1 /* 2 * iterator/iter_scrub.c - scrubbing, normalization, sanitization of DNS msgs. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file has routine(s) for cleaning up incoming DNS messages from 40 * possible useless or malicious junk in it. 41 */ 42 #include "config.h" 43 #include "iterator/iter_scrub.h" 44 #include "iterator/iterator.h" 45 #include "iterator/iter_priv.h" 46 #include "services/cache/rrset.h" 47 #include "util/log.h" 48 #include "util/net_help.h" 49 #include "util/regional.h" 50 #include "util/config_file.h" 51 #include "util/module.h" 52 #include "util/data/msgparse.h" 53 #include "util/data/dname.h" 54 #include "util/data/msgreply.h" 55 #include "util/alloc.h" 56 #include "sldns/sbuffer.h" 57 58 /** RRset flag used during scrubbing. The RRset is OK. */ 59 #define RRSET_SCRUB_OK 0x80 60 61 /** remove rrset, update loop variables */ 62 static void 63 remove_rrset(const char* str, sldns_buffer* pkt, struct msg_parse* msg, 64 struct rrset_parse* prev, struct rrset_parse** rrset) 65 { 66 if(verbosity >= VERB_QUERY && str 67 && (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) { 68 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 69 dname_pkt_copy(pkt, buf, (*rrset)->dname); 70 log_nametypeclass(VERB_QUERY, str, buf, 71 (*rrset)->type, ntohs((*rrset)->rrset_class)); 72 } 73 if(prev) 74 prev->rrset_all_next = (*rrset)->rrset_all_next; 75 else msg->rrset_first = (*rrset)->rrset_all_next; 76 if(msg->rrset_last == *rrset) 77 msg->rrset_last = prev; 78 msg->rrset_count --; 79 switch((*rrset)->section) { 80 case LDNS_SECTION_ANSWER: msg->an_rrsets--; break; 81 case LDNS_SECTION_AUTHORITY: msg->ns_rrsets--; break; 82 case LDNS_SECTION_ADDITIONAL: msg->ar_rrsets--; break; 83 default: log_assert(0); 84 } 85 msgparse_bucket_remove(msg, *rrset); 86 *rrset = (*rrset)->rrset_all_next; 87 } 88 89 /** return true if rr type has additional names in it */ 90 static int 91 has_additional(uint16_t t) 92 { 93 switch(t) { 94 case LDNS_RR_TYPE_MB: 95 case LDNS_RR_TYPE_MD: 96 case LDNS_RR_TYPE_MF: 97 case LDNS_RR_TYPE_NS: 98 case LDNS_RR_TYPE_MX: 99 case LDNS_RR_TYPE_KX: 100 case LDNS_RR_TYPE_SRV: 101 return 1; 102 case LDNS_RR_TYPE_NAPTR: 103 /* TODO: NAPTR not supported, glue stripped off */ 104 return 0; 105 } 106 return 0; 107 } 108 109 /** get additional name from rrset RR, return false if no name present */ 110 static int 111 get_additional_name(struct rrset_parse* rrset, struct rr_parse* rr, 112 uint8_t** nm, size_t* nmlen, sldns_buffer* pkt) 113 { 114 size_t offset = 0; 115 size_t len, oldpos; 116 switch(rrset->type) { 117 case LDNS_RR_TYPE_MB: 118 case LDNS_RR_TYPE_MD: 119 case LDNS_RR_TYPE_MF: 120 case LDNS_RR_TYPE_NS: 121 offset = 0; 122 break; 123 case LDNS_RR_TYPE_MX: 124 case LDNS_RR_TYPE_KX: 125 offset = 2; 126 break; 127 case LDNS_RR_TYPE_SRV: 128 offset = 6; 129 break; 130 case LDNS_RR_TYPE_NAPTR: 131 /* TODO: NAPTR not supported, glue stripped off */ 132 return 0; 133 default: 134 return 0; 135 } 136 len = sldns_read_uint16(rr->ttl_data+sizeof(uint32_t)); 137 if(len < offset+1) 138 return 0; /* rdata field too small */ 139 *nm = rr->ttl_data+sizeof(uint32_t)+sizeof(uint16_t)+offset; 140 oldpos = sldns_buffer_position(pkt); 141 sldns_buffer_set_position(pkt, (size_t)(*nm - sldns_buffer_begin(pkt))); 142 *nmlen = pkt_dname_len(pkt); 143 