Tor  0.4.8.0-alpha-dev
dnsserv.c
Go to the documentation of this file.
1 /* Copyright (c) 2007-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 /**
5  * \file dnsserv.c
6  * \brief Implements client-side DNS proxy server code.
7  *
8  * When a user enables the DNSPort configuration option to have their local
9  * Tor client handle DNS requests, this module handles it. It functions as a
10  * "DNS Server" on the client side, which client applications use.
11  *
12  * Inbound DNS requests are represented as entry_connection_t here (since
13  * that's how Tor represents client-side streams), which are kept associated
14  * with an evdns_server_request structure as exposed by Libevent's
15  * evdns code.
16  *
17  * Upon receiving a DNS request, libevent calls our evdns_server_callback()
18  * function here, which causes this module to create an entry_connection_t
19  * request as appropriate. Later, when that request is answered,
20  * connection_edge.c calls dnsserv_resolved() so we can finish up and tell the
21  * DNS client.
22  **/
23 
24 #include "core/or/or.h"
25 #include "feature/client/dnsserv.h"
26 #include "app/config/config.h"
30 #include "core/mainloop/mainloop.h"
32 #include "core/or/policies.h"
33 
39 
40 #include <event2/dns.h>
41 #include <event2/dns_compat.h>
42 /* XXXX this implies we want an improved evdns */
43 #include <event2/dns_struct.h>
44 
45 /** Helper function: called by evdns whenever the client sends a request to our
46  * DNSPort. We need to eventually answer the request <b>req</b>.
47  */
48 static void
49 evdns_server_callback(struct evdns_server_request *req, void *data_)
50 {
51  const listener_connection_t *listener = data_;
52  entry_connection_t *entry_conn;
53  edge_connection_t *conn;
54  int i = 0;
55  struct evdns_server_question *q = NULL, *supported_q = NULL;
56  struct sockaddr_storage addr;
57  struct sockaddr *sa;
58  int addrlen;
59  tor_addr_t tor_addr;
60  uint16_t port;
61  int err = DNS_ERR_NONE;
62  char *q_name;
63 
64  tor_assert(req);
65 
66  log_info(LD_APP, "Got a new DNS request!");
67 
68  /* Receiving a request on the DNSPort counts as user activity. */
70 
71  req->flags |= 0x80; /* set RA */
72 
73  /* First, check whether the requesting address matches our SOCKSPolicy. */
74  if ((addrlen = evdns_server_request_get_requesting_addr(req,
75  (struct sockaddr*)&addr, (socklen_t)sizeof(addr))) < 0) {
76  log_warn(LD_APP, "Couldn't get requesting address.");
77  evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
78  return;
79  }
80  (void) addrlen;
81  sa = (struct sockaddr*) &addr;
82  if (tor_addr_from_sockaddr(&tor_addr, sa, &port)<0) {
83  log_warn(LD_APP, "Requesting address wasn't recognized.");
84  evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
85  return;
86  }
87 
88  if (!socks_policy_permits_address(&tor_addr)) {
89  log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
90  evdns_server_request_respond(req, DNS_ERR_REFUSED);
91  return;
92  }
93 
94  /* Now, let's find the first actual question of a type we can answer in this
95  * DNS request. It makes us a little noncompliant to act like this; we
96  * should fix that eventually if it turns out to make a difference for
97  * anybody. */
98  if (req->nquestions == 0) {
99  log_info(LD_APP, "No questions in DNS request; sending back nil reply.");
100  evdns_server_request_respond(req, 0);
101  return;
102  }
103  if (req->nquestions > 1) {
104  log_info(LD_APP, "Got a DNS request with more than one question; I only "
105  "handle one question at a time for now. Skipping the extras.");
106  }
107  for (i = 0; i < req->nquestions; ++i) {
108  if (req->questions[i]->dns_question_class != EVDNS_CLASS_INET)
109  continue;
110  switch (req->questions[i]->type) {
111  case EVDNS_TYPE_A:
112  case EVDNS_TYPE_AAAA:
113  case EVDNS_TYPE_PTR:
114  /* We always pick the first one of these questions, if there is
115  one. */
116  if (! supported_q)
117  supported_q = req->questions[i];
118  break;
119  default:
120  break;
121  }
122  }
123  if (supported_q)
124  q = supported_q;
125  if (!q) {
126  log_info(LD_APP, "None of the questions we got were ones we're willing "
127  "to support. Sending NOTIMPL.");
128  evdns_server_request_respond(req, DNS_ERR_NOTIMPL);
