doc/tor/dnsserv_8c_source.html

 /* Copyright (c) 2007-2021, The Tor Project, Inc. */

 /* See LICENSE for licensing information */


 /**

  * \file dnsserv.c

  * \brief Implements client-side DNS proxy server code.

  *

  * When a user enables the DNSPort configuration option to have their local

  * Tor client handle DNS requests, this module handles it.  It functions as a

  * "DNS Server" on the client side, which client applications use.

  *

  * Inbound DNS requests are represented as entry_connection_t here (since

  * that's how Tor represents client-side streams), which are kept associated

  * with an evdns_server_request structure as exposed by Libevent's

  * evdns code.

  *

  * Upon receiving a DNS request, libevent calls our evdns_server_callback()

  * function here, which causes this module to create an entry_connection_t

  * request as appropriate.  Later, when that request is answered,

  * connection_edge.c calls dnsserv_resolved() so we can finish up and tell the

  * DNS client.

  **/


 #include "core/or/or.h"

 #include "feature/client/dnsserv.h"

 #include "app/config/config.h"

 #include "core/mainloop/connection.h"

 #include "core/or/connection_edge.h"

 #include "feature/control/control_events.h"

 #include "core/mainloop/mainloop.h"

 #include "core/mainloop/netstatus.h"

 #include "core/or/policies.h"


 #include "feature/control/control_connection_st.h"

 #include "core/or/entry_connection_st.h"

 #include "core/or/listener_connection_st.h"

 #include "core/or/socks_request_st.h"

 #include "lib/evloop/compat_libevent.h"


 #include <event2/dns.h>

 #include <event2/dns_compat.h>

 /* XXXX this implies we want an improved evdns  */

 #include <event2/dns_struct.h>


 /** Helper function: called by evdns whenever the client sends a request to our

  * DNSPort.  We need to eventually answer the request <b>req</b>.

  */

 static void

 evdns_server_callback(struct evdns_server_request *req, void *data_)

 {

   const listener_connection_t *listener = data_;

   entry_connection_t *entry_conn;

   edge_connection_t *conn;

   int i = 0;

   struct evdns_server_question *q = NULL, *supported_q = NULL;

   struct sockaddr_storage addr;

   struct sockaddr *sa;

   int addrlen;

   tor_addr_t tor_addr;

   uint16_t port;

   int err = DNS_ERR_NONE;

   char *q_name;


   tor_assert(req);


   log_info(LD_APP, "Got a new DNS request!");


   /* Receiving a request on the DNSPort counts as user activity. */

   note_user_activity(approx_time());


   req->flags |= 0x80; /* set RA */


   /* First, check whether the requesting address matches our SOCKSPolicy. */

   if ((addrlen = evdns_server_request_get_requesting_addr(req,

                       (struct sockaddr*)&addr, (socklen_t)sizeof(addr))) < 0) {

     log_warn(LD_APP, "Couldn't get requesting address.");

     evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);

     return;

   }

   (void) addrlen;

   sa = (struct sockaddr*) &addr;

   if (tor_addr_from_sockaddr(&tor_addr, sa, &port)<0) {

     log_warn(LD_APP, "Requesting address wasn't recognized.");

     evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);

     return;

   }


   if (!socks_policy_permits_address(&tor_addr)) {

     log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");

     evdns_server_request_respond(req, DNS_ERR_REFUSED);

     return;

   }


   /* Now, let's find the first actual question of a type we can answer in this

    * DNS request.  It makes us a little noncompliant to act like this; we

    * should fix that eventually if it turns out to make a difference for

    * anybody. */

   if (req->nquestions == 0) {

     log_info(LD_APP, "No questions in DNS request; sending back nil reply.");

     evdns_server_request_respond(req, 0);

     return;

   }

   if (req->nquestions > 1) {

     log_info(LD_APP, "Got a DNS request with more than one question; I only "

              "handle one question at a time for now.  Skipping the extras.");

   }

   for (i = 0; i < req->nquestions; ++i) {

     if (req->questions[i]->dns_question_class != EVDNS_CLASS_INET)

       continue;

     switch (req->questions[i]->type) {

       case EVDNS_TYPE_A:

       case EVDNS_TYPE_AAAA:

       case EVDNS_TYPE_PTR:

         /* We always pick the first one of these questions, if there is

            one. */

         if (! supported_q)

           supported_q = req->questions[i];

         break;

       default:

         break;

