1 /*
2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3  *
4  * This Source Code Form is subject to the terms of the Mozilla Public
5  * License, v. 2.0. If a copy of the MPL was not distributed with this
6  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
7  *
8  * See the COPYRIGHT file distributed with this work for additional
9  * information regarding copyright ownership.
10  */
11 
12 #ifndef DNS_RPZ_H
13 #define DNS_RPZ_H 1
14 
15 #include <inttypes.h>
16 #include <stdbool.h>
17 
18 #include <isc/deprecated.h>
19 #include <isc/event.h>
20 #include <isc/ht.h>
21 #include <isc/lang.h>
22 #include <isc/refcount.h>
23 #include <isc/rwlock.h>
24 #include <isc/time.h>
25 #include <isc/timer.h>
26 
27 #include <dns/fixedname.h>
28 #include <dns/rdata.h>
29 #include <dns/types.h>
30 
31 ISC_LANG_BEGINDECLS
32 
/*
 * Every reserved RPZ label starts with this prefix so that it cannot
 * collide with ordinary trigger names.
 */
#define DNS_RPZ_PREFIX "rpz-"
/*
 * Sub-zones of various trigger types.  Prepended to the policy zone's
 * origin, these give the owner names under which each trigger type is
 * kept (see the client_ip/ip/nsdname/nsip members of struct dns_rpz_zone).
 */
#define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX "client-ip"
#define DNS_RPZ_IP_ZONE	       DNS_RPZ_PREFIX "ip"
#define DNS_RPZ_NSIP_ZONE      DNS_RPZ_PREFIX "nsip"
#define DNS_RPZ_NSDNAME_ZONE   DNS_RPZ_PREFIX "nsdname"
/*
 * Special policies.  Used as the target of a policy CNAME record to
 * select the corresponding DNS_RPZ_POLICY_* action (see the passthru/
 * drop/tcp_only members of struct dns_rpz_zone and dns_rpz_decode_cname()).
 */
#define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX "passthru"
#define DNS_RPZ_DROP_NAME     DNS_RPZ_PREFIX "drop"
#define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX "tcp-only"
47 
/*
 * Length, in bits, of the address prefix matched by an IP trigger
 * (see the 'prefix' member of dns_rpz_st_t and dns_rpz_find_ip()).
 */
typedef uint8_t dns_rpz_prefix_t;

/*
 * Trigger types.  DNS_RPZ_TYPE_BAD is presumably the "no/invalid type"
 * value.  NOTE(review): the policy-selection code appears to compare
 * these values to rank competing triggers, so the declaration order may
 * be significant -- confirm before reordering.
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,
	DNS_RPZ_TYPE_CLIENT_IP, /* DNS_RPZ_CLIENT_IP_ZONE triggers */
	DNS_RPZ_TYPE_QNAME,	/* triggers on the queried name itself */
	DNS_RPZ_TYPE_IP,	/* DNS_RPZ_IP_ZONE triggers */
	DNS_RPZ_TYPE_NSDNAME,	/* DNS_RPZ_NSDNAME_ZONE triggers */
	DNS_RPZ_TYPE_NSIP	/* DNS_RPZ_NSIP_ZONE triggers */
} dns_rpz_type_t;
58 
/*
 * Policy actions.  The numeric order is significant: require
 * DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP < DNS_RPZ_POLICY_TCP_ONLY
 * < DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME
 * to choose among competing policies.
 *
 * The values from DNS_RPZ_POLICY_DNS64 onward are not assigned explicit
 * numbers and are presumably internal results of policy decoding rather
 * than configurable actions -- confirm in rpz.c before relying on their
 * relative order.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,    /* 'given': what policy record says */
	DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */
	DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */
	DNS_RPZ_POLICY_DROP = 3,     /* 'drop': do not respond */
	DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */
	DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 6,   /* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 7,    /* 'cname x': answer with x's rrsets */
	DNS_RPZ_POLICY_DNS64,	     /* Apply DNS64 to the A rewrite */
	DNS_RPZ_POLICY_RECORD,	     /* presumably: answer from the policy
				      * record's own data */
	DNS_RPZ_POLICY_WILDCNAME,    /* presumably: CNAME with a wildcard
				      * target */
	DNS_RPZ_POLICY_MISS,	     /* presumably: no trigger matched */
	DNS_RPZ_POLICY_ERROR	     /* presumably: policy could not be
				      * decoded */
} dns_rpz_policy_t;
79 
/*
 * Ordinal of a policy zone within a view: 0 .. DNS_RPZ_MAX_ZONES-1 for
 * real zones, DNS_RPZ_INVALID_NUM otherwise.
 */
typedef uint8_t dns_rpz_num_t;

