search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
more system calls for sanitize
[ghsmtp.git] / DNS.cpp
blobba426e32e8d6e4ed7f99389be610189c8537e93e
1 #include "DNS.hpp"
2
3 #include "DNS-iostream.hpp"
4 #include "IP4.hpp"
5 #include "IP6.hpp"
6 #include "Sock.hpp"
7
8 #include <atomic>
9 #include <limits>
10 #include <memory>
11 #include <tuple>
12
13 #include <arpa/nameser.h>
14
15 #include <experimental/random>
16
17 #include <glog/logging.h>
18
19 #include "osutil.hpp"
20
21 DEFINE_bool(log_dns_data, false, "log all DNS TCP protocol data");
22 DEFINE_bool(random_dns_servers, false, "Pick starting DNS server at random");
23
24 namespace Config {
25 // The default timeout in glibc is 5 seconds. My setup with unbound
26 // in front of stubby with DNSSEC checking and all that seems to work
27 // better with just a little more time.
28
29 auto constexpr read_timeout{std::chrono::seconds(7)};
30
31 enum class sock_type : bool { stream, dgram };
32
33 struct nameserver {
34 char const* host; // name used to match cert
35 char const* addr;
36 char const* port;
37 sock_type typ;
38 };
39
40 constexpr nameserver nameservers[]{
41 {
42 "localhost",
43 "127.0.0.1",
44 "domain",
45 sock_type::stream,
46 },
47 /*
48 {
49 "localhost",
50 "::1",
51 "domain",
52 sock_type::stream,
53 },
54 {
55 "one.one.one.one",
56 "1.1.1.1",
57 "domain-s",
58 sock_type::stream,
59 },
60 {
61 "one.one.one.one",
62 "1.1.1.1",
63 "domain",
64 sock_type::dgram,
65 },
66 {
67 "dns.google",
68 "8.8.8.8",
69 "domain",
70 sock_type::dgram,
71 },
72 {
73 "dns.google",
74 "8.8.4.4",
75 "domain",
76 sock_type::dgram,
77 },
78
79 {
80 "dns.google",
81 "2001:4860:4860::8888",
82 "domain",
83 sock_type::dgram,
84 },
85 {
86 "dns.google",
87 "2001:4860:4860::8844",
88 "domain",
89 sock_type::dgram,
90 },
91 {
92 "1dot1dot1dot1.cloudflare-dns.com",
93 "1.0.0.1",
94 "domain-s",
95 sock_type::stream,
96 },
97 {
98 "1dot1dot1dot1.cloudflare-dns.com",
99 "2606:4700:4700::1111",
100 "domain-s",
101 sock_type::stream,
102 },
103 {
104 "1dot1dot1dot1.cloudflare-dns.com",
105 "2606:4700:4700::1001",
106 "domain-s",
107 sock_type::stream,
108 },
109 {
110 "dns9.quad9.net",
111 "9.9.9.9",
112 "domain-s",
113 sock_type::stream,
114 },
115 {
116 "dns10.quad9.net",
117 "9.9.9.10",
118 "domain-s",
119 sock_type::stream,
120 },
121 {
122 "dns10.quad9.net",
123 "149.112.112.10",
124 "domain-s",
125 sock_type::stream,
126 },
127 {
128 "dns10.quad9.net",
129 "2620:fe::10",
130 "domain-s",
131 sock_type::stream,
132 },
133 */
134 };
135 } // namespace Config
136
137 template <typename T, std::size_t N>
138 constexpr std::size_t countof(T const (&)[N]) noexcept
139 {
140 return N;
141 }
142
143 namespace DNS {
144
145 Resolver::Resolver(fs::path config_path)
146 {
147 auto tries = countof(Config::nameservers);
148
149 if (FLAGS_random_dns_servers) {
150 ns_ = std::experimental::randint(
151 0, static_cast<int>(countof(Config::nameservers) - 1));
152 }
153 else {
154 ns_ = static_cast<int>(countof(Config::nameservers) - 1);
155 }
156
157 while (tries--) {
158
159 // try the next one, with wrap
160 if (++ns_ == countof(Config::nameservers))
161 ns_ = 0;
