]> git.saurik.com Git - apple/mdnsresponder.git/blob - mDNSCore/dnsproxy.c
projects / apple / mdnsresponder.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
mDNSResponder-1096.0.2.tar.gz
[apple/mdnsresponder.git] / mDNSCore / dnsproxy.c
1 /* -*- Mode: C; tab-width: 4 -*-
2 *
3 * Copyright (c) 2011-2019 Apple Inc. All rights reserved.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 #include "dnsproxy.h"
19
20 #ifndef UNICAST_DISABLED
21
22 extern mDNS mDNSStorage;
23
24 // Implementation Notes
25 //
26 // DNS Proxy listens on port 53 (UDPv4v6 & TCPv4v6) for DNS queries. It handles only
27 // the "Query" opcode of the DNS protocol described in RFC 1035. For all other opcodes, it returns
28 // "Not Implemented" error. The platform interface mDNSPlatformInitDNSProxySkts
29 // sets up the sockets and whenever it receives a packet, it calls ProxyTCPCallback or ProxyUDPCallback
30 // defined here. For TCP socket, the platform does the "accept" and only sends the received packets
31 // on the newly accepted socket. A single UDP socket (per address family) is used to send/recv
32 // requests/responses from all clients. For TCP, there is one socket per request. Hence, there is some
33 // extra state that needs to be disposed at the end.
34 //
35 // When a DNS request is received, ProxyCallbackCommon checks for malformed packet etc. and also checks
36 // for duplicates, before creating DNSProxyClient state and starting a question with the "core"
37 // (mDNS_StartQuery). When the callback for the question happens, it gathers all the necessary
38 // resource records, constructs a response and sends it back to the client.
39 //
40 // - Question callback is called with only one resource record at a time. We need all the resource
41 // records to construct the response. Hence, we lookup all the records ourselves.
42 //
43 // - The response may not fit the client's buffer size. In that case, we need to set the truncate bit
44 // and the client would retry using TCP.
45 //
46 // - The client may have set the DNSSEC OK bit in the EDNS0 option and that means we also have to
47 // return the RRSIGs or the NSEC records with the RRSIGs in the Additional section. We need to
48 // ask the "core" to fetch the DNSSEC records and do the validation if the CD bit is not set.
49 //
50 // Once the response is sent to the client, the client state is disposed. When there is no response
51 // from the "core", it eventually times out and we will not find any answers in the cache and we send a
52 // "NXDomain" response back. Thus, we don't need any special timers to reap the client state in the case
53 // of errors.
54
55 typedef struct DNSProxyClient_struct DNSProxyClient;
56
57 struct DNSProxyClient_struct {
58
59 DNSProxyClient *next;
60 mDNSAddr addr; // Client's IP address
61 mDNSIPPort port; // Client's port number
62 mDNSOpaque16 msgid; // DNS msg id
63 mDNSInterfaceID interfaceID; // Interface on which we received the request
64 void *socket; // Return socket
65 mDNSBool tcp; // TCP or UDP ?
66 mDNSOpaque16 requestFlags; // second 16 bit word in the DNSMessageHeader of the request
67 mDNSu8 *optRR; // EDNS0 option
68 mDNSu16 optLen; // Total Length of the EDNS0 option
69 mDNSu16 rcvBufSize; // How much can the client receive ?
70 mDNSBool DNSSECOK; // DNSSEC OK ?
