projects / exim.git / blob
? search:


33520183b22fe90067a946207775aafd12ec9806
[exim.git] / src / src / dns.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for interfacing with the DNS. */
9
10 #include "exim.h"
11
12
13
14 /*************************************************
15 * Fake DNS resolver *
16 *************************************************/
17
18 /* This function is called instead of res_search() when Exim is running in its
19 test harness. It recognizes some special domain names, and uses them to force
20 failure and retry responses (optionally with a delay). Otherwise, it calls an
21 external utility that mocks-up a nameserver, if it can find the utility.
22 If not, it passes its arguments on to res_search(). The fake nameserver may
23 also return a code specifying that the name should be passed on.
24
25 Background: the original test suite required a real nameserver to carry the
26 test zones, whereas the new test suite has the fake server for portability. This
27 code supports both.
28
29 Arguments:
30 domain the domain name
31 type the DNS record type
32 answerptr where to put the answer
33 size size of the answer area
34
35 Returns: length of returned data, or -1 on error (h_errno set)
36 */
37
38 static int
39 fakens_search(const uschar *domain, int type, uschar *answerptr, int size)
40 {
41 int len = Ustrlen(domain);
42 int asize = size; /* Locally modified */
43 uschar *endname;
44 uschar name[256];
45 uschar utilname[256];
46 uschar *aptr = answerptr; /* Locally modified */
47 struct stat statbuf;
48
49 /* Remove terminating dot. */
50
51 if (domain[len - 1] == '.') len--;
52 Ustrncpy(name, domain, len);
53 name[len] = 0;
54 endname = name + len;
55
56 /* This code, for forcing TRY_AGAIN and NO_RECOVERY, is here so that it works
57 for the old test suite that uses a real nameserver. When the old test suite is
58 eventually abandoned, this code could be moved into the fakens utility. */
59
60 if (len >= 14 && Ustrcmp(endname - 14, "test.again.dns") == 0)
61 {
62 int delay = Uatoi(name); /* digits at the start of the name */
63 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
64 name, dns_text_type(type));
65 if (delay > 0)
66 {
67 DEBUG(D_dns) debug_printf("delaying %d seconds\n", delay);
68 sleep(delay);
69 }
70 h_errno = TRY_AGAIN;
71 return -1;
72 }
73
74 if (len >= 13 && Ustrcmp(endname - 13, "test.fail.dns") == 0)
75 {
76 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
77 name, dns_text_type(type));
78 h_errno = NO_RECOVERY;
79 return -1;
80 }
81
82 /* Look for the fakens utility, and if it exists, call it. */
83
84 (void)string_format(utilname, sizeof(utilname), "%s/bin/fakens",
85 config_main_directory);
86
87 if (stat(CS utilname, &statbuf) >= 0)
88 {
89 pid_t pid;
90 int infd, outfd, rc;
91 uschar *argv[5];
92
93 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n", name, dns_text_type(type));
94
95 argv[0] = utilname;
96 argv[1] = config_main_directory;
97 argv[2] = name;
98 argv[3] = dns_text_type(type);
99 argv[4] = NULL;
100
101 pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE);
102 if (pid < 0)
103 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to run fakens: %s",
104 strerror(errno));
105
106 len = 0;
107 rc = -1;
108 while (asize > 0 && (rc = read(outfd, aptr, asize)) > 0)
109 {
110 len += rc;
111 aptr += rc; /* Don't modify the actual arguments, because they */
112 asize -= rc; /* may need to be passed on to res_search(). */
113 }
114
115 if (rc < 0)
116 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "read from fakens failed: %s",
117 strerror(errno));
118
119 switch(child_close(pid, 0))
120 {
121 case 0: return len;
122 case 1: h_errno = HOST_NOT_FOUND; return -1;
123 case 2: h_errno = TRY_AGAIN; return -1;
124 default:
125 case 3: h_errno = NO_RECOVERY; return -1;
126 case 4: h_errno = NO_DATA; return -1;
127 case 5: /* Pass on to res_search() */
128 DEBUG(D_dns) debug_printf("fakens returned PASS_ON\n");
129 }
130 }
131 else
132 {
133 DEBUG(D_dns) debug_printf("fakens (%s) not found\n", utilname);
134 }
135
136 /* fakens utility not found, or it returned "pass on" */
137
138 DEBUG(D_dns) debug_printf("passing %s on to res_search()\n", domain);
139
140 return res_search(CS domain, C_IN, type, answerptr, size);
141 }
142
143
144
145 /*************************************************
146 * Initialize and configure resolver *
147 *************************************************/
148
149 /* Initialize the resolver and the storage for holding DNS answers if this is
150 the first time we have been here, and set the resolver options.