162
163 auto const& nameserver = Config::nameservers[ns_];
164 auto typ = (nameserver.typ == Config::sock_type::stream) ? SOCK_STREAM
165 : SOCK_DGRAM;
166
167 uint16_t port =
168 osutil::get_port(nameserver.port, (typ == SOCK_STREAM) ? "tcp" : "udp");
169 ns_fd_ = -1;
170
171 if (IP4::is_address(nameserver.addr)) {
172 ns_fd_ = socket(AF_INET, typ, 0);
173 PCHECK(ns_fd_ >= 0) << "socket() failed";
174
175 auto in4{sockaddr_in{}};
176 in4.sin_family = AF_INET;
177 in4.sin_port = htons(port);
178 CHECK_EQ(inet_pton(AF_INET, nameserver.addr,
179 reinterpret_cast<void*>(&in4.sin_addr)),
180 1);
181 if (connect(ns_fd_, reinterpret_cast<const sockaddr*>(&in4),
182 sizeof(in4))) {
183 PLOG(INFO) << "connect failed " << nameserver.host << '['
184 << nameserver.addr << "]:" << nameserver.port;
185 close(ns_fd_);
186 ns_fd_ = -1;
187 continue;
188 }
189 }
190 else if (IP6::is_address(nameserver.addr)) {
191 ns_fd_ = socket(AF_INET6, typ, 0);
192 PCHECK(ns_fd_ >= 0) << "socket() failed";
193
194 auto in6{sockaddr_in6{}};
195 in6.sin6_family = AF_INET6;
196 in6.sin6_port = htons(port);
197 CHECK_EQ(inet_pton(AF_INET6, nameserver.addr,
198 reinterpret_cast<void*>(&in6.sin6_addr)),
199 1);
200 if (connect(ns_fd_, reinterpret_cast<const sockaddr*>(&in6),
201 sizeof(in6))) {
202 PLOG(INFO) << "connect failed " << nameserver.host << '['
203 << nameserver.addr << "]:" << nameserver.port;
204 close(ns_fd_);
205 ns_fd_ = -1;
206 continue;
207 }
208 }
209
210 POSIX::set_nonblocking(ns_fd_);
211
212 if (nameserver.typ == Config::sock_type::stream) {
213 ns_sock_ = std::make_unique<Sock>(ns_fd_, ns_fd_);
214 if (FLAGS_log_dns_data) {
215 ns_sock_->log_data_on();
216 }
217 else {
218 ns_sock_->log_data_off();
219 }
220
221 if (port != 53) {
222 DNS::RR_collection tlsa_rrs; // empty FIXME!
223 ns_sock_->starttls_client(config_path, nullptr, nameserver.host,
224 tlsa_rrs, false);
225 if (ns_sock_->verified()) {
226 ns_fd_ = -1;
227 return;
228 }
229 close(ns_fd_);
230 ns_fd_ = -1;
231 continue;
232 }
233 ns_fd_ = -1;
234 }
235
236 return;
237 }
238
239 LOG(FATAL) << "no nameservers left to try";
240 }
241
242 message Resolver::xchg(message const& q)
243 {
244 if (Config::nameservers[ns_].typ == Config::sock_type::stream) {
245 CHECK_EQ(ns_fd_, -1);
246
247 uint16_t sz = htons(std::size(q));
248
249 ns_sock_->out().write(reinterpret_cast<char const*>(&sz), sizeof sz);
250 ns_sock_->out().write(reinterpret_cast<char const*>(begin(q)), size(q));
251 ns_sock_->out().flush();
252
253 sz = 0;
254 ns_sock_->in().read(reinterpret_cast<char*>(&sz), sizeof sz);
255 sz = ntohs(sz);
256
257 DNS::message::container_t bfr(sz);
258 ns_sock_->in().read(reinterpret_cast<char*>(bfr.data()), sz);
259 CHECK_EQ(ns_sock_->in().gcount(), std::streamsize(sz));
260
261 if (!ns_sock_->in()) {
262 LOG(WARNING) << "Resolver::xchg was able to read only "
263 << ns_sock_->in().gcount() << " octets";
264 }
265
266 return message{std::move(bfr)};
267 }
268
269 CHECK(Config::nameservers[ns_].typ == Config::sock_type::dgram);
270 CHECK_GE(ns_fd_, 0);
271
272 CHECK_EQ(send(ns_fd_, std::begin(q), std::size(q), 0), std::size(q));
273
