Github
/
FTL
mirror of
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
FTL/src/dnsmasq_interface.c

3564 lines
109 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/* Pi-hole: A black hole for Internet advertisements
* (c) 2017 Pi-hole, LLC (https://pi-hole.net)
* Network-wide ad blocking via your own hardware.
*
* FTL Engine
* dnsmasq interfacing routines
*
* This file is copyright under the latest version of the EUPL.
* Please see LICENSE file for your rights under this license. */
#define FTLDNS
#include "dnsmasq/dnsmasq.h"
#undef __USE_XOPEN
#include "FTL.h"
#include "enums.h"
#include "dnsmasq_interface.h"
#include "shmem.h"
#include "overTime.h"
#include "database/common.h"
#include "database/database-thread.h"
#include "datastructure.h"
#include "database/gravity-db.h"
#include "config/setupVars.h"
#include "daemon.h"
#include "timers.h"
#include "gc.h"
#include "regex_r.h"
#include "config/config.h"
#include "capabilities.h"
#include "resolve.h"
#include "files.h"
// add_to_fifo_buffer() u.a.
#include "log.h"
// global variable daemonmode
#include "args.h"
// handle_realtime_signals()
#include "signals.h"
// atomic_flag_test_and_set()
#include <stdatomic.h>
// Eventqueue routines
#include "events.h"
#include <netinet/in.h>
// offsetof()
#include <stddef.h>
// get_edestr()
#include "api/api_helper.h"
// logg_rate_limit_message()
#include "database/message-table.h"
// http_init()
#include "webserver/webserver.h"
// type struct sqlite3_stmt_vec
#include "vector.h"
// check_one_struct()
#include "struct_size.h"
// query_to_database()
#include "database/query-table.h"
// reread_config()
#include "config/config.h"
// FTL_fork_and_bind_sockets()
#include "main.h"
// Private prototypes
static void print_flags(const unsigned int flags);
#define query_set_reply(flags, type, addr, query, response) _query_set_reply(flags, type, addr, query, response, __FILE__, __LINE__)
static void _query_set_reply(const unsigned int flags, const enum reply_type reply, const union all_addr *addr, queriesData* query,
const struct timeval response, const char *file, const int line);
#define FTL_check_blocking(queryID, domainID, clientID) _FTL_check_blocking(queryID, domainID, clientID, __FILE__, __LINE__)
static bool _FTL_check_blocking(int queryID, int domainID, int clientID, const char* file, const int line);
static enum query_status detect_blocked_IP(const unsigned short flags, const union all_addr *addr, const queriesData *query, const domainsData *domain);
static void query_blocked(queriesData* query, domainsData* domain, clientsData* client, const enum query_status new_status);
static void FTL_forwarded(const unsigned int flags, const char *name, const union all_addr *addr, unsigned short port, const int id, const char* file, const int line);
static void FTL_reply(const unsigned int flags, const char *name, const union all_addr *addr, const char* arg, const int id, const char* file, const int line);
static void FTL_upstream_error(const union all_addr *addr, const unsigned int flags, const int id, const char* file, const int line);
static void FTL_dnssec(const char *result, const union all_addr *addr, const int id, const char* file, const int line);
static void mysockaddr_extract_ip_port(const union mysockaddr *server, char ip[ADDRSTRLEN+1], in_port_t *port);
static void alladdr_extract_ip(union all_addr *addr, const sa_family_t family, char ip[ADDRSTRLEN+1]);
static void check_pihole_PTR(char *domain);
#define query_set_dnssec(query, dnssec) _query_set_dnssec(query, dnssec, __FILE__, __LINE__)
static void _query_set_dnssec(queriesData *query, const enum dnssec_status dnssec, const char *file, const int line);
static char *get_ptrname(struct in_addr *addr);
static const char *check_dnsmasq_name(const char *name);
// Static blocking metadata
static bool adbit = false;
static const char *blockingreason = "";
static enum reply_type force_next_DNS_reply = REPLY_UNKNOWN;
static int last_regex_idx = -1;
static struct ptr_record *pihole_ptr = NULL;
static char *pihole_suffix = NULL;
static char *hostname_suffix = NULL;
static char *cname_target = NULL;
#define HOSTNAME "Pi-hole hostname"
// Fork-private copy of the interface data the most recent query came from
static struct {
bool haveIPv4;
bool haveIPv6;
char name[IFNAMSIZ];
union all_addr addr4;
union all_addr addr6;
} next_iface = {false, false, "", {{ 0 }}, {{ 0 }}};
// Fork-private copy of the server data the most recent reply came from
static union mysockaddr last_server = {{ 0 }};
unsigned char* pihole_privacylevel = &config.misc.privacylevel.v.privacy_level;
const char *flagnames[] = {"F_IMMORTAL ", "F_NAMEP ", "F_REVERSE ", "F_FORWARD ", "F_DHCP ", "F_NEG ", "F_HOSTS ", "F_IPV4 ", "F_IPV6 ", "F_BIGNAME ", "F_NXDOMAIN ", "F_CNAME ", "F_DNSKEY ", "F_CONFIG ", "F_DS ", "F_DNSSECOK ", "F_UPSTREAM ", "F_RRNAME ", "F_SERVER ", "F_QUERY ", "F_NOERR ", "F_AUTH ", "F_DNSSEC ", "F_KEYTAG ", "F_SECSTAT ", "F_NO_RR ", "F_IPSET ", "F_NOEXTRA ", "F_DOMAINSRV", "F_RCODE", "F_RR", "F_STALE" };
void FTL_hook(unsigned int flags, const char *name, union all_addr *addr, char *arg, int id, unsigned short type, const char* file, const int line)
{
// Extract filename from path
const char *path = short_path(file);
const char *types = (flags & F_RR) ? querystr(arg, type) : "?";
log_debug(DEBUG_FLAGS, "Processing FTL hook from %s:%d (type: %s, name: \"%s\", id: %i)...", path, line, types, name, id);
print_flags(flags);
// Check domain name received from dnsmasq
name = check_dnsmasq_name(name);
// Note: The order matters here!
if((flags & F_QUERY) && (flags & F_FORWARD))
; // New query, handled by FTL_new_query via separate call
else if(flags & F_FORWARD && flags & F_SERVER)
// forwarded upstream (type is used to store the upstream port)
FTL_forwarded(flags, name, addr, type, id, path, line);
else if(flags == F_SECSTAT)
// DNSSEC validation result
FTL_dnssec(arg, addr, id, path, line);
else if(flags & F_RCODE && !(flags & F_CONFIG) && name && strcasecmp(name, "error") == 0)
// upstream sent something different than NOERROR or NXDOMAIN
FTL_upstream_error(addr, flags, id, path, line);
else if(flags & F_NOEXTRA && flags & F_DNSSEC)
{
// This is a new DNSSEC query (dnssec-query[DS])
if(!config.dns.showDNSSEC.v.b)
return;
// Type is overloaded with port since 2d65d55, so we have to
// derive the real query type from the arg string
unsigned short qtype = type;
if(strcmp(arg, "dnssec-query[DNSKEY]") == 0)
{
qtype = T_DNSKEY;
arg = (char*)"dnssec-query";
}
else if(strcmp(arg, "dnssec-query[DS]") == 0)
{
qtype = T_DS;
arg = (char*)"dnssec-query";
}
else if(strcmp(arg, "dnssec-retry[DNSKEY]") == 0)
{
qtype = T_DNSKEY;
arg = (char*)"dnssec-retry";
}
else if(strcmp(arg, "dnssec-retry[DS]") == 0)
{
qtype = T_DS;
arg = (char*)"dnssec-retry";
}
else
{
arg = (char*)"dnssec-unknown";
}
_FTL_new_query(flags, name, NULL, arg, qtype, id, INTERNAL, file, line);
// forwarded upstream (type is used to store the upstream port)
FTL_forwarded(flags, name, addr, type, id, path, line);
}
else if(flags & F_AUTH)
; // Ignored
else if(flags & F_IPSET)
; // Ignored
else if(flags == F_UPSTREAM && strcmp(arg, "truncated") == 0)
; // Ignored - truncated reply
//
// flags will by (F_UPSTREAM | F_NOEXTRA) with type being
// T_DNSKEY or T_DS when this is a truncated DNSSEC reply
//
// otherwise, flags will be F_UPSTREAM and the type is not set
// (== 0)
else
FTL_reply(flags, name, addr, arg, id, path, line);
}
// This is inspired by make_local_answer()
size_t _FTL_make_answer(struct dns_header *header, char *limit, const size_t len, int *ede, const char *file, const int line)
{
log_debug(DEBUG_FLAGS, "FTL_make_answer() called from %s:%d", short_path(file), line);
// Exit early if there are no questions in this query
if(ntohs(header->qdcount) == 0)
return 0;
// Get question name
char name[MAXDNAME] = { 0 };
unsigned char *p = (unsigned char *)(header+1);
if (!extract_name(header, len, &p, name, 1, 4))
return 0;
// Debug logging
if(*ede != EDE_UNSET)
log_debug(DEBUG_QUERIES, "Preparing reply for \"%s\", EDE: %s (%d)", name, edestr(*ede), *ede);
else
log_debug(DEBUG_QUERIES, "Preparing reply for \"%s\", EDE: N/A", name);
// Get question type
int qtype, flags = 0;
GETSHORT(qtype, p);
// Set flags based on what we will reply with
if(qtype == T_A)
flags = F_IPV4; // A type
else if(qtype == T_AAAA)
flags = F_IPV6; // AAAA type
else if(qtype == T_ANY)
flags = F_IPV4 | F_IPV6; // ANY type
else
flags = F_NOERR; // empty record
// Prepare answer records
bool forced_ip = false;
// Check first if we need to force our reply to something different than the
// default/configured blocking mode. For instance, we need to force NXDOMAIN
// for intercepted _esni.* queries or the Mozilla canary domain.
if(force_next_DNS_reply == REPLY_NXDOMAIN)
{
flags = F_NXDOMAIN;
// Reset DNS reply forcing
force_next_DNS_reply = REPLY_UNKNOWN;
// Debug logging
log_debug(DEBUG_QUERIES, "Forced DNS reply to NXDOMAIN");
}
else if(force_next_DNS_reply == REPLY_NODATA)
{
flags = F_NOERR;
// Reset DNS reply forcing
force_next_DNS_reply = REPLY_UNKNOWN;
// Debug logging
log_debug(DEBUG_QUERIES, "Forced DNS reply to NODATA");
}
else if(force_next_DNS_reply == REPLY_REFUSED)
{
// Empty flags result in REFUSED
flags = 0;
// Reset DNS reply forcing
force_next_DNS_reply = REPLY_UNKNOWN;
// Debug logging
log_debug(DEBUG_QUERIES, "Forced DNS reply to REFUSED");
// Set EDE code to blocked
*ede = EDE_BLOCKED;
}
else if(force_next_DNS_reply == REPLY_IP)
{
// We do not need to change the flags here,
// they are already properly set (F_IPV4 and/or F_IPV6)
forced_ip = true;
// Reset DNS reply forcing
force_next_DNS_reply = REPLY_UNKNOWN;
// Debug logging
log_debug(DEBUG_QUERIES, "Forced DNS reply to IP");
}
else if(force_next_DNS_reply == REPLY_NONE)
{
// Reset DNS reply forcing
force_next_DNS_reply = REPLY_UNKNOWN;
// Debug logging
log_debug(DEBUG_QUERIES, "Forced DNS reply to NONE - dropping this query");
return 0;
}
else
{
// Overwrite flags only if not replying with a forced reply
if(config.dns.blocking.mode.v.blocking_mode == MODE_NX)
{
// If we block in NXDOMAIN mode, we set flags to NXDOMAIN
// (NEG will be added after setup_reply() below)
flags = F_NXDOMAIN;
log_debug(DEBUG_QUERIES, "Configured blocking mode is NXDOMAIN");
}
else if(config.dns.blocking.mode.v.blocking_mode == MODE_NODATA ||
(config.dns.blocking.mode.v.blocking_mode == MODE_IP_NODATA_AAAA && (flags & F_IPV6)))
{
// If we block in NODATA mode or NODATA for AAAA queries, we apply
// the NOERROR response flag. This ensures we're sending an empty response
flags = F_NOERR;
log_debug(DEBUG_QUERIES, "Configured blocking mode is NODATA%s",
config.dns.blocking.mode.v.blocking_mode == MODE_IP_NODATA_AAAA ? "-IPv6" : "");
}
}
// Check for regex redirecting
bool redirecting = false;
union all_addr redirect_addr4 = {{ 0 }}, redirect_addr6 = {{ 0 }};
if(last_regex_idx > -1)
{
redirecting = regex_get_redirect(last_regex_idx, &redirect_addr4.addr4, &redirect_addr6.addr6);
// Reset regex redirection forcing
last_regex_idx = -1;
// Debug logging
log_debug(DEBUG_QUERIES, "Regex match is %sredirected", redirecting ? "" : "NOT ");
}
if(force_next_DNS_reply == REPLY_CNAME && cname_target != NULL)
{
// Set flags to CNAME reply
flags = F_CONFIG | F_CNAME;
// Add A record (if available)
if(redirect_addr4.addr4.s_addr != 0)
flags |= F_IPV4;
// Add AAAA record (if available)
if(!IN6_IS_ADDR_UNSPECIFIED(&redirect_addr6.addr6))
flags |= F_IPV6;
// Reset DNS reply forcing
force_next_DNS_reply = REPLY_UNKNOWN;
}
// Debug logging
print_flags(flags);
// Setup reply header
setup_reply(header, flags, *ede);
// Add NEG flag when replying with NXDOMAIN or NODATA. This is necessary
// to get proper logging in pihole.log At the same time, we cannot add
// NEG before calling setup_reply() as it would, otherwise, result in an
// incorrect "nowhere to forward to" log entry (because setup_reply()
// checks for equality of flags instead of doing a bitmask comparison).
if(flags == F_NXDOMAIN || flags == F_NOERR)
flags |= F_NEG;
// Add flags according to current blocking mode
// Set blocking_flags to F_HOSTS so dnsmasq logs blocked queries being answered from a specific source
// (it would otherwise assume it knew the blocking status from cache which would prevent us from
// printing the blocking source (blacklist, regex, gravity) in dnsmasq's log file, our pihole.log)
if(flags != 0)
flags |= F_HOSTS;
// Skip questions so we can start adding answers (if applicable)
if (!(p = skip_questions(header, len)))
return 0;
// Are we replying to pi.hole / <hostname> / pi.hole.<local> / <hostname>.<local> ?