129  return;
130  }
131 
132  /* Make sure the name isn't too long: This should be impossible, I think. */
133  if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)
134  err = DNS_ERR_FORMAT;
135 
136  if (err != DNS_ERR_NONE || !supported_q) {
137  /* We got an error? There's no question we're willing to answer? Then
138  * send back an answer immediately; we're done. */
139  evdns_server_request_respond(req, err);
140  return;
141  }
142 
143  /* Make a new dummy AP connection, and attach the request to it. */
144  entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
145  conn = ENTRY_TO_EDGE_CONN(entry_conn);
146  CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
147  TO_CONN(conn)->state = AP_CONN_STATE_RESOLVE_WAIT;
148  conn->is_dns_request = 1;
149 
150  tor_addr_copy(&TO_CONN(conn)->addr, &tor_addr);
151  TO_CONN(conn)->port = port;
152  TO_CONN(conn)->address = tor_addr_to_str_dup(&tor_addr);
153 
154  if (q->type == EVDNS_TYPE_A || q->type == EVDNS_TYPE_AAAA ||
155  q->type == EVDNS_QTYPE_ALL) {
157  } else {
158  tor_assert(q->type == EVDNS_TYPE_PTR);
160  }
161 
162  /* This serves our DNS port so enable DNS request by default. */
163  entry_conn->entry_cfg.dns_request = 1;
164  if (q->type == EVDNS_TYPE_A || q->type == EVDNS_QTYPE_ALL) {
165  entry_conn->entry_cfg.ipv4_traffic = 1;
166  entry_conn->entry_cfg.ipv6_traffic = 0;
167  entry_conn->entry_cfg.prefer_ipv6 = 0;
168  } else if (q->type == EVDNS_TYPE_AAAA) {
169  entry_conn->entry_cfg.ipv4_traffic = 0;
170  entry_conn->entry_cfg.ipv6_traffic = 1;
171  entry_conn->entry_cfg.prefer_ipv6 = 1;
172  }
173 
174  strlcpy(entry_conn->socks_request->address, q->name,
175  sizeof(entry_conn->socks_request->address));
176 
177  entry_conn->socks_request->listener_type = listener->base_.type;
178  entry_conn->dns_server_request = req;
179  entry_conn->entry_cfg.isolation_flags = listener->entry_cfg.isolation_flags;
180  entry_conn->entry_cfg.session_group = listener->entry_cfg.session_group;
181  entry_conn->nym_epoch = get_signewnym_epoch();
182 
183  if (connection_add(ENTRY_TO_CONN(entry_conn)) < 0) {
184  log_warn(LD_APP, "Couldn't register dummy connection for DNS request");
185  evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
186  connection_free_(ENTRY_TO_CONN(entry_conn));
187  return;
188  }
189 
190  control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
191 
192  /* Now, unless a controller asked us to leave streams unattached,
193  * throw the connection over to get rewritten (which will
194  * answer it immediately if it's in the cache, or completely bogus, or
195  * automapped), and then attached to a circuit. */
196  log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
197  escaped_safe_str_client(q->name));
198  q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */
199  connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
200  /* Now, the connection is marked if it was bad. */
201 
202  log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
203  escaped_safe_str_client(q_name));
204  tor_free(q_name);
205 }
206 
207 /** Helper function: called whenever the client sends a resolve request to our
208  * controller. We need to eventually answer the request <b>req</b>.
209  * Returns 0 if the controller will be getting (or has gotten) an event in
210  * response; -1 if we couldn't launch the request.
211  */
212 int
213 dnsserv_launch_request(const char *name, int reverse,
214  control_connection_t *control_conn)
215 {
216  entry_connection_t *entry_conn;
217  edge_connection_t *conn;
218  char *q_name;
219 
220  /* Launching a request for a user counts as user activity. */
222 
223  /* Make a new dummy AP connection, and attach the request to it. */
224  entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
225  entry_conn->entry_cfg.dns_request = 1;
226  conn = ENTRY_TO_EDGE_CONN(entry_conn);
227  CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
228  conn->base_.state = AP_CONN_STATE_RESOLVE_WAIT;
229 
230  tor_addr_copy(&TO_CONN(conn)->addr, &control_conn->base_.addr);
231 #ifdef AF_UNIX
232  /*
233  * The control connection can be AF_UNIX and if so tor_addr_to_str_dup will
234  * unhelpfully say "<unknown address type>"; say "(Tor_internal)"
235  * instead.
