1 /* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
2 
3    This program is free software; you can redistribute it and/or modify
4    it under the terms of the GNU General Public License as published by
5    the Free Software Foundation; version 2 dated June, 1991, or
6    (at your option) version 3 dated 29 June, 2007.
7 
8    This program is distributed in the hope that it will be useful,
9    but WITHOUT ANY WARRANTY; without even the implied warranty of
10    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11    GNU General Public License for more details.
12 
13    You should have received a copy of the GNU General Public License
14    along with this program.  If not, see <http://www.gnu.org/licenses/>.
15 */
16 
17 #include "dnsmasq.h"
18 
19 static int add_resource_record(HEADER *header, char *limit, int *truncp,
20 			       unsigned int nameoffset, unsigned char **pp,
21 			       unsigned long ttl, unsigned int *offset, unsigned short type,
22 			       unsigned short class, char *format, ...);
23 
24 #define CHECK_LEN(header, pp, plen, len) \
25     ((size_t)((pp) - (unsigned char *)(header) + (len)) <= (plen))
26 
27 #define ADD_RDLEN(header, pp, plen, len) \
28     (!CHECK_LEN(header, pp, plen, len) ? 0 : (long)((pp) += (len)), 1)
29 
extract_name(HEADER * header,size_t plen,unsigned char ** pp,char * name,int isExtract,int extrabytes)30 static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
31 			char *name, int isExtract, int extrabytes)
32 {
33   unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL;
34   unsigned int j, l, hops = 0;
35   int retvalue = 1;
36 
37   if (isExtract)
38     *cp = 0;
39 
40   while (1)
41     {
42       unsigned int label_type;
43 
44       if (!CHECK_LEN(header, p, plen, 1))
45 	return 0;
46 
47       if ((l = *p++) == 0)
48 	/* end marker */
49 	{
50 	  /* check that there are the correct no of bytes after the name */
51 	  if (!CHECK_LEN(header, p, plen, extrabytes))
52 	    return 0;
53 
54 	  if (isExtract)
55 	    {
56 	      if (cp != (unsigned char *)name)
57 		cp--;
58 	      *cp = 0; /* terminate: lose final period */
59 	    }
60 	  else if (*cp != 0)
61 	    retvalue = 2;
62 
63 	  if (p1) /* we jumped via compression */
64 	    *pp = p1;
65 	  else
66 	    *pp = p;
67 
68 	  return retvalue;
69 	}
70 
71       label_type = l & 0xc0;
72 
73       if (label_type == 0xc0) /* pointer */
74 	{
75 	  if (!CHECK_LEN(header, p, plen, 1))
76 	    return 0;
77 
78 	  /* get offset */
79 	  l = (l&0x3f) << 8;
80 	  l |= *p++;
81 
82 	  if (!p1) /* first jump, save location to go back to */
83 	    p1 = p;
84 
85 	  hops++; /* break malicious infinite loops */
86 	  if (hops > 255)
87 	    return 0;
88 
89 	  p = l + (unsigned char *)header;
90 	}
91       else if (label_type == 0x80)
92 	return 0; /* reserved */
93       else if (label_type == 0x40)
94 	{ /* ELT */
95 	  unsigned int count, digs;
96 
97 	  if ((l & 0x3f) != 1)
98 	    return 0; /* we only understand bitstrings */
99 
100 	  if (!isExtract)
101 	    return 0; /* Cannot compare bitsrings */
102 
103 	  count = *p++;
104 	  if (count == 0)
105 	    count = 256;
106 	  digs = ((count-1)>>2)+1;
107 
108 	  /* output is \[x<hex>/siz]. which is digs+9 chars */
109 	  if (cp - (unsigned char *)name + digs + 9 >= MAXDNAME)
110 	    return 0;
111 	  if (!CHECK_LEN(header, p, plen, (count-1)>>3))
112 	    return 0;
113 
114 	  *cp++ = '\\';
115 	  *cp++ = '[';
116 	  *cp++ = 'x';
117 	  for (j=0; j<digs; j++)
118 	    {
119 	      unsigned int dig;
120 	      if (j%2 == 0)
121 		dig = *p >> 4;
122 	      else
123 		dig = *p++ & 0x0f;
124 
125 	      *cp++ = dig < 10 ? dig + '0' : dig + 'A' - 10;
126 	    }
127 	  cp += sprintf((char *)cp, "/%d]", count);
128 	  /* do this here to overwrite the zero char from sprintf */
129 	  *cp++ = '.';
130 	}
131       else
132 	{ /* label_type = 0 -> label. */
133 	  if (cp - (unsigned char *)name + l + 1 >= MAXDNAME)
134 	    return 0;
135 	  if (!CHECK_LEN(header, p, plen, l))
136 	    return 0;
137 
138 	  for(j=0; j<l; j++, p++)
139 	    if (isExtract)
140 	      {
141 		unsigned char c = *p;
142 		if (isascii(c) && !iscntrl(c) && c != '.')
143 		  *cp++ = *p;
144 		else
145 		  return 0;
146 	      }
147 	    else
148 	      {
149 		unsigned char c1 = *cp, c2 = *p;
150 
151 		if (c1 == 0)
152 		  retvalue = 2;
153 		else
154 		  {
155 		    cp++;
156 		    if (c1 >= 'A' && c1 <= 'Z')
157 		      c1 += 'a' - 'A';
158 		    if (c2 >= 'A' && c2 <= 'Z')
159 		      c2 += 'a' - 'A';
160 
161 		    if (c1 != c2)
162 		      retvalue =  2;
163 		  }
164 	      }
165 
166 	  if (isExtract)
167 	    *cp++ = '.';
168 	  else if (*cp != 0 && *cp++ != '.')
169 	    retvalue = 2;
170 	}
171     }
172 }
173 
174 /* Max size of input string (for IPv6) is 75 chars.) */
175 #define MAXARPANAME 75
in_arpa_name_2_addr(char * namein,struct all_addr * addrp)176 static int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
177 {
178   int j;
179   char name[MAXARPANAME+1], *cp1;
180   unsigned char *addr = (unsigned char *)addrp;
181   char *lastchunk = NULL, *penchunk = NULL;
182 
183   if (strlen(namein) > MAXARPANAME)
184     return 0;
185 
186   memset(addrp, 0, sizeof(struct all_addr));
187 
188   /* turn name into a series of asciiz strings */
189   /* j counts no of labels */
190   for(j = 1,cp1 = name; *namein; cp1++, namein++)
191     if (*namein == '.')