const bool hostn = strcmp(blockingreason, HOSTNAME) == 0;
int trunc = 0;
// Add CNAME answer record if requested
if(flags & F_CNAME)
{
// Debug logging
if(config.debug.queries.v.b)
log_debug(DEBUG_QUERIES, " Adding RR: \"%s CNAME %s\"", name, cname_target);
// Add CNAME resource record
header->ancount = htons(ntohs(header->ancount) + 1);
if(add_resource_record(header, limit, &trunc, sizeof(struct dns_header),
&p, daemon->local_ttl, NULL,
T_CNAME, C_IN, (char*)"d", cname_target))
log_query(flags, name, NULL, (char*)blockingreason, 0);
}
// Add A answer record if requested
if(flags & F_IPV4)
{
union all_addr addr = {{ 0 }};
// Overwrite with IP address if requested
if(redirecting)
memcpy(&addr, &redirect_addr4, sizeof(addr));
else if(config.dns.blocking.mode.v.blocking_mode == MODE_IP ||
config.dns.blocking.mode.v.blocking_mode == MODE_IP_NODATA_AAAA ||
forced_ip)
{
if(hostn && config.dns.reply.host.force4.v.b)
memcpy(&addr, &config.dns.reply.host.v4.v.in_addr, sizeof(addr.addr4));
else if(!hostn && config.dns.reply.blocking.force4.v.b)
memcpy(&addr, &config.dns.reply.blocking.v4.v.in_addr, sizeof(addr.addr4));
else
memcpy(&addr, &next_iface.addr4, sizeof(addr.addr4));
}
// Debug logging
if(config.debug.queries.v.b)
{
char ip[ADDRSTRLEN+1] = { 0 };
alladdr_extract_ip(&addr, AF_INET, ip);
log_debug(DEBUG_QUERIES, " Adding RR: \"%s A %s\"", name, ip);
}
// Add A resource record
header->ancount = htons(ntohs(header->ancount) + 1);
if(add_resource_record(header, limit, &trunc, sizeof(struct dns_header),
&p, hostn ? daemon->local_ttl : config.dns.blockTTL.v.ui,
NULL, T_A, C_IN, (char*)"4", &addr.addr4))
log_query(flags & ~F_IPV6, name, &addr, (char*)blockingreason, 0);
}
// Add AAAA answer record if requested
if(flags & F_IPV6)
{
union all_addr addr = {{ 0 }};
// Overwrite with IP address if requested
if(redirecting)
memcpy(&addr, &redirect_addr6, sizeof(addr));
else if(config.dns.blocking.mode.v.blocking_mode == MODE_IP ||
forced_ip)
{
if(hostn && config.dns.reply.host.force6.v.b)
memcpy(&addr, &config.dns.reply.host.v6.v.in6_addr, sizeof(addr.addr6));
else if(!hostn && config.dns.reply.blocking.force6.v.b)
memcpy(&addr, &config.dns.reply.blocking.v6.v.in6_addr, sizeof(addr.addr6));
else
memcpy(&addr, &next_iface.addr6, sizeof(addr.addr6));
}
// Debug logging
if(config.debug.queries.v.b)
{
char ip[ADDRSTRLEN+1] = { 0 };
alladdr_extract_ip(&addr, AF_INET6, ip);
log_debug(DEBUG_QUERIES, " Adding RR: \"%s AAAA %s\"", name, ip);
}
// Add AAAA resource record
header->ancount = htons(ntohs(header->ancount) + 1);
if(add_resource_record(header, limit, &trunc, sizeof(struct dns_header),
&p, hostn ? daemon->local_ttl : config.dns.blockTTL.v.ui,
NULL, T_AAAA, C_IN, (char*)"6", &addr.addr6))
log_query(flags & ~F_IPV4, name, &addr, (char*)blockingreason, 0);
}
// Log empty replies
if(!(flags & (F_IPV4 | F_IPV6)))
{
if(flags == 0)
{
// REFUSED
union all_addr addr = {{ 0 }};
addr.log.rcode = REFUSED;
addr.log.ede = EDE_BLOCKED;
log_query(F_RCODE | F_HOSTS, name, &addr, (char*)blockingreason, 0);
}
else
{
// NODATA/NXDOMAIN
// gravity blocked abc.com is NODATA/NXDOMAIN
log_query(flags, name, NULL, (char*)blockingreason, 0);
}
}
// Indicate if truncated (client should retry over TCP)
if (trunc)
header->hb3 |= HB3_TC;
return p - (unsigned char *)header;
}
static bool is_pihole_domain(const char *domain)
{
if(!pihole_suffix && daemon->domain_suffix)
{
// Build "pi.hole.<local suffix>" domain
pihole_suffix = calloc(strlen(daemon->domain_suffix) + 9, sizeof(char));
strcpy(pihole_suffix, "pi.hole.");
strcat(pihole_suffix, daemon->domain_suffix);
log_debug(DEBUG_QUERIES, "Domain suffix is \"%s\"", daemon->domain_suffix);
}
if(!hostname_suffix && daemon->domain_suffix)
{
// Build "<hostname>.<local suffix>" domain
hostname_suffix = calloc(strlen(hostname()) + strlen(daemon->domain_suffix) + 2, sizeof(char));
strcpy(hostname_suffix, hostname());
strcat(hostname_suffix, ".");
strcat(hostname_suffix, daemon->domain_suffix);
}
return strcasecmp(domain, "pi.hole") == 0 || strcasecmp(domain, hostname()) == 0 ||
(pihole_suffix && strcasecmp(domain, pihole_suffix) == 0) ||
(hostname_suffix && strcasecmp(domain, hostname_suffix) == 0);
}
bool _FTL_new_query(const unsigned int flags, const char *name,
union mysockaddr *addr, char *arg,
const unsigned short qtype, const int id,
const enum protocol proto,
const char* file, const int line)
{
// Create new query in data structure
// Get timestamp
const double querytimestamp = double_time();
// Save request time
struct timeval request;
gettimeofday(&request, 0);
// Determine query type
enum query_type querytype;
switch(qtype)
{
case T_A:
querytype = TYPE_A;
break;
case T_AAAA:
querytype = TYPE_AAAA;
break;
case T_ANY:
querytype = TYPE_ANY;
break;
case T_SRV:
querytype = TYPE_SRV;
break;
case T_SOA:
querytype = TYPE_SOA;
break;
case T_PTR:
querytype = TYPE_PTR;
break;
case T_TXT:
querytype = TYPE_TXT;
break;
case T_NAPTR:
querytype = TYPE_NAPTR;
break;
case T_MX:
querytype = TYPE_MX;
break;
case T_DS:
querytype = TYPE_DS;
break;
case T_RRSIG:
querytype = TYPE_RRSIG;
break;
case T_DNSKEY:
querytype = TYPE_DNSKEY;
break;
case T_NS:
querytype = TYPE_NS;
break;
case 64: // Scn. 2 of https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
querytype = TYPE_SVCB;
break;
case 65: // Scn. 2 of https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
querytype = TYPE_HTTPS;
break;
default:
querytype = TYPE_OTHER;
break;
}
// Check domain name received from dnsmasq
name = check_dnsmasq_name(name);
// If domain is "pi.hole" or the local hostname we skip analyzing this query
// and, instead, immediately reply with the IP address - these queries are not further analyzed
if(is_pihole_domain(name))
{
if(querytype == TYPE_A || querytype == TYPE_AAAA || querytype == TYPE_ANY)
{
// "Block" this query by sending the interface IP address
// Send NODATA when the current interface doesn't have
// the requested IP address, for instance AAAA on an
// virtual interface that has only an IPv4 address
if((querytype == TYPE_A &&
!next_iface.haveIPv4 &&
!config.dns.reply.host.force4.v.b) ||
(querytype == TYPE_AAAA &&
!next_iface.haveIPv6 &&
!config.dns.reply.host.force6.v.b))
force_next_DNS_reply = REPLY_NODATA;
else
force_next_DNS_reply = REPLY_IP;
blockingreason = HOSTNAME;
log_debug(DEBUG_QUERIES, "Replying to %s with %s", name,
force_next_DNS_reply == REPLY_IP ?
"interface-local IP address" :
"NODATA due to missing iface address");
return true;
}
else
{
// Don't block this query
return false;
}
}
// Check if this is a PTR request for a local interface.
// If so, we inject a "pi.hole" reply here
if(querytype == TYPE_PTR && config.dns.piholePTR.v.ptr_type != PTR_NONE)
check_pihole_PTR((char*)name);
// Convert domain to lower case
char *domainString = strdup(name);
strtolower(domainString);
// Get client IP address
// The requestor's IP address can be rewritten using EDNS(0) client
// subnet (ECS) data), however, we do not rewrite the IPs ::1 and
// 127.0.0.1 to avoid queries originating from localhost of the
// *distant* machine as queries coming from the *local* machine
const sa_family_t family = addr ? addr->sa.sa_family : AF_INET;
in_port_t clientPort = daemon->port;
bool internal_query = false;
char clientIP[ADDRSTRLEN+1] = { 0 };
ednsData *edns = getEDNS();
if(config.dns.EDNS0ECS.v.b && edns && edns->client_set)
{
// Use ECS provided client
strncpy(clientIP, edns->client, ADDRSTRLEN);
clientIP[ADDRSTRLEN] = '\0';
}
else if(addr)
{
// Use original requestor
mysockaddr_extract_ip_port(addr, clientIP, &clientPort);
}
else
{
// No client address available, this is an automatically generated (e.g.
// DNSSEC) query
internal_query = true;
strcpy(clientIP, "::");
}
// Check if user wants to skip queries coming from localhost
if(config.dns.ignoreLocalhost.v.b &&
(strcmp(clientIP, "127.0.0.1") == 0 || strcmp(clientIP, "::1") == 0))
{
free(domainString);
return false;
}
// Lock shared memory
lock_shm();
const int queryID = counters->queries;
// Find client IP
const int clientID = findClientID(clientIP, true, false);
// Get client pointer
clientsData* client = getClient(clientID, true);
if(client == NULL)
{
// Encountered memory error, skip query
// Free allocated memory
free(domainString);
// Release thread lock
unlock_shm();
return false;
}
// Interface name is only available for regular queries, not for
// automatically generated DNSSEC queries
const char *interface = internal_query ? "-" : next_iface.name;
// Check rate-limit for this client
if(!internal_query && config.dns.rateLimit.count.v.ui > 0 &&
(++client->rate_limit > config.dns.rateLimit.count.v.ui || client->flags.rate_limited))
{
if(!client->flags.rate_limited)
{
// Log the first rate-limited query for this client in
// this interval. We do not log the blocked domain for
// privacy reasons
logg_rate_limit_message(clientIP, client->rate_limit);
// Reset rate-limiting counter so we can count what
// comes within the adjacent interval
client->rate_limit = 0;
}
// Memorize this client needs rate-limiting
client->flags.rate_limited = true;
// Block this query
force_next_DNS_reply = REPLY_REFUSED;
blockingreason = "Rate-limiting";
// Free allocated memory
free(domainString);
// Do not further process this query, Pi-hole has never seen it
unlock_shm();
return true;
}
// Log new query if in debug mode
if(config.debug.queries.v.b)
{
const char *types = querystr(arg, qtype);
log_debug(DEBUG_QUERIES, "**** new %sIPv%d %s query \"%s\" from %s/%s#%d (ID %i, FTL %i, %s:%i)",
proto == TCP ? "TCP " : proto == UDP ? "UDP " : "",
family == AF_INET ? 4 : 6, types, domainString, interface,
internal_query ? "<internal>" : clientIP, clientPort,
id, queryID, short_path(file), line);
}
// Update overTime
const unsigned int timeidx = getOverTimeID(querytimestamp);
// Skip rest of the analysis if this query is not of type A or AAAA
// but user wants to see only A and AAAA queries (pre-v4.1 behavior)
if(config.dns.analyzeOnlyAandAAAA.v.b && querytype != TYPE_A && querytype != TYPE_AAAA)
{
// Don't process this query further here, we already counted it
if(config.debug.queries.v.b)
{
const char *types = querystr(arg, qtype);
log_debug(DEBUG_QUERIES, "Skipping new query: %s (%i)", types, id);
}
free(domainString);
unlock_shm();
return false;
}
// Go through already knows domains and see if it is one of them
const int domainID = findDomainID(domainString, true);
// Save everything
queriesData* query = getQuery(queryID, false);
if(query == NULL)
{
// Encountered memory error, skip query
log_err("No memory available, skipping query analysis");
// Free allocated memory
free(domainString);
// Release thread lock
unlock_shm();
return false;
}
// Fill query object with available data
query->magic = MAGICBYTE;
query->timestamp = querytimestamp;
query->type = querytype;
counters->querytype[querytype]++;
log_debug(DEBUG_STATUS, "query type %d set (new query), ID = %d, new count = %d", query->type, id, counters->querytype[query->type]);
query->qtype = qtype;
query->id = id; // Has to be set before calling query_set_status()
// This query is unknown as long as no reply has been found and analyzed
query_set_status_init(query, QUERY_UNKNOWN);
query->domainID = domainID;
query->clientID = clientID;
// Initialize database field, will be set when the query is stored in the long-term DB
query->flags.database.stored = false;
query->flags.database.changed = true;
query->flags.complete = false;
query->response = querytimestamp;
query->flags.response_calculated = false;
// Initialize reply type
query->reply = REPLY_UNKNOWN;
counters->reply[REPLY_UNKNOWN]++;
log_debug(DEBUG_STATUS, "reply type %d set (new query), ID = %d, new count = %d", query->reply, query->id, counters->reply[query->reply]);
// Store DNSSEC result for this domain
query->dnssec = DNSSEC_UNKNOWN;
query->CNAME_domainID = -1;
// This query is not yet known ad forwarded or blocked
query->flags.blocked = false;
query->flags.allowed = false;
// Indicator that this query was not forwarded so far
query->upstreamID = -1;
// Check and apply possible privacy level rules
// The currently set privacy level (at the time the query is
// generated) is stored in the queries structure
query->privacylevel = config.misc.privacylevel.v.privacy_level;
// Query extended DNS error
query->ede = EDE_UNSET;
// Initialize cache ID, may be reusing an existing one if this
// (domain,client,type) tuple was already seen before
query->cacheID = findCacheID(domainID, clientID, querytype, true);
// This query is new and not yet known to the database
query->db = -1;
// Increase DNS queries counter
counters->queries++;
// Update overTime data structure with the new client
change_clientcount(client, 0, 0, timeidx, 1);
// Set lastQuery timer and add one query for network table
client->lastQuery = querytimestamp;
client->numQueriesARP++;
// Process interface information of client (if available)
// Skip interface name length 1 to skip "-". No real interface should
// have a name with a length of 1...
