Compare commits
8 Commits
v2.73test2
...
v2.73test3
| Author | SHA1 | Date | |
|---|---|---|---|
|
424c4a8a53 | ||
|
|
97e618a0e3 | ||
|
d8dbd903d0 | ||
|
|
81c538efce | ||
|
d310ab7ecb | ||
|
|
0b1008d367 | ||
|
32fc6dbe03 | ||
|
|
83d2ed09fc |
2
.gitignore
vendored
2
.gitignore
vendored
@@ -3,7 +3,7 @@ src/*.mo
|
||||
src/dnsmasq.pot
|
||||
src/dnsmasq
|
||||
src/dnsmasq_baseline
|
||||
src/.configured
|
||||
src/.copts_*
|
||||
contrib/wrt/dhcp_lease_time
|
||||
contrib/wrt/dhcp_release
|
||||
debian/base/
|
||||
|
||||
17
CHANGELOG
17
CHANGELOG
@@ -22,8 +22,25 @@ version 2.73
|
||||
|
||||
Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
|
||||
for the bug report.
|
||||
|
||||
Add --ignore-address option. Ignore replies to A-record
|
||||
queries which include the specified address. No error is
|
||||
generated, dnsmasq simply continues to listen for another
|
||||
reply. This is useful to defeat blocking strategies which
|
||||
rely on quickly supplying a forged answer to a DNS
|
||||
request for certain domains, before the correct answer can
|
||||
arrive. Thanks to Glen Huang for the patch.
|
||||
|
||||
Revisit the part of DNSSEC validation which determines if an
|
||||
unsigned answer is legit, or is in some part of the DNS
|
||||
tree which should be signed. Dnsmasq now works from the
|
||||
DNS root downward looking for the limit of signed
|
||||
delegations, rather than working bottom up. This is
|
||||
both more correct, and less likely to trip over broken
|
||||
nameservers in the unsigned parts of the DNS tree
|
||||
which don't respond well to DNSSEC queries.
|
||||
|
||||
|
||||
version 2.72
|
||||
Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
|
||||
|
||||
|
||||
12
Makefile
12
Makefile
@@ -64,6 +64,8 @@ nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG
|
||||
gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
|
||||
sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
|
||||
version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
|
||||
copts_conf = .copts_$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | \
|
||||
( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
|
||||
|
||||
objs = cache.o rfc1035.o util.o option.o forward.o network.o \
|
||||
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
|
||||
@@ -83,7 +85,7 @@ all : $(BUILDDIR)
|
||||
|
||||
mostly_clean :
|
||||
rm -f $(BUILDDIR)/*.mo $(BUILDDIR)/*.pot
|
||||
rm -f $(BUILDDIR)/.configured $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq
|
||||
rm -f $(BUILDDIR)/.copts_* $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq
|
||||
|
||||
clean : mostly_clean
|
||||
rm -f $(BUILDDIR)/dnsmasq_baseline
|
||||
@@ -139,17 +141,19 @@ bloatcheck : $(BUILDDIR)/dnsmasq_baseline mostly_clean all
|
||||
|
||||
# rules below are targets in recusive makes with cwd=$(BUILDDIR)
|
||||
|
||||
.configured: $(hdrs)
|
||||
@rm -f *.o
|
||||
$(copts_conf): $(hdrs)
|
||||
@rm -f *.o .copts_*
|
||||
@touch $@
|
||||
|
||||
$(objs:.o=.c) $(hdrs):
|
||||
ln -s $(top)/$(SRC)/$@ .
|
||||
|
||||
$(objs): $(copts_conf) $(hdrs)
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $<
|
||||
|
||||
dnsmasq : .configured $(hdrs) $(objs)
|
||||
dnsmasq : $(objs)
|
||||
$(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS)
|
||||
|
||||
dnsmasq.pot : $(objs:.o=.c) $(hdrs)
|
||||
|
||||
@@ -293,6 +293,12 @@ an advertising web page in response to queries for unregistered names,
|
||||
instead of the correct NXDOMAIN response. This option tells dnsmasq to
|
||||
fake the correct response when it sees this behaviour. As at Sept 2003
|
||||
the IP address being returned by Verisign is 64.94.110.11
|
||||
.TP
|
||||
.B \-B, --ignore-address=<ipaddr>
|
||||
Ignore replies to A-record queries which include the specified address.
|
||||
No error is generated, dnsmasq simply continues to listen for another reply.
|
||||
This is useful to defeat blocking strategies which rely on quickly supplying a
|
||||
forged answer to a DNS request for certain domain, before the correct answer can arrive.