192       {
193 	penchunk = lastchunk;
194         lastchunk = cp1 + 1;
195 	*cp1 = 0;
196 	j++;
197       }
198     else
199       *cp1 = *namein;
200 
201   *cp1 = 0;
202 
203   if (j<3)
204     return 0;
205 
206   if (hostname_isequal(lastchunk, "arpa") && hostname_isequal(penchunk, "in-addr"))
207     {
208       /* IP v4 */
209       /* address arives as a name of the form
210 	 www.xxx.yyy.zzz.in-addr.arpa
211 	 some of the low order address octets might be missing
212 	 and should be set to zero. */
213       for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
214 	{
215 	  /* check for digits only (weeds out things like
216 	     50.0/24.67.28.64.in-addr.arpa which are used
217 	     as CNAME targets according to RFC 2317 */
218 	  char *cp;
219 	  for (cp = cp1; *cp; cp++)
220 	    if (!isdigit((int)*cp))
221 	      return 0;
222 
223 	  addr[3] = addr[2];
224 	  addr[2] = addr[1];
225 	  addr[1] = addr[0];
226 	  addr[0] = atoi(cp1);
227 	}
228 
229       return F_IPV4;
230     }
231 #ifdef HAVE_IPV6
232   else if (hostname_isequal(penchunk, "ip6") &&
233 	   (hostname_isequal(lastchunk, "int") || hostname_isequal(lastchunk, "arpa")))
234     {
235       /* IP v6:
236          Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
237     	 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
238 
239 	 Note that most of these the various reprentations are obsolete and
240 	 left-over from the many DNS-for-IPv6 wars. We support all the formats
241 	 that we can since there is no reason not to.
242       */
243 
244       if (*name == '\\' && *(name+1) == '[' &&
245 	  (*(name+2) == 'x' || *(name+2) == 'X'))
246 	{
247 	  for (j = 0, cp1 = name+3; *cp1 && isxdigit((int) *cp1) && j < 32; cp1++, j++)
248 	    {
249 	      char xdig[2];
250 	      xdig[0] = *cp1;
251 	      xdig[1] = 0;
252 	      if (j%2)
253 		addr[j/2] |= strtol(xdig, NULL, 16);
254 	      else
255 		addr[j/2] = strtol(xdig, NULL, 16) << 4;
256 	    }
257 
258 	  if (*cp1 == '/' && j == 32)
259 	    return F_IPV6;
260 	}
261       else
262 	{
263 	  for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
264 	    {
265 	      if (*(cp1+1) || !isxdigit((int)*cp1))
266 		return 0;
267 
268 	      for (j = sizeof(struct all_addr)-1; j>0; j--)
269 		addr[j] = (addr[j] >> 4) | (addr[j-1] << 4);
270 	      addr[0] = (addr[0] >> 4) | (strtol(cp1, NULL, 16) << 4);
271 	    }
272 
273 	  return F_IPV6;
274 	}
275     }
276 #endif
277 
278   return 0;
279 }
280 
skip_name(unsigned char * ansp,HEADER * header,size_t plen,int extrabytes)281 static unsigned char *skip_name(unsigned char *ansp, HEADER *header, size_t plen, int extrabytes)
282 {
283   while(1)
284     {
285       unsigned int label_type;
286 
287       if (!CHECK_LEN(header, ansp, plen, 1))
288 	return NULL;
289 
290       label_type = (*ansp) & 0xc0;
291 
292       if (label_type == 0xc0)
293 	{
294 	  /* pointer for compression. */
295 	  ansp += 2;
296 	  break;
297 	}
298       else if (label_type == 0x80)
299 	return NULL; /* reserved */
300       else if (label_type == 0x40)
301 	{
302 	  /* Extended label type */
303 	  unsigned int count;
304 
305 	  if (!CHECK_LEN(header, ansp, plen, 2))
306 	    return NULL;
307 
308 	  if (((*ansp++) & 0x3f) != 1)
309 	    return NULL; /* we only understand bitstrings */
310 
311 	  count = *(ansp++); /* Bits in bitstring */
312 
313 	  if (count == 0) /* count == 0 means 256 bits */
314 	    ansp += 32;
315 	  else
316 	    ansp += ((count-1)>>3)+1;
317 	}
318       else
319 	{ /* label type == 0 Bottom six bits is length */
320 	  unsigned int len = (*ansp++) & 0x3f;
321 
322 	  if (!ADD_RDLEN(header, ansp, plen, len))
323 	    return NULL;
324 
325 	  if (len == 0)
326 	    break; /* zero length label marks the end. */
327 	}
328     }
329 
330   if (!CHECK_LEN(header, ansp, plen, extrabytes))
331     return NULL;
332 
333   return ansp;
334 }
335 
skip_questions(HEADER * header,size_t plen)336 static unsigned char *skip_questions(HEADER *header, size_t plen)
337 {
338   int q;
339   unsigned char *ansp = (unsigned char *)(header+1);
340 
341   for (q = ntohs(header->qdcount); q != 0; q--)
342     {
343       if (!(ansp = skip_name(ansp, header, plen, 4)))
344 	return NULL;
345       ansp += 4; /* class and type */
346     }
347 
348   return ansp;
349 }
350 
skip_section(unsigned char * ansp,int count,HEADER * header,size_t plen)351 static unsigned char *skip_section(unsigned char *ansp, int count, HEADER *header, size_t plen)
352 {
353   int i, rdlen;
354 
355   for (i = 0; i < count; i++)
356     {
357       if (!(ansp = skip_name(ansp, header, plen, 10)))
358 	return NULL;
359       ansp += 8; /* type, class, TTL */
360       GETSHORT(rdlen, ansp);
361       if (!ADD_RDLEN(header, ansp, plen, rdlen))
362 	return NULL;
363     }
364 
365   return ansp;
366 }
367 
368 /* CRC the question section. This is used to safely detect query
369    retransmision and to detect answers to questions we didn't ask, which
370    might be poisoning attacks. Note that we decode the name rather
371    than CRC the raw bytes, since replies might be compressed differently.
372    We ignore case in the names for the same reason. Return all-ones
373    if there is not question section. */
questions_crc(HEADER * header,size_t plen,char * name)374 unsigned int questions_crc(HEADER *header, size_t plen, char *name)
375 {
376   int q;
377   unsigned int crc = 0xffffffff;
378   unsigned char *p1, *p = (unsigned char *)(header+1);
379 
380   for (q = ntohs(header->qdcount); q != 0; q--)
381     {
382       if (!extract_name(header, plen, &p, name, 1, 4))
383 	return crc; /* bad packet */
384 
385       for (p1 = (unsigned char *)name; *p1; p1++)
386 	{
387 	  int i = 8;
388 	  char c = *p1;
389 
390 	  if (c >= 'A' && c <= 'Z')
391 	    c += 'a' - 'A';
392 
393 	  crc ^= c << 24;
394 	  while (i--)
395 	    crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
396 	}
397 
398       /* CRC the class and type as well */
399       for (p1 = p; p1 < p+4; p1++)
400 	{
401 	  int i = 8;
402 	  crc ^= *p1 << 24;
403 	  while (i--)
404 	    crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
405 	}
406 
407       p += 4;
408       if (!CHECK_LEN(header, p, plen, 0))
409 	return crc; /* bad packet */
410     }
411 
412   return crc;
413 }
414 
415 
resize_packet(HEADER * header,size_t plen,unsigned char * pheader,size_t hlen)416 size_t resize_packet(HEADER *header, size_t plen, unsigned char *pheader, size_t hlen)
417 {
418   unsigned char *ansp = skip_questions(header, plen);
419 
420   /* if packet is malformed, just return as-is. */
421   if (!ansp)
422     return plen;
423 
424   if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
425 			    header, plen)))
426     return plen;
427 
428   /* restore pseudoheader */
429   if (pheader && ntohs(header->arcount) == 0)
430     {
431       /* must use memmove, may overlap */
432       memmove(ansp, pheader, hlen);
433       header->arcount = htons(1);
434       ansp += hlen;
435     }
436 
437   return ansp - (unsigned char *)header;
438 }
439 
find_pseudoheader(HEADER * header,size_t plen,size_t * len,unsigned char ** p,int * is_sign)440 unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsigned char **p, int *is_sign)
441 {
442   /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it.
