bc86c2
From 7d98347aeeb575a022ffae630ee02da215b6f37b Mon Sep 17 00:00:00 2001
bc86c2
From: Simon Kelley <simon@thekelleys.org.uk>
bc86c2
Date: Wed, 18 Nov 2020 18:34:55 +0000
bc86c2
Subject: [PATCH 4/4] Handle multiple identical near simultaneous DNS queries
bc86c2
 better.
bc86c2
bc86c2
Previously, such queries would all be forwarded
bc86c2
independently. This is, in theory, inefficent but in practise
bc86c2
not a problem, _except_ that is means that an answer for any
bc86c2
of the forwarded queries will be accepted and cached.
bc86c2
An attacker can send a query multiple times, and for each repeat,
bc86c2
another {port, ID} becomes capable of accepting the answer he is
bc86c2
sending in the blind, to random IDs and ports. The chance of a
bc86c2
succesful attack is therefore multiplied by the number of repeats
bc86c2
of the query. The new behaviour detects repeated queries and
bc86c2
merely stores the clients sending repeats so that when the
bc86c2
first query completes, the answer can be sent to all the
bc86c2
clients who asked. Refer: CERT VU#434904.
bc86c2
---
bc86c2
 src/dnsmasq.h |  19 ++++---
bc86c2
 src/forward.c | 141 ++++++++++++++++++++++++++++++++++++++++++--------
bc86c2
 2 files changed, 132 insertions(+), 28 deletions(-)
bc86c2
bc86c2
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
bc86c2
index f31503d..6744e2b 100644
bc86c2
--- a/src/dnsmasq.h
bc86c2
+++ b/src/dnsmasq.h
bc86c2
@@ -613,21 +613,26 @@ struct hostsfile {
bc86c2
 #define FREC_DO_QUESTION       64
bc86c2
 #define FREC_ADDED_PHEADER    128
bc86c2
 #define FREC_TEST_PKTSZ       256
bc86c2
-#define FREC_HAS_EXTRADATA    512        
bc86c2
+#define FREC_HAS_EXTRADATA    512
bc86c2
+#define FREC_HAS_PHEADER     1024
bc86c2
 
bc86c2
 #define HASH_SIZE 32 /* SHA-256 digest size */
bc86c2
 
bc86c2
 struct frec {
bc86c2
-  union mysockaddr source;
bc86c2
-  struct all_addr dest;
bc86c2
+  struct frec_src {
bc86c2
+    union mysockaddr source;
bc86c2
+    struct all_addr dest;
bc86c2
+    unsigned int iface, log_id;
bc86c2
+    unsigned short orig_id;
bc86c2
+    struct frec_src *next;
bc86c2
+  } frec_src;
bc86c2
   struct server *sentto; /* NULL means free */
bc86c2
   struct randfd *rfd4;
bc86c2
 #ifdef HAVE_IPV6
bc86c2
   struct randfd *rfd6;
bc86c2
 #endif
bc86c2
-  unsigned int iface;
bc86c2
-  unsigned short orig_id, new_id;
bc86c2
-  int log_id, fd, forwardall, flags;
bc86c2
+  unsigned short new_id;
bc86c2
+  int fd, forwardall, flags;
bc86c2
   time_t time;
bc86c2
   unsigned char *hash[HASH_SIZE];
bc86c2
 #ifdef HAVE_DNSSEC 
bc86c2
@@ -1033,6 +1038,8 @@ extern struct daemon {
bc86c2
 #endif
bc86c2
   unsigned int local_answer, queries_forwarded, auth_answer;
bc86c2
   struct frec *frec_list;
bc86c2
+  struct frec_src *free_frec_src;
bc86c2
+  int frec_src_count;
bc86c2
   struct serverfd *sfds;
bc86c2
   struct irec *interfaces;
bc86c2
   struct listener *listeners;
bc86c2
diff --git a/src/forward.c b/src/forward.c
bc86c2
index 7ffcaf7..db378a5 100644
bc86c2
--- a/src/forward.c
bc86c2
+++ b/src/forward.c
bc86c2
@@ -20,6 +20,8 @@ static struct frec *lookup_frec(unsigned short id, int fd, int family, void *has
bc86c2
 static struct frec *lookup_frec_by_sender(unsigned short id,
bc86c2
 					  union mysockaddr *addr,
bc86c2
 					  void *hash);
bc86c2
+static struct frec *lookup_frec_by_query(void *hash, unsigned int flags);
bc86c2
+
bc86c2
 static unsigned short get_id(void);
bc86c2
 static void free_frec(struct frec *f);
bc86c2
 