sldns_buffer_set_position(pkt, oldpos); 144 if(*nmlen == 0) 145 return 0; 146 return 1; 147 } 148 149 /** Place mark on rrsets in additional section they are OK */ 150 static void 151 mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg, 152 struct rrset_parse* rrset) 153 { 154 /* Mark A and AAAA for NS as appropriate additional section info. */ 155 uint8_t* nm = NULL; 156 size_t nmlen = 0; 157 struct rr_parse* rr; 158 159 if(!has_additional(rrset->type)) 160 return; 161 for(rr = rrset->rr_first; rr; rr = rr->next) { 162 if(get_additional_name(rrset, rr, &nm, &nmlen, pkt)) { 163 /* mark A */ 164 hashvalue_type h = pkt_hash_rrset(pkt, nm, 165 LDNS_RR_TYPE_A, rrset->rrset_class, 0); 166 struct rrset_parse* r = msgparse_hashtable_lookup( 167 msg, pkt, h, 0, nm, nmlen, 168 LDNS_RR_TYPE_A, rrset->rrset_class); 169 if(r && r->section == LDNS_SECTION_ADDITIONAL) { 170 r->flags |= RRSET_SCRUB_OK; 171 } 172 173 /* mark AAAA */ 174 h = pkt_hash_rrset(pkt, nm, LDNS_RR_TYPE_AAAA, 175 rrset->rrset_class, 0); 176 r = msgparse_hashtable_lookup(msg, pkt, h, 0, nm, 177 nmlen, LDNS_RR_TYPE_AAAA, rrset->rrset_class); 178 if(r && r->section == LDNS_SECTION_ADDITIONAL) { 179 r->flags |= RRSET_SCRUB_OK; 180 } 181 } 182 } 183 } 184 185 /** Get target name of a CNAME */ 186 static int 187 parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname, 188 size_t* snamelen) 189 { 190 if(rrset->rr_count != 1) { 191 struct rr_parse* sig; 192 verbose(VERB_ALGO, "Found CNAME rrset with " 193 "size > 1: %u", (unsigned)rrset->rr_count); 194 /* use the first CNAME! */ 195 rrset->rr_count = 1; 196 rrset->size = rrset->rr_first->size; 197 for(sig=rrset->rrsig_first; sig; sig=sig->next) 198 rrset->size += sig->size; 199 rrset->rr_last = rrset->rr_first; 200 rrset->rr_first->next = NULL; 201 } 202 if(rrset->rr_first->size < sizeof(uint16_t)+1) 203 return 0; /* CNAME rdata too small */ 204 *sname = rrset->rr_first->ttl_data + sizeof(uint32_t) 205 + sizeof(uint16_t); /* skip ttl, rdatalen */ 206 *snamelen = rrset->rr_first->size - sizeof(uint16_t); 207 return 1; 208 } 209 210 /** Synthesize CNAME from DNAME, false if too long */ 211 static int 212 synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset, 213 uint8_t* alias, size_t* aliaslen, sldns_buffer* pkt) 214 { 215 /* we already know that sname is a strict subdomain of DNAME owner */ 216 uint8_t* dtarg = NULL; 217 size_t dtarglen; 218 if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen)) 219 return 0; 220 if(qnamelen <= dname_rrset->dname_len) 221 return 0; 222 if(qnamelen == 0) 223 return 0; 224 log_assert(qnamelen > dname_rrset->dname_len); 225 /* DNAME from com. to net. with qname example.com. -> example.net. */ 226 /* so: \3com\0 to \3net\0 and qname \7example\3com\0 */ 227 *aliaslen = qnamelen + dtarglen - dname_rrset->dname_len; 228 if(*aliaslen > LDNS_MAX_DOMAINLEN) 229 return 0; /* should have been RCODE YXDOMAIN */ 230 /* decompress dnames into buffer, we know it fits */ 231 dname_pkt_copy(pkt, alias, qname); 232 dname_pkt_copy(pkt, alias+(qnamelen-dname_rrset->dname_len), dtarg); 233 return 1; 234 } 235 236 /** synthesize a CNAME rrset */ 237 static struct rrset_parse* 238 synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias, 239 size_t aliaslen, struct regional* region, struct msg_parse* msg, 240 struct rrset_parse* rrset, struct rrset_parse* prev, 