if(!internal_query && strlen(interface) > 1)
{
if(client->ifacepos == 0u)
{
// Store in the client data if unknown so far
client->ifacepos = addstr(interface);
}
else
{
// Check if this is still the same interface or
// if the client moved to another interface
// (may require group re-processing)
const char *oldiface = getstr(client->ifacepos);
if(strcasecmp(oldiface, interface) != 0)
{
if(config.debug.clients.v.b)
{
const char *clientName = getstr(client->namepos);
log_debug(DEBUG_CLIENTS, "Client %s (%s) changed interface: %s -> %s",
clientIP, clientName, oldiface, interface);
}
gravityDB_reload_groups(client);
}
}
}
// Set client MAC address from EDNS(0) information (if available)
if(config.dns.EDNS0ECS.v.b && edns && edns->mac_set)
{
memcpy(client->hwaddr, edns->mac_byte, 6);
client->hwlen = 6;
}
// Try to obtain MAC address from dnsmasq's cache (also asks the kernel)
if(client->hwlen < 1)
{
client->hwlen = find_mac(addr, client->hwaddr, 1, time(NULL));
if(config.debug.arp.v.b)
{
if(client->hwlen == 6)
log_debug(DEBUG_ARP, "find_mac(\"%s\") returned hardware address "
"%02X:%02X:%02X:%02X:%02X:%02X", clientIP,
client->hwaddr[0], client->hwaddr[1], client->hwaddr[2],
client->hwaddr[3], client->hwaddr[4], client->hwaddr[5]);
else
log_debug(DEBUG_ARP, "find_mac(\"%s\") returned %i bytes of data",
clientIP, client->hwlen);
}
}
bool blockDomain = false;
// Check if this should be blocked only for active queries
// (skipped for internally generated ones, e.g., DNSSEC)
if(!internal_query)
blockDomain = FTL_check_blocking(queryID, domainID, clientID);
// Free allocated memory
free(domainString);
// Store query in database
query->flags.database.changed = true;
// Release thread lock
unlock_shm();
return blockDomain;
}
void _FTL_iface(struct irec *recviface, const union all_addr *addr, const sa_family_t addrfamily,
const char *file, const int line)
{
// Invalidate data we have from the last interface/query
// Set addresses to 0.0.0.0 and ::, respectively
memset(&next_iface.addr4, 0, sizeof(next_iface.addr4));
memset(&next_iface.addr6, 0, sizeof(next_iface.addr6));
next_iface.haveIPv4 = next_iface.haveIPv6 = false;
// Debug logging
log_debug(DEBUG_NETWORKING, "Interfaces: Called from %s:%d", short_path(file), line);
// Use dummy when interface record is not available
next_iface.name[0] = '-';
next_iface.name[1] = '\0';
// Check if we need to identify the receiving interface by its address
if(!recviface && addr &&
((addrfamily == AF_INET && addr->addr4.s_addr != INADDR_ANY) ||
(addrfamily == AF_INET6 && !IN6_IS_ADDR_UNSPECIFIED(&addr->addr6))))
{
if(config.debug.networking.v.b)
{
char addrstr[INET6_ADDRSTRLEN] = { 0 };
if(addrfamily == AF_INET)
inet_ntop(AF_INET, &addr->addr4, addrstr, INET6_ADDRSTRLEN);
else // if(addrfamily == AF_INET6)
inet_ntop(AF_INET6, &addr->addr6, addrstr, INET6_ADDRSTRLEN);
log_debug(DEBUG_NETWORKING, "Identifying interface (looking for %s):", addrstr);
}
// Loop over interfaces and try to find match
for (struct irec *iface = daemon->interfaces; iface; iface = iface->next)
{
char addrstr[INET6_ADDRSTRLEN] = { 0 };
const char *iname = iface->slabel ? iface->slabel : iface->name;
if(iface->addr.sa.sa_family == AF_INET)
{
if(config.debug.networking.v.b)
{
inet_ntop(AF_INET, &iface->addr.in.sin_addr, addrstr, INET6_ADDRSTRLEN);
log_debug(DEBUG_NETWORKING, " - IPv4 interface %s (%d,%d) is %s",
iname, iface->index, iface->label, addrstr);
}
if(iface->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
{
// Set receiving interface
recviface = iface;
break;
}
}
else if(iface->addr.sa.sa_family == AF_INET6)
{
if(config.debug.networking.v.b)
{
inet_ntop(AF_INET6, &iface->addr.in6.sin6_addr, addrstr, INET6_ADDRSTRLEN);
log_debug(DEBUG_NETWORKING, " - IPv6 interface %s (%d,%d) is %s",
iname, iface->index, iface->label, addrstr);
}
if(IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr6))
{
// Set receiving interface
recviface = iface;
break;
}
}
}
log_debug(DEBUG_NETWORKING, recviface ?
" ^^^^^ MATCH ^^^^^" :
" --> NO MATCH <--");
}
// Return early when there is no interface available at this point
// This means we didn't get one passed + we didn't find one above
if(!recviface)
{
log_debug(DEBUG_NETWORKING, "No receiving interface available at this point");
return;
}
// Determine addresses of this interface, we have to loop over all interfaces as
// recviface will always only contain *either* IPv4 or IPv6 information
bool haveGUAv6 = false, haveULAv6 = false;
log_debug(DEBUG_NETWORKING, "Analyzing interfaces:");
for (struct irec *iface = daemon->interfaces; iface != NULL; iface = iface->next)
{
const sa_family_t family = iface->addr.sa.sa_family;
const char *iname = iface->slabel ? iface->slabel : iface->name;
// If this interface has no name, we skip it
if(iname == NULL)
{
if(config.debug.networking.v.b)
log_debug(DEBUG_NETWORKING, " - SKIP IPv%d interface (%d,%d): no name",
family == AF_INET ? 4 : 6, iface->index, iface->label);
continue;
}
// Check if this is the interface we want
if(iface->index != recviface->index || iface->label != recviface->label)
{
if(config.debug.networking.v.b)
log_debug(DEBUG_NETWORKING, " - SKIP IPv%d interface %s: (%d,%d) != (%d,%d)",
family == AF_INET ? 4 : 6, iname, iface->index, iface->label,
recviface->index, recviface->label);
continue;
}
// *** If we reach this point, we know this interface is the one we are looking for ***//
// Copy interface name
strncpy(next_iface.name, iname, sizeof(next_iface.name)-1);
next_iface.name[sizeof(next_iface.name)-1] = '\0';
bool isULA = false, isGUA = false, isLL = false;
// Check if this address is different from 0000:0000:0000:0000:0000:0000:0000:0000
if(family == AF_INET6 && memcmp(&next_iface.addr6.addr6, &iface->addr.in6.sin6_addr, sizeof(iface->addr.in6.sin6_addr)) != 0)
{
// Extract first byte
// We do not directly access the underlying union as
// MUSL defines it differently than GNU C
uint8_t bytes[2];
memcpy(&bytes, &iface->addr.in6.sin6_addr, 2);
// Global Unicast Address (2000::/3, RFC 4291)
isGUA = (bytes[0] & 0x70) == 0x20;
// Unique Local Address (fc00::/7, RFC 4193)
isULA = (bytes[0] & 0xfe) == 0xfc;
// Link Local Address (fe80::/10, RFC 4291)
isLL = (bytes[0] & 0xff) == 0xfe && (bytes[1] & 0x30) == 0;
// Store IPv6 address only if we don't already have a GUA or ULA address
// This makes the preference:
// 1. ULA
// 2. GUA
// 3. Link-local
if((!haveGUAv6 && !haveULAv6) || (haveGUAv6 && isULA))
{
next_iface.haveIPv6 = true;
// Store IPv6 address
memcpy(&next_iface.addr6.addr6, &iface->addr.in6.sin6_addr, sizeof(iface->addr.in6.sin6_addr));
if(isGUA)
haveGUAv6 = true;
else if(isULA)
haveULAv6 = true;
}
}
// Check if this address is different from 0.0.0.0
else if(family == AF_INET && memcmp(&next_iface.addr4.addr4, &iface->addr.in.sin_addr, sizeof(iface->addr.in.sin_addr)) != 0)
{
next_iface.haveIPv4 = true;
// Store IPv4 address
memcpy(&next_iface.addr4.addr4, &iface->addr.in.sin_addr, sizeof(iface->addr.in.sin_addr));
}
// Debug logging
if(config.debug.networking.v.b)
{
char buffer[ADDRSTRLEN+1] = { 0 };
if(family == AF_INET)
inet_ntop(AF_INET, &iface->addr.in.sin_addr, buffer, ADDRSTRLEN);
else if(family == AF_INET6)
inet_ntop(AF_INET6, &iface->addr.in6.sin6_addr, buffer, ADDRSTRLEN);
const char *type = family == AF_INET6 ? isGUA ? " (GUA)" : isULA ? " (ULA)" : isLL ? " (LL)" : " (other)" : "";
log_debug(DEBUG_NETWORKING, " - OK IPv%d interface %s (%d,%d) is %s%s",
family == AF_INET ? 4 : 6, next_iface.name,
iface->index, iface->label, buffer, type);
}
// Exit loop early if we already have everything we need
// (a valid IPv4 address + a valid ULA IPv6 address)
if(next_iface.haveIPv4 && haveULAv6)
{
log_debug(DEBUG_NETWORKING, "Exiting interface analysis early (have IPv4 + ULAv6)");
break;
}
}
}
static void check_pihole_PTR(char *domain)
{
// Return early if Pi-hole PTR is not available
if(pihole_ptr == NULL)
return;
// Convert PTR request into numeric form
union all_addr addr = {{ 0 }};
const int flags = in_arpa_name_2_addr(domain, &addr);
// Check if this is a valid in-addr.arpa (IPv4) or ip6.[int|arpa] (IPv6)
// specifier. If not, nothing is to be done here and we return early
if(flags == 0)
return;
// We do not want to reply with "pi.hole" to loopback PTRs
if((flags == F_IPV4 && addr.addr4.s_addr == htonl(INADDR_LOOPBACK)) ||
(flags == F_IPV6 && IN6_IS_ADDR_LOOPBACK(&addr.addr6)))
return;
// If we reached this point, addr contains the address the client requested
// a name for. We compare this address against all addresses of the local
// interfaces to see if we should reply with "pi.hole"
for (struct irec *iface = daemon->interfaces; iface != NULL; iface = iface->next)
{
const sa_family_t family = iface->addr.sa.sa_family;
if((family == AF_INET && flags == F_IPV4 && iface->addr.in.sin_addr.s_addr == addr.addr4.s_addr) ||
(family == AF_INET6 && flags == F_IPV6 && IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr.addr6)))
{
// The last PTR record in daemon->ptr is reserved for Pi-hole
free(pihole_ptr->name);
pihole_ptr->name = strdup(domain);
if(family == AF_INET)
{
// IPv4 supports conditional domains
struct in_addr addrv4 = { 0 };
addrv4.s_addr = iface->addr.in.sin_addr.s_addr;
pihole_ptr->ptr = get_ptrname(&addrv4);
}
else
{
// IPv6 does not support conditional domains
pihole_ptr->ptr = get_ptrname(NULL);
}
// Debug logging
log_debug(DEBUG_QUERIES, "Generating PTR response: %s -> %s", pihole_ptr->name, pihole_ptr->ptr);
return;
}
}
}
inline static void set_dnscache_blockingstatus(DNSCacheData * dns_cache, clientsData *client,
enum domain_client_status new_status, const char *domain)
{
// Memorize blocking status DNS cache for the domain/client combination
dns_cache->blocking_status = new_status;
const char *clientip = client ? getstr(client->ippos) : "N/A";
log_debug(DEBUG_QUERIES, "DNS cache: %s/%s is %s", clientip, domain, blockingreason);
}
static bool check_domain_blocked(const char *domain, const int clientID,
clientsData *client, queriesData *query, DNSCacheData *dns_cache,
enum query_status *new_status, bool *db_okay)
{
// Return early if this domain is explicitly allowed
if(query->flags.allowed)
return false;
// Check domains against exact blacklist
const enum db_result blacklist = in_denylist(domain, dns_cache, client);
if(blacklist == FOUND)
{
// Set new status
*new_status = QUERY_DENYLIST;
blockingreason = "exactly denied";
// Mark domain as exactly denied for this client
set_dnscache_blockingstatus(dns_cache, client, DENYLIST_BLOCKED, domain);
// We block this domain
return true;
}
// Check domain against antigravity
int list_id = -1;
const enum db_result antigravity = in_gravity(domain, client, true, &list_id);
if(antigravity == FOUND)
{
log_debug(DEBUG_QUERIES, "Allowing query due to antigravity match (list ID %i)", list_id);
// Store ID of the matching antigravity list
// positive values (incl. 0) are used for domainlists
// -1 means "not set"
// -2 is gravity list 0
// -3 is gravity list 1
// ...
dns_cache->list_id = -1 * (list_id + 2);
// Mark query as allowed to prevent further checks such as CNAME
// inspection. This ensures antigravity matches have similar effects
// than explicitly allowed domains.
query->flags.allowed = true;
return false;
}
// Check domains against gravity domains
const enum db_result gravity = in_gravity(domain, client, false, &list_id);
if(gravity == FOUND)
{
// Set new status
*new_status = QUERY_GRAVITY;
blockingreason = "gravity blocked";
// Mark domain as gravity blocked for this client
set_dnscache_blockingstatus(dns_cache, client, GRAVITY_BLOCKED, domain);
log_debug(DEBUG_QUERIES, "Blocking query due to gravity match (list ID %i)", list_id);
// Store ID of the matching gravity list
// see remarks above for the list_id values
dns_cache->list_id = -1 * (list_id + 2);
// We block this domain
return true;
}
// Check if one of the database lookups returned that the database is
// currently busy
if(blacklist == LIST_NOT_AVAILABLE ||
antigravity == LIST_NOT_AVAILABLE ||
gravity == LIST_NOT_AVAILABLE)
{
*db_okay = false;
// Handle reply to this query as configured
if(config.dns.replyWhenBusy.v.busy_reply == BUSY_ALLOW)
{
log_debug(DEBUG_QUERIES, "Allowing query as gravity database is not available");
// Permit this query
// As we set db_okay to false, this allowing here does not enter the
// DNS cache so this domain will be rechecked on the next query
return false;
}
else if(config.dns.replyWhenBusy.v.busy_reply == BUSY_REFUSE)
{
blockingreason = "to be refused (gravity database is not available)";
force_next_DNS_reply = REPLY_REFUSED;
*new_status = QUERY_DBBUSY;
}
else if(config.dns.replyWhenBusy.v.busy_reply == BUSY_DROP)
{
blockingreason = "to be dropped (gravity database is not available)";
force_next_DNS_reply = REPLY_NONE;
*new_status = QUERY_DBBUSY;
}
else
{
blockingreason = "to be blocked (gravity database is not available)";
*new_status = QUERY_DBBUSY;
}
// We block this query
return true;
}
// Check domain against blacklist regex filters
// Skipped when the domain is whitelisted or blocked by exact blacklist or gravity
if(in_regex(domain, dns_cache, client->id, REGEX_DENY))
{
// Set new status
*new_status = QUERY_REGEX;
blockingreason = "regex denied";
// Mark domain as regex matched for this client
set_dnscache_blockingstatus(dns_cache, client, REGEX_BLOCKED, domain);
// Regex may be overwriting reply type for this domain
if(dns_cache->force_reply != REPLY_UNKNOWN)
force_next_DNS_reply = dns_cache->force_reply;
cname_target = dns_cache->cname_target;
// Store ID of this regex (fork-private)
last_regex_idx = dns_cache->list_id;
// We block this domain
return true;
}
// Not blocked because not found on any list
return false;
}
// Special domain checking
static bool special_domain(const queriesData *query, const char *domain)
{
// Mozilla canary domain
// Network administrators may configure their networks as follows to signal
// that their local DNS resolver implemented special features that make the
// network unsuitable for DoH:
// DNS queries for the A and AAAA records for the domain
// “use-application-dns.net” must respond with either: a response code other
// than NOERROR, such as NXDOMAIN (non-existent domain) or SERVFAIL; or
// respond with NOERROR, but return no A or AAAA records.