71 void *context; // Platform context to be disposed if non-NULL
72 domainname qname; // q->qname can't be used for duplicate check
73 DNSQuestion q; // as it can change underneath us for CNAMEs
74 };
75
76 #define MIN_DNS_MESSAGE_SIZE 512
77 static DNSProxyClient *DNSProxyClients;
78
79 mDNSlocal void FreeDNSProxyClient(DNSProxyClient *pc)
80 {
81 if (pc->optRR)
82 mDNSPlatformMemFree(pc->optRR);
83 mDNSPlatformMemFree(pc);
84 }
85
86 mDNSlocal mDNSBool ParseEDNS0(DNSProxyClient *pc, const mDNSu8 *ptr, int length, const mDNSu8 *limit)
87 {
88 if (ptr + length > limit)
89 {
90 LogInfo("ParseEDNS0: Not enough space in the packet");
91 return mDNSfalse;
92 }
93 // Skip the root label
94 ptr++;
95 mDNSu16 rrtype = (mDNSu16) ((mDNSu16)ptr[0] << 8 | ptr[1]);
96 if (rrtype != kDNSType_OPT)
97 {
98 LogInfo("ParseEDNS0: Not the right type %d", rrtype);
99 return mDNSfalse;
100 }
101 mDNSu16 rrclass = (mDNSu16) ((mDNSu16)ptr[2] << 8 | ptr[3]);
102 #if MDNS_DEBUGMSGS
103 mDNSu8 rcode = ptr[4];
104 mDNSu8 version = ptr[5];
105 mDNSu16 flag = (mDNSu16) ((mDNSu16)ptr[6] << 8 | ptr[7]);
106 debugf("rrtype is %s, length is %d, rcode %d, version %d, flag 0x%x", DNSTypeName(rrtype), rrclass, rcode, version, flag);
107 #endif
108 pc->rcvBufSize = rrclass;
109 pc->DNSSECOK = ptr[6] & 0x80;
110
111 return mDNStrue;
112 }
113
114 mDNSexport mDNSu8 *DNSProxySetAttributes(DNSQuestion *q, DNSMessageHeader *h, DNSMessage *msg, mDNSu8 *ptr, mDNSu8 *limit)
115 {
116 DNSProxyClient *pc = (DNSProxyClient *)q->QuestionContext;
117
118 (void) msg;
119
120 h->flags = pc->requestFlags;
121 if (pc->optRR)
122 {
123 if (ptr + pc->optLen > limit)
124 {
125 LogInfo("DNSProxySetAttributes: Cannot set EDNS0 option start %p, OptLen %d, end %p", ptr, pc->optLen, limit);
126 return ptr;
127 }
128 h->numAdditionals++;
129 mDNSPlatformMemCopy(ptr, pc->optRR, pc->optLen);
130 ptr += pc->optLen;
131 }
132 return ptr;
133 }
134
135 mDNSlocal mDNSu8 *AddEDNS0Option(mDNSu8 *ptr, mDNSu8 *limit)
136 {
137 int len = 4096;
138
139 if (ptr + 11 > limit)
140 {
141 LogInfo("AddEDNS0Option: not enough space");
142 return mDNSNULL;
143 }
144 mDNSStorage.omsg.h.numAdditionals++;
145 ptr[0] = 0;
146 ptr[1] = (mDNSu8) (kDNSType_OPT >> 8);
147 ptr[2] = (mDNSu8) (kDNSType_OPT & 0xFF);
148 ptr[3] = (mDNSu8) (len >> 8);
149 ptr[4] = (mDNSu8) (len & 0xFF);
150 ptr[5] = 0; // rcode
151 ptr[6] = 0; // version
152 ptr[7] = 0;
153 ptr[8] = 0; // flags
154 ptr[9] = 0; // rdlength
155 ptr[10] = 0; // rdlength
156
157 debugf("AddEDNS0 option");
158
159 return (ptr + 11);
160 }
161
162 // Currently RD and CD bit should be copied if present in the request or cleared if
163 // not present in the request. RD bit is normally set in the response and hence the
164 // cache reflects the right value. CD bit behaves differently. If the CD bit is set
165 // the first time, the cache retains it, if it is present in response (assuming the
166 // upstream server does it right). Next time through we should not use the cached
167 // value of the CD bit blindly. It depends on whether it was in the request or not.
168 mDNSlocal mDNSOpaque16 SetResponseFlags(DNSProxyClient *pc, const mDNSOpaque16 responseFlags)
169 {
170 mDNSOpaque16 rFlags = responseFlags;
171
172 if (pc->requestFlags.b[0] & kDNSFlag0_RD)
173 rFlags.b[0] |= kDNSFlag0_RD;
174 else
175 rFlags.b[0] &= ~kDNSFlag0_RD;
176
177 if (pc->requestFlags.b[1] & kDNSFlag1_CD)
178 rFlags.b[1] |= kDNSFlag1_CD;
179 else
180 rFlags.b[1] &= ~kDNSFlag1_CD;
181
182 return rFlags;
183 }
184
185 mDNSlocal mDNSu8 *AddResourceRecords(DNSProxyClient *pc, mDNSu8 **prevptr, mStatus *error)
186 {
187 mDNS *const m = &mDNSStorage;
188 CacheGroup *cg;
189 CacheRecord *cr;
190 int len = sizeof(DNSMessageHeader);
191 mDNSu8 *orig = m->omsg.data;
192 mDNSBool first = mDNStrue;
193 mDNSu8 *ptr = mDNSNULL;
194 mDNSs32 now;
195 mDNSs32 ttl;
196 CacheRecord *nsec = mDNSNULL;
197 CacheRecord *soa = mDNSNULL;
198 CacheRecord *cname = mDNSNULL;
199 mDNSu8 *limit;
200 domainname tempQName;
201 mDNSu32 tempQNameHash;
202
203 *error = mStatus_NoError;
204 *prevptr = mDNSNULL;
205
206 mDNS_Lock(m);
207 now = m->timenow;
208 mDNS_Unlock(m);
209
210 if (!pc->tcp)
211 {
212 if (!pc->rcvBufSize)
213 {
214 limit = m->omsg.data + MIN_DNS_MESSAGE_SIZE;
215 }
216 else
217 {
218 limit = (pc->rcvBufSize > AbsoluteMaxDNSMessageData ? m->omsg.data + AbsoluteMaxDNSMessageData : m->omsg.data + pc->rcvBufSize);
219 }
220 }
221 else
222 {
223 // For TCP, limit is not determined by EDNS0 but by 16 bit rdlength field and
224 // AbsoluteMaxDNSMessageData is smaller than 64k.
