1 /*	$NetBSD: rpz.h,v 1.8 2015/07/08 17:28:59 christos Exp $	*/
2 
3 /*
4  * Copyright (C) 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16  * PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 /* Id */
20 
21 
22 #ifndef DNS_RPZ_H
23 #define DNS_RPZ_H 1
24 
25 #include <isc/lang.h>
26 #include <isc/refcount.h>
27 #include <isc/rwlock.h>
28 
29 #include <dns/fixedname.h>
30 #include <dns/rdata.h>
31 #include <dns/types.h>
32 
33 ISC_LANG_BEGINDECLS
34 
/*
 * Owner-name prefix shared by every special RPZ name declared below.
 */
#define DNS_RPZ_PREFIX		"rpz-"
/*
 * Sub-zones of various trigger types.  Each string is concatenated with
 * DNS_RPZ_PREFIX by the preprocessor ("rpz-client-ip", "rpz-ip", ...);
 * the corresponding dns_name_t fields live in dns_rpz_zone_t.
 * NOTE(review): DNS_RPZ_TYPE_QNAME has no sub-zone here, so a qname
 * trigger is presumably the plain owner name under the policy zone
 * origin -- confirm against the lookup code.
 */
#define DNS_RPZ_CLIENT_IP_ZONE	DNS_RPZ_PREFIX"client-ip"
#define DNS_RPZ_IP_ZONE		DNS_RPZ_PREFIX"ip"
#define DNS_RPZ_NSIP_ZONE	DNS_RPZ_PREFIX"nsip"
#define DNS_RPZ_NSDNAME_ZONE	DNS_RPZ_PREFIX"nsdname"
/*
 * Special policies, named after the matching members of dns_rpz_policy_t
 * (DNS_RPZ_POLICY_PASSTHRU, _DROP and _TCP_ONLY).
 */
#define DNS_RPZ_PASSTHRU_NAME	DNS_RPZ_PREFIX"passthru"
#define DNS_RPZ_DROP_NAME	DNS_RPZ_PREFIX"drop"
#define DNS_RPZ_TCP_ONLY_NAME	DNS_RPZ_PREFIX"tcp-only"
49 
50 
/*
 * Prefix length of an address trigger (stored in dns_rpz_st_t.m.prefix and
 * returned through the prefixp argument of dns_rpz_find_ip()).
 * NOTE(review): presumably a CIDR length, which is why 8 bits suffice --
 * confirm against the radix-tree code.
 */
typedef isc_uint8_t		dns_rpz_prefix_t;
52 
/*
 * Trigger types.  DNS_RPZ_TYPE_BAD is 0 so a zero-initialised value is
 * never mistaken for a real trigger; the other members correspond to the
 * DNS_RPZ_*_ZONE sub-zone names above (QNAME has none).  Converted to text
 * by dns_rpz_type2str().
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,
	DNS_RPZ_TYPE_CLIENT_IP,
	DNS_RPZ_TYPE_QNAME,
	DNS_RPZ_TYPE_IP,
	DNS_RPZ_TYPE_NSDNAME,
	DNS_RPZ_TYPE_NSIP
} dns_rpz_type_t;
61 
/*
 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP
 * < DNS_RPZ_POLICY_TCP_ONLY < DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA
 * < DNS_RPZ_POLICY_CNAME to choose among competing policies.
 *
 * The numeric order is therefore part of the contract: do not reorder or
 * renumber the members without revisiting every comparison that picks the
 * "best" policy.  The first eight values are pinned explicitly; the
 * remaining members continue from 8.  DNS_RPZ_POLICY_DISABLED only logs,
 * so it is the value to use when auditing a policy before enforcing it.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
	DNS_RPZ_POLICY_DISABLED = 1,	/* log what would have happened */
	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
	DNS_RPZ_POLICY_DROP = 3,	/* 'drop': do not respond */
	DNS_RPZ_POLICY_TCP_ONLY = 4,	/* 'tcp-only': answer UDP with TC=1 */
	DNS_RPZ_POLICY_NXDOMAIN = 5,	/* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 6,	/* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 7,	/* 'cname x': answer with x's rrsets */
	DNS_RPZ_POLICY_RECORD,		/* 8: answer with the policy record itself */
	DNS_RPZ_POLICY_WILDCNAME,	/* 9 */
	DNS_RPZ_POLICY_MISS,		/* 10: no policy matched */
	DNS_RPZ_POLICY_ERROR		/* 11: error sentinel (see dns_rpz_str2policy) */
} dns_rpz_policy_t;
81 
/*
 * Ordinal of a policy zone within a view (0 .. DNS_RPZ_MAX_ZONES-1), or
 * DNS_RPZ_INVALID_NUM.
 */
typedef isc_uint8_t	    dns_rpz_num_t;

/*
 * Upper bound on policy zones per view.  dns_rpz_zbits_t holds one bit per
 * zone, so the bound also selects the width of that bit mask: 32 bits by
 * default, 64 bits if the limit is raised above 32, and a compile error
 * beyond 64 because the masks must fit in a single word.
 */
#define DNS_RPZ_MAX_ZONES   32
#if DNS_RPZ_MAX_ZONES > 32
# if DNS_RPZ_MAX_ZONES > 64
#  error "rpz zone bit masks must fit in a word"
# endif
typedef isc_uint64_t	    dns_rpz_zbits_t;
#else
typedef isc_uint32_t	    dns_rpz_zbits_t;
#endif

/* Every zone bit set (all ones). */
#define DNS_RPZ_ALL_ZBITS   ((dns_rpz_zbits_t)-1)

/*
 * Out-of-range sentinel for dns_rpz_num_t.  It is one past the last valid
 * ordinal, so it must never be used as an index into the zones[] and
 * triggers[] arrays of dns_rpz_zones_t, nor passed to DNS_RPZ_ZBIT()
 * (a shift by the full word width is undefined behaviour).
 */
#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES

/*
 * Bit for policy zone n.  The 1 is widened to dns_rpz_zbits_t before the
 * shift so the result is correct for the 64-bit mask configuration; the
 * caller must still guarantee n < DNS_RPZ_MAX_ZONES.
 */
#define DNS_RPZ_ZBIT(n)	    (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n))
99 
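/*
 * Mask with bits 0 through n set: policy zone n together with every
 * lower-numbered zone (the previous comment said "higher numbered"; the
 * arithmetic sets the low bits).  For n >= DNS_RPZ_MAX_ZONES-1 every bit
 * is set, answered without a shift so (1<<33) or (1<<65) never arise.
 *
 * The shifted constant is widened to dns_rpz_zbits_t first: shifting a
 * plain int left by 31 (n == 30) is undefined behaviour, and once
 * DNS_RPZ_MAX_ZONES exceeds 32 so is any shift of 32 or more.  The whole
 * expression stays unsigned, so the "all bits" case wraps from 0 instead
 * of relying on the conversion of a negative int.
 */
#define DNS_RPZ_ZMASK(n)    ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES-1) ? \
				(dns_rpz_zbits_t)0 : \
				(((dns_rpz_zbits_t)1) << ((n)+1))) - 1))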
106 
/*
 * The trigger counter type used by dns_rpz_triggers_t.  size_t, so a
 * count can never exceed the number of records that could be stored.
 */
typedef size_t dns_rpz_trigger_counter_t;
111 
/*
 * The number of triggers of each type in a response policy zone.
 * Address triggers are counted separately for IPv4 and IPv6.  One instance
 * is kept per zone (dns_rpz_zones_t.triggers[]) and one for the whole view
 * (dns_rpz_zones_t.total_triggers), the latter for summary statistics only.
 */
typedef struct dns_rpz_triggers dns_rpz_triggers_t;
struct dns_rpz_triggers {
	dns_rpz_trigger_counter_t	client_ipv4;
	dns_rpz_trigger_counter_t	client_ipv6;
	dns_rpz_trigger_counter_t	qname;
	dns_rpz_trigger_counter_t	ipv4;
	dns_rpz_trigger_counter_t	ipv6;
	dns_rpz_trigger_counter_t	nsdname;
	dns_rpz_trigger_counter_t	nsipv4;
	dns_rpz_trigger_counter_t	nsipv6;
};
126 
/*
 * A single response policy zone.
 *
 * Reference counted via 'refs'.  The sub-zone and special-policy names are
 * precomputed from 'origin' so that lookups need not concatenate them per
 * query.  'policy' and 'cname' let the configuration override what the
 * policy records themselves say: DNS_RPZ_POLICY_GIVEN means "use the
 * record", anything else is applied to the whole zone.
 * NOTE(review): max_policy_ttl is presumably the cap applied to the TTL of
 * rewritten answers (see DNS_RPZ_MAX_TTL_DEFAULT) -- confirm in the
 * response-building code.
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;
struct dns_rpz_zone {
	isc_refcount_t	refs;
	dns_rpz_num_t	num;		/* ordinal in list of policy zones */
	dns_name_t	origin;		/* Policy zone name */
	dns_name_t	client_ip;	/* DNS_RPZ_CLIENT_IP_ZONE.origin. */
	dns_name_t	ip;		/* DNS_RPZ_IP_ZONE.origin. */
	dns_name_t	nsdname;	/* DNS_RPZ_NSDNAME_ZONE.origin */
	dns_name_t	nsip;		/* DNS_RPZ_NSIP_ZONE.origin. */
	dns_name_t	passthru;	/* DNS_RPZ_PASSTHRU_NAME. */
	dns_name_t	drop;		/* DNS_RPZ_DROP_NAME. */
	dns_name_t	tcp_only;	/* DNS_RPZ_TCP_ONLY_NAME. */
	dns_name_t	cname;		/* override value for ..._CNAME */
	dns_ttl_t	max_policy_ttl;	/* TTL ceiling for this zone's policies */
	dns_rpz_policy_t policy;	/* DNS_RPZ_POLICY_GIVEN or override */
};
146 
/*
 * Radix tree node for response policy IP addresses.  Opaque here: only
 * the typedef is exported, the struct itself is defined by the
 * implementation, so callers hold it through dns_rpz_zones_t.cidr only.
 */
typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;
151 
/*
 * Bitfields indicating which policy zones have policies of
 * which type.  Bit n (DNS_RPZ_ZBIT(n)) stands for policy zone n.
 * Address triggers are tracked per family plus a combined field
 * (ip = ipv4 | ipv6 and so on, presumably -- confirm where they are set).
 * A copy is snapshotted into dns_rpz_st_t.have at the start of RPZ
 * processing so a reconfiguration mid-query cannot change the answer.
 */
typedef struct dns_rpz_have dns_rpz_have_t;
struct dns_rpz_have {
	dns_rpz_zbits_t	    client_ipv4;
	dns_rpz_zbits_t	    client_ipv6;
	dns_rpz_zbits_t	    client_ip;
	dns_rpz_zbits_t	    qname;
	dns_rpz_zbits_t	    ipv4;
	dns_rpz_zbits_t	    ipv6;
	dns_rpz_zbits_t	    ip;
	dns_rpz_zbits_t	    nsdname;
	dns_rpz_zbits_t	    nsipv4;
	dns_rpz_zbits_t	    nsipv6;
	dns_rpz_zbits_t	    nsip;
	dns_rpz_zbits_t	    qname_skip_recurse;	/* zones for which a qname
						 * miss need not wait for
						 * recursion; see
						 * dns_rpz_popt.qname_wait_recurse */
};
171 
/*
 * Policy options for a view.  Snapshotted into dns_rpz_st_t.popt at the
 * start of RPZ processing (see the comment there).
 * NOTE(review): break_dnssec is the security-sensitive knob -- presumably
 * it allows policy rewriting even for answers the client could DNSSEC
 * validate, which turns a validation failure into the visible symptom of
 * a hit; confirm the exact semantics in the resolver before documenting
 * them for operators.
 */
typedef struct dns_rpz_popt dns_rpz_popt_t;
struct dns_rpz_popt {
	dns_rpz_zbits_t	    no_rd_ok;		/* zones applied when RD is clear
						 * (per the name; confirm) */
	isc_boolean_t	    break_dnssec;
	isc_boolean_t	    qname_wait_recurse;
	unsigned int	    min_ns_labels;	/* NSDNAME/NSIP depth threshold
						 * (per the name; confirm) */
	dns_rpz_num_t	    num_zones;		/* zones in use, <= DNS_RPZ_MAX_ZONES */
};
183 
/*
 * Response policy zones known to a view.
 *
 * Indexed by dns_rpz_num_t: zones[n] and triggers[n] describe policy zone n
 * and bit n of 'defined', 'load_begun' and the 'have' fields refers to it.
 * Reference counted via 'refs' (dns_rpz_attach_rpzs/dns_rpz_detach_rpzs)
 * and allocated from 'mctx' (dns_rpz_new_zones).
 */
typedef struct dns_rpz_zones dns_rpz_zones_t;
struct dns_rpz_zones {
	dns_rpz_popt_t		p;
	dns_rpz_zone_t		*zones[DNS_RPZ_MAX_ZONES];
	dns_rpz_triggers_t	triggers[DNS_RPZ_MAX_ZONES];

	/*
	 * RPZ policy version number (initially 0, increases whenever
	 * the server is reconfigured with new zones or policy).
	 * Compared against the copy in dns_rpz_st_t.rpz_ver to detect a
	 * reconfiguration that happened while a query was in flight.
	 */
	int			rpz_ver;

	dns_rpz_zbits_t		defined;	/* zones[n] != NULL, per bit */

	/*
	 * The set of records for a policy zone are in one of these states:
	 *	never loaded		    load_begun=0  have=0
	 *	during initial loading	    load_begun=1  have=0
	 *				and rbtdb->rpzsp == rbtdb->load_rpzsp
	 *	after good load		    load_begun=1  have!=0
	 *	after failed initial load   load_begun=1  have=0
	 *				and rbtdb->load_rpzsp == NULL
	 *	reloading after failure	    load_begun=1  have=0
	 *	reloading after success
	 *		main rpzs	    load_begun=1  have!=0
	 *		load rpzs	    load_begun=1  have=0
	 * (The "load rpzs" is the separate dns_rpz_zones_t handed out by
	 * dns_rpz_beginload() and folded back in by dns_rpz_ready().)
	 */
	dns_rpz_zbits_t		load_begun;
	dns_rpz_have_t		have;

	/*
	 * total_triggers maintains the total number of triggers in all
	 * policy zones in the view. It is only used to print summary
	 * statistics after a zone load of how the trigger counts
	 * changed.
	 */
	dns_rpz_triggers_t	total_triggers;

	isc_mem_t		*mctx;
	isc_refcount_t		refs;
	/*
	 * One lock for short term read-only search that guarantees the
	 * consistency of the pointers.
	 * A second lock for maintenance that guarantees no other thread
	 * is adding or deleting nodes.
	 * NOTE(review): the header does not state the lock order; a writer
	 * that needs both presumably takes maint_lock first -- confirm
	 * before adding any new path that acquires both.
	 */
	isc_rwlock_t		search_lock;
	isc_mutex_t		maint_lock;

	dns_rpz_cidr_node_t	*cidr;		/* address triggers (radix tree) */
	dns_rbt_t		*rbt;		/* name triggers */
};
239 
240 
/*
 * Context for finding the best policy for one query.  Owned by the
 * query, not by dns_rpz_zones_t; it carries its own snapshot of the
 * view's policy configuration (see 'have', 'popt' and 'rpz_ver' below).
 */
typedef struct {
	unsigned int		state;		/* bit set of the flags below */
# define DNS_RPZ_REWRITTEN	0x0001		/* answer already rewritten */
# define DNS_RPZ_DONE_CLIENT_IP	0x0002	/* client IP address checked */
# define DNS_RPZ_DONE_QNAME	0x0004	/* qname checked */
# define DNS_RPZ_DONE_QNAME_IP	0x0008	/* IP addresses of qname checked */
# define DNS_RPZ_DONE_NSDNAME	0x0010	/* NS name missed; checking addresses */
# define DNS_RPZ_DONE_IPv4	0x0020		/* IPv4 pass finished (v6 may remain) */
# define DNS_RPZ_RECURSING	0x0040		/* recursion in progress for 'r' */
# define DNS_RPZ_ACTIVE		0x0080		/* RPZ processing is in progress */
	/*
	 * Best match so far.  The db/version/node/rdataset pointers are
	 * references into the policy zone's database; whoever sets them is
	 * presumably responsible for detaching them when a better match
	 * replaces them or the query ends -- confirm in the implementation.
	 */
	struct {
		dns_rpz_type_t		type;
		dns_rpz_zone_t		*rpz;
		dns_rpz_prefix_t	prefix;
		dns_rpz_policy_t	policy;
		dns_ttl_t		ttl;
		isc_result_t		result;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbversion_t		*version;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
	} m;
	/*
	 * State for chasing IP addresses and NS names including recursion.
	 */
	struct {
		unsigned int		label;		/* NS-name label position */
		dns_db_t		*db;
		dns_rdataset_t		*ns_rdataset;
		dns_rdatatype_t		r_type;		/* type being recursed for */
		isc_result_t		r_result;
		dns_rdataset_t		*r_rdataset;
	} r;

	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 * Saved so the original answer (including sigrdataset) can be
	 * restored if no policy ends up applying.
	 */
	struct {
		isc_result_t		result;
		isc_boolean_t		is_zone;
		isc_boolean_t		authoritative;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
		dns_rdataset_t		*sigrdataset;
		dns_rdatatype_t		qtype;
	} q;

	/*
	 * A copy of the 'have' and 'p' structures and the RPZ
	 * policy version as of the beginning of RPZ processing,
	 * used to avoid problems when policy is updated while
	 * RPZ recursion is ongoing.
	 */
	dns_rpz_have_t		have;
	dns_rpz_popt_t		popt;
	int			rpz_ver;

	/*
	 * p_name: current policy owner name
	 * r_name: recursing for this name to possible policy triggers
	 * fname:  saved found name from before recursion
	 * Each pointer addresses the fixed-size storage that follows it
	 * (_p_namef, _r_namef, _fnamef), so no separate allocation is needed.
	 */
	dns_name_t		*p_name;
	dns_name_t		*r_name;
	dns_name_t		*fname;
	dns_fixedname_t		_p_namef;
	dns_fixedname_t		_r_namef;
	dns_fixedname_t		_fnamef;
} dns_rpz_st_t;
319 
/*
 * Default TTL (seconds) for policy answers and the default value of
 * dns_rpz_zone_t.max_policy_ttl.  Deliberately short: it bounds how long
 * a rewritten answer -- or a mistaken one, after a policy is withdrawn --
 * stays in downstream caches.
 */
#define DNS_RPZ_TTL_DEFAULT		5
#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT
322 
/*
 * So various response policy zone messages can be turned up or down.
 * These expand to ISC_LOG_* values from <isc/log.h>, which this header
 * does not include itself; a translation unit using them must include it.
 * DNS_RPZ_DEBUG_QUIET is one level beyond DEBUG_LEVEL3, i.e. a level that
 * never matches the others.
 */
#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)
332 
/*
 * Text name of a trigger type, for logging.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy keyword ('given', 'passthru', ...; see dns_rpz_policy_t).
 * NOTE(review): presumably returns DNS_RPZ_POLICY_ERROR for an unknown
 * string -- callers must check, since ERROR sorts above every real policy.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Text name of a policy, for logging.
 */
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);

/*
 * Derive the policy encoded by a CNAME policy record in 'rdataset' of
 * zone 'rpz'.  'selfname' is presumably the owner name used to recognise
 * the special targets (rpz-passthru, rpz-drop, rpz-tcp-only) -- confirm.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
		     dns_name_t *selfname);

/*
 * Allocate an empty dns_rpz_zones_t from 'mctx' and store it in *rpzsp.
 * Returns an isc_result_t; on failure *rpzsp is presumably untouched.
 */
isc_result_t
dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx);

/*
 * Reference counting on dns_rpz_zones_t.refs.  Detaching the last
 * reference frees the structure; *rpzsp is cleared.
 */
void
dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);

void
dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);

/*
 * Bracket a (re)load of policy zone rpz_num.  dns_rpz_beginload() hands out
 * a separate "load rpzs" in *load_rpzsp (see the state table in
 * dns_rpz_zones); dns_rpz_ready() makes it the live set and releases it.
 * Both return isc_result_t.
 */
isc_result_t
dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp,
		  dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num);

isc_result_t
dns_rpz_ready(dns_rpz_zones_t *rpzs,
	      dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num);

/*
 * Add or remove the trigger with owner name 'name' in policy zone rpz_num.
 * The trigger type is presumably derived from 'name' (the DNS_RPZ_*_ZONE
 * sub-zones) -- confirm.  rpz_num must be < DNS_RPZ_MAX_ZONES.
 */
isc_result_t
dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);

void
dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);

/*
 * Look up 'netaddr' among the address triggers of type rpz_type, restricted
 * to the zones in 'zbits'.  Returns the matching zone number -- presumably
 * DNS_RPZ_INVALID_NUM on a miss, which callers must test before indexing --
 * and fills in the policy owner name (ip_name) and prefix length (prefixp).
 */
dns_rpz_num_t
dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp);

/*
 * Look up 'trig_name' among the name triggers of type rpz_type, restricted
 * to the zones in 'zbits'.  Returns the bit set of zones that matched
 * (0 for none), presumably a subset of 'zbits'.
 */
dns_rpz_zbits_t
dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
		  dns_rpz_zbits_t zbits, dns_name_t *trig_name);
377 
378 ISC_LANG_ENDDECLS
379 
380 #endif /* DNS_RPZ_H */
381 
382