443      also return length of pseudoheader in *len and pointer to the UDP size in *p
444      Finally, check to see if a packet is signed. If it is we cannot change a single bit before
445      forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
446 
447   int i, arcount = ntohs(header->arcount);
448   unsigned char *ansp = (unsigned char *)(header+1);
449   unsigned short rdlen, type, class;
450   unsigned char *ret = NULL;
451 
452   if (is_sign)
453     {
454       *is_sign = 0;
455 
456       if (header->opcode == QUERY)
457 	{
458 	  for (i = ntohs(header->qdcount); i != 0; i--)
459 	    {
460 	      if (!(ansp = skip_name(ansp, header, plen, 4)))
461 		return NULL;
462 
463 	      GETSHORT(type, ansp);
464 	      GETSHORT(class, ansp);
465 
466 	      if (class == C_IN && type == T_TKEY)
467 		*is_sign = 1;
468 	    }
469 	}
470     }
471   else
472     {
473       if (!(ansp = skip_questions(header, plen)))
474 	return NULL;
475     }
476 
477   if (arcount == 0)
478     return NULL;
479 
480   if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount), header, plen)))
481     return NULL;
482 
483   for (i = 0; i < arcount; i++)
484     {
485       unsigned char *save, *start = ansp;
486       if (!(ansp = skip_name(ansp, header, plen, 10)))
487 	return NULL;
488 
489       GETSHORT(type, ansp);
490       save = ansp;
491       GETSHORT(class, ansp);
492       ansp += 4; /* TTL */
493       GETSHORT(rdlen, ansp);
494       if (!ADD_RDLEN(header, ansp, plen, rdlen))
495 	return NULL;
496       if (type == T_OPT)
497 	{
498 	  if (len)
499 	    *len = ansp - start;
500 	  if (p)
501 	    *p = save;
502 	  ret = start;
503 	}
504       else if (is_sign &&
505 	       i == arcount - 1 &&
506 	       class == C_ANY &&
507 	       (type == T_SIG || type == T_TSIG))
508 	*is_sign = 1;
509     }
510 
511   return ret;
512 }
513 
514 
515 /* is addr in the non-globally-routed IP space? */
private_net(struct in_addr addr)516 static int private_net(struct in_addr addr)
517 {
518   in_addr_t ip_addr = ntohl(addr.s_addr);
519 
520   return
521     ((ip_addr & 0xFF000000) == 0x7F000000)  /* 127.0.0.0/8    (loopback) */ ||
522     ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
523     ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
524     ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||
525     ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ;
526 }
527 
do_doctor(unsigned char * p,int count,HEADER * header,size_t qlen)528 static unsigned char *do_doctor(unsigned char *p, int count, HEADER *header, size_t qlen)
529 {
530   int i, qtype, qclass, rdlen;
531   unsigned long ttl;
532 
533   for (i = count; i != 0; i--)
534     {
535       if (!(p = skip_name(p, header, qlen, 10)))
536 	return 0; /* bad packet */
537 
538       GETSHORT(qtype, p);
539       GETSHORT(qclass, p);
540       GETLONG(ttl, p);
541       GETSHORT(rdlen, p);
542 
543       if ((qclass == C_IN) && (qtype == T_A))
544 	{
545 	  struct doctor *doctor;
546 	  struct in_addr addr;
547 
548 	  if (!CHECK_LEN(header, p, qlen, INADDRSZ))
549 	    return 0;
550 
551 	   /* alignment */
552 	  memcpy(&addr, p, INADDRSZ);
553 
554 	  for (doctor = daemon->doctors; doctor; doctor = doctor->next)
555 	    {
556 	      if (doctor->end.s_addr == 0)
557 		{
558 		  if (!is_same_net(doctor->in, addr, doctor->mask))
559 		    continue;
560 		}
561 	      else if (ntohl(doctor->in.s_addr) > ntohl(addr.s_addr) ||
562 		       ntohl(doctor->end.s_addr) < ntohl(addr.s_addr))
563 		continue;
564 
565 	      addr.s_addr &= ~doctor->mask.s_addr;
566 	      addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
567 	      /* Since we munged the data, the server it came from is no longer authoritative */
568 	      header->aa = 0;
569 	      memcpy(p, &addr, INADDRSZ);
570 	      break;
571 	    }
572 	}
573 
574       if (!ADD_RDLEN(header, p, qlen, rdlen))
575 	 return 0; /* bad packet */
576     }
577 
578   return p;
579 }
580 
find_soa(HEADER * header,size_t qlen)581 static int find_soa(HEADER *header, size_t qlen)
582 {
583   unsigned char *p;
584   int qtype, qclass, rdlen;
585   unsigned long ttl, minttl = ULONG_MAX;
586   int i, found_soa = 0;
587 
588   /* first move to NS section and find TTL from any SOA section */
589   if (!(p = skip_questions(header, qlen)) ||
590       !(p = do_doctor(p, ntohs(header->ancount), header, qlen)))
591     return 0;  /* bad packet */
592 
593   for (i = ntohs(header->nscount); i != 0; i--)
594     {
595       if (!(p = skip_name(p, header, qlen, 10)))
596 	return 0; /* bad packet */
597 
598       GETSHORT(qtype, p);
599       GETSHORT(qclass, p);
600       GETLONG(ttl, p);
601       GETSHORT(rdlen, p);
602 
603       if ((qclass == C_IN) && (qtype == T_SOA))
604 	{
605 	  found_soa = 1;
606 	  if (ttl < minttl)
607 	    minttl = ttl;
608 
609 	  /* MNAME */
610 	  if (!(p = skip_name(p, header, qlen, 0)))
611 	    return 0;
612 	  /* RNAME */
613 	  if (!(p = skip_name(p, header, qlen, 20)))
614 	    return 0;
615 	  p += 16; /* SERIAL REFRESH RETRY EXPIRE */
616 
617 	  GETLONG(ttl, p); /* minTTL */
618 	  if (ttl < minttl)
619 	    minttl = ttl;
620 	}
621       else if (!ADD_RDLEN(header, p, qlen, rdlen))
622 	return 0; /* bad packet */
623     }
624 
625   /* rewrite addresses in additioal section too */
626   if (!do_doctor(p, ntohs(header->arcount), header, qlen))
627     return 0;
628 
629   if (!found_soa)
630     minttl = daemon->neg_ttl;
631 
632   return minttl;
633 }
634 
635 /* Note that the following code can create CNAME chains that don't point to a real record,
636    either because of lack of memory, or lack of SOA records.  These are treated by the cache code as
637    expired and cleaned out that way.
