1/* 2 * iterator/iter_scrub.c - scrubbing, normalization, sanitization of DNS msgs. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file has routine(s) for cleaning up incoming DNS messages from 40 * possible useless or malicious junk in it. 41 */ 42#include "config.h" 43#include "iterator/iter_scrub.h" 44#include "iterator/iterator.h" 45#include "iterator/iter_priv.h" 46#include "services/cache/rrset.h" 47#include "util/log.h" 48#include "util/net_help.h" 49#include "util/regional.h" 50#include "util/config_file.h" 51#include "util/module.h" 52#include "util/data/msgparse.h" 53#include "util/data/dname.h" 54#include "util/data/msgreply.h" 55#include "util/alloc.h" 56#include "sldns/sbuffer.h" 57 58/** RRset flag used during scrubbing. The RRset is OK. */ 59#define RRSET_SCRUB_OK 0x80 60 61/** remove rrset, update loop variables */ 62static void 63remove_rrset(const char* str, sldns_buffer* pkt, struct msg_parse* msg, 64 struct rrset_parse* prev, struct rrset_parse** rrset) 65{ 66 if(verbosity >= VERB_QUERY && str 67 && (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) { 68 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 69 dname_pkt_copy(pkt, buf, (*rrset)->dname); 70 log_nametypeclass(VERB_QUERY, str, buf, 71 (*rrset)->type, ntohs((*rrset)->rrset_class)); 72 } 73 if(prev) 74 prev->rrset_all_next = (*rrset)->rrset_all_next; 75 else msg->rrset_first = (*rrset)->rrset_all_next; 76 if(msg->rrset_last == *rrset) 77 msg->rrset_last = prev; 78 msg->rrset_count --; 79 switch((*rrset)->section) { 80 case LDNS_SECTION_ANSWER: msg->an_rrsets--; break; 81 case LDNS_SECTION_AUTHORITY: msg->ns_rrsets--; break; 82 case LDNS_SECTION_ADDITIONAL: msg->ar_rrsets--; break; 83 default: log_assert(0); 84 } 85 msgparse_bucket_remove(msg, *rrset); 86 *rrset = (*rrset)->rrset_all_next; 87} 88 89/** return true if rr type has additional names in it */ 90static int 91has_additional(uint16_t t) 92{ 93 switch(t) { 94 case LDNS_RR_TYPE_MB: 95 case LDNS_RR_TYPE_MD: 96 case LDNS_RR_TYPE_MF: 97 case LDNS_RR_TYPE_NS: 98 case LDNS_RR_TYPE_MX: 99 case LDNS_RR_TYPE_KX: 100 case LDNS_RR_TYPE_SRV: 101 return 1; 102 case LDNS_RR_TYPE_NAPTR: 103 /* TODO: NAPTR not supported, glue stripped off */ 104 return 0; 105 } 106 return 0; 107} 108 109/** get additional name from rrset RR, return false if no name present */ 110static int 111get_additional_name(struct rrset_parse* rrset, struct rr_parse* rr, 112 uint8_t** nm, size_t* nmlen, sldns_buffer* pkt) 113{ 114 size_t offset = 0; 115 size_t len, oldpos; 116 switch(rrset->type) { 117 case LDNS_RR_TYPE_MB: 118 case LDNS_RR_TYPE_MD: 119 case LDNS_RR_TYPE_MF: 120 case LDNS_RR_TYPE_NS: 121 offset = 0; 122 break; 123 case LDNS_RR_TYPE_MX: 124 case LDNS_RR_TYPE_KX: 125 offset = 2; 126 break; 127 case LDNS_RR_TYPE_SRV: 128 offset = 6; 129 break; 130 case LDNS_RR_TYPE_NAPTR: 131 /* TODO: NAPTR not supported, glue stripped off */ 132 return 0; 133 default: 134 return 0; 135 } 136 len = sldns_read_uint16(rr->ttl_data+sizeof(uint32_t)); 137 if(len < offset+1) 138 return 0; /* rdata field too small */ 139 *nm = rr->ttl_data+sizeof(uint32_t)+sizeof(uint16_t)+offset; 140 oldpos = sldns_buffer_position(pkt); 141 sldns_buffer_set_position(pkt, (size_t)(*nm - sldns_buffer_begin(pkt))); 142 *nmlen = pkt_dname_len(pkt); 143 sldns_buffer_set_position(pkt, oldpos); 144 if(*nmlen == 0) 145 return 0; 146 return 1; 147} 148 149/** Place mark on rrsets in additional section they are OK */ 150static void 151mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg, 152 struct rrset_parse* rrset) 153{ 154 /* Mark A and AAAA for NS as appropriate additional section info. */ 155 uint8_t* nm = NULL; 156 size_t nmlen = 0; 157 struct rr_parse* rr; 158 159 if(!has_additional(rrset->type)) 160 return; 161 for(rr = rrset->rr_first; rr; rr = rr->next) { 162 if(get_additional_name(rrset, rr, &nm, &nmlen, pkt)) { 