1 /* 2 * smallapp/unbound-host.c - replacement for host that supports validation. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file performs functionality like 'host', and also supports validation. 40 * It uses the libunbound library. 41 */ 42 43 #include "config.h" 44 #ifdef HAVE_GETOPT_H 45 #include <getopt.h> 46 #endif 47 /* remove alloc checks, not in this part of the code */ 48 #ifdef UNBOUND_ALLOC_STATS 49 #undef malloc 50 #undef calloc 51 #undef free 52 #undef realloc 53 #undef reallocarray 54 #undef strdup 55 #endif 56 #ifdef UNBOUND_ALLOC_LITE 57 #undef malloc 58 #undef calloc 59 #undef free 60 #undef realloc 61 #undef strdup 62 #define unbound_lite_wrapstr(s) s 63 #endif 64 #include "libunbound/unbound.h" 65 #include "sldns/rrdef.h" 66 #include "sldns/wire2str.h" 67 #ifdef HAVE_NSS 68 /* nss3 */ 69 #include "nss.h" 70 #endif 71 #ifdef HAVE_SSL 72 #ifdef HAVE_OPENSSL_SSL_H 73 #include <openssl/ssl.h> 74 #endif 75 #ifdef HAVE_OPENSSL_ERR_H 76 #include <openssl/err.h> 77 #endif 78 #endif /* HAVE_SSL */ 79 80 /** verbosity for unbound-host app */ 81 static int verb = 0; 82 83 /** Give unbound-host usage, and exit (1). */ 84 static void 85 usage(void) 86 { 87 printf("Usage: unbound-host [-C configfile] [-vdhr46] [-c class] [-t type]\n"); 88 printf(" [-y key] [-f keyfile] [-F namedkeyfile] hostname\n"); 89 printf(" Queries the DNS for information.\n"); 90 printf(" The hostname is looked up for IP4, IP6 and mail.\n"); 91 printf(" If an ip-address is given a reverse lookup is done.\n"); 92 printf(" Use the -v option to see DNSSEC security information.\n"); 93 printf(" -t type what type to look for.\n"); 94 printf(" -c class what class to look for, if not class IN.\n"); 95 printf(" -y 'keystring' specify trust anchor, DS or DNSKEY, like\n"); 96 printf(" -y 'example.com DS 31560 5 1 1CFED8478...'\n"); 97 printf(" -D DNSSEC enable with default root anchor\n"); 98 printf(" from %s\n", ROOT_ANCHOR_FILE); 99 printf(" -f keyfile read trust anchors from file, with lines as -y.\n"); 100 printf(" -F keyfile read named.conf-style trust anchors.\n"); 101 printf(" -C config use the specified unbound.conf (none read by default)\n"); 102 printf(" pass as first argument if you want to override some\n"); 103 printf(" options with further arguments\n"); 104 printf(" -r read forwarder information from /etc/resolv.conf\n"); 105 printf(" breaks validation if the forwarder does not do DNSSEC.\n"); 106 printf(" -v be more verbose, shows nodata and security.\n"); 107 printf(" -d debug, traces the action, -d -d shows more.\n"); 108 printf(" -4 use ipv4 network, avoid ipv6.\n"); 109 printf(" -6 use ipv6 network, avoid ipv4.\n"); 110 printf(" -h show this usage help.\n"); 111 printf("Version %s\n", PACKAGE_VERSION); 112 printf("BSD licensed, see LICENSE in source package for details.\n"); 113 printf("Report bugs to %s\n", PACKAGE_BUGREPORT); 114 exit(1); 115 } 116 117 /** determine if str is ip4 and put into reverse lookup format */ 118 static int 119 isip4(const char* nm, char** res) 120 { 121 struct in_addr addr; 122 /* ddd.ddd.ddd.ddd.in-addr.arpa. is less than 32 */ 123 char buf[32]; 124 if(inet_pton(AF_INET, nm, &addr) <= 0) { 125 return 0; 126 } 127 snprintf(buf, sizeof(buf), "%u.%u.%u.%u.in-addr.arpa", 128 (unsigned)((uint8_t*)&addr)[3], (unsigned)((uint8_t*)&addr)[2], 129 (unsigned)((uint8_t*)&addr)[1], (unsigned)((uint8_t*)&addr)[0]); 130 *res = strdup(buf); 131 return 1; 132 } 133 134 /** determine if str is ip6 and put into reverse lookup format */ 135 static int 136 isip6(const char* nm, char** res) 137 { 138 struct in6_addr addr; 139 /* [nibble.]