       }

   }

   if (supported_q)

     q = supported_q;

   if (!q) {

     log_info(LD_APP, "None of the questions we got were ones we're willing "

              "to support. Sending NOTIMPL.");

     evdns_server_request_respond(req, DNS_ERR_NOTIMPL);

     return;

   }


   /* Make sure the name isn't too long: This should be impossible, I think. */

   if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)

     err = DNS_ERR_FORMAT;


   if (err != DNS_ERR_NONE || !supported_q) {

     /* We got an error?  There's no question we're willing to answer? Then

      * send back an answer immediately; we're done. */

     evdns_server_request_respond(req, err);

     return;

   }


   /* Make a new dummy AP connection, and attach the request to it. */

   entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);

   conn = ENTRY_TO_EDGE_CONN(entry_conn);

   CONNECTION_AP_EXPECT_NONPENDING(entry_conn);

   TO_CONN(conn)->state = AP_CONN_STATE_RESOLVE_WAIT;

   conn->is_dns_request = 1;


   tor_addr_copy(&TO_CONN(conn)->addr, &tor_addr);

   TO_CONN(conn)->port = port;

   TO_CONN(conn)->address = tor_addr_to_str_dup(&tor_addr);


   if (q->type == EVDNS_TYPE_A || q->type == EVDNS_TYPE_AAAA ||

       q->type == EVDNS_QTYPE_ALL) {

     entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;

   } else {

     tor_assert(q->type == EVDNS_TYPE_PTR);

     entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;

   }


   /* This serves our DNS port so enable DNS request by default. */

   entry_conn->entry_cfg.dns_request = 1;

   if (q->type == EVDNS_TYPE_A || q->type == EVDNS_QTYPE_ALL) {

     entry_conn->entry_cfg.ipv4_traffic = 1;

     entry_conn->entry_cfg.ipv6_traffic = 0;

     entry_conn->entry_cfg.prefer_ipv6 = 0;

   } else if (q->type == EVDNS_TYPE_AAAA) {

     entry_conn->entry_cfg.ipv4_traffic = 0;

     entry_conn->entry_cfg.ipv6_traffic = 1;

     entry_conn->entry_cfg.prefer_ipv6 = 1;

   }


   strlcpy(entry_conn->socks_request->address, q->name,

           sizeof(entry_conn->socks_request->address));


   entry_conn->socks_request->listener_type = listener->base_.type;

   entry_conn->dns_server_request = req;

   entry_conn->entry_cfg.isolation_flags = listener->entry_cfg.isolation_flags;

   entry_conn->entry_cfg.session_group = listener->entry_cfg.session_group;

   entry_conn->nym_epoch = get_signewnym_epoch();


   if (connection_add(ENTRY_TO_CONN(entry_conn)) < 0) {

     log_warn(LD_APP, "Couldn't register dummy connection for DNS request");

     evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);

     connection_free_(ENTRY_TO_CONN(entry_conn));

     return;

   }


   control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);


   /* Now, unless a controller asked us to leave streams unattached,

   * throw the connection over to get rewritten (which will

   * answer it immediately if it's in the cache, or completely bogus, or

   * automapped), and then attached to a circuit. */

   log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",

            escaped_safe_str_client(q->name));

   q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */

   connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);

   /* Now, the connection is marked if it was bad. */


   log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",

            escaped_safe_str_client(q_name));

   tor_free(q_name);

 }


 /** Helper function: called whenever the client sends a resolve request to our

  * controller.  We need to eventually answer the request <b>req</b>.

  * Returns 0 if the controller will be getting (or has gotten) an event in

  * response; -1 if we couldn't launch the request.

  */

 int

 dnsserv_launch_request(const char *name, int reverse,

                        control_connection_t *control_conn)

 {

   entry_connection_t *entry_conn;

   edge_connection_t *conn;

   char *q_name;


   /* Launching a request for a user counts as user activity. */

   note_user_activity(approx_time());


   /* Make a new dummy AP connection, and attach the request to it. */

   entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);

   entry_conn->entry_cfg.dns_request = 1;

   conn = ENTRY_TO_EDGE_CONN(entry_conn);

   CONNECTION_AP_EXPECT_NONPENDING(entry_conn);

   conn->base_.state = AP_CONN_STATE_RESOLVE_WAIT;


   tor_addr_copy(&TO_CONN(conn)->addr, &control_conn->base_.addr);

 #ifdef AF_UNIX

   /*

    * The control connection can be AF_UNIX and if so tor_addr_to_str_dup will

    * unhelpfully say "<unknown address type>"; say "(Tor_internal)"

    * instead.