#define DNS_RPZ_MAX_ZONES 64
/*
 * Type dns_rpz_zbits_t must be an unsigned int wide enough to contain
 * at least DNS_RPZ_MAX_ZONES bits.  Bit 'n' stands for the policy zone
 * with ordinal 'n'.
 */
typedef uint64_t dns_rpz_zbits_t;

/* Every policy zone bit set. */
#define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1)

/* Sentinel ordinal, one past the last valid zone number. */
#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES

/*
 * Bit for policy zone 'n'.  The shift count is narrowed to dns_rpz_num_t,
 * so 'n' must be a valid ordinal (< DNS_RPZ_MAX_ZONES): shifting the
 * 64-bit type by DNS_RPZ_MAX_ZONES or more -- including by
 * DNS_RPZ_INVALID_NUM -- is undefined behaviour, not a zero mask.
 * Callers must check for DNS_RPZ_INVALID_NUM before using this macro.
 */
#define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n))
94 
/*
 * Mask of policy zone 'n' together with every zone numbered below it:
 * arithmetically bits 0 .. n inclusive, i.e. (1 << (n+1)) - 1, and all
 * bits once n >= DNS_RPZ_MAX_ZONES-1 (0ULL - 1 wraps to all ones).  The
 * conditional exists to avoid the undefined shift (1<<64) that the direct
 * formula would need for the last zone, and the hassles with (1<<33) or
 * (1<<65) on narrower types.
 *
 * NOTE(review): the original comment described this as "the specified
 * and higher numbered" zones; since lower ordinals are the bits set here,
 * "higher" presumably refers to priority -- confirm against the callers.
 * 'n' is evaluated twice, so pass an expression without side effects.
 */
#define DNS_RPZ_ZMASK(n)                                     \
	((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES - 1)   \
				    ? 0                      \
				    : (1ULL << ((n) + 1))) - \
			   1))
104 
/*
 * The trigger counter type.  Counts are unsigned and sized like an
 * object count, so size_t is used.
 */
typedef size_t dns_rpz_trigger_counter_t;
109 
/*
 * The number of triggers of each type in a response policy zone.
 * Address-based trigger types are counted separately per address family.
 */
typedef struct dns_rpz_triggers dns_rpz_triggers_t;
struct dns_rpz_triggers {
	dns_rpz_trigger_counter_t client_ipv4; /* client-ip, IPv4 */
	dns_rpz_trigger_counter_t client_ipv6; /* client-ip, IPv6 */
	dns_rpz_trigger_counter_t qname;       /* qname triggers */
	dns_rpz_trigger_counter_t ipv4;	       /* ip, IPv4 */
	dns_rpz_trigger_counter_t ipv6;	       /* ip, IPv6 */
	dns_rpz_trigger_counter_t nsdname;     /* nsdname triggers */
	dns_rpz_trigger_counter_t nsipv4;      /* nsip, IPv4 */
	dns_rpz_trigger_counter_t nsipv6;      /* nsip, IPv6 */
};
124 
/*
 * A single response policy zone.  The dns_name_t members are the
 * pre-built owner names for the special sub-zones and policy targets so
 * they do not have to be recomputed on every lookup.
 */
typedef struct dns_rpz_zone  dns_rpz_zone_t;
typedef struct dns_rpz_zones dns_rpz_zones_t;