{32}.ip6.arpa. is less than 128 */ 140 const char* hex = "0123456789abcdef"; 141 char buf[128]; 142 char *p; 143 int i; 144 if(inet_pton(AF_INET6, nm, &addr) <= 0) { 145 return 0; 146 } 147 p = buf; 148 for(i=15; i>=0; i--) { 149 uint8_t b = ((uint8_t*)&addr)[i]; 150 *p++ = hex[ (b&0x0f) ]; 151 *p++ = '.'; 152 *p++ = hex[ (b&0xf0) >> 4 ]; 153 *p++ = '.'; 154 } 155 snprintf(buf+16*4, sizeof(buf)-16*4, "ip6.arpa"); 156 *res = strdup(buf); 157 if(!*res) { 158 fprintf(stderr, "error: out of memory\n"); 159 exit(1); 160 } 161 return 1; 162 } 163 164 /** massage input name */ 165 static char* 166 massage_qname(const char* nm, int* reverse) 167 { 168 /* recognise IP4 and IP6, create reverse addresses if needed */ 169 char* res; 170 if(isip4(nm, &res)) { 171 *reverse = 1; 172 } else if(isip6(nm, &res)) { 173 *reverse = 1; 174 } else { 175 res = strdup(nm); 176 } 177 if(!res) { 178 fprintf(stderr, "error: out of memory\n"); 179 exit(1); 180 } 181 return res; 182 } 183 184 /** massage input type */ 185 static int 186 massage_type(const char* t, int reverse, int* multi) 187 { 188 if(t) { 189 int r = sldns_get_rr_type_by_name(t); 190 if(r == 0 && strcasecmp(t, "TYPE0") != 0 && 191 strcmp(t, "") != 0) { 192 fprintf(stderr, "error unknown type %s\n", t); 193 exit(1); 194 } 195 return r; 196 } 197 if(!t && reverse) 198 return LDNS_RR_TYPE_PTR; 199 *multi = 1; 200 return LDNS_RR_TYPE_A; 201 } 202 203 /** massage input class */ 204 static int 205 massage_class(const char* c) 206 { 207 if(c) { 208 int r = sldns_get_rr_class_by_name(c); 209 if(r == 0 && strcasecmp(c, "CLASS0") != 0 && 210 strcmp(c, "") != 0) { 211 fprintf(stderr, "error unknown class %s\n", c); 212 exit(1); 213 } 214 return r; 215 } 216 return LDNS_RR_CLASS_IN; 217 } 218 219 /** nice security status string */ 220 static const char* 221 secure_str(struct ub_result* result) 222 { 223 if(result->rcode != 0 && result->rcode != 3) return "(error)"; 224 if(result->secure) return "(secure)"; 225 if(result->bogus) return "(BOGUS (security failure))"; 226 return "(insecure)"; 227 } 228 229 /** nice string for type */ 230 static void 231 pretty_type(char* s, size_t len, int t) 232 { 233 char d[16]; 234 sldns_wire2str_type_buf((uint16_t)t, d, sizeof(d)); 235 snprintf(s, len, "%s", d); 236 } 237 238 /** nice string for class */ 239 static void 240 pretty_class(char* s, size_t len, int c) 241 { 242 char d[16]; 243 sldns_wire2str_class_buf((uint16_t)c, d, sizeof(d)); 244 snprintf(s, len, "%s", d); 245 } 246 247 /** nice string for rcode */ 248 static void 249 pretty_rcode(char* s, size_t len, int r) 250 { 251 char d[16]; 252 sldns_wire2str_rcode_buf(r, d, sizeof(d)); 253 snprintf(s, len, "%s", d); 254 } 255 256 /** convert and print rdata */ 257 static void 258 print_rd(int t, char* data, size_t len) 259 { 260 char s[65535]; 261 sldns_wire2str_rdata_buf((uint8_t*)data, len, s, sizeof(s), (uint16_t)t); 262 printf(" %s", s); 263 } 264 265 /** pretty line of RR data for results */ 266 static void 267 pretty_rdata(char* q, char* cstr, char* tstr, int t, const char* sec, 268 char* data, size_t len) 269 { 270 printf("%s", q); 271 if(strcmp(cstr, "IN") != 0) 272 printf(" in class %s", cstr); 273 if(t == LDNS_RR_TYPE_A) 274 printf(" has address"); 275 else if(t == LDNS_RR_TYPE_AAAA) 276 printf(" has IPv6 address"); 277 else if(t == LDNS_RR_TYPE_MX) 278 printf(" mail is handled by"); 279 else if(t == LDNS_RR_TYPE_PTR) 280 printf(" domain name pointer"); 281 else printf(" has %s record", tstr); 282 