    */

   if (control_conn->base_.socket_family == AF_UNIX) {

     TO_CONN(conn)->port = 0;

     TO_CONN(conn)->address = tor_strdup("(Tor_internal)");

   } else {

     TO_CONN(conn)->port = control_conn->base_.port;

     TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);

   }

 #else /* !defined(AF_UNIX) */

   TO_CONN(conn)->port = control_conn->base_.port;

   TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);

 #endif /* defined(AF_UNIX) */


   if (reverse)

     entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;

   else

     entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;


   conn->is_dns_request = 1;


   strlcpy(entry_conn->socks_request->address, name,

           sizeof(entry_conn->socks_request->address));


   entry_conn->socks_request->listener_type = CONN_TYPE_CONTROL_LISTENER;

   entry_conn->original_dest_address = tor_strdup(name);

   entry_conn->entry_cfg.session_group = SESSION_GROUP_CONTROL_RESOLVE;

   entry_conn->nym_epoch = get_signewnym_epoch();

   entry_conn->entry_cfg.isolation_flags = ISO_DEFAULT;


   if (connection_add(TO_CONN(conn))<0) {

     log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");

     connection_free_(TO_CONN(conn));

     return -1;

   }


   control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);


   /* Now, unless a controller asked us to leave streams unattached,

   * throw the connection over to get rewritten (which will

   * answer it immediately if it's in the cache, or completely bogus, or

   * automapped), and then attached to a circuit. */

   log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",

            escaped_safe_str_client(name));

   q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */

   connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);

   /* Now, the connection is marked if it was bad. */


   log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",

            escaped_safe_str_client(q_name));

   tor_free(q_name);

   return 0;

 }


 /** If there is a pending request on <b>conn</b> that's waiting for an answer,

  * send back an error and free the request. */

 void

 dnsserv_reject_request(entry_connection_t *conn)

 {

   if (conn->dns_server_request) {

     evdns_server_request_respond(conn->dns_server_request,

                                  DNS_ERR_SERVERFAILED);

     conn->dns_server_request = NULL;

   }

 }


 /** Look up the original name that corresponds to 'addr' in req.  We use this

  * to preserve case in order to facilitate clients using 0x20-hacks to avoid

  * DNS poisoning. */

 static const char *

 evdns_get_orig_address(const struct evdns_server_request *req,

                        int rtype, const char *addr)

 {

   int i, type;


   switch (rtype) {

   case RESOLVED_TYPE_IPV4:

     type = EVDNS_TYPE_A;

     break;

   case RESOLVED_TYPE_HOSTNAME:

     type = EVDNS_TYPE_PTR;

     break;

   case RESOLVED_TYPE_IPV6:

     type = EVDNS_TYPE_AAAA;

     break;

   case RESOLVED_TYPE_ERROR:

   case RESOLVED_TYPE_ERROR_TRANSIENT:

      /* Addr doesn't matter, since we're not sending it back in the reply.*/

     return addr;

   default:

     tor_fragile_assert();

     return addr;

   }


   for (i = 0; i < req->nquestions; ++i) {

     const struct evdns_server_question *q = req->questions[i];

     if (q->type == type && !strcasecmp(q->name, addr))

       return q->name;

   }

   return addr;

 }


 /** Tell the dns request waiting for an answer on <b>conn</b> that we have an

  * answer of type <b>answer_type</b> (RESOLVE_TYPE_IPV4/IPV6/ERR), of length

  * <b>answer_len</b>, in <b>answer</b>, with TTL <b>ttl</b>.  Doesn't do

  * any caching; that's handled elsewhere. */

 void

 dnsserv_resolved(entry_connection_t *conn,

                  int answer_type,

                  size_t answer_len,

                  const char *answer,

                  int ttl)

 {

   struct evdns_server_request *req = conn->dns_server_request;

   const char *name;

   int err = DNS_ERR_NONE;

   if (!req)

     return;

   name = evdns_get_orig_address(req, answer_type,

                                 conn->socks_request->address);


   /* XXXX Re-do; this is dumb. */

   if (ttl < 60)

     ttl = 60;


   /* The evdns interface is: add a bunch of reply items (corresponding to one

    * or more of the questions in the request); then, call

    * evdns_server_request_respond. */

   if (answer_type == RESOLVED_TYPE_IPV6) {

     evdns_server_request_add_aaaa_reply(req,

                                         name,

                                         1, answer, ttl);