163 /* mark A */ 164 hashvalue_type h = pkt_hash_rrset(pkt, nm, 165 LDNS_RR_TYPE_A, rrset->rrset_class, 0); 166 struct rrset_parse* r = msgparse_hashtable_lookup( 167 msg, pkt, h, 0, nm, nmlen, 168 LDNS_RR_TYPE_A, rrset->rrset_class); 169 if(r && r->section == LDNS_SECTION_ADDITIONAL) { 170 r->flags |= RRSET_SCRUB_OK; 171 } 172 173 /* mark AAAA */ 174 h = pkt_hash_rrset(pkt, nm, LDNS_RR_TYPE_AAAA, 175 rrset->rrset_class, 0); 176 r = msgparse_hashtable_lookup(msg, pkt, h, 0, nm, 177 nmlen, LDNS_RR_TYPE_AAAA, rrset->rrset_class); 178 if(r && r->section == LDNS_SECTION_ADDITIONAL) { 179 r->flags |= RRSET_SCRUB_OK; 180 } 181 } 182 } 183} 184 185/** Get target name of a CNAME */ 186static int 187parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname, 188 size_t* snamelen, sldns_buffer* pkt) 189{ 190 size_t oldpos, dlen; 191 if(rrset->rr_count != 1) { 192 struct rr_parse* sig; 193 verbose(VERB_ALGO, "Found CNAME rrset with " 194 "size > 1: %u", (unsigned)rrset->rr_count); 195 /* use the first CNAME! */ 196 rrset->rr_count = 1; 197 rrset->size = rrset->rr_first->size; 198 for(sig=rrset->rrsig_first; sig; sig=sig->next) 199 rrset->size += sig->size; 200 rrset->rr_last = rrset->rr_first; 201 rrset->rr_first->next = NULL; 202 } 203 if(rrset->rr_first->size < sizeof(uint16_t)+1) 204 return 0; /* CNAME rdata too small */ 205 *sname = rrset->rr_first->ttl_data + sizeof(uint32_t) 206 + sizeof(uint16_t); /* skip ttl, rdatalen */ 207 *snamelen = rrset->rr_first->size - sizeof(uint16_t); 208 209 if(rrset->rr_first->outside_packet) { 210 if(!dname_valid(*sname, *snamelen)) 211 return 0; 212 return 1; 213 } 214 oldpos = sldns_buffer_position(pkt); 215 sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt))); 216 dlen = pkt_dname_len(pkt); 217 sldns_buffer_set_position(pkt, oldpos); 218 if(dlen == 0) 219 return 0; /* parse fail on the rdata name */ 220 *snamelen = dlen; 221 return 1; 222} 223 224/** Synthesize CNAME from DNAME, false if too long */ 225static int 226synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset, 227 uint8_t* alias, size_t* aliaslen, sldns_buffer* pkt) 228{ 229 /* we already know that sname is a strict subdomain of DNAME owner */ 230 uint8_t* dtarg = NULL; 231 size_t dtarglen; 232 if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt)) 233 return 0; 234 if(qnamelen <= dname_rrset->dname_len) 235 return 0; 236 if(qnamelen == 0) 237 return 0; 238 log_assert(qnamelen > dname_rrset->dname_len); 239 /* DNAME from com. to net. with qname example.com. -> example.net. */ 240 /* so: \3com\0 to \3net\0 and qname \7example\3com\0 */ 241 *aliaslen = qnamelen + dtarglen - dname_rrset->dname_len; 242 if(*aliaslen > LDNS_MAX_DOMAINLEN) 243 return 0; /* should have been RCODE YXDOMAIN */ 244 /* decompress dnames into buffer, we know it fits */ 245 dname_pkt_copy(pkt, alias, qname); 246 dname_pkt_copy(pkt, alias+(qnamelen-dname_rrset->dname_len), dtarg); 247 return 1; 248} 249 250/** synthesize a CNAME rrset */ 251static struct rrset_parse* 252synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias, 253 size_t aliaslen, struct regional* region, struct msg_parse* msg, 254 struct rrset_parse* rrset, struct rrset_parse* prev, 255 struct rrset_parse* nx, sldns_buffer* pkt) 256{ 257 struct rrset_parse* cn = (struct rrset_parse*)regional_alloc(region, 258 sizeof(struct rrset_parse)); 259 if(!cn) 260 return NULL; 261 memset(cn, 0, sizeof(*cn)); 262 cn->rr_first = (struct rr_parse*)regional_alloc(region, 263 sizeof(struct rr_parse)); 264 if(!cn->rr_first) 265 return NULL; 266 cn->rr_last = cn->rr_first; 267 /* CNAME from sname to alias */ 268 cn->dname = (uint8_t*)regional_alloc(region, *snamelen); 269 if(!cn->dname) 270 return NULL; 271 dname_pkt_copy(pkt, cn->dname, *sname); 272 cn->dname_len = *snamelen; 273 cn->type = LDNS_RR_TYPE_CNAME; 274 cn->section = rrset->section; 