blob: 0a1c5208bd325e5f0416403077676ab338329897 [file] [log] [blame]
/*
* Name server resolution
*
* Copyright 2014 Baptiste Assmann <bedis9@gmail.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <common/time.h>
#include <common/ticks.h>
#include <types/applet.h>
#include <types/cli.h>
#include <types/global.h>
#include <types/dns.h>
#include <types/proto_udp.h>
#include <types/stats.h>
#include <proto/channel.h>
#include <proto/cli.h>
#include <proto/checks.h>
#include <proto/dns.h>
#include <proto/fd.h>
#include <proto/log.h>
#include <proto/server.h>
#include <proto/task.h>
#include <proto/proto_udp.h>
#include <proto/stream_interface.h>
struct list dns_resolvers = LIST_HEAD_INIT(dns_resolvers);
struct dns_resolution *resolution = NULL;
/*
* pre-allocated memory for maximum record names in a DNS response
* Each name is DNS_MAX_NAME_SIZE, we add 1 for the NULL character
*
* WARNING: this is not thread safe...
*/
struct dns_response_packet dns_response;
struct chunk dns_trash = { };
struct dns_query_item dns_query_records[DNS_MAX_QUERY_RECORDS];
struct dns_answer_item dns_answer_records[DNS_MAX_ANSWER_RECORDS];
static int64_t dns_query_id_seed; /* random seed */
/* proto_udp callback functions for a DNS resolution */
struct dgram_data_cb resolve_dgram_cb = {
.recv = dns_resolve_recv,
.send = dns_resolve_send,
};
#if DEBUG
/*
* go through the resolutions associated to a resolvers section and print the ID and hostname in
* domain name format
* should be used for debug purpose only
*/
void dns_print_current_resolutions(struct dns_resolvers *resolvers)
{
list_for_each_entry(resolution, &resolvers->curr_resolution, list) {
printf(" resolution %d for %s\n", resolution->query_id, resolution->hostname_dn);
}
}
#endif
/*
* check if there is more than 1 resolution in the resolver's resolution list
* return value:
* 0: empty list
* 1: exactly one entry in the list
* 2: more than one entry in the list
*/
int dns_check_resolution_queue(struct dns_resolvers *resolvers)
{
if (LIST_ISEMPTY(&resolvers->curr_resolution))
return 0;
if ((resolvers->curr_resolution.n) && (resolvers->curr_resolution.n == resolvers->curr_resolution.p))
return 1;
if (! ((resolvers->curr_resolution.n == resolvers->curr_resolution.p)
&& (&resolvers->curr_resolution != resolvers->curr_resolution.n)))
return 2;
return 0;
}
/*
* reset all parameters of a DNS resolution to 0 (or equivalent)
* and clean it up from all associated lists (resolution->qid and resolution->list)
*/
void dns_reset_resolution(struct dns_resolution *resolution)
{
/* update resolution status */
resolution->step = RSLV_STEP_NONE;
resolution->try = 0;
resolution->try_cname = 0;
resolution->last_resolution = now_ms;
resolution->nb_responses = 0;
/* clean up query id */
eb32_delete(&resolution->qid);
resolution->query_id = 0;
resolution->qid.key = 0;
/* the second resolution in the queue becomes the first one */
LIST_DEL(&resolution->list);
}
/*
* function called when a network IO is generated on a name server socket for an incoming packet
* It performs the following actions:
* - check if the packet requires processing (not outdated resolution)
* - ensure the DNS packet received is valid and call requester's callback
* - call requester's error callback if invalid response
* - check the dn_name in the packet against the one sent
*/
void dns_resolve_recv(struct dgram_conn *dgram)
{
struct dns_nameserver *nameserver;
struct dns_resolvers *resolvers;
struct dns_resolution *resolution;
struct dns_query_item *query;
unsigned char buf[DNS_MAX_UDP_MESSAGE + 1];
unsigned char *bufend;
int fd, buflen, ret;
unsigned short query_id;
struct eb32_node *eb;
struct dns_response_packet *dns_p = &dns_response;
fd = dgram->t.sock.fd;
/* check if ready for reading */
if (!fd_recv_ready(fd))
return;
/* no need to go further if we can't retrieve the nameserver */
if ((nameserver = dgram->owner) == NULL)
return;
resolvers = nameserver->resolvers;
/* process all pending input messages */
while (1) {
/* read message received */
memset(buf, '\0', DNS_MAX_UDP_MESSAGE + 1);
if ((buflen = recv(fd, (char*)buf , DNS_MAX_UDP_MESSAGE, 0)) < 0) {
/* FIXME : for now we consider EAGAIN only */
fd_cant_recv(fd);
break;
}
/* message too big */
if (buflen > DNS_MAX_UDP_MESSAGE) {
nameserver->counters.too_big += 1;
continue;
}
/* initializing variables */
bufend = buf + buflen; /* pointer to mark the end of the buffer */
/* read the query id from the packet (16 bits) */
if (buf + 2 > bufend) {
nameserver->counters.invalid += 1;
continue;
}
query_id = dns_response_get_query_id(buf);
/* search the query_id in the pending resolution tree */
eb = eb32_lookup(&resolvers->query_ids, query_id);