241 struct rrset_parse* nx, sldns_buffer* pkt) 242 { 243 struct rrset_parse* cn = (struct rrset_parse*)regional_alloc(region, 244 sizeof(struct rrset_parse)); 245 if(!cn) 246 return NULL; 247 memset(cn, 0, sizeof(*cn)); 248 cn->rr_first = (struct rr_parse*)regional_alloc(region, 249 sizeof(struct rr_parse)); 250 if(!cn->rr_first) 251 return NULL; 252 cn->rr_last = cn->rr_first; 253 /* CNAME from sname to alias */ 254 cn->dname = (uint8_t*)regional_alloc(region, *snamelen); 255 if(!cn->dname) 256 return NULL; 257 dname_pkt_copy(pkt, cn->dname, *sname); 258 cn->dname_len = *snamelen; 259 cn->type = LDNS_RR_TYPE_CNAME; 260 cn->section = rrset->section; 261 cn->rrset_class = rrset->rrset_class; 262 cn->rr_count = 1; 263 cn->size = sizeof(uint16_t) + aliaslen; 264 cn->hash=pkt_hash_rrset(pkt, cn->dname, cn->type, cn->rrset_class, 0); 265 /* allocate TTL + rdatalen + uncompressed dname */ 266 memset(cn->rr_first, 0, sizeof(struct rr_parse)); 267 cn->rr_first->outside_packet = 1; 268 cn->rr_first->ttl_data = (uint8_t*)regional_alloc(region, 269 sizeof(uint32_t)+sizeof(uint16_t)+aliaslen); 270 if(!cn->rr_first->ttl_data) 271 return NULL; 272 sldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */ 273 sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen); 274 memmove(cn->rr_first->ttl_data+6, alias, aliaslen); 275 cn->rr_first->size = sizeof(uint16_t)+aliaslen; 276 277 /* link it in */ 278 cn->rrset_all_next = nx; 279 if(prev) 280 prev->rrset_all_next = cn; 281 else msg->rrset_first = cn; 282 if(nx == NULL) 283 msg->rrset_last = cn; 284 msg->rrset_count ++; 285 msg->an_rrsets++; 286 /* it is not inserted in the msg hashtable. */ 287 288 *sname = cn->rr_first->ttl_data + sizeof(uint32_t)+sizeof(uint16_t); 289 *snamelen = aliaslen; 290 return cn; 291 } 292 293 /** check if DNAME applies to a name */ 294 static int 295 pkt_strict_sub(sldns_buffer* pkt, uint8_t* sname, uint8_t* dr) 296 { 297 uint8_t buf1[LDNS_MAX_DOMAINLEN+1]; 298 uint8_t buf2[LDNS_MAX_DOMAINLEN+1]; 299 /* decompress names */ 300 dname_pkt_copy(pkt, buf1, sname); 301 dname_pkt_copy(pkt, buf2, dr); 302 return dname_strict_subdomain_c(buf1, buf2); 303 } 304 305 /** check subdomain with decompression */ 306 static int 307 pkt_sub(sldns_buffer* pkt, uint8_t* comprname, uint8_t* zone) 308 { 309 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 310 dname_pkt_copy(pkt, buf, comprname); 311 return dname_subdomain_c(buf, zone); 312 } 313 314 /** check subdomain with decompression, compressed is parent */ 315 static int 316 sub_of_pkt(sldns_buffer* pkt, uint8_t* zone, uint8_t* comprname) 317 { 318 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 319 dname_pkt_copy(pkt, buf, comprname); 320 return dname_subdomain_c(zone, buf); 321 } 322 323 /** Check if there are SOA records in the authority section (negative) */ 324 static int 325 soa_in_auth(struct msg_parse* msg) 326 { 327 struct rrset_parse* rrset; 328 for(rrset = msg->rrset_first; rrset; rrset = rrset->rrset_all_next) 329 if(rrset->type == LDNS_RR_TYPE_SOA && 330 rrset->section == LDNS_SECTION_AUTHORITY) 331 return 1; 332 return 0; 333 } 334 335 /** 336 * This routine normalizes a response. This includes removing "irrelevant" 337 * records from the answer and additional sections and (re)synthesizing 338 * CNAMEs from DNAMEs, if present. 339 * 340 * @param pkt: packet. 