151
152 Arguments:
153 qualify_single TRUE to set the RES_DEFNAMES option
154 search_parents TRUE to set the RES_DNSRCH option
155 use_dnssec TRUE to set the RES_USE_DNSSEC option
156
157 Returns: nothing
158 */
159
160 void
161 dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec)
162 {
163 res_state resp = os_get_dns_resolver_res();
164
165 if ((resp->options & RES_INIT) == 0)
166 {
167 DEBUG(D_resolver) resp->options |= RES_DEBUG; /* For Cygwin */
168 os_put_dns_resolver_res(resp);
169 res_init();
170 DEBUG(D_resolver) resp->options |= RES_DEBUG;
171 os_put_dns_resolver_res(resp);
172 }
173
174 resp->options &= ~(RES_DNSRCH | RES_DEFNAMES);
175 resp->options |= (qualify_single? RES_DEFNAMES : 0) |
176 (search_parents? RES_DNSRCH : 0);
177 if (dns_retrans > 0) resp->retrans = dns_retrans;
178 if (dns_retry > 0) resp->retry = dns_retry;
179
180 #ifdef RES_USE_EDNS0
181 if (dns_use_edns0 >= 0)
182 {
183 if (dns_use_edns0)
184 resp->options |= RES_USE_EDNS0;
185 else
186 resp->options &= ~RES_USE_EDNS0;
187 DEBUG(D_resolver)
188 debug_printf("Coerced resolver EDNS0 support %s.\n",
189 dns_use_edns0 ? "on" : "off");
190 }
191 #else
192 if (dns_use_edns0 >= 0)
193 DEBUG(D_resolver)
194 debug_printf("Unable to %sset EDNS0 without resolver support.\n",
195 dns_use_edns0 ? "" : "un");
196 #endif
197
198 #ifndef DISABLE_DNSSEC
199 # ifdef RES_USE_DNSSEC
200 # ifndef RES_USE_EDNS0
201 # error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
202 # endif
203 if (use_dnssec)
204 resp->options |= RES_USE_DNSSEC;
205 if (dns_dnssec_ok >= 0)
206 {
207 if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
208 {
209 DEBUG(D_resolver)
210 debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
211 }
212 else
213 {
214 if (dns_dnssec_ok)
215 resp->options |= RES_USE_DNSSEC;
216 else
217 resp->options &= ~RES_USE_DNSSEC;
218 DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
219 dns_dnssec_ok ? "on" : "off");
220 }
221 }
222 # else
223 if (dns_dnssec_ok >= 0)
224 DEBUG(D_resolver)
225 debug_printf("Unable to %sset DNSSEC without resolver support.\n",
226 dns_dnssec_ok ? "" : "un");
227 if (use_dnssec)
228 DEBUG(D_resolver)
229 debug_printf("Unable to set DNSSEC without resolver support.\n");
230 # endif
231 #endif /* DISABLE_DNSSEC */
232
233 os_put_dns_resolver_res(resp);
234 }
235
236
237
238 /*************************************************
239 * Build key name for PTR records *
240 *************************************************/
241
242 /* This function inverts an IP address and adds the relevant domain, to produce
243 a name that can be used to look up PTR records.
244
245 Arguments:
246 string the IP address as a string
247 buffer a suitable buffer, long enough to hold the result
248
249 Returns: nothing
250 */
251
252 void
253 dns_build_reverse(const uschar *string, uschar *buffer)
254 {
255 const uschar *p = string + Ustrlen(string);
256 uschar *pp = buffer;
257
258 /* Handle IPv4 address */
259
260 #if HAVE_IPV6
261 if (Ustrchr(string, ':') == NULL)
262 #endif
263 {
264 int i;
265 for (i = 0; i < 4; i++)
266 {
267 const uschar *ppp = p;
268 while (ppp > string && ppp[-1] != '.') ppp--;
269 Ustrncpy(pp, ppp, p - ppp);
270 pp += p - ppp;
271 *pp++ = '.';
272 p = ppp - 1;
273 }
274 Ustrcpy(pp, "in-addr.arpa");
275 }
276
277 /* Handle IPv6 address; convert to binary so as to fill out any
278 abbreviation in the textual form. */
279
280 #if HAVE_IPV6
281 else
282 {
283 int i;
284 int v6[4];
285 (void)host_aton(string, v6);
286
287 /* The original specification for IPv6 reverse lookup was to invert each
288 nibble, and look in the ip6.int domain. The domain was subsequently
289 changed to ip6.arpa. */
290
291 for (i = 3; i >= 0; i--)
292 {
293 int j;
294 for (j = 0; j < 32; j += 4)
295 {
296 sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
297 pp += 2;
298 }
299 }
300 Ustrcpy(pp, "ip6.arpa.");
301
302 /* Another way of doing IPv6 reverse lookups was proposed in conjunction
303 with A6 records. However, it fell out of favour when they did. The
304 alternative was to construct a binary key, and look in ip6.arpa. I tried
305 to make this code do that, but I could not make it work on Solaris 8. The
306 resolver seems to lose the initial backslash somehow. However, now that
307 this style of reverse lookup has been dropped, it doesn't matter. These
308 lines are left here purely for historical interest. */
309
310 /**************************************************
311 Ustrcpy(pp, "\\[x");
312 pp += 3;
313
314 for (i = 0; i < 4; i++)
315 {
316 sprintf(pp, "%08X", v6[i]);
317 pp += 8;
318 }
319 Ustrcpy(pp, "].ip6.arpa.");
320 **************************************************/
321
322 }
323 #endif
324 }
325
326
327
328
329 /*************************************************
330 * Get next DNS record from answer block *
331 *************************************************/
332
333 /* Call this with reset == RESET_ANSWERS to scan the answer block, reset ==
334 RESET_AUTHORITY to scan the authority records, reset == RESET_ADDITIONAL to
335 scan the additional records, and reset == RESET_NEXT to get the next record.