if (eb == NULL) {
/* unknown query id means an outdated response and can be safely ignored */
nameserver->counters.outdated += 1;
continue;
}
/* known query id means a resolution in prgress */
resolution = eb32_entry(eb, struct dns_resolution, qid);
if (!resolution) {
nameserver->counters.outdated += 1;
continue;
}
/* number of responses received */
resolution->nb_responses += 1;
ret = dns_validate_dns_response(buf, bufend, dns_p);
/* treat only errors */
switch (ret) {
case DNS_RESP_QUERY_COUNT_ERROR:
case DNS_RESP_INVALID:
nameserver->counters.invalid += 1;
resolution->requester_error_cb(resolution, DNS_RESP_INVALID);
continue;
case DNS_RESP_INTERNAL:
case DNS_RESP_ERROR:
nameserver->counters.other += 1;
resolution->requester_error_cb(resolution, DNS_RESP_ERROR);
continue;
case DNS_RESP_ANCOUNT_ZERO:
nameserver->counters.any_err += 1;
resolution->requester_error_cb(resolution, DNS_RESP_ANCOUNT_ZERO);
continue;
case DNS_RESP_NX_DOMAIN:
nameserver->counters.nx += 1;
resolution->requester_error_cb(resolution, DNS_RESP_NX_DOMAIN);
continue;
case DNS_RESP_REFUSED:
nameserver->counters.refused += 1;
resolution->requester_error_cb(resolution, DNS_RESP_REFUSED);
continue;
case DNS_RESP_CNAME_ERROR:
nameserver->counters.cname_error += 1;
resolution->requester_error_cb(resolution, DNS_RESP_CNAME_ERROR);
continue;
case DNS_RESP_TRUNCATED:
nameserver->counters.truncated += 1;
resolution->requester_error_cb(resolution, DNS_RESP_TRUNCATED);
continue;
case DNS_RESP_NO_EXPECTED_RECORD:
nameserver->counters.other += 1;
resolution->requester_error_cb(resolution, DNS_RESP_NO_EXPECTED_RECORD);
continue;
}
/* Now let's check the query's dname corresponds to the one we sent.
* We can check only the first query of the list. We send one query at a time
* so we get one query in the response */
query = LIST_NEXT(&dns_p->query_list, struct dns_query_item *, list);
if (query && memcmp(query->name, resolution->hostname_dn, resolution->hostname_dn_len) != 0) {
nameserver->counters.other += 1;
resolution->requester_error_cb(resolution, DNS_RESP_WRONG_NAME);
continue;
}
nameserver->counters.valid += 1;
resolution->requester_cb(resolution, nameserver, dns_p);
}
}
/*
* function called when a resolvers network socket is ready to send data
* It performs the following actions:
*/
void dns_resolve_send(struct dgram_conn *dgram)
{
int fd;
struct dns_nameserver *nameserver;
struct dns_resolvers *resolvers;
struct dns_resolution *resolution;
fd = dgram->t.sock.fd;
/* check if ready for sending */
if (!fd_send_ready(fd))
return;
/* we don't want/need to be waked up any more for sending */
fd_stop_send(fd);
/* no need to go further if we can't retrieve the nameserver */
if ((nameserver = dgram->owner) == NULL)
return;
resolvers = nameserver->resolvers;
resolution = LIST_NEXT(&resolvers->curr_resolution, struct dns_resolution *, list);
dns_send_query(resolution);
dns_update_resolvers_timeout(resolvers);
}
/*
* forge and send a DNS query to resolvers associated to a resolution
* It performs the following actions:
* returns:
* 0 in case of error or safe ignorance
* 1 if no error
*/
int dns_send_query(struct dns_resolution *resolution)
{
struct dns_resolvers *resolvers = NULL;
struct dns_nameserver *nameserver;
int ret, bufsize, fd;
resolvers = ((struct server *)resolution->requester)->resolvers;
if (!resolvers)
return 0;
bufsize = dns_build_query(resolution->query_id, resolution->query_type, resolution->hostname_dn,
resolution->hostname_dn_len, trash.str, trash.size);
if (bufsize == -1)
return 0;
list_for_each_entry(nameserver, &resolvers->nameserver_list, list) {
fd = nameserver->dgram->t.sock.fd;
errno = 0;
ret = send(fd, trash.str, bufsize, 0);
if (ret > 0)
nameserver->counters.sent += 1;
if (ret == 0 || errno == EAGAIN) {
/* nothing written, let's update the poller that we wanted to send
* but we were not able to */
fd_want_send(fd);
fd_cant_send(fd);
}
}
/* update resolution */
resolution->nb_responses = 0;
resolution->last_sent_packet = now_ms;
return 1;
}
/*
* update a resolvers' task timeout for next wake up
*/
void dns_update_resolvers_timeout(struct dns_resolvers *resolvers)
{
struct dns_resolution *resolution;
if (LIST_ISEMPTY(&resolvers->curr_resolution)) {
/* no more resolution pending, so no wakeup anymore */
resolvers->t->expire = TICK_ETERNITY;
}
else {
resolution = LIST_NEXT(&resolvers->curr_resolution, struct dns_resolution *, list);
resolvers->t->expire = tick_add(resolution->last_sent_packet, resolvers->timeout.retry);
}
}
/*
* Analyse, re-build and copy the name <name> from the DNS response packet <buffer>.
* <name> must point to the 'data_len' information or pointer 'c0' for compressed data.
