Tor 0.4.9.0-alpha-dev
dnsserv.c
Go to the documentation of this file.
1/* Copyright (c) 2007-2021, The Tor Project, Inc. */
2/* See LICENSE for licensing information */
3
4/**
5 * \file dnsserv.c
6 * \brief Implements client-side DNS proxy server code.
7 *
8 * When a user enables the DNSPort configuration option to have their local
9 * Tor client handle DNS requests, this module handles it. It functions as a
10 * "DNS Server" on the client side, which client applications use.
11 *
12 * Inbound DNS requests are represented as entry_connection_t here (since
13 * that's how Tor represents client-side streams), which are kept associated
14 * with an evdns_server_request structure as exposed by Libevent's
15 * evdns code.
16 *
17 * Upon receiving a DNS request, libevent calls our evdns_server_callback()
18 * function here, which causes this module to create an entry_connection_t
19 * request as appropriate. Later, when that request is answered,
20 * connection_edge.c calls dnsserv_resolved() so we can finish up and tell the
21 * DNS client.
22 **/
23
24#include "core/or/or.h"
26#include "app/config/config.h"
32#include "core/or/policies.h"
33
39
40#include <event2/dns.h>
41#include <event2/dns_compat.h>
42/* XXXX this implies we want an improved evdns */
43#include <event2/dns_struct.h>
44
45/** Helper function: called by evdns whenever the client sends a request to our
46 * DNSPort. We need to eventually answer the request <b>req</b>.
47 */
48static void
49evdns_server_callback(struct evdns_server_request *req, void *data_)
50{
51 const listener_connection_t *listener = data_;
52 entry_connection_t *entry_conn;
54 int i = 0;
55 struct evdns_server_question *q = NULL, *supported_q = NULL;
56 struct sockaddr_storage addr;
57 struct sockaddr *sa;
58 int addrlen;
59 tor_addr_t tor_addr;
60 uint16_t port;
61 int err = DNS_ERR_NONE;
62 char *q_name;
63
64 tor_assert(req);
65
66 log_info(LD_APP, "Got a new DNS request!");
67
68 /* Receiving a request on the DNSPort counts as user activity. */
70
71 req->flags |= 0x80; /* set RA */
72
73 /* First, check whether the requesting address matches our SOCKSPolicy. */
74 if ((addrlen = evdns_server_request_get_requesting_addr(req,
75 (struct sockaddr*)&addr, (socklen_t)sizeof(addr))) < 0) {
76 log_warn(LD_APP, "Couldn't get requesting address.");
77 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
78 return;
79 }
80 (void) addrlen;
81 sa = (struct sockaddr*) &addr;
82 if (tor_addr_from_sockaddr(&tor_addr, sa, &port)<0) {
83 log_warn(LD_APP, "Requesting address wasn't recognized.");
84 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
85 return;
86 }
87
88 if (!socks_policy_permits_address(&tor_addr)) {
89 log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
90 evdns_server_request_respond(req, DNS_ERR_REFUSED);
91 return;
92 }
93
94 /* Now, let's find the first actual question of a type we can answer in this
95 * DNS request. It makes us a little noncompliant to act like this; we
96 * should fix that eventually if it turns out to make a difference for
97 * anybody. */
98 if (req->nquestions == 0) {
99 log_info(LD_APP, "No questions in DNS request; sending back nil reply.");
100 evdns_server_request_respond(req, 0);
101 return;
102 }
103 if (req->nquestions > 1) {
104 log_info(LD_APP, "Got a DNS request with more than one question; I only "
105 "handle one question at a time for now. Skipping the extras.");
106 }
107 for (i = 0; i < req->nquestions; ++i) {
108 if (req->questions[i]->dns_question_class != EVDNS_CLASS_INET)
109 continue;
110 switch (req->questions[i]->type) {
111 case EVDNS_TYPE_A:
112 case EVDNS_TYPE_AAAA:
113 case EVDNS_TYPE_PTR:
114 /* We always pick the first one of these questions, if there is
115 one. */
116 if (! supported_q)
117 supported_q = req->questions[i];
118 break;
119 default:
120 break;
121 }
122 }
123 if (supported_q)
124 q = supported_q;
125 if (!q) {
126 log_info(LD_APP, "None of the questions we got were ones we're willing "
127 "to support. Sending NOTIMPL.");
128 evdns_server_request_respond(req, DNS_ERR_NOTIMPL);
129 return;
130 }
