diff options
-rw-r--r-- | .gitignore | 10 | ||||
-rw-r--r-- | AUTHORS | 2 | ||||
-rw-r--r-- | COPYING | 13 | ||||
-rw-r--r-- | INSTALL | 167 | ||||
-rw-r--r-- | Makefile | 149 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | README | 27 | ||||
-rw-r--r-- | configure | 475 | ||||
-rw-r--r-- | doc/dnsfunnel-daemon.html | 112 | ||||
-rw-r--r-- | doc/dnsfunnel-translate.html | 70 | ||||
-rw-r--r-- | doc/dnsfunneld.html | 160 | ||||
-rw-r--r-- | doc/index.html | 116 | ||||
-rw-r--r-- | doc/upgrade.html | 28 | ||||
-rw-r--r-- | package/deps-build | 2 | ||||
-rw-r--r-- | package/deps.mak | 16 | ||||
-rw-r--r-- | package/info | 4 | ||||
-rw-r--r-- | package/modes | 3 | ||||
-rw-r--r-- | package/targets.mak | 7 | ||||
-rw-r--r-- | src/dnsfunnel/deps-exe/dnsfunnel-daemon | 1 | ||||
-rw-r--r-- | src/dnsfunnel/deps-exe/dnsfunnel-translate | 1 | ||||
-rw-r--r-- | src/dnsfunnel/deps-exe/dnsfunneld | 4 | ||||
-rw-r--r-- | src/dnsfunnel/dnsfunnel-daemon.c | 150 | ||||
-rw-r--r-- | src/dnsfunnel/dnsfunnel-translate.c | 93 | ||||
-rw-r--r-- | src/dnsfunnel/dnsfunneld.c | 305 | ||||
-rw-r--r-- | src/dnsfunnel/dnsfunneld.h | 44 | ||||
-rw-r--r-- | src/dnsfunnel/dnsfunneld_answer.c | 132 | ||||
-rw-r--r-- | src/dnsfunnel/dnsfunneld_process.c | 136 | ||||
-rwxr-xr-x | tools/gen-deps.sh | 93 | ||||
-rwxr-xr-x | tools/install.sh | 64 |
29 files changed, 2390 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8c7ef95 --- /dev/null +++ b/.gitignore @@ -0,0 +1,10 @@ +*.o +*.a +*.lo +*.so +*.so.* +/config.mak +/src/include/dnsfunnel/config.h +/dnsfunnel-daemon +/dnsfunneld +/dnsfunnel-translate diff --git a/AUTHORS b/AUTHORS new file mode 100644 index 0000000..7a708a1 --- /dev/null +++ b/AUTHORS @@ -0,0 +1,2 @@ +Main author: + Laurent Bercot <ska-skaware@skarnet.org> diff --git a/COPYING b/COPYING new file mode 100644 index 0000000..6b16aad --- /dev/null +++ b/COPYING @@ -0,0 +1,13 @@ +Copyright (c) 2020 Laurent Bercot <ska-skaware@skarnet.org> + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/INSTALL b/INSTALL new file mode 100644 index 0000000..2c3583d --- /dev/null +++ b/INSTALL @@ -0,0 +1,167 @@ +Build Instructions +------------------ + +* Requirements + ------------ + + - A POSIX-compliant C development environment + - GNU make version 3.81 or later + - skalibs version 2.10.0.0 or later: https://skarnet.org/software/skalibs/ + - s6-dns version 2.3.3.0 or later: https://skarnet.org/software/s6-dns/ + + This software will run on any operating system that implements +POSIX.1-2008, available at: + http://pubs.opengroup.org/onlinepubs/9699919799/ + + +* Standard usage + -------------- + + ./configure && make && sudo make install + + will work for most users. + It will install the binaries in /bin. + + You can strip the binaries and libraries of their extra symbols via +"make strip" before the "make install" phase. It will shave a few bytes +off them. + + +* Customization + ------------- + + You can customize paths via flags given to configure. + See ./configure --help for a list of all available configure options. + + +* Environment variables + --------------------- + + Controlling a build process via environment variables is a big and +dangerous hammer. You should try and pass flags to configure instead; +nevertheless, a few standard environment variables are recognized. + + If the CC environment variable is set, its value will override compiler +detection by configure. The --host=HOST option will still add a HOST- +prefix to the value of CC. + + The values of CFLAGS, CPPFLAGS and