* The result is copied into <dest>, ensuring we don't overflow using <dest_len>
* Returns the number of bytes the caller can move forward. If 0 it means an error occured
* while parsing the name.
* <offset> is the number of bytes the caller could move forward.
*/
int dns_read_name(unsigned char *buffer, unsigned char *bufend, unsigned char *name, char *destination, int dest_len, int *offset)
{
int nb_bytes = 0, n = 0;
int label_len;
unsigned char *reader = name;
char *dest = destination;
while (1) {
/* name compression is in use */
if ((*reader & 0xc0) == 0xc0) {
/* a pointer must point BEFORE current position */
if ((buffer + reader[1]) > reader) {
goto out_error;
}
n = dns_read_name(buffer, bufend, buffer + reader[1], dest, dest_len - nb_bytes, offset);
if (n == 0)
goto out_error;
dest += n;
nb_bytes += n;
goto out;
}
label_len = *reader;
if (label_len == 0)
goto out;
/* Check if:
* - we won't read outside the buffer
* - there is enough place in the destination
*/
if ((reader + label_len >= bufend) || (nb_bytes + label_len >= dest_len))
goto out_error;
/* +1 to take label len + label string */
label_len += 1;
memcpy(dest, reader, label_len);
dest += label_len;
nb_bytes += label_len;
reader += label_len;
}
out:
/* offset computation:
* parse from <name> until finding either NULL or a pointer "c0xx"
*/
reader = name;
*offset = 0;
while (reader < bufend) {
if ((reader[0] & 0xc0) == 0xc0) {
*offset += 2;
break;
}
else if (*reader == 0) {
*offset += 1;
break;
}
*offset += 1;
++reader;
}
return nb_bytes;
out_error:
return 0;
}
/*
* Function to validate that the buffer DNS response provided in <resp> and
* finishing before <bufend> is valid from a DNS protocol point of view.
*
* The result is stored in the structured pointed by <dns_p>.
* It's up to the caller to allocate memory for <dns_p>.
*
* This function returns one of the DNS_RESP_* code to indicate the type of
* error found.
*/
int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, struct dns_response_packet *dns_p)
{
unsigned char *reader;
char *previous_dname, tmpname[DNS_MAX_NAME_SIZE];
int len, flags, offset, ret;
int dns_query_record_id, dns_answer_record_id;
struct dns_query_item *dns_query;
struct dns_answer_item *dns_answer_record;
reader = resp;
len = 0;
previous_dname = NULL;
/* initialization of local buffer */
memset(dns_p, '\0', sizeof(struct dns_response_packet));
chunk_reset(&dns_trash);
/* query id */
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
dns_p->header.id = reader[0] * 256 + reader[1];
reader += 2;
/*
* flags and rcode are stored over 2 bytes
* First byte contains:
* - response flag (1 bit)
* - opcode (4 bits)
* - authoritative (1 bit)
* - truncated (1 bit)
* - recursion desired (1 bit)
*/
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
flags = reader[0] * 256 + reader[1];
if (flags & DNS_FLAG_TRUNCATED)
return DNS_RESP_TRUNCATED;
if ((flags & DNS_FLAG_REPLYCODE) != DNS_RCODE_NO_ERROR) {
if ((flags & DNS_FLAG_REPLYCODE) == DNS_RCODE_NX_DOMAIN)
return DNS_RESP_NX_DOMAIN;
else if ((flags & DNS_FLAG_REPLYCODE) == DNS_RCODE_REFUSED)
return DNS_RESP_REFUSED;
return DNS_RESP_ERROR;
}
/* move forward 2 bytes for flags */
reader += 2;
/* 2 bytes for question count */
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
dns_p->header.qdcount = reader[0] * 256 + reader[1];
/* (for now) we send one query only, so we expect only one in the response too */
if (dns_p->header.qdcount != 1)
return DNS_RESP_QUERY_COUNT_ERROR;
if (dns_p->header.qdcount > DNS_MAX_QUERY_RECORDS)
return DNS_RESP_INVALID;
reader += 2;
/* 2 bytes for answer count */
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
dns_p->header.ancount = reader[0] * 256 + reader[1];
if (dns_p->header.ancount == 0)
return DNS_RESP_ANCOUNT_ZERO;
/* check if too many records are announced */
if (dns_p->header.ancount > DNS_MAX_ANSWER_RECORDS)
return DNS_RESP_INVALID;
reader += 2;
/* 2 bytes authority count */
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
dns_p->header.nscount = reader[0] * 256 + reader[1];
reader += 2;
/* 2 bytes additional count */
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
dns_p->header.arcount = reader[0] * 256 + reader[1];
reader += 2;
/* parsing dns queries */
LIST_INIT(&dns_p->query_list);
for (dns_query_record_id = 0; dns_query_record_id < dns_p->header.qdcount; dns_query_record_id++) {
/* use next pre-allocated dns_query_item after ensuring there is
* still one available.
* It's then added to our packet query list.
