You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1145 lines
37 KiB

  1. /*
  2. * This file is part of PowerDNS or dnsdist.
  3. * Copyright -- PowerDNS.COM B.V. and its contributors
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of version 2 of the GNU General Public License as
  7. * published by the Free Software Foundation.
  8. *
  9. * In addition, for the avoidance of any doubt, permission is granted to
  10. * link this program with OpenSSL and to (re)distribute the binaries
  11. * produced as the result of such linking.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License
  19. * along with this program; if not, write to the Free Software
  20. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. */
  22. #pragma once
  23. #include <string>
  24. #include <atomic>
  25. #include "utility.hh"
  26. #include "dns.hh"
  27. #include "qtype.hh"
  28. #include <vector>
  29. #include <set>
  30. #include <unordered_set>
  31. #include <map>
  32. #include <cmath>
  33. #include <iostream>
  34. #include <utility>
  35. #include "misc.hh"
  36. #include "lwres.hh"
  37. #include <boost/optional.hpp>
  38. #include <boost/utility.hpp>
  39. #include "circular_buffer.hh"
  40. #include "sstuff.hh"
  41. #include "recursor_cache.hh"
  42. #include "recpacketcache.hh"
  43. #include <boost/tuple/tuple.hpp>
  44. #include <boost/optional.hpp>
  45. #include <boost/tuple/tuple_comparison.hpp>
  46. #include "mtasker.hh"
  47. #include "iputils.hh"
  48. #include "validate.hh"
  49. #include "ednssubnet.hh"
  50. #include "filterpo.hh"
  51. #include "negcache.hh"
  52. #include "proxy-protocol.hh"
  53. #include "sholder.hh"
  54. #ifdef HAVE_CONFIG_H
  55. #include "config.h"
  56. #endif
  57. #ifdef HAVE_PROTOBUF
  58. #include <boost/uuid/uuid.hpp>
  59. #ifdef HAVE_FSTRM
  60. #include "fstrm_logger.hh"
  61. #endif /* HAVE_FSTRM */
  62. #endif
  63. extern GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
  64. extern GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
  65. class RecursorLua4;
  66. typedef std::unordered_map<
  67. DNSName,
  68. pair<
  69. vector<ComboAddress>,
  70. bool
  71. >
  72. > NsSet;
  73. template<class Thing> class Throttle : public boost::noncopyable
  74. {
  75. public:
  76. struct entry_t
  77. {
  78. Thing thing;
  79. time_t ttd;
  80. mutable unsigned int count;
  81. };
  82. typedef multi_index_container<entry_t,
  83. indexed_by<
  84. ordered_unique<tag<Thing>, member<entry_t, Thing, &entry_t::thing>>,
  85. ordered_non_unique<tag<time_t>, member<entry_t, time_t, &entry_t::ttd>>
  86. >> cont_t;
  87. bool shouldThrottle(time_t now, const Thing &t)
  88. {
  89. auto i = d_cont.find(t);
  90. if (i == d_cont.end()) {
  91. return false;
  92. }
  93. if (now > i->ttd || i->count == 0) {
  94. d_cont.erase(i);
  95. return false;
  96. }
  97. i->count--;
  98. return true; // still listed, still blocked
  99. }
  100. void throttle(time_t now, const Thing &t, time_t ttl, unsigned int count)
  101. {
  102. auto i = d_cont.find(t);
  103. time_t ttd = now + ttl;
  104. if (i == d_cont.end()) {
  105. entry_t e = { t, ttd, count };
  106. d_cont.insert(e);
  107. } else if (ttd > i->ttd || count > i->count) {
  108. ttd = std::max(i->ttd, ttd);
  109. count = std::max(i->count, count);
  110. auto &ind = d_cont.template get<Thing>();
  111. ind.modify(i, [ttd,count](entry_t &e) { e.ttd = ttd; e.count = count; });
  112. }
  113. }
  114. size_t size() const
  115. {
  116. return d_cont.size();
  117. }
  118. const cont_t &getThrottleMap() const
  119. {
  120. return d_cont;
  121. }
  122. void clear()
  123. {
  124. d_cont.clear();
  125. }
  126. void prune() {
  127. time_t now = time(nullptr);
  128. auto &ind = d_cont.template get<time_t>();
  129. ind.erase(ind.begin(), ind.upper_bound(now));
  130. }
  131. private:
  132. cont_t d_cont;
  133. };
  134. /** Class that implements a decaying EWMA.