336 The result is in static storage which must be copied if it is to be preserved.
337
338 Arguments:
339 dnsa pointer to dns answer block
340 dnss pointer to dns scan block
341 reset option specifing what portion to scan, as described above
342
343 Returns: next dns record, or NULL when no more
344 */
345
346 dns_record *
347 dns_next_rr(dns_answer *dnsa, dns_scan *dnss, int reset)
348 {
349 HEADER *h = (HEADER *)dnsa->answer;
350 int namelen;
351
352 /* Reset the saved data when requested to, and skip to the first required RR */
353
354 if (reset != RESET_NEXT)
355 {
356 dnss->rrcount = ntohs(h->qdcount);
357 dnss->aptr = dnsa->answer + sizeof(HEADER);
358
359 /* Skip over questions; failure to expand the name just gives up */
360
361 while (dnss->rrcount-- > 0)
362 {
363 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
364 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
365 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
366 dnss->aptr += namelen + 4; /* skip name & type & class */
367 }
368
369 /* Get the number of answer records. */
370
371 dnss->rrcount = ntohs(h->ancount);
372
373 /* Skip over answers if we want to look at the authority section. Also skip
374 the NS records (i.e. authority section) if wanting to look at the additional
375 records. */
376
377 if (reset == RESET_ADDITIONAL) dnss->rrcount += ntohs(h->nscount);
378
379 if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
380 {
381 while (dnss->rrcount-- > 0)
382 {
383 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
384 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
385 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
386 dnss->aptr += namelen + 8; /* skip name, type, class & TTL */
387 GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
388 dnss->aptr += dnss->srr.size; /* skip over it */
389 }
390 dnss->rrcount = (reset == RESET_AUTHORITY)
391 ? ntohs(h->nscount) : ntohs(h->arcount);
392 }
393 }
394
395 /* The variable dnss->aptr is now pointing at the next RR, and dnss->rrcount
396 contains the number of RR records left. */
397
398 if (dnss->rrcount-- <= 0) return NULL;
399
400 /* If expanding the RR domain name fails, behave as if no more records
401 (something safe). */
402
403 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr,
404 (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
405 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
406
407 /* Move the pointer past the name and fill in the rest of the data structure
408 from the following bytes. */
409
410 dnss->aptr += namelen;
411 GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
412 dnss->aptr += 6; /* Don't want class or TTL */
413 GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
414 dnss->srr.data = dnss->aptr; /* The record's data follows */
415 dnss->aptr += dnss->srr.size; /* Advance to next RR */
416
417 /* Return a pointer to the dns_record structure within the dns_answer. This is
418 for convenience so that the scans can use nice-looking for loops. */
419
420 return &(dnss->srr);
421 }
422
423
424
425
426 /*************************************************
427 * Return whether AD bit set in DNS result *
428 *************************************************/
429
430 /* We do not perform DNSSEC work ourselves; if the administrator has installed
431 a verifying resolver which sets AD as appropriate, though, we'll use that.
