1 /* 2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 3 * 4 * SPDX-License-Identifier: MPL-2.0 5 * 6 * This Source Code Form is subject to the terms of the Mozilla Public 7 * License, v. 2.0. If a copy of the MPL was not distributed with this 8 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 9 * 10 * See the COPYRIGHT file distributed with this work for additional 11 * information regarding copyright ownership. 12 */ 13 14 #ifndef DNS_RPZ_H 15 #define DNS_RPZ_H 1 16 17 #include <inttypes.h> 18 #include <stdbool.h> 19 20 #include <isc/deprecated.h> 21 #include <isc/event.h> 22 #include <isc/ht.h> 23 #include <isc/lang.h> 24 #include <isc/refcount.h> 25 #include <isc/rwlock.h> 26 #include <isc/time.h> 27 #include <isc/timer.h> 28 29 #include <dns/fixedname.h> 30 #include <dns/rdata.h> 31 #include <dns/types.h> 32 33 ISC_LANG_BEGINDECLS 34 35 #define DNS_RPZ_PREFIX "rpz-" 36 /* 37 * Sub-zones of various trigger types. 38 */ 39 #define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX "client-ip" 40 #define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX "ip" 41 #define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX "nsip" 42 #define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX "nsdname" 43 /* 44 * Special policies. 45 */ 46 #define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX "passthru" 47 #define DNS_RPZ_DROP_NAME DNS_RPZ_PREFIX "drop" 48 #define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX "tcp-only" 49 50 typedef uint8_t dns_rpz_prefix_t; 51 52 typedef enum { 53 DNS_RPZ_TYPE_BAD, 54 DNS_RPZ_TYPE_CLIENT_IP, 55 DNS_RPZ_TYPE_QNAME, 56 DNS_RPZ_TYPE_IP, 57 DNS_RPZ_TYPE_NSDNAME, 58 DNS_RPZ_TYPE_NSIP 59 } dns_rpz_type_t; 60 61 /* 62 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP 63 * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA 64 * < DNS_RPZ_POLICY_CNAME to choose among competing policies. 65 */ 66 typedef enum { 67 DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */ 68 DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */ 69 DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */ 70 DNS_RPZ_POLICY_DROP = 3, /* 'drop': do not respond */ 71 DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */ 72 DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */ 73 DNS_RPZ_POLICY_NODATA = 6, /* 'nodata': answer with ANCOUNT=0 */ 74 DNS_RPZ_POLICY_CNAME = 7, /* 'cname x': answer with x's rrsets */ 75 DNS_RPZ_POLICY_DNS64, /* Apply DN64 to the A rewrite */ 76 DNS_RPZ_POLICY_RECORD, 77 DNS_RPZ_POLICY_WILDCNAME, 78 DNS_RPZ_POLICY_MISS, 79 DNS_RPZ_POLICY_ERROR 80 } dns_rpz_policy_t; 81 82 typedef uint8_t dns_rpz_num_t; 83 84 #define DNS_RPZ_MAX_ZONES 64 85 /* 86 * Type dns_rpz_zbits_t must be an unsigned int wide enough to contain 87 * at least DNS_RPZ_MAX_ZONES bits. 88 */ 89 typedef uint64_t dns_rpz_zbits_t; 90 91 #define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1) 92 93 #define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES 94 95 #define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n)) 96 97 /* 98 * Mask of the specified and higher numbered policy zones 99 * Avoid hassles with (1<<33) or (1<<65) 100 */ 101 #define DNS_RPZ_ZMASK(n) \ 102 ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES - 1) \ 103 ? 0 \ 104 : (1ULL << ((n) + 1))) - \ 105 1)) 106 107 /* 108 * The trigger counter type. 109 */ 110 typedef size_t dns_rpz_trigger_counter_t; 111 112 /* 113 * The number of triggers of each type in a response policy zone. 114 */ 115 typedef struct dns_rpz_triggers dns_rpz_triggers_t; 116 struct dns_rpz_triggers { 117 dns_rpz_trigger_counter_t client_ipv4; 118 dns_rpz_trigger_counter_t client_ipv6; 119 dns_rpz_trigger_counter_t qname; 120 dns_rpz_trigger_counter_t ipv4; 121 dns_rpz_trigger_counter_t ipv6; 122 dns_rpz_trigger_counter_t nsdname; 123 dns_rpz_trigger_counter_t nsipv4; 124 dns_rpz_trigger_counter_t nsipv6; 125 }; 126 127 /* 128 * A single response policy zone. 129 */ 130 typedef struct dns_rpz_zone dns_rpz_zone_t; 131 typedef struct dns_rpz_zones dns_rpz_zones_t; 132 133 struct dns_rpz_zone { 134 isc_refcount_t refs; 135 dns_rpz_num_t num; /* ordinal in list of policy zones */ 136 dns_name_t origin; /* Policy zone name */ 137 dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */ 138 dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */ 139 dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ 140 dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */ 141 dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */ 142 dns_name_t drop; /* DNS_RPZ_DROP_NAME. */ 143 dns_name_t tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */ 144 dns_name_t cname; /* override value for ..._CNAME */ 145 dns_ttl_t max_policy_ttl; 146 dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ 147 148 uint32_t min_update_interval; /* minimal interval between 149 * updates */ 150 isc_ht_t *nodes; /* entries in zone */ 151 dns_rpz_zones_t *rpzs; /* owner */ 152 isc_time_t lastupdated; /* last time the zone was processed 153 * */ 154 bool updatepending; /* there is an update 155 * pending/waiting */ 156 bool updaterunning; /* there is an update running */ 157 dns_db_t *db; /* zones database */ 158 dns_dbversion_t *dbversion; /* version we will be updating to */ 159 dns_db_t *updb; /* zones database we're working on */ 160 dns_dbversion_t *updbversion; /* version we're currently working 161 * on */ 162 dns_dbiterator_t *updbit; /* iterator to use when updating */ 163 isc_ht_t *newnodes; /* entries in zone being updated */ 164 bool db_registered; /* is the notify event 165 * registered? */ 166 bool addsoa; /* add soa to the additional section */ 167 isc_timer_t *updatetimer; 168 isc_event_t updateevent; 169 }; 170 171 /* 172 * Radix tree node for response policy IP addresses 173 */ 174 typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; 175 176 /* 177 * Bitfields indicating which policy zones have policies of 178 * which type. 179 */ 180 typedef struct dns_rpz_have dns_rpz_have_t; 181 struct dns_rpz_have { 182 dns_rpz_zbits_t client_ipv4; 183 dns_rpz_zbits_t client_ipv6; 184 dns_rpz_zbits_t client_ip; 185 dns_rpz_zbits_t qname; 186 dns_rpz_zbits_t ipv4; 187 dns_rpz_zbits_t ipv6; 188 dns_rpz_zbits_t ip; 189 dns_rpz_zbits_t nsdname; 190 dns_rpz_zbits_t nsipv4; 191 dns_rpz_zbits_t nsipv6; 192 dns_rpz_zbits_t nsip; 193 dns_rpz_zbits_t qname_skip_recurse; 194 }; 195 196 /* 197 * Policy options 198 */ 199 typedef struct dns_rpz_popt dns_rpz_popt_t; 200 struct dns_rpz_popt { 201 dns_rpz_zbits_t no_rd_ok; 202 dns_rpz_zbits_t no_log; 203 dns_rpz_zbits_t nsip_on; 204 dns_rpz_zbits_t nsdname_on; 205 bool dnsrps_enabled; 206 bool break_dnssec; 207 bool qname_wait_recurse; 208 bool nsip_wait_recurse; 209 unsigned int min_ns_labels; 210 dns_rpz_num_t num_zones; 211 }; 212 213 /* 214 * Response policy zones known to a view. 215 */ 216 struct dns_rpz_zones { 217 dns_rpz_popt_t p; 218 dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES]; 219 dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES]; 220 221 /* 222 * RPZ policy version number. 223 * It is initially 0 and it increases whenever the server is 224 * reconfigured with new zones or policy. 225 */ 226 int rpz_ver; 227 228 dns_rpz_zbits_t defined; 229 230 /* 231 * The set of records for a policy zone are in one of these states: 232 * never loaded load_begun=0 have=0 233 * during initial loading load_begun=1 have=0 234 * and rbtdb->rpzsp == rbtdb->load_rpzsp 235 * after good load load_begun=1 have!=0 236 * after failed initial load load_begun=1 have=0 237 * and rbtdb->load_rpzsp == NULL 238 * reloading after failure load_begun=1 have=0 239 * reloading after success 240 * main rpzs load_begun=1 have!=0 241 * load rpzs load_begun=1 have=0 242 */ 243 dns_rpz_zbits_t load_begun; 244 dns_rpz_have_t have; 245 246 /* 247 * total_triggers maintains the total number of triggers in all 248 * policy zones in the view. It is only used to print summary 249 * statistics after a zone load of how the trigger counts 250 * changed. 251 */ 252 dns_rpz_triggers_t total_triggers; 253 254 isc_mem_t *mctx; 255 isc_taskmgr_t *taskmgr; 256 isc_timermgr_t *timermgr; 257 isc_task_t *updater; 258 isc_refcount_t refs; 259 isc_refcount_t irefs; 260 /* 261 * One lock for short term read-only search that guarantees the 262 * consistency of the pointers. 263 * A second lock for maintenance that guarantees no other thread 264 * is adding or deleting nodes. 