1 /*
2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3  *
4  * SPDX-License-Identifier: MPL-2.0
5  *
6  * This Source Code Form is subject to the terms of the Mozilla Public
7  * License, v. 2.0. If a copy of the MPL was not distributed with this
8  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
9  *
10  * See the COPYRIGHT file distributed with this work for additional
11  * information regarding copyright ownership.
12  */
13 
14 #ifndef DNS_RPZ_H
15 #define DNS_RPZ_H 1
16 
17 #include <inttypes.h>
18 #include <stdbool.h>
19 
20 #include <isc/deprecated.h>
21 #include <isc/event.h>
22 #include <isc/ht.h>
23 #include <isc/lang.h>
24 #include <isc/refcount.h>
25 #include <isc/rwlock.h>
26 #include <isc/time.h>
27 #include <isc/timer.h>
28 
29 #include <dns/fixedname.h>
30 #include <dns/rdata.h>
31 #include <dns/types.h>
32 
33 ISC_LANG_BEGINDECLS
34 
35 #define DNS_RPZ_PREFIX "rpz-"
36 /*
37  * Sub-zones of various trigger types.
38  */
39 #define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX "client-ip"
40 #define DNS_RPZ_IP_ZONE	       DNS_RPZ_PREFIX "ip"
41 #define DNS_RPZ_NSIP_ZONE      DNS_RPZ_PREFIX "nsip"
42 #define DNS_RPZ_NSDNAME_ZONE   DNS_RPZ_PREFIX "nsdname"
43 /*
44  * Special policies.
45  */
46 #define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX "passthru"
47 #define DNS_RPZ_DROP_NAME     DNS_RPZ_PREFIX "drop"
48 #define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX "tcp-only"
49 
50 typedef uint8_t dns_rpz_prefix_t;
51 
52 typedef enum {
53 	DNS_RPZ_TYPE_BAD,
54 	DNS_RPZ_TYPE_CLIENT_IP,
55 	DNS_RPZ_TYPE_QNAME,
56 	DNS_RPZ_TYPE_IP,
57 	DNS_RPZ_TYPE_NSDNAME,
58 	DNS_RPZ_TYPE_NSIP
59 } dns_rpz_type_t;
60 
61 /*
62  * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP
63  * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA
64  * < DNS_RPZ_POLICY_CNAME to choose among competing policies.
65  */
66 typedef enum {
67 	DNS_RPZ_POLICY_GIVEN = 0,    /* 'given': what policy record says */
68 	DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */
69 	DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */
70 	DNS_RPZ_POLICY_DROP = 3,     /* 'drop': do not respond */
71 	DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */
72 	DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */
73 	DNS_RPZ_POLICY_NODATA = 6,   /* 'nodata': answer with ANCOUNT=0 */
74 	DNS_RPZ_POLICY_CNAME = 7,    /* 'cname x': answer with x's rrsets */
75 	DNS_RPZ_POLICY_DNS64,	     /* Apply DN64 to the A rewrite */
76 	DNS_RPZ_POLICY_RECORD,
77 	DNS_RPZ_POLICY_WILDCNAME,
78 	DNS_RPZ_POLICY_MISS,
79 	DNS_RPZ_POLICY_ERROR
80 } dns_rpz_policy_t;
81 
82 typedef uint8_t dns_rpz_num_t;
83 
84 #define DNS_RPZ_MAX_ZONES 64
85 /*
86  * Type dns_rpz_zbits_t must be an unsigned int wide enough to contain
87  * at least DNS_RPZ_MAX_ZONES bits.
88  */
89 typedef uint64_t dns_rpz_zbits_t;
90 
91 #define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1)
92 
93 #define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES
94 
95 #define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n))
96 
97 /*
98  * Mask of the specified and higher numbered policy zones
99  * Avoid hassles with (1<<33) or (1<<65)
100  */
101 #define DNS_RPZ_ZMASK(n)                                     \
102 	((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES - 1)   \
103 				    ? 0                      \
104 				    : (1ULL << ((n) + 1))) - \
105 			   1))
106 
107 /*
108  * The trigger counter type.
109  */
110 typedef size_t dns_rpz_trigger_counter_t;
111 
112 /*
113  * The number of triggers of each type in a response policy zone.