131
132 /* Make sure the name isn't too long: This should be impossible, I think. */
133 if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)
134 err = DNS_ERR_FORMAT;
135
136 if (err != DNS_ERR_NONE || !supported_q) {
137 /* We got an error? There's no question we're willing to answer? Then
138 * send back an answer immediately; we're done. */
139 evdns_server_request_respond(req, err);
140 return;
141 }
142
143 /* Make a new dummy AP connection, and attach the request to it. */
144 entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
145 conn = ENTRY_TO_EDGE_CONN(entry_conn);
146 CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
147 TO_CONN(conn)->state = AP_CONN_STATE_RESOLVE_WAIT;
148 conn->is_dns_request = 1;
149
150 tor_addr_copy(&TO_CONN(conn)->addr, &tor_addr);
151 TO_CONN(conn)->port = port;
152 TO_CONN(conn)->address = tor_addr_to_str_dup(&tor_addr);
153
154 if (q->type == EVDNS_TYPE_A || q->type == EVDNS_TYPE_AAAA ||
155 q->type == EVDNS_QTYPE_ALL) {
157 } else {
158 tor_assert(q->type == EVDNS_TYPE_PTR);
160 }
161
162 /* This serves our DNS port so enable DNS request by default. */
163 entry_conn->entry_cfg.dns_request = 1;
164 if (q->type == EVDNS_TYPE_A || q->type == EVDNS_QTYPE_ALL) {
165 entry_conn->entry_cfg.ipv4_traffic = 1;
166 entry_conn->entry_cfg.ipv6_traffic = 0;
167 entry_conn->entry_cfg.prefer_ipv6 = 0;
168 } else if (q->type == EVDNS_TYPE_AAAA) {
169 entry_conn->entry_cfg.ipv4_traffic = 0;
170 entry_conn->entry_cfg.ipv6_traffic = 1;
171 entry_conn->entry_cfg.prefer_ipv6 = 1;
172 }
173
174 strlcpy(entry_conn->socks_request->address, q->name,
175 sizeof(entry_conn->socks_request->address));
176
177 entry_conn->socks_request->listener_type = listener->base_.type;
178 entry_conn->dns_server_request = req;
179 entry_conn->entry_cfg.isolation_flags = listener->entry_cfg.isolation_flags;
180 entry_conn->entry_cfg.session_group = listener->entry_cfg.session_group;
181 entry_conn->nym_epoch = get_signewnym_epoch();
182
183 if (connection_add(ENTRY_TO_CONN(entry_conn)) < 0) {
184 log_warn(LD_APP, "Couldn't register dummy connection for DNS request");
185 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
186 connection_free_(ENTRY_TO_CONN(entry_conn));
187 return;
188 }
189
190 control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
191
192 /* Now, unless a controller asked us to leave streams unattached,
193 * throw the connection over to get rewritten (which will
194 * answer it immediately if it's in the cache, or completely bogus, or
195 * automapped), and then attached to a circuit. */
196 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
197 escaped_safe_str_client(q->name));
198 q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */
199 connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
200 /* Now, the connection is marked if it was bad. */
201
202 log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
204 tor_free(q_name);
205}
206
207/** Helper function: called whenever the client sends a resolve request to our
208 * controller. We need to eventually answer the request <b>req</b>.
209 * Returns 0 if the controller will be getting (or has gotten) an event in
210 * response; -1 if we couldn't launch the request.
211 */
212int
213dnsserv_launch_request(const char *name, int reverse,
214 control_connection_t *control_conn)
215{
216 entry_connection_t *entry_conn;
217 edge_connection_t *conn;
218 char *q_name;
219
220 /* Launching a request for a user counts as user activity. */
222
223 /* Make a new dummy AP connection, and attach the request to it. */
224 entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
225 entry_conn->entry_cfg.dns_request = 1;
226 conn = ENTRY_TO_EDGE_CONN(entry_conn);
227 CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
228 conn->base_.state = AP_CONN_STATE_RESOLVE_WAIT;
229
230 tor_addr_copy(&TO_CONN(conn)->addr, &control_conn->base_.addr);
231#ifdef AF_UNIX
232 /*
233 * The control connection can be AF_UNIX and if so tor_addr_to_str_dup will
234 * unhelpfully say "<unknown address type>"; say "(Tor_internal)"
235 * instead.