// https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
if(config.dns.specialDomains.mozillaCanary.v.b &&
strcasecmp(domain, "use-application-dns.net") == 0 &&
(query->type == TYPE_A || query->type == TYPE_AAAA))
{
blockingreason = "Mozilla canary domain";
force_next_DNS_reply = REPLY_NXDOMAIN;
return true;
}
// Apple iCloud Private Relay
// Some enterprise or school networks might be required to audit all
// network traffic by policy, and your network can block access to
// Private Relay in these cases. The user will be alerted that they need
// to either disable Private Relay for your network or choose another
// network.
// The fastest and most reliable way to alert users is to return a
// negative answer from your networks DNS resolver, preventing DNS
// resolution for the following hostnames used by Private Relay traffic.
// Avoid causing DNS resolution timeouts or silently dropping IP packets
// sent to the Private Relay server, as this can lead to delays on
// client devices.
// > mask.icloud.com
// > mask-h2.icloud.com
// https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
if(config.dns.specialDomains.iCloudPrivateRelay.v.b &&
(strcasecmp(domain, "mask.icloud.com") == 0 ||
strcasecmp(domain, "mask-h2.icloud.com") == 0))
{
blockingreason = "Apple iCloud Private Relay domain";
force_next_DNS_reply = REPLY_NXDOMAIN;
return true;
}
return false;
}
static bool _FTL_check_blocking(int queryID, int domainID, int clientID, const char* file, const int line)
{
// Only check blocking conditions when global blocking is enabled
if(get_blockingstatus() == BLOCKING_DISABLED)
{
return false;
}
// Get query, domain and client pointers
queriesData *query = getQuery(queryID, true);
domainsData *domain = getDomain(domainID, true);
clientsData *client = getClient(clientID, true);
if(query == NULL || domain == NULL || client == NULL)
{
log_err("No memory available, skipping query analysis");
return false;
}
// Get cache pointer
// When this function is called with a different domain than the one
// already stored in the query, we have to re-lookup the cache ID.
// This can happen when a CNAME chain is followed and analyzed
const int cacheID = query->domainID == domainID && query->clientID == clientID ?
query->cacheID :
findCacheID(domainID, clientID, query->type, true);
DNSCacheData *dns_cache = getDNSCache(cacheID, true);
if(dns_cache == NULL)
{
log_err("No memory available, skipping query analysis");
return false;
}
// Skip the entire chain of tests if we already know the answer for this
// particular client
unsigned char blockingStatus = dns_cache->blocking_status;
char *domainstr = (char*)getstr(domain->domainpos);
switch(blockingStatus)
{
case UNKNOWN_BLOCKED:
// New domain/client combination.
// We have to go through all the tests below
log_debug(DEBUG_QUERIES, "%s is not known", domainstr);
break;
case DENYLIST_BLOCKED:
// Known as exactly denied, we return this result early, skipping
// all the lengthy tests below
blockingreason = "exactly denied";
log_debug(DEBUG_QUERIES, "%s is known as %s", domainstr, blockingreason);
// Do not block if the entire query is to be permitted
// as something along the CNAME path hit the whitelist
if(!query->flags.allowed)
{
force_next_DNS_reply = dns_cache->force_reply;
query_blocked(query, domain, client, QUERY_DENYLIST);
return true;
}
break;
case GRAVITY_BLOCKED:
// Known as gravity blocked, we return this result early, skipping
// all the lengthy tests below
blockingreason = "gravity blocked";
log_debug(DEBUG_QUERIES, "%s is known as %s", domainstr, blockingreason);
// Do not block if the entire query is to be permitted
// as sometving along the CNAME path hit the whitelist
if(!query->flags.allowed)
{
force_next_DNS_reply = dns_cache->force_reply;
query_blocked(query, domain, client, QUERY_GRAVITY);
return true;
}
break;
case REGEX_BLOCKED:
// Known as regex denied, we return this result early, skipping all
// the lengthy tests below
blockingreason = "regex denied";
log_debug(DEBUG_QUERIES, "%s is known as %s (cache regex ID: %i)",
domainstr, blockingreason, dns_cache->list_id);
// Do not block if the entire query is to be permitted as something
// along the CNAME path hit the whitelist
if(!query->flags.allowed)
{
force_next_DNS_reply = dns_cache->force_reply;
last_regex_idx = dns_cache->list_id;
query_blocked(query, domain, client, QUERY_REGEX);
return true;
}
break;
case ALLOWED:
// Known as allowed, we return this result early, skipping all the
// lengthy tests below
log_debug(DEBUG_QUERIES, "%s is known as not to be blocked (allowed)", domainstr);
query->flags.allowed = true;
return false;
break;
case SPECIAL_DOMAIN:
// Known as a special domain, we return this result early, skipping
// all the lengthy tests below
blockingreason = "special domain";
log_debug(DEBUG_QUERIES, "%s is known as special domain", domainstr);
force_next_DNS_reply = dns_cache->force_reply;
query_blocked(query, domain, client, QUERY_SPECIAL_DOMAIN);
return true;
break;
case NOT_BLOCKED:
// Known as not blocked, we return this result early, skipping all
// the lengthy tests below
log_debug(DEBUG_QUERIES, "%s is known as not to be blocked", domainstr);
return false;
break;
}
// Skip all checks and continue if we hit already at least one allowlist in the chain
if(query->flags.allowed)
{
log_debug(DEBUG_QUERIES, "Query is permitted as at least one allowlist entry matched");
return false;
}
// when we reach this point: the query is not in FTL's cache (for this client)
// Make a local copy of the domain string. The string memory may get
// reorganized in the following. We cannot expect domainstr to remain
// valid for all time.
domainstr = strdup(domainstr);
const char *blockedDomain = domainstr;
// Check exact whitelist for match
query->flags.allowed = in_allowlist(domainstr, dns_cache, client) == FOUND;
// If not found: Check regex whitelist for match
if(!query->flags.allowed)
query->flags.allowed = in_regex(domainstr, dns_cache, client->id, REGEX_ALLOW);
// Check if this is a special domain
if(!query->flags.allowed && special_domain(query, domainstr))
{
// Set DNS cache properties
dns_cache->blocking_status = SPECIAL_DOMAIN;
dns_cache->force_reply = force_next_DNS_reply;
// Adjust counters
query_blocked(query, domain, client, QUERY_SPECIAL_DOMAIN);
// Debug output
log_debug(DEBUG_QUERIES, "Special domain: %s is %s", domainstr, blockingreason);
return true;
}
// Check blacklist (exact + regex) and gravity for queried domain
unsigned char new_status = QUERY_UNKNOWN;
bool db_okay = true;
bool blockDomain = check_domain_blocked(domainstr, clientID, client, query, dns_cache, &new_status, &db_okay);
// Check blacklist (exact + regex) and gravity for _esni.domain if enabled
// (defaulting to true)
if(config.dns.blockESNI.v.b &&
!query->flags.allowed && blockDomain == NOT_FOUND &&
strlen(domainstr) > 6 && strncasecmp(domainstr, "_esni.", 6u) == 0)
{
blockDomain = check_domain_blocked(domainstr + 6u, clientID, client, query, dns_cache, &new_status, &db_okay);
if(blockDomain)
{
// Truncate "_esni." from queried domain if the parenting domain was
// the reason for blocking this query
blockedDomain = domainstr + 6u;
// Force next DNS reply to be NXDOMAIN for _esni.* queries
force_next_DNS_reply = REPLY_NXDOMAIN;
// Store this in the DNS cache only if the database is available at
// this point
if(db_okay)
dns_cache->force_reply = REPLY_NXDOMAIN;
}
}
// Common actions regardless what the possible blocking reason is
if(blockDomain)
{
// Adjust counters
query_blocked(query, domain, client, new_status);
// Debug output
if(config.debug.queries.v.b)
{
log_debug(DEBUG_QUERIES, "Blocking %s as %s is %s (domainlist ID: %i)",
domainstr, blockedDomain, blockingreason, dns_cache->list_id);
if(force_next_DNS_reply != 0)
log_debug(DEBUG_QUERIES, "Forcing next reply to %s", get_query_reply_str(force_next_DNS_reply));
}
}
else if(db_okay)
{
// Explicitly mark as not blocked to skip the entire gravity/blacklist
// chain when the same client asks for the same domain in the future.
// Store domain as allowed if this is the case
dns_cache->blocking_status = query->flags.allowed ? ALLOWED : NOT_BLOCKED;
// Debug output
// client is guaranteed to be non-NULL above
log_debug(DEBUG_QUERIES, "DNS cache: %s/%s is %s (domainlist ID: %i)", getstr(client->ippos),
domainstr, query->flags.allowed ? "allowed" : "not blocked", dns_cache->list_id);
}
free(domainstr);
return blockDomain;
}
bool _FTL_CNAME(const char *dst, const char *src, const int id, const char* file, const int line)
{
log_debug(DEBUG_QUERIES, "FTL_CNAME called with: src = %s, dst = %s, id = %d", src, dst, id);
// Does the user want to skip deep CNAME inspection?
if(!config.dns.CNAMEdeepInspect.v.b)
{
log_debug(DEBUG_QUERIES, "Skipping analysis as CNAME inspection is disabled");
return false;
}
// Lock shared memory
lock_shm();
// Save status and upstreamID in corresponding query identified by dnsmasq's ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was a PTR query
// or "pi.hole" and we ignored them altogether
unlock_shm();
log_debug(DEBUG_QUERIES, "Skipping analysis as parent query is not found");
return false;
}
// Get query pointer so we can later extract the client requesting this domain for
// the per-client blocking evaluation
queriesData* query = getQuery(queryID, true);
if(query == NULL)
{
// Nothing to be done here
unlock_shm();
log_debug(DEBUG_QUERIES, "Skipping analysis as parent query is not valid");
return false;
}
// Example to make the terminology used in here clear:
// CNAME abc -> 123
// CNAME 123 -> 456
// CNAME 456 -> 789
// parent_domain: abc
// child_domains: [123, 456, 789]
// parent_domain = Domain at the top of the CNAME path
// This is the domain which was queried first in this chain
const int parent_domainID = query->domainID;
// child_domain = Intermediate domain in CNAME path
// This is the domain which was queried later in this chain
char *child_domain = strdup(dst);
// Convert to lowercase for matching
strtolower(child_domain);
const int child_domainID = findDomainID(child_domain, false);
// Get client ID from the original query (the entire chain always
// belongs to the same client)
const int clientID = query->clientID;
// Check per-client blocking for the child domain
const bool block = FTL_check_blocking(queryID, child_domainID, clientID);
// If we find during a CNAME inspection that we want to block the entire chain,
// the originally queried domain itself was not counted as blocked. We have to
// correct this when we are going to short-circuit the entire query
if(block)
{
// Increase blocked count of parent domain
domainsData* parent_domain = getDomain(parent_domainID, true);
if(parent_domain == NULL)
{
// Memory error, return
free(child_domain);
unlock_shm();
return false;
}
parent_domain->blockedcount++;
// Store query response as CNAME type
struct timeval response;
gettimeofday(&response, 0);
query_set_reply(F_CNAME, 0, NULL, query, response);
// Store domain that was the reason for blocking the entire chain
query->CNAME_domainID = child_domainID;
// Change blocking reason into CNAME-caused blocking
if(query->status == QUERY_GRAVITY)
{
query_set_status(query, QUERY_GRAVITY_CNAME);
}
else if(query->status == QUERY_REGEX)
{
// Get parent and child DNS cache entries
const int parent_cacheID = query->cacheID;
const int child_cacheID = findCacheID(child_domainID, clientID, query->type, false);
// Get cache pointers
DNSCacheData *parent_cache = getDNSCache(parent_cacheID, true);
DNSCacheData *child_cache = getDNSCache(child_cacheID, true);
// Propagate ID of responsible regex up from the child to the parent
// domain (but only if set)
if(parent_cache != NULL && child_cache != NULL && child_cache->list_id != -1)
parent_cache->list_id = child_cache->list_id;
// Set status
query_set_status(query, QUERY_REGEX_CNAME);
}
else if(query->status == QUERY_DENYLIST)
{
// Only set status
query_set_status(query, QUERY_DENYLIST_CNAME);
}
}
// Debug logging for deep CNAME inspection (if enabled)
log_debug(DEBUG_QUERIES, "Query %d: CNAME %s ---> %s", id, src, dst);
// Mark query for updating in the database
query->flags.database.changed = true;
// Return result
free(child_domain);
unlock_shm();
return block;
}
static void FTL_forwarded(const unsigned int flags, const char *name, const union all_addr *addr,
unsigned short port, const int id, const char* file, const int line)
{
// Save that this query got forwarded to an upstream server
const double now = double_time();
// Lock shared memory
lock_shm();
// Get forward destination IP address and port
in_port_t upstreamPort = 53;
char dest[ADDRSTRLEN];
// If addr == NULL, we will only duplicate an empty string instead of uninitialized memory
dest[0] = '\0';
if(addr != NULL)
{
if(flags & F_IPV4)
{
inet_ntop(AF_INET, addr, dest, ADDRSTRLEN);
// Reverse-engineer port from underlying sockaddr_in structure
const in_port_t *rport = (in_port_t*)((void*)addr
- offsetof(struct sockaddr_in, sin_addr)
+ offsetof(struct sockaddr_in, sin_port));
upstreamPort = ntohs(*rport);
if(upstreamPort != port)
log_err("Port mismatch for %s: we derived %d, dnsmasq told us %d", dest, upstreamPort, port);
}
else
{
inet_ntop(AF_INET6, addr, dest, ADDRSTRLEN);
// Reverse-engineer port from underlying sockaddr_in6 structure
const in_port_t *rport = (in_port_t*)((void*)addr
- offsetof(struct sockaddr_in6, sin6_addr)
+ offsetof(struct sockaddr_in6, sin6_port));
upstreamPort = ntohs(*rport);
if(upstreamPort != port)
log_err("Port mismatch for %s: we derived %d, dnsmasq told us %d", dest, upstreamPort, port);
}
}
// Convert upstreamIP to lower case
char *upstreamIP = strdup(dest);
strtolower(upstreamIP);
// Debug logging
log_debug(DEBUG_QUERIES, "**** forwarded %s to %s#%u (ID %i, %s:%i)",
name, upstreamIP, upstreamPort, id, file, line);
// Save status and upstreamID in corresponding query identified by dnsmasq's ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was a PTR query or "pi.hole"
// as we ignore them altogether
free(upstreamIP);
unlock_shm();
return;
}
// Get query pointer
queriesData* query = getQuery(queryID, true);
if(query == NULL)
{
free(upstreamIP);
unlock_shm();
return;
}
// Get ID of upstream destination, create new upstream record
// if not found in current data structure
const int upstreamID = findUpstreamID(upstreamIP, upstreamPort);
query->upstreamID = upstreamID;
upstreamsData *upstream = getUpstream(upstreamID, true);
if(upstream != NULL)
upstream->count++;
// Proceed only if
// - current query has not been marked as replied to so far
// (it could be that answers from multiple forward
// destinations are coming in for the same query)
// - the query was formally known as cached but had to be forwarded
// (this is a special case further described below)
if(query->flags.complete && query->status != QUERY_CACHE)
{
free(upstreamIP);
unlock_shm();
return;
}
if(query->status == QUERY_CACHE)
{
// Detect if we cached the <CNAME> but need to ask the upstream
// servers for the actual IPs now, we remove this query from the
// counters for cache replied queries as we had to forward a
// request for it. Example:
// Assume a domain a.com is a CNAME which is cached and has a very
// long TTL. It point to another domain server.a.com which has an
// A record but this has a much lower TTL.