275 cn->rrset_class = rrset->rrset_class; 276 cn->rr_count = 1; 277 cn->size = sizeof(uint16_t) + aliaslen; 278 cn->hash=pkt_hash_rrset(pkt, cn->dname, cn->type, cn->rrset_class, 0); 279 /* allocate TTL + rdatalen + uncompressed dname */ 280 memset(cn->rr_first, 0, sizeof(struct rr_parse)); 281 cn->rr_first->outside_packet = 1; 282 cn->rr_first->ttl_data = (uint8_t*)regional_alloc(region, 283 sizeof(uint32_t)+sizeof(uint16_t)+aliaslen); 284 if(!cn->rr_first->ttl_data) 285 return NULL; 286 memmove(cn->rr_first->ttl_data, rrset->rr_first->ttl_data, 287 sizeof(uint32_t)); /* RFC6672: synth CNAME TTL == DNAME TTL */ 288 sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen); 289 memmove(cn->rr_first->ttl_data+6, alias, aliaslen); 290 cn->rr_first->size = sizeof(uint16_t)+aliaslen; 291 292 /* link it in */ 293 cn->rrset_all_next = nx; 294 if(prev) 295 prev->rrset_all_next = cn; 296 else msg->rrset_first = cn; 297 if(nx == NULL) 298 msg->rrset_last = cn; 299 msg->rrset_count ++; 300 msg->an_rrsets++; 301 /* it is not inserted in the msg hashtable. */ 302 303 *sname = cn->rr_first->ttl_data + sizeof(uint32_t)+sizeof(uint16_t); 304 *snamelen = aliaslen; 305 return cn; 306} 307 308/** check if DNAME applies to a name */ 309static int 310pkt_strict_sub(sldns_buffer* pkt, uint8_t* sname, uint8_t* dr) 311{ 312 uint8_t buf1[LDNS_MAX_DOMAINLEN+1]; 313 uint8_t buf2[LDNS_MAX_DOMAINLEN+1]; 314 /* decompress names */ 315 dname_pkt_copy(pkt, buf1, sname); 316 dname_pkt_copy(pkt, buf2, dr); 317 return dname_strict_subdomain_c(buf1, buf2); 318} 319 320/** check subdomain with decompression */ 321static int 322pkt_sub(sldns_buffer* pkt, uint8_t* comprname, uint8_t* zone) 323{ 324 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 325 dname_pkt_copy(pkt, buf, comprname); 326 return dname_subdomain_c(buf, zone); 327} 328 329/** check subdomain with decompression, compressed is parent */ 330static int 331sub_of_pkt(sldns_buffer* pkt, uint8_t* zone, uint8_t* comprname) 332{ 333 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 334 dname_pkt_copy(pkt, buf, comprname); 335 return dname_subdomain_c(zone, buf); 336} 337 338/** Check if there are SOA records in the authority section (negative) */ 339static int 340soa_in_auth(struct msg_parse* msg) 341{ 342 struct rrset_parse* rrset; 343 for(rrset = msg->rrset_first; rrset; rrset = rrset->rrset_all_next) 344 if(rrset->type == LDNS_RR_TYPE_SOA && 345 rrset->section == LDNS_SECTION_AUTHORITY) 346 return 1; 347 return 0; 348} 349 350/** Check if type is allowed in the authority section */ 351static int 352type_allowed_in_authority_section(uint16_t tp) 353{ 354 if(tp == LDNS_RR_TYPE_SOA || tp == LDNS_RR_TYPE_NS || 355 tp == LDNS_RR_TYPE_DS || tp == LDNS_RR_TYPE_NSEC || 356 tp == LDNS_RR_TYPE_NSEC3) 357 return 1; 358 return 0; 359} 360 361/** Check if type is allowed in the additional section */ 362static int 363type_allowed_in_additional_section(uint16_t tp) 364{ 365 if(tp == LDNS_RR_TYPE_A || tp == LDNS_RR_TYPE_AAAA) 366 return 1; 367 return 0; 368} 369 370/** 371 * This routine normalizes a response. This includes removing "irrelevant" 372 * records from the answer and additional sections and (re)synthesizing 373 * CNAMEs from DNAMEs, if present. 374 * 375 * @param pkt: packet. 376 * @param msg: msg to normalize. 377 * @param qinfo: original query. 378 * @param region: where to allocate synthesized CNAMEs. 379 * @param env: module env with config options. 380 * @return 0 on error. 