source: npl/internetserver/djbdns/patches/0008-Cache-SOA-records.patch @ 9c06000

Last change on this file since 9c06000 was 37aaf89, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago

djbdns patches, so it works correctly with twitter etc
  • Property mode set to 100644
File size: 3.1 KB

  • query.c 

    Description: Cache SOA records
 For more information, how this patch helps to mitigate poisoning attack,
 see http://www.your.org/dnscache.
Author: Jeff King <peff@peff.net>
Date: Tue, 18 Jun 2019 01:11:07 +0000
Debian-Bug: https://bugs.debian.org/516394
Last-Update: 2020-07-26

diff --git a/query.c b/query.c
index 085cf44..372d0a6 100644
    a b static int doit(struct query *z,int state) 
    319319      }
    320320    }
    321321
     322    if (typematch(DNS_T_SOA,dtype)) {
     323      byte_copy(key,2,DNS_T_SOA);
     324      cached = cache_get(key,dlen + 2,&cachedlen,&ttl);
     325      if (cached && (cachedlen || byte_diff(dtype,2,DNS_T_ANY))) {
     326        log_cachedanswer(d,DNS_T_SOA);
     327        if (!rqa(z)) goto DIE;
     328        pos = 0;
     329        while (pos = dns_packet_copy(cached,cachedlen,pos,misc,20)) {
     330          pos = dns_packet_getname(cached,cachedlen,pos,&t2);
     331          if (!pos) break;
     332          pos = dns_packet_getname(cached,cachedlen,pos,&t3);
     333          if (!pos) break;
     334          if (!response_rstart(d,DNS_T_SOA,ttl)) goto DIE;
     335          if (!response_addname(t2)) goto DIE;
     336          if (!response_addname(t3)) goto DIE;
     337          if (!response_addbytes(misc,20)) goto DIE;
     338          response_rfinish(RESPONSE_ANSWER);
     339        }
     340        cleanup(z);
     341        return 1;
     342      }
     343    }
     344
    322345    if (typematch(DNS_T_A,dtype)) {
    323346      byte_copy(key,2,DNS_T_A);
    324347      cached = cache_get(key,dlen + 2,&cachedlen,&ttl);
    static int doit(struct query *z,int state) 
    351374      }
    352375    }
    353376
    354     if (!typematch(DNS_T_ANY,dtype) && !typematch(DNS_T_AXFR,dtype) && !typematch(DNS_T_CNAME,dtype) && !typematch(DNS_T_NS,dtype) && !typematch(DNS_T_PTR,dtype) && !typematch(DNS_T_A,dtype) && !typematch(DNS_T_MX,dtype)) {
     377    if (!typematch(DNS_T_ANY,dtype) && !typematch(DNS_T_AXFR,dtype) && !typematch(DNS_T_CNAME,dtype) && !typematch(DNS_T_NS,dtype) && !typematch(DNS_T_PTR,dtype) && !typematch(DNS_T_A,dtype) && !typematch(DNS_T_MX,dtype) && !typematch(DNS_T_SOA,dtype)) {
    355378      byte_copy(key,2,dtype);
    356379      cached = cache_get(key,dlen + 2,&cachedlen,&ttl);
    357380      if (cached && (cachedlen || byte_diff(dtype,2,DNS_T_ANY))) {
    static int doit(struct query *z,int state) 
    591614    else if (byte_equal(type,2,DNS_T_AXFR))
    592615      ;
    593616    else if (byte_equal(type,2,DNS_T_SOA)) {
     617      int non_authority = 0;
     618      save_start();
    594619      while (i < j) {
    595620        pos = dns_packet_skipname(buf,len,records[i]); if (!pos) goto DIE;
    596621        pos = dns_packet_getname(buf,len,pos + 10,&t2); if (!pos) goto DIE;
    597622        pos = dns_packet_getname(buf,len,pos,&t3); if (!pos) goto DIE;
    598623        pos = dns_packet_copy(buf,len,pos,misc,20); if (!pos) goto DIE;
    599         if (records[i] < posauthority)
     624        if (records[i] < posauthority) {
    600625          log_rrsoa(whichserver,t1,t2,t3,misc,ttl);
     626          save_data(misc,20);
     627          save_data(t2,dns_domain_length(t2));
     628          save_data(t3,dns_domain_length(t3));
     629          non_authority++;
     630        }
    601631        ++i;
    602632      }
     633      if (non_authority)
     634        save_finish(DNS_T_SOA,t1,ttl);
    603635    }
    604636    else if (byte_equal(type,2,DNS_T_CNAME)) {
    605637      pos = dns_packet_skipname(buf,len,records[j - 1]); if (!pos) goto DIE;
Note: See TracBrowser for help on using the repository browser.