The branch, master has been updated via 26f7a67 s4 dns: Only do recursive queries when allowed/desired via 06dd4d8 s4 dns: Check smb.conf if we should allow recursion via 533b2e6 s4 dns: Allow changing the dns operation flags in handlers via 8d9da67 s4 dns: Only forward for zones we don't own via a991391 s4 dns: Forward questions we can't answer to another server via 10b14fa s4 dns: Add a simple dns lookup helper via 7566e6a s4 dns: Add a simple async client library from 95ebb11 selftest.py: Add get_interface.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 26f7a676f9a0f6f8c5ae3bef9247c675734f35cd Author: Kai Blin <k...@samba.org> Date: Tue Mar 27 15:00:01 2012 +0200 s4 dns: Only do recursive queries when allowed/desired If recursive queries are switched off in smb.conf or the client doesn't ask for recursion, don't recurse. Autobuild-User: Kai Blin <k...@samba.org> Autobuild-Date: Tue Mar 27 17:39:26 CEST 2012 on sn-devel-104 commit 06dd4d8ee1c5440809fa87fd8a1f3cfac8e9036a Author: Kai Blin <k...@samba.org> Date: Tue Mar 27 14:42:15 2012 +0200 s4 dns: Check smb.conf if we should allow recursion commit 533b2e6612bd6497c1d53c31912bccba0260a3e9 Author: Kai Blin <k...@samba.org> Date: Tue Mar 27 13:59:03 2012 +0200 s4 dns: Allow changing the dns operation flags in handlers commit 8d9da67185aac48d7d0bc1e7b90262ae9afc6a64 Author: Kai Blin <k...@samba.org> Date: Tue Mar 27 13:36:16 2012 +0200 s4 dns: Only forward for zones we don't own commit a99139160555072339f8f9cc5912c570158fc236 Author: Kai Blin <k...@samba.org> Date: Tue Mar 27 08:42:22 2012 +0200 s4 dns: Forward questions we can't answer to another server This makes use of libdns and currently hardcodes the forward server, but it works. :) commit 10b14fa1c03fa9d686e94be20a2700954ae090fa Author: Kai Blin <k...@samba.org> Date: Mon Mar 26 20:47:42 2012 +0200 s4 dns: Add a simple dns lookup helper commit 7566e6a5347b9d6b2b0b8b27f9211599febd8da1 Author: Kai Blin <k...@samba.org> Date: Sun Mar 11 10:13:51 2012 +0100 s4 dns: Add a simple async client library ----------------------------------------------------------------------- Summary of changes: lib/param/loadparm.c | 21 +++++ libcli/dns/dns.c | 172 ++++++++++++++++++++++++++++++++++++++ libcli/dns/libdns.h | 53 ++++++++++++ libcli/dns/wscript_build | 5 + source4/dns_server/dns_query.c | 109 ++++++++++++++++++++++-- source4/dns_server/dns_server.c | 21 ++++- source4/dns_server/dns_server.h | 7 ++ source4/dns_server/dns_update.c | 1 + source4/dns_server/dns_utils.c | 28 ++++++ source4/dns_server/wscript_build | 2 +- utils/samba-dig.c | 160 +++++++++++++++++++++++++++++++++++ utils/wscript_build | 7 ++ wscript_build | 2 + 13 files changed, 575 insertions(+), 13 deletions(-) create mode 100644 libcli/dns/dns.c create mode 100644 libcli/dns/libdns.h create mode 100644 libcli/dns/wscript_build create mode 100644 utils/samba-dig.c create mode 100644 utils/wscript_build Changeset truncated at 500 lines: diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index bb59a79..e3792b6 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -1256,6 +1256,22 @@ static struct parm_struct parm_table[] = { .special = NULL, .enum_list = enum_dns_update_settings }, + { + .label = "dns forwarder", + .type = P_STRING, + .p_class = P_GLOBAL, + .offset = GLOBAL_VAR(dns_forwarder), + .special = NULL, + .enum_list = NULL + }, + { + .label = "dns recursive queries", + .type = P_BOOL, + .p_class = P_GLOBAL, + .offset = GLOBAL_VAR(dns_recursive_queries), + .special = NULL, + .enum_list = NULL + }, {NULL, P_BOOL, P_NONE, 0, NULL, NULL, 0} }; @@ -1536,7 +1552,10 @@ FN_GLOBAL_INTEGER(srv_minprotocol, srv_minprotocol) FN_GLOBAL_INTEGER(cli_maxprotocol, cli_maxprotocol) FN_GLOBAL_INTEGER(cli_minprotocol, cli_minprotocol) FN_GLOBAL_BOOL(paranoid_server_security, paranoid_server_security) + FN_GLOBAL_INTEGER(allow_dns_updates, allow_dns_updates) +FN_GLOBAL_CONST_STRING(dns_forwarder, dns_forwarder) +FN_GLOBAL_BOOL(dns_recursive_queries, dns_recursive_queries) FN_GLOBAL_INTEGER(server_signing, server_signing) FN_GLOBAL_INTEGER(client_signing, client_signing) @@ -3403,6 +3422,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g"); lpcfg_do_global_parameter(lp_ctx, "allow dns updates", "False"); + lpcfg_do_global_parameter(lp_ctx, "dns recursive queries", "False"); + lpcfg_do_global_parameter(lp_ctx, "dns forwarder", ""); for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { diff --git a/libcli/dns/dns.c b/libcli/dns/dns.c new file mode 100644 index 0000000..ac0c9e4 --- /dev/null +++ b/libcli/dns/dns.c @@ -0,0 +1,172 @@ +/* + Unix SMB/CIFS implementation. + + Small async DNS library for Samba with socketwrapper support + + Copyright (C) 2010 Kai Blin <k...@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "replace.h" +#include "system/network.h" +#include <tevent.h> +#include "lib/tsocket/tsocket.h" +#include "libcli/util/werror.h" +#include "libcli/dns/libdns.h" +#include "lib/util/tevent_werror.h" +#include "lib/util/samba_util.h" +#include "libcli/util/error.h" +#include "librpc/gen_ndr/dns.h" + +struct dns_udp_request_state { + struct tevent_context *ev; + struct tdgram_context *dgram; + size_t query_len; + uint8_t *reply; + size_t reply_len; +}; + +/* Declare callback functions used below. */ +static void dns_request_get_reply(struct tevent_req *subreq); +static void dns_request_done(struct tevent_req *subreq); + +struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *server_addr_string, + const uint8_t *query, + size_t query_len) +{ + struct tevent_req *req, *subreq; + struct dns_udp_request_state *state; + struct tsocket_address *local_addr, *server_addr; + struct tdgram_context *dgram; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct dns_udp_request_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + + /* Use connected UDP sockets */ + ret = tsocket_address_inet_from_strings(state, "ip", NULL, 0, + &local_addr); + if (ret != 0) { + tevent_req_werror(req, unix_to_werror(ret)); + return tevent_req_post(req, ev); + } + + ret = tsocket_address_inet_from_strings(state, "ip", server_addr_string, + DNS_SERVICE_PORT, &server_addr); + if (ret != 0) { + tevent_req_werror(req, unix_to_werror(ret)); + return tevent_req_post(req, ev); + } + + ret = tdgram_inet_udp_socket(local_addr, server_addr, state, &dgram); + if (ret != 0) { + tevent_req_werror(req, unix_to_werror(ret)); + return tevent_req_post(req, ev); + } + + state->dgram = dgram; + state->query_len = query_len; + + dump_data(10, query, query_len); + + subreq = tdgram_sendto_send(state, ev, dgram, query, query_len, NULL); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + + tevent_req_set_callback(subreq, dns_request_get_reply, req); + return req; +} + +static void dns_request_get_reply(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct dns_udp_request_state *state = tevent_req_data(req, + struct dns_udp_request_state); + ssize_t len; + int err = 0; + + len = tdgram_sendto_recv(subreq, &err); + TALLOC_FREE(subreq); + + if (len == -1 && err != 0) { + tevent_req_werror(req, unix_to_werror(err)); + return; + } + + if (len != state->query_len) { + tevent_req_werror(req, WERR_NET_WRITE_FAULT); + return; + } + + subreq = tdgram_recvfrom_send(state, state->ev, state->dgram); + if (tevent_req_nomem(subreq, req)) { + return; + } + + tevent_req_set_callback(subreq, dns_request_done, req); + return; +} + +static void dns_request_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct dns_udp_request_state *state = tevent_req_data(req, + struct dns_udp_request_state); + + ssize_t len; + int err = 0; + + len = tdgram_recvfrom_recv(subreq, &err, state, &state->reply, NULL); + TALLOC_FREE(subreq); + + if (len == -1 && err != 0) { + tevent_req_werror(req, unix_to_werror(err)); + return; + } + + state->reply_len = len; + dump_data(10, state->reply, state->reply_len); + tevent_req_done(req); +} + +WERROR dns_udp_request_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uint8_t **reply, + size_t *reply_len) +{ + struct dns_udp_request_state *state = tevent_req_data(req, + struct dns_udp_request_state); + WERROR w_error; + + if (tevent_req_is_werror(req, &w_error)) { + tevent_req_received(req); + return w_error; + } + + *reply = talloc_move(mem_ctx, &state->reply); + *reply_len = state->reply_len; + tevent_req_received(req); + + return WERR_OK; +} diff --git a/libcli/dns/libdns.h b/libcli/dns/libdns.h new file mode 100644 index 0000000..31474eb --- /dev/null +++ b/libcli/dns/libdns.h @@ -0,0 +1,53 @@ +/* + Unix SMB/CIFS implementation. + + Small async DNS library for Samba with socketwrapper support + + Copyright (C) 2012 Kai Blin <k...