432 (AD = Authentic Data)
433
434 Argument: pointer to dns answer block
435 Returns: bool indicating presence of AD bit
436 */
437
438 BOOL
439 dns_is_secure(const dns_answer * dnsa)
440 {
441 #ifdef DISABLE_DNSSEC
442 DEBUG(D_dns)
443 debug_printf("DNSSEC support disabled at build-time; dns_is_secure() false\n");
444 return FALSE;
445 #else
446 HEADER *h = (HEADER *)dnsa->answer;
447 return h->ad ? TRUE : FALSE;
448 #endif
449 }
450
451 static void
452 dns_set_insecure(dns_answer * dnsa)
453 {
454 HEADER * h = (HEADER *)dnsa->answer;
455 h->ad = 0;
456 }
457
458
459
460
461 /*************************************************
462 * Turn DNS type into text *
463 *************************************************/
464
465 /* Turn the coded record type into a string for printing. All those that Exim
466 uses should be included here.
467
468 Argument: record type
469 Returns: pointer to string
470 */
471
472 uschar *
473 dns_text_type(int t)
474 {
475 switch(t)
476 {
477 case T_A: return US"A";
478 case T_MX: return US"MX";
479 case T_AAAA: return US"AAAA";
480 case T_A6: return US"A6";
481 case T_TXT: return US"TXT";
482 case T_SPF: return US"SPF";
483 case T_PTR: return US"PTR";
484 case T_SOA: return US"SOA";
485 case T_SRV: return US"SRV";
486 case T_NS: return US"NS";
487 case T_CNAME: return US"CNAME";
488 case T_TLSA: return US"TLSA";
489 default: return US"?";
490 }
491 }
492
493
494
495 /*************************************************
496 * Cache a failed DNS lookup result *
497 *************************************************/
498
499 /* We cache failed lookup results so as not to experience timeouts many
500 times for the same domain. We need to retain the resolver options because they
501 may change. For successful lookups, we rely on resolver and/or name server
502 caching.
503
504 Arguments:
505 name the domain name
506 type the lookup type
507 rc the return code
508
509 Returns: the return code
510 */
511
512 static int
513 dns_return(const uschar * name, int type, int rc)
514 {
515 res_state resp = os_get_dns_resolver_res();
516 tree_node *node = store_get_perm(sizeof(tree_node) + 290);
517 sprintf(CS node->name, "%.255s-%s-%lx", name, dns_text_type(type),
518 resp->options);
519 node->data.val = rc;
520 (void)tree_insertnode(&tree_dns_fails, node);
521 return rc;
522 }
523
524
525
526 /*************************************************
527 * Do basic DNS lookup *
528 *************************************************/
529
530 /* Call the resolver to look up the given domain name, using the given type,
531 and check the result. The error code TRY_AGAIN is documented as meaning "non-
532 Authoritive Host not found, or SERVERFAIL". Sometimes there are badly set
533 up nameservers that produce this error continually, so there is the option of
534 providing a list of domains for which this is treated as a non-existent
535 host.
536
537 Arguments:
538 dnsa pointer to dns_answer structure
539 name name to look up
540 type type of DNS record required (T_A, T_MX, etc)
541
542 Returns: DNS_SUCCEED successful lookup
543 DNS_NOMATCH name not found (NXDOMAIN)
544 or name contains illegal characters (if checking)
545 or name is an IP address (for IP address lookup)
546 DNS_NODATA domain exists, but no data for this type (NODATA)
547 DNS_AGAIN soft failure, try again later
548 DNS_FAIL DNS failure
549 */
550
551 int
552 dns_basic_lookup(dns_answer *dnsa, const uschar *name, int type)
553 {
554 #ifndef STAND_ALONE
555 int rc = -1;
556 const uschar *save_domain;
557 #endif
558 res_state resp = os_get_dns_resolver_res();
559
560 tree_node *previous;
561 uschar node_name[290];
562
563 /* DNS lookup failures of any kind are cached in a tree. This is mainly so that
564 a timeout on one domain doesn't happen time and time again for messages that
565 have many addresses in the same domain. We rely on the resolver and name server
566 caching for successful lookups. */
567
568 sprintf(CS node_name, "%.255s-%s-%lx", name, dns_text_type(type),
569 resp->options);
570 previous = tree_search(tree_dns_fails, node_name);
571 if (previous != NULL)
572 {
573 DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
574 name, dns_text_type(type),
575 (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
576 (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
577 (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
578 (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
579 return previous->data.val;
580 }
581
582 #ifdef EXPERIMENTAL_INTERNATIONAL
583 /* Convert all names to a-label form before doing lookup */
584 {
585 uschar * alabel;
586 uschar * errstr = NULL;
587 DEBUG(D_dns) if (string_is_utf8(name))
588 debug_printf("convert utf8 '%s' to alabel for for lookup\n", name);
589 if ((alabel = string_domain_utf8_to_alabel(name, &errstr)), errstr)
590 {
591 DEBUG(D_dns)
592 debug_printf("DNS name '%s' utf8 conversion to alabel failed: %s\n", name,
593 errstr);
594 host_find_failed_syntax = TRUE;
595 return DNS_NOMATCH;
596 }
597 name = alabel;
598 }
599 #endif
600
601 /* If configured, check the hygene of the name passed to lookup. Otherwise,
602 although DNS lookups may give REFUSED at the lower level, some resolvers
603 turn this into TRY_AGAIN, which is silly. Give a NOMATCH return, since such
604 domains cannot be in the DNS. The check is now done by a regular expression;
605 give it space for substring storage to save it having to get its own if the
606 regex has substrings that are used - the default uses a conditional.