  135. This class keeps an exponentially weighted moving average which, additionally, decays over time.
  136. The decaying is only done on get.
  137. */
  138. class DecayingEwma
  139. {
  140. public:
  141. DecayingEwma() {}
  142. DecayingEwma(const DecayingEwma& orig) = delete;
  143. DecayingEwma & operator=(const DecayingEwma& orig) = delete;
  144. void submit(int val, const struct timeval& now)
  145. {
  146. if (d_last.tv_sec == 0 && d_last.tv_usec == 0) {
  147. d_last = now;
  148. d_val = val;
  149. }
  150. else {
  151. float diff = makeFloat(d_last - now);
  152. d_last = now;
  153. float factor = expf(diff)/2.0f; // might be '0.5', or 0.0001
  154. d_val = (1-factor)*val + factor*d_val;
  155. }
  156. }
  157. float get(float factor)
  158. {
  159. return d_val *= factor;
  160. }
  161. float peek(void) const
  162. {
  163. return d_val;
  164. }
  165. private:
  166. struct timeval d_last{0, 0}; // stores time
  167. float d_val{0};
  168. };
  169. class fails_t : public boost::noncopyable
  170. {
  171. public:
  172. typedef unsigned long counter_t;
  173. struct value_t {
  174. value_t(const ComboAddress &a) : address(a) {}
  175. ComboAddress address;
  176. mutable counter_t value{0};
  177. time_t last{0};
  178. };
  179. typedef multi_index_container<value_t,
  180. indexed_by<
  181. ordered_unique<tag<ComboAddress>, member<value_t, ComboAddress, &value_t::address>>,
  182. ordered_non_unique<tag<time_t>, member<value_t, time_t, &value_t::last>>
  183. >> cont_t;
  184. cont_t getMap() const {
  185. return d_cont;
  186. }
  187. counter_t value(const ComboAddress& t) const
  188. {
  189. auto i = d_cont.find(t);
  190. if (i == d_cont.end()) {
  191. return 0;
  192. }
  193. return i->value;
  194. }
  195. counter_t incr(const ComboAddress& address, const struct timeval& now)
  196. {
  197. auto i = d_cont.insert(address).first;
  198. if (i->value < std::numeric_limits<counter_t>::max()) {
  199. i->value++;
  200. }
  201. auto &ind = d_cont.get<ComboAddress>();
  202. time_t tm = now.tv_sec;
  203. ind.modify(i, [tm](value_t &val) { val.last = tm; });
  204. return i->value;
  205. }
  206. void clear(const ComboAddress& a)
  207. {
  208. d_cont.erase(a);
  209. }
  210. void clear()
  211. {
  212. d_cont.clear();
  213. }
  214. size_t size() const
  215. {
  216. return d_cont.size();
  217. }
  218. void prune(time_t cutoff) {
  219. auto &ind = d_cont.get<time_t>();
  220. ind.erase(ind.begin(), ind.upper_bound(cutoff));
  221. }
  222. private:
  223. cont_t d_cont;
  224. };
  225. class SyncRes : public boost::noncopyable
  226. {
  227. public:
  228. enum LogMode { LogNone, Log, Store};
  229. typedef std::function<int(const ComboAddress& ip, const DNSName& qdomain, int qtype, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult *lwr, bool* chained)> asyncresolve_t;
  230. enum class HardenNXD { No, DNSSEC, Yes };
  231. //! This represents a number of decaying Ewmas, used to store performance per nameserver-name.
  232. /** Modelled to work mostly like the underlying DecayingEwma */
  233. struct DecayingEwmaCollection
  234. {
  235. void submit(const ComboAddress& remote, int usecs, const struct timeval& now)
  236. {
  237. d_collection[remote].submit(usecs, now);
  238. }
  239. float getFactor(const struct timeval &now) {
  240. float diff = makeFloat(d_lastget - now);
  241. return expf(diff / 60.0f); // is 1.0 or less
  242. }
  243. float get(const struct timeval& now)
  244. {
  245. if (d_collection.empty()) {
  246. return 0;
  247. }
  248. if (d_lastget.tv_sec == 0 && d_lastget.tv_usec == 0) {
  249. d_lastget = now;
  250. }
  251. float ret = std::numeric_limits<float>::max();
  252. float factor = getFactor(now);
  253. float tmp;
  254. for (auto& entry : d_collection) {
  255. if ((tmp = entry.second.get(factor)) < ret) {
  256. ret = tmp;
  257. }
  258. }
  259. d_lastget = now;
  260. return ret;
  261. }
  262. bool stale(time_t limit) const
  263. {
  264. return limit > d_lastget.tv_sec;
  265. }
  266. void purge(const std::map<ComboAddress, float>& keep)
  267. {
  268. for (auto iter = d_collection.begin(); iter != d_collection.end(); ) {
  269. if (keep.find(iter->first) != keep.end()) {
  270. ++iter;
  271. }
  272. else {
  273. iter = d_collection.erase(iter);
  274. }
  275. }
  276. }
  277. typedef std::map<ComboAddress, DecayingEwma> collection_t;
  278. collection_t d_collection;
  279. struct timeval d_lastget{0, 0}; // stores time
  280. };
  281. typedef std::unordered_map<DNSName, DecayingEwmaCollection> nsspeeds_t;
  282. vState getDSRecords(const DNSName& zone, dsmap_t& ds, bool onlyTA, unsigned int depth, bool bogusOnNXD=true, bool* foundCut=nullptr);
  283. class AuthDomain
  284. {
  285. public:
  286. typedef multi_index_container <
  287. DNSRecord,
  288. indexed_by <
  289. ordered_non_unique<
  290. composite_key< DNSRecord,
  291. member<DNSRecord, DNSName, &DNSRecord::d_name>,
  292. member<DNSRecord, uint16_t, &DNSRecord::d_type>
  293. >,