struct dns_rpz_zone {
	isc_refcount_t	 refs;	    /* reference count */
	dns_rpz_num_t	 num;	    /* ordinal in list of policy zones */
	dns_name_t	 origin;    /* Policy zone name */
	dns_name_t	 client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */
	dns_name_t	 ip;	    /* DNS_RPZ_IP_ZONE.origin. */
	dns_name_t	 nsdname;   /* DNS_RPZ_NSDNAME_ZONE.origin */
	dns_name_t	 nsip;	    /* DNS_RPZ_NSIP_ZONE.origin. */
	dns_name_t	 passthru;  /* DNS_RPZ_PASSTHRU_NAME. */
	dns_name_t	 drop;	    /* DNS_RPZ_DROP_NAME. */
	dns_name_t	 tcp_only;  /* DNS_RPZ_TCP_ONLY_NAME. */
	dns_name_t	 cname;	    /* override value for ..._CNAME */
	dns_ttl_t	 max_policy_ttl; /* presumably the cap applied to the
					  * TTL of rewritten answers; default
					  * DNS_RPZ_MAX_TTL_DEFAULT */
	dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */

	/*
	 * Update machinery.  The zone's contents are re-read into
	 * newnodes/updb and then swapped into nodes/db; see the update*
	 * members and dns_rpz_dbupdate_callback().
	 */
	uint32_t min_update_interval;	 /* minimal interval between
					  * updates (seconds, presumably;
					  * see DNS_RPZ_MINUPDATEINTERVAL_DEFAULT) */
	isc_ht_t *	 nodes;		 /* entries in zone */
	dns_rpz_zones_t *rpzs;		 /* owner */
	isc_time_t	 lastupdated;	 /* last time the zone was processed
					  * */
	bool updatepending;		 /* there is an update
					  * pending/waiting */
	bool		 updaterunning;	 /* there is an update running */
	dns_db_t *	 db;		 /* zones database */
	dns_dbversion_t *dbversion;	 /* version we will be updating to */
	dns_db_t *	 updb;		 /* zones database we're working on */
	dns_dbversion_t *updbversion;	 /* version we're currently working
					  * on */
	dns_dbiterator_t *updbit;	 /* iterator to use when updating */
	isc_ht_t *	  newnodes;	 /* entries in zone being updated */
	bool		  db_registered; /* is the notify event
					  * registered? */
	bool	     addsoa;		 /* add soa to the additional section */
	isc_timer_t *updatetimer;	 /* presumably defers an update until
					  * min_update_interval has elapsed */
	isc_event_t  updateevent;	 /* event posted to run the update;
					  * embedded, so the zone must outlive
					  * its delivery */
};
168 
/*
 * Radix tree node for response policy IP addresses.  The structure is
 * opaque to users of this header; it is defined in the implementation.
 */
typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;
173 
/*
 * Bitfields indicating which policy zones have policies of
 * which type.  Each member is a dns_rpz_zbits_t with one bit per zone
 * ordinal.  The address-family-neutral members (client_ip, ip, nsip)
 * are presumably the union of the corresponding v4 and v6 bits -- confirm.
 */
typedef struct dns_rpz_have dns_rpz_have_t;
struct dns_rpz_have {
	dns_rpz_zbits_t client_ipv4;
	dns_rpz_zbits_t client_ipv6;
	dns_rpz_zbits_t client_ip;
	dns_rpz_zbits_t qname;
	dns_rpz_zbits_t ipv4;
	dns_rpz_zbits_t ipv6;
	dns_rpz_zbits_t ip;
	dns_rpz_zbits_t nsdname;
	dns_rpz_zbits_t nsipv4;
	dns_rpz_zbits_t nsipv6;
	dns_rpz_zbits_t nsip;
	dns_rpz_zbits_t qname_skip_recurse; /* zones whose qname triggers may
					     * be applied before recursion --
					     * presumably; confirm */
};
193 
/*
 * Policy options.  The dns_rpz_zbits_t members are per-zone settings
 * (one bit per zone ordinal); the remaining members apply to the whole
 * view.  NOTE(review): the mapping to named.conf response-policy options
 * below is inferred from the member names -- confirm against the config
 * parser.
 */
typedef struct dns_rpz_popt dns_rpz_popt_t;
struct dns_rpz_popt {
	dns_rpz_zbits_t no_rd_ok;	/* zones applied even to queries
					 * without RD (not recursive-only) */
	dns_rpz_zbits_t no_log;		/* zones whose rewrites are not
					 * logged */
	dns_rpz_zbits_t nsip_on;	/* zones with NSIP triggers enabled */
	dns_rpz_zbits_t nsdname_on;	/* zones with NSDNAME triggers
					 * enabled */
	bool		dnsrps_enabled;	/* use the external DNSRPS
					 * (librpz) engine */
	bool		break_dnssec;	/* rewrite even DNSSEC-validated
					 * answers */
	bool		qname_wait_recurse;   /* wait for recursion before
					       * applying qname triggers */
	bool		nsip_wait_recurse;    /* likewise for NSIP triggers */
	bool		nsdname_wait_recurse; /* likewise for NSDNAME
					       * triggers */
	unsigned int	min_ns_labels;	/* minimum label count of an NS name
					 * before NS triggers are checked */
	dns_rpz_num_t	num_zones;	/* number of configured zones
					 * (<= DNS_RPZ_MAX_ZONES) */
};
211 
/*
 * Response policy zones known to a view.  This object owns the summary
 * data (cidr and rbt trees) that is searched on every query, so both its
 * locking rules (search_lock/maint_lock) and its reference counting must
 * be respected by callers.
 */
struct dns_rpz_zones {
	dns_rpz_popt_t	   p;	/* options shared by all zones in the view */
	dns_rpz_zone_t *   zones[DNS_RPZ_MAX_ZONES];    /* indexed by
							 * dns_rpz_num_t */
	dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES]; /* per-zone trigger
							 * counts, same
							 * index */

