iter_scrub.c File Reference

This file has routine(s) for cleaning up incoming DNS messages from possible useless or malicious junk in it. More...

#include "config.h"
#include "iterator/iter_scrub.h"
#include "iterator/iterator.h"
#include "iterator/iter_priv.h"
#include "services/cache/rrset.h"
#include "util/log.h"
#include "util/net_help.h"
#include "util/regional.h"
#include "util/config_file.h"
#include "util/module.h"
#include "util/data/msgparse.h"
#include "util/data/dname.h"
#include "util/data/msgreply.h"
#include "util/alloc.h"

Defines

#define RRSET_SCRUB_OK   0x80
 RRset flag used during scrubbing.

Functions

static void remove_rrset (const char *str, ldns_buffer *pkt, struct msg_parse *msg, struct rrset_parse *prev, struct rrset_parse **rrset)
 remove rrset, update loop variables
static int has_additional (uint16_t t)
 return true if rr type has additional names in it
static int get_additional_name (struct rrset_parse *rrset, struct rr_parse *rr, uint8_t **nm, size_t *nmlen, ldns_buffer *pkt)
 get additional name from rrset RR, return false if no name present
static void mark_additional_rrset (ldns_buffer *pkt, struct msg_parse *msg, struct rrset_parse *rrset)
 Place mark on rrsets in additional section they are OK.
static int parse_get_cname_target (struct rrset_parse *rrset, uint8_t **sname, size_t *snamelen)
 Get target name of a CNAME.
static int synth_cname (uint8_t *qname, size_t qnamelen, struct rrset_parse *dname_rrset, uint8_t *alias, size_t *aliaslen, ldns_buffer *pkt)
 Synthesize CNAME from DNAME, false if too long.
static struct rrset_parsesynth_cname_rrset (uint8_t **sname, size_t *snamelen, uint8_t *alias, size_t aliaslen, struct regional *region, struct msg_parse *msg, struct rrset_parse *rrset, struct rrset_parse *prev, struct rrset_parse *nx, ldns_buffer *pkt)
 synthesize a CNAME rrset
static int pkt_strict_sub (ldns_buffer *pkt, uint8_t *sname, uint8_t *dr)
 check if DNAME applies to a name
static int pkt_sub (ldns_buffer *pkt, uint8_t *comprname, uint8_t *zone)
 check subdomain with decompression
static int scrub_normalize (ldns_buffer *pkt, struct msg_parse *msg, struct query_info *qinfo, struct regional *region)
 This routine normalizes a response.
static void store_rrset (ldns_buffer *pkt, struct msg_parse *msg, struct module_env *env, struct rrset_parse *rrset)
 Store potential poison in the cache (only if hardening disabled).
static int sanitize_nsec_is_overreach (struct rrset_parse *rrset, uint8_t *zonename)
 Check if right hand name in NSEC is within zone.
static int scrub_sanitize (ldns_buffer *pkt, struct msg_parse *msg, struct query_info *qinfo, uint8_t *zonename, struct module_env *env, struct iter_env *ie)
 Given a response event, remove suspect RRsets from the response.
int scrub_message (ldns_buffer *pkt, struct msg_parse *msg, struct query_info *qinfo, uint8_t *zonename, struct regional *region, struct module_env *env, struct iter_env *ie)
 Cleanup the passed dns message.


Detailed Description

This file has routine(s) for cleaning up incoming DNS messages from possible useless or malicious junk in it.


Define Documentation

#define RRSET_SCRUB_OK   0x80

RRset flag used during scrubbing.

The RRset is OK.

Referenced by mark_additional_rrset(), and scrub_normalize().


Function Documentation

static int scrub_normalize ( ldns_buffer *  pkt,
struct msg_parse msg,
struct query_info qinfo,
struct regional region 
) [static]

This routine normalizes a response.

This includes removing "irrelevant" records from the answer and additional sections and (re)synthesizing CNAMEs from DNAMEs, if present.

Parameters:
pkt,: packet.
msg,: msg to normalize.
qinfo,: original query.
region,: where to allocate synthesized CNAMEs.
Returns:
0 on error.