607
608 This test is omitted for PTR records. These occur only in calls from the dnsdb
609 lookup, which constructs the names itself, so they should be OK. Besides,
610 bitstring labels don't conform to normal name syntax. (But the aren't used any
611 more.)
612
613 For SRV records, we omit the initial _smtp._tcp. components at the start. */
614
615 #ifndef STAND_ALONE /* Omit this for stand-alone tests */
616
617 if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
618 {
619 const uschar *checkname = name;
620 int ovector[3*(EXPAND_MAXN+1)];
621
622 dns_pattern_init();
623
624 /* For an SRV lookup, skip over the first two components (the service and
625 protocol names, which both start with an underscore). */
626
627 if (type == T_SRV || type == T_TLSA)
628 {
629 while (*checkname++ != '.');
630 while (*checkname++ != '.');
631 }
632
633 if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
634 0, PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int)) < 0)
635 {
636 DEBUG(D_dns)
637 debug_printf("DNS name syntax check failed: %s (%s)\n", name,
638 dns_text_type(type));
639 host_find_failed_syntax = TRUE;
640 return DNS_NOMATCH;
641 }
642 }
643
644 #endif /* STAND_ALONE */
645
646 /* Call the resolver; for an overlong response, res_search() will return the
647 number of bytes the message would need, so we need to check for this case. The
648 effect is to truncate overlong data.
649
650 On some systems, res_search() will recognize "A-for-A" queries and return
651 the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some
652 nameservers are also believed to do this. It is, of course, contrary to the
653 specification of the DNS, so we lock it out. */
654
655 if ((type == T_A || type == T_AAAA) && string_is_ip_address(name, NULL) != 0)
656 return DNS_NOMATCH;
657
658 /* If we are running in the test harness, instead of calling the normal resolver
659 (res_search), we call fakens_search(), which recognizes certain special
660 domains, and interfaces to a fake nameserver for certain special zones. */
661
662 dnsa->answerlen = running_in_test_harness
663 ? fakens_search(name, type, dnsa->answer, MAXPACKET)
664 : res_search(CCS name, C_IN, type, dnsa->answer, MAXPACKET);
665
666 if (dnsa->answerlen > MAXPACKET)
667 {
668 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) resulted in overlong packet (size %d), truncating to %d.\n",
669 name, dns_text_type(type), dnsa->answerlen, MAXPACKET);
670 dnsa->answerlen = MAXPACKET;
671 }
672
673 if (dnsa->answerlen < 0) switch (h_errno)
674 {
675 case HOST_NOT_FOUND:
676 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
677 "returning DNS_NOMATCH\n", name, dns_text_type(type));
678 return dns_return(name, type, DNS_NOMATCH);
679
680 case TRY_AGAIN:
681 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
682 name, dns_text_type(type));
683
684 /* Cut this out for various test programs */
685 #ifndef STAND_ALONE
686 save_domain = deliver_domain;
687 deliver_domain = string_copy(name); /* set $domain */
688 rc = match_isinlist(name, (const uschar **)&dns_again_means_nonexist, 0, NULL, NULL,
689 MCL_DOMAIN, TRUE, NULL);
690 deliver_domain = save_domain;
691 if (rc != OK)
692 {
693 DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
694 return dns_return(name, type, DNS_AGAIN);
695 }
696 DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
697 "DNS_NOMATCH\n", name);
698 return dns_return(name, type, DNS_NOMATCH);
699
700 #else /* For stand-alone tests */
701 return dns_return(name, type, DNS_AGAIN);
702 #endif
703
704 case NO_RECOVERY:
705 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
706 "returning DNS_FAIL\n", name, dns_text_type(type));
707 return dns_return(name, type, DNS_FAIL);
708
709 case NO_DATA:
710 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
711 "returning DNS_NODATA\n", name, dns_text_type(type));
712 return dns_return(name, type, DNS_NODATA);
713
714 default:
715 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
716 "returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
717 return dns_return(name, type, DNS_FAIL);
718 }
719
720 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
721 name, dns_text_type(type));
722
723 return DNS_SUCCEED;
724 }
725
726
727
728
729 /************************************************
730 * Do a DNS lookup and handle CNAMES *
731 ************************************************/
732
733 /* Look up the given domain name, using the given type. Follow CNAMEs if
734 necessary, but only so many times. There aren't supposed to be CNAME chains in
735 the DNS, but you are supposed to cope with them if you find them.