print_rd(t, data, len); 283 if(verb > 0) 284 printf(" %s", sec); 285 printf("\n"); 286 } 287 288 /** pretty line of output for results */ 289 static void 290 pretty_output(char* q, int t, int c, struct ub_result* result, int docname) 291 { 292 int i; 293 const char *secstatus = secure_str(result); 294 char tstr[16]; 295 char cstr[16]; 296 char rcodestr[16]; 297 pretty_type(tstr, 16, t); 298 pretty_class(cstr, 16, c); 299 pretty_rcode(rcodestr, 16, result->rcode); 300 301 if(!result->havedata && result->rcode) { 302 printf("Host %s not found: %d(%s).", 303 q, result->rcode, rcodestr); 304 if(verb > 0) 305 printf(" %s", secstatus); 306 printf("\n"); 307 if(result->bogus && result->why_bogus) 308 printf("%s\n", result->why_bogus); 309 return; 310 } 311 if(docname && result->canonname && 312 result->canonname != result->qname) { 313 printf("%s is an alias for %s", result->qname, 314 result->canonname); 315 if(verb > 0) 316 printf(" %s", secstatus); 317 printf("\n"); 318 } 319 /* remove trailing . from long canonnames for nicer output */ 320 if(result->canonname && strlen(result->canonname) > 1 && 321 result->canonname[strlen(result->canonname)-1] == '.') 322 result->canonname[strlen(result->canonname)-1] = 0; 323 if(!result->havedata) { 324 if(verb > 0) { 325 printf("%s", result->canonname?result->canonname:q); 326 if(strcmp(cstr, "IN") != 0) 327 printf(" in class %s", cstr); 328 if(t == LDNS_RR_TYPE_A) 329 printf(" has no address"); 330 else if(t == LDNS_RR_TYPE_AAAA) 331 printf(" has no IPv6 address"); 332 else if(t == LDNS_RR_TYPE_PTR) 333 printf(" has no domain name ptr"); 334 else if(t == LDNS_RR_TYPE_MX) 335 printf(" has no mail handler record"); 336 else if(t == LDNS_RR_TYPE_ANY) { 337 char* s = sldns_wire2str_pkt( 338 result->answer_packet, 339 (size_t)result->answer_len); 340 if(!s) { 341 fprintf(stderr, "alloc failure\n"); 342 exit(1); 343 } 344 printf("%s\n", s); 345 free(s); 346 } else printf(" has no %s record", tstr); 347 printf(" %s\n", secstatus); 348 } 349 /* else: emptiness to indicate no data */ 350 if(result->bogus && result->why_bogus) 351 printf("%s\n", result->why_bogus); 352 return; 353 } 354 i=0; 355 while(result->data[i]) 356 { 357 pretty_rdata( 358 result->canonname?result->canonname:q, 359 cstr, tstr, t, secstatus, result->data[i], 360 (size_t)result->len[i]); 361 i++; 362 } 363 if(result->bogus && result->why_bogus) 364 printf("%s\n", result->why_bogus); 365 } 366 367 /** perform a lookup and printout return if domain existed */ 368 static int 369 dnslook(struct ub_ctx* ctx, char* q, int t, int c, int docname) 370 { 371 int ret; 372 struct ub_result* result; 373 374 ret = ub_resolve(ctx, q, t, c, &result); 375 if(ret != 0) { 376 fprintf(stderr, "resolve error: %s\n", ub_strerror(ret)); 377 exit(1); 378 } 379 pretty_output(q, t, c, result, docname); 380 ret = result->nxdomain; 381 ub_resolve_free(result); 382 return ret; 383 } 384 385 /** perform host lookup */ 386 static void 387 lookup(struct ub_ctx* ctx, const char* nm, const char* qt, const char* qc) 388 { 389 /* massage input into a query name, type and class */ 390 int multi = 0; /* no type, so do A, AAAA, MX */ 391 int reverse = 0; /* we are doing a reverse lookup */ 392 char* realq = massage_qname(nm, &reverse); 393 int t = massage_type(qt, reverse, &multi); 394 int c = massage_class(qc); 395 396 /* perform the query */ 397 if(multi) { 398 if(!dnslook(ctx, realq, LDNS_RR_TYPE_A, c, 1)) { 399 /* domain exists, lookup more */ 400 (void)dnslook(ctx, realq, LDNS_RR_TYPE_AAAA, c, 0); 401 (void)dnslook(ctx, realq, LDNS_RR_TYPE_MX, c, 