1 /* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
/* Parse the wire-format domain name at *pp.  With isExtract set, the name is
   written into 'name' as a dotted string; otherwise the wire name is compared
   (ASCII case-insensitively) against the string already in 'name'.
   Every read through p is bounded by CHECK_LEN against plen, each compression
   pointer followed is counted in 'hops', and the decoded length is capped at
   MAXDNAME, so a crafted packet cannot read past the buffer, overflow 'name'
   or loop forever.  Returns 0 for a malformed name ("bad packet"); callers in
   this file treat a return of 2 as "name did not match" in compare mode.
   NOTE: many lines of the body - including the hops limit check itself - are
   elided in this listing. */
19 int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
20 char *name, int isExtract, int extrabytes)
22 unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL;
23 unsigned int j, l, namelen = 0, hops = 0;
31 unsigned int label_type;
/* the length/pointer byte of the next label must itself be inside the packet */
33 if (!CHECK_LEN(header, p, plen, 1))
39 /* check that there are the correct no. of bytes after the name */
/* p1, once set, is the byte after the first compression pointer, i.e. where
   the caller's cursor resumes; the extrabytes the caller will read after the
   name (type/class, RR header) must fit in the packet from there */
40 if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes))
45 if (cp != (unsigned char *)name)
47 *cp = 0; /* terminate: lose final period */
52 if (p1) /* we jumped via compression */
/* top two bits of the length byte select the label type (RFC 1035 4.1.4) */
60 label_type = l & 0xc0;
62 if (label_type == 0xc0) /* pointer */
/* the second byte of the pointer must also be inside the packet */
64 if (!CHECK_LEN(header, p, plen, 1))
71 if (!p1) /* first jump, save location to go back to */
/* counted on every jump; the comparison against the limit is elided here, so a
   pointer chain that loops back on itself is eventually rejected */
74 hops++; /* break malicious infinite loops */
/* l holds the pointer's offset at this point (its assembly is elided) */
78 p = l + (unsigned char *)header;
80 else if (label_type == 0x00)
81 { /* label_type = 0 -> label. */
82 namelen += l + 1; /* include period */
/* bound the dotted form so the caller's MAXDNAME-sized 'name' cannot overflow */
83 if (namelen >= MAXDNAME)
/* the l label bytes must be inside the packet before they are read */
85 if (!CHECK_LEN(header, p, plen, l))
88 for(j=0; j<l; j++, p++)
/* extract mode: under DNSSEC validation, bytes that would be ambiguous in the
   dotted form (NUL, '.', NAME_ESCAPE) get special treatment (elided here) */
93 if (option_bool(OPT_DNSSEC_VALID))
95 if (c == 0 || c == '.' || c == NAME_ESCAPE)
105 if (c != 0 && c != '.')
/* compare mode: fold ASCII upper case on both sides; DNS names are
   case-insensitive */
112 unsigned char c1 = *cp, c2 = *p;
119 if (c1 >= 'A' && c1 <= 'Z')
122 if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE)
126 if (c2 >= 'A' && c2 <= 'Z')
/* end of a wire label must line up with a '.' (or the end) of the string */
136 else if (*cp != 0 && *cp++ != '.')
/* unlike skip_name(), extended (0x40) labels are rejected here as well */
140 return 0; /* label types 0x40 and 0x80 not supported */
144 /* Max size of input string (for IPv6) is 75 chars. */
145 #define MAXARPANAME 75
/* Decode a reverse-lookup name (in-addr.arpa / ip6.arpa / ip6.int, in the
   nibble or bitstring form) into the address it denotes, writing it to *addrp.
   Callers use the return value as an address-family flag (compared against
   F_IPV4 / F_IPV6 elsewhere in this file); zero means "not a reverse name".
   Input longer than MAXARPANAME is refused before anything is copied into the
   fixed-size local buffer.  Some lines of the body are elided in this listing. */
146 int in_arpa_name_2_addr(char *namein, union all_addr *addrp)
149 char name[MAXARPANAME+1], *cp1;
150 unsigned char *addr = (unsigned char *)addrp;
151 char *lastchunk = NULL, *penchunk = NULL;
/* guards the copy into name[] below */
153 if (strlen(namein) > MAXARPANAME)
/* the output is built up with |= and shifts, so it must start zeroed */
156 memset(addrp, 0, sizeof(union all_addr));
158 /* turn name into a series of asciiz strings */
159 /* j counts no. of labels */
160 for(j = 1,cp1 = name; *namein; cp1++, namein++)
/* lastchunk / penchunk end up pointing at the last and second-to-last labels */
163 penchunk = lastchunk;
176 if (hostname_isequal(lastchunk, "arpa") && hostname_isequal(penchunk, "in-addr"))
179 /* address arrives as a name of the form
180 www.xxx.yyy.zzz.in-addr.arpa
181 some of the low order address octets might be missing
182 and should be set to zero. */
183 for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
185 /* check for digits only (weeds out things like
186 50.0/24.67.28.64.in-addr.arpa which are used
187 as CNAME targets according to RFC 2317) */
189 for (cp = cp1; *cp; cp++)
190 if (!isdigit((unsigned char)*cp))
201 else if (hostname_isequal(penchunk, "ip6") &&
202 (hostname_isequal(lastchunk, "int") || hostname_isequal(lastchunk, "arpa")))
205 Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
206 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
208 Note that most of these representations are obsolete and
209 left over from the many DNS-for-IPv6 wars. We support all the formats
210 that we can since there is no reason not to.
/* bitstring form: "\[x" followed by up to 32 hex digits */
213 if (*name == '\\' && *(name+1) == '[' &&
214 (*(name+2) == 'x' || *(name+2) == 'X'))
/* j < 32 caps the digits consumed, so addr[j/2] stays within 16 bytes */
216 for (j = 0, cp1 = name+3; *cp1 && isxdigit((unsigned char) *cp1) && j < 32; cp1++, j++)
/* odd digit -> low nibble, even digit -> high nibble of addr[j/2] */
222 addr[j/2] |= strtol(xdig, NULL, 16);
224 addr[j/2] = strtol(xdig, NULL, 16) << 4;
/* a complete bitstring is followed by "/<prefix-len>]" */
227 if (*cp1 == '/' && j == 32)
/* nibble form: every label before "ip6" must be exactly one hex digit */
232 for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
234 if (*(cp1+1) || !isxdigit((unsigned char)*cp1))
/* labels arrive least-significant nibble first, so shift the whole address
   right by one nibble and insert the new digit at the top */
237 for (j = sizeof(struct in6_addr)-1; j>0; j--)
238 addr[j] = (addr[j] >> 4) | (addr[j-1] << 4);
239 addr[0] = (addr[0] >> 4) | (strtol(cp1, NULL, 16) << 4);
/* Advance over the wire-format name at ansp without decoding it.  Returns a
   pointer to the first byte after the name, having also verified that
   'extrabytes' further bytes fit inside the packet, or NULL if the packet is
   malformed.  Unlike extract_name() this accepts extended (0x40) bitstring
   labels; type 0x80 is rejected.  Some lines of the body are elided here. */
249 unsigned char *skip_name(unsigned char *ansp, struct dns_header *header, size_t plen, int extrabytes)
253 unsigned int label_type;
/* the length/pointer byte itself must lie inside the packet */
255 if (!CHECK_LEN(header, ansp, plen, 1))
258 label_type = (*ansp) & 0xc0;
260 if (label_type == 0xc0)
262 /* pointer for compression. */
/* how far ansp advances for a pointer, and whether it is followed, is elided
   in this listing */
266 else if (label_type == 0x80)
267 return NULL; /* reserved */
268 else if (label_type == 0x40)
270 /* Extended label type */
/* two bytes are read: the extended type code and the bit count */
273 if (!CHECK_LEN(header, ansp, plen, 2))
276 if (((*ansp++) & 0x3f) != 1)
277 return NULL; /* we only understand bitstrings */
279 count = *(ansp++); /* Bits in bitstring */
281 if (count == 0) /* count == 0 means 256 bits */
/* NOTE(review): this advance over the packed bits is not bounds-checked here;
   it relies on the CHECK_LEN at the top of the next iteration (or the
   extrabytes check at the end) running before anything is read through ansp
   - confirm no read sits in between. */
284 ansp += ((count-1)>>3)+1;
287 { /* label type == 0 Bottom six bits is length */
288 unsigned int len = (*ansp++) & 0x3f;
/* ADD_RDLEN presumably bounds-checks the len label bytes and moves ansp past
   them (no separate advance is visible) */
290 if (!ADD_RDLEN(header, ansp, plen, len))
294 break; /* zero length label marks the end. */
/* whatever the caller reads right after the name (type/class, RR header...)