638    Return 1 if we reject an address because it look like parct of dns-rebinding attack. */
extract_addresses(HEADER * header,size_t qlen,char * name,time_t now)639 int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
640 {
641   unsigned char *p, *p1, *endrr, *namep;
642   int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
643   unsigned long ttl = 0;
644   struct all_addr addr;
645 
646   cache_start_insert();
647 
648   /* find_soa is needed for dns_doctor side-effects, so don't call it lazily if there are any. */
649   if (daemon->doctors)
650     {
651       searched_soa = 1;
652       ttl = find_soa(header, qlen);
653     }
654 
655   /* go through the questions. */
656   p = (unsigned char *)(header+1);
657 
658   for (i = ntohs(header->qdcount); i != 0; i--)
659     {
660       int found = 0, cname_count = 5;
661       struct crec *cpp = NULL;
662       int flags = header->rcode == NXDOMAIN ? F_NXDOMAIN : 0;
663       unsigned long cttl = ULONG_MAX, attl;
664 
665       namep = p;
666       if (!extract_name(header, qlen, &p, name, 1, 4))
667 	return 0; /* bad packet */
668 
669       GETSHORT(qtype, p);
670       GETSHORT(qclass, p);
671 
672       if (qclass != C_IN)
673 	continue;
674 
675       /* PTRs: we chase CNAMEs here, since we have no way to
676 	 represent them in the cache. */
677       if (qtype == T_PTR)
678 	{
679 	  int name_encoding = in_arpa_name_2_addr(name, &addr);
680 
681 	  if (!name_encoding)
682 	    continue;
683 
684 	  if (!(flags & F_NXDOMAIN))
685 	    {
686 	    cname_loop:
687 	      if (!(p1 = skip_questions(header, qlen)))
688 		return 0;
689 
690 	      for (j = ntohs(header->ancount); j != 0; j--)
691 		{
692 		  unsigned char *tmp = namep;
693 		  /* the loop body overwrites the original name, so get it back here. */
694 		  if (!extract_name(header, qlen, &tmp, name, 1, 0) ||
695 		      !(res = extract_name(header, qlen, &p1, name, 0, 10)))
696 		    return 0; /* bad packet */
697 
698 		  GETSHORT(aqtype, p1);
699 		  GETSHORT(aqclass, p1);
700 		  GETLONG(attl, p1);
701 		  GETSHORT(ardlen, p1);
702 		  endrr = p1+ardlen;
703 
704 		  /* TTL of record is minimum of CNAMES and PTR */
705 		  if (attl < cttl)
706 		    cttl = attl;
707 
708 		  if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == T_PTR))
709 		    {
710 		      if (!extract_name(header, qlen, &p1, name, 1, 0))
711 			return 0;
712 
713 		      if (aqtype == T_CNAME)
714 			{
715 			  if (!cname_count--)
716 			    return 0; /* looped CNAMES */
717 			  goto cname_loop;
718 			}
719 
720 		      cache_insert(name, &addr, now, cttl, name_encoding | F_REVERSE);
721 		      found = 1;
722 		    }
723 
724 		  p1 = endrr;
725 		  if (!CHECK_LEN(header, p1, qlen, 0))
726 		    return 0; /* bad packet */
727 		}
728 	    }
729 
730 	   if (!found && !(daemon->options & OPT_NO_NEG))
731 	    {
732 	      if (!searched_soa)
733 		{
734 		  searched_soa = 1;
735 		  ttl = find_soa(header, qlen);
736 		}
737 	      if (ttl)
738 		cache_insert(NULL, &addr, now, ttl, name_encoding | F_REVERSE | F_NEG | flags);
739 	    }
740 	}
741       else
742 	{
743 	  /* everything other than PTR */
744 	  struct crec *newc;
745 	  int addrlen;
746 
747 	  if (qtype == T_A)
748 	    {
749 	      addrlen = INADDRSZ;
750 	      flags |= F_IPV4;
751 	    }
752 #ifdef HAVE_IPV6
753 	  else if (qtype == T_AAAA)
754 	    {
755 	      addrlen = IN6ADDRSZ;
756 	      flags |= F_IPV6;
757 	    }
758 #endif
759 	  else
760 	    continue;
761 
762 	  if (!(flags & F_NXDOMAIN))
763 	    {
764 	    cname_loop1:
765 	      if (!(p1 = skip_questions(header, qlen)))
766 		return 0;
767 
768 	      for (j = ntohs(header->ancount); j != 0; j--)
769 		{
770 		  if (!(res = extract_name(header, qlen, &p1, name, 0, 10)))
771 		    return 0; /* bad packet */
772 
773 		  GETSHORT(aqtype, p1);
774 		  GETSHORT(aqclass, p1);
775 		  GETLONG(attl, p1);
776 		  GETSHORT(ardlen, p1);
777 		  endrr = p1+ardlen;
778 
779 		  if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == qtype))
780 		    {
781 		      if (aqtype == T_CNAME)
782 			{
783 			  if (!cname_count--)
784 			    return 0; /* looped CNAMES */
785 			  newc = cache_insert(name, NULL, now, attl, F_CNAME | F_FORWARD);
786 			  if (newc && cpp)
787 			    {
788 			      cpp->addr.cname.cache = newc;
789 			      cpp->addr.cname.uid = newc->uid;
790 			    }
791 
792 			  cpp = newc;
793 			  if (attl < cttl)
794 			    cttl = attl;
795 
796 			  if (!extract_name(header, qlen, &p1, name, 1, 0))
797 			    return 0;
798 			  goto cname_loop1;
799 			}
800 		      else
801 			{
802 			  found = 1;
803 
804 			  /* copy address into aligned storage */
805 			  if (!CHECK_LEN(header, p1, qlen, addrlen))
806 			    return 0; /* bad packet */
807 			  memcpy(&addr, p1, addrlen);
808 
809 			  /* check for returned address in private space */
810 			  if ((daemon->options & OPT_NO_REBIND) &&
811 			      (flags & F_IPV4) &&
812 			      private_net(addr.addr.addr4))
813 			    return 1;
814 
815 			  newc = cache_insert(name, &addr, now, attl, flags | F_FORWARD);
816 			  if (newc && cpp)
817 			    {
818 			      cpp->addr.cname.cache = newc;
819 			      cpp->addr.cname.uid = newc->uid;
820 			    }
821 			  cpp = NULL;
822 			}
823 		    }
824 
825 		  p1 = endrr;
826 		  if (!CHECK_LEN(header, p1, qlen, 0))
827 		    return 0; /* bad packet */
828 		}
829 	    }
830 
831 	  if (!found && !(daemon->options & OPT_NO_NEG))
832 	    {
833 	      if (!searched_soa)
834 		{
835 		  searched_soa = 1;
836 		  ttl = find_soa(header, qlen);
837 		}
838 	      /* If there's no SOA to get the TTL from, but there is a CNAME
839 		 pointing at this, inherit its TTL */
840 	      if (ttl || cpp)
841 		{
842 		  newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags);
843 		  if (newc && cpp)
844 		    {
845 		      cpp->addr.cname.cache = newc;
846 		      cpp->addr.cname.uid = newc->uid;
847 		    }
848 		}
849 	    }
850 	}
851     }
852 
853   /* Don't put stuff from a truncated packet into the cache, but do everything else */
854   if (!header->tc)
855     cache_end_insert();
856 
857   return 0;
858 }
859 
860 /* If the packet holds exactly one query
861    return F_IPV4 or F_IPV6  and leave the name from the query in name.