236  */
237  if (control_conn->base_.socket_family == AF_UNIX) {
238  TO_CONN(conn)->port = 0;
239  TO_CONN(conn)->address = tor_strdup("(Tor_internal)");
240  } else {
241  TO_CONN(conn)->port = control_conn->base_.port;
242  TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
243  }
244 #else /* !defined(AF_UNIX) */
245  TO_CONN(conn)->port = control_conn->base_.port;
246  TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
247 #endif /* defined(AF_UNIX) */
248 
249  if (reverse)
251  else
253 
254  conn->is_dns_request = 1;
255 
256  strlcpy(entry_conn->socks_request->address, name,
257  sizeof(entry_conn->socks_request->address));
258 
260  entry_conn->original_dest_address = tor_strdup(name);
261  entry_conn->entry_cfg.session_group = SESSION_GROUP_CONTROL_RESOLVE;
262  entry_conn->nym_epoch = get_signewnym_epoch();
263  entry_conn->entry_cfg.isolation_flags = ISO_DEFAULT;
264 
265  if (connection_add(TO_CONN(conn))<0) {
266  log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
267  connection_free_(TO_CONN(conn));
268  return -1;
269  }
270 
271  control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
272 
273  /* Now, unless a controller asked us to leave streams unattached,
274  * throw the connection over to get rewritten (which will
275  * answer it immediately if it's in the cache, or completely bogus, or
276  * automapped), and then attached to a circuit. */
277  log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
279  q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */
280  connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
281  /* Now, the connection is marked if it was bad. */
282 
283  log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
284  escaped_safe_str_client(q_name));
285  tor_free(q_name);
286  return 0;
287 }
288 
289 /** If there is a pending request on <b>conn</b> that's waiting for an answer,
290  * send back an error and free the request. */
291 void
293 {
294  if (conn->dns_server_request) {
295  evdns_server_request_respond(conn->dns_server_request,
296  DNS_ERR_SERVERFAILED);
297  conn->dns_server_request = NULL;
298  }
299 }
300 
301 /** Look up the original name that corresponds to 'addr' in req. We use this
302  * to preserve case in order to facilitate clients using 0x20-hacks to avoid
303  * DNS poisoning. */
304 static const char *
305 evdns_get_orig_address(const struct evdns_server_request *req,
306  int rtype, const char *addr)
307 {
308  int i, type;
309 
310  switch (rtype) {
311  case RESOLVED_TYPE_IPV4:
312  type = EVDNS_TYPE_A;
313  break;
314  case RESOLVED_TYPE_HOSTNAME:
315  type = EVDNS_TYPE_PTR;
316  break;
317  case RESOLVED_TYPE_IPV6:
318  type = EVDNS_TYPE_AAAA;
319  break;
320  case RESOLVED_TYPE_ERROR:
321  case RESOLVED_TYPE_ERROR_TRANSIENT:
322  /* Addr doesn't matter, since we're not sending it back in the reply.*/
323  return addr;
324  default:
326  return addr;
327  }
328 
329  for (i = 0; i < req->nquestions; ++i) {
330  const struct evdns_server_question *q = req->questions[i];
331  if (q->type == type && !strcasecmp(q->name, addr))
332  return q->name;
333  }
334  return addr;
335 }
336 
337 /** Tell the dns request waiting for an answer on <b>conn</b> that we have an
338  * answer of type <b>answer_type</b> (RESOLVE_TYPE_IPV4/IPV6/ERR), of length
339  * <b>answer_len</b>, in <b>answer</b>, with TTL <b>ttl</b>. Doesn't do
340  * any caching; that's handled elsewhere. */
341 void
343  int answer_type,
344  size_t answer_len,
345  const char *answer,
346  int ttl)
347 {
348  struct evdns_server_request *req = conn->dns_server_request;
349  const char *name;
350  int err = DNS_ERR_NONE;
351  if (!req)
352  return;
353  name = evdns_get_orig_address(req, answer_type,
354  conn->socks_request->address);
355 
356  /* XXXX Re-do; this is dumb. */
357  if (ttl < 60)
358  ttl = 60;
359 
360  /* The evdns interface is: add a bunch of reply items (corresponding to one
361  * or more of the questions in the request); then, call
362  * evdns_server_request_respond. */
363  if (answer_type == RESOLVED_TYPE_IPV6) {
364  evdns_server_request_add_aaaa_reply(req,
365  name,
366  1, answer, ttl);
367  } else if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4 &&
369  evdns_server_request_add_a_reply(req,
370  name,
371  1, answer, ttl);
372  } else if (answer_type == RESOLVED_TYPE_HOSTNAME &&
373  answer_len < 256 &&
375  char *ans = tor_strndup(answer, answer_len);
376  evdns_server_request_add_ptr_reply(req, NULL,
377  name,
378  ans, ttl);
379  tor_free(ans);
380  } else if (answer_type == RESOLVED_TYPE_ERROR) {
381  err = DNS_ERR_NOTEXIST;
382  } else { /* answer_type == RESOLVED_TYPE_ERROR_TRANSIENT */
383  err = DNS_ERR_SERVERFAILED;
384  }
385 
386  evdns_server_request_respond(req, err);
387 
388  conn->dns_server_request = NULL;
389 }
390 
391 /** Set up the evdns server port for the UDP socket on <b>conn</b>, which
392  * must be an AP_DNS_LISTENER */
393 void
395 {
396  listener_connection_t *listener_conn;
397  tor_assert(conn);
398  tor_assert(SOCKET_OK(conn->s));
400 
401  listener_conn = TO_LISTENER_CONN(conn);
402  listener_conn->dns_server_port =
403  tor_evdns_add_server_port(conn->s, 0, evdns_server_callback,
404  listener_conn);
405 }
406 
407 /** Free the evdns server port for <b>conn</b>, which must be an
408  * AP_DNS_LISTENER. */
409 void
411 {
412  listener_connection_t *listener_conn;
413  tor_assert(conn);
415 
416  listener_conn = TO_LISTENER_CONN(conn);
417 
418  if (listener_conn->dns_server_port) {
419  evdns_close_server_port(listener_conn->dns_server_port);
420  listener_conn->dns_server_port = NULL;
421  }
422 }
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:933
char * tor_addr_to_str_dup(const tor_addr_t *addr)
Definition: address.c:1164
int tor_addr_from_sockaddr(tor_addr_t *a, const struct sockaddr *sa, uint16_t *port_out)
Definition: address.c:165
time_t approx_time(void)
Definition: approx_time.c:32
Header for compat_libevent.c.