225 limit = m->omsg.data + AbsoluteMaxDNSMessageData;
226 }
227 LogInfo("AddResourceRecords: Limit is %d", limit - m->omsg.data);
228
229 AssignDomainName(&tempQName, &pc->qname);
230 tempQNameHash = DomainNameHashValue(&tempQName);
231
232 again:
233 nsec = soa = cname = mDNSNULL;
234
235 cg = CacheGroupForName(m, tempQNameHash, &tempQName);
236 if (!cg)
237 {
238 LogInfo("AddResourceRecords: CacheGroup not found for %##s", tempQName.c);
239 *error = mStatus_NoSuchRecord;
240 return mDNSNULL;
241 }
242 // Set ValidatingResponse so that you can get RRSIGs also matching
243 // the question
244 if (pc->DNSSECOK)
245 pc->q.ValidatingResponse = 1;
246 for (cr = cg->members; cr; cr = cr->next)
247 {
248 if (SameNameCacheRecordAnswersQuestion(cr, &pc->q))
249 {
250 if (first)
251 {
252 // If this is the first time, initialize the header and the question.
253 // This code needs to be here so that we can use the responseFlags from the
254 // cache record
255 mDNSOpaque16 responseFlags = SetResponseFlags(pc, cr->responseFlags);
256 InitializeDNSMessage(&m->omsg.h, pc->msgid, responseFlags);
257 ptr = putQuestion(&m->omsg, m->omsg.data, m->omsg.data + AbsoluteMaxDNSMessageData, &pc->qname, pc->q.qtype, pc->q.qclass);
258 if (!ptr)
259 {
260 LogInfo("AddResourceRecords: putQuestion NULL for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
261 return mDNSNULL;
262 }
263 first = mDNSfalse;
264 }
265 // - For NegativeAnswers there is nothing to add
266 // - If DNSSECOK is set, we also automatically lookup the RRSIGs which
267 // will also be returned. If the client is explicitly looking up
268 // a DNSSEC record (e.g., DNSKEY, DS) we should return the response.
269 // DNSSECOK bit only influences whether we add the RRSIG or not.
270 if (cr->resrec.RecordType != kDNSRecordTypePacketNegative)
271 {
272 LogInfo("AddResourceRecords: Answering question with %s", CRDisplayString(m, cr));
273 ttl = cr->resrec.rroriginalttl - (now - cr->TimeRcvd) / mDNSPlatformOneSecond;
274 ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.numAnswers, &cr->resrec, ttl, limit);
275 if (!ptr)
276 {
277 *prevptr = orig;
278 return mDNSNULL;
279 }
280 len += (ptr - orig);
281 orig = ptr;
282 }
283 // If we have nsecs (wildcard expanded answer or negative response), add them
284 // in the additional section below if the DNSSECOK bit is set
285 if (pc->DNSSECOK && cr->nsec)
286 {
287 LogInfo("AddResourceRecords: nsec set for %s", CRDisplayString(m ,cr));
288 nsec = cr->nsec;
289 }
290 if (cr->soa)
291 {
292 LogInfo("AddResourceRecords: soa set for %s", CRDisplayString(m ,cr));
293 soa = cr->soa;
294 }
295 // If we are using CNAME to answer a question and CNAME is not the type we
296 // are looking for, note down the CNAME record so that we can follow them
297 // later. Before we follow the CNAME, print the RRSIGs and any nsec (wildcard
298 // expanded) if any.
299 if ((pc->q.qtype != cr->resrec.rrtype) && cr->resrec.rrtype == kDNSType_CNAME)
300 {
301 LogInfo("AddResourceRecords: cname set for %s", CRDisplayString(m ,cr));
302 cname = cr;
303 }
304 }
305 }
306 // Along with the nsec records, we also cache the SOA record. For non-DNSSEC question, we need
307 // to send the SOA back. Normally we either cache the SOA record (non-DNSSEC question) pointed
308 // to by "cr->soa" or the NSEC/SOA records along with their RRSIGs (DNSSEC question) pointed to
309 // by "cr->nsec". Two cases:
310 //
311 // - if we issue a DNSSEC question followed by non-DNSSEC question for the same name,
312 // we only have the nsec records and we need to filter the SOA record alone for the
313 // non-DNSSEC questions.