862    Abuse F_BIGNAME to indicate an NS query - yuck. */
863 
extract_request(HEADER * header,size_t qlen,char * name,unsigned short * typep)864 unsigned short extract_request(HEADER *header, size_t qlen, char *name, unsigned short *typep)
865 {
866   unsigned char *p = (unsigned char *)(header+1);
867   int qtype, qclass;
868 
869   if (typep)
870     *typep = 0;
871 
872   if (ntohs(header->qdcount) != 1 || header->opcode != QUERY)
873     return 0; /* must be exactly one query. */
874 
875   if (!extract_name(header, qlen, &p, name, 1, 4))
876     return 0; /* bad packet */
877 
878   GETSHORT(qtype, p);
879   GETSHORT(qclass, p);
880 
881   if (typep)
882     *typep = qtype;
883 
884   if (qclass == C_IN)
885     {
886       if (qtype == T_A)
887 	return F_IPV4;
888       if (qtype == T_AAAA)
889 	return F_IPV6;
890       if (qtype == T_ANY)
891 	return  F_IPV4 | F_IPV6;
892       if (qtype == T_NS || qtype == T_SOA)
893 	return F_QUERY | F_BIGNAME;
894     }
895 
896   return F_QUERY;
897 }
898 
899 
setup_reply(HEADER * header,size_t qlen,struct all_addr * addrp,unsigned short flags,unsigned long ttl)900 size_t setup_reply(HEADER *header, size_t qlen,
901 		struct all_addr *addrp, unsigned short flags, unsigned long ttl)
902 {
903   unsigned char *p = skip_questions(header, qlen);
904 
905   header->qr = 1; /* response */
906   header->aa = 0; /* authoritive */
907   header->ra = 1; /* recursion if available */
908   header->tc = 0; /* not truncated */
909   header->nscount = htons(0);
910   header->arcount = htons(0);
911   header->ancount = htons(0); /* no answers unless changed below */
912   if (flags == F_NEG)
913     header->rcode = SERVFAIL; /* couldn't get memory */
914   else if (flags == F_NOERR)
915     header->rcode = NOERROR; /* empty domain */
916   else if (flags == F_NXDOMAIN)
917     header->rcode = NXDOMAIN;
918   else if (p && flags == F_IPV4)
919     { /* we know the address */
920       header->rcode = NOERROR;
921       header->ancount = htons(1);
922       header->aa = 1;
923       add_resource_record(header, NULL, NULL, sizeof(HEADER), &p, ttl, NULL, T_A, C_IN, "4", addrp);
924     }
925 #ifdef HAVE_IPV6
926   else if (p && flags == F_IPV6)
927     {
928       header->rcode = NOERROR;
929       header->ancount = htons(1);
930       header->aa = 1;
931       add_resource_record(header, NULL, NULL, sizeof(HEADER), &p, ttl, NULL, T_AAAA, C_IN, "6", addrp);
932     }
933 #endif
934   else /* nowhere to forward to */
935     header->rcode = REFUSED;
936 
937   return p - (unsigned char *)header;
938 }
939 
940 /* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
check_for_local_domain(char * name,time_t now)941 int check_for_local_domain(char *name, time_t now)
942 {
943   struct crec *crecp;
944   struct mx_srv_record *mx;
945   struct txt_record *txt;
946   struct interface_name *intr;
947   struct ptr_record *ptr;
948 
949   if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6)) &&
950       (crecp->flags & (F_HOSTS | F_DHCP)))
951     return 1;
952 
953   for (mx = daemon->mxnames; mx; mx = mx->next)
954     if (hostname_isequal(name, mx->name))
955       return 1;
956 
957   for (txt = daemon->txt; txt; txt = txt->next)
958     if (hostname_isequal(name, txt->name))
959       return 1;
960 
961   for (intr = daemon->int_names; intr; intr = intr->next)
962     if (hostname_isequal(name, intr->name))
963       return 1;
964 
965   for (ptr = daemon->ptr; ptr; ptr = ptr->next)
966     if (hostname_isequal(name, ptr->name))
967       return 1;
968 
969   return 0;
970 }
971 
972 /* Is the packet a reply with the answer address equal to addr?
973    If so mung is into an NXDOMAIN reply and also put that information
974    in the cache. */
check_for_bogus_wildcard(HEADER * header,size_t qlen,char * name,struct bogus_addr * baddr,time_t now)975 int check_for_bogus_wildcard(HEADER *header, size_t qlen, char *name,
976 			     struct bogus_addr *baddr, time_t now)
977 {
978   unsigned char *p;
979   int i, qtype, qclass, rdlen;
980   unsigned long ttl;
981   struct bogus_addr *baddrp;
982 
983   /* skip over questions */
984   if (!(p = skip_questions(header, qlen)))
985     return 0; /* bad packet */
986 
987   for (i = ntohs(header->ancount); i != 0; i--)
988     {
989       if (!extract_name(header, qlen, &p, name, 1, 10))
990 	return 0; /* bad packet */
991 
992       GETSHORT(qtype, p);
993       GETSHORT(qclass, p);
994       GETLONG(ttl, p);
995       GETSHORT(rdlen, p);
996 
997       if (qclass == C_IN && qtype == T_A)
998 	{
999 	  if (!CHECK_LEN(header, p, qlen, INADDRSZ))
1000 	    return 0;
1001 
1002 	  for (baddrp = baddr; baddrp; baddrp = baddrp->next)
1003 	    if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
1004 	      {
1005 		/* Found a bogus address. Insert that info here, since there no SOA record
1006 		   to get the ttl from in the normal processing */
1007 		cache_start_insert();
1008 		cache_insert(name, NULL, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN | F_CONFIG);
1009 		cache_end_insert();
1010 
1011 		return 1;
1012 	      }
1013 	}
1014 
1015       if (!ADD_RDLEN(header, p, qlen, rdlen))
1016 	return 0;
1017     }
1018 
1019   return 0;
1020 }
1021 
add_resource_record(HEADER * header,char * limit,int * truncp,unsigned int nameoffset,unsigned char ** pp,unsigned long ttl,unsigned int * offset,unsigned short type,unsigned short class,char * format,...)1022 static int add_resource_record(HEADER *header, char *limit, int *truncp, unsigned int nameoffset, unsigned char **pp,
1023 			       unsigned long ttl, unsigned int *offset, unsigned short type, unsigned short class, char *format, ...)
