You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

468 lines
15 KiB

  1. /*
  2. * This file is part of PowerDNS or dnsdist.
  3. * Copyright -- PowerDNS.COM B.V. and its contributors
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of version 2 of the GNU General Public License as
  7. * published by the Free Software Foundation.
  8. *
  9. * In addition, for the avoidance of any doubt, permission is granted to
  10. * link this program with OpenSSL and to (re)distribute the binaries
  11. * produced as the result of such linking.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License
  19. * along with this program; if not, write to the Free Software
  20. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. */
  22. #ifdef HAVE_CONFIG_H
  23. #include "config.h"
  24. #endif
  25. #include "utility.hh"
  26. #include "lwres.hh"
  27. #include <iostream>
  28. #include "dnsrecords.hh"
  29. #include <errno.h>
  30. #include "misc.hh"
  31. #include <algorithm>
  32. #include <sstream>
  33. #include <cstring>
  34. #include <string>
  35. #include <vector>
  36. #include "dns.hh"
  37. #include "qtype.hh"
  38. #include "pdnsexception.hh"
  39. #include "arguments.hh"
  40. #include "sstuff.hh"
  41. #include "syncres.hh"
  42. #include "dnswriter.hh"
  43. #include "dnsparser.hh"
  44. #include "logger.hh"
  45. #include "dns_random.hh"
  46. #include <boost/scoped_array.hpp>
  47. #include <boost/algorithm/string.hpp>
  48. #include "validate-recursor.hh"
  49. #include "ednssubnet.hh"
  50. #include "query-local-address.hh"
  51. #ifdef HAVE_PROTOBUF
  52. #include "uuid-utils.hh"
  53. #ifdef HAVE_FSTRM
  54. #include "rec-dnstap.hh"
  55. #include "fstrm_logger.hh"
  56. bool g_syslog;
  57. static bool isEnabledForQueries(const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstreamLoggers)
  58. {
  59. if (fstreamLoggers == nullptr) {
  60. return false;
  61. }
  62. for (auto& logger : *fstreamLoggers) {
  63. if (logger->logQueries()) {
  64. return true;
  65. }
  66. }
  67. return false;
  68. }
  69. static void logFstreamQuery(const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstreamLoggers, const struct timeval &queryTime, const ComboAddress& ip, bool doTCP,
  70. boost::optional<const DNSName&> auth, const vector<uint8_t>& packet)
  71. {
  72. if (fstreamLoggers == nullptr)
  73. return;
  74. struct timespec ts;
  75. TIMEVAL_TO_TIMESPEC(&queryTime, &ts);
  76. RecDnstapMessage message(SyncRes::s_serverID, nullptr, &ip, doTCP, auth, reinterpret_cast<const char*>(&*packet.begin()), packet.size(), &ts, nullptr);
  77. std::string str;
  78. message.serialize(str);
  79. for (auto& logger : *fstreamLoggers) {
  80. logger->queueData(str);
  81. }
  82. }
  83. static bool isEnabledForResponses(const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstreamLoggers)
  84. {
  85. if (fstreamLoggers == nullptr) {
  86. return false;
  87. }
  88. for (auto& logger : *fstreamLoggers) {
  89. if (logger->logResponses()) {
  90. return true;
  91. }
  92. }
  93. return false;
  94. }
  95. static void logFstreamResponse(const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstreamLoggers, const ComboAddress& ip, bool doTCP,
  96. boost::optional<const DNSName&> auth, const std::string& packet, const struct timeval& queryTime, const struct timeval& replyTime)
  97. {
  98. if (fstreamLoggers == nullptr)
  99. return;
  100. struct timespec ts1, ts2;
  101. TIMEVAL_TO_TIMESPEC(&queryTime, &ts1);
  102. TIMEVAL_TO_TIMESPEC(&replyTime, &ts2);
  103. RecDnstapMessage message(SyncRes::s_serverID, nullptr, &ip, doTCP, auth, static_cast<const char*>(&*packet.begin()), packet.size(), &ts1, &ts2);
  104. std::string str;
  105. message.serialize(str);
  106. for (auto& logger : *fstreamLoggers) {
  107. logger->queueData(str);
  108. }
  109. }
  110. #endif // HAVE_FSTRM
  111. static void logOutgoingQuery(const std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& outgoingLoggers, boost::optional<RecProtoBufMessage>& message, boost::optional<const boost::uuids::uuid&> initialRequestId, const boost::uuids::uuid& uuid, const ComboAddress& ip, const DNSName& domain, int type, uint16_t qid, bool doTCP, size_t bytes, boost::optional<Netmask>& srcmask)