736
737 The assumption is made that if the resolver gives back records of the
738 requested type *and* a CNAME, we don't need to make another call to look up
739 the CNAME. I can't see how it could return only some of the right records. If
740 it's done a CNAME lookup in the past, it will have all of them; if not, it
741 won't return any.
742
743 If fully_qualified_name is not NULL, set it to point to the full name
744 returned by the resolver, if this is different to what it is given, unless
745 the returned name starts with "*" as some nameservers seem to be returning
746 wildcards in this form. In international mode "different" means "alabel
747 forms are different".
748
749 Arguments:
750 dnsa pointer to dns_answer structure
751 name domain name to look up
752 type DNS record type (T_A, T_MX, etc)
753 fully_qualified_name if not NULL, return the returned name here if its
754 contents are different (i.e. it must be preset)
755
756 Returns: DNS_SUCCEED successful lookup
757 DNS_NOMATCH name not found
758 DNS_NODATA no data found
759 DNS_AGAIN soft failure, try again later
760 DNS_FAIL DNS failure
761 */
762
763 int
764 dns_lookup(dns_answer *dnsa, const uschar *name, int type,
765 const uschar **fully_qualified_name)
766 {
767 int i;
768 const uschar *orig_name = name;
769 BOOL secure_so_far = TRUE;
770
771 /* Loop to follow CNAME chains so far, but no further... */
772
773 for (i = 0; i < 10; i++)
774 {
775 uschar data[256];
776 dns_record *rr, cname_rr, type_rr;
777 dns_scan dnss;
778 int datalen, rc;
779
780 /* DNS lookup failures get passed straight back. */
781
782 if ((rc = dns_basic_lookup(dnsa, name, type)) != DNS_SUCCEED) return rc;
783
784 /* We should have either records of the required type, or a CNAME record,
785 or both. We need to know whether both exist for getting the fully qualified
786 name, but avoid scanning more than necessary. Note that we must copy the
787 contents of any rr blocks returned by dns_next_rr() as they use the same
788 area in the dnsa block. */
789
790 cname_rr.data = type_rr.data = NULL;
791 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
792 rr != NULL;
793 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
794 {
795 if (rr->type == type)
796 {
797 if (type_rr.data == NULL) type_rr = *rr;
798 if (cname_rr.data != NULL) break;
799 }
800 else if (rr->type == T_CNAME) cname_rr = *rr;
801 }
802
803 /* For the first time round this loop, if a CNAME was found, take the fully
804 qualified name from it; otherwise from the first data record, if present. */
805
806 if (i == 0 && fully_qualified_name != NULL)
807 {
808 uschar * rr_name = cname_rr.data ? cname_rr.name
809 : type_rr.data ? type_rr.name : NULL;
810 if ( rr_name
811 && Ustrcmp(rr_name, *fully_qualified_name) != 0
812 && rr_name[0] != '*'
813 #ifdef EXPERIMENTAL_INTERNATIONAL
814 && ( !string_is_utf8(*fully_qualified_name)
815 || Ustrcmp(rr_name,
816 string_domain_utf8_to_alabel(*fully_qualified_name, NULL)) != 0
817 )
818 #endif
819 )
820 *fully_qualified_name = string_copy_dnsdomain(rr_name);
821 }
822
823 /* If any data records of the correct type were found, we are done. */
824
825 if (type_rr.data != NULL)
826 {
827 if (!secure_so_far) /* mark insecure if any element of CNAME chain was */
828 dns_set_insecure(dnsa);
829 return DNS_SUCCEED;
830 }
831
832 /* If there are no data records, we need to re-scan the DNS using the
833 domain given in the CNAME record, which should exist (otherwise we should
834 have had a failure from dns_lookup). However code against the possibility of
835 its not existing. */
836
837 if (cname_rr.data == NULL) return DNS_FAIL;
838 datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
839 cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, sizeof(data));
840 if (datalen < 0) return DNS_FAIL;
841 name = data;
842
843 if (!dns_is_secure(dnsa))
844 secure_so_far = FALSE;
845
846 DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
847 } /* Loop back to do another lookup */
848
849 /*Control reaches here after 10 times round the CNAME loop. Something isn't
850 right... */
851
852 log_write(0, LOG_MAIN, "CNAME loop for %s encountered", orig_name);
853 return DNS_FAIL;
854 }
855
856
857
858
859
860
861 /************************************************
862 * Do a DNS lookup and handle virtual types *
863 ************************************************/
864
865 /* This function handles some invented "lookup types" that synthesize feature
866 not available in the basic types. The special types all have negative values.