1024 {
1025   va_list ap;
1026   unsigned char *sav, *p = *pp;
1027   int j;
1028   unsigned short usval;
1029   long lval;
1030   char *sval;
1031 
1032   if (truncp && *truncp)
1033     return 0;
1034 
1035   PUTSHORT(nameoffset | 0xc000, p);
1036   PUTSHORT(type, p);
1037   PUTSHORT(class, p);
1038   PUTLONG(ttl, p);      /* TTL */
1039 
1040   sav = p;              /* Save pointer to RDLength field */
1041   PUTSHORT(0, p);       /* Placeholder RDLength */
1042 
1043   va_start(ap, format);   /* make ap point to 1st unamed argument */
1044 
1045   for (; *format; format++)
1046     switch (*format)
1047       {
1048 #ifdef HAVE_IPV6
1049       case '6':
1050 	sval = va_arg(ap, char *);
1051 	memcpy(p, sval, IN6ADDRSZ);
1052 	p += IN6ADDRSZ;
1053 	break;
1054 #endif
1055 
1056       case '4':
1057 	sval = va_arg(ap, char *);
1058 	memcpy(p, sval, INADDRSZ);
1059 	p += INADDRSZ;
1060 	break;
1061 
1062       case 's':
1063 	usval = va_arg(ap, int);
1064 	PUTSHORT(usval, p);
1065 	break;
1066 
1067       case 'l':
1068 	lval = va_arg(ap, long);
1069 	PUTLONG(lval, p);
1070 	break;
1071 
1072       case 'd':
1073 	/* get domain-name answer arg and store it in RDATA field */
1074 	if (offset)
1075 	  *offset = p - (unsigned char *)header;
1076 	p = do_rfc1035_name(p, va_arg(ap, char *));
1077 	*p++ = 0;
1078 	break;
1079 
1080       case 't':
1081 	usval = va_arg(ap, int);
1082 	sval = va_arg(ap, char *);
1083 	memcpy(p, sval, usval);
1084 	p += usval;
1085 	break;
1086 
1087       case 'z':
1088 	sval = va_arg(ap, char *);
1089 	usval = sval ? strlen(sval) : 0;
1090 	if (usval > 255)
1091 	  usval = 255;
1092 	*p++ = (unsigned char)usval;
1093 	memcpy(p, sval, usval);
1094 	p += usval;
1095 	break;
1096       }
1097 
1098   va_end(ap);	/* clean up variable argument pointer */
1099 
1100   j = p - sav - 2;
1101   PUTSHORT(j, sav);     /* Now, store real RDLength */
1102 
1103   /* check for overflow of buffer */
1104   if (limit && ((unsigned char *)limit - p) < 0)
1105     {
1106       if (truncp)
1107 	*truncp = 1;
1108       return 0;
1109     }
1110 
1111   *pp = p;
1112   return 1;
1113 }
1114 
crec_ttl(struct crec * crecp,time_t now)1115 static unsigned long crec_ttl(struct crec *crecp, time_t now)
1116 {
1117   /* Return 0 ttl for DHCP entries, which might change
1118      before the lease expires. */
1119 
1120   if  (crecp->flags & (F_IMMORTAL | F_DHCP))
1121     return daemon->local_ttl;
1122 
1123   return crecp->ttd - now;
1124 }
1125 
1126 
1127 /* return zero if we can't answer from cache, or packet size if we can */
answer_request(HEADER * header,char * limit,size_t qlen,struct in_addr local_addr,struct in_addr local_netmask,time_t now)1128 size_t answer_request(HEADER *header, char *limit, size_t qlen,
1129 		      struct in_addr local_addr, struct in_addr local_netmask, time_t now)
1130 {
1131   char *name = daemon->namebuff;
1132   unsigned char *p, *ansp, *pheader;
1133   int qtype, qclass;
1134   struct all_addr addr;
1135   unsigned int nameoffset;
1136   unsigned short flag;
1137   int q, ans, anscount = 0, addncount = 0;
1138   int dryrun = 0, sec_reqd = 0;
1139   int is_sign;
1140   struct crec *crecp;
1141   int nxdomain = 0, auth = 1, trunc = 0;
1142   struct mx_srv_record *rec;
1143 
1144   /* If there is an RFC2671 pseudoheader then it will be overwritten by
1145      partial replies, so we have to do a dry run to see if we can answer
1146      the query. We check to see if the do bit is set, if so we always
1147      forward rather than answering from the cache, which doesn't include
1148      security information. */
1149 
1150   if (find_pseudoheader(header, qlen, NULL, &pheader, &is_sign))
1151     {
1152       unsigned short udpsz, ext_rcode, flags;
1153       unsigned char *psave = pheader;
1154 
1155       GETSHORT(udpsz, pheader);
1156       GETSHORT(ext_rcode, pheader);
1157       GETSHORT(flags, pheader);
1158 
1159       sec_reqd = flags & 0x8000; /* do bit */
1160 
1161       /* If our client is advertising a larger UDP packet size
1162 	 than we allow, trim it so that we don't get an overlarge
1163 	 response from upstream */
1164 
1165       if (!is_sign && (udpsz > daemon->edns_pktsz))
1166 	PUTSHORT(daemon->edns_pktsz, psave);
1167 
1168       dryrun = 1;
1169     }
1170 
1171   if (ntohs(header->qdcount) == 0 || header->opcode != QUERY )
1172     return 0;
1173 
1174   for (rec = daemon->mxnames; rec; rec = rec->next)
1175     rec->offset = 0;
1176 
1177  rerun:
1178   /* determine end of question section (we put answers there) */
1179   if (!(ansp = skip_questions(header, qlen)))
1180     return 0; /* bad packet */
1181 
1182   /* now process each question, answers go in RRs after the question */
1183   p = (unsigned char *)(header+1);
1184 
1185   for (q = ntohs(header->qdcount); q != 0; q--)
1186     {
1187       /* save pointer to name for copying into answers */
1188       nameoffset = p - (unsigned char *)header;
1189 
1190       /* now extract name as .-concatenated string into name */
1191       if (!extract_name(header, qlen, &p, name, 1, 4))
1192 	return 0; /* bad packet */
1193 
1194       GETSHORT(qtype, p);
1195       GETSHORT(qclass, p);
1196 
1197       ans = 0; /* have we answered this question */
1198 
1199       if (qtype == T_TXT || qtype == T_ANY)
1200 	{
1201 	  struct txt_record *t;
1202 	  for(t = daemon->txt; t ; t = t->next)
1203 	    {
1204 	      if (t->class == qclass && hostname_isequal(name, t->name))
1205 		{
1206 		  ans = 1;
1207 		  if (!dryrun)
1208 		    {
1209 		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<TXT>");
1210 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1211 					      daemon->local_ttl, NULL,
1212 					      T_TXT, t->class, "t", t->len, t->txt))
1213 			anscount++;
1214 
1215 		    }
1216 		}
1217 	    }
1218 	}
1219 
1220       if (qclass == C_IN)
1221 	{
1222 	  if (qtype == T_PTR || qtype == T_ANY)
1223 	    {
1224 	      /* see if it's w.z.y.z.in-addr.arpa format */