  112. {
  113. if (!outgoingLoggers) {
  114. return;
  115. }
  116. bool log = false;
  117. for (auto& logger : *outgoingLoggers) {
  118. if (logger->logQueries()) {
  119. log = true;
  120. break;
  121. }
  122. }
  123. if (!log) {
  124. return;
  125. }
  126. message = RecProtoBufMessage(DNSProtoBufMessage::OutgoingQuery, uuid, nullptr, &ip, domain, type, QClass::IN, qid, doTCP, bytes);
  127. message->setServerIdentity(SyncRes::s_serverID);
  128. if (initialRequestId) {
  129. message->setInitialRequestID(*initialRequestId);
  130. }
  131. if (srcmask) {
  132. message->setEDNSSubnet(*srcmask);
  133. }
  134. // cerr <<message.toDebugString()<<endl;
  135. std::string str;
  136. message->serialize(str);
  137. for (auto& logger : *outgoingLoggers) {
  138. if (logger->logQueries()) {
  139. logger->queueData(str);
  140. }
  141. }
  142. }
  143. static void logIncomingResponse(const std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& outgoingLoggers, boost::optional<RecProtoBufMessage>& message, boost::optional<const boost::uuids::uuid&> initialRequestId, const boost::uuids::uuid& uuid, const ComboAddress& ip, const DNSName& domain, int type, uint16_t qid, bool doTCP, boost::optional<Netmask>& srcmask, size_t bytes, int rcode, const std::vector<DNSRecord>& records, const struct timeval& queryTime, const std::set<uint16_t>& exportTypes)
  144. {
  145. if (!outgoingLoggers) {
  146. return;
  147. }
  148. bool log = false;
  149. for (auto& logger : *outgoingLoggers) {
  150. if (logger->logResponses()) {
  151. log = true;
  152. break;
  153. }
  154. }
  155. if (!log) {
  156. return;
  157. }
  158. if (!message) {
  159. message = RecProtoBufMessage(DNSProtoBufMessage::IncomingResponse, uuid, nullptr, &ip, domain, type, QClass::IN, qid, doTCP, bytes);
  160. message->setServerIdentity(SyncRes::s_serverID);
  161. if (initialRequestId) {
  162. message->setInitialRequestID(*initialRequestId);
  163. }
  164. if (srcmask) {
  165. message->setEDNSSubnet(*srcmask);
  166. }
  167. }
  168. else {
  169. message->updateTime();
  170. message->setType(DNSProtoBufMessage::IncomingResponse);
  171. message->setBytes(bytes);
  172. }
  173. message->setQueryTime(queryTime.tv_sec, queryTime.tv_usec);
  174. if (rcode == -1) {
  175. message->setNetworkErrorResponseCode();
  176. }
  177. else {
  178. message->setResponseCode(rcode);
  179. }
  180. message->addRRs(records, exportTypes);
  181. // cerr <<message.toDebugString()<<endl;
  182. std::string str;
  183. message->serialize(str);
  184. for (auto& logger : *outgoingLoggers) {
  185. if (logger->logResponses()) {
  186. logger->queueData(str);
  187. }
  188. }
  189. }
  190. #endif /* HAVE_PROTOBUF */
  191. //! returns -2 for OS limits error, -1 for permanent error that has to do with remote **transport**, 0 for timeout, 1 for success
  192. /** lwr is only filled out in case 1 was returned, and even when returning 1 for 'success', lwr might contain DNS errors
  193. Never throws!
  194. */
  195. int asyncresolve(const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, const std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& outgoingLoggers, const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstrmLoggers, const std::set<uint16_t>& exportTypes, LWResult *lwr, bool* chained)
  196. {
  197. size_t len;
  198. size_t bufsize=g_outgoingEDNSBufsize;
  199. std::string buf;
  200. buf.resize(bufsize);
  201. vector<uint8_t> vpacket;
  202. // string mapped0x20=dns0x20(domain);
  203. uint16_t qid = dns_random_uint16();
  204. DNSPacketWriter pw(vpacket, domain, type);
  205. pw.getHeader()->rd=sendRDQuery;
  206. pw.getHeader()->id=qid;
  207. /* RFC 6840 section 5.9:
  208. * This document further specifies that validating resolvers SHOULD set
  209. * the CD bit on every upstream query. This is regardless of whether
  210. * the CD bit was set on the incoming query [...]
  211. *
  212. * sendRDQuery is only true if the qname is part of a forward-zone-recurse (or
  213. * set in the forward-zone-file), so we use this as an indicator for it being
  214. * an "upstream query". To stay true to "dnssec=off means 3.X behaviour", we
  215. * only set +CD on forwarded query in any mode other than dnssec=off.
