1 /* 2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 7 * 8 * See the COPYRIGHT file distributed with this work for additional 9 * information regarding copyright ownership. 10 */ 11 12 #ifndef DNS_RPZ_H 13 #define DNS_RPZ_H 1 14 15 #include <inttypes.h> 16 #include <stdbool.h> 17 18 #include <isc/deprecated.h> 19 #include <isc/event.h> 20 #include <isc/ht.h> 21 #include <isc/lang.h> 22 #include <isc/refcount.h> 23 #include <isc/rwlock.h> 24 #include <isc/time.h> 25 #include <isc/timer.h> 26 27 #include <dns/fixedname.h> 28 #include <dns/rdata.h> 29 #include <dns/types.h> 30 31 ISC_LANG_BEGINDECLS 32 33 #define DNS_RPZ_PREFIX "rpz-" 34 /* 35 * Sub-zones of various trigger types. 36 */ 37 #define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX "client-ip" 38 #define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX "ip" 39 #define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX "nsip" 40 #define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX "nsdname" 41 /* 42 * Special policies. 43 */ 44 #define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX "passthru" 45 #define DNS_RPZ_DROP_NAME DNS_RPZ_PREFIX "drop" 46 #define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX "tcp-only" 47 48 typedef uint8_t dns_rpz_prefix_t; 49 50 typedef enum { 51 DNS_RPZ_TYPE_BAD, 52 DNS_RPZ_TYPE_CLIENT_IP, 53 DNS_RPZ_TYPE_QNAME, 54 DNS_RPZ_TYPE_IP, 55 DNS_RPZ_TYPE_NSDNAME, 56 DNS_RPZ_TYPE_NSIP 57 } dns_rpz_type_t; 58 59 /* 60 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP 61 * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA 62 * < DNS_RPZ_POLICY_CNAME to choose among competing policies. 63 */ 64 typedef enum { 65 DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */ 66 DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */ 67 DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */ 68 DNS_RPZ_POLICY_DROP = 3, /* 'drop': do not respond */ 69 DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */ 70 DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */ 71 DNS_RPZ_POLICY_NODATA = 6, /* 'nodata': answer with ANCOUNT=0 */ 72 DNS_RPZ_POLICY_CNAME = 7, /* 'cname x': answer with x's rrsets */ 73 DNS_RPZ_POLICY_DNS64, /* Apply DN64 to the A rewrite */ 74 DNS_RPZ_POLICY_RECORD, 75 DNS_RPZ_POLICY_WILDCNAME, 76 DNS_RPZ_POLICY_MISS, 77 DNS_RPZ_POLICY_ERROR 78 } dns_rpz_policy_t; 79 80 typedef uint8_t dns_rpz_num_t; 81 82 #define DNS_RPZ_MAX_ZONES 64 83 /* 84 * Type dns_rpz_zbits_t must be an unsigned int wide enough to contain 85 * at least DNS_RPZ_MAX_ZONES bits. 86 */ 87 typedef uint64_t dns_rpz_zbits_t; 88 89 #define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1) 90 91 #define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES 92 93 #define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n)) 94 95 /* 96 * Mask of the specified and higher numbered policy zones 97 * Avoid hassles with (1<<33) or (1<<65) 98 */ 99 #define DNS_RPZ_ZMASK(n) \ 100 ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES - 1) \ 101 ? 0 \ 102 : (1ULL << ((n) + 1))) - \ 103 1)) 104 105 /* 106 * The trigger counter type. 107 */ 108 typedef size_t dns_rpz_trigger_counter_t; 109 110 /* 111 * The number of triggers of each type in a response policy zone. 112 */ 113 typedef struct dns_rpz_triggers dns_rpz_triggers_t; 114 struct dns_rpz_triggers { 115 dns_rpz_trigger_counter_t client_ipv4; 116 dns_rpz_trigger_counter_t client_ipv6; 117 dns_rpz_trigger_counter_t qname; 118 dns_rpz_trigger_counter_t ipv4; 119 dns_rpz_trigger_counter_t ipv6; 120 dns_rpz_trigger_counter_t nsdname; 121 dns_rpz_trigger_counter_t nsipv4; 122 dns_rpz_trigger_counter_t nsipv6; 123 }; 124 125 /* 126 * A single response policy zone. 127 */ 128 typedef struct dns_rpz_zone dns_rpz_zone_t; 129 typedef struct dns_rpz_zones dns_rpz_zones_t; 130 131 struct dns_rpz_zone { 132 isc_refcount_t refs; 133 dns_rpz_num_t num; /* ordinal in list of policy zones */ 134 dns_name_t origin; /* Policy zone name */ 135 dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */ 136 dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */ 137 dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ 138 dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */ 139 dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */ 140 dns_name_t drop; /* DNS_RPZ_DROP_NAME. */ 141 dns_name_t tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */ 142 dns_name_t cname; /* override value for ..._CNAME */ 143 dns_ttl_t max_policy_ttl; 144 dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ 145 146 uint32_t min_update_interval; /* minimal interval between 147 * updates */ 148 isc_ht_t * nodes; /* entries in zone */ 149 dns_rpz_zones_t *rpzs; /* owner */ 150 isc_time_t lastupdated; /* last time the zone was processed 151 * */ 152 bool updatepending; /* there is an update 153 * pending/waiting */ 154 bool updaterunning; /* there is an update running */ 155 dns_db_t * db; /* zones database */ 156 dns_dbversion_t *dbversion; /* version we will be updating to */ 157 dns_db_t * updb; /* zones database we're working on */ 158 dns_dbversion_t *updbversion; /* version we're currently working 159 * on */ 160 dns_dbiterator_t *updbit; /* iterator to use when updating */ 161 isc_ht_t * newnodes; /* entries in zone being updated */ 162 bool db_registered; /* is the notify event 163 * registered? */ 164 bool addsoa; /* add soa to the additional section */ 165 isc_timer_t *updatetimer; 166 isc_event_t updateevent; 167 }; 168 169 /* 170 * Radix tree node for response policy IP addresses 171 */ 172 typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; 173 174 /* 175 * Bitfields indicating which policy zones have policies of 176 * which type. 177 */ 178 typedef struct dns_rpz_have dns_rpz_have_t; 179 struct dns_rpz_have { 180 dns_rpz_zbits_t client_ipv4; 181 dns_rpz_zbits_t client_ipv6; 182 dns_rpz_zbits_t client_ip; 183 dns_rpz_zbits_t qname; 184 dns_rpz_zbits_t ipv4; 185 dns_rpz_zbits_t ipv6; 186 dns_rpz_zbits_t ip; 187 dns_rpz_zbits_t nsdname; 188 dns_rpz_zbits_t nsipv4; 189 dns_rpz_zbits_t nsipv6; 190 dns_rpz_zbits_t nsip; 191 dns_rpz_zbits_t qname_skip_recurse; 192 }; 193 194 /* 195 * Policy options 196 */ 197 typedef struct dns_rpz_popt dns_rpz_popt_t; 198 struct dns_rpz_popt { 199 dns_rpz_zbits_t no_rd_ok; 200 dns_rpz_zbits_t no_log; 201 dns_rpz_zbits_t nsip_on; 202 dns_rpz_zbits_t nsdname_on; 203 bool dnsrps_enabled; 204 bool break_dnssec; 205 bool qname_wait_recurse; 206 bool nsip_wait_recurse; 207 bool nsdname_wait_recurse; 208 unsigned int min_ns_labels; 209 dns_rpz_num_t num_zones; 210 }; 211 212 /* 213 * Response policy zones known to a view. 214 */ 215 struct dns_rpz_zones { 216 dns_rpz_popt_t p; 217 dns_rpz_zone_t * zones[DNS_RPZ_MAX_ZONES]; 218 dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES]; 219 220 /* 221 * RPZ policy version number. 222 * It is initially 0 and it increases whenever the server is 223 * reconfigured with new zones or policy. 224 */ 225 int rpz_ver; 226 227 dns_rpz_zbits_t defined; 228 229 /* 230 * The set of records for a policy zone are in one of these states: 231 * never loaded load_begun=0 have=0 232 * during initial loading load_begun=1 have=0 233 * and rbtdb->rpzsp == rbtdb->load_rpzsp 234 * after good load load_begun=1 have!=0 235 * after failed initial load load_begun=1 have=0 236 * and rbtdb->load_rpzsp == NULL 237 * reloading after failure load_begun=1 have=0 238 * reloading after success 239 * main rpzs load_begun=1 have!=0 240 * load rpzs load_begun=1 have=0 241 */ 242 dns_rpz_zbits_t load_begun; 243 dns_rpz_have_t have; 244 245 /* 246 * total_triggers maintains the total number of triggers in all 247 * policy zones in the view. It is only used to print summary 248 * statistics after a zone load of how the trigger counts 249 * changed. 250 */ 251 dns_rpz_triggers_t total_triggers; 252 253 isc_mem_t * mctx; 254 isc_taskmgr_t * taskmgr; 255 isc_timermgr_t *timermgr; 256 isc_task_t * updater; 257 isc_refcount_t refs; 258 isc_refcount_t irefs; 259 /* 260 * One lock for short term read-only search that guarantees the 261 * consistency of the pointers. 262 * A second lock for maintenance that guarantees no other thread 263 * is adding or deleting nodes. 