|
||||
.TP
|
||||
.B \-f, --filterwin2k
|
||||
Later versions of windows make periodic DNS requests which don't get sensible answers from
|
||||
|
||||
@@ -569,8 +569,9 @@ struct hostsfile {
|
||||
#define STAT_SECURE_WILDCARD 7
|
||||
#define STAT_NO_SIG 8
|
||||
#define STAT_NO_DS 9
|
||||
#define STAT_NEED_DS_NEG 10
|
||||
#define STAT_CHASE_CNAME 11
|
||||
#define STAT_NO_NS 10
|
||||
#define STAT_NEED_DS_NEG 11
|
||||
#define STAT_CHASE_CNAME 12
|
||||
|
||||
#define FREC_NOREBIND 1
|
||||
#define FREC_CHECKING_DISABLED 2
|
||||
@@ -604,7 +605,9 @@ struct frec {
|
||||
#ifdef HAVE_DNSSEC
|
||||
int class, work_counter;
|
||||
struct blockdata *stash; /* Saved reply, whilst we validate */
|
||||
size_t stash_len;
|
||||
struct blockdata *orig_domain; /* domain of original query, whilst
|
||||
we're seeing is if in unsigned domain */
|
||||
size_t stash_len, name_start, name_len;
|
||||
struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */
|
||||
struct frec *blocking_query; /* Query which is blocking us. */
|
||||
#endif
|
||||
@@ -930,7 +933,7 @@ extern struct daemon {
|
||||
char *runfile;
|
||||
char *lease_change_command;
|
||||
struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers, *tftp_interfaces;
|
||||
struct bogus_addr *bogus_addr;
|
||||
struct bogus_addr *bogus_addr, *ignore_addr;
|
||||
struct server *servers;
|
||||
struct ipsets *ipsets;
|
||||
int log_fac; /* log facility */
|
||||
@@ -1093,6 +1096,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||||
time_t now, int *ad_reqd, int *do_bit);
|
||||
int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name,
|
||||
struct bogus_addr *addr, time_t now);
|
||||
int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr);
|
||||
unsigned char *find_pseudoheader(struct dns_header *header, size_t plen,
|
||||
size_t *len, unsigned char **p, int *is_sign);
|
||||
int check_for_local_domain(char *name, time_t now);
|
||||
@@ -1125,7 +1129,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
|
||||
size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr);
|
||||
int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class);
|
||||
int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
|
||||
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer);
|
||||
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer, int *nons);
|
||||
int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
|
||||
int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
|
||||
size_t filter_rrsigs(struct dns_header *header, size_t plen);
|
||||
|
||||
100
src/dnssec.c
100
src/dnssec.c
@@ -637,10 +637,13 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||||
struct crec *crecp = NULL;
|
||||
int type_covered, algo, labels, orig_ttl, sig_expiration, sig_inception, key_tag;
|
||||
u16 *rr_desc = get_desc(type);
|
||||
|
||||
|
||||
if (wildcard_out)
|
||||
*wildcard_out = NULL;
|
||||
|
||||
if (!(p = skip_questions(header, plen)))
|
||||
return STAT_BOGUS;
|
||||
|
||||
|
||||
name_labels = count_labels(name); /* For 4035 5.3.2 check */
|
||||
|
||||
/* look for RRSIGs for this RRset and get pointers to each RR in the set. */
|
||||
@@ -802,7 +805,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||||
{
|
||||
while (*name_start != '.' && *name_start != 0)
|
||||
name_start++;
|
||||
if (k != 1)
|
||||
if (k != 1 && *name_start == '.')
|
||||
name_start++;
|
||||
}
|
||||
|
||||
@@ -872,8 +875,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||||
/* The DNS packet is expected to contain the answer to a DNSKEY query.
|
||||
Put all DNSKEYs in the answer which are valid into the cache.
|
||||
return codes:
|
||||
STAT_INSECURE No DNSKEYs in reply.
|
||||
STAT_SECURE At least one valid DNSKEY found and in cache.
|
||||
STAT_SECURE At least one valid DNSKEY found and in cache.
|
||||
STAT_BOGUS No DNSKEYs found, which can be validated with DS,
|
||||
or self-sign for DNSKEY RRset is not valid, bad packet.
|
||||
STAT_NEED_DS DS records to validate a key not found, name in keyname
|
||||
@@ -893,11 +895,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
|
||||
GETSHORT(qtype, p);
|
||||
GETSHORT(qclass, p);
|
||||
|
||||
if (qtype != T_DNSKEY || qclass != class)
|
||||
if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
|
||||
return STAT_BOGUS;
|
||||
|
||||
if (ntohs(header->ancount) == 0)
|
||||
return STAT_INSECURE;
|
||||
|
||||
/* See if we have cached a DS record which validates this key */
|
||||
if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
|
||||
@@ -1100,17 +1099,17 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
|
||||
/* The DNS packet is expected to contain the answer to a DS query
|
||||
Put all DSs in the answer which are valid into the cache.
|
||||
return codes:
|
||||
STAT_INSECURE no DS in reply or not signed.
|
||||
STAT_SECURE At least one valid DS found and in cache.
|
||||
STAT_NO_DS It's proved there's no DS here.
