forked from zfl9/chinadns-ng
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dnsutils.c
203 lines (187 loc) · 8.38 KB
/
dnsutils.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
#define _GNU_SOURCE
#include "dnsutils.h"
#include "netutils.h"
#include "logutils.h"
#include "chinadns.h"
#include <string.h>
#include <netinet/in.h>
#undef _GNU_SOURCE
#define DNS_QR_QUERY 0
#define DNS_QR_REPLY 1
#define DNS_OPCODE_QUERY 0
#define DNS_RCODE_NOERROR 0
#define DNS_CLASS_INTERNET 1
#define DNS_RECORD_TYPE_A 1 /* ipv4 address */
#define DNS_RECORD_TYPE_AAAA 28 /* ipv6 address */
#define DNS_DNAME_LABEL_MAXLEN 63 /* domain-name label maxlen */
#define DNS_DNAME_COMPRESSION_MINVAL 192 /* domain-name compression minval */
/* check dns packet */
static bool dns_packet_check(const void *packet_buf, ssize_t packet_len, char *name_buf, bool is_query, const void **answer_ptr) {
/* check packet length */
if (packet_len < (ssize_t)sizeof(dns_header_t) + (ssize_t)sizeof(dns_query_t) + 1) {
LOGERR("[dns_packet_check] the dns packet is too small: %zd", packet_len);
return false;
}
if (packet_len > DNS_PACKET_MAXSIZE) {
LOGERR("[dns_packet_check] the dns packet is too large: %zd", packet_len);
return false;
}
/* check packet header */
const dns_header_t *header = packet_buf;
if (header->qr != (is_query ? DNS_QR_QUERY : DNS_QR_REPLY)) {
LOGERR("[dns_packet_check] this is a %s packet, but header->qr != %d", is_query ? "query" : "reply", is_query ? DNS_QR_QUERY : DNS_QR_REPLY);
return false;
}
if (header->opcode != DNS_OPCODE_QUERY) {
LOGERR("[dns_packet_check] this is not a standard query, opcode: %hhu", header->opcode);
return false;
}
if (ntohs(header->question_count) != 1) {
LOGERR("[dns_packet_check] there should be one and only one question section");
return false;
}
/* move ptr to question section */
packet_buf += sizeof(dns_header_t);
packet_len -= sizeof(dns_header_t);
/* search the queried domain name */
const void *dname_endptr = memchr(packet_buf, 0, (size_t)packet_len);
if (!dname_endptr) {
LOGERR("[dns_packet_check] did not find the domain name to be queried");
return false;
}
if (dname_endptr - packet_buf > DNS_DOMAIN_NAME_MAXLEN) {
LOGERR("[dns_packet_check] the length of the domain name is too long");
return false;
}
/* get and convert the domain name */
if (name_buf) {
if (dname_endptr == packet_buf) {
strcpy(name_buf, ".");
} else {
uint8_t label_len = *(uint8_t *)packet_buf;
if (label_len > DNS_DNAME_LABEL_MAXLEN || label_len + 1 > dname_endptr - packet_buf) {
LOGERR("[dns_packet_check] the length of the domain name label is too long");
return false;
}
strcpy(name_buf, packet_buf + 1); /* name_buf: "www\6google\3com\0" */
name_buf += label_len; /* move to '\6' pos */
label_len = *(uint8_t *)name_buf; /* label length is 6 */
size_t remain_len = strlen(name_buf); /* remaining length include '\6' */
while (label_len != 0) {
if (label_len > DNS_DNAME_LABEL_MAXLEN || label_len + 1 > (ssize_t)remain_len) {
LOGERR("[dns_packet_check] the length of the domain name label is too long");
return false;
}
*name_buf = '.'; /* change '\6' to '.' */
name_buf += label_len + 1; /* move to next '\len' pos */
remain_len -= label_len + 1; /* reduce the remaining len */
label_len = *(uint8_t *)name_buf; /* update current label len */
}
}
}
/* check query class */
packet_buf += dname_endptr - packet_buf + 1;
packet_len -= dname_endptr - packet_buf + 1;
if (packet_len < (ssize_t)sizeof(dns_query_t)) {