381 */ 382static int 383scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, 384 struct query_info* qinfo, struct regional* region, 385 struct module_env* env) 386{ 387 uint8_t* sname = qinfo->qname; 388 size_t snamelen = qinfo->qname_len; 389 struct rrset_parse* rrset, *prev, *nsset=NULL; 390 391 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR && 392 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN) 393 return 1; 394 395 /* For the ANSWER section, remove all "irrelevant" records and add 396 * synthesized CNAMEs from DNAMEs 397 * This will strip out-of-order CNAMEs as well. */ 398 399 /* walk through the parse packet rrset list, keep track of previous 400 * for insert and delete ease, and examine every RRset */ 401 prev = NULL; 402 rrset = msg->rrset_first; 403 while(rrset && rrset->section == LDNS_SECTION_ANSWER) { 404 if(rrset->type == LDNS_RR_TYPE_DNAME && 405 pkt_strict_sub(pkt, sname, rrset->dname)) { 406 /* check if next rrset is correct CNAME. else, 407 * synthesize a CNAME */ 408 struct rrset_parse* nx = rrset->rrset_all_next; 409 uint8_t alias[LDNS_MAX_DOMAINLEN+1]; 410 size_t aliaslen = 0; 411 if(rrset->rr_count != 1) { 412 verbose(VERB_ALGO, "Found DNAME rrset with " 413 "size > 1: %u", 414 (unsigned)rrset->rr_count); 415 return 0; 416 } 417 if(!synth_cname(sname, snamelen, rrset, alias, 418 &aliaslen, pkt)) { 419 verbose(VERB_ALGO, "synthesized CNAME " 420 "too long"); 421 return 0; 422 } 423 if(nx && nx->type == LDNS_RR_TYPE_CNAME && 424 dname_pkt_compare(pkt, sname, nx->dname) == 0) { 425 /* check next cname */ 426 uint8_t* t = NULL; 427 size_t tlen = 0; 428 if(!parse_get_cname_target(nx, &t, &tlen, pkt)) 429 return 0; 430 if(dname_pkt_compare(pkt, alias, t) == 0) { 431 /* it's OK and better capitalized */ 432 prev = rrset; 433 rrset = nx; 434 continue; 435 } 436 /* synth ourselves */ 437 } 438 /* synth a CNAME rrset */ 439 prev = synth_cname_rrset(&sname, &snamelen, alias, 440 aliaslen, region, msg, rrset, rrset, nx, pkt); 441 if(!prev) { 442 log_err("out of memory synthesizing CNAME"); 443 return 0; 444 } 445 /* FIXME: resolve the conflict between synthesized 446 * CNAME ttls and the cache. */ 447 rrset = nx; 448 continue; 449 450 } 451 452 /* The only records in the ANSWER section not allowed to */ 453 if(dname_pkt_compare(pkt, sname, rrset->dname) != 0) { 454 remove_rrset("normalize: removing irrelevant RRset:", 455 pkt, msg, prev, &rrset); 456 continue; 457 } 458 459 /* Follow the CNAME chain. */ 460 if(rrset->type == LDNS_RR_TYPE_CNAME) { 461 struct rrset_parse* nx = rrset->rrset_all_next; 462 uint8_t* oldsname = sname; 463 /* see if the next one is a DNAME, if so, swap them */ 464 if(nx && nx->section == LDNS_SECTION_ANSWER && 465 nx->type == LDNS_RR_TYPE_DNAME && 466 nx->rr_count == 1 && 467 pkt_strict_sub(pkt, sname, nx->dname)) { 468 /* there is a DNAME after this CNAME, it 469 * is in the ANSWER section, and the DNAME 470 * applies to the name we cover */ 471 /* check if the alias of the DNAME equals 472 * this CNAME */ 473 uint8_t alias[LDNS_MAX_DOMAINLEN+1]; 474 size_t aliaslen = 0; 475 uint8_t* t = NULL; 476 size_t tlen = 0; 477 if(synth_cname(sname, snamelen, nx, alias, 478 &aliaslen, pkt) && 479 parse_get_cname_target(rrset, &t, &tlen, pkt) && 480 dname_pkt_compare(pkt, alias, t) == 0) { 481 /* the synthesized CNAME equals the 482 * current CNAME. This CNAME is the 483 * one that the DNAME creates, and this 484 * CNAME is better capitalised */ 485 verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME"); 486 if(prev) prev->rrset_all_next = nx; 487 else msg->rrset_first = nx; 488 if(nx->rrset_all_next == NULL) 489 msg->rrset_last = rrset; 490 rrset->rrset_all_next = 491 nx->rrset_all_next; 492 nx->rrset_all_next = rrset; 493 /* prev = nx; unused, enable if there 494 * is other rrset removal code after 495 * this */ 496 } 497 } 498 499 /* move to next name in CNAME chain */ 500 if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt)) 501 return 0; 502 prev = rrset; 503 rrset = rrset->rrset_all_next; 504 /* in CNAME ANY response, can have data after CNAME */ 505 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 506 while(rrset && rrset->section == 507 LDNS_SECTION_ANSWER && 508 dname_pkt_compare(pkt, oldsname, 