|
||||
STAT_BOGUS At least one DS found, which fails validation, bad packet.
|
||||
STAT_NO_NS It's proved there's no DS _or_ NS here.
|
||||
STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
|
||||
STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname
|
||||
*/
|
||||
|
||||
int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
|
||||
{
|
||||
unsigned char *p = (unsigned char *)(header+1);
|
||||
int qtype, qclass, val, i, neganswer;
|
||||
int qtype, qclass, val, i, neganswer, nons;
|
||||
|
||||
if (ntohs(header->qdcount) != 1 ||
|
||||
!(p = skip_name(p, header, plen, 4)))
|
||||
@@ -1122,32 +1121,39 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
||||
if (qtype != T_DS || qclass != class)
|
||||
val = STAT_BOGUS;
|
||||
else
|
||||
val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer);
|
||||
|
||||
if (val == STAT_NO_SIG)
|
||||
val = STAT_INSECURE;
|
||||
val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer, &nons);
|
||||
/* Note dnssec_validate_reply() will have cached positive answers */
|
||||
|
||||
if (val == STAT_NO_SIG || val == STAT_INSECURE)
|
||||
val = STAT_BOGUS;
|
||||
|
||||
p = (unsigned char *)(header+1);
|
||||
extract_name(header, plen, &p, name, 1, 4);
|
||||
p += 4; /* qtype, qclass */
|
||||
|
||||
if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
|
||||
return STAT_BOGUS;
|
||||
val = STAT_BOGUS;
|
||||
|
||||
if (val == STAT_BOGUS)
|
||||
log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
|
||||
|
||||
if ((val == STAT_SECURE || val == STAT_INSECURE) && neganswer)
|
||||
{
|
||||
int rdlen, flags = F_FORWARD | F_DS | F_NEG;
|
||||
log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
|
||||
/* By here, the answer is proved secure, and a positive answer has been cached. */
|
||||
if (val == STAT_SECURE && neganswer)
|
||||
{
|
||||
int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
|
||||
unsigned long ttl, minttl = ULONG_MAX;
|
||||
struct all_addr a;
|
||||
|
||||
if (RCODE(header) == NXDOMAIN)
|
||||
flags |= F_NXDOMAIN;
|
||||
|
||||
if (val == STAT_SECURE)
|
||||
flags |= F_DNSSECOK;
|
||||
/* We only cache validated DS records, DNSSECOK flag hijacked
|
||||
to store presence/absence of NS. */
|
||||
if (nons)
|
||||
flags &= ~F_DNSSECOK;
|
||||
|
||||
for (i = ntohs(header->nscount); i != 0; i--)
|
||||
{
|
||||
@@ -1193,10 +1199,12 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
||||
a.addr.dnssec.class = class;
|
||||
cache_insert(name, &a, now, ttl, flags);
|
||||
|
||||
cache_end_insert();
|
||||
cache_end_insert();
|
||||
|
||||
log_query(F_UPSTREAM, name, NULL, nons ? "no delegation" : "no DS");
|
||||
}
|
||||
|
||||
return (val == STAT_SECURE) ? STAT_NO_DS : STAT_INSECURE;
|
||||
return nons ? STAT_NO_NS : STAT_NO_DS;
|
||||
}
|
||||
|
||||
return val;
|
||||
@@ -1320,12 +1328,15 @@ static int find_nsec_records(struct dns_header *header, size_t plen, unsigned ch
|
||||
}
|
||||
|
||||
static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
|
||||
char *workspace1, char *workspace2, char *name, int type)
|
||||
char *workspace1, char *workspace2, char *name, int type, int *nons)
|
||||
{
|
||||
int i, rc, rdlen;
|
||||
unsigned char *p, *psave;
|
||||
int offset = (type & 0xff) >> 3;
|
||||
int mask = 0x80 >> (type & 0x07);
|
||||
|
||||
if (nons)
|
||||
*nons = 0;
|
||||
|
||||
/* Find NSEC record that proves name doesn't exist */
|
||||
for (i = 0; i < nsec_count; i++)
|
||||
@@ -1352,6 +1363,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
|
||||
rdlen -= p - psave;
|
||||
/* rdlen is now length of type map, and p points to it */
|
||||
|
||||
/* If we can prove that there's no NS record, return that information. */
|
||||
if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0)
|
||||
*nons = 1;
|
||||
|
||||
while (rdlen >= 2)
|
||||
{
|
||||
if (!CHECK_LEN(header, p, plen, rdlen))
|
||||
@@ -1453,7 +1468,7 @@ static int base32_decode(char *in, unsigned char *out)
|
||||
}
|
||||
|
||||
static int check_nsec3_coverage(struct dns_header *header, size_t plen, int digest_len, unsigned char *digest, int type,
|
||||
char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count)
|
||||
char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count, int *nons)
|
||||
{
|
||||
int i, hash_len, salt_len, base32_len, rdlen;
|
||||
unsigned char *p, *psave;
|
||||
@@ -1494,6 +1509,10 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||||
if (!CHECK_LEN(header, p, plen, rdlen))
|
||||
return 0;
|
||||
|
||||
/* If we can prove that there's no NS record, return that information. */
|
||||
if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0)
|
||||
*nons = 1;
|
||||
|
||||
while (rdlen >= 2)
|
||||
{
|
||||
if (p[0] == type >> 8)
|
||||
@@ -1530,13 +1549,16 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||||
}
|
||||
|
||||
static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
|
||||
char *workspace1, char *workspace2, char *name, int type, char *wildname)
|
||||
char *workspace1, char *workspace2, char *name, int type, char *wildname, int *nons)
|
||||
{
|
||||
unsigned char *salt, *p, *digest;
|
||||
int digest_len, i, iterations, salt_len, base32_len, algo = 0;
|
||||
struct nettle_hash const *hash;
|
||||
char *closest_encloser, *next_closest, *wildcard;
|
||||
|
||||
|
||||
if (nons)
|
||||
*nons = 0;
|
||||
|
||||
/* Look though the NSEC3 records to find the first one with
|
||||
an algorithm we support (currently only algo == 1).