236 */
237 if (control_conn->base_.socket_family == AF_UNIX) {
238 TO_CONN(conn)->port = 0;
239 TO_CONN(conn)->address = tor_strdup("(Tor_internal)");
240 } else {
241 TO_CONN(conn)->port = control_conn->base_.port;
242 TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
243 }
244#else /* !defined(AF_UNIX) */
245 TO_CONN(conn)->port = control_conn->base_.port;
246 TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
247#endif /* defined(AF_UNIX) */
248
249 if (reverse)
251 else
253
254 conn->is_dns_request = 1;
255
256 strlcpy(entry_conn->socks_request->address, name,
257 sizeof(entry_conn->socks_request->address));
258
260 entry_conn->original_dest_address = tor_strdup(name);
261 entry_conn->entry_cfg.session_group = SESSION_GROUP_CONTROL_RESOLVE;
262 entry_conn->nym_epoch = get_signewnym_epoch();
263 entry_conn->entry_cfg.isolation_flags = ISO_DEFAULT;
264
265 if (connection_add(TO_CONN(conn))<0) {
266 log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
268 return -1;
269 }
270
271 control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
272
273 /* Now, unless a controller asked us to leave streams unattached,
274 * throw the connection over to get rewritten (which will
275 * answer it immediately if it's in the cache, or completely bogus, or
276 * automapped), and then attached to a circuit. */
277 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
279 q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */
280 connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
281 /* Now, the connection is marked if it was bad. */
282
283 log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
285 tor_free(q_name);
286 return 0;
287}
288
289/** If there is a pending request on <b>conn</b> that's waiting for an answer,
290 * send back an error and free the request. */
291void
293{
294 if (conn->dns_server_request) {
295 evdns_server_request_respond(conn->dns_server_request,
296 DNS_ERR_SERVERFAILED);
297 conn->dns_server_request = NULL;
298 }
299}
300
301/** Look up the original name that corresponds to 'addr' in req. We use this
302 * to preserve case in order to facilitate clients using 0x20-hacks to avoid
303 * DNS poisoning. */
304static const char *
305evdns_get_orig_address(const struct evdns_server_request *req,
306 int rtype, const char *addr)
307{
308 int i, type;
309
310 switch (rtype) {
311 case RESOLVED_TYPE_IPV4:
312 type = EVDNS_TYPE_A;
313 break;
314 case RESOLVED_TYPE_HOSTNAME:
315 type = EVDNS_TYPE_PTR;
316 break;
317 case RESOLVED_TYPE_IPV6:
318 type = EVDNS_TYPE_AAAA;
319 break;
320 case RESOLVED_TYPE_ERROR:
321 case RESOLVED_TYPE_ERROR_TRANSIENT:
322 /* Addr doesn't matter, since we're not sending it back in the reply.*/
323 return addr;
324 default:
326 return addr;
327 }
328
329 for (i = 0; i < req->nquestions; ++i) {
330 const struct evdns_server_question *q = req->questions[i];
331 if (q->type == type && !strcasecmp(q->name, addr))
332 return q->name;
333 }
334 return addr;
335}
336
337/** Tell the dns request waiting for an answer on <b>conn</b> that we have an
338 * answer of type <b>answer_type</b> (RESOLVE_TYPE_IPV4/IPV6/ERR), of length
339 * <b>answer_len</b>, in <b>answer</b>, with TTL <b>ttl</b>. Doesn't do
340 * any caching; that's handled elsewhere. */
341void
343 int answer_type,
344 size_t answer_len,
345 const char *answer,
346 int ttl)
347{
348 struct evdns_server_request *req = conn->dns_server_request;
349 const char *name;
350 int err = DNS_ERR_NONE;
351 if (!req)
352 return;
353 name = evdns_get_orig_address(req, answer_type,
354 conn->socks_request->address);
355
356 /* XXXX Re-do; this is dumb. */
357 if (ttl < 60)
358 ttl = 60;
359
360 /* The evdns interface is: add a bunch of reply items (corresponding to one
361 * or more of the questions in the request); then, call
362 * evdns_server_request_respond. */
363 if (answer_type == RESOLVED_TYPE_IPV6) {
364 evdns_server_request_add_aaaa_reply(req,
365 name,
366 1, answer, ttl);
367 } else if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4 &&
369 evdns_server_request_add_a_reply(req,
370 name,
371 1, answer, ttl);
372 } else if (answer_type == RESOLVED_TYPE_HOSTNAME &&
373 answer_len < 256 &&
375 char *ans = tor_strndup(answer, answer_len);
376 evdns_server_request_add_ptr_reply(req, NULL,
377 name,
378 ans, ttl);
379 tor_free(ans);
380 } else if (answer_type == RESOLVED_TYPE_ERROR) {
381 err = DNS_ERR_NOTEXIST;
382 } else { /* answer_type == RESOLVED_TYPE_ERROR_TRANSIENT */
383 err = DNS_ERR_SERVERFAILED;
384 }
385
386 evdns_server_request_respond(req, err);
387
388 conn->dns_server_request = NULL;
389}
390
391/** Set up the evdns server port for the UDP socket on <b>conn</b>, which
392 * must be an AP_DNS_LISTENER */
393void
395{
396 listener_connection_t *listener_conn;
397 tor_assert(conn);
398 tor_assert(SOCKET_OK(conn->s));
400
401 listener_conn = TO_LISTENER_CONN(conn);
402 listener_conn->dns_server_port =
403 tor_evdns_add_server_port(conn->s, 0, evdns_server_callback,
404 listener_conn);
405}
406
407/** Free the evdns server port for <b>conn</b>, which must be an
408 * AP_DNS_LISTENER. */
409void
411{
412 listener_connection_t *listener_conn;
413 tor_assert(conn);
415
416 listener_conn = TO_LISTENER_CONN(conn);
417
418 if (listener_conn->dns_server_port) {
419 evdns_close_server_port(listener_conn->dns_server_port);
420 listener_conn->dns_server_port = NULL;
421 }
422}
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:933
char * tor_addr_to_str_dup(const tor_addr_t *addr)
Definition: address.c:1164
int tor_addr_from_sockaddr(tor_addr_t *a, const struct sockaddr *sa, uint16_t *port_out)
Definition: address.c:165
time_t approx_time(void)
Definition: approx_time.c:32
Header for compat_libevent.c.