509 rrset->dname) == 0) { 510 prev = rrset; 511 rrset = rrset->rrset_all_next; 512 } 513 } 514 continue; 515 } 516 517 /* Otherwise, make sure that the RRset matches the qtype. */ 518 if(qinfo->qtype != LDNS_RR_TYPE_ANY && 519 qinfo->qtype != rrset->type) { 520 remove_rrset("normalize: removing irrelevant RRset:", 521 pkt, msg, prev, &rrset); 522 continue; 523 } 524 525 /* Mark the additional names from relevant rrset as OK. */ 526 /* only for RRsets that match the query name, other ones 527 * will be removed by sanitize, so no additional for them */ 528 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) 529 mark_additional_rrset(pkt, msg, rrset); 530 531 prev = rrset; 532 rrset = rrset->rrset_all_next; 533 } 534 535 /* Mark additional names from AUTHORITY */ 536 while(rrset && rrset->section == LDNS_SECTION_AUTHORITY) { 537 /* protect internals of recursor by making sure to del these */ 538 if(rrset->type==LDNS_RR_TYPE_DNAME || 539 rrset->type==LDNS_RR_TYPE_CNAME || 540 rrset->type==LDNS_RR_TYPE_A || 541 rrset->type==LDNS_RR_TYPE_AAAA) { 542 remove_rrset("normalize: removing irrelevant " 543 "RRset:", pkt, msg, prev, &rrset); 544 continue; 545 } 546 /* Allowed list of types in the authority section */ 547 if(env->cfg->harden_unknown_additional && 548 !type_allowed_in_authority_section(rrset->type)) { 549 remove_rrset("normalize: removing irrelevant " 550 "RRset:", pkt, msg, prev, &rrset); 551 continue; 552 } 553 /* only one NS set allowed in authority section */ 554 if(rrset->type==LDNS_RR_TYPE_NS) { 555 /* NS set must be pertinent to the query */ 556 if(!sub_of_pkt(pkt, qinfo->qname, rrset->dname)) { 557 remove_rrset("normalize: removing irrelevant " 558 "RRset:", pkt, msg, prev, &rrset); 559 continue; 560 } 561 /* we don't want NS sets for NXDOMAIN answers, 562 * because they could contain poisonous contents, 563 * from. eg. fragmentation attacks, inserted after 564 * long RRSIGs in the packet get to the packet 565 * border and such */ 566 /* also for NODATA answers */ 567 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN || 568 (FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR 569 && soa_in_auth(msg) && msg->an_rrsets == 0)) { 570 remove_rrset("normalize: removing irrelevant " 571 "RRset:", pkt, msg, prev, &rrset); 572 continue; 573 } 574 if(nsset == NULL) { 575 nsset = rrset; 576 } else { 577 remove_rrset("normalize: removing irrelevant " 578 "RRset:", pkt, msg, prev, &rrset); 579 continue; 580 } 581 } 582 /* if this is type DS and we query for type DS we just got 583 * a referral answer for our type DS query, fix packet */ 584 if(rrset->type==LDNS_RR_TYPE_DS && 585 qinfo->qtype == LDNS_RR_TYPE_DS && 586 dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) { 587 rrset->section = LDNS_SECTION_ANSWER; 588 msg->ancount = rrset->rr_count + rrset->rrsig_count; 589 msg->nscount = 0; 590 msg->arcount = 0; 591 msg->an_rrsets = 1; 592 msg->ns_rrsets = 0; 593 msg->ar_rrsets = 0; 594 msg->rrset_count = 1; 595 msg->rrset_first = rrset; 596 msg->rrset_last = rrset; 597 rrset->rrset_all_next = NULL; 598 return 1; 599 } 600 mark_additional_rrset(pkt, msg, rrset); 601 prev = rrset; 602 rrset = rrset->rrset_all_next; 603 } 604 605 /* For each record in the additional section, remove it if it is an 606 * address record and not in the collection of additional names 607 * found in ANSWER and AUTHORITY. */ 608 /* These records have not been marked OK previously */ 609 while(rrset && rrset->section == LDNS_SECTION_ADDITIONAL) { 610 if(rrset->type==LDNS_RR_TYPE_A || 611 rrset->type==LDNS_RR_TYPE_AAAA) 612 { 613 if((rrset->flags & RRSET_SCRUB_OK)) { 614 /* remove flag to clean up flags variable */ 615 rrset->flags &= ~RRSET_SCRUB_OK; 616 } else { 617 remove_rrset("normalize: removing irrelevant " 618 "RRset:", pkt, msg, prev, &rrset); 619 continue; 620 } 621 } 622 /* protect internals