LDFLAGS will be appended to flags +auto-detected by configure. To entirely override the flags set by +configure instead, use make variables. + + +* Make variables + -------------- + + You can invoke make with a few variables for more configuration. + + CC, CFLAGS, CPPFLAGS, LDFLAGS, LDLIBS, AR, RANLIB, STRIP, INSTALL and +CROSS_COMPILE can all be overridden on the make command line. This is +an even bigger hammer than running ./configure with environment +variables, so it is advised to only do this when it is the only way of +obtaining the behaviour you want. + + DESTDIR can be given on the "make install" command line in order to +install to a staging directory. + + +* Shared libraries + ---------------- + + Software from skarnet.org is small enough that shared libraries are +generally not worth using. Static linking is simpler and incurs less +runtime overhead and less points of failure: so by default, shared +libraries are not built and binaries are linked against the static +versions of the skarnet.org libraries. Nevertheless, you can: + * build shared libraries: --enable-shared + * link binaries against shared libraries: --disable-allstatic + + +* Static binaries + --------------- + + By default, binaries are linked against static versions of all the +libraries they depend on, except for the libc. You can enforce +linking against the static libc with --enable-static-libc. + + Be aware that the GNU libc behaves badly with static linking and +produces huge executables, which is why it is not the default. +Other libcs are better suited to static linking, for instance +musl: http://musl-libc.org/ + + +* Cross-compilation + ----------------- + + skarnet.org packages centralize all the difficulty of +cross-compilation in one place: skalibs. Once you have +cross-compiled skalibs, the rest is easy. + + * Use the --host=HOST option to configure, HOST being the triplet +for your target. + * Make sure your cross-toolchain binaries (i.e. prefixed with HOST-) +are accessible via your PATH environment variable. + * Make sure to use the correct version of skalibs for your target, +and the correct sysdeps directory, making use of the +--with-include, --with-lib, --with-dynlib and --with-sysdeps +options as necessary. + + +* The slashpackage convention + --------------------------- + + The slashpackage convention (http://cr.yp.to/slashpackage.html) +is a package installation scheme that provides a few guarantees +over other conventions such as the FHS, for instance fixed +absolute pathnames. skarnet.org packages support it: use the +--enable-slashpackage option to configure, or +--enable-slashpackage=DIR for a prefixed DIR/package tree. +This option will activate slashpackage support during the build +and set slashpackage-compatible installation directories. +If $package_home is the home of the package, defined as +DIR/package/$category/$package-$version with the variables +read from the package/info file, then: + + --dynlibdir is set to $package_home/library.so + --bindir is set to $package_home/command + --sbindir is also set to $package_home/command (slashpackage +differentiates root-only binaries by their Unix rights, not their +location in the filesystem) + --libexecdir is also set to $package_home/command (slashpackage +does not need a specific directory for internal binaries) + --libdir is set to $package_home/library + --includedir is set to $package_home/include + + --prefix is pretty much ignored when you use --enable-slashpackage. +You should probably not use both --enable-slashpackage and --prefix. + + When using slashpackage, two additional Makefile targets are +available after "make install": + - "make update" changes the default version of the software to the +freshly installed one. (This is useful when you have several installed +versions of the same software, which slashpackage supports.) + - "make -L global-links" adds links from /command and /library.so to the +default version of the binaries and shared libraries. The "-L" option to +make is necessary because targets are symbolic links, and the default make +behaviour is to check the pointed file's timestamp and not the symlink's +timestamp. + + +* Absolute pathnames + ------------------ + + You may want to use fixed absolute pathnames even if you're not +following the slashpackage convention: for instance, the Nix packaging +system prefers calling binaries with immutable paths rather than rely on +PATH resolution. If you are in that case, use the --enable-absolute-paths +option to configure. This will ensure that programs calling binaries from +this package will call them with their full installation path (in bindir) +without relying on a PATH search. + + +* Out-of-tree builds + ------------------ + + skarnet.org packages do not support out-of-tree builds. They +are small, so it does not cost much to duplicate the entire +source tree if parallel builds are needed. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..94a820f --- /dev/null +++ b/Makefile @@ -0,0 +1,149 @@ +# +# This Makefile requires GNU make. +# +# Do not make changes here. +# Use the included .mak files. +# + +it: all + +make_need := 3.81 +ifeq "" "$(strip $(filter $(make_need), $(firstword $(sort $(make_need) $(MAKE_VERSION)))))" +fail := $(error Your make ($(MAKE_VERSION)) is too old. You need $(make_need) or newer) +endif + +CC = $(error Please use ./configure first) + +STATIC_LIBS := +SHARED_LIBS := +INTERNAL_LIBS := +EXTRA_TARGETS := +LIB_DEFS := + +define library_definition +LIB$(firstword $(subst =, ,$(1))) := lib$(lastword $(subst =, ,$(1))).$(if $(DO_ALLSTATIC),a,so).xyzzy +ifdef DO_SHARED +SHARED_LIBS += lib$(lastword $(subst =, ,$(1))).so.xyzzy +endif +ifdef DO_STATIC +STATIC_LIBS += lib$(lastword $(subst =, ,$(1))).a.xyzzy +endif +endef + +-include config.mak +include package/targets.mak + +$(foreach var,$(LIB_DEFS),$(eval $(call library_definition,$(var)))) + +include package/deps.mak + +version_m := $(basename $(version)) +version_M := $(basename $(version_m)) +version_l := $(basename $(version_M)) +CPPFLAGS_ALL := $(CPPFLAGS_AUTO) $(CPPFLAGS) +CFLAGS_ALL := $(CFLAGS_AUTO) $(CFLAGS) +ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) +CFLAGS_SHARED := -fPIC +else +CFLAGS_SHARED := +endif +LDFLAGS_ALL := $(LDFLAGS_AUTO) $(LDFLAGS) +AR := $(CROSS_COMPILE)ar +RANLIB := $(CROSS_COMPILE)ranlib +STRIP := $(CROSS_COMPILE)strip +INSTALL := ./tools/install.sh + +ALL_BINS := $(LIBEXEC_TARGETS) $(BIN_TARGETS) +ALL_LIBS := $(SHARED_LIBS) $(STATIC_LIBS) $(INTERNAL_LIBS) +ALL_INCLUDES := $(wildcard src/include/$(package)/*.h) + +all: $(ALL_LIBS) $(ALL_BINS) $(ALL_INCLUDES) + +clean: + @exec rm -f $(ALL_LIBS) $(ALL_BINS) $(wildcard src/*/*.o src/*/*.lo) $(EXTRA_TARGETS) + +distclean: clean + @exec rm -f config.mak src/include/$(package)/config.h + +tgz: distclean + @. package/info && \ + rm -rf /tmp/$$package-$$version && \ + cp -a . /tmp/$$package-$$version && \ + cd /tmp && \ + tar -zpcv --owner=0 --group=0 --numeric-owner --exclude=.git* -f /tmp/$$package-$$version.tar.gz $$package-$$version && \ + exec