search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
accept more TLS versions, ignore zero return
[ghsmtp.git] / DNS.cpp
blob297941d037c9eb4ad1c7959a2cdc443e02cbdcf9
1 #include "DNS.hpp"
2
3 #include "DNS-iostream.hpp"
4 #include "IP4.hpp"
5 #include "IP6.hpp"
6 #include "Sock.hpp"
7
8 #include <atomic>
9 #include <limits>
10 #include <memory>
11 #include <tuple>
12
13 #include <arpa/nameser.h>
14
15 #include <glog/logging.h>
16
17 #include "osutil.hpp"
18
19 DEFINE_bool(log_dns_data, false, "log all DNS TCP protocol data");
20 DEFINE_bool(random_dns_servers, false, "Pick starting DNS server at random");
21
22 namespace Config {
23 // The default timeout in glibc is 5 seconds. My setup with unbound
24 // in front of stubby with DNSSEC checking and all that seems to work
25 // better with just a little more time.
26
27 auto constexpr read_timeout{std::chrono::seconds(7)};
28 auto constexpr write_timeout{std::chrono::seconds(1)};
29
30 enum class sock_type : bool { stream, dgram };
31
32 struct nameserver {
33 char const* host; // name used to match cert
34 char const* addr;
35 char const* port;
36 sock_type typ;
37 };
38
39 constexpr nameserver nameservers[]{
40 {
41 "dns.mullvad.net",
42 "194.242.2.2",
43 "domain-s",
44 sock_type::stream,
45 }
46 /*
47 {
48 "localhost",
49 "::1",
50 "domain",
51 sock_type::stream,
52 },
53 {
54 "one.one.one.one",
55 "1.1.1.1",
56 "domain-s",
57 sock_type::stream,
58 },
59 {
60 "one.one.one.one",
61 "1.1.1.1",
62 "domain",
63 sock_type::dgram,
64 },
65 {
66 "dns.google",
67 "8.8.8.8",
68 "domain",
69 sock_type::dgram,
70 },
71 {
72 "dns.google",
73 "8.8.4.4",
74 "domain",
75 sock_type::dgram,
76 },
77
78 {
79 "dns.google",
80 "2001:4860:4860::8888",
81 "domain",
82 sock_type::dgram,
83 },
84 {
85 "dns.google",
86 "2001:4860:4860::8844",
87 "domain",
88 sock_type::dgram,
89 },
90 {
91 "1dot1dot1dot1.cloudflare-dns.com",
92 "1.0.0.1",
93 "domain-s",
94 sock_type::stream,
95 },
96 {
97 "1dot1dot1dot1.cloudflare-dns.com",
98 "2606:4700:4700::1111",
99 "domain-s",
100 sock_type::stream,
101 },
102 {
103 "1dot1dot1dot1.cloudflare-dns.com",
104 "2606:4700:4700::1001",
105 "domain-s",
106 sock_type::stream,
107 },
108 {
109 "dns9.quad9.net",
110 "9.9.9.9",
111 "domain-s",
112 sock_type::stream,
113 },
114 {
115 "dns10.quad9.net",
116 "9.9.9.10",
117 "domain-s",
118 sock_type::stream,
119 },
120 {
121 "dns10.quad9.net",
122 "149.112.112.10",
123 "domain-s",
124 sock_type::stream,
125 },
126 {
127 "dns10.quad9.net",
128 "2620:fe::10",
129 "domain-s",
130 sock_type::stream,
131 },
132 */
133 };
134 } // namespace Config
135
136 template <typename T, std::size_t N>
137 constexpr std::size_t countof(T const (&)[N]) noexcept
138 {
139 return N;
140 }
141
142 namespace DNS {
143
144 Resolver::Resolver(fs::path config_path)
145 {
146 auto tries = countof(Config::nameservers);
147
148 if (FLAGS_random_dns_servers) {
149 std::uniform_int_distribution<int> uniform_dist(
150 0, countof(Config::nameservers) - 1);
151 ns_ = uniform_dist(rng_);
152 }
153 else {
154 ns_ = static_cast<int>(countof(Config::nameservers) - 1);
155 }
156
157 while (tries--) {
158
159 // try the next one, with wrap
160 if (++ns_ == countof(Config::nameservers))
161 ns_ = 0;
162
163 auto const& nameserver = Config::nameservers[ns_];