bc86c2
@@ -238,15 +240,28 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
bc86c2
   int type = SERV_DO_DNSSEC, norebind = 0;
bc86c2
   struct all_addr *addrp = NULL;
bc86c2
   unsigned int flags = 0;
bc86c2
+  unsigned int fwd_flags = 0;
bc86c2
   struct server *start = NULL;
bc86c2
   void *hash = hash_questions(header, plen, daemon->namebuff);
bc86c2
 #ifdef HAVE_DNSSEC
bc86c2
   int do_dnssec = 0;
bc86c2
 #endif
bc86c2
- unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
bc86c2
+  unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
bc86c2
+  unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
bc86c2
 
bc86c2
  (void)do_bit;
bc86c2
-
bc86c2
+  
bc86c2
+  if (header->hb4 & HB4_CD)
bc86c2
+    fwd_flags |= FREC_CHECKING_DISABLED;
bc86c2
+  if (ad_reqd)
bc86c2
+    fwd_flags |= FREC_AD_QUESTION;
bc86c2
+  if (oph)
bc86c2
+    fwd_flags |= FREC_HAS_PHEADER;
bc86c2
+#ifdef HAVE_DNSSEC
bc86c2
+  if (do_bit)
bc86c2
+    fwd_flags |= FREC_DO_QUESTION;
bc86c2
+#endif
bc86c2
+  
bc86c2
   /* may be no servers available. */
bc86c2
   if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))
bc86c2
     {
bc86c2
@@ -322,6 +337,39 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
bc86c2
     }
bc86c2
   else 
bc86c2
     {
bc86c2
+      /* Query from new source, but the same query may be in progress
bc86c2
+	 from another source. If so, just add this client to the
bc86c2
+	 list that will get the reply.
bc86c2
+	 
bc86c2
+	 Note that is the EDNS client subnet option is in use, we can't do this,
bc86c2
+	 as the clients (and therefore query EDNS options) will be different
bc86c2
+	 for each query. The EDNS subnet code has checks to avoid
bc86c2
+	 attacks in this case. */
bc86c2
+      if (!option_bool(OPT_CLIENT_SUBNET) && (forward = lookup_frec_by_query(hash, fwd_flags)))
bc86c2
+	{
bc86c2
+	  /* Note whine_malloc() zeros memory. */
bc86c2
+	  if (!daemon->free_frec_src &&
bc86c2
+	      daemon->frec_src_count < daemon->ftabsize &&
bc86c2
+	      (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src))))
bc86c2
+	    daemon->frec_src_count++;
bc86c2
+	  
bc86c2
+	  /* If we've been spammed with many duplicates, just drop the query. */
bc86c2
+	  if (daemon->free_frec_src)
bc86c2
+	    {
bc86c2
+	      struct frec_src *new = daemon->free_frec_src;
bc86c2
+	      daemon->free_frec_src = new->next;
bc86c2
+	      new->next = forward->frec_src.next;
bc86c2
+	      forward->frec_src.next = new;
bc86c2
+	      new->orig_id = ntohs(header->id);
bc86c2
+	      new->source = *udpaddr;
bc86c2
+	      new->dest = *dst_addr;
bc86c2
+	      new->log_id = daemon->log_id;
bc86c2
+	      new->iface = dst_iface;
bc86c2
+	    }
bc86c2
+	  
bc86c2
+	  return 1;
bc86c2
+	}
bc86c2
+	
bc86c2
       if (gotname)
bc86c2
 	flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
bc86c2
       