264 */ 265 isc_rwlock_t search_lock; 266 isc_mutex_t maint_lock; 267 268 dns_rpz_cidr_node_t *cidr; 269 dns_rbt_t * rbt; 270 271 /* 272 * DNSRPZ librpz configuration string and handle on librpz connection 273 */ 274 char * rps_cstr; 275 size_t rps_cstr_size; 276 struct librpz_client *rps_client; 277 }; 278 279 /* 280 * context for finding the best policy 281 */ 282 typedef struct { 283 unsigned int state; 284 #define DNS_RPZ_REWRITTEN 0x0001 285 #define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */ 286 #define DNS_RPZ_DONE_QNAME 0x0004 /* qname checked */ 287 #define DNS_RPZ_DONE_QNAME_IP 0x0008 /* IP addresses of qname checked */ 288 #define DNS_RPZ_DONE_NSDNAME 0x0010 /* NS name missed; checking addresses */ 289 #define DNS_RPZ_DONE_IPv4 0x0020 290 #define DNS_RPZ_RECURSING 0x0040 291 #define DNS_RPZ_ACTIVE 0x0080 292 /* 293 * Best match so far. 294 */ 295 struct { 296 dns_rpz_type_t type; 297 dns_rpz_zone_t * rpz; 298 dns_rpz_prefix_t prefix; 299 dns_rpz_policy_t policy; 300 dns_ttl_t ttl; 301 isc_result_t result; 302 dns_zone_t * zone; 303 dns_db_t * db; 304 dns_dbversion_t *version; 305 dns_dbnode_t * node; 306 dns_rdataset_t * rdataset; 307 } m; 308 /* 309 * State for chasing IP addresses and NS names including recursion. 310 */ 311 struct { 312 unsigned int label; 313 dns_db_t * db; 314 dns_rdataset_t *ns_rdataset; 315 dns_rdatatype_t r_type; 316 isc_result_t r_result; 317 dns_rdataset_t *r_rdataset; 318 } r; 319 320 /* 321 * State of real query while recursing for NSIP or NSDNAME. 322 */ 323 struct { 324 isc_result_t result; 325 bool is_zone; 326 bool authoritative; 327 dns_zone_t * zone; 328 dns_db_t * db; 329 dns_dbnode_t * node; 330 dns_rdataset_t *rdataset; 331 dns_rdataset_t *sigrdataset; 332 dns_rdatatype_t qtype; 333 } q; 334 335 /* 336 * A copy of the 'have' and 'p' structures and the RPZ 337 * policy version as of the beginning of RPZ processing, 338 * used to avoid problems when policy is updated while 339 * RPZ recursion is ongoing. 340 */ 341 dns_rpz_have_t have; 342 dns_rpz_popt_t popt; 343 int rpz_ver; 344 345 /* 346 * Shim db between BIND and DNRPS librpz. 347 */ 348 dns_db_t *rpsdb; 349 350 /* 351 * p_name: current policy owner name 352 * r_name: recursing for this name to possible policy triggers 353 * f_name: saved found name from before recursion 354 */ 355 dns_name_t * p_name; 356 dns_name_t * r_name; 357 dns_name_t * fname; 358 dns_fixedname_t _p_namef; 359 dns_fixedname_t _r_namef; 360 dns_fixedname_t _fnamef; 361 } dns_rpz_st_t; 362 363 #define DNS_RPZ_TTL_DEFAULT 5 364 #define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT 365 #define DNS_RPZ_MINUPDATEINTERVAL_DEFAULT 60 366 367 /* 368 * So various response policy zone messages can be turned up or down. 369 */ 370 #define DNS_RPZ_ERROR_LEVEL ISC_LOG_WARNING 371 #define DNS_RPZ_INFO_LEVEL ISC_LOG_INFO 372 #define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1) 373 #define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2) 374 #define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3) 375 #define DNS_RPZ_DEBUG_QUIET (DNS_RPZ_DEBUG_LEVEL3 + 1) 376 377 const char * 378 dns_rpz_type2str(dns_rpz_type_t type); 379 380 dns_rpz_policy_t 381 dns_rpz_str2policy(const char *str); 382 383 const char * 384 dns_rpz_policy2str(dns_rpz_policy_t policy); 385 386 dns_rpz_policy_t 387 dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, 388 dns_name_t *selfname); 389 390 isc_result_t 391 dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, char *rps_cstr, size_t rps_cstr_size, 392 isc_mem_t *mctx, isc_taskmgr_t *taskmgr, 393 isc_timermgr_t *timermgr); 394 395 isc_result_t 396 dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp); 397 398 isc_result_t 399 dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg); 400 401 void 402 dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target); 403 404 void 405 dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp); 406 407 isc_result_t 408 dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, dns_rpz_zones_t *rpzs, 409 dns_rpz_num_t rpz_num) ISC_DEPRECATED; 410 411 isc_result_t 412 dns_rpz_ready(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp, 413 dns_rpz_num_t rpz_num) ISC_DEPRECATED; 414 415 isc_result_t 416 dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, 417 const dns_name_t *name); 418 419 void 420 dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, 421 const dns_name_t *name); 422 423 dns_rpz_num_t 424 dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, 425 dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, 426 dns_name_t *ip_name, dns_rpz_prefix_t *prefixp); 427 428 dns_rpz_zbits_t 429 dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, 430 dns_rpz_zbits_t zbits, dns_name_t *trig_name); 431 432 ISC_LANG_ENDDECLS 433 434 #endif /* DNS_RPZ_H */ 435