	/*
	 * RPZ policy version number.
	 * It is initially 0 and it increases whenever the server is
	 * reconfigured with new zones or policy.
	 */
	int rpz_ver;

	dns_rpz_zbits_t defined; /* presumably the zones that are
				  * configured; confirm */

	/*
	 * The set of records for a policy zone are in one of these states:
	 *	never loaded		    load_begun=0  have=0
	 *	during initial loading	    load_begun=1  have=0
	 *				and rbtdb->rpzsp == rbtdb->load_rpzsp
	 *	after good load		    load_begun=1  have!=0
	 *	after failed initial load   load_begun=1  have=0
	 *				and rbtdb->load_rpzsp == NULL
	 *	reloading after failure	    load_begun=1  have=0
	 *	reloading after success
	 *		main rpzs	    load_begun=1  have!=0
	 *		load rpzs	    load_begun=1  have=0
	 */
	dns_rpz_zbits_t load_begun;
	dns_rpz_have_t	have;

	/*
	 * total_triggers maintains the total number of triggers in all
	 * policy zones in the view. It is only used to print summary
	 * statistics after a zone load of how the trigger counts
	 * changed.
	 */
	dns_rpz_triggers_t total_triggers;

	isc_mem_t *	mctx;	  /* memory context for all allocations */
	isc_taskmgr_t * taskmgr;
	isc_timermgr_t *timermgr; /* used for the zones' updatetimer */
	isc_task_t *	updater;  /* task on which zone updates run --
				   * presumably; see dns_rpz_zone.updateevent */
	isc_refcount_t	refs;	  /* external references
				   * (dns_rpz_attach_rpzs/detach) */
	isc_refcount_t	irefs;	  /* internal references -- presumably held
				   * by the member zones; confirm */
	/*
	 * One lock for short term read-only search that guarantees the
	 * consistency of the pointers.
	 * A second lock for maintenance that guarantees no other thread
	 * is adding or deleting nodes.
	 */
	isc_rwlock_t search_lock;
	isc_mutex_t  maint_lock;

	dns_rpz_cidr_node_t *cidr; /* radix tree of IP triggers */
	dns_rbt_t *	     rbt;  /* tree of name triggers -- presumably */