const char * escaped_safe_str_client(const char *address)
Definition: config.c:1136
const char * name
Definition: config.c:2462
Header file for config.c.
entry_connection_t * entry_connection_new(int type, int socket_family)
Definition: connection.c:603
void connection_free_(connection_t *conn)
Definition: connection.c:972
listener_connection_t * TO_LISTENER_CONN(connection_t *c)
Definition: connection.c:236
Header file for connection.c.
#define CONN_TYPE_CONTROL_LISTENER
Definition: connection.h:58
#define CONN_TYPE_AP
Definition: connection.h:51
#define CONN_TYPE_AP_DNS_LISTENER
Definition: connection.h:68
int connection_ap_rewrite_and_attach_if_allowed(entry_connection_t *conn, origin_circuit_t *circ, crypt_path_t *cpath)
Header file for connection_edge.c.
#define AP_CONN_STATE_RESOLVE_WAIT
Controller connection structure.
int control_event_stream_status(entry_connection_t *conn, stream_status_event_t tp, int reason_code)
Header file for control_events.c.
void dnsserv_configure_listener(connection_t *conn)
Definition: dnsserv.c:394
static const char * evdns_get_orig_address(const struct evdns_server_request *req, int rtype, const char *addr)
Definition: dnsserv.c:305
void dnsserv_reject_request(entry_connection_t *conn)
Definition: dnsserv.c:292
static void evdns_server_callback(struct evdns_server_request *req, void *data_)
Definition: dnsserv.c:49
int dnsserv_launch_request(const char *name, int reverse, control_connection_t *control_conn)
Definition: dnsserv.c:213
void dnsserv_resolved(entry_connection_t *conn, int answer_type, size_t answer_len, const char *answer, int ttl)
Definition: dnsserv.c:342
void dnsserv_close_listener(connection_t *conn)
Definition: dnsserv.c:410
Header file for dnsserv.c.
Entry connection structure.
#define ENTRY_TO_EDGE_CONN(c)
Listener connection structure.
#define LD_APP
Definition: log.h:78
unsigned get_signewnym_epoch(void)
Definition: mainloop.c:1350
Header file for mainloop.c.
#define tor_free(p)
Definition: malloc.h:56
void note_user_activity(time_t now)
Definition: netstatus.c:63
Header for netstatus.c.
#define SOCKET_OK(s)
Definition: nettypes.h:39
Master header file for Tor-specific functionality.
#define ISO_DEFAULT
Definition: or.h:875
#define SESSION_GROUP_CONTROL_RESOLVE
Definition: or.h:882
#define TO_CONN(c)
Definition: or.h:612
#define ENTRY_TO_CONN(c)
Definition: or.h:615
int socks_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1063
Header file for policies.c.
Client request structure.
#define SOCKS_COMMAND_RESOLVE_PTR
#define SOCKS_COMMAND_RESOLVE
uint8_t state
Definition: connection_st.h:49
unsigned int type
Definition: connection_st.h:50
uint16_t port
tor_socket_t s
tor_addr_t addr
unsigned int is_dns_request
socks_request_t * socks_request
struct evdns_server_request * dns_server_request
struct evdns_server_port * dns_server_port
char address[MAX_SOCKS_ADDR_LEN]
#define tor_assert(expr)
Definition: util_bug.h:103
#define tor_fragile_assert()
Definition: util_bug.h:278