  294. composite_key_compare<std::less<DNSName>, std::less<uint16_t> >
  295. >
  296. >
  297. > records_t;
  298. records_t d_records;
  299. vector<ComboAddress> d_servers;
  300. DNSName d_name;
  301. bool d_rdForward{false};
  302. int getRecords(const DNSName& qname, uint16_t qtype, std::vector<DNSRecord>& records) const;
  303. bool isAuth() const
  304. {
  305. return d_servers.empty();
  306. }
  307. bool isForward() const
  308. {
  309. return !isAuth();
  310. }
  311. bool shouldRecurse() const
  312. {
  313. return d_rdForward;
  314. }
  315. const DNSName& getName() const
  316. {
  317. return d_name;
  318. }
  319. private:
  320. void addSOA(std::vector<DNSRecord>& records) const;
  321. };
  322. typedef std::unordered_map<DNSName, AuthDomain> domainmap_t;
  323. typedef Throttle<boost::tuple<ComboAddress,DNSName,uint16_t> > throttle_t;
  324. struct EDNSStatus {
  325. EDNSStatus(const ComboAddress &arg) : address(arg) {}
  326. ComboAddress address;
  327. time_t modeSetAt{0};
  328. mutable enum EDNSMode { UNKNOWN=0, EDNSOK=1, EDNSIGNORANT=2, NOEDNS=3 } mode{UNKNOWN};
  329. };
  330. struct ednsstatus_t : public multi_index_container<EDNSStatus,
  331. indexed_by<
  332. ordered_unique<tag<ComboAddress>, member<EDNSStatus, ComboAddress, &EDNSStatus::address>>,
  333. ordered_non_unique<tag<time_t>, member<EDNSStatus, time_t, &EDNSStatus::modeSetAt>>
  334. >> {
  335. void reset(index<ComboAddress>::type &ind, iterator it) {
  336. ind.modify(it, [](EDNSStatus &s) { s.mode = EDNSStatus::EDNSMode::UNKNOWN; s.modeSetAt = 0; });
  337. }
  338. void setMode(index<ComboAddress>::type &ind, iterator it, EDNSStatus::EDNSMode mode) {
  339. it->mode = mode;
  340. }
  341. void setTS(index<ComboAddress>::type &ind, iterator it, time_t ts) {
  342. ind.modify(it, [ts](EDNSStatus &s) { s.modeSetAt = ts; });
  343. }
  344. void prune(time_t cutoff) {
  345. auto &ind = get<time_t>();
  346. ind.erase(ind.begin(), ind.upper_bound(cutoff));
  347. }
  348. };
  349. struct ThreadLocalStorage {
  350. NegCache negcache;
  351. nsspeeds_t nsSpeeds;
  352. throttle_t throttle;
  353. ednsstatus_t ednsstatus;
  354. fails_t fails;
  355. std::shared_ptr<domainmap_t> domainmap;
  356. };
  357. static void setDefaultLogMode(LogMode lm)
  358. {
  359. s_lm = lm;
  360. }
  361. static uint64_t doEDNSDump(int fd);
  362. static uint64_t doDumpNSSpeeds(int fd);
  363. static uint64_t doDumpThrottleMap(int fd);
  364. static uint64_t doDumpFailedServers(int fd);
  365. static int getRootNS(struct timeval now, asyncresolve_t asyncCallback, unsigned int depth);
  366. static void clearDelegationOnly()
  367. {
  368. s_delegationOnly.clear();
  369. }
  370. static void addDelegationOnly(const DNSName& name)
  371. {
  372. s_delegationOnly.insert(name);
  373. }
  374. static void addDontQuery(const std::string& mask)
  375. {
  376. if (!s_dontQuery)
  377. s_dontQuery = std::unique_ptr<NetmaskGroup>(new NetmaskGroup());
  378. s_dontQuery->addMask(mask);
  379. }
  380. static void addDontQuery(const Netmask& mask)
  381. {
  382. if (!s_dontQuery)
  383. s_dontQuery = std::unique_ptr<NetmaskGroup>(new NetmaskGroup());
  384. s_dontQuery->addMask(mask);
  385. }
  386. static void clearDontQuery()
  387. {
  388. s_dontQuery = nullptr;
  389. }
  390. static void parseEDNSSubnetWhitelist(const std::string& wlist);
  391. static void parseEDNSSubnetAddFor(const std::string& subnetlist);
  392. static void addEDNSLocalSubnet(const std::string& subnet)
  393. {
  394. s_ednslocalsubnets.addMask(subnet);
  395. }
  396. static void addEDNSRemoteSubnet(const std::string& subnet)
  397. {
  398. s_ednsremotesubnets.addMask(subnet);
  399. }
  400. static void addEDNSDomain(const DNSName& domain)
  401. {
  402. s_ednsdomains.add(domain);
  403. }
  404. static void clearEDNSLocalSubnets()
  405. {
  406. s_ednslocalsubnets.clear();
  407. }
  408. static void clearEDNSRemoteSubnets()
  409. {
  410. s_ednsremotesubnets.clear();
  411. }
  412. static void clearEDNSDomains()
  413. {
  414. s_ednsdomains = SuffixMatchNode();
  415. }
  416. static void pruneNSSpeeds(time_t limit)
  417. {
  418. for(auto i = t_sstorage.nsSpeeds.begin(), end = t_sstorage.nsSpeeds.end(); i != end; ) {
  419. if(i->second.stale(limit)) {
  420. i = t_sstorage.nsSpeeds.erase(i);
  421. }
  422. else {
  423. ++i;
  424. }
  425. }
  426. }
  427. static uint64_t getNSSpeedsSize()
  428. {
  429. return t_sstorage.nsSpeeds.size();
  430. }
  431. static void submitNSSpeed(const DNSName& server, const ComboAddress& ca, uint32_t usec, const struct timeval& now)
  432. {
  433. t_sstorage.nsSpeeds[server].submit(ca, usec, now);
  434. }
  435. static void clearNSSpeeds()
  436. {
  437. t_sstorage.nsSpeeds.clear();
  438. }
  439. static EDNSStatus::EDNSMode getEDNSStatus(const ComboAddress& server)
  440. {
  441. const auto& it = t_sstorage.ednsstatus.find(server);
  442. if (it == t_sstorage.ednsstatus.end())
  443. return EDNSStatus::UNKNOWN;
  444. return it->mode;
  445. }
  446. static uint64_t getEDNSStatusesSize()
  447. {