	/*
	 * DNSRPZ librpz configuration string and handle on librpz connection
	 */
	char *		      rps_cstr;
	size_t		      rps_cstr_size;
	struct librpz_client *rps_client;
};
278 
/*
 * context for finding the best policy.  One of these is carried by a
 * query while RPZ processing, possibly including recursion, is under way.
 */
typedef struct {
	unsigned int state; /* bitmask of the DNS_RPZ_* flags below */
#define DNS_RPZ_REWRITTEN      0x0001 /* the response has been rewritten */
#define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */
#define DNS_RPZ_DONE_QNAME     0x0004 /* qname checked */
#define DNS_RPZ_DONE_QNAME_IP  0x0008 /* IP addresses of qname checked */
#define DNS_RPZ_DONE_NSDNAME   0x0010 /* NS name missed; checking addresses */
#define DNS_RPZ_DONE_IPv4      0x0020 /* presumably: IPv4 addresses
				       * already checked; confirm */
#define DNS_RPZ_RECURSING      0x0040 /* presumably: recursing for NSIP/
				       * NSDNAME data (see 'q' below) */
#define DNS_RPZ_ACTIVE	       0x0080 /* presumably: RPZ processing is in
				       * progress for this query */
	/*
	 * Best match so far.
	 */
	struct {
		dns_rpz_type_t	 type;	  /* trigger type that matched */
		dns_rpz_zone_t * rpz;	  /* zone holding the match */
		dns_rpz_prefix_t prefix;  /* prefix length for IP matches */
		dns_rpz_policy_t policy;  /* action to apply */
		dns_ttl_t	 ttl;
		isc_result_t	 result;
		dns_zone_t *	 zone;
		dns_db_t *	 db;
		dns_dbversion_t *version;
		dns_dbnode_t *	 node;
		dns_rdataset_t * rdataset; /* policy record data */
	} m;
	/*
	 * State for chasing IP addresses and NS names including recursion.
	 */
	struct {
		unsigned int	label;	     /* presumably: label position
					      * within the NS name being
					      * examined; confirm */
		dns_db_t *	db;
		dns_rdataset_t *ns_rdataset; /* NS rrset being walked */
		dns_rdatatype_t r_type;	     /* type being fetched */
		isc_result_t	r_result;
		dns_rdataset_t *r_rdataset;
	} r;

	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 * Saved so the original answer can be restored once the RPZ
	 * recursion finishes.
	 */
	struct {
		isc_result_t	result;
		bool		is_zone;
		bool		authoritative;
		dns_zone_t *	zone;
		dns_db_t *	db;
		dns_dbnode_t *	node;
		dns_rdataset_t *rdataset;
		dns_rdataset_t *sigrdataset;
		dns_rdatatype_t qtype;
	} q;

	/*
	 * A copy of the 'have' and 'p' structures and the RPZ
	 * policy version as of the beginning of RPZ processing,
	 * used to avoid problems when policy is updated while
	 * RPZ recursion is ongoing.
	 */
	dns_rpz_have_t have;
	dns_rpz_popt_t popt;
	int	       rpz_ver;

	/*
	 * Shim db between BIND and DNRPS librpz.
	 */
	dns_db_t *rpsdb;

	/*
	 * p_name: current policy owner name
	 * r_name: recursing for this name to possible policy triggers
	 * fname:  saved found name from before recursion
	 * The pointers refer into the _..._namef fixed-name storage that
	 * follows, so the structure must not be copied by value while they
	 * are set.
	 */
	dns_name_t *	p_name;
	dns_name_t *	r_name;
	dns_name_t *	fname;
	dns_fixedname_t _p_namef;
	dns_fixedname_t _r_namef;
	dns_fixedname_t _fnamef;
} dns_rpz_st_t;
362 
/*
 * Defaults, in seconds.  DNS_RPZ_MAX_TTL_DEFAULT presumably initialises
 * dns_rpz_zone.max_policy_ttl and DNS_RPZ_MINUPDATEINTERVAL_DEFAULT
 * dns_rpz_zone.min_update_interval -- confirm in the config code.
 */
#define DNS_RPZ_TTL_DEFAULT		  5
#define DNS_RPZ_MAX_TTL_DEFAULT		  DNS_RPZ_TTL_DEFAULT
#define DNS_RPZ_MINUPDATEINTERVAL_DEFAULT 60