rm -rf /tmp/$$package-$$version + +strip: $(ALL_LIBS) $(ALL_BINS) +ifneq ($(strip $(STATIC_LIBS)),) + exec $(STRIP) -x -R .note -R .comment -R .note.GNU-stack $(STATIC_LIBS) +endif +ifneq ($(strip $(ALL_BINS)$(SHARED_LIBS)),) + exec $(STRIP) -R .note -R .comment -R .note.GNU-stack $(ALL_BINS) $(SHARED_LIBS) +endif + +install: install-dynlib install-libexec install-bin install-lib install-include +install-dynlib: $(SHARED_LIBS:lib%.so.xyzzy=$(DESTDIR)$(dynlibdir)/lib%.so) +install-libexec: $(LIBEXEC_TARGETS:%=$(DESTDIR)$(libexecdir)/%) +install-bin: $(BIN_TARGETS:%=$(DESTDIR)$(bindir)/%) +install-lib: $(STATIC_LIBS:lib%.a.xyzzy=$(DESTDIR)$(libdir)/lib%.a) +install-include: $(ALL_INCLUDES:src/include/$(package)/%.h=$(DESTDIR)$(includedir)/$(package)/%.h) +install-data: $(ALL_DATA:src/etc/%=$(DESTDIR)$(datadir)/%) + +ifneq ($(exthome),) + +$(DESTDIR)$(exthome): $(DESTDIR)$(home) + exec $(INSTALL) -l $(notdir $(home)) $(DESTDIR)$(exthome) + +update: $(DESTDIR)$(exthome) + +global-links: $(DESTDIR)$(exthome) $(SHARED_LIBS:lib%.so.xyzzy=$(DESTDIR)$(sproot)/library.so/lib%.so.$(version_M)) $(BIN_TARGETS:%=$(DESTDIR)$(sproot)/command/%) + +$(DESTDIR)$(sproot)/command/%: $(DESTDIR)$(home)/command/% + exec $(INSTALL) -D -l ..$(subst $(sproot),,$(exthome))/command/$(<F) $@ + +$(DESTDIR)$(sproot)/library.so/lib%.so.$(version_M): $(DESTDIR)$(dynlibdir)/lib%.so.$(version_M) + exec $(INSTALL) -D -l ..$(subst $(sproot),,$(exthome))/library.so/$(<F) $@ + +.PHONY: update global-links + +endif + +$(DESTDIR)$(datadir)/%: src/etc/% + exec $(INSTALL) -D -m 644 $< $@ + +$(DESTDIR)$(dynlibdir)/lib%.so $(DESTDIR)$(dynlibdir)/lib%.so.$(version_M): lib%.so.xyzzy + $(INSTALL) -D -m 755 $< $@.$(version) && \ + $(INSTALL) -l $(@F).$(version) $@.$(version_M) && \ + exec $(INSTALL) -l $(@F).$(version_M) $@ + +$(DESTDIR)$(libexecdir)/% $(DESTDIR)$(bindir)/%: % package/modes + exec $(INSTALL) -D -m 600 $< $@ + grep -- ^$(@F) < package/modes | { read name mode owner && \ + if [ x$$owner != x ] ; then chown -- $$owner $@ ; fi && \ + chmod $$mode $@ ; } + +$(DESTDIR)$(libdir)/lib%.a: lib%.a.xyzzy + exec $(INSTALL) -D -m 644 $< $@ + +$(DESTDIR)$(includedir)/$(package)/%.h: src/include/$(package)/%.h + exec $(INSTALL) -D -m 644 $< $@ + +%.o: %.c + exec $(CC) $(CPPFLAGS_ALL) $(CFLAGS_ALL) -c -o $@ $< + +%.lo: %.c + exec $(CC) $(CPPFLAGS_ALL) $(CFLAGS_ALL) $(CFLAGS_SHARED) -c -o $@ $< + +$(ALL_BINS): + exec $(CC) -o $@ $(CFLAGS_ALL) $(LDFLAGS_ALL) $(LDFLAGS_NOSHARED) $^ $(EXTRA_LIBS) $(LDLIBS) + +lib%.a.xyzzy: + exec $(AR) rc $@ $^ + exec $(RANLIB) $@ + +lib%.so.xyzzy: + exec $(CC) -o $@ $(CFLAGS_ALL) $(CFLAGS_SHARED) $(LDFLAGS_ALL) $(LDFLAGS_SHARED) -Wl,-soname,$(patsubst lib%.so.xyzzy,lib%.so.$(version_M),$@) $^ $(EXTRA_LIBS) $(LDLIBS) + +.PHONY: it all clean distclean tgz strip install install-dynlib install-bin install-lib install-include install-data + +.DELETE_ON_ERROR: diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..8c45fe2 --- /dev/null +++ b/NEWS @@ -0,0 +1,6 @@ +Changelog for mdevd. + +In 0.0.1.0 +---------- + + - Initial release. diff --git a/README b/README new file mode 100644 index 0000000..bae9170 --- /dev/null +++ b/README @@ -0,0 +1,27 @@ +dnsfunnel - a small local DNS forwarder +--------------------------------------- + + dnsfunnel is a DNS forwarder (aka, a DNS cache without a +cache) meant to listen to local requests and forward them to +real caches. The point is to move from a +"list several caches in /etc/resolv.conf" model to a +"only list 127.0.0.1 in /etc/resolv.conf" one, which