// If you now query a.com and then again after some time, you end
// up in a situation where dnsmasq can answer the first level of
// the DNS result (the CNAME) from cache, hence the status of this
// query is marked as "answered from cache" in FTLDNS. However, for
// server.a.com with the much shorter TTL, we still have to forward
// something and ask the upstream server for the final IP address.
// Correct reply timer if a response time has already been calculated
if(query->flags.response_calculated)
{
struct timeval response;
gettimeofday(&response, 0);
// Reset timer to measure how long it takes until an answer arrives
// If a response time has already been calculated, we
// can go back in time to measure both the initial cache
// lookup and the (now starting) time it takes for the
// upstream to respond
query->response = now - query->response;
query->flags.response_calculated = false;
}
}
else
{
// Normal forwarded query (status is set below)
// Hereby, this query is now fully determined
query->flags.complete = true;
}
// Set query status to forwarded only after the
// if(query->status == QUERY_CACHE) { ... }
// from above as otherwise this check will always
// be negative
query_set_status(query, QUERY_FORWARDED);
// Release allocated memory
free(upstreamIP);
// Mark query for updating in the database
query->flags.database.changed = true;
// Unlock shared memory
unlock_shm();
}
static unsigned int reload = 0u;
void FTL_dnsmasq_reload(void)
{
// This function is called by the dnsmasq code on receive of SIGHUP
// *before* clearing the cache and re-reading the lists
if(reload++ > 0)
log_info("Received SIGHUP, flushing cache and re-reading config");
// Gravity database updates
// - (Re-)open gravity database connection
// - Get number of blocked domains
// - check adlist table for inaccessible adlists
// - Read and compile regex filters (incl. per-client)
// - Flush FTL's DNS cache
set_event(RELOAD_GRAVITY);
// Print current set of capabilities if requested via debug flag
if(config.debug.caps.v.b)
check_capabilities();
// Re-read pihole.toml (incl. rewriting) on every but the first reload
// (which is happening right after the start of dnsmasq)
if(reload > 1)
reread_config();
// Report blocking mode
log_info("Blocking status is %s", config.dns.blocking.active.v.b ? "enabled" : "disabled");
// Set resolver as ready
resolver_ready = true;
}
static void alladdr_extract_ip(union all_addr *addr, const sa_family_t family, char ip[ADDRSTRLEN+1])
{
// Extract IP address
inet_ntop(family, addr, ip, ADDRSTRLEN);
}
static void mysockaddr_extract_ip_port(const union mysockaddr *server, char ip[ADDRSTRLEN+1], in_port_t *port)
{
// Extract IP address
inet_ntop(server->sa.sa_family,
server->sa.sa_family == AF_INET ?
(void*)&server->in.sin_addr :
(void*)&server->in6.sin6_addr,
ip, ADDRSTRLEN);
// Extract port (only if requested)
if(port != NULL)
{
*port = ntohs(server->sa.sa_family == AF_INET ?
server->in.sin_port :
server->in6.sin6_port);
}
}
// Compute cache/upstream response time
static inline void set_response_time(queriesData *query, const double now)
{
// Do this only if this is the first time we set a reply
if(query->flags.response_calculated)
return;
// Convert absolute timestamp to relative timestamp
query->response = now - query->response;
query->flags.response_calculated = true;
}
// Changes upstream server (only relevant when multiple servers are defined)
// If this is an upstream response and the answering upstream is known (may not
// be the case for internally generated DNSSEC queries), we have to check if the
// first answering upstream server is also the first one we sent the query to.
// If not, we need to change the upstream server associated with this query to
// get accurate statistics
static void update_upstream(queriesData *query, const int id)
{
// We use query->flags.response_calculated to check if this is the first
// response received for this query and check the family of last server
// to see if it is available
if(query->flags.response_calculated || last_server.sa.sa_family == 0)
return;
char ip[ADDRSTRLEN+1] = { 0 };
in_port_t port = 0;
mysockaddr_extract_ip_port(&last_server, ip, &port);
int upstreamID = findUpstreamID(ip, port);
if(upstreamID != query->upstreamID)
{
if(config.debug.queries.v.b)
{
upstreamsData *upstream = getUpstream(query->upstreamID, true);
if(upstream)
{
const char *oldaddr = getstr(upstream->ippos);
const in_port_t oldport = upstream->port;
log_debug(DEBUG_QUERIES, "Query ID %d: Associated upstream changed (was %s#%d) as %s#%d replied earlier",
id, oldaddr, oldport, ip, port);
}
}
// Update upstream server ID
query->upstreamID = upstreamID;
}
}
static void FTL_reply(const unsigned int flags, const char *name, const union all_addr *addr,
const char *arg, const int id, const char* file, const int line)
{
const double now = double_time();
// If domain is "pi.hole", we skip this query
// We compare case-insensitive here
// Hint: name can be NULL, e.g. for NODATA/NXDOMAIN replies
if(name != NULL && strcasecmp(name, "pi.hole") == 0)
{
return;
}
// Get response time before lock because we want to measure upstream not
// the lock. The latter may artificially add some extra nanoseconds when
// the Pi-hole is currently busy
struct timeval response;
gettimeofday(&response, 0);
// Lock shared memory
lock_shm();
// Save status in corresponding query identified by dnsmasq's ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was "pi.hole"
log_debug(DEBUG_QUERIES, "FTL_reply(): Query %i has not been found", id);
unlock_shm();
return;
}
// Check if this reply came from our local cache
bool cached = false;
if(!(flags & F_UPSTREAM))
{
cached = true;
if((flags & F_HOSTS) || // hostname.list, /etc/hosts and others
((flags & F_NAMEP) && (flags & F_DHCP)) || // DHCP server reply
(flags & F_FORWARD) || // cached answer to previously forwarded request
(flags & F_REVERSE) || // cached answer to reverse request (PTR)
(flags & F_RRNAME)) // cached answer to TXT query
{
; // Okay
}
else
log_debug(DEBUG_FLAGS, "***** Unknown cache query");
}
// Is this a stale reply?
const bool stale = flags & F_STALE;
// Possible debugging output
if(config.debug.queries.v.b)
{
// Human-readable answer may be provided by arg
// (e.g. for non-cached queries such as SOA)
const char *answer = arg;
// Determine returned address (if applicable)
char dest[ADDRSTRLEN]; dest[0] = '\0';
if(addr)
{
inet_ntop((flags & F_IPV4) ? AF_INET : AF_INET6, addr, dest, ADDRSTRLEN);
answer = dest; // Overwrite answer with human-readable IP address
}
// Extract answer (used e.g. for detecting if a local config is a user-defined
// wildcard blocking entry in form "server=/tobeblocked.com/")
if(flags & F_CNAME)
answer = "(CNAME)";
else if((flags & F_NEG) && (flags & F_NXDOMAIN))
answer = "(NXDOMAIN)";
else if(flags & F_NEG)
answer = "(NODATA)";
else if(flags & F_RCODE && addr != NULL)
{
unsigned int rcode = addr->log.rcode;
if(rcode == REFUSED)
{
// This happens, e.g., in a "nowhere to forward to" situation
answer = "REFUSED (nowhere to forward to)";
}
else if(rcode == SERVFAIL)
{
// This happens on upstream destination errors
answer = "SERVFAIL";
}
}
else if(flags & F_NOEXTRA)
{
if(flags & F_KEYTAG)
answer = "DNSKEY";
else
answer = arg; // e.g. "reply <TLD> is no DS"
}
// Substitute "." if we are querying the root domain (e.g. DNSKEY)
const char *dispname = name;
if(!name || strlen(name) == 0)
dispname = ".";
if(cached || last_server.sa.sa_family == 0)
// Log cache or upstream reply from unknown source
log_debug(DEBUG_QUERIES, "**** got %s%s reply: %s is %s (ID %i, %s:%i)",
stale ? "stale ": "", cached ? "cache" : "upstream",
dispname, answer, id, file, line);
else
{
char ip[ADDRSTRLEN+1] = { 0 };
in_port_t port = 0;
mysockaddr_extract_ip_port(&last_server, ip, &port);
// Log server which replied to our request
log_debug(DEBUG_QUERIES, "**** got %s%s reply from %s#%d: %s is %s (ID %i, %s:%i)",
stale ? "stale ": "", cached ? "cache" : "upstream",
ip, port, dispname, answer, id, file, line);
}
}
// Get and check query pointer
queriesData* query = getQuery(queryID, true);
if(query == NULL)
{
// Nothing to be done here
unlock_shm();
return;
}
// EDE analysis
if(addr && flags & (F_RCODE | F_SECSTAT) && addr->log.ede != EDE_UNSET)
{
query->ede = addr->log.ede;
log_debug(DEBUG_QUERIES, " EDE (1): %s (%d)", edestr(addr->log.ede), addr->log.ede);
}
ednsData *edns = getEDNS();
if(edns != NULL && edns->ede != EDE_UNSET)
{
query->ede = edns->ede;
log_debug(DEBUG_QUERIES, " EDE (2): %s (%d)", edestr(edns->ede), edns->ede);
}
// Update upstream server (if applicable)
if(!cached)
update_upstream(query, id);
// Reset last_server to avoid possibly changing the upstream server
// again in the next query
memset(&last_server, 0, sizeof(last_server));
// Save response time
// Skipped internally if already computed
set_response_time(query, now);
// We only process the first reply further in here
// Check if reply type is still UNKNOWN
if(query->reply != REPLY_UNKNOWN)
{
// Nothing to be done here
unlock_shm();
return;
}
// Determine if this reply is an exact match for the queried domain
const int domainID = query->domainID;
// Get domain pointer
domainsData* domain = getDomain(domainID, true);
if(domain == NULL)
{
// Memory error, skip reply
unlock_shm();
return;
}
// Determine query status (live or stale data?)