   must also be inside the packet */
298 if (!CHECK_LEN(header, ansp, plen, extrabytes))
/* Return a pointer just past the question section (i.e. the start of the
   answer section), or NULL if any question name is malformed.  Each name is
   skipped with 4 extra bytes required, so the trailing type and class are
   known to be inside the packet before ansp is moved over them. */
304 unsigned char *skip_questions(struct dns_header *header, size_t plen)
307 unsigned char *ansp = (unsigned char *)(header+1);
309 for (q = ntohs(header->qdcount); q != 0; q--)
311 if (!(ansp = skip_name(ansp, header, plen, 4)))
313 ansp += 4; /* class and type */
/* Skip 'count' resource records starting at ansp and return the pointer past
   the last one, or NULL on a malformed packet.  skip_name() is asked for 10
   extra bytes (type 2 + class 2 + TTL 4 + rdlen 2), so the fixed RR header
   can be stepped over without a further check; the variable RDATA is then
   bounds-checked by ADD_RDLEN. */
319 unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen)
323 for (i = 0; i < count; i++)
325 if (!(ansp = skip_name(ansp, header, plen, 10)))
327 ansp += 8; /* type, class, TTL */
328 GETSHORT(rdlen, ansp);
329 if (!ADD_RDLEN(header, ansp, plen, rdlen))
/* Recompute the length of a packet from its sections and, if a saved EDNS
   pseudoheader is supplied and the additional section is empty, append the
   pseudoheader again and bump arcount.  Returns the new packet length. */
336 size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen)
338 unsigned char *ansp = skip_questions(header, plen);
340 /* if packet is malformed, just return as-is. */
344 if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
348 /* restore pseudoheader */
/* only when the additional section is empty; otherwise arcount would lie */
349 if (pheader && ntohs(header->arcount) == 0)
351 /* must use memmove, may overlap */
/* NOTE(review): nothing here checks that hlen bytes fit at ansp - the caller
   presumably guarantees the buffer has room for the pseudoheader it saved. */
352 memmove(ansp, pheader, hlen);
353 header->arcount = htons(1);
357 return ansp - (unsigned char *)header;
360 /* is addr in the non-globally-routed IP space? */
/* Used for DNS-rebinding protection: a non-zero result means the address
   should not be accepted from an upstream answer.  127/8 and 0/8 are only
   rejected when ban_localhost is set (see --rebind-localhost-ok).
   NOTE(review): 100.64.0.0/10 (RFC 6598 shared address space) and
   192.0.0.0/24 are not in this list - confirm whether that is intended. */
361 int private_net(struct in_addr addr, int ban_localhost)
/* work in host byte order so the literal masks below read naturally */
363 in_addr_t ip_addr = ntohl(addr.s_addr);
366 (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
367 (((ip_addr & 0xFF000000) == 0x00000000) && ban_localhost) /* RFC 5735 section 3. "here" network */ ||
368 ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
369 ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
370 ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
371 ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ||
372 ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test-net) */ ||
373 ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test-net) */ ||
374 ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test-net) */ ||
375 ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ;
/* IPv6 counterpart of private_net() for rebinding protection.  IPv4-mapped
   addresses are unwrapped and judged by the IPv4 rules so ::ffff:10.0.0.1
   cannot bypass them.  Otherwise the RFC 6303 locally-served ranges are
   rejected; :: and ::1 only when ban_localhost is set.
   NOTE(review): only fd00::/8 (locally-assigned ULA) is matched, not the whole
   fc00::/7, and other IPv4-embedding forms (e.g. NAT64 64:ff9b::/96) are not
   unwrapped - confirm this matches the intended policy. */
378 static int private_net6(struct in6_addr *a, int ban_localhost)
380 /* Block IPv4-mapped IPv6 addresses in private IPv4 address space */
381 if (IN6_IS_ADDR_V4MAPPED(a))
/* the embedded IPv4 address is the last 32-bit word, already in network order */
384 v4.s_addr = ((const uint32_t *) (a))[3];
385 return private_net(v4, ban_localhost);
389 (IN6_IS_ADDR_UNSPECIFIED(a) && ban_localhost) || /* RFC 6303 4.3 */
390 (IN6_IS_ADDR_LOOPBACK(a) && ban_localhost) || /* RFC 6303 4.3 */
391 IN6_IS_ADDR_LINKLOCAL(a) || /* RFC 6303 4.5 */
392 IN6_IS_ADDR_SITELOCAL(a) ||
393 ((unsigned char *)a)[0] == 0xfd || /* RFC 6303 4.4 */
/* 2001:db8::/32 documentation prefix, compared as one network-order word */
394 ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */
/* Walk 'count' resource records starting at p and rewrite the RDATA of every
   IN/A record that falls inside a configured --alias (daemon->doctors) entry.
   A doctor with end.s_addr == 0 is a subnet match (in/mask); otherwise it is
   an inclusive range [in, end].  Because the answer is modified in place, the
   AA bit is cleared.  Returns the pointer past the last record, or 0 on a
   malformed packet.  Some lines of the body are elided in this listing. */
397 static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, int *doctored)
399 int i, qtype, qclass, rdlen;
401 for (i = count; i != 0; i--)
/* 10 extra bytes: the fixed RR header following the name */
403 if (!(p = skip_name(p, header, qlen, 10)))
404 return 0; /* bad packet */
411 if (qclass == C_IN && qtype == T_A)
413 struct doctor *doctor;
/* the 4 address bytes must be inside the packet before they are copied */
416 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
420 memcpy(&addr, p, INADDRSZ);
422 for (doctor = daemon->doctors; doctor; doctor = doctor->next)
424 if (doctor->end.s_addr == 0)
426 if (!is_same_net(doctor->in, addr, doctor->mask))
/* range form: compare in host byte order */
429 else if (ntohl(doctor->in.s_addr) > ntohl(addr.s_addr) ||
430 ntohl(doctor->end.s_addr) < ntohl(addr.s_addr))
/* keep the host part of the answer, replace the network part with 'out' */
433 addr.s_addr &= ~doctor->mask.s_addr;
434 addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
435 /* Since we munged the data, the server it came from is no longer authoritative */
436 header->hb3 &= ~HB3_AA;
/* write the rewritten address back into the packet */
438 memcpy(p, &addr, INADDRSZ);
/* step over the RDATA whether or not it was rewritten */
443 if (!ADD_RDLEN(header, p, qlen, rdlen))
444 return 0; /* bad packet */
/* Find the negative-caching TTL for a reply: the smallest MINIMUM field of any
   IN/SOA record in the authority section (daemon->neg_ttl when none is found).