has +architectural advantages and isolates the libc's stub resolver +from various DNS implementation infelicities. + + See https://skarnet.org/software/dnsfunnel/ for details. + + +* Installation + ------------ + + See the INSTALL file. + + +* Contact information + ------------------- + + Laurent Bercot <ska-skaware at skarnet.org> + + Please use the <skaware at list.skarnet.org> mailing-list for +questions about dnsfunnel. diff --git a/configure b/configure new file mode 100644 index 0000000..664a43f --- /dev/null +++ b/configure @@ -0,0 +1,475 @@ +#!/bin/sh + +cd `dirname "$0"` +. package/info + +usage () { +cat <<EOF +Usage: $0 [OPTION]... [TARGET] + +Defaults for the options are specified in brackets. + +System types: + --target=TARGET configure to run on target TARGET [detected] + --host=TARGET same as --target + +Installation directories: + --prefix=PREFIX main installation prefix [/] + --exec-prefix=EPREFIX installation prefix for executable files [PREFIX] + +Fine tuning of the installation directories: + --dynlibdir=DIR shared library files [PREFIX/lib] + --bindir=BINDIR user executables [EPREFIX/bin] + --libexecdir=DIR package-scoped executables [EPREFIX/libexec] + --libdir=DIR static library files [PREFIX/lib/$package] + --includedir=DIR C header files [PREFIX/include] + + If no --prefix option is given, by default libdir (but not dynlibdir) will be + /usr/lib/$package, and includedir will be /usr/include. + +Dependencies: + --with-sysdeps=DIR use sysdeps in DIR [PREFIX/lib/skalibs/sysdeps] + --with-include=DIR add DIR to the list of searched directories for headers + --with-lib=DIR add DIR to the list of searched directories for static libraries + --with-dynlib=DIR add DIR to the list of searched directories for shared libraries + + If no --prefix option is given, by default sysdeps will be fetched from + /usr/lib/skalibs/sysdeps. + +Optional features: + --enable-shared build shared libraries [disabled] + --disable-static do not build static libraries [enabled] + --disable-allstatic do not prefer linking against static libraries [enabled] + --enable-static-libc make entirely static binaries [disabled] + --disable-all-pic do not build executables or static libs as PIC [enabled] + --enable-slashpackage[=ROOT] assume /package installation at ROOT [disabled] + --enable-absolute-paths do not rely on PATH to access this package's binaries, + hardcode absolute BINDIR/foobar paths instead [disabled] + + --with-cachelist=FILE use FILE as default cache list [/run/dnsfunnel-caches] +EOF +exit 0 +} + +# Helper functions + +# If your system does not have printf, you can comment this, but it is +# generally not a good idea to use echo. +# See http://etalabs.net/sh_tricks.html +echo () { + IFS=" " + printf %s\\n "$*" +} + +quote () { + tr '\n' ' ' <<EOF | grep '^[-[:alnum:]_=,./:]* $' >/dev/null 2>&1 && { echo "$1" ; return 0 ; } +$1 +EOF + echo "$1" | sed -e "s/'/'\\\\''/g" -e "1s/^/'/" -e "\$s/\$/'/" -e "s#^'\([-[:alnum:]_,./:]*\)=\(.*\)\$#\1='\2#" -e "s|\*/|* /|g" +} + +fail () { + echo "$*" + exit 1 +} + +fnmatch () { + eval "case \"\$2\" in $1) return 0 ;; *) return 1 ;; esac" +} + +cmdexists () { + type "$1" >/dev/null 2>&1 +} + +trycc () { + test -z "$CC_AUTO" && cmdexists "$1" && CC_AUTO="$*" +} + +stripdir () { + while eval "fnmatch '*/' \"\${$1}\"" ; do + eval "$1=\${$1%/}" + done +} + +tryflag () { + echo "Checking whether compiler accepts $2 ..." + echo "typedef int x;" > "$tmpc" + if $CC_AUTO $CPPFLAGS_AUTO $CPPFLAGS $CPPFLAGS_POST $CFLAGS_AUTO $CFLAGS $CFLAGS_POST "$2" -c -o /dev/null "$tmpc" >/dev/null 2>&1 ; then + echo " ... yes" + eval "$1=\"\${$1} \$2\"" + eval "$1=\${$1# }" + return 0 + else + echo " ... no" + return 1 + fi +} + +tryldflag () { + echo "Checking whether linker accepts $2 ..." + echo "typedef int x;" > "$tmpc" + if $CC_AUTO $CFLAGS_AUTO $CFLAGS $CFLAGS_POST $LDFLAGS_AUTO $LDFLAGS $LDFLAGS_POST -nostdlib "$2" -o /dev/null "$tmpc" >/dev/null 2>&1 ; then + echo " ... yes" + eval "$1=\"\${$1} \$2\"" + eval "$1=\${$1# }" + return 0 + else + echo " ... no" + return 1 + fi +} + + +# Actual script + +CC_AUTO= +CPPFLAGS_AUTO="-D_POSIX_C_SOURCE=200809L -D_XOPEN_SOURCE=700 -iquote src/include-local -Isrc/include" +CPPFLAGS_POST="$CPPFLAGS" +CPPFLAGS= +CFLAGS_AUTO="-pipe -Wall" +CFLAGS_POST="$CFLAGS" +CFLAGS=-O2 +LDFLAGS_AUTO= +LDFLAGS_POST="$LDFLAGS" +LDFLAGS= +LDFLAGS_NOSHARED= +LDFLAGS_SHARED=-shared +prefix= +exec_prefix='$prefix' +dynlibdir='$prefix/lib' +libexecdir='$exec_prefix/libexec' +bindir='$exec_prefix/bin' +libdir='$prefix/lib/$package' +includedir='$prefix/include' +sysdeps='$prefix/lib/skalibs/sysdeps' +manualsysdeps=false +shared=false +static=true +allpic=true +slashpackage=false +abspath=false +sproot= +home= +exthome= +allstatic=true +evenmorestatic=false +addincpath='' +addlibspath='' +addlibdpath='' +vpaths='' +vpathd='' +build= +cachelist=/run/dnsfunnel-caches + +for arg ; do + case "$arg" in + --help) usage ;; + --prefix=*) prefix=${arg#*=} ;; + --exec-prefix=*) exec_prefix=${arg#*=} ;; + --dynlibdir=*) dynlibdir=${arg#*=} ;; + --libexecdir=*) libexecdir=${arg#*=} ;; + --bindir=*) bindir=${arg#*=} ;; + --libdir=*) libdir=${arg#*=} ;; + --includedir=*) includedir=${arg#*=} ;; + --with-sysdeps=*) sysdeps=${arg#*=} manualsysdeps=true ;; + --with-include=*) var=${arg#*=} ; stripdir var ; addincpath="$addincpath -I$var" ;; + --with-lib=*) var=${arg#*=} ; stripdir var ; addlibspath="$addlibspath -L$var" ; vpaths="$vpaths $var" ;; + --with-dynlib=*) var=${arg#*=} ; stripdir var ; addlibdpath="$addlibdpath -L$var" ; vpathd="$vpathd $var" ;; + --enable-shared|--enable-shared=yes) shared=true ;; + --disable-shared|--enable-shared=no) shared=false ;; + --enable-static|--enable-static=yes) static=true ;; + --disable-static|--enable-static=no) static=false ;; + --enable-allstatic|--enable-allstatic=yes) allstatic=true ;; + --disable-allstatic|--enable-allstatic=no) allstatic=false ; evenmorestatic=false ;; + --enable-static-libc|--enable-static-libc=yes) allstatic=true ; evenmorestatic=true ;; + --disable-static-libc|--enable-static-libc=no) evenmorestatic=false ;; + --enable-all-pic|--enable-all-pic=yes) allpic=true ;; + --disable-all-pic|--enable-all-pic=no) allpic=false ;; + --enable-slashpackage=*) sproot=${arg#*=} ; slashpackage=true ; ;; + --enable-slashpackage) sproot= ; slashpackage=true ;; + --disable-slashpackage) sproot= ; slashpackage=false ;; + --enable-absolute-paths|--enable-absolute-paths=yes) abspath=true ;; + --disable-absolute-paths|--enable-absolute-paths=no) abspath=false ;; + --with-cachelist=*) cachelist=${arg#*=} ;; + --enable-*|--disable-*|--with-*|--without-*|--*dir=*) ;; + --host=*|--target=*) target=${arg#*=} ;; + --build=*) build=${arg#*=} ;; + -* ) echo "$0: unknown option $arg" ;; + *=*) ;; + *) target=$arg ;; + esac +done + +# Add /usr in the default default case +if test -z "$prefix" ; then + if test "$libdir" = '$prefix/lib/$package' ; then + libdir=/usr/lib/$package + fi + if test "$includedir" = '$prefix/include' ; then + includedir=/usr/include + fi + if test "$sysdeps" = '$prefix/lib/skalibs/sysdeps' ; then + sysdeps=/usr/lib/skalibs/sysdeps + fi +fi + +# Expand installation directories +stripdir prefix +for i in exec_prefix dynlibdir libexecdir bindir libdir includedir sysdeps sproot ; do + eval tmp=\${$i} + eval $i=$tmp + stripdir $i +done + +# Get usable temp filenames +i=0 +set -C +while : ; do + i=$(($i+1)) + tmpc="./tmp-configure-$$-$PPID-$i.c" + tmpe="./tmp-configure-$$-$PPID-$i.tmp" + 2>|/dev/null > "$tmpc" && break + 2>|/dev/null > "$tmpe" && break + test "$i" -gt 50 && fail "$0: cannot create temporary files" +done +set +C +trap 'rm -f "$tmpc" "$tmpe"' EXIT ABRT INT QUIT TERM HUP + +# Set slashpackage values +if $slashpackage ; then + home=${sproot}/package/${category}/${package}-${version} + exthome=${sproot}/package/${category}/${package} + if $manualsysdeps ; then + : + else + sysdeps=${sproot}/package/prog/skalibs/sysdeps + fi + extbinprefix=${exthome}/command + dynlibdir=${home}/library.so + bindir=${home}/command + libdir=${home}/library + libexecdir=$bindir + includedir=${home}/include + while read dep condvar ; do + if test -n "$condvar" ; then + eval "cond=$condvar" + else + cond=true + fi + if $cond ; then + addincpath="$addincpath -I${sproot}${dep}/include" + vpaths="$vpaths ${sproot}${dep}/library" + addlibspath="$addlibspath -L${sproot}${dep}/library" + vpathd="$vpathd ${sproot}${dep}/library.so" + addlibdpath="$addlibdpath -L${sproot}${dep}/library.so" + fi + done < package/deps-build +fi + +# Find a C compiler to use +if test -n "$target" && test x${build} != x${target} ; then + cross=${target}- +else + cross= +fi +echo "Checking for C compiler..." +trycc ${CC} +if test -n "$CC_AUTO" ; then + b=`basename "$CC"` + adjust_cross=false + if test "$b" != "$CC" ; then + adjust_cross=true + echo "$0: warning: compiler $CC is declared with its own path. If it's not accessible via PATH, you will need to pass AR, RANLIB and STRIP make variables to the make invocation." 1>&2 + fi + if test -n "$cross" ; then + if test "$b" = "${b##$cross}" ; then + echo "$0: warning: compiler $CC is declared as a cross-compiler for target $target but does not start with prefix ${cross}" 1>&2 + elif $adjust_cross ; then + cross=`dirname "$CC"`/"$cross" + fi + fi +fi +trycc ${cross}gcc +trycc ${cross}clang +trycc ${cross}cc +test -n "$CC_AUTO" || { echo "$0: cannot find a C compiler" ; exit 1 ; } +echo " ... $CC_AUTO" +echo "Checking whether C compiler works... " +echo "typedef int x;" > "$tmpc" +if $CC_AUTO $CPPFLAGS_AUTO $CPPFLAGS $CPPFLAGS_POST $CFLAGS_AUTO $CFLAGS $CFLAGS_POST -c -o /dev/null "$tmpc" 2>"$tmpe" ; then + echo " ... yes" +else + echo " ... no. Compiler output follows:" + cat < "$tmpe" + exit 1 +fi + +echo "Checking target system type..." +if test -z "$target" ; then + if test -n "$build" ; then + target=$build ; + else + target=$($CC_AUTO -dumpmachine 2>/dev/null) || target=unknown + fi +fi +echo " ... $target" +if test ! -d $sysdeps || test ! -f $sysdeps/target ; then + echo "$0: error: $sysdeps is not a valid sysdeps directory" + exit 1 +fi +if [ "x$target" != "x$(cat $sysdeps/target)" ] ; then + echo "$0: error: target $target does not match the contents of $sysdeps/target" + exit 1 +fi + +spawn_lib=$(cat $sysdeps/spawn.lib) +socket_lib=$(cat $sysdeps/socket.lib) +sysclock_lib=$(cat $sysdeps/sysclock.lib) +timer_lib=$(cat $sysdeps/timer.lib) +util_lib=$(cat $sysdeps/util.lib) + +if $allpic ; then + tryflag CPPFLAGS_AUTO -fPIC +fi +tryflag CFLAGS_AUTO -std=c99 +tryflag CFLAGS -fomit-frame-pointer +tryflag