const enum query_status qs = stale ? QUERY_CACHE_STALE : QUERY_CACHE;
// This is either a reply served from cache or a blocked query (which appear
// to be from cache because of flags containing F_HOSTS)
if(cached)
{
// Set status of this query only if this is not a blocked query
if(!is_blocked(query->status))
query_set_status(query, qs);
// Detect if returned IP indicates that this query was blocked
const enum query_status new_status = detect_blocked_IP(flags, addr, query, domain);
// Update status of this query if detected as external blocking
if(new_status != query->status)
{
clientsData *client = getClient(query->clientID, true);
if(client != NULL)
query_blocked(query, domain, client, new_status);
}
// Save reply type and update individual reply counters
query_set_reply(flags, 0, addr, query, response);
// We know from cache that this domain is either SECURE or
// INSECURE, bogus queries are not cached
if(flags & F_DNSSECOK)
query_set_dnssec(query, DNSSEC_SECURE);
else
query_set_dnssec(query, DNSSEC_INSECURE);
// Hereby, this query is now fully determined
query->flags.complete = true;
// Mark query for updating in the database
query->flags.database.changed = true;
unlock_shm();
return;
}
// else: This is a reply from upstream
// Check if this domain matches exactly
const bool isExactMatch = name != NULL && strcasecmp(name, getstr(domain->domainpos)) == 0;
if((flags & F_CONFIG) && isExactMatch && !query->flags.complete)
{
// Answered from local configuration, might be a wildcard or user-provided
// Answered from a custom (user provided) cache file or because
// we're the authoritative DNS server (e.g. DHCP server and this
// is our own domain)
query_set_status(query, qs);
// Save reply type and update individual reply counters
query_set_reply(flags, 0, addr, query, response);
// Hereby, this query is now fully determined
query->flags.complete = true;
// Mark query for updating in the database
query->flags.database.changed = true;
}
else if((flags & (F_FORWARD | F_UPSTREAM)) && isExactMatch)
{
upstreamsData *upstream = getUpstream(query->upstreamID, true);
upstream->responses++;
// Re-compute upstream average response time and uncertainty
upstream->rtime += query->response;
const double mean = upstream->rtime / upstream->responses;
upstream->rtuncertainty += (mean - query->response)*(mean - query->response);
// Only proceed if query is not already known
// to have been blocked by Quad9
if(query->status == QUERY_EXTERNAL_BLOCKED_IP ||
query->status == QUERY_EXTERNAL_BLOCKED_NULL ||
query->status == QUERY_EXTERNAL_BLOCKED_NXRA)
{
unlock_shm();
return;
}
// DNSSEC query handling
unsigned int reply_flags = flags;
if(flags & F_NOEXTRA && (query->type == TYPE_DNSKEY || query->type == TYPE_DS))
{
if(flags & F_KEYTAG)
{
// We were able to validate this query, mark it
// as SECURE (reply <domain> is {DNSKEY,DS}
// keytag <X>, algo <Y>, digest <Z>)
query_set_dnssec(query, DNSSEC_SECURE);
}
else if(strstr(arg, "BOGUS") != NULL)
{
// BOGUS DS
query_set_dnssec(query, DNSSEC_BOGUS);
}
else
{
// If is a negative reply to a DNSSEC query
// (reply <domain> is no DS), we overwrite flags
// to store NODATA for this query
reply_flags = F_NEG;
}
}
// Save reply type and update individual reply counters
query_set_reply(reply_flags, 0, addr, query, response);
// Further checks if this is an IP address
if(addr)
{
// Detect if returned IP indicates that this query was blocked
const enum query_status new_status = detect_blocked_IP(flags, addr, query, domain);
// Update status of this query if detected as external blocking
if(new_status != query->status)
{
clientsData *client = getClient(query->clientID, true);
if(client != NULL)
query_blocked(query, domain, client, new_status);
}
}
// Mark query for updating in the database
query->flags.database.changed = true;
}
else if(flags & F_REVERSE)
{
// isExactMatch is not used here as the PTR is special.
// Example:
// Question: PTR 8.8.8.8
// will lead to:
// domain->domain = 8.8.8.8.in-addr.arpa
// and will return
// name = google-public-dns-a.google.com
// Hence, isExactMatch is always false
// Save reply type and update individual reply counters
query_set_reply(flags, 0, addr, query, response);
// Mark query for updating in the database
query->flags.database.changed = true;
}
else if(isExactMatch && !query->flags.complete)
{
log_warn("Unknown REPLY");
}
else if(config.debug.flags.v.b)
{
log_warn("Unknown upstream REPLY");
}
if(query && option_bool(OPT_DNSSEC_PROXY))
{
// DNSSEC proxy mode is enabled. Interpret AD flag
// and set DNSSEC status accordingly
query_set_dnssec(query, adbit ? DNSSEC_SECURE : DNSSEC_INSECURE);
}
if(query && option_bool(OPT_DNSSEC_PROXY))
{
// DNSSEC proxy mode is enabled. Interpret AD flag
// and set DNSSEC status accordingly
query_set_dnssec(query, adbit ? DNSSEC_SECURE : DNSSEC_INSECURE);
}
unlock_shm();
}
static enum query_status detect_blocked_IP(const unsigned short flags, const union all_addr *addr, const queriesData *query, const domainsData *domain)
{
// Compare returned IP against list of known blocking splash pages
if (!addr)
{
return query->status;
}
// First, we check if we want to skip this result even before comparing against the known IPs
if(flags & F_HOSTS || flags & F_REVERSE)
{
// Skip replies which originated locally. Otherwise, we would
// count gravity.list blocked queries as externally blocked.
// Also: Do not mark responses of PTR requests as externally blocked.
const char *cause = (flags & F_HOSTS) ? "origin is HOSTS" : "query is PTR";
log_debug(DEBUG_QUERIES, "Skipping detection of external blocking IP for ID %i as %s", query->id, cause);
// Return early, do not compare against known blocking page IP addresses below
return query->status;
}
// If received one of the following IPs as reply, OpenDNS
// (Cisco Umbrella) blocked this query
// See https://support.opendns.com/hc/en-us/articles/227986927-What-are-the-Cisco-Umbrella-Block-Page-IP-Addresses-
// for a full list of these IP addresses
in_addr_t ipv4Addr = ntohl(addr->addr4.s_addr);
in_addr_t ipv6Addr = ntohl(addr->addr6.s6_addr32[3]);
// Check for IP block 146.112.61.104 - 146.112.61.110
if((flags & F_IPV4) && ipv4Addr >= 0x92703d68 && ipv4Addr <= 0x92703d6e)
{
if(config.debug.queries.v.b)
{
char answer[ADDRSTRLEN]; answer[0] = '\0';
inet_ntop(AF_INET, addr, answer, ADDRSTRLEN);
log_debug(DEBUG_QUERIES, "Upstream responded with known blocking page (IPv4), ID %i:\n\t\"%s\" -> \"%s\"",
query->id, getstr(domain->domainpos), answer);
}
// Update status
return QUERY_EXTERNAL_BLOCKED_IP;
}
// Check for IP block :ffff:146.112.61.104 - :ffff:146.112.61.110
else if(flags & F_IPV6 &&
addr->addr6.s6_addr32[0] == 0 &&
addr->addr6.s6_addr32[1] == 0 &&
addr->addr6.s6_addr32[2] == 0xffff0000 &&
ipv6Addr >= 0x92703d68 && ipv6Addr <= 0x92703d6e)
{
if(config.debug.queries.v.b)
{
char answer[ADDRSTRLEN]; answer[0] = '\0';
inet_ntop(AF_INET6, addr, answer, ADDRSTRLEN);
log_debug(DEBUG_QUERIES, "Upstream responded with known blocking page (IPv6), ID %i:\n\t\"%s\" -> \"%s\"",
query->id, getstr(domain->domainpos), answer);
}
// Update status
return QUERY_EXTERNAL_BLOCKED_IP;
}
// If upstream replied with 0.0.0.0 or ::,
// we assume that it filtered the reply as
// nothing is reachable under these addresses
else if(flags & F_IPV4 && ipv4Addr == 0)
{
if(config.debug.queries.v.b)
{
log_debug(DEBUG_QUERIES, "Upstream responded with 0.0.0.0, ID %i:\n\t\"%s\" -> \"0.0.0.0\"",
query->id, getstr(domain->domainpos));
}
// Update status
return QUERY_EXTERNAL_BLOCKED_NULL;
}
else if(flags & F_IPV6 &&
addr->addr6.s6_addr32[0] == 0 &&
addr->addr6.s6_addr32[1] == 0 &&
addr->addr6.s6_addr32[2] == 0 &&
addr->addr6.s6_addr32[3] == 0)
{
if(config.debug.queries.v.b)
{
log_debug(DEBUG_QUERIES, "Upstream responded with ::, ID %i:\n\t\"%s\" -> \"::\"",
query->id, getstr(domain->domainpos));
}
// Update status
return QUERY_EXTERNAL_BLOCKED_NULL;
}
// Nothing happened here
return query->status;
}
static void query_blocked(queriesData* query, domainsData* domain, clientsData* client, const enum query_status new_status)
{
// Get response time
struct timeval response;
gettimeofday(&response, 0);
// Adjust counters if we recorded a non-blocking status
if(query->status == QUERY_FORWARDED)
{
// Get forward pointer
upstreamsData* upstream = getUpstream(query->upstreamID, true);
if(upstream != NULL)
upstream->count--;
}
else if(is_blocked(query->status))
{
// Already a blocked query, no need to change anything
return;
}
if(is_blocked(new_status))
{
// Count as blocked query
if(domain != NULL)
domain->blockedcount++;
if(client != NULL)
change_clientcount(client, 0, 1, -1, 0);
query->flags.blocked = true;
}
// Update status
query_set_status(query, new_status);
// Mark query for updating in the database
query->flags.database.changed = true;
}
static void FTL_dnssec(const char *arg, const union all_addr *addr, const int id, const char* file, const int line)
{
// Process DNSSEC result for a domain
// Lock shared memory
lock_shm();
// Search for corresponding query identified by ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was an unhandled query type
unlock_shm();
return;
}
// Get query pointer
queriesData* query = getQuery(queryID, true);
if(query == NULL)
{
// Memory error, skip this DNSSEC details
unlock_shm();
return;
}
// Debug logging
if(config.debug.queries.v.b)
{
// Get domain pointer
const domainsData* domain = getDomain(query->domainID, true);
if(domain != NULL)
log_debug(DEBUG_QUERIES, "**** DNSSEC %s is %s (ID %i, %s:%i)", getstr(domain->domainpos), arg, id, file, line);
if(addr && addr->log.ede != EDE_UNSET) // This function is only called if (flags & F_SECSTAT)
log_debug(DEBUG_QUERIES, " EDE: %s (%d)", edestr(addr->log.ede), addr->log.ede);
}
// Store EDE
if(addr && addr->log.ede != EDE_UNSET)
query->ede = addr->log.ede;
// Iterate through possible values
if(strcmp(arg, "SECURE") == 0)
query_set_dnssec(query, DNSSEC_SECURE);
else if(strcmp(arg, "INSECURE") == 0)
query_set_dnssec(query, DNSSEC_INSECURE);
else if(strcmp(arg, "BOGUS") == 0)
query_set_dnssec(query, DNSSEC_BOGUS);
else if(strcmp(arg, "ABANDONED") == 0)
query_set_dnssec(query, DNSSEC_ABANDONED);
else if(strcmp(arg, "TRUNCATED") == 0)
query_set_dnssec(query, DNSSEC_TRUNCATED);
else
log_warn("Unknown DNSSEC status \"%s\"", arg);
// Set reply to NONE (if not already set) as we will not reply to this
// query when the status is neither SECURE nor INSECURE
if (query->reply == REPLY_UNKNOWN &&
query->dnssec != DNSSEC_SECURE &&
query->dnssec != DNSSEC_INSECURE)
{
struct timeval response;
gettimeofday(&response, 0);
query_set_reply(0, REPLY_NONE, addr, query, response);
}
// Mark query for updating in the database
query->flags.database.changed = true;
// Unlock shared memory
unlock_shm();
}
static void FTL_upstream_error(const union all_addr *addr, const unsigned int flags, const int id, const char* file, const int line)
{
// Process local and upstream errors
// Queries with error are those where the RCODE
// in the DNS header is neither NOERROR nor NXDOMAIN.
// Return early if there is nothing we can analyze here (shouldn't happen)
if(!addr)
return;
// Record response time before queuing for the lock
struct timeval response;
gettimeofday(&response, 0);
// Lock shared memory
lock_shm();
// Search for corresponding query identified by ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was an unhandled query type
unlock_shm();
return;
}
// Get query pointer
queriesData* query = getQuery(queryID, true);
if(query == NULL)
{
// Memory error, skip this query
unlock_shm();
return;
}
// Update upstream server if necessary
update_upstream(query, id);
// Translate dnsmasq's rcode into something we can use
const char *rcodestr = NULL;
enum reply_type reply;
switch(addr->log.rcode)
{
case SERVFAIL:
rcodestr = "SERVFAIL";
reply = REPLY_SERVFAIL;
break;
case REFUSED:
rcodestr = "REFUSED";
reply = REPLY_REFUSED;
break;
case NOTIMP:
rcodestr = "NOT IMPLEMENTED";
reply = REPLY_NOTIMP;
break;
default:
rcodestr = "UNKNOWN";
reply = REPLY_OTHER;
break;
}
// Get EDNS data (if available)
ednsData *edns = getEDNS();
if(addr->log.ede != EDE_UNSET) // This function is only called if (flags & F_RCODE)
query->ede = addr->log.ede;
else if(edns != NULL && edns->ede != EDE_UNSET)
query->ede = edns->ede;
// Debug logging
if(config.debug.queries.v.b)
{
// Get domain pointer
const domainsData* domain = getDomain(query->domainID, true);
// Get domain name
const char *domainname;
if(domain != NULL)
domainname = getstr(domain->domainpos);
else
domainname = "<cannot access domain struct>";
if(flags & F_CONFIG)
{
// Log local error, typically "nowhere to forward to"
log_err("**** local error (nowhere to forward to): %s is %s (ID %i, %s:%i)",
domainname, rcodestr, id, file, line);
}
else if(last_server.sa.sa_family == 0)
{
// Log error reply from unknown source
log_debug(DEBUG_QUERIES, "**** got error reply: %s is %s (ID %i, %s:%i)",
domainname, rcodestr, id, file, line);
}
else
{
char ip[ADDRSTRLEN+1] = { 0 };
in_port_t port = 0;
mysockaddr_extract_ip_port(&last_server, ip, &port);
// Log server which replied to our request
log_debug(DEBUG_QUERIES, "**** got error reply from %s#%d: %s is %s (ID %i, %s:%i)",
ip, port, domainname, rcodestr, id, file, line);
}
if(query->reply == REPLY_OTHER)
log_debug(DEBUG_QUERIES, " Unknown rcode = %i", addr->log.rcode);
if(addr->log.ede != EDE_UNSET)
log_debug(DEBUG_QUERIES, " EDE: %s (1/%d)", edestr(addr->log.ede), addr->log.ede);
if(edns != NULL && edns->ede != EDE_UNSET)
log_debug(DEBUG_QUERIES, " EDE: %s (2/%d)", edestr(edns->ede), edns->ede);
}
// Set query reply
query_set_reply(0, reply, addr, query, response);
// Mark query for updating in the database
query->flags.database.changed = true;
// Reset last_server
memset(&last_server, 0, sizeof(last_server));
// Unlock shared memory
unlock_shm();
}
static void FTL_mark_externally_blocked(const int id, const char* file, const int line)
{
// Lock shared memory
lock_shm();
// Search for corresponding query identified by ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was an unhandled query type
unlock_shm();
return;
}
// Get query pointer
queriesData* query = getQuery(queryID, true);
if(query == NULL)
{
// Memory error, skip this query
unlock_shm();
return;
}
// Get domain pointer
domainsData *domain = getDomain(query->domainID, true);
if(domain == NULL)
{
// Memory error, skip this query
unlock_shm();
return;
}
// Possible debugging information
if(config.debug.queries.v.b)
{
// Get domain name (domain cannot be NULL here)
const char *domainname = getstr(domain->domainpos);
log_debug(DEBUG_QUERIES, "**** %s externally blocked (ID %i, FTL %i, %s:%i)", domainname, id, queryID, file, line);
}
// Get response time
struct timeval response;
gettimeofday(&response, 0);
// Store query as externally blocked
clientsData *client = getClient(query->clientID, true);
if(client != NULL)
query_blocked(query, domain, client, QUERY_EXTERNAL_BLOCKED_NXRA);
// Store reply type as replied with NXDOMAIN
query_set_reply(F_NEG | F_NXDOMAIN, 0, NULL, query, response);
// Mark query for updating in the database
query->flags.database.changed = true;
// Unlock shared memory
unlock_shm();
}
void _FTL_header_analysis(const unsigned char header4, const unsigned int rcode, const struct server *server,
const int id, const char* file, const int line)
{
// Analyze DNS header bits
// Check if RA bit is unset in DNS header and rcode is NXDOMAIN
// If the response code (rcode) is NXDOMAIN, we may be seeing a response from
// an externally blocked query. As they are not always accompany a necessary
// SOA record, they are not getting added to our cache and, therefore,
// FTL_reply() is never getting called from within the cache routines.