   As a side effect, do_doctor() is run over the answer and additional
   sections, which is why callers invoke this even when they do not need the
   TTL.  Returns 0 on a malformed packet.  Some lines of the body are elided. */
450 static int find_soa(struct dns_header *header, size_t qlen, int *doctored)
453 int qtype, qclass, rdlen;
454 unsigned long ttl, minttl = ULONG_MAX;
455 int i, found_soa = 0;
457 /* first move to NS section and find TTL from any SOA section */
458 if (!(p = skip_questions(header, qlen)) ||
459 !(p = do_doctor(p, ntohs(header->ancount), header, qlen, doctored)))
460 return 0; /* bad packet */
462 for (i = ntohs(header->nscount); i != 0; i--)
464 if (!(p = skip_name(p, header, qlen, 10)))
465 return 0; /* bad packet */
472 if ((qclass == C_IN) && (qtype == T_SOA))
/* SOA RDATA: MNAME, RNAME, then five 32-bit fields (20 bytes) */
479 if (!(p = skip_name(p, header, qlen, 0)))
/* asking for 20 extra bytes bounds-checks all five fields at once */
482 if (!(p = skip_name(p, header, qlen, 20)))
484 p += 16; /* SERIAL REFRESH RETRY EXPIRE */
486 GETLONG(ttl, p); /* minTTL */
490 else if (!ADD_RDLEN(header, p, qlen, rdlen))
491 return 0; /* bad packet */
494 /* rewrite addresses in additional section too */
495 if (!do_doctor(p, ntohs(header->arcount), header, qlen, doctored))
/* no SOA seen: fall back to the configured negative TTL */
499 minttl = daemon->neg_ttl;
504 /* Print TXT reply to log */
/* Walk the counted strings in a TXT RDATA of ardlen bytes at p and log each
   one.  Before a string is handed to log_query() it is NUL-terminated in
   place and screened with isprint(), so control characters or escape
   sequences from an upstream reply cannot be written into the log; the
   shifted bytes are moved back afterwards.  Returns 0 if a string length
   runs past ardlen (bad packet).  Some lines of the body are elided here. */
505 static int print_txt(struct dns_header *header, const size_t qlen, char *name,
506 unsigned char *p, const int ardlen, int secflag)
508 unsigned char *p1 = p;
/* the whole RDATA must be inside the packet */
509 if (!CHECK_LEN(header, p1, qlen, ardlen))
511 /* Loop over TXT payload */
512 while ((p1 - p) < ardlen)
514 unsigned int i, len = *p1;
515 unsigned char *p3 = p1;
/* the length byte plus len data bytes must fit inside the RDATA */
516 if ((p1 + len - p) >= ardlen)
517 return 0; /* bad packet */
519 /* make counted string zero-term and sanitise */
/* each byte is shifted down one position over the length byte; what happens
   on a non-printable byte is elided in this listing */
520 for (i = 0; i < len; i++)
522 if (!isprint((int)*(p3+1)))
529 log_query(secflag | F_FORWARD | F_UPSTREAM, name, NULL, (char*)p1, 0);
/* undo the shift of the i bytes that were moved, restoring the packet */
531 memmove(p1 + 1, p1, i);
538 /* Note that the following code can create CNAME chains that don't point to a real record,
539 either because of lack of memory, or lack of SOA records. These are treated by the cache code as
540 expired and cleaned out that way.
541 Return 1 if we reject an address because it looks like part of a DNS-rebinding attack.
542 Return 2 if the packet is malformed.
544 int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now,
545 struct ipsets *ipsets, struct ipsets *nftsets, int is_sign, int check_rebind,
546 int no_cache_dnssec, int secure, int *doctored)
548 unsigned char *p, *p1, *endrr, *namep;
549 int j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
550 unsigned long ttl = 0;
555 (void)ipsets; /* unused */
560 (void)nftsets; /* unused */
562 int found = 0, cname_count = CNAME_CHAIN;
563 struct crec *cpp = NULL;
564 int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
568 unsigned long cttl = ULONG_MAX, attl;
570 cache_start_insert();
572 /* find_soa is needed for dns_doctor side effects, so don't call it lazily if there are any. */
573 if (daemon->doctors || option_bool(OPT_DNSSEC_VALID))
576 ttl = find_soa(header, qlen, doctored);
583 if (option_bool(OPT_DNSSEC_VALID))
584 for (j = 0; j < ntohs(header->ancount); j++)
585 if (daemon->rr_status[j] != 0)
591 namep = p = (unsigned char *)(header+1);
593 if (ntohs(header->qdcount) != 1 || !extract_name(header, qlen, &p, name, 1, 4))
594 return 2; /* bad packet */
602 /* PTRs: we chase CNAMEs here, since we have no way to
603 represent them in the cache. */
606 int insert = 1, name_encoding = in_arpa_name_2_addr(name, &addr);
608 if (!(flags & F_NXDOMAIN))
611 if (!(p1 = skip_questions(header, qlen)))
614 for (j = 0; j < ntohs(header->ancount); j++)
617 if (!(res = extract_name(header, qlen, &p1, name, 0, 10)))
618 return 2; /* bad packet */
620 GETSHORT(aqtype, p1);
621 GETSHORT(aqclass, p1);
624 if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
627 PUTLONG(daemon->max_ttl, p1);
629 GETSHORT(ardlen, p1);
632 /* TTL of record is minimum of CNAMES and PTR */
636 if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == T_PTR))
639 if (option_bool(OPT_DNSSEC_VALID) && !no_cache_dnssec && daemon->rr_status[j] != 0)
641 /* validated RR anywhere in CNAME chain, don't cache. */
642 if (cname_short || aqtype == T_CNAME)
645 secflag = F_DNSSECOK;
646 /* limit TTL based on signature. */
647 if (daemon->rr_status[j] < cttl)
648 cttl = daemon->rr_status[j];
652 if (aqtype == T_CNAME)
653 log_query(secflag | F_CNAME | F_FORWARD | F_UPSTREAM, name, NULL, NULL, 0);
655 if (!extract_name(header, qlen, &p1, name, 1, 0))
658 if (aqtype == T_CNAME)
661 return 0; /* looped CNAMES, we can't cache. */
671 log_query(secflag | F_FORWARD | F_UPSTREAM, name, NULL, NULL, aqtype);
674 log_query(name_encoding | secflag | F_REVERSE | F_UPSTREAM, name, &addr, NULL, 0);
676 cache_insert(name, &addr, C_IN, now, cttl, name_encoding | secflag | F_REVERSE);
681 if (!CHECK_LEN(header, p1, qlen, 0))
682 return 2; /* bad packet */
686 if (!found && !option_bool(OPT_NO_NEG))
691 ttl = find_soa(header, qlen, doctored);
694 flags |= F_NEG | (secure ? F_DNSSECOK : 0);
695 if (name_encoding && ttl)
697 flags |= F_REVERSE | name_encoding;
698 cache_insert(NULL, &addr, C_IN, now, ttl, flags);
701 log_query(flags | F_UPSTREAM, name, &addr, NULL, 0);
706 /* everything other than PTR */
708 int addrlen = 0, insert = 1;
715 else if (qtype == T_AAAA)
720 else if (qtype == T_SRV)
723 insert = 0; /* NOTE: do not cache data from CNAME queries. */
726 if (!(p1 = skip_questions(header, qlen)))
729 for (j = 0; j < ntohs(header->ancount); j++)
733 if (!(res = extract_name(header, qlen, &p1, name, 0, 10)))
734 return 2; /* bad packet */
736 GETSHORT(aqtype, p1);
737 GETSHORT(aqclass, p1);
739 if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
742 PUTLONG(daemon->max_ttl, p1);
744 GETSHORT(ardlen, p1);
747 /* Not what we're looking for? */
748 if (aqclass != C_IN || res == 2)
751 if (!CHECK_LEN(header, p1, qlen, 0))
752 return 2; /* bad packet */
757 if (option_bool(OPT_DNSSEC_VALID) && !no_cache_dnssec && daemon->rr_status[j] != 0)