114  */
115 typedef struct dns_rpz_triggers dns_rpz_triggers_t;
116 struct dns_rpz_triggers {
117 	dns_rpz_trigger_counter_t client_ipv4;
118 	dns_rpz_trigger_counter_t client_ipv6;
119 	dns_rpz_trigger_counter_t qname;
120 	dns_rpz_trigger_counter_t ipv4;
121 	dns_rpz_trigger_counter_t ipv6;
122 	dns_rpz_trigger_counter_t nsdname;
123 	dns_rpz_trigger_counter_t nsipv4;
124 	dns_rpz_trigger_counter_t nsipv6;
125 };
126 
127 /*
128  * A single response policy zone.
129  */
130 typedef struct dns_rpz_zone  dns_rpz_zone_t;
131 typedef struct dns_rpz_zones dns_rpz_zones_t;
132 
133 struct dns_rpz_zone {
134 	isc_refcount_t	 refs;
135 	dns_rpz_num_t	 num;	    /* ordinal in list of policy zones */
136 	dns_name_t	 origin;    /* Policy zone name */
137 	dns_name_t	 client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */
138 	dns_name_t	 ip;	    /* DNS_RPZ_IP_ZONE.origin. */
139 	dns_name_t	 nsdname;   /* DNS_RPZ_NSDNAME_ZONE.origin */
140 	dns_name_t	 nsip;	    /* DNS_RPZ_NSIP_ZONE.origin. */
141 	dns_name_t	 passthru;  /* DNS_RPZ_PASSTHRU_NAME. */
142 	dns_name_t	 drop;	    /* DNS_RPZ_DROP_NAME. */
143 	dns_name_t	 tcp_only;  /* DNS_RPZ_TCP_ONLY_NAME. */
144 	dns_name_t	 cname;	    /* override value for ..._CNAME */
145 	dns_ttl_t	 max_policy_ttl;
146 	dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
147 
148 	uint32_t min_update_interval;	 /* minimal interval between
149 					  * updates */
150 	isc_ht_t	 *nodes;		 /* entries in zone */
151 	dns_rpz_zones_t *rpzs;		 /* owner */
152 	isc_time_t	 lastupdated;	 /* last time the zone was processed
153 					  * */
154 	bool updatepending;		 /* there is an update
155 					  * pending/waiting */
156 	bool		 updaterunning;	 /* there is an update running */
157 	dns_db_t	 *db;		 /* zones database */
158 	dns_dbversion_t *dbversion;	 /* version we will be updating to */
159 	dns_db_t	 *updb;		 /* zones database we're working on */
160 	dns_dbversion_t *updbversion;	 /* version we're currently working
161 					  * on */
162 	dns_dbiterator_t *updbit;	 /* iterator to use when updating */
163 	isc_ht_t	 *newnodes;	 /* entries in zone being updated */
164 	bool		  db_registered; /* is the notify event
165 					  * registered? */
166 	bool	     addsoa;		 /* add soa to the additional section */
167 	isc_timer_t *updatetimer;
168 	isc_event_t  updateevent;
169 };
170 
171 /*
172  * Radix tree node for response policy IP addresses
173  */
174 typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;
175 
176 /*
177  * Bitfields indicating which policy zones have policies of
178  * which type.
179  */
180 typedef struct dns_rpz_have dns_rpz_have_t;
181 struct dns_rpz_have {
182 	dns_rpz_zbits_t client_ipv4;
183 	dns_rpz_zbits_t client_ipv6;
184 	dns_rpz_zbits_t client_ip;
185 	dns_rpz_zbits_t qname;
186 	dns_rpz_zbits_t ipv4;
187 	dns_rpz_zbits_t ipv6;
188 	dns_rpz_zbits_t ip;
189 	dns_rpz_zbits_t nsdname;
190 	dns_rpz_zbits_t nsipv4;
191 	dns_rpz_zbits_t nsipv6;
192 	dns_rpz_zbits_t nsip;
193 	dns_rpz_zbits_t qname_skip_recurse;
194 };
195 
196 /*
197  * Policy options
198  */
199 typedef struct dns_rpz_popt dns_rpz_popt_t;
200 struct dns_rpz_popt {
201 	dns_rpz_zbits_t no_rd_ok;
202 	dns_rpz_zbits_t no_log;
203 	dns_rpz_zbits_t nsip_on;
204 	dns_rpz_zbits_t nsdname_on;
205 	bool		dnsrps_enabled;
206 	bool		break_dnssec;
207 	bool		qname_wait_recurse;
208 	bool		nsip_wait_recurse;
209 	unsigned int	min_ns_labels;
210 	dns_rpz_num_t	num_zones;
211 };
212 
213 /*
214  * Response policy zones known to a view.