*/
if (dns_query_record_id > DNS_MAX_QUERY_RECORDS)
return DNS_RESP_INVALID;
dns_query = &dns_query_records[dns_query_record_id];
LIST_ADDQ(&dns_p->query_list, &dns_query->list);
/* name is a NULL terminated string in our case, since we have
* one query per response and the first one can't be compressed
* (using the 0x0c format)
*/
offset = 0;
len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset);
if (len == 0)
return DNS_RESP_INVALID;
reader += offset;
previous_dname = dns_query->name;
/* move forward 2 bytes for question type */
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
dns_query->type = reader[0] * 256 + reader[1];
reader += 2;
/* move forward 2 bytes for question class */
if (reader + 2 >= bufend)
return DNS_RESP_INVALID;
dns_query->class = reader[0] * 256 + reader[1];
reader += 2;
}
/* now parsing response records */
LIST_INIT(&dns_p->answer_list);
for (dns_answer_record_id = 0; dns_answer_record_id < dns_p->header.ancount; dns_answer_record_id++) {
if (reader >= bufend)
return DNS_RESP_INVALID;
/* pull next response record from the list, if still one available, then add it
* to the record list */
if (dns_answer_record_id > DNS_MAX_ANSWER_RECORDS)
return DNS_RESP_INVALID;
dns_answer_record = &dns_answer_records[dns_answer_record_id];
LIST_ADDQ(&dns_p->answer_list, &dns_answer_record->list);
offset = 0;
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
if (len == 0)
return DNS_RESP_INVALID;
/* check if the current record dname is valid.
* previous_dname points either to queried dname or last CNAME target
*/
if (memcmp(previous_dname, tmpname, len) != 0) {
if (dns_answer_record_id == 0) {
/* first record, means a mismatch issue between queried dname
* and dname found in the first record */
return DNS_RESP_INVALID;
} else {
/* if not the first record, this means we have a CNAME resolution
* error */
return DNS_RESP_CNAME_ERROR;
}
}
dns_answer_record->name = chunk_newstr(&dns_trash);
if (dns_answer_record->name == NULL)
return DNS_RESP_INVALID;
ret = chunk_strncat(&dns_trash, tmpname, len);
if (ret == 0)
return DNS_RESP_INVALID;
reader += offset;
if (reader >= bufend)
return DNS_RESP_INVALID;
if (reader >= bufend)
return DNS_RESP_INVALID;
/* 2 bytes for record type (A, AAAA, CNAME, etc...) */
if (reader + 2 > bufend)
return DNS_RESP_INVALID;
dns_answer_record->type = reader[0] * 256 + reader[1];
reader += 2;
/* 2 bytes for class (2) */
if (reader + 2 > bufend)
return DNS_RESP_INVALID;
dns_answer_record->class = reader[0] * 256 + reader[1];
reader += 2;
/* 4 bytes for ttl (4) */
if (reader + 4 > bufend)
return DNS_RESP_INVALID;
dns_answer_record->ttl = reader[0] * 16777216 + reader[1] * 65536
+ reader[2] * 256 + reader[3];
reader += 4;
/* now reading data len */
if (reader + 2 > bufend)
return DNS_RESP_INVALID;
dns_answer_record->data_len = reader[0] * 256 + reader[1];
/* move forward 2 bytes for data len */
reader += 2;
/* analyzing record content */
switch (dns_answer_record->type) {
case DNS_RTYPE_A:
/* ipv4 is stored on 4 bytes */
if (dns_answer_record->data_len != 4)
return DNS_RESP_INVALID;
dns_answer_record->address.sa_family = AF_INET;
memcpy(&(((struct sockaddr_in *)&dns_answer_record->address)->sin_addr),
reader, dns_answer_record->data_len);
break;
case DNS_RTYPE_CNAME:
/* check if this is the last record and update the caller about the status:
* no IP could be found and last record was a CNAME. Could be triggered
* by a wrong query type
*
* + 1 because dns_answer_record_id starts at 0 while number of answers
* is an integer and starts at 1.
*/
if (dns_answer_record_id + 1 == dns_p->header.ancount)
return DNS_RESP_CNAME_ERROR;
offset = 0;
len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
if (len == 0)
return DNS_RESP_INVALID;
dns_answer_record->target = chunk_newstr(&dns_trash);
if (dns_answer_record->target == NULL)
return DNS_RESP_INVALID;
ret = chunk_strncat(&dns_trash, tmpname, len);
if (ret == 0)
return DNS_RESP_INVALID;
previous_dname = dns_answer_record->target;
break;
case DNS_RTYPE_AAAA:
/* ipv6 is stored on 16 bytes */
if (dns_answer_record->data_len != 16)
return DNS_RESP_INVALID;
dns_answer_record->address.sa_family = AF_INET6;
memcpy(&(((struct sockaddr_in6 *)&dns_answer_record->address)->sin6_addr),
reader, dns_answer_record->data_len);
break;
} /* switch (record type) */
/* move forward dns_answer_record->data_len for analyzing next record in the response */
reader += dns_answer_record->data_len;
} /* for i 0 to ancount */
/* let's add a last \0 to close our last string */
ret = chunk_strncat(&dns_trash, "\0", 1);
if (ret == 0)
return DNS_RESP_INVALID;
return DNS_RESP_VALID;
}
/*
* search dn_name resolution in resp.