759 secflag = F_DNSSECOK;
761 /* limit TTl based on sig. */
762 if (daemon->rr_status[j] < attl)
763 attl = daemon->rr_status[j];
767 if (aqtype == T_CNAME)
770 return 0; /* looped CNAMES */
772 log_query(secflag | F_CNAME | F_FORWARD | F_UPSTREAM, name, NULL, NULL, 0);
776 if ((newc = cache_insert(name, NULL, C_IN, now, attl, F_CNAME | F_FORWARD | secflag)))
778 newc->addr.cname.target.cache = NULL;
779 newc->addr.cname.is_name_ptr = 0;
783 cpp->addr.cname.target.cache = newc;
784 cpp->addr.cname.uid = newc->uid;
794 if (!extract_name(header, qlen, &p1, name, 1, 0))
797 if (qtype != T_CNAME)
802 else if (aqtype != qtype)
805 if (!option_bool(OPT_DNSSEC_VALID) || aqtype != T_RRSIG)
807 log_query(secflag | F_FORWARD | F_UPSTREAM, name, NULL, NULL, aqtype);
809 else if (!(flags & F_NXDOMAIN))
815 unsigned char *tmp = namep;
817 if (!CHECK_LEN(header, p1, qlen, 6))
818 return 2; /* bad packet */
819 GETSHORT(addr.srv.priority, p1);
820 GETSHORT(addr.srv.weight, p1);
821 GETSHORT(addr.srv.srvport, p1);
822 if (!extract_name(header, qlen, &p1, name, 1, 0))
824 addr.srv.targetlen = strlen(name) + 1; /* include terminating zero */
825 if (!(addr.srv.target = blockdata_alloc(name, addr.srv.targetlen)))
828 /* we overwrote the original name, so get it back here. */
829 if (!extract_name(header, qlen, &tmp, name, 1, 0))
832 else if (flags & (F_IPV4 | F_IPV6))
834 /* copy address into aligned storage */
835 if (!CHECK_LEN(header, p1, qlen, addrlen))
836 return 2; /* bad packet */
837 memcpy(&addr, p1, addrlen);
839 /* check for returned address in private space */
842 if ((flags & F_IPV4) &&
843 private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
846 if ((flags & F_IPV6) &&
847 private_net6(&addr.addr6, !option_bool(OPT_LOCAL_REBIND)))
852 if (ipsets && (flags & (F_IPV4 | F_IPV6)))
853 for (ipsets_cur = ipsets->sets; *ipsets_cur; ipsets_cur++)
854 if (add_to_ipset(*ipsets_cur, &addr, flags, 0) == 0)
855 log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, ipsets->domain, &addr, *ipsets_cur, 1);
858 if (nftsets && (flags & (F_IPV4 | F_IPV6)))
859 for (nftsets_cur = nftsets->sets; *nftsets_cur; nftsets_cur++)
860 if (add_to_nftset(*nftsets_cur, &addr, flags, 0) == 0)
861 log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, nftsets->domain, &addr, *nftsets_cur, 0);
867 newc = cache_insert(name, &addr, C_IN, now, attl, flags | F_FORWARD | secflag);
871 cpp->addr.cname.target.cache = newc;
872 cpp->addr.cname.uid = newc->uid;
879 if (!print_txt(header, qlen, name, p1, ardlen, secflag))
883 log_query(flags | F_FORWARD | secflag | F_UPSTREAM, name, &addr, NULL, aqtype);
887 if (!CHECK_LEN(header, p1, qlen, 0))
888 return 2; /* bad packet */
891 if (!found && (qtype != T_ANY || (flags & F_NXDOMAIN)))
893 if (flags & F_NXDOMAIN)
895 flags &= ~(F_IPV4 | F_IPV6 | F_SRV);
897 /* Can store NXDOMAIN reply to CNAME or ANY query. */
898 if (qtype == T_CNAME || qtype == T_ANY)
902 log_query(F_UPSTREAM | F_FORWARD | F_NEG | flags | (secure ? F_DNSSECOK : 0), name, NULL, NULL, 0);
907 ttl = find_soa(header, qlen, doctored);
910 /* If there's no SOA to get the TTL from, but there is a CNAME
911 pointing at this, inherit its TTL */
912 if (insert && !option_bool(OPT_NO_NEG) && (ttl || cpp))
917 newc = cache_insert(name, NULL, C_IN, now, ttl, F_FORWARD | F_NEG | flags | (secure ? F_DNSSECOK : 0));
921 cpp->addr.cname.target.cache = newc;
922 cpp->addr.cname.uid = newc->uid;
928 /* Don't put stuff from a truncated packet into the cache.
929 Don't cache replies from non-recursive nameservers, since we may get a
930 reply containing a CNAME but not its target, even though the target
932 if (!(header->hb3 & HB3_TC) &&
933 !(header->hb4 & HB4_CD) &&
934 (header->hb4 & HB4_RA) &&
941 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
942 /* Don't pass control chars and weird escapes to UBus. */
/* Return non-zero only if every byte of name satisfies isprint(); names that
   fail are never broadcast (see report_addresses()).  The unsigned char cast
   keeps high-bit bytes out of negative-value territory for <ctype.h>. */
943 static int safe_name(char *name)
947 for (r = (unsigned char *)name; *r; r++)
948 if (!isprint((int)*r))
/* Broadcast the names and addresses in a successful reply over UBus for the
   connmark allowlist matching 'mark'.  Only answers whose name matches one
   of the allowlist patterns ("*" matching everything) are reported; the
   matching for other patterns is elided in this listing.  Every string that
   reaches UBus first passes safe_name(), and A/AAAA RDATA is accepted only
   when its length is exactly the address size. */
954 void report_addresses(struct dns_header *header, size_t len, u32 mark)
956 unsigned char *p, *endrr;
959 struct allowlist *allowlists;
/* nothing to report for error replies */
962 if (RCODE(header) != NOERROR)
965 for (allowlists = daemon->allowlists; allowlists; allowlists = allowlists->next)
966 if (allowlists->mark == (mark & daemon->allowlist_mask & allowlists->mask))
967 for (pattern_pos = allowlists->patterns; *pattern_pos; pattern_pos++)
968 if (!strcmp(*pattern_pos, "*"))
971 if (!(p = skip_questions(header, len)))
973 for (i = ntohs(header->ancount); i != 0; i--)
975 int aqtype, aqclass, ardlen;
/* owner name of the RR lands in daemon->namebuff; 10 = fixed RR header */
977 if (!extract_name(header, len, &p, daemon->namebuff, 1, 10))
980 if (!CHECK_LEN(header, p, len, 10))
983 GETSHORT(aqclass, p);
/* RDATA must be inside the packet before any of it is read */
987 if (!CHECK_LEN(header, p, len, ardlen))
993 if (aqtype == T_CNAME)
/* the CNAME target is decoded into a second buffer so namebuff survives */
995 if (!extract_name(header, len, &p, daemon->workspacename, 1, 0))
997 if (safe_name(daemon->namebuff) && safe_name(daemon->workspacename))
998 ubus_event_bcast_connmark_allowlist_resolved(mark, daemon->namebuff, daemon->workspacename, attl);
1002 struct in_addr addr;
1003 char ip[INET_ADDRSTRLEN];
/* refuse malformed A RDATA rather than copying a partial/oversized value */
1004 if (ardlen != INADDRSZ)
1006 memcpy(&addr, p, ardlen);
1007 if (inet_ntop(AF_INET, &addr, ip, sizeof ip) && safe_name(daemon->namebuff))
1008 ubus_event_bcast_connmark_allowlist_resolved(mark, daemon->namebuff, ip, attl);
1010 else if (aqtype == T_AAAA)
1012 struct in6_addr addr;
1013 char ip[INET6_ADDRSTRLEN];
1014 if (ardlen != IN6ADDRSZ)
1016 memcpy(&addr, p, ardlen);
1017 if (inet_ntop(AF_INET6, &addr, ip, sizeof ip) && safe_name(daemon->namebuff))
1018 ubus_event_bcast_connmark_allowlist_resolved(mark, daemon->namebuff, ip, attl);
1027 /* If the packet holds exactly one query
1028 return F_IPV4 or F_IPV6 and leave the name from the query in name */
/* Returns 0 (with *name set to the empty string) for anything that is not a
   well-formed standard query with exactly one question; the query type is
   also handed back through typep (assignment elided in this listing).