341 * @param msg: msg to normalize. 342 * @param qinfo: original query. 343 * @param region: where to allocate synthesized CNAMEs. 344 * @return 0 on error. 345 */ 346 static int 347 scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, 348 struct query_info* qinfo, struct regional* region) 349 { 350 uint8_t* sname = qinfo->qname; 351 size_t snamelen = qinfo->qname_len; 352 struct rrset_parse* rrset, *prev, *nsset=NULL; 353 354 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR && 355 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN) 356 return 1; 357 358 /* For the ANSWER section, remove all "irrelevant" records and add 359 * synthesized CNAMEs from DNAMEs 360 * This will strip out-of-order CNAMEs as well. */ 361 362 /* walk through the parse packet rrset list, keep track of previous 363 * for insert and delete ease, and examine every RRset */ 364 prev = NULL; 365 rrset = msg->rrset_first; 366 while(rrset && rrset->section == LDNS_SECTION_ANSWER) { 367 if(rrset->type == LDNS_RR_TYPE_DNAME && 368 pkt_strict_sub(pkt, sname, rrset->dname)) { 369 /* check if next rrset is correct CNAME. else, 370 * synthesize a CNAME */ 371 struct rrset_parse* nx = rrset->rrset_all_next; 372 uint8_t alias[LDNS_MAX_DOMAINLEN+1]; 373 size_t aliaslen = 0; 374 if(rrset->rr_count != 1) { 375 verbose(VERB_ALGO, "Found DNAME rrset with " 376 "size > 1: %u", 377 (unsigned)rrset->rr_count); 378 return 0; 379 } 380 if(!synth_cname(sname, snamelen, rrset, alias, 381 &aliaslen, pkt)) { 382 verbose(VERB_ALGO, "synthesized CNAME " 383 "too long"); 384 return 0; 385 } 386 if(nx && nx->type == LDNS_RR_TYPE_CNAME && 387 dname_pkt_compare(pkt, sname, nx->dname) == 0) { 388 /* check next cname */ 389 uint8_t* t = NULL; 390 size_t tlen = 0; 391 if(!parse_get_cname_target(nx, &t, &tlen)) 392 return 0; 393 if(dname_pkt_compare(pkt, alias, t) == 0) { 394 /* it's OK and better capitalized */ 395 prev = rrset; 396 rrset = nx; 397 continue; 398 } 399 /* synth ourselves */ 400 } 401 /* synth a CNAME rrset */ 402 prev = synth_cname_rrset(&sname, &snamelen, alias, 403 aliaslen, region, msg, rrset, rrset, nx, pkt); 404 if(!prev) { 405 log_err("out of memory synthesizing CNAME"); 406 return 0; 407 } 408 /* FIXME: resolve the conflict between synthesized 409 * CNAME ttls and the cache. */ 410 rrset = nx; 411 continue; 412 413 } 414 415 /* The only records in the ANSWER section not allowed to */ 416 if(dname_pkt_compare(pkt, sname, rrset->dname) != 0) { 417 remove_rrset("normalize: removing irrelevant RRset:", 418 pkt, msg, prev, &rrset); 419 continue; 420 } 421 422 /* Follow the CNAME chain. */ 423 if(rrset->type == LDNS_RR_TYPE_CNAME) { 424 struct rrset_parse* nx = rrset->rrset_all_next; 425 uint8_t* oldsname = sname; 426 /* see if the next one is a DNAME, if so, swap them */ 427 if(nx && nx->section == LDNS_SECTION_ANSWER && 428 nx->type == LDNS_RR_TYPE_DNAME && 429 nx->rr_count == 1 && 430 pkt_strict_sub(pkt, sname, nx->dname)) { 431 /* there is a DNAME after this CNAME, it 432 * is in the ANSWER section, and the DNAME 433 * applies to the name we cover */ 434 /* check if the alias of the DNAME equals 435 * this CNAME */ 436 uint8_t alias[LDNS_MAX_DOMAINLEN+1]; 437 size_t aliaslen = 0; 438 uint8_t* t = NULL; 439 size_t tlen = 0; 440 if(synth_cname(sname, snamelen, nx, alias, 441 &aliaslen, pkt) && 