   } else if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4 &&

              conn->socks_request->command == SOCKS_COMMAND_RESOLVE) {

     evdns_server_request_add_a_reply(req,

                                      name,

                                      1, answer, ttl);

   } else if (answer_type == RESOLVED_TYPE_HOSTNAME &&

              answer_len < 256 &&

              conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) {

     char *ans = tor_strndup(answer, answer_len);

     evdns_server_request_add_ptr_reply(req, NULL,

                                        name,

                                        ans, ttl);

     tor_free(ans);

   } else if (answer_type == RESOLVED_TYPE_ERROR) {

     err = DNS_ERR_NOTEXIST;

   } else { /* answer_type == RESOLVED_TYPE_ERROR_TRANSIENT */

     err = DNS_ERR_SERVERFAILED;

   }


   evdns_server_request_respond(req, err);


   conn->dns_server_request = NULL;

 }


 /** Set up the evdns server port for the UDP socket on <b>conn</b>, which

  * must be an AP_DNS_LISTENER */

 void

 dnsserv_configure_listener(connection_t *conn)

 {

   listener_connection_t *listener_conn;

   tor_assert(conn);

   tor_assert(SOCKET_OK(conn->s));

   tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);


   listener_conn = TO_LISTENER_CONN(conn);

   listener_conn->dns_server_port =

     tor_evdns_add_server_port(conn->s, 0, evdns_server_callback,

                               listener_conn);

 }


 /** Free the evdns server port for <b>conn</b>, which must be an

  * AP_DNS_LISTENER. */

 void

 dnsserv_close_listener(connection_t *conn)

 {

   listener_connection_t *listener_conn;

   tor_assert(conn);

   tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);


   listener_conn = TO_LISTENER_CONN(conn);


   if (listener_conn->dns_server_port) {

     evdns_close_server_port(listener_conn->dns_server_port);

     listener_conn->dns_server_port = NULL;

   }

 }

tor_addr_copy
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:933

tor_addr_to_str_dup
char * tor_addr_to_str_dup(const tor_addr_t *addr)
Definition: address.c:1164

tor_addr_from_sockaddr
int tor_addr_from_sockaddr(tor_addr_t *a, const struct sockaddr *sa, uint16_t *port_out)
Definition: address.c:165

approx_time
time_t approx_time(void)
Definition: approx_time.c:32

compat_libevent.h
Header for compat_libevent.c.

name
const char * name
Definition: config.c:2443

escaped_safe_str_client
const char * escaped_safe_str_client(const char *address)
Definition: config.c:1117

config.h
Header file for config.c.

TO_LISTENER_CONN
listener_connection_t * TO_LISTENER_CONN(connection_t *c)
Definition: connection.c:237

entry_connection_new
entry_connection_t * entry_connection_new(int type, int socket_family)
Definition: connection.c:604

connection_free_
void connection_free_(connection_t *conn)
Definition: connection.c:973

connection.h
Header file for connection.c.

CONN_TYPE_CONTROL_LISTENER
#define CONN_TYPE_CONTROL_LISTENER
Definition: connection.h:58

CONN_TYPE_AP
#define CONN_TYPE_AP
Definition: connection.h:51

CONN_TYPE_AP_DNS_LISTENER
#define CONN_TYPE_AP_DNS_LISTENER
Definition: connection.h:68

connection_ap_rewrite_and_attach_if_allowed
int connection_ap_rewrite_and_attach_if_allowed(entry_connection_t *conn, origin_circuit_t *circ, crypt_path_t *cpath)
Definition: connection_edge.c:1754

connection_edge.h
Header file for connection_edge.c.

AP_CONN_STATE_RESOLVE_WAIT
#define AP_CONN_STATE_RESOLVE_WAIT
Definition: connection_edge.h:53

control_connection_st.h
Controller connection structure.

control_event_stream_status
int control_event_stream_status(entry_connection_t *conn, stream_status_event_t tp, int reason_code)
Definition: control_events.c:789

control_events.h
Header file for control_events.c.