   Callers must not trust 'name' when 0 is returned. */
1029 unsigned int extract_request(struct dns_header *header, size_t qlen, char *name, unsigned short *typep)
1031 unsigned char *p = (unsigned char *)(header+1);
1037 *name = 0; /* return empty name if no query found. */
1039 if (ntohs(header->qdcount) != 1 || OPCODE(header) != QUERY)
1040 return 0; /* must be exactly one query. */
/* a query (QR clear) carrying answer or authority records is not something
   we will process */
1042 if (!(header->hb3 & HB3_QR) && (ntohs(header->ancount) != 0 || ntohs(header->nscount) != 0))
1043 return 0; /* non-standard query. */
/* 4 extra bytes: type and class must follow the name inside the packet */
1045 if (!extract_name(header, qlen, &p, name, 1, 4))
1046 return 0; /* bad packet */
1049 GETSHORT(qclass, p);
1058 if (qtype == T_AAAA)
1061 return F_IPV4 | F_IPV6;
1065 /* F_DNSSECOK as argument to search_servers() inhibits forwarding
1066 to servers for domains without a trust anchor. This makes the
1067 behaviour for DS and DNSKEY queries we forward the same
1068 as for DS and DNSKEY queries we originate. */
1069 if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DS || qtype == T_DNSKEY))
/* Turn the query header in place into a locally-generated reply with no
   resource records: flags = F_NOERR gives an empty NOERROR answer,
   F_NXDOMAIN an NXDOMAIN, an address flag an authoritative NOERROR (the
   caller adds the records), anything else REFUSED.  AD is always cleared
   since nothing here was DNSSEC-validated.  The ede argument is not used in
   the lines visible in this listing. */
1076 void setup_reply(struct dns_header *header, unsigned int flags, int ede)
1078 /* clear authoritative and truncated flags, set QR flag */
1079 header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC )) | HB3_QR;
1080 /* clear AD flag, set RA flag */
1081 header->hb4 = (header->hb4 & ~HB4_AD) | HB4_RA;
/* the reply starts with only the question section */
1083 header->nscount = htons(0);
1084 header->arcount = htons(0);
1085 header->ancount = htons(0); /* no answers unless changed below */
1086 if (flags == F_NOERR)
1087 SET_RCODE(header, NOERROR); /* empty domain */
1088 else if (flags == F_NXDOMAIN)
1089 SET_RCODE(header, NXDOMAIN);
1090 else if (flags & ( F_IPV4 | F_IPV6))
1092 SET_RCODE(header, NOERROR);
/* we are the source of the address data, so claim authority */
1093 header->hb3 |= HB3_AA;
1095 else /* nowhere to forward to */
1098 a.log.rcode = REFUSED;
1100 log_query(F_CONFIG | F_RCODE, "error", &a, NULL, 0);
1101 SET_RCODE(header, REFUSED);
1105 /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
/* The visible checks are subdomain matches (hostname_issubdomain) against the
   configured NAPTR, MX, TXT, interface-name and PTR records, then a cache
   lookup for a non-terminal; the /etc/hosts and DHCP cases mentioned above
   are presumably covered by that cache lookup.  Return statements are
   elided in this listing. */
1106 int check_for_local_domain(char *name, time_t now)
1108 struct mx_srv_record *mx;
1109 struct txt_record *txt;
1110 struct interface_name *intr;
1111 struct ptr_record *ptr;
1112 struct naptr *naptr;
1114 for (naptr = daemon->naptr; naptr; naptr = naptr->next)
1115 if (hostname_issubdomain(name, naptr->name))
1118 for (mx = daemon->mxnames; mx; mx = mx->next)
1119 if (hostname_issubdomain(name, mx->name))
1122 for (txt = daemon->txt; txt; txt = txt->next)
1123 if (hostname_issubdomain(name, txt->name))
1126 for (intr = daemon->int_names; intr; intr = intr->next)
1127 if (hostname_issubdomain(name, intr->name))
1130 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1131 if (hostname_issubdomain(name, ptr->name))
/* anything with cached entries below it counts as local too */
1134 if (cache_find_non_terminal(name, now))
/* Scan the answer section for an A or AAAA record whose address falls inside
   one of the prefixes in 'baddr' (the --bogus-nxdomain / --ignore-address
   lists).  When 'name' is non-NULL the owner name of each record is decoded
   into it; ttlp, when non-NULL, receives the record's TTL (assignment
   elided here).  Returns 0 on a malformed packet or no match; the match
   path is elided in this listing. */
1140 static int check_bad_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr, char *name, unsigned long *ttlp)
1143 int i, qtype, qclass, rdlen;
1145 struct bogus_addr *baddrp;
1147 /* skip over questions */
1148 if (!(p = skip_questions(header, qlen)))
1149 return 0; /* bad packet */
1151 for (i = ntohs(header->ancount); i != 0; i--)
/* both branches require the 10-byte fixed RR header to follow the name */
1153 if (name && !extract_name(header, qlen, &p, name, 1, 10))
1154 return 0; /* bad packet */
1156 if (!name && !(p = skip_name(p, header, qlen, 10)))
1160 GETSHORT(qclass, p);
1171 struct in_addr addr;
/* address bytes are bounds-checked before the copy into aligned storage */
1173 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
1176 memcpy(&addr, p, INADDRSZ);
1178 for (baddrp = baddr; baddrp; baddrp = baddrp->next)
1179 if (!baddrp->is6 && is_same_net_prefix(addr, baddrp->addr.addr4, baddrp->prefix))
1182 else if (qtype == T_AAAA)
1184 struct in6_addr addr;
1186 if (!CHECK_LEN(header, p, qlen, IN6ADDRSZ))
1189 memcpy(&addr, p, IN6ADDRSZ);
1191 for (baddrp = baddr; baddrp; baddrp = baddrp->next)
1192 if (baddrp->is6 && is_same_net6(&addr, &baddrp->addr.addr6, baddrp->prefix))
/* step over the RDATA of records that did not match */
1197 if (!ADD_RDLEN(header, p, qlen, rdlen))
1204 /* Is the packet a reply with the answer address equal to addr?