const char * name
Definition: config.c:2443
const char * escaped_safe_str_client(const char *address)
Definition: config.c:1117
Header file for config.c.
listener_connection_t * TO_LISTENER_CONN(connection_t *c)
Definition: connection.c:237
entry_connection_t * entry_connection_new(int type, int socket_family)
Definition: connection.c:604
void connection_free_(connection_t *conn)
Definition: connection.c:973
Header file for connection.c.
#define CONN_TYPE_CONTROL_LISTENER
Definition: connection.h:58
#define CONN_TYPE_AP
Definition: connection.h:51
#define CONN_TYPE_AP_DNS_LISTENER
Definition: connection.h:68
int connection_ap_rewrite_and_attach_if_allowed(entry_connection_t *conn, origin_circuit_t *circ, crypt_path_t *cpath)
Header file for connection_edge.c.
#define AP_CONN_STATE_RESOLVE_WAIT
Controller connection structure.
int control_event_stream_status(entry_connection_t *conn, stream_status_event_t tp, int reason_code)
Header file for control_events.c.
void dnsserv_configure_listener(connection_t *conn)
Definition: dnsserv.c:394
static const char * evdns_get_orig_address(const struct evdns_server_request *req, int rtype, const char *addr)
Definition: dnsserv.c:305
void dnsserv_reject_request(entry_connection_t *conn)
Definition: dnsserv.c:292
static void evdns_server_callback(struct evdns_server_request *req, void *data_)
Definition: dnsserv.c:49
int dnsserv_launch_request(const char *name, int reverse, control_connection_t *control_conn)
Definition: dnsserv.c:213
void dnsserv_resolved(entry_connection_t *conn, int answer_type, size_t answer_len, const char *answer, int ttl)
Definition: dnsserv.c:342
void dnsserv_close_listener(connection_t *conn)
Definition: dnsserv.c:410
Header file for dnsserv.c.
Entry connection structure.
#define ENTRY_TO_EDGE_CONN(c)
Listener connection structure.
#define LD_APP
Definition: log.h:78
unsigned get_signewnym_epoch(void)
Definition: mainloop.c:1340
Header file for mainloop.c.
#define tor_free(p)
Definition: malloc.h:56
void note_user_activity(time_t now)
Definition: netstatus.c:63
Header for netstatus.c.
#define SOCKET_OK(s)
Definition: nettypes.h:39
Master header file for Tor-specific functionality.
#define ISO_DEFAULT
Definition: or.h:863
#define SESSION_GROUP_CONTROL_RESOLVE
Definition: or.h:870
#define TO_CONN(c)
Definition: or.h:603
#define ENTRY_TO_CONN(c)
Definition: or.h:606
int socks_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1063
Header file for policies.c.
Client request structure.
#define SOCKS_COMMAND_RESOLVE_PTR
#define SOCKS_COMMAND_RESOLVE
uint8_t state
Definition: connection_st.h:49
unsigned int type
Definition: connection_st.h:50
uint16_t port
tor_socket_t s
tor_addr_t addr
unsigned int is_dns_request
socks_request_t * socks_request
struct evdns_server_request * dns_server_request
struct evdns_server_port * dns_server_port
char address[MAX_SOCKS_ADDR_LEN]
#define tor_assert(expr)
Definition: util_bug.h:102
#define tor_fragile_assert()
Definition: util_bug.h:270