314 //
315 // - if we issue a non-DNSSEC question followed by DNSSEC question for the same name,
316 // the "core" flushes the cache entry and re-issue the question with EDNS0/DOK bit and
317 // in this case we return all the DNSSEC records we have.
318 for (; nsec; nsec = nsec->next)
319 {
320 if (!pc->DNSSECOK && DNSSECRecordType(nsec->resrec.rrtype))
321 continue;
322 LogInfo("AddResourceRecords:NSEC Answering question with %s", CRDisplayString(m, nsec));
323 ttl = nsec->resrec.rroriginalttl - (now - nsec->TimeRcvd) / mDNSPlatformOneSecond;
324 ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.numAuthorities, &nsec->resrec, ttl, limit);
325 if (!ptr)
326 {
327 *prevptr = orig;
328 return mDNSNULL;
329 }
330 len += (ptr - orig);
331 orig = ptr;
332 }
333 if (soa)
334 {
335 LogInfo("AddResourceRecords: SOA Answering question with %s", CRDisplayString(m, soa));
336 ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.numAuthorities, &soa->resrec, soa->resrec.rroriginalttl, limit);
337 if (!ptr)
338 {
339 *prevptr = orig;
340 return mDNSNULL;
341 }
342 len += (ptr - orig);
343 orig = ptr;
344 }
345 if (cname)
346 {
347 AssignDomainName(&tempQName, &cname->resrec.rdata->u.name);
348 tempQNameHash = DomainNameHashValue(&tempQName);
349 goto again;
350 }
351 if (!ptr)
352 {
353 LogInfo("AddResourceRecords: Did not find any valid ResourceRecords");
354 *error = mStatus_NoSuchRecord;
355 return mDNSNULL;
356 }
357 if (pc->rcvBufSize)
358 {
359 ptr = AddEDNS0Option(ptr, limit);
360 if (!ptr)
361 {
362 *prevptr = orig;
363 return mDNSNULL;
364 }
365 len += (ptr - orig);
366 // orig = ptr; Commented out to avoid ‘value never read’ error message
367 }
368 LogInfo("AddResourceRecord: Added %d bytes to the packet", len);
369 return ptr;
370 }
371
372 mDNSlocal void ProxyClientCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
373 {
374 DNSProxyClient *pc = question->QuestionContext;
375 DNSProxyClient **ppc = &DNSProxyClients;
376 mDNSu8 *ptr;
377 mDNSu8 *prevptr;
378 mStatus error;
379
380 if (!AddRecord)
381 return;
382
383 LogInfo("ProxyClientCallback: ResourceRecord %s", RRDisplayString(m, answer));
384
385 // We asked for validation and not timed out yet, then wait for the DNSSEC result.
386 // We have to set the AD bit in the response if it is secure which can't be done
387 // till we get the DNSSEC result back (indicated by QC_dnssec).
388 if (question->ValidationRequired)
389 {
390 mDNSs32 now;
391
392 mDNS_Lock(m);
393 now = m->timenow;
394 mDNS_Unlock(m);
395 if (((now - question->StopTime) < 0) && AddRecord != QC_dnssec)
396 {
397 LogInfo("ProxyClientCallback: No DNSSEC answer yet for Question %##s (%s), AddRecord %d, answer %s", question->qname.c,
398 DNSTypeName(question->qtype), AddRecord, RRDisplayString(m, answer));
399 return;
400 }
401 }
402
403 if (answer->RecordType != kDNSRecordTypePacketNegative)
404 {
405 if (answer->rrtype != question->qtype)
406 {
407 // Wait till we get called for the real response
408 LogInfo("ProxyClientCallback: Received %s, not answering yet", RRDisplayString(m, answer));
409 return;
410 }
411 }
412 ptr = AddResourceRecords(pc, &prevptr, &error);
413 if (!ptr)
414 {
415 LogInfo("ProxyClientCallback: AddResourceRecords NULL for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
416 if (error == mStatus_NoError && prevptr)
417 {
418 // No space to add the record. Set the Truncate bit for UDP.
419 //
420 // TBD: For TCP, we need to send the rest of the data. But finding out what is left
421 // is harder. We should allocate enough buffer in the first place to send all
422 // of the data.
423 if (!pc->tcp)
424 {
425 m->omsg.h.flags.b[0] |= kDNSFlag0_TC;
426 ptr = prevptr;
427 }
428 else
429 {
430 LogInfo("ProxyClientCallback: ERROR!! Not enough space to return in TCP for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
431 ptr = prevptr;
432 }
433 }
434 else
435 {
436 mDNSOpaque16 flags = { { kDNSFlag0_QR_Response | kDNSFlag0_OP_StdQuery, kDNSFlag1_RC_ServFail } };
437 // We could not find the record for some reason. Return a response, so that the client
438 // is not waiting forever.