164 auto typ = (nameserver.typ == Config::sock_type::stream) ? SOCK_STREAM
165 : SOCK_DGRAM;
166
167 uint16_t port =
168 osutil::get_port(nameserver.port, (typ == SOCK_STREAM) ? "tcp" : "udp");
169 ns_fd_ = -1;
170
171 if (IP4::is_address(nameserver.addr)) {
172 ns_fd_ = socket(AF_INET, typ, 0);
173 PCHECK(ns_fd_ >= 0) << "socket() failed";
174
175 auto in4{sockaddr_in{}};
176 in4.sin_family = AF_INET;
177 in4.sin_port = htons(port);
178 CHECK_EQ(inet_pton(AF_INET, nameserver.addr,
179 reinterpret_cast<void*>(&in4.sin_addr)),
180 1);
181 if (connect(ns_fd_, reinterpret_cast<const sockaddr*>(&in4),
182 sizeof(in4))) {
183 PLOG(INFO) << "connect failed " << nameserver.host << '['
184 << nameserver.addr << "]:" << nameserver.port;
185 close(ns_fd_);
186 ns_fd_ = -1;
187 continue;
188 }
189 }
190 else if (IP6::is_address(nameserver.addr)) {
191 ns_fd_ = socket(AF_INET6, typ, 0);
192 PCHECK(ns_fd_ >= 0) << "socket() failed";
193
194 auto in6{sockaddr_in6{}};
195 in6.sin6_family = AF_INET6;
196 in6.sin6_port = htons(port);
197 CHECK_EQ(inet_pton(AF_INET6, nameserver.addr,
198 reinterpret_cast<void*>(&in6.sin6_addr)),
199 1);
200 if (connect(ns_fd_, reinterpret_cast<const sockaddr*>(&in6),
201 sizeof(in6))) {
202 PLOG(INFO) << "connect failed " << nameserver.host << '['
203 << nameserver.addr << "]:" << nameserver.port;
204 close(ns_fd_);
205 ns_fd_ = -1;
206 continue;
207 }
208 }
209
210 POSIX::set_nonblocking(ns_fd_);
211
212 if (nameserver.typ == Config::sock_type::stream) {
213 ns_sock_ = std::make_unique<Sock>(ns_fd_, ns_fd_);
214 if (FLAGS_log_dns_data) {
215 ns_sock_->log_data_on();
216 }
217 else {
218 ns_sock_->log_data_off();
219 }
220
221 if (port != 53) {
222 DNS::RR_collection tlsa_rrs; // empty FIXME!
223 ns_sock_->starttls_client(config_path, nullptr, nameserver.host,
224 tlsa_rrs, false);
225 if (ns_sock_->verified()) {
226 ns_fd_ = -1;
227 return;
228 }
229 close(ns_fd_);
230 ns_fd_ = -1;
231 continue;
232 }
233 ns_fd_ = -1;
234 }
235
236 return;
237 }
238
239 LOG(FATAL) << "no nameservers left to try";
240 }
241
242 message Resolver::xchg(message const& q)
243 {
244 if (Config::nameservers[ns_].typ == Config::sock_type::stream) {
245 CHECK_EQ(ns_fd_, -1);
246
247 auto const sp = static_cast<std::span<DNS::message::octet const>>(q);
248
249 uint16_t sz = sp.size();
250
251 sz = htons(sz);
252 ns_sock_->out().write(reinterpret_cast<char const*>(&sz), sizeof sz);
253 ns_sock_->out().write(reinterpret_cast<char const*>(sp.data()), sp.size());
254 ns_sock_->out().flush();
255
256 sz = 0;
257 ns_sock_->in().read(reinterpret_cast<char*>(&sz), sizeof sz);
258 sz = ntohs(sz);
259
260 DNS::message::container_t bfr(sz);
261 ns_sock_->in().read(reinterpret_cast<char*>(bfr.data()), sz);
262 CHECK_EQ(ns_sock_->in().gcount(), std::streamsize(sz));
263
264 if (!ns_sock_->in()) {
265 LOG(WARNING) << "Resolver::xchg was able to read only "
266 << ns_sock_->in().gcount() << " octets";
267 }
268
269 return message{std::move(bfr)};
270 }
271
272 CHECK(Config::nameservers[ns_].typ == Config::sock_type::dgram);
273 CHECK_GE(ns_fd_, 0);
274
275 auto t_o{false};
276
277 auto const sp = static_cast<std::span<DNS::message::octet const>>(q);
278
279 auto const wrlen =
280 POSIX::write(ns_fd_, reinterpret_cast<char const*>(sp.data()), sp.size(),