|
||||
|
||||
@@ -1609,7 +1631,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||||
if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0)
|
||||
return STAT_BOGUS;
|
||||
|
||||
if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count))
|
||||
if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons))
|
||||
return STAT_SECURE;
|
||||
|
||||
/* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3"
|
||||
@@ -1654,7 +1676,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||||
if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0)
|
||||
return STAT_BOGUS;
|
||||
|
||||
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count))
|
||||
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL))
|
||||
return STAT_BOGUS;
|
||||
|
||||
/* Finally, check that there's no seat of wildcard synthesis */
|
||||
@@ -1669,7 +1691,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||||
if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0)
|
||||
return STAT_BOGUS;
|
||||
|
||||
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count))
|
||||
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL))
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
|
||||
@@ -1678,7 +1700,8 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||||
|
||||
/* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) */
|
||||
/* Returns are the same as validate_rrset, plus the class if the missing key is in *class */
|
||||
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer)
|
||||
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname,
|
||||
int *class, int *neganswer, int *nons)
|
||||
{
|
||||
unsigned char *ans_start, *qname, *p1, *p2, **nsecs;
|
||||
int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype;
|
||||
@@ -1808,10 +1831,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||||
return STAT_BOGUS; /* No NSECs or bad packet */
|
||||
|
||||
if (nsec_type == T_NSEC)
|
||||
rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1);
|
||||
rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL);
|
||||
else
|
||||
rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, wildname);
|
||||
|
||||
rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename,
|
||||
keyname, name, type1, wildname, NULL);
|
||||
|
||||
if (rc != STAT_SECURE)
|
||||
return rc;
|
||||
}
|
||||
@@ -1934,9 +1958,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||||
return STAT_BOGUS;
|
||||
|
||||
if (nsec_type == T_NSEC)
|
||||
return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype);
|
||||
return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons);
|
||||
else
|
||||
return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL);
|
||||
return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons);
|
||||
}
|
||||
|
||||
/* Chase the CNAME chain in the packet until the first record which _doesn't validate.
|
||||
|
||||
336
src/forward.c
336
src/forward.c
@@ -26,8 +26,9 @@ static void free_frec(struct frec *f);
|
||||
#ifdef HAVE_DNSSEC
|
||||
static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
|
||||
int class, char *name, char *keyname, struct server *server, int *keycount);
|
||||
static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
|
||||
static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
|
||||
static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
|
||||
static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
|
||||
char *name, char *keyname);
|
||||
#endif
|
||||
|
||||
|
||||
@@ -724,6 +725,10 @@ void reply_query(int fd, int family, time_t now)
|
||||
if (!(forward = lookup_frec(ntohs(header->id), hash)))
|
||||
return;
|
||||
|
||||
if (daemon->ignore_addr && RCODE(header) == NOERROR &&
|
||||
check_for_ignored_address(header, n, daemon->ignore_addr))
|
||||
return;
|
||||
|
||||
if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
|
||||
!option_bool(OPT_ORDER) &&
|
||||
forward->forwardall == 0)
|
||||
@@ -811,18 +816,22 @@ void reply_query(int fd, int family, time_t now)
|
||||
else if (forward->flags & FREC_DS_QUERY)
|
||||
{
|
||||
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||||
if (status == STAT_NO_DS)
|
||||
status = STAT_INSECURE;
|
||||
if (status == STAT_NO_DS || status == STAT_NO_NS)
|
||||
status = STAT_BOGUS;
|
||||
}
|
||||
else if (forward->flags & FREC_CHECK_NOSIGN)
|
||||
status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||||
{
|
||||
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||||
if (status != STAT_NEED_KEY)
|
||||
status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
|
||||
}
|
||||
else
|
||||
{
|
||||
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
|
||||
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
|
||||
if (status == STAT_NO_SIG)
|
||||
{
|
||||
if (option_bool(OPT_DNSSEC_NO_SIGN))
|
||||