867 Positive type values are passed straight on to dns_lookup().
868
869 Arguments:
870 dnsa pointer to dns_answer structure
871 name domain name to look up
872 type DNS record type (T_A, T_MX, etc or a "special")
873 fully_qualified_name if not NULL, return the returned name here if its
874 contents are different (i.e. it must be preset)
875
876 Returns: DNS_SUCCEED successful lookup
877 DNS_NOMATCH name not found
878 DNS_NODATA no data found
879 DNS_AGAIN soft failure, try again later
880 DNS_FAIL DNS failure
881 */
882
883 int
884 dns_special_lookup(dns_answer *dnsa, const uschar *name, int type,
885 const uschar **fully_qualified_name)
886 {
887 switch (type)
888 {
889 /* The "mx hosts only" type doesn't require any special action here */
890 case T_MXH:
891 return dns_lookup(dnsa, name, T_MX, fully_qualified_name);
892
893 /* Find nameservers for the domain or the nearest enclosing zone, excluding
894 the root servers. */
895 case T_ZNS:
896 type = T_NS;
897 /* FALLTHROUGH */
898 case T_SOA:
899 {
900 const uschar *d = name;
901 while (d != 0)
902 {
903 int rc = dns_lookup(dnsa, d, type, fully_qualified_name);
904 if (rc != DNS_NOMATCH && rc != DNS_NODATA) return rc;
905 while (*d != 0 && *d != '.') d++;
906 if (*d++ == 0) break;
907 }
908 return DNS_NOMATCH;
909 }
910
911 /* Try to look up the Client SMTP Authorization SRV record for the name. If
912 there isn't one, search from the top downwards for a CSA record in a parent
913 domain, which might be making assertions about subdomains. If we find a record
914 we set fully_qualified_name to whichever lookup succeeded, so that the caller
915 can tell whether to look at the explicit authorization field or the subdomain
916 assertion field. */
917 case T_CSA:
918 {
919 uschar *srvname, *namesuff, *tld, *p;
920 int priority, weight, port;
921 int limit, rc, i;
922 BOOL ipv6;
923 dns_record *rr;
924 dns_scan dnss;
925
926 DEBUG(D_dns) debug_printf("CSA lookup of %s\n", name);
927
928 srvname = string_sprintf("_client._smtp.%s", name);
929 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
930 if (rc == DNS_SUCCEED || rc == DNS_AGAIN)
931 {
932 if (rc == DNS_SUCCEED) *fully_qualified_name = string_copy(name);
933 return rc;
934 }
935
936 /* Search for CSA subdomain assertion SRV records from the top downwards,
937 starting with the 2nd level domain. This order maximizes cache-friendliness.
938 We skip the top level domains to avoid loading their nameservers and because
939 we know they'll never have CSA SRV records. */
940
941 namesuff = Ustrrchr(name, '.');
942 if (namesuff == NULL) return DNS_NOMATCH;
943 tld = namesuff + 1;
944 ipv6 = FALSE;
945 limit = dns_csa_search_limit;
946
947 /* Use more appropriate search parameters if we are in the reverse DNS. */
948
949 if (strcmpic(namesuff, US".arpa") == 0)
950 {
951 if (namesuff - 8 > name && strcmpic(namesuff - 8, US".in-addr.arpa") == 0)
952 {
953 namesuff -= 8;
954 tld = namesuff + 1;
955 limit = 3;
956 }
957 else if (namesuff - 4 > name && strcmpic(namesuff - 4, US".ip6.arpa") == 0)
958 {
959 namesuff -= 4;
960 tld = namesuff + 1;
961 ipv6 = TRUE;
962 limit = 3;
963 }
964 }
965
966 DEBUG(D_dns) debug_printf("CSA TLD %s\n", tld);
967
968 /* Do not perform the search if the top level or 2nd level domains do not
969 exist. This is quite common, and when it occurs all the search queries would
970 go to the root or TLD name servers, which is not friendly. So we check the
971 AUTHORITY section; if it contains the root's SOA record or the TLD's SOA then
972 the TLD or the 2LD (respectively) doesn't exist and we can skip the search.