dnsserv_configure_listener
void dnsserv_configure_listener(connection_t *conn)
Definition: dnsserv.c:394

evdns_get_orig_address
static const char * evdns_get_orig_address(const struct evdns_server_request *req, int rtype, const char *addr)
Definition: dnsserv.c:305

dnsserv_reject_request
void dnsserv_reject_request(entry_connection_t *conn)
Definition: dnsserv.c:292

evdns_server_callback
static void evdns_server_callback(struct evdns_server_request *req, void *data_)
Definition: dnsserv.c:49

dnsserv_launch_request
int dnsserv_launch_request(const char *name, int reverse, control_connection_t *control_conn)
Definition: dnsserv.c:213

dnsserv_resolved
void dnsserv_resolved(entry_connection_t *conn, int answer_type, size_t answer_len, const char *answer, int ttl)
Definition: dnsserv.c:342

dnsserv_close_listener
void dnsserv_close_listener(connection_t *conn)
Definition: dnsserv.c:410

dnsserv.h
Header file for dnsserv.c.

entry_connection_st.h
Entry connection structure.

ENTRY_TO_EDGE_CONN
#define ENTRY_TO_EDGE_CONN(c)
Definition: entry_connection_st.h:102

listener_connection_st.h
Listener connection structure.

LD_APP
#define LD_APP
Definition: log.h:78

get_signewnym_epoch
unsigned get_signewnym_epoch(void)
Definition: mainloop.c:1340

mainloop.h
Header file for mainloop.c.

tor_free
#define tor_free(p)
Definition: malloc.h:56

note_user_activity
void note_user_activity(time_t now)
Definition: netstatus.c:63

netstatus.h
Header for netstatus.c.

SOCKET_OK
#define SOCKET_OK(s)
Definition: nettypes.h:39

or.h
Master header file for Tor-specific functionality.

ISO_DEFAULT
#define ISO_DEFAULT
Definition: or.h:863

SESSION_GROUP_CONTROL_RESOLVE
#define SESSION_GROUP_CONTROL_RESOLVE
Definition: or.h:870

TO_CONN
#define TO_CONN(c)
Definition: or.h:603

ENTRY_TO_CONN
#define ENTRY_TO_CONN(c)
Definition: or.h:606

socks_policy_permits_address
int socks_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1063

policies.h
Header file for policies.c.

socks_request_st.h
Client request structure.

SOCKS_COMMAND_RESOLVE_PTR
#define SOCKS_COMMAND_RESOLVE_PTR
Definition: socks_request_st.h:27

SOCKS_COMMAND_RESOLVE
#define SOCKS_COMMAND_RESOLVE
Definition: socks_request_st.h:25

connection_t
Definition: connection_st.h:45

connection_t::state
uint8_t state
Definition: connection_st.h:49

connection_t::type
unsigned int type
Definition: connection_st.h:50

connection_t::port
uint16_t port
Definition: connection_st.h:150

connection_t::socket_family
int socket_family
Definition: connection_st.h:115

connection_t::s
tor_socket_t s
Definition: connection_st.h:100

connection_t::addr
tor_addr_t addr
Definition: connection_st.h:149

control_connection_t
Definition: control_connection_st.h:19

edge_connection_t
Definition: edge_connection_st.h:22

edge_connection_t::is_dns_request
unsigned int is_dns_request
Definition: edge_connection_st.h:61

entry_connection_t
Definition: entry_connection_st.h:19

entry_connection_t::nym_epoch
unsigned nym_epoch
Definition: entry_connection_st.h:33

entry_connection_t::socks_request
socks_request_t * socks_request
Definition: entry_connection_st.h:27

entry_connection_t::dns_server_request
struct evdns_server_request * dns_server_request
Definition: entry_connection_st.h:58

entry_connection_t::original_dest_address
char * original_dest_address
Definition: entry_connection_st.h:36

entry_port_cfg_t::isolation_flags
uint8_t isolation_flags
Definition: entry_port_cfg_st.h:20

entry_port_cfg_t::session_group
int session_group
Definition: entry_port_cfg_st.h:21

listener_connection_t
Definition: listener_connection_st.h:18

listener_connection_t::dns_server_port
struct evdns_server_port * dns_server_port
Definition: listener_connection_st.h:23

socks_request_t::command
uint8_t command
Definition: socks_request_st.h:47

socks_request_t::listener_type
uint8_t listener_type
Definition: socks_request_st.h:49

socks_request_t::address
char address[MAX_SOCKS_ADDR_LEN]
Definition: socks_request_st.h:57

tor_addr_t
Definition: address.h:69

tor_assert
#define tor_assert(expr)
Definition: util_bug.h:102

tor_fragile_assert
#define tor_fragile_assert()
Definition: util_bug.h:270