1205 If so munge it into an NXDOMAIN reply and also put that information
/* Implements --bogus-nxdomain: a reply carrying an address from
   daemon->bogus_addr is treated as a wildcard hit.  The negative entry is
   cached here with the TTL check_bad_address() reported; the rewrite of the
   packet itself is elided in this listing. */
1207 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, time_t now)
1211 if (check_bad_address(header, qlen, daemon->bogus_addr, name, &ttl))
1213 /* Found a bogus address. Insert that info here, since there is no SOA record
1214 to get the ttl from in the normal processing */
1215 cache_start_insert();
1216 cache_insert(name, NULL, C_IN, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
/* Implements --ignore-address: non-zero if any answer address is in
   daemon->ignore_addr.  No name or TTL is needed, so both are passed NULL. */
1225 int check_for_ignored_address(struct dns_header *header, size_t qlen)
1227 return check_bad_address(header, qlen, daemon->ignore_addr, NULL, NULL);
/* Append one resource record at *pp, building the RDATA from the printf-like
   'format' and the variadic arguments.  The owner name is written as a
   compression pointer to nameoffset (the sign of nameoffset selects between
   two pointer forms; the conditions are elided here) or as a literal name.
   Every write is first checked against 'limit' via CHECK_LIMIT; running out
   of room jumps to the 'truncated' label (elided) which reports through
   truncp rather than overrunning the buffer.  Some lines of the body are
   elided in this listing. */
1230 int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
1231 unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
1234 unsigned char *sav, *p = *pp;
1236 unsigned short usval;
/* NOTE(review): not wrapped in do { } while (0); every visible use is a lone
   statement, which is the only way this expansion is safe. */
1240 #define CHECK_LIMIT(size) \
1241 if (limit && p + (size) > (unsigned char*)limit) goto truncated;
1243 va_start(ap, format); /* make ap point to 1st unnamed argument */
/* a previous record already truncated this reply: add nothing more */
1245 if (truncp && *truncp)
/* 0xc000 marks a compression pointer (RFC 1035 4.1.4) */
1251 PUTSHORT(nameoffset | 0xc000, p);
1255 char *name = va_arg(ap, char *);
1256 if (name && !(p = do_rfc1035_name(p, name, limit)))
1262 PUTSHORT(-nameoffset | 0xc000, p);
1271 /* type (2) + class (2) + ttl (4) + rdlen (2) */
1276 PUTLONG(ttl, p); /* TTL */
1278 sav = p; /* Save pointer to RDLength field */
1279 PUTSHORT(0, p); /* Placeholder RDLength */
1281 for (; *format; format++)
/* 16-byte IPv6 address */
1285 CHECK_LIMIT(IN6ADDRSZ);
1286 sval = va_arg(ap, char *);
1287 memcpy(p, sval, IN6ADDRSZ);
/* 4-byte IPv4 address */
1292 CHECK_LIMIT(INADDRSZ);
1293 sval = va_arg(ap, char *);
1294 memcpy(p, sval, INADDRSZ);
/* 16-bit values are promoted to int through the va_list */
1300 usval = va_arg(ap, int);
1306 usval = va_arg(ap, int);
1312 lval = va_arg(ap, long);
1317 /* get domain-name answer arg and store it in RDATA field */
/* remember where the name went so later records can point at it */
1319 *offset = p - (unsigned char *)header;
1320 if (!(p = do_rfc1035_name(p, va_arg(ap, char *), limit)))
/* raw bytes with an explicit length (the limit check for this case is
   elided in this listing) */
1327 usval = va_arg(ap, int);
1329 sval = va_arg(ap, char *);
1331 memcpy(p, sval, usval);
/* NUL-terminated string emitted as one counted string */
1336 sval = va_arg(ap, char *);
1337 usval = sval ? strlen(sval) : 0;
1340 CHECK_LIMIT(usval + 1);
/* NOTE(review): the length byte is usval truncated to 8 bits while usval bytes
   are copied, so a string over 255 bytes would produce mis-sized RDATA
   (still within 'limit'); presumably callers only pass short strings. */
1341 *p++ = (unsigned char)usval;
1342 memcpy(p, sval, usval);
1347 va_end(ap); /* clean up variable argument pointer */
1349 /* Now, store real RDLength. sav already checked against limit. */
/* True if a non-immortal cache entry's time-to-die is already in the past.
   Immortal entries (local data) never go stale. */
1365 static int crec_isstale(struct crec *crecp, time_t now)
1367 return (!(crecp->flags & F_IMMORTAL)) && difftime(crecp->ttd, now) < 0;
/* TTL to advertise for a cache entry when answering from cache.
   DHCP entries use the configured TTL (dhcp_ttl or local_ttl), capped at the
   remaining lease; immortal entries carry their TTL in the ttd field; for
   everything else the remaining lifetime is returned, capped at max_ttl when
   one is configured.  The stale-entry branch is elided in this listing. */
1370 static unsigned long crec_ttl(struct crec *crecp, time_t now)
1372 signed long ttl = difftime(crecp->ttd, now);
1374 /* Return 0 ttl for DHCP entries, which might change
1375 before the lease expires, unless configured otherwise. */
1377 if (crecp->flags & F_DHCP)
1379 int conf_ttl = daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl;
1381 /* Apply ceiling of actual lease length to configured TTL. */
1382 if (!(crecp->flags & F_IMMORTAL) && ttl < conf_ttl)
1388 /* Immortal entries other than DHCP are local, and hold TTL in TTD field. */
1389 if (crecp->flags & F_IMMORTAL)
1392 /* Stale cache entries. */
1396 /* Return the Max TTL value if it is lower than the actual TTL */
/* NOTE(review): the unsigned cast assumes ttl is non-negative here, i.e. the
   elided stale-entry branch above has already returned - confirm. */
1397 if (daemon->max_ttl == 0 || ((unsigned)ttl < daemon->max_ttl))
1400 return daemon->max_ttl;
/* True when DNSSEC validation is enabled and the entry was found NOT to be
   signed (F_DNSSECOK clear).  Despite the name this is the "zone is known to
   be unsigned" test used in answer_request(): such entries may be served
   from cache even when the client set the DO bit, because an unsigned
   answer is all a validating resolver could return anyway. */
1403 static int cache_validated(const struct crec *crecp)
1405 return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
1408 /* return zero if we can't answer from cache, or packet size if we can */
1409 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
1410 struct in_addr local_addr, struct in_addr local_netmask,
1411 time_t now, int ad_reqd, int do_bit, int have_pseudoheader,
1414 char *name = daemon->namebuff;
1415 unsigned char *p, *ansp;
1416 unsigned int qtype, qclass;
1417 union all_addr addr;
1419 unsigned short flag;
1420 int q, ans, anscount = 0, addncount = 0;
1423 int nxdomain = 0, notimp = 0, auth = 1, trunc = 0, sec_data = 1;
1424 struct mx_srv_record *rec;
1426 int rd_bit = (header->hb3 & HB3_RD);
1431 /* never answer queries with RD unset, to avoid cache snooping. */
1432 if (ntohs(header->ancount) != 0 ||
1433 ntohs(header->nscount) != 0 ||
1434 ntohs(header->qdcount) == 0 ||
1435 OPCODE(header) != QUERY )
1438 /* Don't return AD set if checking disabled. */
1439 if (header->hb4 & HB4_CD)
1442 /* If there is an additional data section then it will be overwritten by