LOGERR("[dns_packet_check] the format of the dns packet is incorrect");
return false;
}
const dns_query_t *query_ptr = packet_buf;
if (ntohs(query_ptr->qclass) != DNS_CLASS_INTERNET) {
LOGERR("[dns_packet_check] only supports standard internet query class");
return false;
}
/* save answer section ptr (used for reply) */
if (answer_ptr) *answer_ptr = packet_buf + sizeof(dns_query_t);
return true;
}
/* check the ipaddr of the first A/AAAA record is in `chnroute` ipset */
static bool dns_ipset_check(const void *packet_ptr, const void *ans_ptr, ssize_t ans_len) {
const dns_header_t *header = packet_ptr;
/* count number of answers */
uint16_t answer_count = ntohs(header->answer_count);
/* check dns packet length */
if (ans_len < answer_count * ((ssize_t)sizeof(dns_record_t) + 1)) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
/* only filter A/AAAA reply */
uint16_t qtype = ntohs(((dns_query_t *)(ans_ptr - sizeof(dns_query_t)))->qtype);
if (qtype != DNS_RECORD_TYPE_A && qtype != DNS_RECORD_TYPE_AAAA) return true;
/* find the first A/AAAA record */
for (uint16_t i = 0; i < answer_count; ++i) {
while (true) {
uint8_t label_len = *(uint8_t *)ans_ptr;
if (label_len >= DNS_DNAME_COMPRESSION_MINVAL) {
ans_ptr += 2;
ans_len -= 2;
if (ans_len < (ssize_t)sizeof(dns_record_t)) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
break;
}
if (label_len > DNS_DNAME_LABEL_MAXLEN) {
LOGERR("[dns_ipset_check] the length of the domain name label is too long");
return false;
}
if (label_len == 0) {
++ans_ptr;
--ans_len;
if (ans_len < (ssize_t)sizeof(dns_record_t)) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
break;
}
ans_ptr += label_len + 1;
ans_len -= label_len + 1;
if (ans_len < (ssize_t)sizeof(dns_record_t) + 1) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
}
const dns_record_t *record = ans_ptr;
if (ntohs(record->rclass) != DNS_CLASS_INTERNET) {
LOGERR("[dns_ipset_check] only supports standard internet query class");
return false;
}
uint16_t rdatalen = ntohs(record->rdatalen);
if (ans_len < (ssize_t)sizeof(dns_record_t) + rdatalen) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
switch (ntohs(record->rtype)) {
case DNS_RECORD_TYPE_A:
if (rdatalen != IPV4_BINADDR_LEN) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
return ipset_addr_is_exists(record->rdataptr, true); /* in chnroute? */
case DNS_RECORD_TYPE_AAAA:
if (rdatalen != IPV6_BINADDR_LEN) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
return ipset_addr_is_exists(record->rdataptr, false); /* in chnroute6? */
default:
ans_ptr += sizeof(dns_record_t) + rdatalen;
ans_len -= sizeof(dns_record_t) + rdatalen;
if (i != answer_count - 1 && ans_len < (ssize_t)sizeof(dns_record_t) + 1) {
LOGERR("[dns_ipset_check] the format of the dns packet is incorrect");
return false;
}
}
}
return g_noip_as_chnip; /* not found A/AAAA record */
}
/* check dns query, `name_buf` used to get domain name, return true if valid */
bool dns_query_check(const void *packet_buf, ssize_t packet_len, char *name_buf) {
return dns_packet_check(packet_buf, packet_len, name_buf, true, NULL);
}
/* check dns reply, `name_buf` used to get domain name, return true if accept */
bool dns_reply_check(const void *packet_buf, ssize_t packet_len, char *name_buf, bool chk_ipset) {
const void *answer_ptr = NULL;
if (!dns_packet_check(packet_buf, packet_len, name_buf, false, &answer_ptr)) return false;
return chk_ipset ? dns_ipset_check(packet_buf, answer_ptr, packet_len - (answer_ptr - packet_buf)) : true;
}