  448. return t_sstorage.ednsstatus.size();
  449. }
  450. static void clearEDNSStatuses()
  451. {
  452. t_sstorage.ednsstatus.clear();
  453. }
  454. static void pruneEDNSStatuses(time_t cutoff)
  455. {
  456. t_sstorage.ednsstatus.prune(cutoff);
  457. }
  458. static uint64_t getThrottledServersSize()
  459. {
  460. return t_sstorage.throttle.size();
  461. }
  462. static void pruneThrottledServers()
  463. {
  464. t_sstorage.throttle.prune();
  465. }
  466. static void clearThrottle()
  467. {
  468. t_sstorage.throttle.clear();
  469. }
  470. static bool isThrottled(time_t now, const ComboAddress& server, const DNSName& target, uint16_t qtype)
  471. {
  472. return t_sstorage.throttle.shouldThrottle(now, boost::make_tuple(server, target, qtype));
  473. }
  474. static bool isThrottled(time_t now, const ComboAddress& server)
  475. {
  476. return t_sstorage.throttle.shouldThrottle(now, boost::make_tuple(server, "", 0));
  477. }
  478. static void doThrottle(time_t now, const ComboAddress& server, time_t duration, unsigned int tries)
  479. {
  480. t_sstorage.throttle.throttle(now, boost::make_tuple(server, "", 0), duration, tries);
  481. }
  482. static uint64_t getFailedServersSize()
  483. {
  484. return t_sstorage.fails.size();
  485. }
  486. static void clearFailedServers()
  487. {
  488. t_sstorage.fails.clear();
  489. }
  490. static void pruneFailedServers(time_t cutoff)
  491. {
  492. t_sstorage.fails.prune(cutoff);
  493. }
  494. static unsigned long getServerFailsCount(const ComboAddress& server)
  495. {
  496. return t_sstorage.fails.value(server);
  497. }
  498. static void clearNegCache()
  499. {
  500. t_sstorage.negcache.clear();
  501. }
  502. static uint64_t getNegCacheSize()
  503. {
  504. return t_sstorage.negcache.size();
  505. }
  506. static void pruneNegCache(unsigned int maxEntries)
  507. {
  508. t_sstorage.negcache.prune(maxEntries);
  509. }
  510. static uint64_t wipeNegCache(const DNSName& name, bool subtree = false)
  511. {
  512. return t_sstorage.negcache.wipe(name, subtree);
  513. }
  514. static void setDomainMap(std::shared_ptr<domainmap_t> newMap)
  515. {
  516. t_sstorage.domainmap = newMap;
  517. }
  518. static const std::shared_ptr<domainmap_t> getDomainMap()
  519. {
  520. return t_sstorage.domainmap;
  521. }
  522. static void setECSScopeZeroAddress(const Netmask& scopeZeroMask)
  523. {
  524. s_ecsScopeZero.source = scopeZeroMask;
  525. }
  526. static void clearECSStats()
  527. {
  528. s_ecsqueries.store(0);
  529. s_ecsresponses.store(0);
  530. for (size_t idx = 0; idx < 32; idx++) {
  531. SyncRes::s_ecsResponsesBySubnetSize4[idx].store(0);
  532. }
  533. for (size_t idx = 0; idx < 128; idx++) {
  534. SyncRes::s_ecsResponsesBySubnetSize6[idx].store(0);
  535. }
  536. }
  537. explicit SyncRes(const struct timeval& now);
  538. int beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret, unsigned int depth = 0);
  539. void setId(int id)
  540. {
  541. if(doLog())
  542. d_prefix="["+itoa(id)+"] ";
  543. }
  544. void setLogMode(LogMode lm)
  545. {
  546. d_lm = lm;
  547. }
  548. bool doLog() const
  549. {
  550. return d_lm != LogNone;
  551. }
  552. bool setCacheOnly(bool state = true)
  553. {
  554. bool old = d_cacheonly;
  555. d_cacheonly = state;
  556. return old;
  557. }
  558. void setQNameMinimization(bool state=true)
  559. {
  560. d_qNameMinimization=state;
  561. }
  562. void setDoEDNS0(bool state=true)
  563. {
  564. d_doEDNS0=state;
  565. }
  566. void setDoDNSSEC(bool state=true)
  567. {
  568. d_doDNSSEC=state;
  569. }
  570. void setDNSSECValidationRequested(bool requested=true)
  571. {
  572. d_DNSSECValidationRequested = requested;
  573. }
  574. bool isDNSSECValidationRequested() const
  575. {
  576. return d_DNSSECValidationRequested;
  577. }
  578. bool shouldValidate() const
  579. {
  580. return d_DNSSECValidationRequested && !d_wasOutOfBand;
  581. }
  582. void setWantsRPZ(bool state=true)
  583. {
  584. d_wantsRPZ=state;
  585. }
  586. bool getWantsRPZ() const
  587. {
  588. return d_wantsRPZ;
  589. }
  590. string getTrace() const
  591. {
  592. return d_trace.str();
  593. }
  594. bool getQNameMinimization() const
  595. {
  596. return d_qNameMinimization;
  597. }
  598. void setLuaEngine(shared_ptr<RecursorLua4> pdl)
  599. {
  600. d_pdl = pdl;
  601. }
  602. bool wasVariable() const
  603. {
  604. return d_wasVariable;
  605. }
  606. bool wasOutOfBand() const
  607. {
  608. return d_wasOutOfBand;
  609. }
  610. struct timeval getNow() const
  611. {
  612. return d_now;
  613. }
  614. void setQuerySource(const ComboAddress& requestor, boost::optional<const EDNSSubnetOpts&> incomingECS);
  615. #ifdef HAVE_PROTOBUF
  616. void setInitialRequestId(boost::optional<const boost::uuids::uuid&> initialRequestId)
  617. {
  618. d_initialRequestId = initialRequestId;
  619. }
  620. void setOutgoingProtobufServers(std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& servers)
  621. {
  622. d_outgoingProtobufServers = servers;
  623. }
  624. #endif