status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
|
||||
status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
|
||||
else
|
||||
status = STAT_INSECURE;
|
||||
}
|
||||
@@ -857,6 +866,7 @@ void reply_query(int fd, int family, time_t now)
|
||||
new->blocking_query = NULL;
|
||||
new->sentto = server;
|
||||
new->rfd4 = NULL;
|
||||
new->orig_domain = NULL;
|
||||
#ifdef HAVE_IPV6
|
||||
new->rfd6 = NULL;
|
||||
#endif
|
||||
@@ -885,7 +895,9 @@ void reply_query(int fd, int family, time_t now)
|
||||
new->new_id = get_id();
|
||||
header->id = htons(new->new_id);
|
||||
/* Save query for retransmission */
|
||||
new->stash = blockdata_alloc((char *)header, nn);
|
||||
if (!(new->stash = blockdata_alloc((char *)header, nn)))
|
||||
return;
|
||||
|
||||
new->stash_len = nn;
|
||||
|
||||
/* Don't resend this. */
|
||||
@@ -942,18 +954,22 @@ void reply_query(int fd, int family, time_t now)
|
||||
else if (forward->flags & FREC_DS_QUERY)
|
||||
{
|
||||
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||||
if (status == STAT_NO_DS)
|
||||
status = STAT_INSECURE;
|
||||
if (status == STAT_NO_DS || status == STAT_NO_NS)
|
||||
status = STAT_BOGUS;
|
||||
}
|
||||
else if (forward->flags & FREC_CHECK_NOSIGN)
|
||||
status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||||
{
|
||||
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||||
if (status != STAT_NEED_KEY)
|
||||
status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
|
||||
}
|
||||
else
|
||||
{
|
||||
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
|
||||
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
|
||||
if (status == STAT_NO_SIG)
|
||||
{
|
||||
if (option_bool(OPT_DNSSEC_NO_SIGN))
|
||||
status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
|
||||
status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
|
||||
else
|
||||
status = STAT_INSECURE;
|
||||
}
|
||||
@@ -1315,70 +1331,80 @@ void receive_query(struct listener *listen, time_t now)
|
||||
/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
|
||||
and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
|
||||
STAT_NEED_DS_NEG and keyname if we need to do the query. */
|
||||
static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname)
|
||||
static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
|
||||
char *name, char *keyname)
|
||||
{
|
||||
struct crec *crecp;
|
||||
char *name_start = name;
|
||||
int status = dnssec_chase_cname(now, header, plen, name, keyname);
|
||||
|
||||
if (status != STAT_INSECURE)
|
||||
return status;
|
||||
|
||||
/* Store the domain we're trying to check. */
|
||||
forward->name_start = strlen(name);
|
||||
forward->name_len = forward->name_start + 1;
|
||||
if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
|
||||
return STAT_BOGUS;
|
||||
|
||||
return do_check_sign(forward, 0, now, name, keyname);
|
||||
}
|
||||
|
||||
/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
|
||||
static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
|
||||
{
|
||||
/* get domain we're checking back from blockdata store, it's stored on the original query. */
|
||||
while (forward->dependent)
|
||||
forward = forward->dependent;
|
||||
|
||||
blockdata_retrieve(forward->orig_domain, forward->name_len, name);
|
||||
|
||||
while (1)
|
||||
{
|
||||
crecp = cache_find_by_name(NULL, name_start, now, F_DS);
|
||||
|
||||
if (crecp && (crecp->flags & F_DNSSECOK))
|
||||
return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
|
||||
|
||||
if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
|
||||
{
|
||||
name_start++; /* chop a label off and try again */
|
||||
continue;
|
||||
}
|
||||
char *p;
|
||||
|
||||
/* Reached the root */
|
||||
if (!name_start)
|
||||
if (status == 0)
|
||||
{
|
||||
struct crec *crecp;
|
||||
|
||||
/* Haven't received answer, see if in cache */
|
||||
if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
|
||||
{
|
||||
/* put name of DS record we're missing into keyname */
|
||||
strcpy(keyname, &name[forward->name_start]);
|
||||
/* and wait for reply to arrive */
|
||||
return STAT_NEED_DS_NEG;
|
||||
}
|
||||
|
||||
/* F_DNSSECOK misused in DS cache records to non-existance of NS record */
|
||||
if (!(crecp->flags & F_NEG))
|
||||
status = STAT_SECURE;
|
||||
else if (crecp->flags & F_DNSSECOK)
|
||||
status = STAT_NO_DS;
|
||||
else
|
||||
status = STAT_NO_NS;
|
||||
}
|
||||
|
||||
/* Have entered non-signed part of DNS tree. */
|
||||
if (status == STAT_NO_DS)
|
||||
return STAT_INSECURE;
|
||||
|
||||
if (status == STAT_BOGUS)
|
||||
return STAT_BOGUS;
|
||||
|
||||
strcpy(keyname, name_start);
|
||||
return STAT_NEED_DS_NEG;
|
||||
}
|
||||
}
|
||||
/* There's a proven DS record, or we're within a zone, where there doesn't need
|
||||
to be a DS record. Add a name and try again.