1443 partial replies, so we have to do a dry run to see if we can answer
1445 if (ntohs(header->arcount) != 0)
1448 for (rec = daemon->mxnames; rec; rec = rec->next)
1452 /* determine end of question section (we put answers there) */
1453 if (!(ansp = skip_questions(header, qlen)))
1454 return 0; /* bad packet */
1456 /* now process each question, answers go in RRs after the question */
1457 p = (unsigned char *)(header+1);
1459 for (q = ntohs(header->qdcount); q != 0; q--)
1461 int count = 255; /* catch loops */
1463 /* save pointer to name for copying into answers */
1464 nameoffset = p - (unsigned char *)header;
1466 /* now extract name as .-concatenated string into name */
1467 if (!extract_name(header, qlen, &p, name, 1, 4))
1468 return 0; /* bad packet */
1471 GETSHORT(qclass, p);
1473 ans = 0; /* have we answered this question */
1476 while (--count != 0 && (crecp = cache_find_by_name(NULL, name, now, F_CNAME | F_NXDOMAIN)))
1481 if (crec_isstale(crecp, now))
1486 stale_flag = F_STALE;
1489 if (crecp->flags & F_NXDOMAIN)
1491 if (qtype == T_CNAME)
1494 log_query(stale_flag | crecp->flags, name, NULL, record_source(crecp->uid), 0);
1502 cname_target = cache_get_cname_target(crecp);
1504 /* If the client asked for DNSSEC don't use cached data. */
1505 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
1506 (rd_bit && (!do_bit || cache_validated(crecp))))
1508 if (crecp->flags & F_CONFIG || qtype == T_CNAME)
1511 if (!(crecp->flags & F_DNSSECOK))
1516 log_query(stale_flag | crecp->flags, name, NULL, record_source(crecp->uid), 0);
1517 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1518 crec_ttl(crecp, now), &nameoffset,
1519 T_CNAME, C_IN, "d", cname_target))
1525 return 0; /* give up if any cached CNAME in chain can't be used for DNSSEC reasons. */
1527 if (qtype == T_CNAME)
1530 strcpy(name, cname_target);
1533 if (qtype == T_TXT || qtype == T_ANY)
1535 struct txt_record *t;
1536 for(t = daemon->txt; t ; t = t->next)
1538 if (t->class == qclass && hostname_isequal(name, t->name))
1540 ans = 1, sec_data = 0;
1543 unsigned long ttl = daemon->local_ttl;
1546 /* Dynamically generate stat record */
1550 if (!cache_make_stat(t))
1556 log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>", 0);
1557 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1559 T_TXT, t->class, "t", t->len, t->txt))
1567 if (qclass == C_CHAOS)
1569 /* don't forward *.bind and *.server chaos queries - always reply with NOTIMP */
1570 if (hostname_issubdomain("bind", name) || hostname_issubdomain("server", name))
1574 notimp = 1, auth = 0;
1577 addr.log.rcode = NOTIMP;
1578 log_query(F_CONFIG | F_RCODE, name, &addr, NULL, 0);
1580 ans = 1, sec_data = 0;
1587 struct txt_record *t;
1589 for (t = daemon->rr; t; t = t->next)
1590 if ((t->class == qtype || qtype == T_ANY) && hostname_isequal(name, t->name))
1596 log_query(F_CONFIG | F_RRNAME, name, NULL, NULL, t->class);
1597 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1598 daemon->local_ttl, NULL,
1599 t->class, C_IN, "t", t->len, t->txt))
1604 if (qtype == T_PTR || qtype == T_ANY)
1606 /* see if it's w.z.y.z.in-addr.arpa format */
1607 int is_arpa = in_arpa_name_2_addr(name, &addr);
1608 struct ptr_record *ptr;
1609 struct interface_name* intr = NULL;
1611 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1612 if (hostname_isequal(name, ptr->name))
1615 if (is_arpa == F_IPV4)
1616 for (intr = daemon->int_names; intr; intr = intr->next)
1618 struct addrlist *addrlist;
1620 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
1621 if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr)
1626 else if (!(intr->flags & INP4))
1627 while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
1630 else if (is_arpa == F_IPV6)
1631 for (intr = daemon->int_names; intr; intr = intr->next)
1633 struct addrlist *addrlist;
1635 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
1636 if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6))
1641 else if (!(intr->flags & INP6))
1642 while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
1652 log_query(is_arpa | F_REVERSE | F_CONFIG, intr->name, &addr, NULL, 0);
1653 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1654 daemon->local_ttl, NULL,
1655 T_PTR, C_IN, "d", intr->name))
1665 log_query(F_CONFIG | F_RRNAME, name, NULL, "<PTR>", 0);
1666 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1667 if (hostname_isequal(name, ptr->name) &&
1668 add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1669 daemon->local_ttl, NULL,
1670 T_PTR, C_IN, "d", ptr->ptr))
1675 else if (is_arpa && (crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
1677 /* Don't use cache when DNSSEC data required, unless we know that
1678 the zone is unsigned, which implies that we're doing
1680 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
1681 (rd_bit && (!do_bit || cache_validated(crecp)) ))
1687 if (crec_isstale(crecp, now))
1692 stale_flag = F_STALE;
1695 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1696 if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP)))
1700 if (!(crecp->flags & F_DNSSECOK))
1705 if (crecp->flags & F_NEG)
1708 if (crecp->flags & F_NXDOMAIN)
1711 log_query(stale_flag | (crecp->flags & ~F_FORWARD), name, &addr, NULL, 0);
1715 if (!(crecp->flags & (F_HOSTS | F_DHCP)))
1719 log_query(stale_flag | (crecp->flags & ~F_FORWARD), cache_get_name(crecp), &addr,
1720 record_source(crecp->uid), 0);
1722 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1723 crec_ttl(crecp, now), NULL,
1724 T_PTR, C_IN, "d", cache_get_name(crecp)))
1728 } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa)));
1731 else if (is_rev_synth(is_arpa, &addr, name))
1737 log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL, 0);
1739 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1740 daemon->local_ttl, NULL,
1741 T_PTR, C_IN, "d", name))
1745 else if (option_bool(OPT_BOGUSPRIV) &&
1746 ((is_arpa == F_IPV6 && private_net6(&addr.addr6, 1)) || (is_arpa == F_IPV4 && private_net(addr.addr4, 1))) &&
1747 !lookup_domain(name, F_DOMAINSRV, NULL, NULL))
1749 /* if no configured server, not in cache, enabled and private IPV4 address, return NXDOMAIN */
1754 log_query(F_CONFIG | F_REVERSE | is_arpa | F_NEG | F_NXDOMAIN,
1755 name, &addr, NULL, 0);
1759 for (flag = F_IPV4; flag; flag = (flag == F_IPV4) ? F_IPV6 : 0)
1761 unsigned short type = (flag == F_IPV6) ? T_AAAA : T_A;
1762 struct interface_name *intr;
1764 if (qtype != type && qtype != T_ANY)
1767 /* interface name stuff */
1768 for (intr = daemon->int_names; intr; intr = intr->next)
1769 if (hostname_isequal(name, intr->name))
1774 struct addrlist *addrlist;
1775 int gotit = 0, localise = 0;
1777 enumerate_interfaces(0);
1779 /* See if a putative address is on the network from which we received
1780 the query, is so we'll filter other answers. */
1781 if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A)
1782 for (intr = daemon->int_names; intr; intr = intr->next)
1783 if (hostname_isequal(name, intr->name))
1784 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
1785 if (!(addrlist->flags & ADDRLIST_IPV6) &&