442 parse_get_cname_target(rrset, &t, &tlen) && 443 dname_pkt_compare(pkt, alias, t) == 0) { 444 /* the synthesized CNAME equals the 445 * current CNAME. This CNAME is the 446 * one that the DNAME creates, and this 447 * CNAME is better capitalised */ 448 verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME"); 449 if(prev) prev->rrset_all_next = nx; 450 else msg->rrset_first = nx; 451 if(nx->rrset_all_next == NULL) 452 msg->rrset_last = rrset; 453 rrset->rrset_all_next = 454 nx->rrset_all_next; 455 nx->rrset_all_next = rrset; 456 /* prev = nx; unused, enable if there 457 * is other rrset removal code after 458 * this */ 459 } 460 } 461 462 /* move to next name in CNAME chain */ 463 if(!parse_get_cname_target(rrset, &sname, &snamelen)) 464 return 0; 465 prev = rrset; 466 rrset = rrset->rrset_all_next; 467 /* in CNAME ANY response, can have data after CNAME */ 468 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 469 while(rrset && rrset->section == 470 LDNS_SECTION_ANSWER && 471 dname_pkt_compare(pkt, oldsname, 472 rrset->dname) == 0) { 473 prev = rrset; 474 rrset = rrset->rrset_all_next; 475 } 476 } 477 continue; 478 } 479 480 /* Otherwise, make sure that the RRset matches the qtype. */ 481 if(qinfo->qtype != LDNS_RR_TYPE_ANY && 482 qinfo->qtype != rrset->type) { 483 remove_rrset("normalize: removing irrelevant RRset:", 484 pkt, msg, prev, &rrset); 485 continue; 486 } 487 488 /* Mark the additional names from relevant rrset as OK. */ 489 /* only for RRsets that match the query name, other ones 490 * will be removed by sanitize, so no additional for them */ 491 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) 492 mark_additional_rrset(pkt, msg, rrset); 493 494 prev = rrset; 495 rrset = rrset->rrset_all_next; 496 } 497 498 /* Mark additional names from AUTHORITY */ 499 while(rrset && rrset->section == LDNS_SECTION_AUTHORITY) { 500 if(rrset->type==LDNS_RR_TYPE_DNAME || 501 rrset->type==LDNS_RR_TYPE_CNAME || 502 rrset->type==LDNS_RR_TYPE_A || 503 rrset->type==LDNS_RR_TYPE_AAAA) { 504 remove_rrset("normalize: removing irrelevant " 505 "RRset:", pkt, msg, prev, &rrset); 506 continue; 507 } 508 /* only one NS set allowed in authority section */ 509 if(rrset->type==LDNS_RR_TYPE_NS) { 510 /* NS set must be pertinent to the query */ 511 if(!sub_of_pkt(pkt, qinfo->qname, rrset->dname)) { 512 remove_rrset("normalize: removing irrelevant " 513 "RRset:", pkt, msg, prev, &rrset); 514 continue; 515 } 516 /* we don't want NS sets for NXDOMAIN answers, 517 * because they could contain poisonous contents, 518 * from. eg. fragmentation attacks, inserted after 519 * long RRSIGs in the packet get to the packet 520 * border and such */ 521 /* also for NODATA answers */ 522 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN || 523 (FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR 524 && soa_in_auth(msg) && msg->an_rrsets == 0)) { 525 remove_rrset("normalize: removing irrelevant " 526 "RRset:", pkt, msg, prev, &rrset); 527 continue; 528 } 529 if(nsset == NULL) { 530 nsset = rrset; 531 } else { 532 remove_rrset("normalize: removing irrelevant " 533 "RRset:", pkt, msg, prev, &rrset); 534 continue; 535 } 536 } 537 /* if this is type DS and we query for type DS we just got 538 * a referral answer for our type DS query, fix packet */ 539 if(rrset->type==LDNS_RR_TYPE_DS && 540 