  625. #ifdef HAVE_FSTRM
  626. void setFrameStreamServers(std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& servers)
  627. {
  628. d_frameStreamServers = servers;
  629. }
  630. #endif /* HAVE_FSTRM */
  631. void setAsyncCallback(asyncresolve_t func)
  632. {
  633. d_asyncResolve = func;
  634. }
  635. vState getValidationState() const
  636. {
  637. return d_queryValidationState;
  638. }
  639. void setQueryReceivedOverTCP(bool tcp)
  640. {
  641. d_queryReceivedOverTCP = tcp;
  642. }
  643. static thread_local ThreadLocalStorage t_sstorage;
  644. static std::atomic<uint64_t> s_queries;
  645. static std::atomic<uint64_t> s_outgoingtimeouts;
  646. static std::atomic<uint64_t> s_outgoing4timeouts;
  647. static std::atomic<uint64_t> s_outgoing6timeouts;
  648. static std::atomic<uint64_t> s_throttledqueries;
  649. static std::atomic<uint64_t> s_dontqueries;
  650. static std::atomic<uint64_t> s_qnameminfallbacksuccess;
  651. static std::atomic<uint64_t> s_authzonequeries;
  652. static std::atomic<uint64_t> s_outqueries;
  653. static std::atomic<uint64_t> s_tcpoutqueries;
  654. static std::atomic<uint64_t> s_nodelegated;
  655. static std::atomic<uint64_t> s_unreachables;
  656. static std::atomic<uint64_t> s_ecsqueries;
  657. static std::atomic<uint64_t> s_ecsresponses;
  658. static std::map<uint8_t, std::atomic<uint64_t>> s_ecsResponsesBySubnetSize4;
  659. static std::map<uint8_t, std::atomic<uint64_t>> s_ecsResponsesBySubnetSize6;
  660. static string s_serverID;
  661. static unsigned int s_minimumTTL;
  662. static unsigned int s_minimumECSTTL;
  663. static unsigned int s_maxqperq;
  664. static unsigned int s_maxnsaddressqperq;
  665. static unsigned int s_maxtotusec;
  666. static unsigned int s_maxdepth;
  667. static unsigned int s_maxnegttl;
  668. static unsigned int s_maxbogusttl;
  669. static unsigned int s_maxcachettl;
  670. static unsigned int s_packetcachettl;
  671. static unsigned int s_packetcacheservfailttl;
  672. static unsigned int s_serverdownmaxfails;
  673. static unsigned int s_serverdownthrottletime;
  674. static unsigned int s_ecscachelimitttl;
  675. static uint8_t s_ecsipv4limit;
  676. static uint8_t s_ecsipv6limit;
  677. static uint8_t s_ecsipv4cachelimit;
  678. static uint8_t s_ecsipv6cachelimit;
  679. static bool s_doIPv4;
  680. static bool s_doIPv6;
  681. static bool s_noEDNSPing;
  682. static bool s_noEDNS;
  683. static bool s_rootNXTrust;
  684. static bool s_nopacketcache;
  685. static bool s_qnameminimization;
  686. static HardenNXD s_hardenNXD;
  687. std::unordered_map<std::string,bool> d_discardedPolicies;
  688. DNSFilterEngine::Policy d_appliedPolicy;
  689. std::unordered_set<std::string> d_policyTags;
  690. boost::optional<string> d_routingTag;
  691. unsigned int d_authzonequeries;
  692. unsigned int d_outqueries;
  693. unsigned int d_tcpoutqueries;
  694. unsigned int d_throttledqueries;
  695. unsigned int d_timeouts;
  696. unsigned int d_unreachables;
  697. unsigned int d_totUsec;
  698. private:
  699. ComboAddress d_requestor;
  700. ComboAddress d_cacheRemote;
  701. static std::unordered_set<DNSName> s_delegationOnly;
  702. static NetmaskGroup s_ednslocalsubnets;
  703. static NetmaskGroup s_ednsremotesubnets;
  704. static SuffixMatchNode s_ednsdomains;
  705. static EDNSSubnetOpts s_ecsScopeZero;
  706. static LogMode s_lm;
  707. static std::unique_ptr<NetmaskGroup> s_dontQuery;
  708. const static std::unordered_set<uint16_t> s_redirectionQTypes;
  709. struct GetBestNSAnswer
  710. {
  711. DNSName qname;
  712. set<pair<DNSName,DNSName> > bestns;
  713. uint8_t qtype;
  714. bool operator<(const GetBestNSAnswer &b) const
  715. {
  716. return boost::tie(qtype, qname, bestns) <
  717. boost::tie(b.qtype, b.qname, b.bestns);
  718. }
  719. };
  720. typedef std::map<DNSName,vState> zonesStates_t;
  721. enum StopAtDelegation { DontStop, Stop, Stopped };
  722. int doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret,
  723. unsigned int depth, set<GetBestNSAnswer>&beenthere, vState& state, StopAtDelegation* stopAtDelegation);
  724. bool doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType& qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNSName& auth, bool const sendRDQuery, const DNSName& nsName, const ComboAddress& remoteIP, bool doTCP, bool* truncated);
  725. bool processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, bool sendRDQuery, NsSet &nameservers, std::vector<DNSRecord>& ret, const DNSFilterEngine& dfe, bool* gotNewServers, int* rcode, vState& state);
  726. int doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state);
  727. int doResolveNoQNameMinimization(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state, bool* fromCache = NULL, StopAtDelegation* stopAtDelegation = NULL, bool considerforwards = true);
  728. bool doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res);
  729. bool doOOBResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res);
  730. bool isRecursiveForwardOrAuth(const DNSName &qname) const;