215  */
216 struct dns_rpz_zones {
217 	dns_rpz_popt_t	   p;
218 	dns_rpz_zone_t    *zones[DNS_RPZ_MAX_ZONES];
219 	dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES];
220 
221 	/*
222 	 * RPZ policy version number.
223 	 * It is initially 0 and it increases whenever the server is
224 	 * reconfigured with new zones or policy.
225 	 */
226 	int rpz_ver;
227 
228 	dns_rpz_zbits_t defined;
229 
230 	/*
231 	 * The set of records for a policy zone are in one of these states:
232 	 *	never loaded		    load_begun=0  have=0
233 	 *	during initial loading	    load_begun=1  have=0
234 	 *				and rbtdb->rpzsp == rbtdb->load_rpzsp
235 	 *	after good load		    load_begun=1  have!=0
236 	 *	after failed initial load   load_begun=1  have=0
237 	 *				and rbtdb->load_rpzsp == NULL
238 	 *	reloading after failure	    load_begun=1  have=0
239 	 *	reloading after success
240 	 *		main rpzs	    load_begun=1  have!=0
241 	 *		load rpzs	    load_begun=1  have=0
242 	 */
243 	dns_rpz_zbits_t load_begun;
244 	dns_rpz_have_t	have;
245 
246 	/*
247 	 * total_triggers maintains the total number of triggers in all
248 	 * policy zones in the view. It is only used to print summary
249 	 * statistics after a zone load of how the trigger counts
250 	 * changed.
251 	 */
252 	dns_rpz_triggers_t total_triggers;
253 
254 	isc_mem_t	  *mctx;
255 	isc_taskmgr_t  *taskmgr;
256 	isc_timermgr_t *timermgr;
257 	isc_task_t	   *updater;
258 	isc_refcount_t	refs;
259 	isc_refcount_t	irefs;
260 	/*
261 	 * One lock for short term read-only search that guarantees the
262 	 * consistency of the pointers.
263 	 * A second lock for maintenance that guarantees no other thread
264 	 * is adding or deleting nodes.
265 	 */
266 	isc_rwlock_t search_lock;
267 	isc_mutex_t  maint_lock;
268 
269 	dns_rpz_cidr_node_t *cidr;
270 	dns_rbt_t		  *rbt;
271 
272 	/*
273 	 * DNSRPZ librpz configuration string and handle on librpz connection
274 	 */
275 	char		     *rps_cstr;
276 	size_t		      rps_cstr_size;
277 	struct librpz_client *rps_client;
278 };
279 
280 /*
281  * context for finding the best policy
282  */
283 typedef struct {
284 	unsigned int state;
285 #define DNS_RPZ_REWRITTEN      0x0001
286 #define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */
287 #define DNS_RPZ_DONE_QNAME     0x0004 /* qname checked */
288 #define DNS_RPZ_DONE_QNAME_IP  0x0008 /* IP addresses of qname checked */
289 #define DNS_RPZ_DONE_NSDNAME   0x0010 /* NS name missed; checking addresses */
290 #define DNS_RPZ_DONE_IPv4      0x0020
291 #define DNS_RPZ_RECURSING      0x0040
292 #define DNS_RPZ_ACTIVE	       0x0080
293 	/*
294 	 * Best match so far.
295 	 */
296 	struct {
297 		dns_rpz_type_t	 type;
298 		dns_rpz_zone_t  *rpz;
299 		dns_rpz_prefix_t prefix;
300 		dns_rpz_policy_t policy;
301 		dns_ttl_t	 ttl;
302 		isc_result_t	 result;
303 		dns_zone_t	   *zone;
304 		dns_db_t	 *db;
305 		dns_dbversion_t *version;
306 		dns_dbnode_t    *node;
307 		dns_rdataset_t  *rdataset;
308 	} m;
309 	/*
310 	 * State for chasing IP addresses and NS names including recursion.