439 LogInfo("ProxyClientCallback: No response");
440 if (!mDNSOpaque16IsZero(pc->q.responseFlags))
441 flags = pc->q.responseFlags;
442 InitializeDNSMessage(&m->omsg.h, pc->msgid, flags);
443 ptr = putQuestion(&m->omsg, m->omsg.data, m->omsg.data + AbsoluteMaxDNSMessageData, &pc->qname, pc->q.qtype, pc->q.qclass);
444 if (!ptr)
445 {
446 LogInfo("ProxyClientCallback: putQuestion NULL for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
447 goto done;
448 }
449 }
450 }
451 if (question->ValidationRequired)
452 {
453 if (question->ValidationState == DNSSECValDone && question->ValidationStatus == DNSSEC_Secure)
454 {
455 LogInfo("ProxyClientCallback: Setting AD bit for Question %##s (%s)", question->qname.c, DNSTypeName(question->qtype));
456 m->omsg.h.flags.b[1] |= kDNSFlag1_AD;
457 }
458 else
459 {
460 // If some external resolver sets the AD bit and we did not validate the response securely, don't set
461 // the AD bit. It is possible that we did not see all the records that the upstream resolver saw or
462 // a buggy implementation somewhere.
463 if (m->omsg.h.flags.b[1] & kDNSFlag1_AD)
464 {
465 LogInfo("ProxyClientCallback: AD bit set in the response for response that was not validated locally %##s (%s)",
466 question->qname.c, DNSTypeName(question->qtype));
467 m->omsg.h.flags.b[1] &= ~kDNSFlag1_AD;
468 }
469 }
470 }
471
472 debugf("ProxyClientCallback: InterfaceID is %p for response to client", pc->interfaceID);
473
474 if (!pc->tcp)
475 {
476 mDNSSendDNSMessage(m, &m->omsg, ptr, pc->interfaceID, mDNSNULL, (UDPSocket *)pc->socket, &pc->addr, pc->port, mDNSNULL, mDNSfalse);
477 }
478 else
479 {
480 mDNSSendDNSMessage(m, &m->omsg, ptr, pc->interfaceID, (TCPSocket *)pc->socket, mDNSNULL, &pc->addr, pc->port, mDNSNULL, mDNSfalse);
481 }
482
483 done:
484 mDNS_StopQuery(m, question);
485
486 while (*ppc && *ppc != pc)
487 ppc=&(*ppc)->next;
488 if (!*ppc)
489 {
490 LogMsg("ProxyClientCallback: question %##s (%s) not found", question->qname.c, DNSTypeName(question->qtype));
491 return;
492 }
493 *ppc = pc->next;
494 mDNSPlatformDisposeProxyContext(pc->context);
495 FreeDNSProxyClient(pc);
496 }
497
498 mDNSlocal void SendError(void *socket, DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *dstaddr,
499 const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, mDNSBool tcp, void *context, mDNSu8 rcode)
500 {
501 mDNS *const m = &mDNSStorage;
502 int pktlen = (int)(end - (mDNSu8 *)msg);
503
504 // RFC 1035 requires that we copy the question back and RFC 2136 is okay with sending nothing
505 // in the body or send back whatever we get for updates. It is easy to return whatever we get
506 // in the question back to the responder. We return as much as we can fit in our standard
507 // output packet.