  731. domainmap_t::const_iterator getBestAuthZone(DNSName* qname) const;
  732. bool doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res, vState& state, bool wasAuthZone, bool wasForwardRecurse);
  733. bool doCacheCheck(const DNSName &qname, const DNSName& authname, bool wasForwardedOrAuthZone, bool wasAuthZone, bool wasForwardRecurse, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res, vState& state);
  734. void getBestNSFromCache(const DNSName &qname, const QType &qtype, vector<DNSRecord>&bestns, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>& beenthere, const boost::optional<DNSName>& cutOffDomain = boost::none);
  735. DNSName getBestNSNamesFromCache(const DNSName &qname, const QType &qtype, NsSet& nsset, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>&beenthere);
  736. inline vector<std::pair<DNSName, float>> shuffleInSpeedOrder(NsSet &nameservers, const string &prefix);
  737. inline vector<ComboAddress> shuffleForwardSpeed(const vector<ComboAddress> &rnameservers, const string &prefix, const bool wasRd);
  738. bool moreSpecificThan(const DNSName& a, const DNSName &b) const;
  739. vector<ComboAddress> getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly, unsigned int& addressQueriesForNS);
  740. bool nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers);
  741. bool nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress&);
  742. bool throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery);
  743. vector<ComboAddress> retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<std::pair<DNSName, float>>::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<std::pair<DNSName, float>>& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly, unsigned int& addressQueriesForNS);
  744. void sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, bool rdQuery);
  745. RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery);
  746. bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherwildcardProof, const unsigned int wildcardLabelsCount, int& rcode, unsigned int depth);
  747. bool doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret);
  748. int asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, const DNSName& auth, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res, bool* chained) const;
  749. boost::optional<Netmask> getEDNSSubnetMask(const DNSName&dn, const ComboAddress& rem);
  750. bool validationEnabled() const;
  751. uint32_t computeLowestTTD(const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, uint32_t signaturesTTL) const;
  752. void updateValidationState(vState& state, const vState stateUpdate);
  753. vState validateRecordsWithSigs(unsigned int depth, const DNSName& qname, const QType& qtype, const DNSName& name, const QType& type, const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures);
  754. vState validateDNSKeys(const DNSName& zone, const std::vector<DNSRecord>& dnskeys, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, unsigned int depth);
  755. vState getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth);
  756. dState getDenialValidationState(const NegCache::NegCacheEntry& ne, const vState state, const dState expectedState, bool referralToUnsigned);
  757. void updateDenialValidationState(vState& neValidationState, const DNSName& neName, vState& state, const dState denialState, const dState expectedState, bool allowOptOut);
  758. void computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth);
  759. vState getTA(const DNSName& zone, dsmap_t& ds);
  760. bool haveExactValidationStatus(const DNSName& domain);
  761. vState getValidationStatus(const DNSName& subdomain, bool allowIndeterminate=true);
  762. void updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const;
  763. bool lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState);
  764. void computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth);
  765. void handleNewTarget(const std::string& prefix, const DNSName& qname, const DNSName& newtarget, uint16_t qtype, std::vector<DNSRecord>& ret, int& rcode, int depth, const std::vector<DNSRecord>& recordsFromAnswer, vState& state);
  766. void handlePolicyHit(const std::string& prefix, const DNSName& qname, const QType& qtype, vector<DNSRecord>& ret, bool& done, int& rcode, unsigned int depth);
  767. void setUpdatingRootNS()
  768. {
  769. d_updatingRootNS = true;
  770. }
  771. zonesStates_t d_cutStates;
  772. ostringstream d_trace;
  773. shared_ptr<RecursorLua4> d_pdl;
  774. boost::optional<Netmask> d_outgoingECSNetwork;
  775. std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>> d_outgoingProtobufServers{nullptr};
  776. std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>> d_frameStreamServers{nullptr};
  777. #ifdef HAVE_PROTOBUF
  778. boost::optional<const boost::uuids::uuid&> d_initialRequestId;
  779. #endif
  780. asyncresolve_t d_asyncResolve{nullptr};
  781. struct timeval d_now;
  782. string d_prefix;
  783. vState d_queryValidationState{vState::Indeterminate};
  784. /* When d_cacheonly is set to true, we will only check the cache.