* If existing IP not found, return the first IP matching family_priority,
* otherwise, first ip found
* The following tasks are the responsibility of the caller:
* - <dns_p> contains an error free DNS response
* For both cases above, dns_validate_dns_response is required
* returns one of the DNS_UPD_* code
*/
#define DNS_MAX_IP_REC 20
int dns_get_ip_from_response(struct dns_response_packet *dns_p,
struct dns_options *dns_opts, void *currentip,
short currentip_sin_family,
void **newip, short *newip_sin_family,
void *owner)
{
struct dns_answer_item *record;
int family_priority;
int i, currentip_found;
unsigned char *newip4, *newip6;
struct {
void *ip;
unsigned char type;
} rec[DNS_MAX_IP_REC];
int currentip_sel;
int j;
int rec_nb = 0;
int score, max_score;
struct dns_response_packet *dns_response = dns_p;
family_priority = dns_opts->family_prio;
*newip = newip4 = newip6 = NULL;
currentip_found = 0;
*newip_sin_family = AF_UNSPEC;
/* now parsing response records */
list_for_each_entry(record, &dns_response->answer_list, list) {
/* analyzing record content */
switch (record->type) {
case DNS_RTYPE_A:
/* Store IPv4, only if some room is avalaible. */
if (rec_nb < DNS_MAX_IP_REC) {
rec[rec_nb].ip = &(((struct sockaddr_in *)&record->address)->sin_addr);
rec[rec_nb].type = AF_INET;
rec_nb++;
}
break;
/* we're looking for IPs only. CNAME validation is done when
* parsing the response buffer for the first time */
case DNS_RTYPE_CNAME:
break;
case DNS_RTYPE_AAAA:
/* Store IPv6, only if some room is avalaible. */
if (rec_nb < DNS_MAX_IP_REC) {
rec[rec_nb].ip = &(((struct sockaddr_in6 *)&record->address)->sin6_addr);
rec[rec_nb].type = AF_INET6;
rec_nb++;
}
break;
} /* switch (record type) */
} /* list for each record entries */
/* Select an IP regarding configuration preference.
* Top priority is the prefered network ip version,
* second priority is the prefered network.
* the last priority is the currently used IP,
*
* For these three priorities, a score is calculated. The
* weight are:
* 8 - prefered netwok ip version.
* 4 - prefered network.
* 2 - if the ip in the record is not affected to any other server in the same backend (duplication)
* 1 - current ip.
* The result with the biggest score is returned.
*/
max_score = -1;
for (i = 0; i < rec_nb; i++) {
int record_ip_already_affected = 0;
score = 0;
/* Check for prefered ip protocol. */
if (rec[i].type == family_priority)
score += 8;
/* Check for prefered network. */
for (j = 0; j < dns_opts->pref_net_nb; j++) {
/* Compare only the same adresses class. */
if (dns_opts->pref_net[j].family != rec[i].type)
continue;
if ((rec[i].type == AF_INET &&
in_net_ipv4(rec[i].ip,
&dns_opts->pref_net[j].mask.in4,
&dns_opts->pref_net[j].addr.in4)) ||
(rec[i].type == AF_INET6 &&
in_net_ipv6(rec[i].ip,
&dns_opts->pref_net[j].mask.in6,
&dns_opts->pref_net[j].addr.in6))) {
score += 4;
break;
}
}
/* Check if the IP found in the record is already affected to a member of a group.
* If yes, the score should be incremented by 2.
*/
if (owner) {
if (snr_check_ip_callback(owner, rec[i].ip, &rec[i].type))
record_ip_already_affected = 1;
}
if (record_ip_already_affected == 0)
score += 2;
/* Check for current ip matching. */
if (rec[i].type == currentip_sin_family &&
((currentip_sin_family == AF_INET &&
memcmp(rec[i].ip, currentip, 4) == 0) ||
(currentip_sin_family == AF_INET6 &&
memcmp(rec[i].ip, currentip, 16) == 0))) {
score += 1;
currentip_sel = 1;
} else
currentip_sel = 0;
/* Keep the address if the score is better than the previous
* score. The maximum score is 15, if this value is reached,
* we break the parsing. Implicitly, this score is reached
* the ip selected is the current ip.
*/
if (score > max_score) {
if (rec[i].type == AF_INET)
newip4 = rec[i].ip;
else
newip6 = rec[i].ip;
currentip_found = currentip_sel;
if (score == 15)
return DNS_UPD_NO;
max_score = score;
}
}
/* no IP found in the response */
if (!newip4 && !newip6) {
return DNS_UPD_NO_IP_FOUND;
}
/* case when the caller looks first for an IPv4 address */
if (family_priority == AF_INET) {
if (newip4) {
*newip = newip4;
*newip_sin_family = AF_INET;
if (currentip_found == 1)
return DNS_UPD_NO;
return DNS_UPD_SRVIP_NOT_FOUND;
}
else if (newip6) {
*newip = newip6;
*newip_sin_family = AF_INET6;
if (currentip_found == 1)
return DNS_UPD_NO;
return DNS_UPD_SRVIP_NOT_FOUND;
}
}
/* case when the caller looks first for an IPv6 address */
else if (family_priority == AF_INET6) {
if (newip6) {
*newip = newip6;
*newip_sin_family = AF_INET6;
if (currentip_found == 1)
return DNS_UPD_NO;
return DNS_UPD_SRVIP_NOT_FOUND;
}
else if (newip4) {
*newip = newip4;
*newip_sin_family = AF_INET;
if (currentip_found == 1)
return DNS_UPD_NO;
return DNS_UPD_SRVIP_NOT_FOUND;
}
}
/* case when the caller have no preference (we prefer IPv6) */
else if (family_priority == AF_UNSPEC) {
if (newip6) {
*newip = newip6;
*newip_sin_family = AF_INET6;
if (currentip_found == 1)
return DNS_UPD_NO;
return DNS_UPD_SRVIP_NOT_FOUND;
}
else if (newip4) {
*newip = newip4;
*newip_sin_family = AF_INET;
if (currentip_found == 1)
return DNS_UPD_NO;
return DNS_UPD_SRVIP_NOT_FOUND;
}
}
/* no reason why we should change the server's IP address */
return DNS_UPD_NO;
}
/*
* returns the query id contained in a DNS response
*/
unsigned short dns_response_get_query_id(unsigned char *resp)
{
/* read the query id from the response */
return resp[0] * 256 + resp[1];
}
/*
* used during haproxy's init phase
* parses resolvers sections and initializes:
* - task (time events) for each resolvers section
* - the datagram layer (network IO events) for each nameserver
* It takes one argument:
* - close_first takes 2 values: 0 or 1. If 1, the connection is closed first.