of recursor by making sure to del these */ 623 if(rrset->type==LDNS_RR_TYPE_DNAME || 624 rrset->type==LDNS_RR_TYPE_CNAME || 625 rrset->type==LDNS_RR_TYPE_NS) { 626 remove_rrset("normalize: removing irrelevant " 627 "RRset:", pkt, msg, prev, &rrset); 628 continue; 629 } 630 /* Allowed list of types in the additional section */ 631 if(env->cfg->harden_unknown_additional && 632 !type_allowed_in_additional_section(rrset->type)) { 633 remove_rrset("normalize: removing irrelevant " 634 "RRset:", pkt, msg, prev, &rrset); 635 continue; 636 } 637 prev = rrset; 638 rrset = rrset->rrset_all_next; 639 } 640 641 return 1; 642} 643 644/** 645 * Store potential poison in the cache (only if hardening disabled). 646 * The rrset is stored in the cache but removed from the message. 647 * So that it will be used for infrastructure purposes, but not be 648 * returned to the client. 649 * @param pkt: packet 650 * @param msg: message parsed 651 * @param env: environment with cache 652 * @param rrset: to store. 653 */ 654static void 655store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env, 656 struct rrset_parse* rrset) 657{ 658 struct ub_packed_rrset_key* k; 659 struct packed_rrset_data* d; 660 struct rrset_ref ref; 661 time_t now = *env->now; 662 663 k = alloc_special_obtain(env->alloc); 664 if(!k) 665 return; 666 k->entry.data = NULL; 667 if(!parse_copy_decompress_rrset(pkt, msg, rrset, NULL, k)) { 668 alloc_special_release(env->alloc, k); 669 return; 670 } 671 d = (struct packed_rrset_data*)k->entry.data; 672 packed_rrset_ttl_add(d, now); 673 ref.key = k; 674 ref.id = k->id; 675 /*ignore ret: it was in the cache, ref updated */ 676 (void)rrset_cache_update(env->rrset_cache, &ref, env->alloc, now); 677} 678 679/** 680 * Check if right hand name in NSEC is within zone 681 * @param pkt: the packet buffer for decompression. 682 * @param rrset: the NSEC rrset 683 * @param zonename: the zone name. 684 * @return true if BAD. 685 */ 686static int sanitize_nsec_is_overreach(sldns_buffer* pkt, 687 struct rrset_parse* rrset, uint8_t* zonename) 688{ 689 struct rr_parse* rr; 690 uint8_t* rhs; 691 size_t len; 692 log_assert(rrset->type == LDNS_RR_TYPE_NSEC); 693 for(rr = rrset->rr_first; rr; rr = rr->next) { 694 size_t pos = sldns_buffer_position(pkt); 695 size_t rhspos; 696 rhs = rr->ttl_data+4+2; 697 len = sldns_read_uint16(rr->ttl_data+4); 698 rhspos = rhs-sldns_buffer_begin(pkt); 699 sldns_buffer_set_position(pkt, rhspos); 700 if(pkt_dname_len(pkt) == 0) { 701 /* malformed */ 702 sldns_buffer_set_position(pkt, pos); 703 return 1; 704 } 705 if(sldns_buffer_position(pkt)-rhspos > len) { 706 /* outside of rdata boundaries */ 707 sldns_buffer_set_position(pkt, pos); 708 return 1; 709 } 710 sldns_buffer_set_position(pkt, pos); 711 if(!pkt_sub(pkt, rhs, zonename)) { 712 /* overreaching */ 713 return 1; 714 } 715 } 716 /* all NSEC RRs OK */ 717 return 0; 718} 719 720/** Remove individual RRs, if the length is wrong. Returns true if the RRset 721 * has been removed. */ 722static int 723scrub_sanitize_rr_length(sldns_buffer* pkt, struct msg_parse* msg, 724 struct rrset_parse* prev, struct rrset_parse** rrset, int* added_ede, 725 struct module_qstate* qstate) 726{ 727 struct rr_parse* rr, *rr_prev = NULL; 728 for(rr = (*rrset)->rr_first; rr; rr = rr->next) { 729 730 /* Sanity check for length of records 731 * An A record should be 6 bytes only 732 * (2 bytes for length and 4 for IPv4 addr)*/ 733 if((*rrset)->type == LDNS_RR_TYPE_A && rr->size != 6 ) { 734 if(!*added_ede) { 735 *added_ede = 1; 736 errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.", 737 LDNS_EDE_OTHER); 738 } 739 if(msgparse_rrset_remove_rr("sanitize: removing type A RR of inappropriate length:", 740 pkt, *rrset, rr_prev, rr, NULL, 0)) { 741 remove_rrset("sanitize: removing type A RRset of inappropriate length:", 742 pkt, msg, prev, rrset); 743 return 1; 744 } 745 continue; 746 } 747 748 /* Sanity check for length of records 749 * An AAAA record should be 18 bytes only 750 * (2 bytes for length and 16 for IPv6 addr)*/ 751 if((*rrset)->type == LDNS_RR_TYPE_AAAA && rr->size != 18 ) { 752 if(!