|
||||
If we've already tried the whole name, then fail */
|
||||
|
||||
/* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */
|
||||
static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
|
||||
|
||||
{
|
||||
char *name_start;
|
||||
unsigned char *p;
|
||||
int status;
|
||||
|
||||
/* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
|
||||
suitable NSEC reply to DS queries. */
|
||||
if (RCODE(header) != SERVFAIL)
|
||||
{
|
||||
status = dnssec_validate_ds(now, header, plen, name, keyname, class);
|
||||
if (forward->name_start == 0)
|
||||
return STAT_BOGUS;
|
||||
|
||||
if (status != STAT_INSECURE)
|
||||
{
|
||||
if (status == STAT_NO_DS)
|
||||
status = STAT_INSECURE;
|
||||
return status;
|
||||
}
|
||||
for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
|
||||
|
||||
if (p != name)
|
||||
p++;
|
||||
|
||||
forward->name_start = p - name;
|
||||
status = 0; /* force to cache when we iterate. */
|
||||
}
|
||||
|
||||
p = (unsigned char *)(header+1);
|
||||
|
||||
if (extract_name(header, plen, &p, name, 1, 4) &&
|
||||
(name_start = strchr(name, '.')))
|
||||
{
|
||||
name_start++; /* chop a label off and try again */
|
||||
strcpy(keyname, name_start);
|
||||
return STAT_NEED_DS_NEG;
|
||||
}
|
||||
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
|
||||
/* Move toward the root, until we find a signed non-existance of a DS, in which case
|
||||
@@ -1390,9 +1416,10 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
|
||||
size_t m;
|
||||
unsigned char *packet, *payload;
|
||||
u16 *length;
|
||||
unsigned char *p = (unsigned char *)(header+1);
|
||||
int status;
|
||||
char *name_start = name;
|
||||
int status, name_len;
|
||||
struct blockdata *block;
|
||||
|
||||
char *name_start;
|
||||
|
||||
/* Get first insecure entry in CNAME chain */
|
||||
status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
|
||||
@@ -1405,95 +1432,113 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
|
||||
payload = &packet[2];
|
||||
header = (struct dns_header *)payload;
|
||||
length = (u16 *)packet;
|
||||
|
||||
/* Stash the name away, since the buffer will be trashed when we recurse */
|
||||
name_len = strlen(name) + 1;
|
||||
name_start = name + name_len - 1;
|
||||
|
||||
if (!(block = blockdata_alloc(name, name_len)))
|
||||
{
|
||||
free(packet);
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
|
||||
while (1)
|
||||
{
|
||||
unsigned char *newhash, hash[HASH_SIZE];
|
||||
unsigned char c1, c2;
|
||||
struct crec *crecp = cache_find_by_name(NULL, name_start, now, F_DS);
|
||||
|
||||
struct crec *crecp;
|
||||
|
||||
if (--(*keycount) == 0)
|
||||
{
|
||||
free(packet);
|
||||
blockdata_free(block);
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
|
||||
if (crecp && (crecp->flags & F_DNSSECOK))
|
||||
{
|
||||
free(packet);
|
||||
return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
|
||||
|
||||
while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
|
||||
{
|
||||
if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
|
||||
{
|
||||
/* Found a secure denial of DS - delegation is indeed insecure */
|
||||
free(packet);
|
||||
blockdata_free(block);
|
||||
return STAT_INSECURE;
|
||||
}
|
||||
|
||||
/* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
|
||||
Add another label and continue. */
|
||||
|
||||
if (name_start == name)
|
||||
{
|
||||
free(packet);
|
||||
blockdata_free(block);
|
||||
return STAT_BOGUS; /* run out of labels */
|
||||
}
|
||||
|
||||
name_start -= 2;
|
||||
while (*name_start != '.' && name_start != name)
|
||||
name_start--;
|
||||
if (name_start != name)
|
||||
name_start++;
|
||||
}
|
||||
|
||||
/* If we have cached insecurely that a DS doesn't exist,
|
||||
ise that is a hit for where to start looking for the secure one */
|
||||
if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
|
||||
{
|
||||
name_start++; /* chop a label off and try again */
|
||||
continue;
|
||||
}
|
||||
|
||||
/* reached the root */
|
||||
if (!name_start)
|
||||
{
|
||||
free(packet);
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
/* Can't find it in the cache, have to send a query */
|
||||
|
||||
m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
|
||||
|
||||
/* We rely on the question section coming back unchanged, ensure it is with the hash. */
|
||||
if ((newhash = hash_questions(header, (unsigned int)m, name)))
|
||||
*length = htons(m);
|
||||
|
||||
if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
|
||||
read_write(server->tcpfd, &c1, 1, 1) &&
|
||||
read_write(server->tcpfd, &c2, 1, 1) &&
|
||||
read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
|
||||
{
|
||||
memcpy(hash, newhash, HASH_SIZE);
|
||||
|
||||
*length = htons(m);
|
||||
m = (c1 << 8) | c2;
|
||||
|
||||
if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
|
||||
read_write(server->tcpfd, &c1, 1, 1) &&
|
||||
read_write(server->tcpfd, &c2, 1, 1) &&
|
||||