1786 is_same_net(addrlist->addr.addr4, local_addr, local_netmask))
1792 for (intr = daemon->int_names; intr; intr = intr->next)
1793 if (hostname_isequal(name, intr->name))
1795 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
1796 if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
1799 !is_same_net(addrlist->addr.addr4, local_addr, local_netmask))
1802 if (addrlist->flags & ADDRLIST_REVONLY)
1810 log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL, 0);
1811 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1812 daemon->local_ttl, NULL, type, C_IN,
1813 type == T_A ? "4" : "6", &addrlist->addr))
1819 if (!dryrun && !gotit)
1820 log_query(F_FORWARD | F_CONFIG | flag | F_NEG, name, NULL, NULL, 0);
1825 if ((crecp = cache_find_by_name(NULL, name, now, flag | F_NXDOMAIN | (dryrun ? F_NO_RR : 0))))
1829 /* See if a putative address is on the network from which we received
1830 the query, is so we'll filter other answers. */
1831 if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && flag == F_IPV4)
1833 struct crec *save = crecp;
1835 if ((crecp->flags & F_HOSTS) &&
1836 is_same_net(crecp->addr.addr4, local_addr, local_netmask))
1841 } while ((crecp = cache_find_by_name(crecp, name, now, flag)));
1845 /* If the client asked for DNSSEC don't use cached data. */
1846 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
1847 (rd_bit && (!do_bit || cache_validated(crecp)) ))
1852 if (crec_isstale(crecp, now))
1857 stale_flag = F_STALE;
1860 /* don't answer wildcard queries with data not from /etc/hosts
1862 if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
1865 if (!(crecp->flags & F_DNSSECOK))
1868 if (crecp->flags & F_NEG)
1872 if (crecp->flags & F_NXDOMAIN)
1875 log_query(stale_flag | crecp->flags, name, NULL, NULL, 0);
1879 /* If we are returning local answers depending on network,
1882 (crecp->flags & F_HOSTS) &&
1883 !is_same_net(crecp->addr.addr4, local_addr, local_netmask))
1886 if (!(crecp->flags & (F_HOSTS | F_DHCP)))
1892 log_query(stale_flag | (crecp->flags & ~F_REVERSE), name, &crecp->addr,
1893 record_source(crecp->uid), 0);
1895 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1896 crec_ttl(crecp, now), NULL, type, C_IN,
1897 type == T_A ? "4" : "6", &crecp->addr))
1901 } while ((crecp = cache_find_by_name(crecp, name, now, flag)));
1903 else if (is_name_synthetic(flag, name, &addr))
1905 ans = 1, sec_data = 0;
1908 log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL, 0);
1909 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1910 daemon->local_ttl, NULL, type, C_IN, type == T_A ? "4" : "6", &addr))
1916 if (qtype == T_MX || qtype == T_ANY)
1919 for (rec = daemon->mxnames; rec; rec = rec->next)
1920 if (!rec->issrv && hostname_isequal(name, rec->name))
1927 log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>", 0);
1928 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
1929 &offset, T_MX, C_IN, "sd", rec->weight, rec->target))
1933 rec->offset = offset;
1938 if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) &&
1939 cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP | F_NO_RR))
1945 log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>", 0);
1946 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL,
1947 T_MX, C_IN, "sd", 1,
1948 option_bool(OPT_SELFMX) ? name : daemon->mxtarget))
1954 if (qtype == T_SRV || qtype == T_ANY)
1957 struct mx_srv_record *move = NULL, **up = &daemon->mxnames;
1959 for (rec = daemon->mxnames; rec; rec = rec->next)
1960 if (rec->issrv && hostname_isequal(name, rec->name))
1967 log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>", 0);
1968 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
1969 &offset, T_SRV, C_IN, "sssd",
1970 rec->priority, rec->weight, rec->srvport, rec->target))
1974 rec->offset = offset;
1978 /* unlink first SRV record found */
1990 /* put first SRV record back at the end. */
1999 if ((crecp = cache_find_by_name(NULL, name, now, F_SRV | F_NXDOMAIN | (dryrun ? F_NO_RR : 0))) &&
2000 rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
2005 if (crec_isstale(crecp, now))
2010 stale_flag = F_STALE;
2012 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases, except for NXDOMAIN */
2013 if (qtype == T_ANY && !(crecp->flags & (F_NXDOMAIN)))
2016 if (!(crecp->flags & F_DNSSECOK))
2022 if (crecp->flags & F_NEG)
2024 if (crecp->flags & F_NXDOMAIN)
2027 log_query(stale_flag | crecp->flags, name, NULL, NULL, 0);
2031 char *target = blockdata_retrieve(crecp->addr.srv.target, crecp->addr.srv.targetlen, NULL);
2032 log_query(stale_flag | crecp->flags, name, NULL, NULL, 0);
2034 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
2035 crec_ttl(crecp, now), NULL, T_SRV, C_IN, "sssd",
2036 crecp->addr.srv.priority, crecp->addr.srv.weight, crecp->addr.srv.srvport,
2040 } while ((crecp = cache_find_by_name(crecp, name, now, F_SRV)));
2043 if (!found && option_bool(OPT_FILTER) && (qtype == T_SRV || (qtype == T_ANY && strchr(name, '_'))))
2048 log_query(F_CONFIG | F_NEG, name, NULL, NULL, 0);
2052 if (qtype == T_NAPTR || qtype == T_ANY)
2055 for (na = daemon->naptr; na; na = na->next)
2056 if (hostname_isequal(name, na->name))
2062 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>", 0);
2063 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
2064 NULL, T_NAPTR, C_IN, "sszzzd",
2065 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
2071 if (qtype == T_MAILB)
2072 ans = 1, nxdomain = 1, sec_data = 0;
2074 if (qtype == T_SOA && option_bool(OPT_FILTER))
2079 log_query(F_CONFIG | F_NEG, name, &addr, NULL, 0);
2084 return 0; /* failed to answer a question */
2093 /* create an additional data section, for stuff in SRV and MX record replies. */
2094 for (rec = daemon->mxnames; rec; rec = rec->next)
2095 if (rec->offset != 0)
2098 struct mx_srv_record *tmp;
2099 for (tmp = rec->next; tmp; tmp = tmp->next)
2100 if (tmp->offset != 0 && hostname_isequal(rec->target, tmp->target))
2104 while ((crecp = cache_find_by_name(crecp, rec->target, now, F_IPV4 | F_IPV6)))
2106 int type = crecp->flags & F_IPV4 ? T_A : T_AAAA;
2108 if (crecp->flags & F_NEG)
2111 if (add_resource_record(header, limit, NULL, rec->offset, &ansp,
2112 crec_ttl(crecp, now), NULL, type, C_IN,
2113 crecp->flags & F_IPV4 ? "4" : "6", &crecp->addr))
2118 /* done all questions, set up header and return length of result */
2119 /* clear authoritative and truncated flags, set QR flag */
2120 header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
2122 header->hb4 |= HB4_RA;
2124 /* authoritative - only hosts and DHCP derived names. */
2126 header->hb3 |= HB3_AA;
2130 header->hb3 |= HB3_TC;
2133 SET_RCODE(header, NXDOMAIN);
2135 SET_RCODE(header, NOTIMP);
2137 SET_RCODE(header, NOERROR); /* no error */
2138 header->ancount = htons(anscount);
2139 header->nscount = htons(0);
2140 header->arcount = htons(addncount);
2142 len = ansp - (unsigned char *)header;
2144 /* Advertise our packet size limit in our reply */
2145 if (have_pseudoheader)
2146 len = add_pseudoheader(header, len, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
2148 if (ad_reqd && sec_data)
2149 header->hb4 |= HB4_AD;
2151 header->hb4 &= ~HB4_AD;