// Hence, we have to store the necessary information about the NXDOMAIN
// reply already here.
if(!(header4 & 0x80) && rcode == NXDOMAIN)
// RA bit is not set and rcode is NXDOMAIN
FTL_mark_externally_blocked(id, file, line);
// Check if AD bit is set in DNS header
adbit = header4 & HB4_AD;
// Store server which sent this reply
if(server)
{
memcpy(&last_server, &server->addr, sizeof(last_server));
if(config.debug.extra.v.b)
{
char ip[ADDRSTRLEN+1] = { 0 };
in_port_t port = 0;
mysockaddr_extract_ip_port(&last_server, ip, &port);
log_debug(DEBUG_EXTRA, "Got forward address: %s#%u (%s:%i)", ip, port, short_path(file), line);
}
}
else
{
memset(&last_server, 0, sizeof(last_server));
log_debug(DEBUG_EXTRA, "Got forward address: NO");
}
}
void print_flags(const unsigned int flags)
{
// Debug function, listing resolver flags in clear text
// e.g. "Flags: F_FORWARD F_NEG F_IPV6"
// Only print flags if corresponding debugging flag is set
if(!(config.debug.flags.v.b))
return;
char *flagstr = calloc(sizeof(flagnames) + 1, sizeof(char));
for (unsigned int i = 0; i < ArraySize(flagnames); i++)
if (flags & (1u << i))
strcat(flagstr, flagnames[i]);
log_debug(DEBUG_FLAGS, " Flags: %s", flagstr);
free(flagstr);
}
static void _query_set_reply(const unsigned int flags, const enum reply_type reply,
const union all_addr *addr,
queriesData *query, const struct timeval response,
const char *file, const int line)
{
enum reply_type new_reply = REPLY_UNKNOWN;
const double now = double_time();
// If reply is set, we use it directly instead of interpreting the flags
if(reply != 0)
{
new_reply = reply;
}
// else: Iterate through possible values by analyzing both the flags and the addr bits
else if(flags & F_NEG ||
(flags & F_NOERR && !(flags & (F_IPV4 | F_IPV6))) || // <-- FTL_make_answer() when no A or AAAA is added
force_next_DNS_reply == REPLY_NXDOMAIN ||
force_next_DNS_reply == REPLY_NODATA)
{
if(flags & F_NXDOMAIN || force_next_DNS_reply == REPLY_NXDOMAIN)
// NXDOMAIN
new_reply = REPLY_NXDOMAIN;
else
// NODATA(-IPv6)
new_reply = REPLY_NODATA;
}
else if(flags & F_CNAME)
// <CNAME>
new_reply = REPLY_CNAME;
else if(flags & F_REVERSE)
// reserve lookup
new_reply = REPLY_DOMAIN;
else if(flags & F_RRNAME)
// TXT query
new_reply = REPLY_RRNAME;
else if((flags & F_RCODE && addr != NULL) || force_next_DNS_reply == REPLY_REFUSED)
{
if((addr != NULL && addr->log.rcode == REFUSED)
|| force_next_DNS_reply == REPLY_REFUSED )
{
// REFUSED query
new_reply = REPLY_REFUSED;
}
else if(addr != NULL && addr->log.rcode == SERVFAIL)
{
// SERVFAIL query
new_reply = REPLY_SERVFAIL;
}
}
else if(flags & F_KEYTAG && flags & F_NOEXTRA)
{
// Since 451bd35ad62c1444b3ef1d204ab606c0098b2fd9, F_KEYTAG is
// overloaded to discriminate cache records between an arbitrary
// RR stored entirely in the addr union and one which has a
// point to block storage
new_reply = REPLY_DNSSEC;
}
else if(force_next_DNS_reply == REPLY_NONE)
{
new_reply = REPLY_NONE;
}
else if(flags & (F_IPV4 | F_IPV6))
{
// IP address
new_reply = REPLY_IP;
}
else
{
// Other binary, possibly proprietry, data
new_reply = REPLY_BLOB;
}
if(config.debug.queries.v.b)
{
const char *path = short_path(file);
log_debug(DEBUG_QUERIES, "Set reply to %s (%d) in %s:%d", get_query_reply_str(new_reply), new_reply, path, line);
if(query->reply != REPLY_UNKNOWN && query->reply != new_reply)
log_debug(DEBUG_QUERIES, "Reply of query %i was %s now changing to %s", query->id,
get_query_reply_str(query->reply), get_query_reply_str(new_reply));
}
// Subtract from old reply counter
counters->reply[query->reply]--;
log_debug(DEBUG_STATUS, "reply type %d removed (set_reply), ID = %d, new count = %d", query->reply, query->id, counters->reply[query->reply]);
// Add to new reply counter
counters->reply[new_reply]++;
// Store reply type
query->reply = new_reply;
log_debug(DEBUG_STATUS, "reply type %d added (set_reply), ID = %d, new count = %d", query->reply, query->id, counters->reply[query->reply]);
// Save response time
// Skipped internally if already computed
set_response_time(query, now);
}
static void init_pihole_PTR(void)
{
char *ptrname = NULL;
// Determine name that should be replied to with on Pi-hole PTRs
switch (config.dns.piholePTR.v.ptr_type)
{
default:
case PTR_NONE:
case PTR_PIHOLE:
ptrname = (char*)"pi.hole";
break;
case PTR_HOSTNAME:
ptrname = (char*)hostname();
break;
case PTR_HOSTNAMEFQDN:
{
char *suffix = daemon->domain_suffix;
// If local suffix is not available, we substitute "no_fqdn_available"
// see the comment about PIHOLE_PTR=HOSTNAMEFQDN in the Pi-hole docs
// for further details on why this was chosen
if(!suffix)
suffix = (char*)"no_fqdn_available";
ptrname = calloc(strlen(hostname()) + strlen(suffix) + 2, sizeof(char));
if(ptrname)
{
// Build "<hostname>.<local suffix>" domain
strcpy(ptrname, hostname());
strcat(ptrname, ".");
strcat(ptrname, suffix);
}
else
{
// Fallback to "<hostname>" on memory error
ptrname = (char*)hostname();
}
}
break;
}
// Obtain PTR record used for Pi-hole PTR injection (if enabled)
if(config.dns.piholePTR.v.ptr_type != PTR_NONE)
{
// Add PTR record for pi.hole, the address will be injected later
pihole_ptr = calloc(1, sizeof(struct ptr_record));
pihole_ptr->name = strdup("x.x.x.x.in-addr.arpa");
pihole_ptr->ptr = (char*)"";
pihole_ptr->next = NULL;
// Add our PTR record to the end of the linked list
if(daemon->ptr != NULL)
{
// Iterate to the last PTR entry in dnsmasq's structure
struct ptr_record *ptr;
for(ptr = daemon->ptr; ptr && ptr->next; ptr = ptr->next);
// Add our record after the last existing ptr-record
ptr->next = pihole_ptr;
}
else
{
// Ours is the only record for daemon->ptr
daemon->ptr = pihole_ptr;
}
}
}
void FTL_fork_and_bind_sockets(struct passwd *ent_pw, bool dnsmasq_start)
{
// Going into daemon mode involves storing the
// PID of the generated child process. If FTL
// is asked to stay in foreground, we just save
// the PID of the current process in the PID file
if(daemonmode)
go_daemon();
else
savepid();
// Initialize query database (pihole-FTL.db)
db_init();
// Initialize in-memory databases
if(!init_memory_database())
log_crit("Cannot initialize in-memory database.");
// Flush messages stored in the long-term database
flush_message_table();
// Try to import queries from long-term database if available
if(config.database.DBimport.v.b)
{
import_queries_from_disk();
DB_read_queries();
}
// Initialize in-memory database starting index
update_disk_db_idx();
// Log some information about the imported queries (if any)
log_counter_info();
// Handle real-time signals in this process (and its children)
// Helper processes are already split from the main instance
// so they will not listen to real-time signals
handle_realtime_signals();
// We will use the attributes object later to start all threads in
// detached mode
pthread_attr_t attr;
// Initialize thread attributes object with default attribute values
pthread_attr_init(&attr);
// Start database thread if database is used
if(pthread_create( &threads[DB], &attr, DB_thread, NULL ) != 0)
{
log_crit("Unable to create database thread. Exiting...");
exit(EXIT_FAILURE);
}
// Start thread that will stay in the background until garbage
// collection needs to be done
if(pthread_create( &threads[GC], &attr, GC_thread, NULL ) != 0)
{
log_crit("Unable to create GC thread. Exiting...");
exit(EXIT_FAILURE);
}
// Start thread that will stay in the background until host names needs to
// be resolved. If configuration does not ask for never resolving hostnames
// (e.g. on CI builds), the thread is never started)
if(dnsmasq_start &&
resolve_names() &&
pthread_create( &threads[DNSclient], &attr, DNSclient_thread, NULL ) != 0)
{
log_crit("Unable to create DNS client thread. Exiting...");
exit(EXIT_FAILURE);
}
// Start thread that checks various timers, e.g., for automatic changing
// blocking mode (enabled/disabled for a given amount of time)
if(pthread_create( &threads[TIMER], &attr, timer, NULL ) != 0)
{
log_crit("Unable to create timer thread. Exiting...");
exit(EXIT_FAILURE);
}
// Chown files if FTL started as user root but a dnsmasq config
// option states to run as a different user/group (e.g. "nobody")
if(getuid() == 0)
{
// Only print this and change ownership of shmem objects when
// we're actually dropping root (user/group my be set to root)
if(ent_pw != NULL && ent_pw->pw_uid != 0)
{
log_info("FTL is going to drop from root to user %s (UID %u)",
ent_pw->pw_name, ent_pw->pw_uid);
if(chown(config.files.log.ftl.v.s, ent_pw->pw_uid, ent_pw->pw_gid) == -1)
log_warn("Setting ownership (%u:%u) of %s failed: %s (%i)",
ent_pw->pw_uid, ent_pw->pw_gid, config.files.log.ftl.v.s, strerror(errno), errno);
if(chown(config.files.database.v.s, ent_pw->pw_uid, ent_pw->pw_gid) == -1)
log_warn("Setting ownership (%u:%u) of %s failed: %s (%i)",
ent_pw->pw_uid, ent_pw->pw_gid, config.files.database.v.s, strerror(errno), errno);
chown_all_shmem(ent_pw);
}
else
{
log_info("FTL is running as root");
}
}
else
{
uid_t uid;
struct passwd *current_user;
if ((current_user = getpwuid(uid = geteuid())) != NULL)
log_info("FTL is running as user %s (UID %d)",
current_user->pw_name, (int)current_user->pw_uid);
else
log_info("Failed to obtain information about FTL user");
}
// Initialize FTL HTTP server
http_init();
// Initialize Pi-hole PTR pointer
init_pihole_PTR();
}
static char *get_ptrname(struct in_addr *addr)
{
static char *ptrname = NULL;
// Determine name that should be replied to with on Pi-hole PTRs
switch (config.dns.piholePTR.v.ptr_type)
{
default:
case PTR_NONE:
case PTR_PIHOLE:
ptrname = (char*)"pi.hole";
break;
case PTR_HOSTNAME:
ptrname = (char*)hostname();
break;
case PTR_HOSTNAMEFQDN:
{
char *suffix;
size_t ptrnamesize = 0;
// get_domain() will also check conditional domains configured like
// domain=<domain>[,<address range>[,local]]
if(addr)
suffix = get_domain(*addr);
else
suffix = daemon->domain_suffix;
// If local suffix is not available, we try to obtain the domain from
// the kernel similar to how we do it for the hostname
if(!suffix)
suffix = (char*)domainname();
// If local suffix is not available, we substitute "no_fqdn_available"
// see the comment about PIHOLE_PTR=HOSTNAMEFQDN in the Pi-hole docs
// for further details on why this was chosen
if(!suffix || suffix[0] == '\0')
suffix = (char*)"no_fqdn_available";
// Get enough space for domain building
size_t needspace = strlen(hostname()) + strlen(suffix) + 2;
if(ptrnamesize < needspace)
{
ptrname = realloc(ptrname, needspace);
ptrnamesize = needspace;
}
if(ptrname)
{
// Build "<hostname>.<local suffix>" domain
strcpy(ptrname, hostname());
strcat(ptrname, ".");
strcat(ptrname, suffix);
}
else
{
// Fallback to "<hostname>" on memory error
ptrname = (char*)hostname();
}
break;
}
}
return ptrname;
}
void FTL_forwarding_retried(const struct server *serv, const int oldID, const int newID, const bool dnssec)
{
// Forwarding to upstream server failed
if(oldID == newID)
{
log_debug(DEBUG_QUERIES, "%d: Ignoring self-retry", oldID);
return;
}
// Lock shared memory
lock_shm();
// Try to obtain destination IP address if available
char dest[ADDRSTRLEN];
in_port_t upstreamPort = 53;
dest[0] = '\0';
if(serv != NULL)
{
if(serv->addr.sa.sa_family == AF_INET)
{
inet_ntop(AF_INET, &serv->addr.in.sin_addr, dest, ADDRSTRLEN);
upstreamPort = ntohs(serv->addr.in.sin_port);
}
else
{
inet_ntop(AF_INET6, &serv->addr.in6.sin6_addr, dest, ADDRSTRLEN);
upstreamPort = ntohs(serv->addr.in6.sin6_port);
}
}
// Convert upstream to lower case
char *upstreamIP = strdup(dest);
strtolower(upstreamIP);
// Get upstream ID
const int upstreamID = findUpstreamID(upstreamIP, upstreamPort);
// Possible debugging information
log_debug(DEBUG_QUERIES, "**** RETRIED%s query %i as %i to %s#%d",
dnssec ? " DNSSEC" : "", oldID, newID,
upstreamIP, upstreamPort);
// Get upstream pointer
upstreamsData* upstream = getUpstream(upstreamID, true);
// Update counter
if(upstream != NULL)
upstream->failed++;
// Search for corresponding query identified by ID
// Retried DNSSEC queries are ignored, we have to flag themselves (newID)
// Retried normal queries take over, we have to flag the original query (oldID)
const int queryID = findQueryID(dnssec ? newID : oldID);
if(queryID >= 0)
{
// Get query pointer
queriesData* query = getQuery(queryID, true);
// Set retried status
if(query != NULL)
{
if(dnssec)
{
// There is no point in retrying the query when
// we've already got an answer to this query,
// but we're awaiting keys for DNSSEC
// validation. We're retrying the DNSSEC query
// instead
query_set_status(query, QUERY_RETRIED_DNSSEC);
}
else
{
// Normal query retry due to answer not arriving
// soon enough at the requestor
query_set_status(query, QUERY_RETRIED);
}
// Mark query for updating in the database
query->flags.database.changed = true;
}
}
// Clean up and unlock shared memory
free(upstreamIP);
unlock_shm();
return;
}
unsigned int FTL_extract_question_flags(struct dns_header *header, const size_t qlen)
{
// Create working pointer
unsigned char *p = (unsigned char *)(header+1);
uint16_t qtype, qclass;
// Go through the questions
for (uint16_t i = ntohs(header->qdcount); i != 0; i--)
{
// Prime dnsmasq flags
int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
// Extract name from this question
char name[MAXDNAME];
if (!extract_name(header, qlen, &p, name, 1, 4))
break; // bad packet, go to fallback solution
// Extract query type
GETSHORT(qtype, p);
GETSHORT(qclass, p);
// Only further analyze IN questions here (not CHAOS, etc.)
