcard(struct dns_header *header return 0; } +int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr) +{ + unsigned char *p; + int i, qtype, qclass, rdlen; + struct bogus_addr *baddrp; + + /* skip over questions */ + if (!(p = skip_questions(header, qlen))) + return 0; /* bad packet */ + + for (i = ntohs(header->ancount); i != 0; i--) + { + if (!(p = skip_name(p, header, qlen, 10))) + return 0; /* bad packet */ + + GETSHORT(qtype, p); + GETSHORT(qclass, p); + p += 4; /* TTL */ + GETSHORT(rdlen, p); + + if (qclass == C_IN && qtype == T_A) + { + if (!CHECK_LEN(header, p, qlen, INADDRSZ)) + return 0; + + for (baddrp = baddr; baddrp; baddrp = baddrp->next) + if (memcmp(&baddrp->addr, p, INADDRSZ) == 0) + return 1; + } + + if (!ADD_RDLEN(header, p, qlen, rdlen)) + return 0; + } + + return 0; +} + + int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...) { @@ -1208,29 +1114,41 @@ int add_resource_record(struct dns_header *header, cha unsigned short usval; long lval; char *sval; + +#define CHECK_LIMIT(size) \ + if (limit && p + (size) > (unsigned char*)limit) goto truncated; - if (truncp && *truncp) - return 0; - va_start(ap, format); /* make ap point to 1st unamed argument */ + if (truncp && *truncp) + goto truncated; + if (nameoffset > 0) { + CHECK_LIMIT(2); PUTSHORT(nameoffset | 0xc000, p); } else { char *name = va_arg(ap, char *); - if (name) - p = do_rfc1035_name(p, name); + if (name && !(p = do_rfc1035_name(p, name, limit))) + goto truncated; + if (nameoffset < 0) { + CHECK_LIMIT(2); PUTSHORT(-nameoffset | 0xc000, p); } else - *p++ = 0; + { + CHECK_LIMIT(1); + *p++ = 0; + } } + /* type (2) + class (2) + ttl (4) + rdlen (2) */ + CHECK_LIMIT(10); + PUTSHORT(type, p); PUTSHORT(class, p); PUTLONG(ttl, p); /* TTL */ @@ -1241,40 +1159,51 @@ int add_resource_record(struct dns_header *header, cha for (; *format; format++) switch (*format) { -#ifdef HAVE_IPV6 case '6': + CHECK_LIMIT(IN6ADDRSZ); sval = va_arg(ap, char *); memcpy(p, sval, IN6ADDRSZ); p += IN6ADDRSZ; break; -#endif case '4': + CHECK_LIMIT(INADDRSZ); sval = va_arg(ap, char *); memcpy(p, sval, INADDRSZ); p += INADDRSZ; break; + case 'b': + CHECK_LIMIT(1); + usval = va_arg(ap, int); + *p++ = usval; + break; + case 's': + CHECK_LIMIT(2); usval = va_arg(ap, int); PUTSHORT(usval, p); break; case 'l': + CHECK_LIMIT(4); lval = va_arg(ap, long); PUTLONG(lval, p); break; case 'd': - /* get domain-name answer arg and store it in RDATA field */ - if (offset) - *offset = p - (unsigned char *)header; - p = do_rfc1035_name(p, va_arg(ap, char *)); - *p++ = 0; + /* get domain-name answer arg and store it in RDATA field */ + if (offset) + *offset = p - (unsigned char *)header; + if (!(p = do_rfc1035_name(p, va_arg(ap, char *), limit))) + goto truncated; + CHECK_LIMIT(1); + *p++ = 0; break; case 't': usval = va_arg(ap, int); + CHECK_LIMIT(usval); sval = va_arg(ap, char *); if (usval != 0) memcpy(p, sval, usval); @@ -1286,6 +1215,7 @@ int add_resource_record(struct dns_header *header, cha usval = sval ? strlen(sval) : 0; if (usval > 255) usval = 255; + CHECK_LIMIT(usval + 1); *p++ = (unsigned char)usval; memcpy(p, sval, usval); p += usval; @@ -1294,84 +1224,90 @@ int add_resource_record(struct dns_header *header, cha va_end(ap); /* clean up variable argument pointer */ + /* Now, store real RDLength. sav already checked against limit. */ j = p - sav - 2; - PUTSHORT(j, sav); /* Now, store real RDLength */ + PUTSHORT(j, sav); - /* check for overflow of buffer */ - if (limit && ((unsigned char *)limit - p) < 0) - { - if (truncp) - *truncp = 1; - return 0; - } - *pp = p; return 1; + + truncated: + va_end(ap); + if (truncp) + *truncp = 1; + return 0; + +#undef CHECK_LIMIT } static unsigned long crec_ttl(struct crec *crecp, time_t now) { /* Return 0 ttl for DHCP entries, which might change - before the lease expires. */ + before the lease expires, unless configured otherwise. */ - if (crecp->flags & (F_IMMORTAL | F_DHCP)) - return daemon->local_ttl; + if (crecp->flags & F_DHCP) + { + int conf_ttl = daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl; + + /* Apply ceiling of actual lease length to configured TTL. */ + if (!