508 if (pktlen > AbsoluteMaxDNSMessageData)
509 pktlen = AbsoluteMaxDNSMessageData;
510
511 mDNSPlatformMemCopy(&m->omsg.h, &msg->h, sizeof(DNSMessageHeader));
512 m->omsg.h.flags.b[0] |= kDNSFlag0_QR_Response;
513 m->omsg.h.flags.b[1] = rcode;
514 mDNSPlatformMemCopy(m->omsg.data, (mDNSu8 *)&msg->data, (pktlen - sizeof(DNSMessageHeader)));
515
516 if (!tcp)
517 {
518 mDNSSendDNSMessage(m, &m->omsg, (mDNSu8 *)&m->omsg + pktlen, InterfaceID, mDNSNULL, socket, dstaddr, dstport, mDNSNULL, mDNSfalse);
519 }
520 else
521 {
522 mDNSSendDNSMessage(m, &m->omsg, (mDNSu8 *)&m->omsg + pktlen, InterfaceID, (TCPSocket *)socket, mDNSNULL, dstaddr, dstport, mDNSNULL, mDNSfalse);
523 }
524 mDNSPlatformDisposeProxyContext(context);
525 }
526
527 mDNSlocal DNSQuestion *IsDuplicateClient(const mDNSAddr *const addr, const mDNSIPPort port, const mDNSOpaque16 id,
528 const DNSQuestion *const question)
529 {
530 DNSProxyClient *pc;
531
532 for (pc = DNSProxyClients; pc; pc = pc->next)
533 {
534 if (mDNSSameAddress(&pc->addr, addr) &&
535 mDNSSameIPPort(pc->port, port) &&
536 mDNSSameOpaque16(pc->msgid, id) &&
537 pc->q.qtype == question->qtype &&
538 pc->q.qclass == question->qclass &&
539 SameDomainName(&pc->qname, &question->qname))
540 {
541 LogInfo("IsDuplicateClient: Found a duplicate client in the list");
542 return(&pc->q);
543 }
544 }
545 return(mDNSNULL);
546 }
547
548 mDNSlocal mDNSBool CheckDNSProxyIpIntf(mDNSInterfaceID InterfaceID)
549 {
550 mDNS *const m = &mDNSStorage;
551 int i;
552 mDNSu32 ip_ifindex = (mDNSu32)(unsigned long)InterfaceID;
553
554 LogInfo("CheckDNSProxyIpIntf: Check for ifindex[%d] in stored input interface list: [%d] [%d] [%d] [%d] [%d]",
555 ip_ifindex, m->dp_ipintf[0], m->dp_ipintf[1], m->dp_ipintf[2], m->dp_ipintf[3], m->dp_ipintf[4]);
556
557 if (ip_ifindex > 0)
558 {
559 for (i = 0; i < MaxIp; i++)
560 {
561 if (ip_ifindex == m->dp_ipintf[i])
562 return mDNStrue;
563 }
564 }
565
566 LogMsg("CheckDNSProxyIpIntf: ifindex[%d] not in stored input interface list: [%d] [%d] [%d] [%d] [%d]",
567 ip_ifindex, m->dp_ipintf[0], m->dp_ipintf[1], m->dp_ipintf[2], m->dp_ipintf[3], m->dp_ipintf[4]);
568
569 return mDNSfalse;
570
571 }
572
573 mDNSlocal void ProxyCallbackCommon(void *socket, DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
574 const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, mDNSBool tcp, void *context)
575 {
576 mDNS *const m = &mDNSStorage;
577 mDNSu8 QR_OP;
578 const mDNSu8 *ptr;
579 DNSQuestion q, *qptr;
580 DNSProxyClient *pc;
581 const mDNSu8 *optRR = mDNSNULL;
582 int optLen = 0;
583 DNSProxyClient **ppc = &DNSProxyClients;
584
585 (void) dstaddr;
586 (void) dstport;
587
588 debugf("ProxyCallbackCommon: DNS Query coming from InterfaceID %p", InterfaceID);
589 // Ignore if the DNS Query is not from a Valid Input InterfaceID
590 if (!CheckDNSProxyIpIntf(InterfaceID))
591 {
592 LogMsg("ProxyCallbackCommon: Rejecting DNS Query coming from InterfaceID %p", InterfaceID);
593 return;
594 }
595
596 if ((unsigned)(end - (mDNSu8 *)msg) < sizeof(DNSMessageHeader))
597 {
598 debugf("ProxyCallbackCommon: DNS Message from %#a:%d to %#a:%d length %d too short", srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), (int)(end - (mDNSu8 *)msg));
599 return;
600 }
601
602 // Read the integer parts which are in IETF byte-order (MSB first, LSB second)
603 ptr = (mDNSu8 *)&msg->h.numQuestions;
604 msg->h.numQuestions = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
605 msg->h.numAnswers = (mDNSu16)((mDNSu16)ptr[2] << 8 | ptr[3]);
606 msg->h.numAuthorities = (mDNSu16)((mDNSu16)ptr[4] << 8 | ptr[5]);
607 msg->h.numAdditionals = (mDNSu16)((mDNSu16)ptr[6] << 8 | ptr[7]);
608
609 QR_OP = (mDNSu8)(msg->h.flags.b[0] & kDNSFlag0_QROP_Mask);
610 if (QR_OP != kDNSFlag0_QR_Query)
611 {
612 LogInfo("ProxyCallbackCommon: Not a query(%d) for pkt from %#a:%d", QR_OP, srcaddr, mDNSVal16(srcport));
613 SendError(socket, msg, end, srcaddr, srcport, InterfaceID, tcp, context, kDNSFlag1_RC_NotImpl);
614 return;
615 }
616
617 if (msg->h.numQuestions != 1 || msg->h.numAnswers || msg->h.numAuthorities)
618 {
619 LogInfo("ProxyCallbackCommon: Malformed pkt from %#a:%d, Q:%d, An:%d, Au:%d", srcaddr, mDNSVal16(srcport),
620 msg->h.numQuestions, msg->h.numAnswers, msg->h.numAuthorities);
621 SendError(socket, msg, end, srcaddr, srcport, InterfaceID, tcp, context, kDNSFlag1_RC_FormErr);
622 return;
623 }
624 ptr = msg->data;
625 ptr = getQuestion(msg, ptr, end, InterfaceID, &q);
626 if (!ptr)
627 {