References rrset_parse::dname, dname_pkt_compare(), rrset_parse::flags, msg_parse::flags, FLAGS_GET_RCODE, FLAGS_SET_RCODE, log_err(), mark_additional_rrset(), parse_get_cname_target(), pkt_strict_sub(), query_info::qname, query_info::qname_len, query_info::qtype, remove_rrset(), rrset_parse::rr_count, rrset_parse::rrset_all_next, msg_parse::rrset_first, RRSET_SCRUB_OK, rrset_parse::section, synth_cname(), synth_cname_rrset(), rrset_parse::type, VERB_ALGO, and verbose().

Referenced by scrub_message().

static void store_rrset ( ldns_buffer *  pkt,
struct msg_parse msg,
struct module_env env,
struct rrset_parse rrset 
) [static]

Store potential poison in the cache (only if hardening disabled).

The rrset is stored in the cache but removed from the message. So that it will be used for infrastructure purposes, but not be returned to the client.

Parameters:
pkt,: packet
msg,: message parsed
env,: environment with cache
rrset,: to store.

References module_env::alloc, alloc_special_obtain(), alloc_special_release(), lruhash_entry::data, ub_packed_rrset_key::entry, ub_packed_rrset_key::id, rrset_ref::id, rrset_ref::key, module_env::now, packed_rrset_ttl_add(), parse_copy_decompress_rrset(), module_env::rrset_cache, and rrset_cache_update().

Referenced by scrub_sanitize().

static int sanitize_nsec_is_overreach ( struct rrset_parse rrset,
uint8_t *  zonename 
) [static]

Check if right hand name in NSEC is within zone.

Parameters:
rrset,: the NSEC rrset
zonename,: the zone name.
Returns:
true if BAD.

References dname_subdomain_c(), dname_valid(), log_assert, rr_parse::next, rrset_parse::rr_first, rr_parse::ttl_data, and rrset_parse::type.

Referenced by scrub_sanitize().

static int scrub_sanitize ( ldns_buffer *  pkt,
struct msg_parse msg,
struct query_info qinfo,
uint8_t *  zonename,
struct module_env env,
struct iter_env ie 
) [static]

Given a response event, remove suspect RRsets from the response.

"Suspect" rrsets are potentially poison. Note that this routine expects the response to be in a "normalized" state -- that is, all "irrelevant" RRsets have already been removed, CNAMEs are in order, etc.

Parameters:
pkt,: packet.
msg,: msg to normalize.
qinfo,: the question originally asked.
zonename,: name of server zone.
env,: module environment with config and cache.
ie,: iterator environment with private address data.
Returns:
0 on error.

References msg_parse::an_rrsets, module_env::cfg, rrset_parse::dname, dname_pkt_compare(), msg_parse::flags, FLAGS_GET_RCODE, FLAGS_SET_RCODE, config_file::harden_glue, pkt_strict_sub(), pkt_sub(), iter_env::priv, priv_rrset_bad(), query_info::qname, remove_rrset(), rrset_parse::rrset_all_next, msg_parse::rrset_first, sanitize_nsec_is_overreach(), rrset_parse::section, store_rrset(), and rrset_parse::type.

Referenced by scrub_message().

int scrub_message ( ldns_buffer *  pkt,
struct msg_parse msg,
struct query_info qinfo,
uint8_t *  zonename,
struct regional regional,
struct module_env env,
struct iter_env ie 
)

Cleanup the passed dns message.

Parameters:
pkt,: the packet itself, for resolving name compression pointers. the packet buffer is unaltered.
msg,: the parsed packet, this structure is cleaned up.
qinfo,: the query info that was sent to the server. Checked.
zonename,: the name of the last delegation point. Used to determine out of bailiwick information.
regional,: where to allocate (new) parts of the message.
env,: module environment with config settings and cache.
ie,: iterator module environment data.
Returns:
: false if the message is total waste. true if scrubbed with success.

References BIT_QR, dname_pkt_compare(), msg_parse::flags, FLAGS_GET_RCODE, log_nametypeclass(), msg_parse::qclass, query_info::qclass, msg_parse::qdcount, query_info::qname, msg_parse::qname, query_info::qtype, msg_parse::qtype, scrub_normalize(), scrub_sanitize(), and VERB_ALGO.

Referenced by process_response().


Generated on Tue Oct 13 06:46:30 2009 for unbound by  doxygen 1.5.9