274 DNS::message::container_t bfr(Config::max_udp_sz);
275
276 auto constexpr hook{[]() {}};
277 auto t_o{false};
278 auto const a_buf = reinterpret_cast<char*>(bfr.data());
279 auto const a_buflen = POSIX::read(ns_fd_, a_buf, int(Config::max_udp_sz),
280 hook, Config::read_timeout, t_o);
281
282 if (a_buflen < 0) {
283 LOG(WARNING) << "DNS read failed";
284 return message{0};
285 }
286
287 if (t_o) {
288 LOG(WARNING) << "DNS read timed out";
289 return message{0};
290 }
291
292 bfr.resize(a_buflen);
293 bfr.shrink_to_fit();
294
295 return message{std::move(bfr)};
296 }
297
298 RR_collection Resolver::get_records(RR_type typ, char const* name)
299 {
300 Query q(*this, typ, name);
301 return q.get_records();
302 }
303
304 std::vector<std::string> Resolver::get_strings(RR_type typ, char const* name)
305 {
306 Query q(*this, typ, name);
307 return q.get_strings();
308 }
309
310 bool Query::xchg_(Resolver& res, uint16_t id)
311 {
312 auto tries = 3;
313
314 while (tries) {
315
316 a_ = res.xchg(q_);
317
318 if (!size(a_)) {
319 bogus_or_indeterminate_ = true;
320 LOG(WARNING) << "no reply from nameserver";
321 return false;
322 }
323
324 if (size(a_) < min_message_sz()) {
325 bogus_or_indeterminate_ = true;
326 LOG(WARNING) << "packet too small";
327 return false;
328 }
329
330 if (a_.id() == id)
331 break;
332
333 LOG(WARNING) << "packet out of order; ids don't match, got " << a_.id()
334 << " expecting " << id;
335 --tries;
336 }
337
338 if (tries)
339 return true;
340
341 bogus_or_indeterminate_ = true;
342 LOG(WARNING) << "no tries left, giving up";
343
344 return false;
345 }
346
347 Query::Query(Resolver& res, RR_type type, char const* name)
348 : type_(type)
349 {
350 static_assert(std::numeric_limits<uint16_t>::min() == 0);
351 static_assert(std::numeric_limits<uint16_t>::max() == 65535);
352
353 uint16_t id =
354 std::experimental::randint(std::numeric_limits<uint16_t>::min(),
355 std::numeric_limits<uint16_t>::max());
356
357 uint16_t cls = ns_c_in;
358
359 q_ = create_question(name, type, cls, id);
360
361 if (!xchg_(res, id))
362 return;
363
364 if (size(a_) < min_message_sz()) {
365 bogus_or_indeterminate_ = true;
366 LOG(INFO) << "bad (or no) reply for " << name << '/' << type;
367 return;
368 }
369
370 check_answer(nx_domain_, bogus_or_indeterminate_, rcode_, extended_rcode_,
371 truncation_, authentic_data_, has_record_, q_, a_, type, name);
372
373 if (truncation_) {
374 // if UDP, retry with TCP
375 bogus_or_indeterminate_ = true;
376 LOG(INFO) << "truncated answer for " << name << '/' << type;
377 }
378 }
379
380 RR_collection Query::get_records()
381 {
382 if (bogus_or_indeterminate_)
383 return RR_collection{};
384
385 return DNS::get_records(a_, bogus_or_indeterminate_);
386 }
387
388 std::vector<std::string> Query::get_strings()
389 {
390 std::vector<std::string> ret;
391
392 auto const rr_set = get_records();
393
394 for (auto rr : rr_set) {
395 std::visit(
396 [&ret, type = type_](auto const& r) {
397 if (type == r.rr_type()) {
398 auto const s = r.as_str();
399 if (s)
400 ret.push_back(*s);
401 }
402 },
403 rr);
404 }
405
406 return ret;
407 }
408
409 } // namespace DNS
Gene's SMTP server