  785. * This is set when the RD bit is unset in the incoming query
  786. */
  787. bool d_cacheonly;
  788. bool d_doDNSSEC;
  789. bool d_DNSSECValidationRequested{false};
  790. bool d_doEDNS0{true};
  791. bool d_requireAuthData{true};
  792. bool d_updatingRootNS{false};
  793. bool d_wantsRPZ{true};
  794. bool d_wasOutOfBand{false};
  795. bool d_wasVariable{false};
  796. bool d_qNameMinimization{false};
  797. bool d_queryReceivedOverTCP{false};
  798. bool d_followCNAME{true};
  799. LogMode d_lm;
  800. };
  801. class Socket;
  802. /* external functions, opaque to us */
  803. int asendtcp(const string& data, Socket* sock);
  804. int arecvtcp(string& data, size_t len, Socket* sock, bool incompleteOkay);
  805. struct PacketID
  806. {
  807. PacketID() : id(0), type(0), sock(0), inNeeded(0), inIncompleteOkay(false), outPos(0), nearMisses(0), fd(-1), closed(false)
  808. {
  809. remote.reset();
  810. }
  811. uint16_t id; // wait for a specific id/remote pair
  812. uint16_t type; // and this is its type
  813. ComboAddress remote; // this is the remote
  814. DNSName domain; // this is the question
  815. Socket* sock; // or wait for an event on a TCP fd
  816. string inMSG; // they'll go here
  817. size_t inNeeded; // if this is set, we'll read until inNeeded bytes are read
  818. bool inIncompleteOkay;
  819. string outMSG; // the outgoing message that needs to be sent
  820. string::size_type outPos; // how far we are along in the outMSG
  821. typedef set<uint16_t > chain_t;
  822. mutable chain_t chain;
  823. mutable uint32_t nearMisses; // number of near misses - host correct, id wrong
  824. int fd;
  825. mutable bool closed; // Processing already started, don't accept new chained ids
  826. bool operator<(const PacketID& b) const
  827. {
  828. int ourSock= sock ? sock->getHandle() : 0;
  829. int bSock = b.sock ? b.sock->getHandle() : 0;
  830. if( tie(remote, ourSock, type) < tie(b.remote, bSock, b.type))
  831. return true;
  832. if( tie(remote, ourSock, type) > tie(b.remote, bSock, b.type))
  833. return false;
  834. return tie(fd, id, domain) < tie(b.fd, b.id, b.domain);
  835. }
  836. };
  837. struct PacketIDBirthdayCompare: public std::binary_function<PacketID, PacketID, bool>
  838. {
  839. bool operator()(const PacketID& a, const PacketID& b) const
  840. {
  841. int ourSock= a.sock ? a.sock->getHandle() : 0;
  842. int bSock = b.sock ? b.sock->getHandle() : 0;
  843. if( tie(a.remote, ourSock, a.type) < tie(b.remote, bSock, b.type))
  844. return true;
  845. if( tie(a.remote, ourSock, a.type) > tie(b.remote, bSock, b.type))
  846. return false;
  847. return a.domain < b.domain;
  848. }
  849. };
  850. extern std::unique_ptr<MemRecursorCache> s_RC;
  851. extern thread_local std::unique_ptr<RecursorPacketCache> t_packetCache;
  852. typedef MTasker<PacketID,string> MT_t;
  853. MT_t* getMT();
  854. struct RecursorStats
  855. {
  856. std::atomic<uint64_t> servFails;
  857. std::atomic<uint64_t> nxDomains;
  858. std::atomic<uint64_t> noErrors;
  859. std::atomic<uint64_t> answers0_1, answers1_10, answers10_100, answers100_1000, answersSlow;
  860. std::atomic<uint64_t> auth4Answers0_1, auth4Answers1_10, auth4Answers10_100, auth4Answers100_1000, auth4AnswersSlow;
  861. std::atomic<uint64_t> auth6Answers0_1, auth6Answers1_10, auth6Answers10_100, auth6Answers100_1000, auth6AnswersSlow;
  862. std::atomic<uint64_t> ourtime0_1, ourtime1_2, ourtime2_4, ourtime4_8, ourtime8_16, ourtime16_32, ourtimeSlow;
  863. double avgLatencyUsec{0};
  864. double avgLatencyOursUsec{0};
  865. std::atomic<uint64_t> qcounter; // not increased for unauth packets
  866. std::atomic<uint64_t> ipv6qcounter;
  867. std::atomic<uint64_t> tcpqcounter;
  868. std::atomic<uint64_t> unauthorizedUDP; // when this is increased, qcounter isn't
  869. std::atomic<uint64_t> unauthorizedTCP; // when this is increased, qcounter isn't
  870. std::atomic<uint64_t> policyDrops;
  871. std::atomic<uint64_t> tcpClientOverflow;
  872. std::atomic<uint64_t> clientParseError;
  873. std::atomic<uint64_t> serverParseError;
  874. std::atomic<uint64_t> tooOldDrops;
  875. std::atomic<uint64_t> truncatedDrops;
  876. std::atomic<uint64_t> queryPipeFullDrops;
  877. std::atomic<uint64_t> unexpectedCount;
  878. std::atomic<uint64_t> caseMismatchCount;
  879. std::atomic<uint64_t> spoofCount;
  880. std::atomic<uint64_t> resourceLimits;
  881. std::atomic<uint64_t> overCapacityDrops;
  882. std::atomic<uint64_t> ipv6queries;
  883. std::atomic<uint64_t> chainResends;
  884. std::atomic<uint64_t> nsSetInvalidations;
  885. std::atomic<uint64_t> ednsPingMatches;
  886. std::atomic<uint64_t> ednsPingMismatches;
  887. std::atomic<uint64_t> noPingOutQueries, noEdnsOutQueries;
  888. std::atomic<uint64_t> packetCacheHits;
  889. std::atomic<uint64_t> noPacketError;
  890. std::atomic<uint64_t> ignoredCount;