265 */ 266 isc_rwlock_t search_lock; 267 isc_mutex_t maint_lock; 268 269 dns_rpz_cidr_node_t *cidr; 270 dns_rbt_t *rbt; 271 272 /* 273 * DNSRPZ librpz configuration string and handle on librpz connection 274 */ 275 char *rps_cstr; 276 size_t rps_cstr_size; 277 struct librpz_client *rps_client; 278 }; 279 280 /* 281 * context for finding the best policy 282 */ 283 typedef struct { 284 unsigned int state; 285 #define DNS_RPZ_REWRITTEN 0x0001 286 #define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */ 287 #define DNS_RPZ_DONE_QNAME 0x0004 /* qname checked */ 288 #define DNS_RPZ_DONE_QNAME_IP 0x0008 /* IP addresses of qname checked */ 289 #define DNS_RPZ_DONE_NSDNAME 0x0010 /* NS name missed; checking addresses */ 290 #define DNS_RPZ_DONE_IPv4 0x0020 291 #define DNS_RPZ_RECURSING 0x0040 292 #define DNS_RPZ_ACTIVE 0x0080 293 /* 294 * Best match so far. 295 */ 296 struct { 297 dns_rpz_type_t type; 298 dns_rpz_zone_t *rpz; 299 dns_rpz_prefix_t prefix; 300 dns_rpz_policy_t policy; 301 dns_ttl_t ttl; 302 isc_result_t result; 303 dns_zone_t *zone; 304 dns_db_t *db; 305 dns_dbversion_t *version; 306 dns_dbnode_t *node; 307 dns_rdataset_t *rdataset; 308 } m; 309 /* 310 * State for chasing IP addresses and NS names including recursion. 311 */ 312 struct { 313 unsigned int label; 314 dns_db_t *db; 315 dns_rdataset_t *ns_rdataset; 316 dns_rdatatype_t r_type; 317 isc_result_t r_result; 318 dns_rdataset_t *r_rdataset; 319 } r; 320 321 /* 322 * State of real query while recursing for NSIP or NSDNAME. 323 */ 324 struct { 325 isc_result_t result; 326 bool is_zone; 327 bool authoritative; 328 dns_zone_t *zone; 329 dns_db_t *db; 330 dns_dbnode_t *node; 331 dns_rdataset_t *rdataset; 332 dns_rdataset_t *sigrdataset; 333 dns_rdatatype_t qtype; 334 } q; 335 336 /* 337 * A copy of the 'have' and 'p' structures and the RPZ 338 * policy version as of the beginning of RPZ processing, 339 * used to avoid problems when policy is updated while 340 * RPZ recursion is ongoing. 341 */ 342 dns_rpz_have_t have; 343 dns_rpz_popt_t popt; 344 int rpz_ver; 345 346 /* 347 * Shim db between BIND and DNRPS librpz. 348 */ 349 dns_db_t *rpsdb; 350 351 /* 352 * p_name: current policy owner name 353 * r_name: recursing for this name to possible policy triggers 354 * f_name: saved found name from before recursion 355 */ 356 dns_name_t *p_name; 357 dns_name_t *r_name; 358 dns_name_t *fname; 359 dns_fixedname_t _p_namef; 360 dns_fixedname_t _r_namef; 361 dns_fixedname_t _fnamef; 362 } dns_rpz_st_t; 363 364 #define DNS_RPZ_TTL_DEFAULT 5 365 #define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT 366 #define DNS_RPZ_MINUPDATEINTERVAL_DEFAULT 60 367 368 /* 369 * So various response policy zone messages can be turned up or down. 370 */ 371 #define DNS_RPZ_ERROR_LEVEL ISC_LOG_WARNING 372 #define DNS_RPZ_INFO_LEVEL ISC_LOG_INFO 373 #define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1) 374 #define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2) 375 #define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3) 376 #define DNS_RPZ_DEBUG_QUIET (DNS_RPZ_DEBUG_LEVEL3 + 1) 377 378 const char * 379 dns_rpz_type2str(dns_rpz_type_t type); 380 381 dns_rpz_policy_t 382 dns_rpz_str2policy(const char *str); 383 384 const char * 385 dns_rpz_policy2str(dns_rpz_policy_t policy); 386 387 dns_rpz_policy_t 388 dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, 389 dns_name_t *selfname); 390 391 isc_result_t 392 dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, char *rps_cstr, size_t rps_cstr_size, 393 isc_mem_t *mctx, isc_taskmgr_t *taskmgr, 394 isc_timermgr_t *timermgr); 395 396 isc_result_t 397 dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp); 398 399 isc_result_t 400 dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg); 401 402 void 403 dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target); 404 405 void 406 dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp); 407 408 isc_result_t 409 dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, dns_rpz_zones_t *rpzs, 410 dns_rpz_num_t rpz_num) ISC_DEPRECATED; 411 412 isc_result_t 413 dns_rpz_ready(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp, 414 dns_rpz_num_t rpz_num) ISC_DEPRECATED; 415 416 isc_result_t 417 dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, 418 const dns_name_t *name); 419 420 void 421 dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, 422 const dns_name_t *name); 423 424 dns_rpz_num_t 425 dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, 426 dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, 427 dns_name_t *ip_name, dns_rpz_prefix_t *prefixp); 428 429 dns_rpz_zbits_t 430 dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, 431 dns_rpz_zbits_t zbits, dns_name_t *trig_name); 432 433 ISC_LANG_ENDDECLS 434 435 #endif /* DNS_RPZ_H */ 436