  216. */
  217. pw.getHeader()->cd=(sendRDQuery && g_dnssecmode != DNSSECMode::Off);
  218. string ping;
  219. bool weWantEDNSSubnet=false;
  220. uint8_t outgoingECSBits = 0;
  221. ComboAddress outgoingECSAddr;
  222. if(EDNS0Level > 0) {
  223. DNSPacketWriter::optvect_t opts;
  224. if(srcmask) {
  225. EDNSSubnetOpts eo;
  226. eo.source = *srcmask;
  227. outgoingECSBits = srcmask->getBits();
  228. outgoingECSAddr = srcmask->getNetwork();
  229. // cout<<"Adding request mask: "<<eo.source.toString()<<endl;
  230. opts.push_back(make_pair(EDNSOptionCode::ECS, makeEDNSSubnetOptsString(eo)));
  231. weWantEDNSSubnet=true;
  232. }
  233. pw.addOpt(g_outgoingEDNSBufsize, 0, g_dnssecmode == DNSSECMode::Off ? 0 : EDNSOpts::DNSSECOK, opts);
  234. pw.commit();
  235. }
  236. lwr->d_rcode = 0;
  237. lwr->d_haveEDNS = false;
  238. int ret;
  239. DTime dt;
  240. dt.set();
  241. *now=dt.getTimeval();
  242. #ifdef HAVE_PROTOBUF
  243. boost::uuids::uuid uuid;
  244. const struct timeval queryTime = *now;
  245. boost::optional<RecProtoBufMessage> pbMessage = boost::none;
  246. if (outgoingLoggers) {
  247. uuid = getUniqueID();
  248. logOutgoingQuery(outgoingLoggers, pbMessage, context ? context->d_initialRequestId : boost::none, uuid, ip, domain, type, qid, doTCP, vpacket.size(), srcmask);
  249. }
  250. #endif /* HAVE_PROTOBUF */
  251. #ifdef HAVE_FSTRM
  252. if (isEnabledForQueries(fstrmLoggers)) {
  253. logFstreamQuery(fstrmLoggers, queryTime, ip, doTCP, context ? context->d_auth : boost::none, vpacket);
  254. }
  255. #endif /* HAVE_FSTRM */
  256. srcmask = boost::none; // this is also our return value, even if EDNS0Level == 0
  257. if(!doTCP) {
  258. int queryfd;
  259. if(ip.sin4.sin_family==AF_INET6)
  260. g_stats.ipv6queries++;
  261. if((ret=asendto((const char*)&*vpacket.begin(), vpacket.size(), 0, ip, qid,
  262. domain, type, &queryfd)) < 0) {
  263. return ret; // passes back the -2 EMFILE
  264. }
  265. if (queryfd == -1) {
  266. *chained = true;
  267. }
  268. // sleep until we see an answer to this, interface to mtasker
  269. ret=arecvfrom(buf, 0, ip, &len, qid,
  270. domain, type, queryfd, now);
  271. }
  272. else {
  273. try {
  274. Socket s(ip.sin4.sin_family, SOCK_STREAM);
  275. s.setNonBlocking();
  276. ComboAddress local = pdns::getQueryLocalAddress(ip.sin4.sin_family, 0);
  277. s.bind(local);
  278. s.connect(ip);
  279. uint16_t tlen=htons(vpacket.size());
  280. char *lenP=(char*)&tlen;
  281. const char *msgP=(const char*)&*vpacket.begin();
  282. string packet=string(lenP, lenP+2)+string(msgP, msgP+vpacket.size());
  283. ret=asendtcp(packet, &s);
  284. if(!(ret>0))
  285. return ret;
  286. packet.clear();
  287. ret=arecvtcp(packet, 2, &s, false);
  288. if(!(ret > 0))
  289. return ret;
  290. memcpy(&tlen, packet.c_str(), sizeof(tlen));
  291. len=ntohs(tlen); // switch to the 'len' shared with the rest of the function
  292. ret=arecvtcp(packet, len, &s, false);
  293. if(!(ret > 0))
  294. return ret;
  295. buf.resize(len);
  296. memcpy(const_cast<char*>(buf.data()), packet.c_str(), len);
  297. ret=1;
  298. }
  299. catch(NetworkError& ne) {
  300. ret = -2; // OS limits error
  301. }
  302. }
  303. lwr->d_usec=dt.udiff();
  304. *now=dt.getTimeval();
  305. if(ret <= 0) { // includes 'timeout'
  306. #ifdef HAVE_PROTOBUF
  307. if (outgoingLoggers) {
  308. logIncomingResponse(outgoingLoggers, pbMessage, context ? context->d_initialRequestId : boost::none, uuid, ip, domain, type, qid, doTCP, srcmask, 0, -1, {}, queryTime, exportTypes);
  309. }
  310. #endif
  311. return ret;
  312. }
  313. buf.resize(len);
  314. #ifdef HAVE_FSTRM
  315. if (isEnabledForResponses(fstrmLoggers)) {