311 	 */
312 	struct {
313 		unsigned int	label;
314 		dns_db_t	 *db;
315 		dns_rdataset_t *ns_rdataset;
316 		dns_rdatatype_t r_type;
317 		isc_result_t	r_result;
318 		dns_rdataset_t *r_rdataset;
319 	} r;
320 
321 	/*
322 	 * State of real query while recursing for NSIP or NSDNAME.
323 	 */
324 	struct {
325 		isc_result_t	result;
326 		bool		is_zone;
327 		bool		authoritative;
328 		dns_zone_t	   *zone;
329 		dns_db_t	 *db;
330 		dns_dbnode_t   *node;
331 		dns_rdataset_t *rdataset;
332 		dns_rdataset_t *sigrdataset;
333 		dns_rdatatype_t qtype;
334 	} q;
335 
336 	/*
337 	 * A copy of the 'have' and 'p' structures and the RPZ
338 	 * policy version as of the beginning of RPZ processing,
339 	 * used to avoid problems when policy is updated while
340 	 * RPZ recursion is ongoing.
341 	 */
342 	dns_rpz_have_t have;
343 	dns_rpz_popt_t popt;
344 	int	       rpz_ver;
345 
346 	/*
347 	 * Shim db between BIND and DNRPS librpz.
348 	 */
349 	dns_db_t *rpsdb;
350 
351 	/*
352 	 * p_name: current policy owner name
353 	 * r_name: recursing for this name to possible policy triggers
354 	 * f_name: saved found name from before recursion
355 	 */
356 	dns_name_t	   *p_name;
357 	dns_name_t	   *r_name;
358 	dns_name_t	   *fname;
359 	dns_fixedname_t _p_namef;
360 	dns_fixedname_t _r_namef;
361 	dns_fixedname_t _fnamef;
362 } dns_rpz_st_t;
363 
364 #define DNS_RPZ_TTL_DEFAULT		  5
365 #define DNS_RPZ_MAX_TTL_DEFAULT		  DNS_RPZ_TTL_DEFAULT
366 #define DNS_RPZ_MINUPDATEINTERVAL_DEFAULT 60
367 
368 /*
369  * So various response policy zone messages can be turned up or down.
370  */
371 #define DNS_RPZ_ERROR_LEVEL  ISC_LOG_WARNING
372 #define DNS_RPZ_INFO_LEVEL   ISC_LOG_INFO
373 #define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
374 #define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
375 #define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3)
376 #define DNS_RPZ_DEBUG_QUIET  (DNS_RPZ_DEBUG_LEVEL3 + 1)
377 
378 const char *
379 dns_rpz_type2str(dns_rpz_type_t type);
380 
381 dns_rpz_policy_t
382 dns_rpz_str2policy(const char *str);
383 
384 const char *
385 dns_rpz_policy2str(dns_rpz_policy_t policy);
386 
387 dns_rpz_policy_t
388 dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
389 		     dns_name_t *selfname);
390 
391 isc_result_t
392 dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, char *rps_cstr, size_t rps_cstr_size,
393 		  isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
394 		  isc_timermgr_t *timermgr);
395 
396 isc_result_t
397 dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp);
398 
399 isc_result_t
400 dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg);
401 
402 void
403 dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);
404 
405 void
406 dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);
407 
408 isc_result_t
409 dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, dns_rpz_zones_t *rpzs,
410 		  dns_rpz_num_t rpz_num) ISC_DEPRECATED;
411 
412 isc_result_t
413 dns_rpz_ready(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp,
414 	      dns_rpz_num_t rpz_num) ISC_DEPRECATED;
415 
416 isc_result_t
417 dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
418 	    const dns_name_t *name);
419 
420 void
421 dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
422 	       const dns_name_t *name);
423 
424 dns_rpz_num_t
425 dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
426 		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
427 		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp);
428 
429 dns_rpz_zbits_t
430 dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
431 		  dns_rpz_zbits_t zbits, dns_name_t *trig_name);
432 
433 ISC_LANG_ENDDECLS
434 
435 #endif /* DNS_RPZ_H */
436