973 If the TLD and the 2LD exist but the explicit CSA record lookup failed, then
974 the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */
975
976 if (rc == DNS_NOMATCH)
977 {
978 /* This is really gross. The successful return value from res_search() is
979 the packet length, which is stored in dnsa->answerlen. If we get a
980 negative DNS reply then res_search() returns -1, which causes the bounds
981 checks for name decompression to fail when it is treated as a packet
982 length, which in turn causes the authority search to fail. The correct
983 packet length has been lost inside libresolv, so we have to guess a
984 replacement value. (The only way to fix this properly would be to
985 re-implement res_search() and res_query() so that they don't muddle their
986 success and packet length return values.) For added safety we only reset
987 the packet length if the packet header looks plausible. */
988
989 HEADER *h = (HEADER *)dnsa->answer;
990 if (h->qr == 1 && h->opcode == QUERY && h->tc == 0
991 && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
992 && ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
993 && ntohs(h->nscount) >= 1)
994 dnsa->answerlen = MAXPACKET;
995
996 for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
997 rr != NULL;
998 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
999 if (rr->type != T_SOA) continue;
1000 else if (strcmpic(rr->name, US"") == 0 ||
1001 strcmpic(rr->name, tld) == 0) return DNS_NOMATCH;
1002 else break;
1003 }
1004
1005 for (i = 0; i < limit; i++)
1006 {
1007 if (ipv6)
1008 {
1009 /* Scan through the IPv6 reverse DNS in chunks of 16 bits worth of IP
1010 address, i.e. 4 hex chars and 4 dots, i.e. 8 chars. */
1011 namesuff -= 8;
1012 if (namesuff <= name) return DNS_NOMATCH;
1013 }
1014 else
1015 /* Find the start of the preceding domain name label. */
1016 do
1017 if (--namesuff <= name) return DNS_NOMATCH;
1018 while (*namesuff != '.');
1019
1020 DEBUG(D_dns) debug_printf("CSA parent search at %s\n", namesuff + 1);
1021
1022 srvname = string_sprintf("_client._smtp.%s", namesuff + 1);
1023 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
1024 if (rc == DNS_AGAIN) return rc;
1025 if (rc != DNS_SUCCEED) continue;
1026
1027 /* Check that the SRV record we have found is worth returning. We don't
1028 just return the first one we find, because some lower level SRV record
1029 might make stricter assertions than its parent domain. */
1030
1031 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1032 rr != NULL;
1033 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
1034 {
1035 if (rr->type != T_SRV) continue;
1036
1037 /* Extract the numerical SRV fields (p is incremented) */
1038 p = rr->data;
1039 GETSHORT(priority, p);
1040 GETSHORT(weight, p); weight = weight; /* compiler quietening */
1041 GETSHORT(port, p);
1042
1043 /* Check the CSA version number */
1044 if (priority != 1) continue;
1045
1046 /* If it's making an interesting assertion, return this response. */
1047 if (port & 1)
1048 {
1049 *fully_qualified_name = namesuff + 1;
1050 return DNS_SUCCEED;
1051 }
1052 }
1053 }
1054 return DNS_NOMATCH;
1055 }
1056
1057 default:
1058 if (type >= 0)
1059 return dns_lookup(dnsa, name, type, fully_qualified_name);
1060 }
1061
1062 /* Control should never reach here */
1063
1064 return DNS_FAIL;
1065 }
1066
1067
1068
1069
1070
1071 /*************************************************
1072 * Get address(es) from DNS record *
1073 *************************************************/
1074
1075 /* The record type is either T_A for an IPv4 address or T_AAAA (or T_A6 when
1076 supported) for an IPv6 address.
1077
1078 Argument:
1079 dnsa the DNS answer block
1080 rr the RR
1081
1082 Returns: pointer to a chain of dns_address items
1083 */
1084
1085 dns_address *
1086 dns_address_from_rr(dns_answer *dnsa, dns_record *rr)
1087 {
1088 dns_address *yield = NULL;
1089
1090 dnsa = dnsa; /* Stop picky compilers warning */
1091
1092 if (rr->type == T_A)
1093 {
1094 uschar *p = US rr->data;
1095 yield = store_get(sizeof(dns_address) + 20);
1096 (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1097 yield->next = NULL;
1098 }
1099
1100 #if HAVE_IPV6
1101
1102 else
1103 {
1104 yield = store_get(sizeof(dns_address) + 50);
1105 inet_ntop(AF_INET6, US rr->data, CS yield->address, 50);
1106 yield->next = NULL;
1107 }
1108 #endif /* HAVE_IPV6 */
1109
1110 return yield;
1111 }
1112
1113
1114
1115 void
1116 dns_pattern_init(void)
1117 {
1118 if (check_dns_names_pattern[0] != 0 && !regex_check_dns_names)
1119 regex_check_dns_names =
1120 regex_must_compile(check_dns_names_pattern, FALSE, TRUE);
1121 }
1122
1123 /* vi: aw ai sw=2
1124 */
1125 /* End of dns.c */
Unnamed repository; edit this file 'description' to name the repository.