  316. logFstreamResponse(fstrmLoggers, ip, doTCP, context ? context->d_auth : boost::none, buf, queryTime, *now);
  317. }
  318. #endif /* HAVE_FSTRM */
  319. lwr->d_records.clear();
  320. try {
  321. lwr->d_tcbit=0;
  322. MOADNSParser mdp(false, buf);
  323. lwr->d_aabit=mdp.d_header.aa;
  324. lwr->d_tcbit=mdp.d_header.tc;
  325. lwr->d_rcode=mdp.d_header.rcode;
  326. if(mdp.d_header.rcode == RCode::FormErr && mdp.d_qname.empty() && mdp.d_qtype == 0 && mdp.d_qclass == 0) {
  327. #ifdef HAVE_PROTOBUF
  328. if(outgoingLoggers) {
  329. logIncomingResponse(outgoingLoggers, pbMessage, context ? context->d_initialRequestId : boost::none, uuid, ip, domain, type, qid, doTCP, srcmask, len, lwr->d_rcode, lwr->d_records, queryTime, exportTypes);
  330. }
  331. #endif
  332. lwr->d_validpacket=true;
  333. return 1; // this is "success", the error is set in lwr->d_rcode
  334. }
  335. if(domain != mdp.d_qname) {
  336. if(!mdp.d_qname.empty() && domain.toString().find((char)0) == string::npos /* ugly */) {// embedded nulls are too noisy, plus empty domains are too
  337. g_log<<Logger::Notice<<"Packet purporting to come from remote server "<<ip.toString()<<" contained wrong answer: '" << domain << "' != '" << mdp.d_qname << "'" << endl;
  338. }
  339. // unexpected count has already been done @ pdns_recursor.cc
  340. goto out;
  341. }
  342. lwr->d_records.reserve(mdp.d_answers.size());
  343. for(const auto& a : mdp.d_answers)
  344. lwr->d_records.push_back(a.first);
  345. EDNSOpts edo;
  346. if(EDNS0Level > 0 && getEDNSOpts(mdp, &edo)) {
  347. lwr->d_haveEDNS = true;
  348. if(weWantEDNSSubnet) {
  349. for(const auto& opt : edo.d_options) {
  350. if(opt.first==EDNSOptionCode::ECS) {
  351. EDNSSubnetOpts reso;
  352. if(getEDNSSubnetOptsFromString(opt.second, &reso)) {
  353. // cerr<<"EDNS Subnet response: "<<reso.source.toString()<<", scope: "<<reso.scope.toString()<<", family = "<<reso.scope.getNetwork().sin4.sin_family<<endl;
  354. /* rfc7871 states that 0 "indicate[s] that the answer is suitable for all addresses in FAMILY",
  355. so we might want to still pass the information along to be able to differentiate between
  356. IPv4 and IPv6. Still I'm pretty sure it doesn't matter in real life, so let's not duplicate
  357. entries in our cache. */
  358. if(reso.scope.getBits()) {
  359. uint8_t bits = std::min(reso.scope.getBits(), outgoingECSBits);
  360. outgoingECSAddr.truncate(bits);
  361. srcmask = Netmask(outgoingECSAddr, bits);
  362. }
  363. }
  364. }
  365. }
  366. }
  367. }
  368. #ifdef HAVE_PROTOBUF
  369. if(outgoingLoggers) {
  370. logIncomingResponse(outgoingLoggers, pbMessage, context ? context->d_initialRequestId : boost::none, uuid, ip, domain, type, qid, doTCP, srcmask, len, lwr->d_rcode, lwr->d_records, queryTime, exportTypes);
  371. }
  372. #endif
  373. lwr->d_validpacket=true;
  374. return 1;
  375. }
  376. catch(std::exception &mde) {
  377. if(::arg().mustDo("log-common-errors"))
  378. g_log<<Logger::Notice<<"Unable to parse packet from remote server "<<ip.toString()<<": "<<mde.what()<<endl;
  379. lwr->d_rcode = RCode::FormErr;
  380. g_stats.serverParseError++;
  381. #ifdef HAVE_PROTOBUF
  382. if(outgoingLoggers) {
  383. logIncomingResponse(outgoingLoggers, pbMessage, context ? context->d_initialRequestId : boost::none, uuid, ip, domain, type, qid, doTCP, srcmask, len, lwr->d_rcode, lwr->d_records, queryTime, exportTypes);
  384. }
  385. #endif
  386. lwr->d_validpacket=false;
  387. return 1; // success - oddly enough
  388. }
  389. catch(...) {
  390. g_log<<Logger::Notice<<"Unknown error parsing packet from remote server"<<endl;
  391. }
  392. g_stats.serverParseError++;
  393. out:
  394. if(!lwr->d_rcode)
  395. lwr->d_rcode=RCode::ServFail;
  396. return -1;
  397. }