1225 	      int is_arpa = in_arpa_name_2_addr(name, &addr);
1226 	      struct ptr_record *ptr;
1227 	      struct interface_name* intr = NULL;
1228 
1229 	      for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1230 		if (hostname_isequal(name, ptr->name))
1231 		  break;
1232 
1233 	      if (is_arpa == F_IPV4)
1234 		for (intr = daemon->int_names; intr; intr = intr->next)
1235 		  {
1236 		    if (addr.addr.addr4.s_addr == get_ifaddr(intr->intr).s_addr)
1237 		      break;
1238 		    else
1239 		      while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
1240 			intr = intr->next;
1241 		  }
1242 
1243 	      if (intr)
1244 		{
1245 		  ans = 1;
1246 		  if (!dryrun)
1247 		    {
1248 		      log_query(F_IPV4 | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
1249 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1250 					      daemon->local_ttl, NULL,
1251 					      T_PTR, C_IN, "d", intr->name))
1252 			anscount++;
1253 		    }
1254 		}
1255 	      else if (ptr)
1256 		{
1257 		  ans = 1;
1258 		  if (!dryrun)
1259 		    {
1260 		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<PTR>");
1261 		      for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1262 			if (hostname_isequal(name, ptr->name) &&
1263 			    add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1264 						daemon->local_ttl, NULL,
1265 						T_PTR, C_IN, "d", ptr->ptr))
1266 			  anscount++;
1267 
1268 		    }
1269 		}
1270 	      else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
1271 		do
1272 		  {
1273 		    /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1274 		    if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP)))
1275 		      continue;
1276 
1277 		    if (crecp->flags & F_NEG)
1278 		      {
1279 			ans = 1;
1280 			auth = 0;
1281 			if (crecp->flags & F_NXDOMAIN)
1282 			  nxdomain = 1;
1283 			if (!dryrun)
1284 			  log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
1285 		      }
1286 		    else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd)
1287 		      {
1288 			ans = 1;
1289 			if (!(crecp->flags & (F_HOSTS | F_DHCP)))
1290 			  auth = 0;
1291 			if (!dryrun)
1292 			  {
1293 			    log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr,
1294 				      record_source(crecp->uid));
1295 
1296 			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1297 						    crec_ttl(crecp, now), NULL,
1298 						    T_PTR, C_IN, "d", cache_get_name(crecp)))
1299 			      anscount++;
1300 			  }
1301 		      }
1302 		  } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa)));
1303 	      else if (is_arpa == F_IPV4 &&
1304 		       (daemon->options & OPT_BOGUSPRIV) &&
1305 		       private_net(addr.addr.addr4))
1306 		{
1307 		  /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
1308 		  ans = 1;
1309 		  nxdomain = 1;
1310 		  if (!dryrun)
1311 		    log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN,
1312 			      name, &addr, NULL);
1313 		}
1314 	    }
1315 
1316 	  for (flag = F_IPV4; flag; flag = (flag == F_IPV4) ? F_IPV6 : 0)
1317 	    {
1318 	      unsigned short type = T_A;
1319 
1320 	      if (flag == F_IPV6)
1321 #ifdef HAVE_IPV6
1322 		type = T_AAAA;
1323 #else
1324 	        break;
1325 #endif
1326 
1327 	      if (qtype != type && qtype != T_ANY)
1328 		continue;
1329 
1330 	      /* Check for "A for A"  queries */
1331 	      if (qtype == T_A && (addr.addr.addr4.s_addr = inet_addr(name)) != (in_addr_t) -1)
1332 		{
1333 		  ans = 1;
1334 		  if (!dryrun)
1335 		    {
1336 		      log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL);
1337 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1338 					      daemon->local_ttl, NULL, type, C_IN, "4", &addr))
1339 			anscount++;
1340 		    }
1341 		  continue;
1342 		}
1343 
1344 	      /* interface name stuff */
1345 	      if (qtype == T_A)
1346 		{
1347 		  struct interface_name *intr;
1348 
1349 		  for (intr = daemon->int_names; intr; intr = intr->next)
1350 		    if (hostname_isequal(name, intr->name))
1351 		      break;
1352 
1353 		  if (intr)
1354 		    {
1355 		      ans = 1;
1356 		      if (!dryrun)
1357 			{
1358 			  if ((addr.addr.addr4 = get_ifaddr(intr->intr)).s_addr == (in_addr_t) -1)
1359 			    log_query(F_FORWARD | F_CONFIG | F_IPV4 | F_NEG, name, NULL, NULL);
1360 			  else
1361 			    {
1362 			      log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL);
1363 			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1364 						      daemon->local_ttl, NULL, type, C_IN, "4", &addr))
1365 				anscount++;
1366 			    }
1367 			}
1368 		      continue;
1369 		    }
1370 		}
1371 
1372 	    cname_restart:
1373 	      if ((crecp = cache_find_by_name(NULL, name, now, flag | F_CNAME)))
1374 		{
1375 		  int localise = 0;
1376 
1377 		  /* See if a putative address is on the network from which we recieved
1378 		     the query, is so we'll filter other answers. */
1379 		  if (local_addr.s_addr != 0 && (daemon->options & OPT_LOCALISE) && flag == F_IPV4)
1380 		    {
1381 		      struct crec *save = crecp;
1382 		      do {
1383 			if ((crecp->flags & F_HOSTS) &&
1384 			    is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask))
1385 			  {
1386 			    localise = 1;
1387 			    break;
1388 			  }
1389 			} while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME)));
1390 		      crecp = save;
1391 		    }
1392 
1393 		  do
1394 		    {
1395 		      /* don't answer wildcard queries with data not from /etc/hosts
1396 			 or DHCP leases */
1397 		      if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP)))
1398 			break;
1399 
1400 		      if (crecp->flags & F_CNAME)
1401 			{
1402 			  if (!dryrun)
1403 			    {
1404 			      log_query(crecp->flags, name, NULL, record_source(crecp->uid));
1405 			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1406 						      crec_ttl(crecp, now), &nameoffset,
1407 						      T_CNAME, C_IN, "d", cache_get_name(crecp->addr.cname.cache)))
1408 				anscount++;
1409 			    }
1410 