*added_ede) { 753 *added_ede = 1; 754 errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.", 755 LDNS_EDE_OTHER); 756 } 757 if(msgparse_rrset_remove_rr("sanitize: removing type AAAA RR of inappropriate length:", 758 pkt, *rrset, rr_prev, rr, NULL, 0)) { 759 remove_rrset("sanitize: removing type AAAA RRset of inappropriate length:", 760 pkt, msg, prev, rrset); 761 return 1; 762 } 763 continue; 764 } 765 rr_prev = rr; 766 } 767 return 0; 768} 769 770/** 771 * Given a response event, remove suspect RRsets from the response. 772 * "Suspect" rrsets are potentially poison. Note that this routine expects 773 * the response to be in a "normalized" state -- that is, all "irrelevant" 774 * RRsets have already been removed, CNAMEs are in order, etc. 775 * 776 * @param pkt: packet. 777 * @param msg: msg to normalize. 778 * @param qinfo: the question originally asked. 779 * @param zonename: name of server zone. 780 * @param env: module environment with config and cache. 781 * @param ie: iterator environment with private address data. 782 * @param qstate: for setting errinf for EDE error messages. 783 * @return 0 on error. 784 */ 785static int 786scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, 787 struct query_info* qinfo, uint8_t* zonename, struct module_env* env, 788 struct iter_env* ie, struct module_qstate* qstate) 789{ 790 int del_addi = 0; /* if additional-holding rrsets are deleted, we 791 do not trust the normalized additional-A-AAAA any more */ 792 int added_rrlen_ede = 0; 793 struct rrset_parse* rrset, *prev; 794 prev = NULL; 795 rrset = msg->rrset_first; 796 797 /* the first DNAME is allowed to stay. It needs checking before 798 * it can be used from the cache. After normalization, an initial 799 * DNAME will have a correctly synthesized CNAME after it. */ 800 if(rrset && rrset->type == LDNS_RR_TYPE_DNAME && 801 rrset->section == LDNS_SECTION_ANSWER && 802 pkt_strict_sub(pkt, qinfo->qname, rrset->dname) && 803 pkt_sub(pkt, rrset->dname, zonename)) { 804 prev = rrset; /* DNAME allowed to stay in answer section */ 805 rrset = rrset->rrset_all_next; 806 } 807 808 /* remove all records from the answer section that are 809 * not the same domain name as the query domain name. 810 * The answer section should contain rrsets with the same name 811 * as the question. For DNAMEs a CNAME has been synthesized. 812 * Wildcards have the query name in answer section. 813 * ANY queries get query name in answer section. 814 * Remainders of CNAME chains are cut off and resolved by iterator. */ 815 while(rrset && rrset->section == LDNS_SECTION_ANSWER) { 816 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) != 0) { 817 if(has_additional(rrset->type)) del_addi = 1; 818 remove_rrset("sanitize: removing extraneous answer " 819 "RRset:", pkt, msg, prev, &rrset); 820 continue; 821 } 822 prev = rrset; 823 rrset = rrset->rrset_all_next; 824 } 825 826 /* At this point, we brutally remove ALL rrsets that aren't 827 * children of the originating zone. The idea here is that, 828 * as far as we know, the server that we contacted is ONLY 829 * authoritative for the originating zone. It, of course, MAY 830 * be authoritative for any other zones, and of course, MAY 831 * NOT be authoritative for some subdomains of the originating 832 * zone. */ 833 prev = NULL; 834 rrset = msg->rrset_first; 835 while(rrset) { 836 837 /* Sanity check for length of records */ 838 if(rrset->type == LDNS_RR_TYPE_A || 839 rrset->type == LDNS_RR_TYPE_AAAA) { 840 if(scrub_sanitize_rr_length(pkt, msg, prev, &rrset, 841 &added_rrlen_ede, qstate)) 842 continue; 843 } 844 845 /* remove private addresses */ 846 if( (rrset->type == LDNS_RR_TYPE_A || 847 rrset->type == LDNS_RR_TYPE_AAAA)) { 848 849 /* do not set servfail since this leads to too 850 * many drops of other people using rfc1918 space */ 851 /* also do not remove entire rrset, unless all records 852 * in it are bad */ 853 if(priv_rrset_bad(ie->priv, pkt, rrset)) { 854 remove_rrset(NULL, pkt, msg, prev, &rrset); 855 continue; 856 } 857 } 858 859 /* skip DNAME records -- they will always be followed by a 860 * synthesized CNAME, which will be relevant. 