qinfo->qtype == LDNS_RR_TYPE_DS && 541 dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) { 542 rrset->section = LDNS_SECTION_ANSWER; 543 msg->ancount = rrset->rr_count + rrset->rrsig_count; 544 msg->nscount = 0; 545 msg->arcount = 0; 546 msg->an_rrsets = 1; 547 msg->ns_rrsets = 0; 548 msg->ar_rrsets = 0; 549 msg->rrset_count = 1; 550 msg->rrset_first = rrset; 551 msg->rrset_last = rrset; 552 rrset->rrset_all_next = NULL; 553 return 1; 554 } 555 mark_additional_rrset(pkt, msg, rrset); 556 prev = rrset; 557 rrset = rrset->rrset_all_next; 558 } 559 560 /* For each record in the additional section, remove it if it is an 561 * address record and not in the collection of additional names 562 * found in ANSWER and AUTHORITY. */ 563 /* These records have not been marked OK previously */ 564 while(rrset && rrset->section == LDNS_SECTION_ADDITIONAL) { 565 /* FIXME: what about other types? */ 566 if(rrset->type==LDNS_RR_TYPE_A || 567 rrset->type==LDNS_RR_TYPE_AAAA) 568 { 569 if((rrset->flags & RRSET_SCRUB_OK)) { 570 /* remove flag to clean up flags variable */ 571 rrset->flags &= ~RRSET_SCRUB_OK; 572 } else { 573 remove_rrset("normalize: removing irrelevant " 574 "RRset:", pkt, msg, prev, &rrset); 575 continue; 576 } 577 } 578 if(rrset->type==LDNS_RR_TYPE_DNAME || 579 rrset->type==LDNS_RR_TYPE_CNAME || 580 rrset->type==LDNS_RR_TYPE_NS) { 581 remove_rrset("normalize: removing irrelevant " 582 "RRset:", pkt, msg, prev, &rrset); 583 continue; 584 } 585 prev = rrset; 586 rrset = rrset->rrset_all_next; 587 } 588 589 return 1; 590 } 591 592 /** 593 * Store potential poison in the cache (only if hardening disabled). 594 * The rrset is stored in the cache but removed from the message. 595 * So that it will be used for infrastructure purposes, but not be 596 * returned to the client. 597 * @param pkt: packet 598 * @param msg: message parsed 599 * @param env: environment with cache 600 * @param rrset: to store. 601 */ 602 static void 603 store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env, 604 struct rrset_parse* rrset) 605 { 606 struct ub_packed_rrset_key* k; 607 struct packed_rrset_data* d; 608 struct rrset_ref ref; 609 time_t now = *env->now; 610 611 k = alloc_special_obtain(env->alloc); 612 if(!k) 613 return; 614 k->entry.data = NULL; 615 if(!parse_copy_decompress_rrset(pkt, msg, rrset, NULL, k)) { 616 alloc_special_release(env->alloc, k); 617 return; 618 } 619 d = (struct packed_rrset_data*)k->entry.data; 620 packed_rrset_ttl_add(d, now); 621 ref.key = k; 622 ref.id = k->id; 623 /*ignore ret: it was in the cache, ref updated */ 624 (void)rrset_cache_update(env->rrset_cache, &ref, env->alloc, now); 625 } 626 627 /** 628 * Check if right hand name in NSEC is within zone 629 * @param rrset: the NSEC rrset 630 * @param zonename: the zone name. 631 * @return true if BAD. 632 */ 633 static int sanitize_nsec_is_overreach(struct rrset_parse* rrset, 634 uint8_t* zonename) 635 { 636 struct rr_parse* rr; 637 uint8_t* rhs; 638 size_t len; 639 log_assert(rrset->type == LDNS_RR_TYPE_NSEC); 640 for(rr = rrset->rr_first; rr; rr = rr->next) { 641 rhs = rr->ttl_data+4+2; 642 len = sldns_read_uint16(rr->ttl_data+4); 643 if(!dname_valid(rhs, len)) { 644 /* malformed domain name in rdata */ 645 return 1; 646 } 647 if(!dname_subdomain_c(rhs, zonename)) { 648 /* overreaching */ 649 return 1; 650 } 651 } 652 /* all NSEC RRs OK */ 653 return 0; 654 } 655 656 /** 657 * Given a response event, remove suspect RRsets from the response. 