* returns:
* 0 in case of error
* 1 when no error
*/
int dns_init_resolvers(int close_socket)
{
struct dns_resolvers *curr_resolvers;
struct dns_nameserver *curnameserver;
struct dgram_conn *dgram;
struct task *t;
char *dns_trash_str;
int fd;
dns_trash_str = malloc(global.tune.bufsize);
if (dns_trash_str == NULL) {
Alert("Starting resolvers: out of memory.\n");
return 0;
}
/* allocate memory for the dns_trash buffer used to temporarily store
* the records of the received response */
chunk_init(&dns_trash, dns_trash_str, global.tune.bufsize);
/* give a first random value to our dns query_id seed */
dns_query_id_seed = random();
/* run through the resolvers section list */
list_for_each_entry(curr_resolvers, &dns_resolvers, list) {
/* create the task associated to the resolvers section */
if ((t = task_new()) == NULL) {
Alert("Starting [%s] resolvers: out of memory.\n", curr_resolvers->id);
return 0;
}
/* update task's parameters */
t->process = dns_process_resolve;
t->context = curr_resolvers;
t->expire = TICK_ETERNITY;
curr_resolvers->t = t;
list_for_each_entry(curnameserver, &curr_resolvers->nameserver_list, list) {
dgram = NULL;
if (close_socket == 1) {
if (curnameserver->dgram) {
fd_delete(curnameserver->dgram->t.sock.fd);
memset(curnameserver->dgram, '\0', sizeof(*dgram));
dgram = curnameserver->dgram;
}
}
/* allocate memory only if it has not already been allocated
* by a previous call to this function */
if (!dgram && (dgram = calloc(1, sizeof(*dgram))) == NULL) {
Alert("Starting [%s/%s] nameserver: out of memory.\n", curr_resolvers->id,
curnameserver->id);
return 0;
}
/* update datagram's parameters */
dgram->owner = (void *)curnameserver;
dgram->data = &resolve_dgram_cb;
/* create network UDP socket for this nameserver */
if ((fd = socket(curnameserver->addr.ss_family, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
Alert("Starting [%s/%s] nameserver: can't create socket.\n", curr_resolvers->id,
curnameserver->id);
free(dgram);
dgram = NULL;
return 0;
}
/* "connect" the UDP socket to the name server IP */
if (connect(fd, (struct sockaddr*)&curnameserver->addr, get_addr_len(&curnameserver->addr)) == -1) {
Alert("Starting [%s/%s] nameserver: can't connect socket.\n", curr_resolvers->id,
curnameserver->id);
close(fd);
free(dgram);
dgram = NULL;
return 0;
}
/* make the socket non blocking */
fcntl(fd, F_SETFL, O_NONBLOCK);
/* add the fd in the fd list and update its parameters */
fd_insert(fd);
fdtab[fd].owner = dgram;
fdtab[fd].iocb = dgram_fd_handler;
fd_want_recv(fd);
dgram->t.sock.fd = fd;
/* update nameserver's datagram property */
curnameserver->dgram = dgram;
continue;
}
/* task can be queued */
task_queue(t);
}
return 1;
}
/*
* Forge a DNS query. It needs the following information from the caller:
* - <query_id>: the DNS query id corresponding to this query
* - <query_type>: DNS_RTYPE_* request DNS record type (A, AAAA, ANY, etc...)
* - <hostname_dn>: hostname in domain name format
* - <hostname_dn_len>: length of <hostname_dn>
* To store the query, the caller must pass a buffer <buf> and its size <bufsize>
*
* the DNS query is stored in <buf>
* returns:
* -1 if <buf> is too short
*/
int dns_build_query(int query_id, int query_type, char *hostname_dn, int hostname_dn_len, char *buf, int bufsize)
{
struct dns_header *dns;
struct dns_question qinfo;
char *ptr, *bufend;
memset(buf, '\0', bufsize);
ptr = buf;
bufend = buf + bufsize;
/* check if there is enough room for DNS headers */
if (ptr + sizeof(struct dns_header) >= bufend)
return -1;
/* set dns query headers */
dns = (struct dns_header *)ptr;
dns->id = (unsigned short) htons(query_id);
dns->flags = htons(0x0100); /* qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, z=0, rcode=0 */
dns->qdcount = htons(1); /* 1 question */
dns->ancount = 0;
dns->nscount = 0;
dns->arcount = 0;
/* move forward ptr */
ptr += sizeof(struct dns_header);
/* check if there is enough room for query hostname */
if ((ptr + hostname_dn_len) >= bufend)
return -1;
/* set up query hostname */
memcpy(ptr, hostname_dn, hostname_dn_len);
ptr[hostname_dn_len + 1] = '\0';
/* move forward ptr */
ptr += (hostname_dn_len + 1);
/* check if there is enough room for query hostname*/
if (ptr + sizeof(struct dns_question) >= bufend)
return -1;
/* set up query info (type and class) */
qinfo.qtype = htons(query_type);
qinfo.qclass = htons(DNS_RCLASS_IN);
memcpy(ptr, &qinfo, sizeof(qinfo));
ptr += sizeof(struct dns_question);
return ptr - buf;
}
/*
* turn a string into domain name label:
* www.haproxy.org into 3www7haproxy3org
* if dn memory is pre-allocated, you must provide its size in dn_len
* if dn memory isn't allocated, dn_len must be set to 0.