if (qclass != C_IN)
continue;
// Very simple decision: If the question is AAAA, the reply
// should be IPv6. We use IPv4 in all other cases
if(qtype == T_AAAA)
flags |= F_IPV6;
else
flags |= F_IPV4;
// Debug logging if enabled
if(config.debug.queries.v.b)
{
char *qtype_str = querystr(NULL, qtype);
log_debug(DEBUG_QUERIES, "CNAME header: Question was <IN> %s %s", qtype_str, name);
}
return flags;
}
// Fall back to IPv4 (type A) when for the unlikely event that we cannot
// find any questions in this header
log_debug(DEBUG_QUERIES, "CNAME header: No valid IN question found in header");
return F_IPV4;
}
// Called when a (forked) TCP worker is terminated by receiving SIGALRM
// We close the dedicated database connection this client had opened
// to avoid dangling database locks
volatile atomic_flag worker_already_terminating = ATOMIC_FLAG_INIT;
void FTL_TCP_worker_terminating(bool finished)
{
if(dnsmasq_debug)
{
// Nothing to be done here, forking does not happen in debug mode
return;
}
if(atomic_flag_test_and_set(&worker_already_terminating))
{
log_debug(DEBUG_ANY, "TCP worker already terminating!");
return;
}
// Possible debug logging
if(config.debug.queries.v.b)
{
const char *reason = finished ? "client disconnected" : "timeout";
log_debug(DEBUG_ANY, "TCP worker terminating (%s)", reason);
}
if(main_pid() == getpid())
{
// If this is not really a fork (e.g. in debug mode), we don't
// actually close gravity here
return;
}
// First check if we already locked before. This can happen when a fork
// is running into a timeout while it is still processing something and
// still holding a lock.
if(!is_our_lock())
lock_shm();
// Close dedicated database connections of this fork
gravityDB_close();
unlock_shm();
}
// Called when a (forked) TCP worker is created
// FTL forked to handle TCP connections with dedicated (forked) workers
// SQLite3's mentions that carrying an open database connection across a
// fork() can lead to all kinds of locking problems as SQLite3 was not
// intended to work under such circumstances. Doing so may easily lead
// to ending up with a corrupted database.
void FTL_TCP_worker_created(const int confd)
{
if(dnsmasq_debug)
{
// Nothing to be done here, TCP worker forking does not happen
// in debug mode
return;
}
// Print this if debugging is enabled
if(config.debug.queries.v.b)
{
// Get peer IP address (client)
char peer_ip[ADDRSTRLEN] = { 0 };
union mysockaddr peer_sockaddr = {{ 0 }};
socklen_t peer_len = sizeof(union mysockaddr);
if (getpeername(confd, (struct sockaddr *)&peer_sockaddr, &peer_len) != -1)
{
union all_addr peer_addr = {{ 0 }};
if (peer_sockaddr.sa.sa_family == AF_INET6)
peer_addr.addr6 = peer_sockaddr.in6.sin6_addr;
else
peer_addr.addr4 = peer_sockaddr.in.sin_addr;
inet_ntop(peer_sockaddr.sa.sa_family, &peer_addr, peer_ip, ADDRSTRLEN);
}
// Get local IP address (interface)
char local_ip[ADDRSTRLEN] = { 0 };
union mysockaddr iface_sockaddr = {{ 0 }};
socklen_t iface_len = sizeof(union mysockaddr);
if(getsockname(confd, (struct sockaddr *)&iface_sockaddr, &iface_len) != -1)
{
union all_addr iface_addr = {{ 0 }};
if (iface_sockaddr.sa.sa_family == AF_INET6)
iface_addr.addr6 = iface_sockaddr.in6.sin6_addr;
else
iface_addr.addr4 = iface_sockaddr.in.sin_addr;
inet_ntop(iface_sockaddr.sa.sa_family, &iface_addr, local_ip, ADDRSTRLEN);
}
// Print log
log_debug(DEBUG_ANY, "TCP worker forked for client %s on interface %s with IP %s", peer_ip, next_iface.name, local_ip);
}
if(main_pid() == getpid())
{
// If this is not really a fork (e.g. in debug mode), we don't
// actually re-open gravity or close sockets here
return;
}
// Reopen gravity database handle in this fork as the main process's
// handle isn't valid here
log_debug(DEBUG_ANY, "Reopening Gravity database for this fork");
gravityDB_forked();
}
bool FTL_unlink_DHCP_lease(const char *ipaddr, const char **hint)
{
struct dhcp_lease *lease;
union all_addr addr;
const time_t now = dnsmasq_time();
if(!daemon->dhcp)
{
*hint = "DHCP is not enabled";
return false;
}
// Try to extract IP address
if (inet_pton(AF_INET, ipaddr, &addr.addr4) > 0)
{
lease = lease_find_by_addr(addr.addr4);
}
#ifdef HAVE_DHCP6
else if (inet_pton(AF_INET6, ipaddr, &addr.addr6) > 0)
{
lease = lease6_find_by_addr(&addr.addr6, 128, 0);
}
#endif
else
{
// Invalid IP address
*hint = "invalid target address (neither IPv4 nor IPv6)";
return false;
}
// If a lease exists for this IP address, we unlink it and immediately
// update the lease file to reflect the removal of this lease
if (lease)
{
// Unlink the lease for dnsmasq's database
lease_prune(lease, now);
// Update the lease file
lease_update_file(now);
// Argument force == 0 ensures the DNS records are only updated
// when unlinking the lease above actually changed something
// (variable lease.c:dns_dirty is used here)
lease_update_dns(0);
}
else
{
*hint = NULL;
return false;
}
// Return success
return true;
}
void FTL_query_in_progress(const int id)
{
// Query (possibly from new source), but the same query may be in
// progress from another source.
// Lock shared memory
lock_shm();
// Search for corresponding query identified by ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was an unhandled query type
unlock_shm();
return;
}
// Get query pointer
queriesData* query = getQuery(queryID, true);
if(query == NULL)
{
// Memory error, skip this DNSSEC details
unlock_shm();
return;
}
// Debug logging
if(config.debug.queries.v.b)
{
// Get domain pointer
const domainsData* domain = getDomain(query->domainID, true);
if(domain != NULL)
{
log_debug(DEBUG_QUERIES, "**** query for %s is already in progress (ID %i)", getstr(domain->domainpos), id);
}
}
// Store status
query_set_status(query, QUERY_IN_PROGRESS);
// Mark query for updating in the database
query->flags.database.changed = true;
// Unlock shared memory
unlock_shm();
}
void FTL_multiple_replies(const int id, int *firstID)
{
// We are in the loop that iterates over all aggregated queries for the same
// type + domain. Every query will receive the reply here so we need to
// update the original queries to set their status
// Don't process self-duplicates
if(*firstID == id)
return;
// Skip if the original query was not found in FTL's memory
if(*firstID == -2)
return;
// Lock shared memory
lock_shm();
// Search for corresponding query identified by ID
const int queryID = findQueryID(id);
if(queryID < 0)
{
// This may happen e.g. if the original query was an unhandled query type
unlock_shm();
*firstID = -2;
return;
}
if(*firstID == -1)
{
// This is not yet a duplicate, we just store the ID
// of the successful reply here so we can get it quicker
// during the next loop iterations
unlock_shm();
*firstID = queryID;
return;
}
// Get (read-only) pointer of the query that contains all relevant
// information (all others are mere duplicates and were only added to the
// list of duplicates rather than havong been forwarded on their own)
const queriesData* source_query = getQuery(*firstID, true);
// Get query pointer of duplicated reply
queriesData* duplicated_query = getQuery(queryID, true);
if(duplicated_query == NULL || source_query == NULL)
{
// Memory error, skip this duplicate
unlock_shm();
return;
}
// Debug logging
log_debug(DEBUG_QUERIES, "**** sending reply %d also to %d", *firstID, queryID);
// Copy relevant information over
counters->reply[duplicated_query->reply]--;
log_debug(DEBUG_STATUS, "duplicated_query reply type %d removed, ID = %d, new count = %d", duplicated_query->reply, duplicated_query->id, counters->reply[duplicated_query->reply]);
duplicated_query->reply = source_query->reply;
counters->reply[duplicated_query->reply]++;
log_debug(DEBUG_STATUS, "duplicated_query reply type %d set, ID = %d, new count = %d", duplicated_query->reply, duplicated_query->id, counters->reply[duplicated_query->reply]);
duplicated_query->dnssec = source_query->dnssec;
duplicated_query->flags.complete = true;
duplicated_query->CNAME_domainID = source_query->CNAME_domainID;
// The original query may have been blocked during CNAME inspection,
// correct status in this case
if(source_query->status != QUERY_FORWARDED)
query_set_status(duplicated_query, source_query->status);
// Mark query for updating in the database
duplicated_query->flags.database.changed = true;
// Unlock shared memory
unlock_shm();
}
const char *get_edestr(const int ede)
{
return edestr(ede);
}
static void _query_set_dnssec(queriesData *query, const enum dnssec_status dnssec, const char *file, const int line)
{
// Return early if DNSSEC validation is disabled
if(!option_bool(OPT_DNSSEC_VALID) && !option_bool(OPT_DNSSEC_PROXY))
return;
if(config.debug.dnssec.v.b)
{
const char *path = short_path(file);
const char *status = get_query_dnssec_str(dnssec);
log_debug(DEBUG_DNSSEC, "Setting DNSSEC status to %s in %s:%d", status, path, line);
}
// Set DNSSEC status
query->dnssec = dnssec;
}
// Add dnsmasq log line to internal FIFO buffer (can be queried via the API)
void FTL_dnsmasq_log(const char *payload, const int length)
{
// Lock SHM
lock_shm();
// Add to FIFO buffer
add_to_fifo_buffer(FIFO_DNSMASQ, payload, NULL, length);
// Unlock SHM
unlock_shm();
}
static const char *check_dnsmasq_name(const char *name)
{
// Special domain name handling
if(!name)
// 1. Substitute "(NULL)" if no name is available (should not happen)
return "(NULL)";
else if(!name[0])
// 2. Substitute "." if we are querying the root domain (e.g. DNSKEY)
return ".";
// else
return name;
}
void get_dnsmasq_metrics_obj(cJSON *json)
{
for (unsigned int i = 0; i < __METRIC_MAX; i++)
cJSON_AddNumberToObject(json, get_metric_name(i), daemon->metrics[i]);
}
void FTL_connection_error(const char *reason, const union mysockaddr *addr)
{
// Make a private copy of the error
const int errnum = errno;
const char *error = strerror(errnum);
// Set log priority
int priority = LOG_ERR;
// If this is a TCP connection error and errno == 0, this isn't a
// connection error but the remote side closed the connection
if(errnum == 0 && strstr(reason, "TCP(read_write)") != NULL)
{
error = "Connection prematurely closed by remote server";
priority = LOG_INFO;
}
// Format the address into a string (if available)
in_port_t port = 0;
char ip[ADDRSTRLEN + 1] = { 0 };
if(addr != NULL)
mysockaddr_extract_ip_port(addr, ip, &port);
// Log to FTL.log
const int id = daemon->log_display_id;
log_debug(DEBUG_QUERIES, "Connection error (%s#%u, ID %d): %s (%s)", ip, port, id, reason, error);
// Log to pihole.log
my_syslog(priority, "%s: %s", reason, error);
// Add to Pi-hole diagnostics but do not add messages more often than
// once every five seconds to avoid hammering the database with errors
// on continuously failing connections
static time_t last = 0;
if(time(NULL) - last > 5)
{
last = time(NULL);
char *server = NULL;
if(ip[0] != '\0')
{
const size_t len = strlen(ip) + 6;
server = calloc(len, sizeof(char));
if(server != NULL)
{
snprintf(server, len, "%s#%u", ip, port);
server[len - 1] = '\0';
}
}
log_connection_error(server, reason, error);
if(server != NULL)
free(server);
}
}
Reference in New Issue View Git Blame Copy Permalink