@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __LIBDNS_H__ +#define __LIBDNS_H__ + +/** Send an dns request to a dns server using UDP + * + *@param mem_ctx talloc memory context to use + *@param ev tevent context to use + *@param server_address address of the server as a string + *@param query dns query to send + *@param query_len length of the query + *@return tevent_req with the active request or NULL on out-of-memory + */ +struct tevent_req *dns_udp_request_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *server_address, + const uint8_t *query, + size_t query_len); + +/** Get the dns response from a dns server via UDP + * + *@param req tevent_req struct returned from dns_request_send + *@param mem_ctx talloc memory context to use for the reply string + *@param reply buffer that will be allocated and filled with the dns reply + *@param reply_len length of the reply buffer + *@return WERROR code depending on the async request result + */ +WERROR dns_udp_request_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uint8_t **reply, + size_t *reply_len); + +#endif /*__LIBDNS_H__*/ diff --git a/libcli/dns/wscript_build b/libcli/dns/wscript_build new file mode 100644 index 0000000..2e445da --- /dev/null +++ b/libcli/dns/wscript_build @@ -0,0 +1,5 @@ +#!/usr/bin/env python + +bld.SAMBA_SUBSYSTEM('LIBCLI_DNS', + source='dns.c', + deps='LIBTSOCKET tevent-util') diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index 4277659..b3984a4 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c @@ -20,14 +20,18 @@ */ #include "includes.h" +#include "smbd/service_task.h" #include "libcli/util/werror.h" #include "librpc/ndr/libndr.h" #include "librpc/gen_ndr/ndr_dns.h" #include "librpc/gen_ndr/ndr_dnsp.h" #include <ldb.h> +#include "param/param.h" #include "dsdb/samdb/samdb.h" #include "dsdb/common/util.h" #include "dns_server/dns_server.h" +#include "libcli/dns/libdns.h" +#include "lib/util/util_net.h" static WERROR create_response_rr(const struct dns_name_question *question, const struct dnsp_DnssrvRpcRecord *rec, @@ -97,6 +101,80 @@ static WERROR create_response_rr(const struct dns_name_question *question, return WERR_OK; } +static WERROR ask_forwarder(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct dns_name_question *question, + struct dns_res_rec **answers, uint16_t *ancount, + struct dns_res_rec **nsrecs, uint16_t *nscount, + struct dns_res_rec **additional, uint16_t *arcount) +{ + struct tevent_context *ev = tevent_context_init(mem_ctx); + struct dns_name_packet *out_packet, *in_packet; + uint16_t id = random(); + DATA_BLOB out, in; + enum ndr_err_code ndr_err; + WERROR werr = WERR_OK; + struct tevent_req *req; + const char *forwarder = lpcfg_dns_forwarder(dns->task->lp_ctx); + + if (!is_ipaddress(forwarder)) { + DEBUG(0, ("Invalid 'dns forwarder' setting '%s', needs to be " + "an IP address\n", forwarder)); + return DNS_ERR(NAME_ERROR); + } + + out_packet = talloc_zero(mem_ctx, struct dns_name_packet); + W_ERROR_HAVE_NO_MEMORY(out_packet); + + out_packet->id = id; + out_packet->operation |= DNS_OPCODE_QUERY | DNS_FLAG_RECURSION_DESIRED; + + out_packet->qdcount = 1; + out_packet->questions = question; + + ndr_err = ndr_push_struct_blob(&out, mem_ctx, out_packet, + (ndr_push_flags_fn_t)ndr_push_dns_name_packet); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return DNS_ERR(SERVER_FAILURE); + } + + req = dns_udp_request_send(mem_ctx, ev, forwarder, out.data, out.length); + W_ERROR_HAVE_NO_MEMORY(req); + + if(!tevent_req_poll(req, ev)) { + return DNS_ERR(SERVER_FAILURE); + } + + werr = dns_udp_request_recv(req, mem_ctx, &in.data, &in.length); + W_ERROR_NOT_OK_RETURN(werr); + + in_packet = talloc_zero(mem_ctx, struct dns_name_packet); + W_ERROR_HAVE_NO_MEMORY(in_packet); + + ndr_err = ndr_pull_struct_blob(&in, in_packet, in_packet, + (ndr_pull_flags_fn_t)ndr_pull_dns_name_packet); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return DNS_ERR(SERVER_FAILURE); + } + + if (in_packet->id != id) { + DEBUG(0, ("DNS packet id mismatch: 0x%0x, expected 0x%0x\n", + in_packet->id, id)); + return DNS_ERR(NAME_ERROR); + } + + *ancount = in_packet->ancount; + *answers = talloc_move(mem_ctx, &in_packet->answers); + + *nscount = in_packet->nscount; + *nsrecs = talloc_move(mem_ctx, &in_packet->nsrecs); + + *arcount = in_packet->arcount; + *additional = talloc_move(mem_ctx, &in_packet->additional); + + return werr; +} + static WERROR handle_question(struct dns_server *dns, TALLOC_CTX *mem_ctx, const struct dns_name_question *question, @@ -139,14 +217,15 @@ static WERROR handle_question(struct dns_server *dns, } WERROR dns_server_process_query(struct dns_server *dns, + struct dns_request_state *state, TALLOC_CTX *mem_ctx, struct dns_name_packet *in, struct dns_res_rec **answers, uint16_t *ancount, struct dns_res_rec **nsrecs, uint16_t *nscount, struct dns_res_rec **additional, uint16_t *arcount) { - uint16_t num_answers=0; - struct dns_res_rec *ans=NULL; + uint16_t num_answers=0, num_nsrecs=0, num_additional=0; + struct dns_res_rec *ans=NULL, *ns=NULL, *adds=NULL; WERROR werror; if (in->qdcount != 1) { @@ -158,18 +237,34 @@ WERROR dns_server_process_query(struct dns_server *dns, return DNS_ERR(NOT_IMPLEMENTED); } - werror = handle_question(dns, mem_ctx, &in->questions[0], &ans, &num_answers); + if (dns_authorative_for_zone(dns, in->questions[0].name)) { + state->flags |= DNS_FLAG_AUTHORITATIVE; + werror = handle_question(dns, mem_ctx, &in->questions[0], + &ans, &num_answers); + } else { + if (state->flags & DNS_FLAG_RECURSION_DESIRED && + state->flags & DNS_FLAG_RECURSION_AVAIL) { + DEBUG(2, ("Not authorative for '%s', forwarding\n", + in->questions[0].name)); + werror = ask_forwarder(dns, mem_ctx, &in->questions[0], + &ans, &num_answers, + &ns, &num_nsrecs, + &adds, &num_additional); + } else { + werror = DNS_ERR(NAME_ERROR); + } + } W_ERROR_NOT_OK_GOTO(werror, query_failed); *answers = ans; *ancount = num_answers; /*FIXME: Do something for these */ - *nsrecs = NULL; - *nscount = 0; + *nsrecs = ns; + *nscount = num_nsrecs; - *additional = NULL; - *arcount = 0; + *additional = adds; + *arcount = num_additional; return WERR_OK; diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c index cf43590..789940f 100644 --- a/source4/dns_server/dns_server.c +++ b/source4/dns_server/dns_server.c @@ -100,6 +100,7 @@ static NTSTATUS dns_process(struct dns_server *dns, { enum ndr_err_code ndr_err; WERROR ret; + struct dns_request_state *state; struct dns_name_packet *in_packet; struct dns_name_packet *out_packet; struct dns_res_rec *answers = NULL, *nsrecs = NULL, *additional = NULL; @@ -109,9 +110,11 @@ static NTSTATUS dns_process(struct dns_server *dns, return NT_STATUS_INVALID_PARAMETER; } - in_packet = talloc_zero(mem_ctx, struct dns_name_packet); + state = talloc_zero(mem_ctx, struct dns_request_state); + + in_packet = talloc_zero(state, struct dns_name_packet); /* TODO: We don't really need an out_packet. */ - out_packet = talloc_zero(mem_ctx, struct dns_name_packet); + out_packet = talloc_zero(state, struct dns_name_packet); if (in_packet == NULL) return NT_STATUS_NO_MEMORY; if (out_packet == NULL) return NT_STATUS_NO_MEMORY; @@ -134,19 +137,25 @@ static NTSTATUS dns_process(struct dns_server *dns, NDR_PRINT_DEBUG(dns_name_packet, in_packet); } *out_packet = *in_packet; - out_packet->operation |= DNS_FLAG_REPLY; + state->flags |= in_packet->operation | DNS_FLAG_REPLY; + + if (lpcfg_dns_recursive_queries(dns->task->lp_ctx)) { + state->flags |= DNS_FLAG_RECURSION_AVAIL; + } switch (in_packet->operation & DNS_OPCODE) { case DNS_OPCODE_QUERY: - ret = dns_server_process_query(dns, out_packet, in_packet, + ret = dns_server_process_query(dns, state, + out_packet, in_packet, -- Samba Shared Repository