/*
 * So various response policy zone messages can be turned up or down.
 * DNS_RPZ_DEBUG_QUIET is above every real level, so a message logged at
 * it is never emitted.
 */
#define DNS_RPZ_ERROR_LEVEL  ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL   ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
#define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3)
#define DNS_RPZ_DEBUG_QUIET  (DNS_RPZ_DEBUG_LEVEL3 + 1)
376 
/*
 * Return a printable name for a trigger type.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy name as used in configuration into a dns_rpz_policy_t.
 * NOTE(review): the value returned for an unrecognised string is not
 * stated here (presumably DNS_RPZ_POLICY_ERROR); callers must check it
 * rather than assume a valid action.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Return a printable name for a policy.
 */
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);

/*
 * Decode the policy expressed by the CNAME policy record in 'rdataset'
 * belonging to 'rpz', e.g. the special targets DNS_RPZ_PASSTHRU_NAME,
 * DNS_RPZ_DROP_NAME and DNS_RPZ_TCP_ONLY_NAME.  'selfname' is presumably
 * the record's owner name, used for self-referential targets -- confirm
 * in rpz.c.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
		     dns_name_t *selfname);

/*
 * Create the set of response policy zones for a view in '*rpzsp'.
 * 'rps_cstr'/'rps_cstr_size' are the DNSRPS librpz configuration string
 * that ends up in dns_rpz_zones.rps_cstr.  NOTE(review): whether ownership
 * of 'rps_cstr' transfers to the new object is not stated here -- confirm
 * before the caller frees it.
 */
isc_result_t
dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, char *rps_cstr, size_t rps_cstr_size,
		  isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
		  isc_timermgr_t *timermgr);

/*
 * Allocate the next policy zone in 'rpzs' and return it in '*rpzp'.
 * Presumably fails once DNS_RPZ_MAX_ZONES zones exist -- confirm.
 */
isc_result_t
dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp);

/*
 * Database update callback.  'fn_arg' is presumably the dns_rpz_zone_t
 * whose database 'db' changed (see dns_rpz_zone.db_registered).
 */
isc_result_t
dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg);

/*
 * Reference counting on a set of policy zones, following the usual ISC
 * attach/detach convention: attach stores 'source' in '*target' (which
 * must be NULL on entry) and adds a reference; detach drops one and
 * clears '*rpzsp'.
 */
void
dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);

void
dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);

/*
 * Deprecated (ISC_DEPRECATED); retained for source compatibility only.
 * They presumably drive the load_begun/have state machine described in
 * struct dns_rpz_zones.  New code should use the dns_rpz_dbupdate_callback
 * based update path.
 */
isc_result_t
dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, dns_rpz_zones_t *rpzs,
		  dns_rpz_num_t rpz_num) ISC_DEPRECATED;

isc_result_t
dns_rpz_ready(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp,
	      dns_rpz_num_t rpz_num) ISC_DEPRECATED;

/*
 * Add or remove the trigger 'name' of policy zone 'rpz_num' in the
 * summary data of 'rpzs' (presumably the cidr/rbt trees).  'rpz_num'
 * must be a valid ordinal, since it is used to build zone bit masks.
 */
isc_result_t
dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
	    const dns_name_t *name);

void
dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
	       const dns_name_t *name);

/*
 * Search the zones selected by 'zbits' for an IP trigger of type
 * 'rpz_type' matching 'netaddr'.  Returns the ordinal of the matching
 * zone; presumably DNS_RPZ_INVALID_NUM when nothing matches, in which case
 * the result must not be fed to DNS_RPZ_ZBIT().  On a hit, 'ip_name' and
 * '*prefixp' presumably receive the trigger's owner name and the matched
 * prefix length -- confirm in rpz.c.
 */
dns_rpz_num_t
dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp);

/*
 * Search the zones selected by 'zbits' for a name trigger of type
 * 'rpz_type' matching 'trig_name'.  The return value is a subset of
 * 'zbits' -- presumably the zones that have such a trigger; confirm.
 */
dns_rpz_zbits_t
dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
		  dns_rpz_zbits_t zbits, dns_name_t *trig_name);
431 
432 ISC_LANG_ENDDECLS
433 
434 #endif /* DNS_RPZ_H */