read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
|
||||
/* Note this trashes all three name workspaces */
|
||||
status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
|
||||
|
||||
if (status == STAT_NO_DS)
|
||||
{
|
||||
m = (c1 << 8) | c2;
|
||||
|
||||
newhash = hash_questions(header, (unsigned int)m, name);
|
||||
if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0)
|
||||
{
|
||||
/* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
|
||||
suitable NSEC reply to DS queries. */
|
||||
if (RCODE(header) == SERVFAIL)
|
||||
status = STAT_INSECURE;
|
||||
else
|
||||
/* Note this trashes all three name workspaces */
|
||||
status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
|
||||
|
||||
/* We've found a DS which proves the bit of the DNS where the
|
||||
original query is, is unsigned, so the answer is OK,
|
||||
if unvalidated. */
|
||||
if (status == STAT_NO_DS)
|
||||
{
|
||||
free(packet);
|
||||
return STAT_INSECURE;
|
||||
}
|
||||
|
||||
/* No DS, not got to DNSSEC-land yet, go up. */
|
||||
if (status == STAT_INSECURE)
|
||||
{
|
||||
p = (unsigned char *)(header+1);
|
||||
|
||||
if (extract_name(header, plen, &p, name, 1, 4) &&
|
||||
(name_start = strchr(name, '.')))
|
||||
{
|
||||
name_start++; /* chop a label off and try again */
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
/* Found a secure denial of DS - delegation is indeed insecure */
|
||||
free(packet);
|
||||
blockdata_free(block);
|
||||
return STAT_INSECURE;
|
||||
}
|
||||
|
||||
if (status == STAT_BOGUS)
|
||||
{
|
||||
free(packet);
|
||||
blockdata_free(block);
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
|
||||
/* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
|
||||
Add another label and continue. */
|
||||
|
||||
/* Get name we're checking back. */
|
||||
blockdata_retrieve(block, name_len, name);
|
||||
|
||||
if (name_start == name)
|
||||
{
|
||||
free(packet);
|
||||
blockdata_free(block);
|
||||
return STAT_BOGUS; /* run out of labels */
|
||||
}
|
||||
|
||||
name_start -= 2;
|
||||
while (*name_start != '.' && name_start != name)
|
||||
name_start--;
|
||||
if (name_start != name)
|
||||
name_start++;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* IO failure */
|
||||
free(packet);
|
||||
blockdata_free(block);
|
||||
return STAT_BOGUS; /* run out of labels */
|
||||
}
|
||||
|
||||
free(packet);
|
||||
|
||||
return STAT_BOGUS;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1512,14 +1557,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
|
||||
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
|
||||
{
|
||||
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
|
||||
if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
|
||||
new_status = STAT_INSECURE;
|
||||
if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
|
||||
new_status = STAT_BOGUS;
|
||||
}
|
||||
else if (status == STAT_CHASE_CNAME)
|
||||
new_status = dnssec_chase_cname(now, header, n, name, keyname);
|
||||
else
|
||||
{
|
||||
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
|
||||
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
|
||||
|
||||
if (new_status == STAT_NO_SIG)
|
||||
{
|
||||
@@ -1572,14 +1617,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
|
||||
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
|
||||
{
|
||||
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
|
||||
if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
|
||||
new_status = STAT_INSECURE; /* Validated no DS */
|
||||
if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
|
||||
new_status = STAT_BOGUS; /* Validated no DS */
|
||||
}
|
||||
else if (status == STAT_CHASE_CNAME)
|
||||
new_status = dnssec_chase_cname(now, header, n, name, keyname);
|
||||
else
|
||||
{
|
||||
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
|
||||
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
|
||||
|
||||
if (new_status == STAT_NO_SIG)
|
||||
{
|
||||
@@ -1957,6 +2002,7 @@ static struct frec *allocate_frec(time_t now)
|
||||
f->dependent = NULL;
|
||||
f->blocking_query = NULL;
|
||||
f->stash = NULL;
|
||||
f->orig_domain = NULL;
|
||||
#endif
|
||||
daemon->frec_list = f;
|
||||
}
|
||||
@@ -2025,6 +2071,12 @@ static void free_frec(struct frec *f)
|
||||
f->stash = NULL;
|
||||
}
|
||||
|
||||
if (f->orig_domain)
|
||||
{
|
||||
blockdata_free(f->orig_domain);
|
||||
f->orig_domain = NULL;
|
||||
}
|
||||
|
||||
/* Anything we're waiting on is pointless now, too */
|
||||
if (f->blocking_query)
|
||||
free_frec(f->blocking_query);
|
||||
|
||||
@@ -15,10 +15,10 @@
|
||||
*/
|
||||
|
||||
#include "dnsmasq.h"
|
||||
#include <sys/inotify.h>
|
||||
|
||||
#ifdef HAVE_LINUX_NETWORK
|
||||
|
||||
#include <sys/inotify.h>
|
||||
|
||||
/* the strategy is to set a inotify on the directories containing
|
||||
resolv files, for any files in the directory which are close-write
|
||||
or moved into the directory.