628 LogInfo("ProxyCallbackCommon: Question cannot be parsed for pkt from %#a:%d", srcaddr, mDNSVal16(srcport));
629 SendError(socket, msg, end, srcaddr, srcport, InterfaceID, tcp, context, kDNSFlag1_RC_FormErr);
630 return;
631 }
632 else
633 {
634 LogInfo("ProxyCallbackCommon: Question %##s (%s)", q.qname.c, DNSTypeName(q.qtype));
635 }
636 ptr = LocateOptRR(msg, end, 0);
637 if (ptr)
638 {
639 optRR = ptr;
640 ptr = skipResourceRecord(msg, ptr, end);
641 // Be liberal and ignore the EDNS0 option if we can't parse it properly
642 if (!ptr)
643 {
644 LogInfo("ProxyCallbackCommon: EDNS0 cannot be parsed for pkt from %#a:%d, ignoring", srcaddr, mDNSVal16(srcport));
645 }
646 else
647 {
648 optLen = ptr - optRR;
649 LogInfo("ProxyCallbackCommon: EDNS0 opt length %d present in Question %##s (%s)", optLen, q.qname.c, DNSTypeName(q.qtype));
650 }
651 }
652 else
653 {
654 LogInfo("ProxyCallbackCommon: EDNS0 opt not present in Question %##s (%s), ptr %p", q.qname.c, DNSTypeName(q.qtype), ptr);
655 }
656
657 qptr = IsDuplicateClient(srcaddr, srcport, msg->h.id, &q);
658 if (qptr)
659 {
660 LogInfo("ProxyCallbackCommon: Found a duplicate for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
661 return;
662 }
663 pc = (DNSProxyClient *) mDNSPlatformMemAllocateClear(sizeof(*pc));
664 if (!pc)
665 {
666 LogMsg("ProxyCallbackCommon: Memory failure for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
667 return;
668 }
669 pc->addr = *srcaddr;
670 pc->port = srcport;
671 pc->msgid = msg->h.id;
672 pc->interfaceID = InterfaceID; // input interface
673 pc->socket = socket;
674 pc->tcp = tcp;
675 pc->requestFlags = msg->h.flags;
676 pc->context = context;
677 AssignDomainName(&pc->qname, &q.qname);
678 if (optRR)
679 {
680 if (!ParseEDNS0(pc, optRR, optLen, end))
681 {
682 LogInfo("ProxyCallbackCommon: Invalid EDNS0 option for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
683 }
684 else
685 {
686 pc->optRR = (mDNSu8 *) mDNSPlatformMemAllocate(optLen);
687 if (!pc->optRR)
688 {
689 LogMsg("ProxyCallbackCommon: Memory failure for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
690 FreeDNSProxyClient(pc);
691 return;
692 }
693 mDNSPlatformMemCopy(pc->optRR, optRR, optLen);
694 pc->optLen = optLen;
695 }
696 }
697
698 debugf("ProxyCallbackCommon: DNS Query forwarding to interface index %d", m->dp_opintf);
699 mDNS_SetupQuestion(&pc->q, (mDNSInterfaceID)(unsigned long)m->dp_opintf, &q.qname, q.qtype, ProxyClientCallback, pc);
700 pc->q.TimeoutQuestion = 1;
701 // Set ReturnIntermed so that we get the negative responses
702 pc->q.ReturnIntermed = mDNStrue;
703 pc->q.ProxyQuestion = mDNStrue;
704 pc->q.ProxyDNSSECOK = pc->DNSSECOK;
705 pc->q.responseFlags = zeroID;
706 if (pc->DNSSECOK)
707 {
708 if (!(msg->h.flags.b[1] & kDNSFlag1_CD) && pc->q.qtype != kDNSType_RRSIG && pc->q.qtype != kDNSQType_ANY)
709 {
710 LogInfo("ProxyCallbackCommon: Setting Validation required bit for %#a:%d, validating %##s (%s)", srcaddr, mDNSVal16(srcport),
711 q.qname.c, DNSTypeName(q.qtype));
712 pc->q.ValidationRequired = DNSSEC_VALIDATION_SECURE;
713 }
714 else
715 {
716 LogInfo("ProxyCallbackCommon: CD bit not set OR not a valid type for %#a:%d, not validating %##s (%s)", srcaddr, mDNSVal16(srcport),
717 q.qname.c, DNSTypeName(q.qtype));
718 }
719 }
720 else
721 {
722 LogInfo("ProxyCallbackCommon: DNSSEC OK bit not set for %#a:%d, not validating %##s (%s)", srcaddr, mDNSVal16(srcport),
723 q.qname.c, DNSTypeName(q.qtype));
724 }
725
726 while (*ppc)
727 ppc = &((*ppc)->next);
728 *ppc = pc;
729
730 mDNS_StartQuery(m, &pc->q);
731 }
732
733 mDNSexport void ProxyUDPCallback(void *socket, DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
734 const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
735 {
736 LogInfo("ProxyUDPCallback: DNS Message from %#a:%d to %#a:%d length %d", srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), (int)(end - (mDNSu8 *)msg));
737 ProxyCallbackCommon(socket, msg, end, srcaddr, srcport, dstaddr, dstport, InterfaceID, mDNSfalse, context);
738 }
739
740 mDNSexport void ProxyTCPCallback(void *socket, DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
741 const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
742 {
743 LogInfo("ProxyTCPCallback: DNS Message from %#a:%d to %#a:%d length %d", srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), (int)(end - (mDNSu8 *)msg));
744
745 // If the connection was closed from the other side or incoming packet does not match stored input interface list, locate the client
746 // state and free it.