861 * FIXME: should this do something differently with DNAME 862 * rrsets NOT in Section.ANSWER? */ 863 /* But since DNAME records are also subdomains of the zone, 864 * same check can be used */ 865 866 if(!pkt_sub(pkt, rrset->dname, zonename)) { 867 if(msg->an_rrsets == 0 && 868 rrset->type == LDNS_RR_TYPE_NS && 869 rrset->section == LDNS_SECTION_AUTHORITY && 870 FLAGS_GET_RCODE(msg->flags) == 871 LDNS_RCODE_NOERROR && !soa_in_auth(msg) && 872 sub_of_pkt(pkt, zonename, rrset->dname)) { 873 /* noerror, nodata and this NS rrset is above 874 * the zone. This is LAME! 875 * Leave in the NS for lame classification. */ 876 /* remove everything from the additional 877 * (we dont want its glue that was approved 878 * during the normalize action) */ 879 del_addi = 1; 880 } else if(!env->cfg->harden_glue && ( 881 rrset->type == LDNS_RR_TYPE_A || 882 rrset->type == LDNS_RR_TYPE_AAAA)) { 883 /* store in cache! Since it is relevant 884 * (from normalize) it will be picked up 885 * from the cache to be used later */ 886 store_rrset(pkt, msg, env, rrset); 887 remove_rrset("sanitize: storing potential " 888 "poison RRset:", pkt, msg, prev, &rrset); 889 continue; 890 } else { 891 if(has_additional(rrset->type)) del_addi = 1; 892 remove_rrset("sanitize: removing potential " 893 "poison RRset:", pkt, msg, prev, &rrset); 894 continue; 895 } 896 } 897 if(del_addi && rrset->section == LDNS_SECTION_ADDITIONAL) { 898 remove_rrset("sanitize: removing potential " 899 "poison reference RRset:", pkt, msg, prev, &rrset); 900 continue; 901 } 902 /* check if right hand side of NSEC is within zone */ 903 if(rrset->type == LDNS_RR_TYPE_NSEC && 904 sanitize_nsec_is_overreach(pkt, rrset, zonename)) { 905 remove_rrset("sanitize: removing overreaching NSEC " 906 "RRset:", pkt, msg, prev, &rrset); 907 continue; 908 } 909 prev = rrset; 910 rrset = rrset->rrset_all_next; 911 } 912 return 1; 913} 914 915int 916scrub_message(sldns_buffer* pkt, struct msg_parse* msg, 917 struct query_info* qinfo, uint8_t* zonename, struct regional* region, 918 struct module_env* env, struct module_qstate* qstate, 919 struct iter_env* ie) 920{ 921 /* basic sanity checks */ 922 log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS, 923 qinfo->qclass); 924 if(msg->qdcount > 1) 925 return 0; 926 if( !(msg->flags&BIT_QR) ) 927 return 0; 928 msg->flags &= ~(BIT_AD|BIT_Z); /* force off bit AD and Z */ 929 930 /* make sure that a query is echoed back when NOERROR or NXDOMAIN */ 931 /* this is not required for basic operation but is a forgery 932 * resistance (security) feature */ 933 if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR || 934 FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) && 935 msg->qdcount == 0) 936 return 0; 937 938 /* if a query is echoed back, make sure it is correct. Otherwise, 939 * this may be not a reply to our query. */ 940 if(msg->qdcount == 1) { 941 if(dname_pkt_compare(pkt, msg->qname, qinfo->qname) != 0) 942 return 0; 943 if(msg->qtype != qinfo->qtype || msg->qclass != qinfo->qclass) 944 return 0; 945 } 946 947 /* normalize the response, this cleans up the additional. */ 948 if(!scrub_normalize(pkt, msg, qinfo, region, env)) 949 return 0; 950 /* delete all out-of-zone information */ 951 if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate)) 952 return 0; 953 return 1; 954} 955