658 * "Suspect" rrsets are potentially poison. Note that this routine expects 659 * the response to be in a "normalized" state -- that is, all "irrelevant" 660 * RRsets have already been removed, CNAMEs are in order, etc. 661 * 662 * @param pkt: packet. 663 * @param msg: msg to normalize. 664 * @param qinfo: the question originally asked. 665 * @param zonename: name of server zone. 666 * @param env: module environment with config and cache. 667 * @param ie: iterator environment with private address data. 668 * @return 0 on error. 669 */ 670 static int 671 scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, 672 struct query_info* qinfo, uint8_t* zonename, struct module_env* env, 673 struct iter_env* ie) 674 { 675 int del_addi = 0; /* if additional-holding rrsets are deleted, we 676 do not trust the normalized additional-A-AAAA any more */ 677 struct rrset_parse* rrset, *prev; 678 prev = NULL; 679 rrset = msg->rrset_first; 680 681 /* the first DNAME is allowed to stay. It needs checking before 682 * it can be used from the cache. After normalization, an initial 683 * DNAME will have a correctly synthesized CNAME after it. */ 684 if(rrset && rrset->type == LDNS_RR_TYPE_DNAME && 685 rrset->section == LDNS_SECTION_ANSWER && 686 pkt_strict_sub(pkt, qinfo->qname, rrset->dname) && 687 pkt_sub(pkt, rrset->dname, zonename)) { 688 prev = rrset; /* DNAME allowed to stay in answer section */ 689 rrset = rrset->rrset_all_next; 690 } 691 692 /* remove all records from the answer section that are 693 * not the same domain name as the query domain name. 694 * The answer section should contain rrsets with the same name 695 * as the question. For DNAMEs a CNAME has been synthesized. 696 * Wildcards have the query name in answer section. 697 * ANY queries get query name in answer section. 698 * Remainders of CNAME chains are cut off and resolved by iterator. */ 699 while(rrset && rrset->section == LDNS_SECTION_ANSWER) { 700 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) != 0) { 701 if(has_additional(rrset->type)) del_addi = 1; 702 remove_rrset("sanitize: removing extraneous answer " 703 "RRset:", pkt, msg, prev, &rrset); 704 continue; 705 } 706 prev = rrset; 707 rrset = rrset->rrset_all_next; 708 } 709 710 /* At this point, we brutally remove ALL rrsets that aren't 711 * children of the originating zone. The idea here is that, 712 * as far as we know, the server that we contacted is ONLY 713 * authoritative for the originating zone. It, of course, MAY 714 * be authoritative for any other zones, and of course, MAY 715 * NOT be authoritative for some subdomains of the originating 716 * zone. */ 717 prev = NULL; 718 rrset = msg->rrset_first; 719 while(rrset) { 720 721 /* remove private addresses */ 722 if( (rrset->type == LDNS_RR_TYPE_A || 723 rrset->type == LDNS_RR_TYPE_AAAA)) { 724 725 /* do not set servfail since this leads to too 726 * many drops of other people using rfc1918 space */ 727 /* also do not remove entire rrset, unless all records 728 * in it are bad */ 729 if(priv_rrset_bad(ie->priv, pkt, rrset)) { 730 remove_rrset(NULL, pkt, msg, prev, &rrset); 731 continue; 732 } 733 } 734 735 /* skip DNAME records -- they will always be followed by a 736 * synthesized CNAME, which will be relevant. 