|
||||
|
||||
18
src/option.c
18
src/option.c
@@ -147,6 +147,7 @@ struct myoption {
|
||||
#define LOPT_LOCAL_SERVICE 335
|
||||
#define LOPT_DNSSEC_TIME 336
|
||||
#define LOPT_LOOP_DETECT 337
|
||||
#define LOPT_IGNORE_ADDR 338
|
||||
|
||||
#ifdef HAVE_GETOPT_LONG
|
||||
static const struct option opts[] =
|
||||
@@ -181,6 +182,7 @@ static const struct myoption opts[] =
|
||||
{ "local-service", 0, 0, LOPT_LOCAL_SERVICE },
|
||||
{ "bogus-priv", 0, 0, 'b' },
|
||||
{ "bogus-nxdomain", 1, 0, 'B' },
|
||||
{ "ignore-address", 1, 0, LOPT_IGNORE_ADDR },
|
||||
{ "selfmx", 0, 0, 'e' },
|
||||
{ "filterwin2k", 0, 0, 'f' },
|
||||
{ "pid-file", 2, 0, 'x' },
|
||||
@@ -457,6 +459,7 @@ static struct {
|
||||
{ LOPT_QUIET_RA, OPT_QUIET_RA, NULL, gettext_noop("Do not log RA."), NULL },
|
||||
{ LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queries only from directly-connected networks"), NULL },
|
||||
{ LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remove DNS forwarding loops"), NULL },
|
||||
{ LOPT_IGNORE_ADDR, ARG_DUP, "<ipaddr>", gettext_noop("Ignore DNS responses containing ipaddr."), NULL },
|
||||
{ 0, 0, NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@@ -2119,14 +2122,23 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
|
||||
break;
|
||||
|
||||
case 'B': /* --bogus-nxdomain */
|
||||
{
|
||||
case LOPT_IGNORE_ADDR: /* --ignore-address */
|
||||
{
|
||||
struct in_addr addr;
|
||||
unhide_metas(arg);
|
||||
if (arg && (inet_pton(AF_INET, arg, &addr) > 0))
|
||||
{
|
||||
struct bogus_addr *baddr = opt_malloc(sizeof(struct bogus_addr));
|
||||
baddr->next = daemon->bogus_addr;
|
||||
daemon->bogus_addr = baddr;
|
||||
if (option == 'B')
|
||||
{
|
||||
baddr->next = daemon->bogus_addr;
|
||||
daemon->bogus_addr = baddr;
|
||||
}
|
||||
else
|
||||
{
|
||||
baddr->next = daemon->ignore_addr;
|
||||
daemon->ignore_addr = baddr;
|
||||
}
|
||||
baddr->addr = addr;
|
||||
}
|
||||
else
|
||||
|
||||
@@ -1328,6 +1328,43 @@ int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name,
|
||||
return 0;
|
||||
}
|
||||
|
||||
int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr)
|
||||
{
|
||||
unsigned char *p;
|
||||
int i, qtype, qclass, rdlen;
|
||||
struct bogus_addr *baddrp;
|
||||
|
||||
/* skip over questions */
|
||||
if (!(p = skip_questions(header, qlen)))
|
||||
return 0; /* bad packet */
|
||||
|
||||
for (i = ntohs(header->ancount); i != 0; i--)
|
||||
{
|
||||
if (!(p = skip_name(p, header, qlen, 10)))
|
||||
return 0; /* bad packet */
|
||||
|
||||
GETSHORT(qtype, p);
|
||||
GETSHORT(qclass, p);
|
||||
p += 4; /* TTL */
|
||||
GETSHORT(rdlen, p);
|
||||
|
||||
if (qclass == C_IN && qtype == T_A)
|
||||
{
|
||||
if (!CHECK_LEN(header, p, qlen, INADDRSZ))
|
||||
return 0;
|
||||
|
||||
for (baddrp = baddr; baddrp; baddrp = baddrp->next)
|
||||
if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (!ADD_RDLEN(header, p, qlen, rdlen))
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
|
||||
unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user