281 Config::write_timeout, t_o);
282 if (wrlen != std::streamsize(sp.size())) {
283 LOG(WARNING) << "DNS write failed";
284 return message{0};
285 }
286 if (t_o) {
287 LOG(WARNING) << "DNS write timed out";
288 return message{0};
289 }
290
291 DNS::message::container_t bfr(Config::max_udp_sz);
292
293 auto constexpr hook{[]() {}};
294 auto const a_rdlen = POSIX::read(ns_fd_, reinterpret_cast<char*>(bfr.data()),
295 bfr.size(), hook, Config::read_timeout, t_o);
296 if (a_rdlen < 0) {
297 LOG(WARNING) << "DNS read failed";
298 return message{0};
299 }
300 if (t_o) {
301 LOG(WARNING) << "DNS read timed out";
302 return message{0};
303 }
304
305 bfr.resize(a_rdlen); // down from max_udp_sz
306 bfr.shrink_to_fit();
307
308 return message{std::move(bfr)};
309 }
310
311 RR_collection Resolver::get_records(RR_type typ, char const* name)
312 {
313 Query q(*this, typ, name);
314 return q.get_records();
315 }
316
317 std::vector<std::string> Resolver::get_strings(RR_type typ, char const* name)
318 {
319 Query q(*this, typ, name);
320 return q.get_strings();
321 }
322
323 bool Query::xchg_(Resolver& res, uint16_t id)
324 {
325 auto tries = 3;
326
327 while (tries) {
328
329 a_ = res.xchg(q_);
330
331 auto const a_sp = static_cast<std::span<DNS::message::octet const>>(a_);
332
333 if (!a_sp.size()) {
334 bogus_or_indeterminate_ = true;
335 LOG(WARNING) << "no reply from nameserver";
336 return false;
337 }
338
339 if (a_sp.size() < message::min_sz()) {
340 bogus_or_indeterminate_ = true;
341 LOG(WARNING) << "packet too small";
342 return false;
343 }
344
345 if (a_.id() == id)
346 break;
347
348 LOG(WARNING) << "packet out of order; ids don't match, got " << a_.id()
349 << " expecting " << id;
350 --tries;
351 }
352
353 if (tries)
354 return true;
355
356 bogus_or_indeterminate_ = true;
357 LOG(WARNING) << "no tries left, giving up";
358
359 return false;
360 }
361
362 Query::Query(Resolver& res, RR_type type, char const* name)
363 : type_(type)
364 {
365 uint16_t id = res.rnd_id();
366 uint16_t cls = ns_c_in;
367
368 q_ = create_question(name, type, cls, id);
369
370 if (!xchg_(res, id))
371 return;
372
373 auto const a_sp = static_cast<std::span<DNS::message::octet const>>(a_);
374
375 if (a_sp.size() < message::min_sz()) {
376 bogus_or_indeterminate_ = true;
377 LOG(INFO) << "bad (or no) reply for " << name << '/' << type;
378 return;
379 }
380
381 check_answer(nx_domain_, bogus_or_indeterminate_, rcode_, extended_rcode_,
382 truncation_, authentic_data_, has_record_, q_, a_, type, name);
383
384 if (truncation_) {
385 // if UDP, retry with TCP
386 bogus_or_indeterminate_ = true;
387 LOG(INFO) << "truncated answer for " << name << '/' << type;
388 }
389 }
390
391 RR_collection Query::get_records()
392 {
393 if (bogus_or_indeterminate_)
394 return RR_collection{};
395
396 return DNS::get_records(a_, bogus_or_indeterminate_);
397 }
398
399 std::vector<std::string> Query::get_strings()
400 {
401 std::vector<std::string> ret;
402
403 auto const rr_set = get_records();
404
405 for (auto rr : rr_set) {
406 std::visit(
407 [&ret, type = type_](auto const& r) {
408 if (type == r.rr_type()) {
409 auto const s = r.as_str();
410 if (s)
411 ret.push_back(*s);
412 }
413 },
414 rr);
415 }
416
417 return ret;
418 }
419
420 } // namespace DNS
Gene's SMTP server