* In the second case, memory will be allocated.
* in case of error, -1 is returned, otherwise, number of bytes copied in dn
*/
char *dns_str_to_dn_label(const char *string, char *dn, int dn_len)
{
char *c, *d;
int i, offset;
/* offset between string size and theorical dn size */
offset = 1;
/*
* first, get the size of the string turned into its domain name version
* This function also validates the string respect the RFC
*/
if ((i = dns_str_to_dn_label_len(string)) == -1)
return NULL;
/* yes, so let's check there is enough memory */
if (dn_len < i + offset)
return NULL;
i = strlen(string);
memcpy(dn + offset, string, i);
dn[i + offset] = '\0';
/* avoid a '\0' at the beginning of dn string which may prevent the for loop
* below from working.
* Actually, this is the reason of the offset. */
dn[0] = '0';
for (c = dn; *c ; ++c) {
/* c points to the first '0' char or a dot, which we don't want to read */
d = c + offset;
i = 0;
while (*d != '.' && *d) {
i++;
d++;
}
*c = i;
c = d - 1; /* because of c++ of the for loop */
}
return dn;
}
/*
* compute and return the length of <string> it it were translated into domain name
* label:
* www.haproxy.org into 3www7haproxy3org would return 16
* NOTE: add +1 for '\0' when allocating memory ;)
*/
int dns_str_to_dn_label_len(const char *string)
{
return strlen(string) + 1;
}
/*
* validates host name:
* - total size
* - each label size individually
* returns:
* 0 in case of error. If <err> is not NULL, an error message is stored there.
* 1 when no error. <err> is left unaffected.
*/
int dns_hostname_validation(const char *string, char **err)
{
const char *c, *d;
int i;
if (strlen(string) > DNS_MAX_NAME_SIZE) {
if (err)
*err = DNS_TOO_LONG_FQDN;
return 0;
}
c = string;
while (*c) {
d = c;
i = 0;
while (*d != '.' && *d && i <= DNS_MAX_LABEL_SIZE) {
i++;
if (!((*d == '-') || (*d == '_') ||
((*d >= 'a') && (*d <= 'z')) ||
((*d >= 'A') && (*d <= 'Z')) ||
((*d >= '0') && (*d <= '9')))) {
if (err)
*err = DNS_INVALID_CHARACTER;
return 0;
}
d++;
}
if ((i >= DNS_MAX_LABEL_SIZE) && (d[i] != '.')) {
if (err)
*err = DNS_LABEL_TOO_LONG;
return 0;
}
if (*d == '\0')
goto out;
c = ++d;
}
out:
return 1;
}
/*
* 2 bytes random generator to generate DNS query ID
*/
uint16_t dns_rnd16(void)
{
dns_query_id_seed ^= dns_query_id_seed << 13;
dns_query_id_seed ^= dns_query_id_seed >> 7;
dns_query_id_seed ^= dns_query_id_seed << 17;
return dns_query_id_seed;
}
/*
* function called when a timeout occurs during name resolution process
* if max number of tries is reached, then stop, otherwise, retry.