737 * FIXME: should this do something differently with DNAME 738 * rrsets NOT in Section.ANSWER? */ 739 /* But since DNAME records are also subdomains of the zone, 740 * same check can be used */ 741 742 if(!pkt_sub(pkt, rrset->dname, zonename)) { 743 if(msg->an_rrsets == 0 && 744 rrset->type == LDNS_RR_TYPE_NS && 745 rrset->section == LDNS_SECTION_AUTHORITY && 746 FLAGS_GET_RCODE(msg->flags) == 747 LDNS_RCODE_NOERROR && !soa_in_auth(msg) && 748 sub_of_pkt(pkt, zonename, rrset->dname)) { 749 /* noerror, nodata and this NS rrset is above 750 * the zone. This is LAME! 751 * Leave in the NS for lame classification. */ 752 /* remove everything from the additional 753 * (we dont want its glue that was approved 754 * during the normalize action) */ 755 del_addi = 1; 756 } else if(!env->cfg->harden_glue && ( 757 rrset->type == LDNS_RR_TYPE_A || 758 rrset->type == LDNS_RR_TYPE_AAAA)) { 759 /* store in cache! Since it is relevant 760 * (from normalize) it will be picked up 761 * from the cache to be used later */ 762 store_rrset(pkt, msg, env, rrset); 763 remove_rrset("sanitize: storing potential " 764 "poison RRset:", pkt, msg, prev, &rrset); 765 continue; 766 } else { 767 if(has_additional(rrset->type)) del_addi = 1; 768 remove_rrset("sanitize: removing potential " 769 "poison RRset:", pkt, msg, prev, &rrset); 770 continue; 771 } 772 } 773 if(del_addi && rrset->section == LDNS_SECTION_ADDITIONAL) { 774 remove_rrset("sanitize: removing potential " 775 "poison reference RRset:", pkt, msg, prev, &rrset); 776 continue; 777 } 778 /* check if right hand side of NSEC is within zone */ 779 if(rrset->type == LDNS_RR_TYPE_NSEC && 780 sanitize_nsec_is_overreach(rrset, zonename)) { 781 remove_rrset("sanitize: removing overreaching NSEC " 782 "RRset:", pkt, msg, prev, &rrset); 783 continue; 784 } 785 prev = rrset; 786 rrset = rrset->rrset_all_next; 787 } 788 return 1; 789 } 790 791 int 792 scrub_message(sldns_buffer* pkt, struct msg_parse* msg, 793 struct query_info* qinfo, uint8_t* zonename, struct regional* region, 794 struct module_env* env, struct iter_env* ie) 795 { 796 /* basic sanity checks */ 797 log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS, 798 qinfo->qclass); 799 if(msg->qdcount > 1) 800 return 0; 801 if( !(msg->flags&BIT_QR) ) 802 return 0; 803 msg->flags &= ~(BIT_AD|BIT_Z); /* force off bit AD and Z */ 804 805 /* make sure that a query is echoed back when NOERROR or NXDOMAIN */ 806 /* this is not required for basic operation but is a forgery 807 * resistance (security) feature */ 808 if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR || 809 FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) && 810 msg->qdcount == 0) 811 return 0; 812 813 /* if a query is echoed back, make sure it is correct. Otherwise, 814 * this may be not a reply to our query. */ 815 if(msg->qdcount == 1) { 816 if(dname_pkt_compare(pkt, msg->qname, qinfo->qname) != 0) 817 return 0; 818 if(msg->qtype != qinfo->qtype || msg->qclass != qinfo->qclass) 819 return 0; 820 } 821 822 /* normalize the response, this cleans up the additional. */ 823 if(!scrub_normalize(pkt, msg, qinfo, region)) 824 return 0; 825 /* delete all out-of-zone information */ 826 if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie)) 827 return 0; 828 return 1; 829 } 830