(crecp->flags & F_IMMORTAL) && (crecp->ttd - now) < conf_ttl) + return crecp->ttd - now; + + return conf_ttl; + } - /* Return the Max TTL value if it is lower then the actual TTL */ + /* Immortal entries other than DHCP are local, and hold TTL in TTD field. */ + if (crecp->flags & F_IMMORTAL) + return crecp->ttd; + + /* Return the Max TTL value if it is lower than the actual TTL */ if (daemon->max_ttl == 0 || ((unsigned)(crecp->ttd - now) < daemon->max_ttl)) return crecp->ttd - now; else return daemon->max_ttl; } - +static int cache_validated(const struct crec *crecp) +{ + return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)); +} + /* return zero if we can't answer from cache, or packet size if we can */ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - struct in_addr local_addr, struct in_addr local_netmask, time_t now) + struct in_addr local_addr, struct in_addr local_netmask, + time_t now, int ad_reqd, int do_bit, int have_pseudoheader) { char *name = daemon->namebuff; - unsigned char *p, *ansp, *pheader; - int qtype, qclass; - struct all_addr addr; + unsigned char *p, *ansp; + unsigned int qtype, qclass; + union all_addr addr; int nameoffset; unsigned short flag; int q, ans, anscount = 0, addncount = 0; - int dryrun = 0, sec_reqd = 0; - int is_sign; + int dryrun = 0; struct crec *crecp; - int nxdomain = 0, auth = 1, trunc = 0; + int nxdomain = 0, notimp = 0, auth = 1, trunc = 0, sec_data = 1; struct mx_srv_record *rec; - - /* If there is an RFC2671 pseudoheader then it will be overwritten by - partial replies, so we have to do a dry run to see if we can answer - the query. We check to see if the do bit is set, if so we always - forward rather than answering from the cache, which doesn't include - security information. */ + size_t len; + int rd_bit = (header->hb3 & HB3_RD); - if (find_pseudoheader(header, qlen, NULL, &pheader, &is_sign)) - { - unsigned short udpsz, flags; - unsigned char *psave = pheader; - - GETSHORT(udpsz, pheader); - pheader += 2; /* ext_rcode */ - GETSHORT(flags, pheader); - - sec_reqd = flags & 0x8000; /* do bit */ - - /* If our client is advertising a larger UDP packet size - than we allow, trim it so that we don't get an overlarge - response from upstream */ - - if (!is_sign && (udpsz > daemon->edns_pktsz)) - PUTSHORT(daemon->edns_pktsz, psave); - - dryrun = 1; - } - - if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) + /* never answer queries with RD unset, to avoid cache snooping. */ + if (ntohs(header->ancount) != 0 || + ntohs(header->nscount) != 0 || + ntohs(header->qdcount) == 0 || + OPCODE(header) != QUERY ) return 0; + + /* Don't return AD set if checking disabled. */ + if (header->hb4 & HB4_CD) + sec_data = 0; + /* If there is an additional data section then it will be overwritten by + partial replies, so we have to do a dry run to see if we can answer + the query. */ + if (ntohs(header->arcount) != 0) + dryrun = 1; + for (rec = daemon->mxnames; rec; rec = rec->next) rec->offset = 0; @@ -1385,6 +1321,8 @@ size_t answer_request(struct dns_header *header, char for (q = ntohs(header->qdcount); q != 0; q--) { + int count = 255; /* catch loops */ + /* save pointer to name for copying into answers */ nameoffset = p - (unsigned char *)header; @@ -1396,7 +1334,37 @@ size_t answer_request(struct dns_header *header, char GETSHORT(qclass, p); ans = 0; /* have we answered this question */ - + + while (--count != 0 && (crecp = cache_find_by_name(NULL, name, now, F_CNAME))) + { + char *cname_target = cache_get_cname_target(crecp); + + /* If the client asked for DNSSEC don't use cached data. */ + if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || + (rd_bit && (!do_bit || cache_validated(crecp)))) + { + if (crecp->flags & F_CONFIG || qtype == T_CNAME) + ans = 1; + + if (!