*/
struct task *dns_process_resolve(struct task *t)
{
struct dns_resolvers *resolvers = t->context;
struct dns_resolution *resolution, *res_back;
int res_preferred_afinet, res_preferred_afinet6;
struct dns_options *dns_opts = NULL;
/* timeout occurs inevitably for the first element of the FIFO queue */
if (LIST_ISEMPTY(&resolvers->curr_resolution)) {
/* no first entry, so wake up was useless */
t->expire = TICK_ETERNITY;
return t;
}
/* look for the first resolution which is not expired */
list_for_each_entry_safe(resolution, res_back, &resolvers->curr_resolution, list) {
/* when we find the first resolution in the future, then we can stop here */
if (tick_is_le(now_ms, resolution->last_sent_packet))
goto out;
/*
* if current resolution has been tried too many times and finishes in timeout
* we update its status and remove it from the list
*/
if (resolution->try <= 0) {
/* clean up resolution information and remove from the list */
dns_reset_resolution(resolution);
/* notify the result to the requester */
resolution->requester_error_cb(resolution, DNS_RESP_TIMEOUT);
goto out;
}
resolution->try -= 1;
dns_opts = &((struct server *)resolution->requester)->dns_opts;
res_preferred_afinet = dns_opts->family_prio == AF_INET && resolution->query_type == DNS_RTYPE_A;
res_preferred_afinet6 = dns_opts->family_prio == AF_INET6 && resolution->query_type == DNS_RTYPE_AAAA;
/* let's change the query type if needed */
if (res_preferred_afinet6) {
/* fallback from AAAA to A */
resolution->query_type = DNS_RTYPE_A;
}
else if (res_preferred_afinet) {
/* fallback from A to AAAA */
resolution->query_type = DNS_RTYPE_AAAA;
}
/* resend the DNS query */
dns_send_query(resolution);
/* check if we have more than one resolution in the list */
if (dns_check_resolution_queue(resolvers) > 1) {
/* move the rsolution to the end of the list */
LIST_DEL(&resolution->list);
LIST_ADDQ(&resolvers->curr_resolution, &resolution->list);
}
}
out:
dns_update_resolvers_timeout(resolvers);
return t;
}
/* if an arg is found, it sets the resolvers section pointer into cli.p0 */
static int cli_parse_stat_resolvers(char **args, struct appctx *appctx, void *private)
{
struct dns_resolvers *presolvers;
if (*args[3]) {
list_for_each_entry(presolvers, &dns_resolvers, list) {
if (strcmp(presolvers->id, args[3]) == 0) {
appctx->ctx.cli.p0 = presolvers;
break;
}
}
if (appctx->ctx.cli.p0 == NULL) {
appctx->ctx.cli.msg = "Can't find that resolvers section\n";
appctx->st0 = CLI_ST_PRINT;
return 1;
}
}
return 0;
}
/* This function allocates memory for a DNS resolution structure.
* It's up to the caller to set the parameters
* Returns a pointer to the structure resolution or NULL if memory could
* not be allocated.
*/
struct dns_resolution *dns_alloc_resolution(void)
{
struct dns_resolution *resolution = NULL;
resolution = calloc(1, sizeof(*resolution));
if (!resolution) {
free(resolution);
return NULL;
}
return resolution;
}
/* This function free the memory allocated to a DNS resolution */
void dns_free_resolution(struct dns_resolution *resolution)
{
free(resolution);
return;
}
/* This function dumps counters from all resolvers section and associated name
* servers. It returns 0 if the output buffer is full and it needs to be called
* again, otherwise non-zero. It may limit itself to the resolver pointed to by
* <cli.p0> if it's not null.
*/
static int cli_io_handler_dump_resolvers_to_buffer(struct appctx *appctx)
{
struct stream_interface *si = appctx->owner;
struct dns_resolvers *presolvers;
struct dns_nameserver *pnameserver;
chunk_reset(&trash);
switch (appctx->st2) {
case STAT_ST_INIT:
appctx->st2 = STAT_ST_LIST; /* let's start producing data */
/* fall through */
case STAT_ST_LIST:
if (LIST_ISEMPTY(&dns_resolvers)) {
chunk_appendf(&trash, "No resolvers found\n");
}
else {
list_for_each_entry(presolvers, &dns_resolvers, list) {
if (appctx->ctx.cli.p0 != NULL && appctx->ctx.cli.p0 != presolvers)
continue;
chunk_appendf(&trash, "Resolvers section %s\n", presolvers->id);
list_for_each_entry(pnameserver, &presolvers->nameserver_list, list) {
chunk_appendf(&trash, " nameserver %s:\n", pnameserver->id);
chunk_appendf(&trash, " sent: %ld\n", pnameserver->counters.sent);
chunk_appendf(&trash, " valid: %ld\n", pnameserver->counters.valid);
chunk_appendf(&trash, " update: %ld\n", pnameserver->counters.update);
chunk_appendf(&trash, " cname: %ld\n", pnameserver->counters.cname);
chunk_appendf(&trash, " cname_error: %ld\n", pnameserver->counters.cname_error);
chunk_appendf(&trash, " any_err: %ld\n", pnameserver->counters.any_err);
chunk_appendf(&trash, " nx: %ld\n", pnameserver->counters.nx);
chunk_appendf(&trash, " timeout: %ld\n", pnameserver->counters.timeout);
chunk_appendf(&trash, " refused: %ld\n", pnameserver->counters.refused);
chunk_appendf(&trash, " other: %ld\n", pnameserver->counters.other);
chunk_appendf(&trash, " invalid: %ld\n", pnameserver->counters.invalid);
chunk_appendf(&trash, " too_big: %ld\n", pnameserver->counters.too_big);
chunk_appendf(&trash, " truncated: %ld\n", pnameserver->counters.truncated);
chunk_appendf(&trash, " outdated: %ld\n", pnameserver->counters.outdated);
}
}
}
/* display response */
if (bi_putchk(si_ic(si), &trash) == -1) {
/* let's try again later from this session. We add ourselves into
* this session's users so that it can remove us upon termination.
*/
si->flags |= SI_FL_WAIT_ROOM;
return 0;
}
appctx->st2 = STAT_ST_FIN;
/* fall through */
default:
appctx->st2 = STAT_ST_FIN;
return 1;
}
}
/* register cli keywords */
static struct cli_kw_list cli_kws = {{ },{
{ { "show", "stat", "resolvers", NULL }, "show stat resolvers [id]: dumps counters from all resolvers section and\n"
" associated name servers",
cli_parse_stat_resolvers, cli_io_handler_dump_resolvers_to_buffer },
{{},}
}};
__attribute__((constructor))
static void __dns_init(void)
{
cli_register_kw(&cli_kws);
}