747 if (((end - (mDNSu8 *)msg) == 0) || (!CheckDNSProxyIpIntf(InterfaceID)))
748 {
749 DNSProxyClient **ppc = &DNSProxyClients;
750 DNSProxyClient **prevpc;
751
752 prevpc = ppc;
753 while (*ppc && (*ppc)->socket != socket)
754 {
755 prevpc = ppc;
756 ppc=&(*ppc)->next;
757 }
758 if (!*ppc)
759 {
760 mDNSPlatformDisposeProxyContext(socket);
761 LogMsg("ProxyTCPCallback: socket cannot be found");
762 return;
763 }
764 *prevpc = (*ppc)->next;
765 LogInfo("ProxyTCPCallback: free");
766 mDNSPlatformDisposeProxyContext(socket);
767 FreeDNSProxyClient(*ppc);
768 return;
769 }
770 ProxyCallbackCommon(socket, msg, end, srcaddr, srcport, dstaddr, dstport, InterfaceID, mDNStrue, context);
771 }
772
773 mDNSexport void DNSProxyInit(mDNSu32 IpIfArr[MaxIp], mDNSu32 OpIf)
774 {
775 mDNS *const m = &mDNSStorage;
776 int i;
777
778 // Store DNSProxy Interface fields in mDNS struct
779 for (i = 0; i < MaxIp; i++)
780 m->dp_ipintf[i] = IpIfArr[i];
781 m->dp_opintf = OpIf;
782
783 LogInfo("DNSProxyInit Storing interface list: Input [%d, %d, %d, %d, %d] Output [%d]", m->dp_ipintf[0],
784 m->dp_ipintf[1], m->dp_ipintf[2], m->dp_ipintf[3], m->dp_ipintf[4], m->dp_opintf);
785 }
786
787 mDNSexport void DNSProxyTerminate(void)
788 {
789 mDNS *const m = &mDNSStorage;
790 int i;
791
792 // Clear DNSProxy Interface fields from mDNS struct
793 for (i = 0; i < MaxIp; i++)
794 m->dp_ipintf[i] = 0;
795 m->dp_opintf = 0;
796
797 LogInfo("DNSProxyTerminate Cleared interface list: Input [%d, %d, %d, %d, %d] Output [%d]", m->dp_ipintf[0],
798 m->dp_ipintf[1], m->dp_ipintf[2], m->dp_ipintf[3], m->dp_ipintf[4], m->dp_opintf);
799 }
800 #else // UNICAST_DISABLED
801
802 mDNSexport void ProxyUDPCallback(void *socket, DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
803 {
804 (void) socket;
805 (void) msg;
806 (void) end;
807 (void) srcaddr;
808 (void) srcport;
809 (void) dstaddr;
810 (void) dstport;
811 (void) InterfaceID;
812 (void) context;
813 }
814
815 mDNSexport void ProxyTCPCallback(void *socket, DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
816 {
817 (void) socket;
818 (void) msg;
819 (void) end;
820 (void) srcaddr;
821 (void) srcport;
822 (void) dstaddr;
823 (void) dstport;
824 (void) InterfaceID;
825 (void) context;
826 }
827
828 mDNSexport void DNSProxyInit(mDNSu32 IpIfArr[MaxIp], mDNSu32 OpIf)
829 {
830 (void) IpIfArr;
831 (void) OpIf;
832 }
833 extern void DNSProxyTerminate(void)
834 {
835 }
836
837
838 #endif // UNICAST_DISABLED
mirror of mDNSResponder