0); 402 } 403 } else { 404 (void)dnslook(ctx, realq, t, c, 1); 405 } 406 ub_ctx_delete(ctx); 407 free(realq); 408 } 409 410 /** print error if any */ 411 static void 412 check_ub_res(int r) 413 { 414 if(r != 0) { 415 fprintf(stderr, "error: %s\n", ub_strerror(r)); 416 exit(1); 417 } 418 } 419 420 /** getopt global, in case header files fail to declare it. */ 421 extern int optind; 422 /** getopt global, in case header files fail to declare it. */ 423 extern char* optarg; 424 425 /** Main routine for unbound-host */ 426 int main(int argc, char* argv[]) 427 { 428 int c; 429 char* qclass = NULL; 430 char* qtype = NULL; 431 char* use_syslog = NULL; 432 struct ub_ctx* ctx = NULL; 433 int debuglevel = 0; 434 435 ctx = ub_ctx_create(); 436 if(!ctx) { 437 fprintf(stderr, "error: out of memory\n"); 438 exit(1); 439 } 440 /* no need to fetch additional targets, we only do few lookups */ 441 check_ub_res(ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0")); 442 443 /* parse the options */ 444 while( (c=getopt(argc, argv, "46DF:c:df:hrt:vy:C:")) != -1) { 445 switch(c) { 446 case '4': 447 check_ub_res(ub_ctx_set_option(ctx, "do-ip6:", "no")); 448 break; 449 case '6': 450 check_ub_res(ub_ctx_set_option(ctx, "do-ip4:", "no")); 451 break; 452 case 'c': 453 qclass = optarg; 454 break; 455 case 'C': 456 check_ub_res(ub_ctx_config(ctx, optarg)); 457 break; 458 case 'D': 459 check_ub_res(ub_ctx_add_ta_file(ctx, ROOT_ANCHOR_FILE)); 460 break; 461 case 'd': 462 debuglevel++; 463 if(debuglevel < 2) 464 debuglevel = 2; /* at least VERB_DETAIL */ 465 break; 466 case 'r': 467 check_ub_res(ub_ctx_resolvconf(ctx, "/etc/resolv.conf")); 468 break; 469 case 't': 470 qtype = optarg; 471 break; 472 case 'v': 473 verb++; 474 break; 475 case 'y': 476 check_ub_res(ub_ctx_add_ta(ctx, optarg)); 477 break; 478 case 'f': 479 check_ub_res(ub_ctx_add_ta_file(ctx, optarg)); 480 break; 481 case 'F': 482 check_ub_res(ub_ctx_trustedkeys(ctx, optarg)); 483 break; 484 case '?': 485 case 'h': 486 default: 487 ub_ctx_delete(ctx); 488 usage(); 489 } 490 } 491 if(debuglevel != 0) /* set after possible -C options */ 492 check_ub_res(ub_ctx_debuglevel(ctx, debuglevel)); 493 if(ub_ctx_get_option(ctx, "use-syslog", &use_syslog) == 0) { 494 if(strcmp(use_syslog, "yes") == 0) /* disable use-syslog */ 495 check_ub_res(ub_ctx_set_option(ctx, 496 "use-syslog:", "no")); 497 #ifdef UNBOUND_ALLOC_STATS 498 unbound_stat_free_log(use_syslog, __FILE__, __LINE__, __func__); 499 #else 500 free(use_syslog); 501 #endif 502 } 503 argc -= optind; 504 argv += optind; 505 if(argc != 1) { 506 ub_ctx_delete(ctx); 507 usage(); 508 } 509 510 #ifdef HAVE_SSL 511 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS 512 ERR_load_crypto_strings(); 513 #endif 514 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 515 ERR_load_SSL_strings(); 516 #endif 517 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) 518 # ifndef S_SPLINT_S 519 OpenSSL_add_all_algorithms(); 520 # endif 521 #else 522 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS 523 | OPENSSL_INIT_ADD_ALL_DIGESTS 524 | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 525 #endif 526 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 527 (void)SSL_library_init(); 528 #else 529 (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); 530 #endif 531 #endif /* HAVE_SSL */ 532 #ifdef HAVE_NSS 533 if(NSS_NoDB_Init(".") != SECSuccess) { 534 fprintf(stderr, "could not init NSS\n"); 535 return 1; 536 } 537 #endif 538 lookup(ctx, argv[0], qtype, qclass); 539 return 0; 540 } 541