bc86c2
@@ -329,22 +377,22 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
bc86c2
       do_dnssec = type & SERV_DO_DNSSEC;
bc86c2
 #endif
bc86c2
       type &= ~SERV_DO_DNSSEC;      
bc86c2
-
bc86c2
+      
bc86c2
       if (daemon->servers && !flags)
bc86c2
 	forward = get_new_frec(now, NULL, 0);
bc86c2
       /* table full - flags == 0, return REFUSED */
bc86c2
       
bc86c2
       if (forward)
bc86c2
 	{
bc86c2
-	  forward->source = *udpaddr;
bc86c2
-	  forward->dest = *dst_addr;
bc86c2
-	  forward->iface = dst_iface;
bc86c2
-	  forward->orig_id = ntohs(header->id);
bc86c2
+	  forward->frec_src.source = *udpaddr;
bc86c2
+	  forward->frec_src.orig_id = ntohs(header->id);
bc86c2
+	  forward->frec_src.dest = *dst_addr;
bc86c2
+	  forward->frec_src.iface = dst_iface;
bc86c2
 	  forward->new_id = get_id();
bc86c2
 	  forward->fd = udpfd;
bc86c2
 	  memcpy(forward->hash, hash, HASH_SIZE);
bc86c2
 	  forward->forwardall = 0;
bc86c2
-	  forward->flags = 0;
bc86c2
+	  forward->flags = fwd_flags;
bc86c2
 	  if (norebind)
bc86c2
 	    forward->flags |= FREC_NOREBIND;
bc86c2
 	  if (header->hb4 & HB4_CD)
bc86c2
@@ -400,9 +448,9 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
bc86c2
       unsigned char *pheader;
bc86c2
       
bc86c2
       /* If a query is retried, use the log_id for the retry when logging the answer. */
bc86c2
-      forward->log_id = daemon->log_id;
bc86c2
+      forward->frec_src.log_id = daemon->log_id;
bc86c2
       
bc86c2
-      plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->source, now, &subnet;;
bc86c2
+      plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet;;
bc86c2
       
bc86c2
       if (subnet)
bc86c2
 	forward->flags |= FREC_HAS_SUBNET;
bc86c2
@@ -539,7 +587,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
bc86c2
 	return 1;
bc86c2
       
bc86c2
       /* could not send on, prepare to return */ 
bc86c2
-      header->id = htons(forward->orig_id);
bc86c2
+      header->id = htons(forward->frec_src.orig_id);
bc86c2
       free_frec(forward); /* cancel */
bc86c2
     }	  
bc86c2
   
bc86c2
@@ -774,8 +822,8 @@ void reply_query(int fd, int family, time_t now)
bc86c2
   
bc86c2
   /* log_query gets called indirectly all over the place, so 
bc86c2
      pass these in global variables - sorry. */
bc86c2
-  daemon->log_display_id = forward->log_id;
bc86c2
-  daemon->log_source_addr = &forward->source;
bc86c2
+  daemon->log_display_id = forward->frec_src.log_id;
bc86c2
+  daemon->log_source_addr = &forward->frec_src.source;
bc86c2
   
bc86c2
   if (daemon->ignore_addr && RCODE(header) == NOERROR &&
bc86c2
       check_for_ignored_address(header, n, daemon->ignore_addr))
bc86c2
@@ -978,6 +1026,7 @@ void reply_query(int fd, int family, time_t now)
bc86c2
 #ifdef HAVE_IPV6
bc86c2
 		      new->rfd6 = NULL;
bc86c2
 #endif
bc86c2
+		      new->frec_src.next = NULL;
bc86c2
 		      new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
bc86c2
 		      
bc86c2
 		      new->dependent = forward; /* to find query awaiting new one. */
bc86c2
@@ -1099,9 +1148,11 @@ void reply_query(int fd, int family, time_t now)
bc86c2
       