1411 			  strcpy(name, cache_get_name(crecp->addr.cname.cache));
1412 			  goto cname_restart;
1413 			}
1414 
1415 		      if (crecp->flags & F_NEG)
1416 			{
1417 			  ans = 1;
1418 			  auth = 0;
1419 			  if (crecp->flags & F_NXDOMAIN)
1420 			    nxdomain = 1;
1421 			  if (!dryrun)
1422 			    log_query(crecp->flags, name, NULL, NULL);
1423 			}
1424 		      else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd)
1425 			{
1426 			  /* If we are returning local answers depending on network,
1427 			     filter here. */
1428 			  if (localise &&
1429 			      (crecp->flags & F_HOSTS) &&
1430 			      !is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask))
1431 			    continue;
1432 
1433 			  if (!(crecp->flags & (F_HOSTS | F_DHCP)))
1434 			    auth = 0;
1435 
1436 			  ans = 1;
1437 			  if (!dryrun)
1438 			    {
1439 			      log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr.addr,
1440 					record_source(crecp->uid));
1441 
1442 			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1443 						      crec_ttl(crecp, now), NULL, type, C_IN,
1444 						      type == T_A ? "4" : "6", &crecp->addr))
1445 				anscount++;
1446 			    }
1447 			}
1448 		    } while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME)));
1449 		}
1450 	    }
1451 
1452 	  if (qtype == T_MX || qtype == T_ANY)
1453 	    {
1454 	      int found = 0;
1455 	      for (rec = daemon->mxnames; rec; rec = rec->next)
1456 		if (!rec->issrv && hostname_isequal(name, rec->name))
1457 		  {
1458 		  ans = found = 1;
1459 		  if (!dryrun)
1460 		    {
1461 		      unsigned int offset;
1462 		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<MX>");
1463 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
1464 					      &offset, T_MX, C_IN, "sd", rec->weight, rec->target))
1465 			{
1466 			  anscount++;
1467 			  if (rec->target)
1468 			    rec->offset = offset;
1469 			}
1470 		    }
1471 		  }
1472 
1473 	      if (!found && (daemon->options & (OPT_SELFMX | OPT_LOCALMX)) &&
1474 		  cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP))
1475 		{
1476 		  ans = 1;
1477 		  if (!dryrun)
1478 		    {
1479 		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<MX>");
1480 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL,
1481 					      T_MX, C_IN, "sd", 1,
1482 					      (daemon->options & OPT_SELFMX) ? name : daemon->mxtarget))
1483 			anscount++;
1484 		    }
1485 		}
1486 	    }
1487 
1488 	  if (qtype == T_SRV || qtype == T_ANY)
1489 	    {
1490 	      int found = 0;
1491 
1492 	      for (rec = daemon->mxnames; rec; rec = rec->next)
1493 		if (rec->issrv && hostname_isequal(name, rec->name))
1494 		  {
1495 		    found = ans = 1;
1496 		    if (!dryrun)
1497 		      {
1498 			unsigned int offset;
1499 			log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<SRV>");
1500 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
1501 						&offset, T_SRV, C_IN, "sssd",
1502 						rec->priority, rec->weight, rec->srvport, rec->target))
1503 			  {
1504 			    anscount++;
1505 			    if (rec->target)
1506 			      rec->offset = offset;
1507 			  }
1508 		      }
1509 		  }
1510 
1511 	      if (!found && (daemon->options & OPT_FILTER) &&  (qtype == T_SRV || (qtype == T_ANY && strchr(name, '_'))))
1512 		{
1513 		  ans = 1;
1514 		  if (!dryrun)
1515 		    log_query(F_CONFIG | F_NEG, name, NULL, NULL);
1516 		}
1517 	    }
1518 
1519 	  if (qtype == T_NAPTR || qtype == T_ANY)
1520 	    {
1521 	      struct naptr *na;
1522 	      for (na = daemon->naptr; na; na = na->next)
1523 		if (hostname_isequal(name, na->name))
1524 		  {
1525 		    ans = 1;
1526 		    if (!dryrun)
1527 		      {
1528 			log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<NAPTR>");
1529 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
1530 						NULL, T_NAPTR, C_IN, "sszzzd",
1531 						na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
1532 			  anscount++;
1533 		      }
1534 		  }
1535 	    }
1536 
1537 	  if (qtype == T_MAILB)
1538 	    ans = 1, nxdomain = 1;
1539 
1540 	  if (qtype == T_SOA && (daemon->options & OPT_FILTER))
1541 	    {
1542 	      ans = 1;
1543 	      if (!dryrun)
1544 		log_query(F_CONFIG | F_NEG, name, &addr, NULL);
1545 	    }
1546 	}
1547 
1548       if (!ans)
1549 	return 0; /* failed to answer a question */
1550     }
1551 
1552   if (dryrun)
1553     {
1554       dryrun = 0;
1555       goto rerun;
1556     }
1557 
1558   /* create an additional data section, for stuff in SRV and MX record replies. */
1559   for (rec = daemon->mxnames; rec; rec = rec->next)
1560     if (rec->offset != 0)
1561       {
1562 	/* squash dupes */
1563 	struct mx_srv_record *tmp;
1564 	for (tmp = rec->next; tmp; tmp = tmp->next)
1565 	  if (tmp->offset != 0 && hostname_isequal(rec->target, tmp->target))
1566 	    tmp->offset = 0;
1567 
1568 	crecp = NULL;
1569 	while ((crecp = cache_find_by_name(crecp, rec->target, now, F_IPV4 | F_IPV6)))
1570 	  {
1571 #ifdef HAVE_IPV6
1572 	    int type =  crecp->flags & F_IPV4 ? T_A : T_AAAA;
1573 #else
1574 	    int type = T_A;
1575 #endif
1576 	    if (crecp->flags & F_NEG)
1577 	      continue;
1578 
1579 	    if (add_resource_record(header, limit, NULL, rec->offset, &ansp,
1580 				    crec_ttl(crecp, now), NULL, type, C_IN,
1581 				    crecp->flags & F_IPV4 ? "4" : "6", &crecp->addr))
1582 	      addncount++;
1583 	  }
1584       }
1585 
1586   /* done all questions, set up header and return length of result */
1587   header->qr = 1; /* response */
1588   header->aa = auth; /* authoritive - only hosts and DHCP derived names. */
1589   header->ra = 1; /* recursion if available */
1590   header->tc = trunc; /* truncation */
1591   if (anscount == 0 && nxdomain)
1592     header->rcode = NXDOMAIN;
1593   else
1594     header->rcode = NOERROR; /* no error */
1595   header->ancount = htons(anscount);
1596   header->nscount = htons(0);
1597   header->arcount = htons(addncount);
1598   return ansp - (unsigned char *)header;
1599 }
1600 
1601 
1602 
1603 
1604 
1605