(crecp->flags & F_DNSSECOK)) + sec_data = 0; + + if (!dryrun) + { + log_query(crecp->flags, name, NULL, record_source(crecp->uid)); + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, + crec_ttl(crecp, now), &nameoffset, + T_CNAME, C_IN, "d", cname_target)) + anscount++; + } + + } + else + return 0; /* give up if any cached CNAME in chain can't be used for DNSSEC reasons. */ + + strcpy(name, cname_target); + } + if (qtype == T_TXT || qtype == T_ANY) { struct txt_record *t; @@ -1404,16 +1372,47 @@ size_t answer_request(struct dns_header *header, char { if (t->class == qclass && hostname_isequal(name, t->name)) { - ans = 1; + ans = 1, sec_data = 0; if (!dryrun) { - log_query(F_CONFIG | F_RRNAME, name, NULL, ""); - if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, - daemon->local_ttl, NULL, - T_TXT, t->class, "t", t->len, t->txt)) - anscount++; + unsigned long ttl = daemon->local_ttl; + int ok = 1; +#ifndef NO_ID + /* Dynamically generate stat record */ + if (t->stat != 0) + { + ttl = 0; + if (!cache_make_stat(t)) + ok = 0; + } +#endif + if (ok) + { + log_query(F_CONFIG | F_RRNAME, name, NULL, ""); + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, + ttl, NULL, + T_TXT, t->class, "t", t->len, t->txt)) + anscount++; + } + } + } + } + } + if (qclass == C_CHAOS) + { + /* don't forward *.bind and *.server chaos queries - always reply with NOTIMP */ + if (hostname_issubdomain("bind", name) || hostname_issubdomain("server", name)) + { + if (!ans) + { + notimp = 1, auth = 0; + if (!dryrun) + { + addr.log.rcode = NOTIMP; + log_query(F_CONFIG | F_RCODE, name, &addr, NULL); } + ans = 1, sec_data = 0; } } } @@ -1426,13 +1425,14 @@ size_t answer_request(struct dns_header *header, char if ((t->class == qtype || qtype == T_ANY) && hostname_isequal(name, t->name)) { ans = 1; + sec_data = 0; if (!dryrun) { - log_query(F_CONFIG | F_RRNAME, name, NULL, ""); + log_query(F_CONFIG | F_RRNAME, name, NULL, querystr(NULL, t->class)); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL, t->class, C_IN, "t", t->len, t->txt)) - anscount ++; + anscount++; } } @@ -1450,19 +1450,41 @@ size_t answer_request(struct dns_header *header, char if (is_arpa == F_IPV4) for (intr = daemon->int_names; intr; intr = intr->next) { - if (addr.addr.addr4.s_addr == get_ifaddr(intr->intr).s_addr) + struct addrlist *addrlist; + + for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) + if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr) + break; + + if (addrlist) break; else while (intr->next && strcmp(intr->intr, intr->next->intr) == 0) intr = intr->next; } + else if (is_arpa == F_IPV6) + for (intr = daemon->int_names; intr; intr = intr->next) + { + struct addrlist *addrlist; + + for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) + if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6)) + break; + + if (addrlist) + break; + else + while (intr->next && strcmp(intr->intr, intr->next->intr) == 0) + intr = intr->next; + } if (intr) { + sec_data = 0; ans = 1; if (!dryrun) { - log_query(F_IPV4 | F_REVERSE | F_CONFIG, intr->name, &addr, NULL); + log_query(is_arpa | F_REVERSE | F_CONFIG, intr->name, &addr, NULL); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL, T_PTR, C_IN, "d", intr->name)) @@ -1472,6 +1494,7 @@ size_t answer_request(struct dns_header *header, char else if (ptr) { ans = 1; + sec_data = 0; if (!dryrun) { log_query(F_CONFIG | F_RRNAME, name, NULL, ""); @@ -1485,252 +1508,278 @@ size_t answer_request(struct dns_header *header, char } } else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa))) - do - { - /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */ - if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP))) - continue; - - if (crecp->flags & F_NEG) - { - ans = 1; - auth = 0; - if (crecp->flags & F_NXDOMAIN) - nxdomain = 1; - if (!dryrun) - log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL); - } - else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd) - { - ans = 1; - if (!(crecp->flags & (F_HOSTS | F_DHCP))) - auth = 0; - if (!dryrun) - { - log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr, - record_source(crecp->uid)); - - if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, - crec_ttl(crecp, now), NULL, - T_PTR, C_IN, "d", cache_get_name(crecp))) - anscount++; - } - } - } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa))); - else if (is_arpa == F_IPV4 && - option_bool(OPT_BOGUSPRIV) && - private_net(addr.addr.addr4, 1)) { - /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */ + /* Don't use cache when DNSSEC data required, unless we know that + the zone is unsigned, which implies that we're doing + validation. */ + if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || + (rd_bit && (!do_bit || cache_validated(crecp)) )) + { + do + { + /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */ + if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP))) + continue; + + if (!(crecp->flags & F_DNSSECOK)) + sec_data = 0; + + ans = 1; + + if (crecp->flags & F_NEG) + { + auth = 0; + if (crecp->flags & F_NXDOMAIN) + nxdomain = 1; + if (!dryrun) + log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL); + } + else + { + if (!(crecp->flags & (F_HOSTS | F_DHCP))) + auth = 0; + if (!dryrun) + { + log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr, + record_source(crecp->uid)); + + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, + crec_ttl(crecp, now), NULL, + T_PTR, C_IN, "d", cache_get_name(crecp))) + anscount++; + } + } + } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa))); + } + } + else if (is_rev_synth(is_arpa, &addr, name)) + { ans = 1; - nxdomain = 1; + sec_data = 0; if (!dryrun) - log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN, - name, &addr, NULL); + { + log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL); + + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, + daemon->local_ttl, NULL, + T_PTR, C_IN, "d", name)) + anscount++; + } } - } - - for (flag = F_IPV4; flag; flag = (flag == F_IPV4) ? F_IPV6 : 0) - { - unsigned short type = T_A; - - if (flag == F_IPV6) -#ifdef HAVE_IPV6 - type = T_AAAA; -#else - break; -#endif - - if (qtype != type && qtype != T_ANY) - continue; - - /* Check for "A for A" queries; be rather conservative - about what looks like dotted-quad. */ - if (qtype == T_A) + else if (option_bool(OPT_BOGUSPRIV) && ( + (is_arpa == F_IPV6 && private_net6(&addr.addr6)) || + (is_arpa == F_IPV4 && private_net(addr.addr4, 1)))) { - char *cp; - unsigned int i, a; - int x; + struct server *serv; + unsigned int namelen = strlen(name); + char *nameend = name + namelen; - for (cp = name, i = 0, a = 0; *cp; i++) + /* see if have rev-server set */ + for (serv = daemon->servers; serv; serv = serv->next) { - if (!isdigit((unsigned char)*cp) || (x = strtol(cp, &cp, 10)) > 255) - { - i = 5; - break; - } - - a = (a << 8) + x; - - if (*cp == '.') - cp++; + unsigned int domainlen; + char *matchstart; + + if ((serv->flags & (SERV_HAS_DOMAIN | SERV_NO_ADDR)) != SERV_HAS_DOMAIN) + continue; + + domainlen = strlen(serv->domain); + if (domainlen == 0 || domainlen > namelen) + continue; + + matchstart = nameend - domainlen; + if (hostname_isequal(matchstart, serv->domain) && + (namelen == domainlen || *(matchstart-1) == '.' )) + break; } - - if (i == 4) + + /* if no configured server, not in cache, enabled and private IPV4 address, return NXDOMAIN */ + if (!serv) { ans = 1; + sec_data = 0; + nxdomain = 1; if (!dryrun) - { - addr.addr.addr4.s_addr = htonl(a); - log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL); - if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, - daemon->local_ttl, NULL, type, C_IN, "4", &addr)) - anscount++; - } - continue; + log_query(F_CONFIG | F_REVERSE | is_arpa | F_NEG | F_NXDOMAIN, + name, &addr, NULL); } } + } + for (flag = F_IPV4; flag; flag = (flag == F_IPV4) ? F_IPV6 : 0) + { + unsigned short type = (flag == F_IPV6) ? T_AAAA : T_A; + struct interface_name *intr; + + if (qtype != type && qtype != T_ANY) + continue; + /* interface name stuff */ - if (qtype == T_A) + for (intr = daemon->int_names; intr; intr = intr->next) + if (hostname_isequal(name, intr->name)) + break; + + if (intr) { - struct interface_name *intr; + struct addrlist *addrlist; + int gotit = 0, localise = 0; + enumerate_interfaces(0); + + /* See if a putative address is on the network from which we received + the query, is so we'll filter other answers. */ + if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A) + for (intr = daemon->int_names; intr; intr = intr->next) + if (hostname_isequal(name, intr->name)) + for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) + if (!(addrlist->flags & ADDRLIST_IPV6) && + is_same_net(addrlist->addr.addr4, local_addr, local_netmask)) + { + localise = 1; + break; + } + for (intr = daemon->int_names; intr; intr = intr->next) if (hostname_isequal(name, intr->name)) - break; - - if (intr) - { - ans = 1; - if (!dryrun) - { - if ((addr.addr.addr4 = get_ifaddr(intr->intr)).s_addr == (in_addr_t) -1) - log_query(F_FORWARD | F_CONFIG | F_IPV4 | F_NEG, name, NULL, NULL); - else + { + for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) + if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type) { - log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL); - if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, - daemon->local_ttl, NULL, type, C_IN, "4", &addr)) - anscount++; + if (localise && + !is_same_net(addrlist->addr.addr4, local_addr, local_netmask)) + continue; + + if (addrlist->flags & ADDRLIST_REVONLY) + continue; + + ans = 1; + sec_data = 0; + if (!dryrun) + { + gotit = 1; + log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL); + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, + daemon->local_ttl, NULL, type, C_IN, + type == T_A ? "4" : "6", &addrlist->addr)) + anscount++; + } } - } - continue; - } + } + + if (!dryrun && !gotit) + log_query(F_FORWARD | F_CONFIG | flag | F_NEG, name, NULL, NULL); + + continue; } - cname_restart: - if ((crecp = cache_find_by_name(NULL, name, now, flag | F_CNAME))) + if ((crecp = cache_find_by_name(NULL, name, now, flag | (dryrun ? F_NO_RR : 0)))) { int localise = 0; - /* See if a putative address is on the network from which we recieved + /* See if a putative address is on the network from which we received the query, is so we'll filter other answers. */ if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && flag == F_IPV4) { struct crec *save = crecp; do { if ((crecp->flags & F_HOSTS) && - is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask)) + is_same_net(crecp->addr.addr4, local_addr, local_netmask)) { localise = 1; break; } - } while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME))); + } while ((crecp = cache_find_by_name(crecp, name, now, flag))); crecp = save; } - - do - { - /* don't answer wildcard queries with data not from /etc/hosts - or DHCP leases */ - if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP))) - break; - - if (crecp->flags & F_CNAME) - { - if (!dryrun) - { - log_query(crecp->flags, name, NULL, record_source(crecp->uid)); - if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, - crec_ttl(crecp, now), &nameoffset, - T_CNAME, C_IN, "d", cache_get_name(crecp->addr.cname.cache))) - anscount++; - } - - strcpy(name, cache_get_name(crecp->addr.cname.cache)); - goto cname_restart; - } - - if (crecp->flags & F_NEG) - { - ans = 1; - auth = 0; - if (crecp->flags & F_NXDOMAIN) - nxdomain = 1; - if (!dryrun) - log_query(crecp->flags, name, NULL, NULL); - } - else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd) - { - /* If we are returning local answers depending on network, - filter here. */ - if (localise && - (crecp->flags & F_HOSTS) && - !is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask)) - continue; - - if (!(crecp->flags & (F_HOSTS | F_DHCP))) + + /* If the client asked for DNSSEC don't use cached data. */ + if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || + (rd_bit && (!do_bit || cache_validated(crecp)) )) + do + { + /* don't answer wildcard queries with data not from /etc/hosts + or DHCP leases */ + if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))) + break; + + if (!(crecp->flags & F_DNSSECOK)) + sec_data = 0; + + if (crecp->flags & F_NEG) + { + ans = 1; auth = 0; - - ans = 1; - if (!dryrun) - { - log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr.addr, - record_source(crecp->uid)); - - if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, - crec_ttl(crecp, now), NULL, type, C_IN, - type == T_A ? "4" : "6", &crecp->addr)) - anscount++; - } - } - } while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME))); + if (crecp->flags & F_NXDOMAIN) + nxdomain = 1; + if (!dryrun) + log_query(crecp->flags, name, NULL, NULL); + } + else + { + /* If we are returning local answers depending on network, + filter here. */ + if (localise && + (crecp->flags & F_HOSTS) && + !is_same_net(crecp->addr.addr4, local_addr, local_netmask)) + continue; + + if (!(crecp->flags & (F_HOSTS | F_DHCP))) + auth = 0; + + ans = 1; + if (!dryrun) + { + log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr, + record_source(crecp->uid)); + + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, + crec_ttl(crecp, now), NULL, type, C_IN, + type == T_A ? "4" : "6", &crecp->addr)) + anscount++; + } + } + } while ((crecp = cache_find_by_name(crecp, name, now, flag))); } - } - - if (qtype == T_CNAME || qtype == T_ANY) - { - if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME)) && - (qtype == T_CNAME || (crecp->flags & (F_HOSTS | F_DHCP)))) + else if (is_name_synthetic(flag, name, &addr)) { - ans = 1; + ans = 1, sec_data = 0; if (!dryrun) { - log_query(crecp->flags, name, NULL, record_source(crecp->uid)); + log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL); if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, - crec_ttl(crecp, now), &nameoffset, - T_CNAME, C_IN, "d", cache_get_name(crecp->addr.cname.cache))) + daemon->local_ttl, NULL, type, C_IN, type == T_A ? "4" : "6", &addr)) anscount++; } } } - + if (qtype == T_MX || qtype == T_ANY) { int found = 0; for (rec = daemon->mxnames; rec; rec = rec->next) if (!rec->issrv && hostname_isequal(name, rec->name)) { - ans = found = 1; - if (!dryrun) - { - int offset; - log_query(F_CONFIG | F_RRNAME, name, NULL, ""); - if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, - &offset, T_MX, C_IN, "sd", rec->weight, rec->target)) - { - anscount++; - if (rec->target) - rec->offset = offset; - } - } + ans = found = 1; + sec_data = 0; + if (!dryrun) + { + int offset; + log_query(F_CONFIG | F_RRNAME, name, NULL, ""); + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, + &offset, T_MX, C_IN, "sd", rec->weight, rec->target)) + { + anscount++; + if (rec->target) + rec->offset = offset; + } + } } - if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) && - cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP)) + if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) && + cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP | F_NO_RR)) { ans = 1; + sec_data = 0; if (!dryrun) { log_query(F_CONFIG | F_RRNAME, name, NULL, ""); @@ -1751,6 +1800,7 @@ size_t answer_request(struct dns_header *header, char if (rec->issrv && hostname_isequal(name, rec->name)) { found = ans = 1; + sec_data = 0; if (!dryrun) { int offset; @@ -1783,10 +1833,45 @@ size_t answer_request(struct dns_header *header, char *up = move; move->next = NULL; } - + + if (!found) + { + if ((crecp = cache_find_by_name(NULL, name, now, F_SRV | (dryrun ? F_NO_RR : 0))) && + rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))) + { + if (!(crecp->flags & F_DNSSECOK)) + sec_data = 0; + + auth = 0; + found = ans = 1; + + do { + if (crecp->flags & F_NEG) + { + if (crecp->flags & F_NXDOMAIN) + nxdomain = 1; + if (!dryrun) + log_query(crecp->flags, name, NULL, NULL); + } + else if (!dryrun) + { + char *target = blockdata_retrieve(crecp->addr.srv.target, crecp->addr.srv.targetlen, NULL); + log_query(crecp->flags, name, NULL, 0); + + if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, + crec_ttl(crecp, now), NULL, T_SRV, C_IN, "sssd", + crecp->addr.srv.priority, crecp->addr.srv.weight, crecp->addr.srv.srvport, + target)) + anscount++; + } + } while ((crecp = cache_find_by_name(crecp, name, now, F_SRV))); + } + } + if (!found && option_bool(OPT_FILTER) && (qtype == T_SRV || (qtype == T_ANY && strchr(name, '_')))) { ans = 1; + sec_data = 0; if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL); } @@ -1799,6 +1884,7 @@ size_t answer_request(struct dns_header *header, char if (hostname_isequal(name, na->name)) { ans = 1; + sec_data = 0; if (!dryrun) { log_query(F_CONFIG | F_RRNAME, name, NULL, ""); @@ -1811,11 +1897,12 @@ size_t answer_request(struct dns_header *header, char } if (qtype == T_MAILB) - ans = 1, nxdomain = 1; + ans = 1, nxdomain = 1, sec_data = 0; if (qtype == T_SOA && option_bool(OPT_FILTER)) { - ans = 1; + ans = 1; + sec_data = 0; if (!dryrun) log_query(F_CONFIG | F_NEG, name, &addr, NULL); } @@ -1844,11 +1931,8 @@ size_t answer_request(struct dns_header *header, char crecp = NULL; while ((crecp = cache_find_by_name(crecp, rec->target, now, F_IPV4 | F_IPV6))) { -#ifdef HAVE_IPV6 int type = crecp->flags & F_IPV4 ? T_A : T_AAAA; -#else - int type = T_A; -#endif + if (crecp->flags & F_NEG) continue; @@ -1865,21 +1949,34 @@ size_t answer_request(struct dns_header *header, char /* set RA flag */ header->hb4 |= HB4_RA; - /* authoritive - only hosts and DHCP derived names. */ + /* authoritative - only hosts and DHCP derived names. */ if (auth) header->hb3 |= HB3_AA; /* truncation */ if (trunc) header->hb3 |= HB3_TC; - - if (anscount == 0 && nxdomain) + + if (nxdomain) SET_RCODE(header, NXDOMAIN); + else if (notimp) + SET_RCODE(header, NOTIMP); else SET_RCODE(header, NOERROR); /* no error */ header->ancount = htons(anscount); header->nscount = htons(0); header->arcount = htons(addncount); - return ansp - (unsigned char *)header; -} + len = ansp - (unsigned char *)header; + + /* Advertise our packet size limit in our reply */ + if (have_pseudoheader) + len = add_pseudoheader(header, len, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0); + + if (ad_reqd && sec_data) + header->hb4 |= HB4_AD; + else + header->hb4 &= ~HB4_AD; + + return len; +}