bc86c2
       if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, 
bc86c2
 			      forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, 
bc86c2
-			      forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
bc86c2
+			      forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source)))
bc86c2
 	{
bc86c2
-	  header->id = htons(forward->orig_id);
bc86c2
+	  struct frec_src *src;
bc86c2
+
bc86c2
+	  header->id = htons(forward->frec_src.orig_id);
bc86c2
 	  header->hb4 |= HB4_RA; /* recursion if available */
bc86c2
 #ifdef HAVE_DNSSEC
bc86c2
 	  /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size
bc86c2
@@ -1116,9 +1167,22 @@ void reply_query(int fd, int family, time_t now)
bc86c2
 	      nn = resize_packet(header, nn, NULL, 0);
bc86c2
 	    }
bc86c2
 #endif
bc86c2
-	  send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, 
bc86c2
-		    &forward->source, &forward->dest, forward->iface);
bc86c2
+	  for (src = &forward->frec_src; src; src = src->next)
bc86c2
+	    {
bc86c2
+	      header->id = htons(src->orig_id);
bc86c2
+	      
bc86c2
+	      send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, 
bc86c2
+			&src->source, &src->dest, src->iface);
bc86c2
+
bc86c2
+	      if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src)
bc86c2
+		{
bc86c2
+		  daemon->log_display_id = src->log_id;
bc86c2
+		  daemon->log_source_addr = &src->source;
bc86c2
+		  log_query(F_UPSTREAM, "query", NULL, "duplicate");
bc86c2
+		}
bc86c2
+	    }
bc86c2
 	}
bc86c2
+
bc86c2
       free_frec(forward); /* cancel */
bc86c2
     }
bc86c2
 }
bc86c2
@@ -2053,6 +2117,17 @@ void free_rfd(struct randfd *rfd)
bc86c2
 
bc86c2
 static void free_frec(struct frec *f)
bc86c2
 {
bc86c2
+  struct frec_src *src, *tmp;
bc86c2
+
bc86c2
+   /* add back to freelist of not the record builtin to every frec. */
bc86c2
+  for (src = f->frec_src.next; src; src = tmp)
bc86c2
+    {
bc86c2
+      tmp = src->next;
bc86c2
+      src->next = daemon->free_frec_src;
bc86c2
+      daemon->free_frec_src = src;
bc86c2
+    }
bc86c2
+  
bc86c2
+  f->frec_src.next = NULL;    
bc86c2
   free_rfd(f->rfd4);
bc86c2
   f->rfd4 = NULL;
bc86c2
   f->sentto = NULL;
bc86c2
@@ -2196,17 +2271,39 @@ static struct frec *lookup_frec_by_sender(unsigned short id,
bc86c2
 					  void *hash)
bc86c2
 {
bc86c2
   struct frec *f;
bc86c2
+  struct frec_src *src;
bc86c2
+
bc86c2
+  for (f = daemon->frec_list; f; f = f->next)
bc86c2
+    if (f->sentto &&
bc86c2
+	!(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) &&
bc86c2
+	memcmp(hash, f->hash, HASH_SIZE) == 0)
bc86c2
+      for (src = &f->frec_src; src; src = src->next)
bc86c2
+	if (src->orig_id == id && 
bc86c2
+	    sockaddr_isequal(&src->source, addr))
bc86c2
+	  return f;
bc86c2
+  
bc86c2
+  return NULL;
bc86c2
+}
bc86c2
+
bc86c2
+static struct frec *lookup_frec_by_query(void *hash, unsigned int flags)
bc86c2
+{
bc86c2
+  struct frec *f;
bc86c2
+
bc86c2
+  /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below 
bc86c2
+     ensures that no frec created for internal DNSSEC query can be returned here. */
bc86c2
+
bc86c2
+#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \
bc86c2
+		  | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY)
bc86c2
   
bc86c2
   for(f = daemon->frec_list; f; f = f->next)
bc86c2
     if (f->sentto &&
bc86c2
-	f->orig_id == id && 
bc86c2
-	memcmp(hash, f->hash, HASH_SIZE) == 0 &&
bc86c2
-	sockaddr_isequal(&f->source, addr))
bc86c2
+	(f->flags & FLAGMASK) == flags &&
bc86c2
+	memcmp(hash, f->hash, HASH_SIZE) == 0)
bc86c2
       return f;
bc86c2
-   
bc86c2
+  
bc86c2
   return NULL;
bc86c2
 }
bc86c2
- 
bc86c2
+
bc86c2
 /* Send query packet again, if we can. */
bc86c2
 void resend_query()
bc86c2
 {
bc86c2
-- 
bc86c2
2.26.2
bc86c2