  891. std::atomic<uint64_t> emptyQueriesCount;
  892. time_t startupTime;
  893. std::atomic<uint64_t> dnssecQueries;
  894. std::atomic<uint64_t> dnssecAuthenticDataQueries;
  895. std::atomic<uint64_t> dnssecCheckDisabledQueries;
  896. std::atomic<uint64_t> variableResponses;
  897. unsigned int maxMThreadStackUsage;
  898. std::atomic<uint64_t> dnssecValidations; // should be the sum of all dnssecResult* stats
  899. std::map<vState, std::atomic<uint64_t> > dnssecResults;
  900. std::map<DNSFilterEngine::PolicyKind, std::atomic<uint64_t> > policyResults;
  901. std::atomic<uint64_t> rebalancedQueries{0};
  902. std::atomic<uint64_t> proxyProtocolInvalidCount{0};
  903. };
  904. //! represents a running TCP/IP client session
  905. class TCPConnection : public boost::noncopyable
  906. {
  907. public:
  908. TCPConnection(int fd, const ComboAddress& addr);
  909. ~TCPConnection();
  910. int getFD() const
  911. {
  912. return d_fd;
  913. }
  914. std::vector<ProxyProtocolValue> proxyProtocolValues;
  915. std::string data;
  916. const ComboAddress d_remote;
  917. ComboAddress d_source;
  918. ComboAddress d_destination;
  919. size_t queriesCount{0};
  920. size_t proxyProtocolGot{0};
  921. ssize_t proxyProtocolNeed{0};
  922. enum stateenum {PROXYPROTOCOLHEADER, BYTE0, BYTE1, GETQUESTION, DONE} state{BYTE0};
  923. uint16_t qlen{0};
  924. uint16_t bytesread{0};
  925. uint16_t d_requestsInFlight{0}; // number of mthreads spawned for this connection
  926. // The max number of concurrent TCP requests we're willing to process
  927. static uint16_t s_maxInFlight;
  928. static unsigned int getCurrentConnections() { return s_currentConnections; }
  929. private:
  930. const int d_fd;
  931. static AtomicCounter s_currentConnections; //!< total number of current TCP connections
  932. };
  933. class ImmediateServFailException
  934. {
  935. public:
  936. ImmediateServFailException(string r) : reason(r) {};
  937. string reason; //! Print this to tell the user what went wrong
  938. };
  939. class PolicyHitException
  940. {
  941. };
  942. class ImmediateQueryDropException
  943. {
  944. };
  945. class SendTruncatedAnswerException
  946. {
  947. };
  948. typedef boost::circular_buffer<ComboAddress> addrringbuf_t;
  949. extern thread_local std::unique_ptr<addrringbuf_t> t_servfailremotes, t_largeanswerremotes, t_remotes, t_bogusremotes, t_timeouts;
  950. extern thread_local std::unique_ptr<boost::circular_buffer<pair<DNSName,uint16_t> > > t_queryring, t_servfailqueryring, t_bogusqueryring;
  951. extern thread_local std::shared_ptr<NetmaskGroup> t_allowFrom;
  952. string doQueueReloadLuaScript(vector<string>::const_iterator begin, vector<string>::const_iterator end);
  953. string doTraceRegex(vector<string>::const_iterator begin, vector<string>::const_iterator end);
  954. void parseACLs();
  955. extern RecursorStats g_stats;
  956. extern unsigned int g_networkTimeoutMsec;
  957. extern unsigned int g_numThreads;
  958. extern uint16_t g_outgoingEDNSBufsize;
  959. extern std::atomic<uint32_t> g_maxCacheEntries, g_maxPacketCacheEntries;
  960. extern bool g_lowercaseOutgoing;
  961. std::string reloadAuthAndForwards();
  962. ComboAddress parseIPAndPort(const std::string& input, uint16_t port);
  963. typedef boost::function<void*(void)> pipefunc_t;
  964. void broadcastFunction(const pipefunc_t& func);
  965. void distributeAsyncFunction(const std::string& question, const pipefunc_t& func);
  966. int directResolve(const DNSName& qname, const QType& qtype, int qclass, vector<DNSRecord>& ret);
  967. int followCNAMERecords(std::vector<DNSRecord>& ret, const QType& qtype);
  968. int getFakeAAAARecords(const DNSName& qname, ComboAddress prefix, vector<DNSRecord>& ret);
  969. int getFakePTRRecords(const DNSName& qname, vector<DNSRecord>& ret);
  970. template<class T> T broadcastAccFunction(const boost::function<T*()>& func);
  971. std::shared_ptr<SyncRes::domainmap_t> parseAuthAndForwards();
  972. uint64_t* pleaseGetNsSpeedsSize();
  973. uint64_t* pleaseGetFailedServersSize();
  974. uint64_t* pleaseGetEDNSStatusesSize();
  975. uint64_t* pleaseGetNegCacheSize();
  976. uint64_t* pleaseGetConcurrentQueries();
  977. uint64_t* pleaseGetThrottleSize();
  978. uint64_t* pleaseGetPacketCacheHits();
  979. uint64_t* pleaseGetPacketCacheSize();
  980. uint64_t* pleaseWipePacketCache(const DNSName& canon, bool subtree, uint16_t qtype=0xffff);
  981. uint64_t* pleaseWipeAndCountNegCache(const DNSName& canon, bool subtree=false);
  982. void doCarbonDump(void*);
  983. bool primeHints(void);
  984. void primeRootNSZones(bool, unsigned int depth);
  985. extern __thread struct timeval g_now;
  986. struct ThreadTimes
  987. {
  988. uint64_t msec;
  989. vector<uint64_t> times;
  990. ThreadTimes& operator+=(const ThreadTimes& rhs)
  991. {
  992. times.push_back(rhs.msec);
  993. return *this;
  994. }
  995. };