CFLAGS_AUTO -fno-exceptions +tryflag CFLAGS_AUTO -fno-unwind-tables +tryflag CFLAGS_AUTO -fno-asynchronous-unwind-tables +tryflag CFLAGS_AUTO -Wa,--noexecstack +tryflag CPPFLAGS_AUTO -Werror=implicit-function-declaration +tryflag CPPFLAGS_AUTO -Werror=implicit-int +tryflag CPPFLAGS_AUTO -Werror=pointer-sign +tryflag CPPFLAGS_AUTO -Werror=pointer-arith +tryflag CFLAGS_AUTO -ffunction-sections +tryflag CFLAGS_AUTO -fdata-sections + +tryldflag LDFLAGS_AUTO -Wl,--sort-section=alignment +tryldflag LDFLAGS_AUTO -Wl,--sort-common + +CPPFLAGS_AUTO="${CPPFLAGS_AUTO}${addincpath}" + +if $evenmorestatic ; then + LDFLAGS_NOSHARED=-static +fi + +if $shared ; then + tryldflag LDFLAGS -Wl,--hash-style=both +fi + +LDFLAGS_SHARED="${LDFLAGS_SHARED}${addlibdpath}" + +if test -z "$vpaths" ; then + while read dep ; do + base=$(basename $dep) ; + vpaths="$vpaths /usr/lib/$base" + addlibspath="$addlibspath -L/usr/lib/$base" + done < package/deps-build +fi + +if $allstatic ; then + LDFLAGS_NOSHARED="${LDFLAGS_NOSHARED}${addlibspath}" + tryldflag LDFLAGS_NOSHARED -Wl,--gc-sections +else + LDFLAGS_NOSHARED="${LDFLAGS_NOSHARED}${addlibdpath}" +fi + +echo "Creating config.mak..." +cmdline=$(quote "$0") +for i ; do cmdline="$cmdline $(quote "$i")" ; done +exec 3>&1 1>config.mak +cat << EOF +# This file was generated by: +# $cmdline +# Any changes made here will be lost if configure is re-run. + +target := $target +package := $package +prefix := $prefix +exec_prefix := $exec_prefix +dynlibdir := $dynlibdir +libexecdir := $libexecdir +bindir := $bindir +libdir := $libdir +includedir := $includedir +sysdeps := $sysdeps +slashpackage := $slashpackage +sproot := $sproot +version := $version +home := $home +exthome := $exthome +SPAWN_LIB := ${spawn_lib} +SOCKET_LIB := ${socket_lib} +SYSCLOCK_LIB := ${sysclock_lib} +TIMER_LIB := ${timer_lib} +UTIL_LIB := ${util_lib} + +CC := $CC_AUTO +CPPFLAGS_AUTO := $CPPFLAGS_AUTO +CPPFLAGS := $CPPFLAGS $CPPFLAGS_POST +CFLAGS_AUTO := $CFLAGS_AUTO +CFLAGS := $CFLAGS $CFLAGS_POST +LDFLAGS_AUTO := $LDFLAGS_AUTO +LDFLAGS := $LDFLAGS $LDFLAGS_POST +LDFLAGS_SHARED := $LDFLAGS_SHARED +LDFLAGS_NOSHARED := $LDFLAGS_NOSHARED +CROSS_COMPILE := $cross + +vpath lib%.a$vpaths +vpath lib%.so$vpathd +EOF +if $allstatic ; then + echo ".LIBPATTERNS := lib%.a" + echo "DO_ALLSTATIC := 1" +else + echo ".LIBPATTERNS := lib%.so" +fi +if $static ; then + echo "DO_STATIC := 1" +else + echo "DO_STATIC :=" +fi +if $shared ; then + echo "DO_SHARED := 1" +else + echo "DO_SHARED :=" +fi +if $allpic ; then + echo "STATIC_LIBS_ARE_PIC := 1" +else + echo "STATIC_LIBS_ARE_PIC :=" +fi + +exec 1>&3 3>&- +echo " ... done." + +echo "Creating src/include/${package}/config.h..." +mkdir -p -m 0755 src/include/${package} +exec 3>&1 1> src/include/${package}/config.h +cat <<EOF +/* ISC license. */ + +/* Generated by: $cmdline */ + +#ifndef ${package_macro_name}_CONFIG_H +#define ${package_macro_name}_CONFIG_H + +#define ${package_macro_name}_VERSION "$version" +EOF +if $slashpackage ; then + echo "#define ${package_macro_name}_BINPREFIX \"$bindir/\"" + echo "#define ${package_macro_name}_EXTBINPREFIX \"$extbinprefix/\"" +elif $abspath ; then + echo "#define ${package_macro_name}_BINPREFIX \"$bindir/\"" + echo "#define ${package_macro_name}_EXTBINPREFIX \"$bindir/\"" +else + echo "#define ${package_macro_name}_BINPREFIX \"\"" + echo "#define ${package_macro_name}_EXTBINPREFIX \"\"" +fi +echo "#define ${package_macro_name}_LIBEXECPREFIX \"$libexecdir/\"" +echo +echo "#define ${package_macro_name}_DEFAULT_CACHELIST \"$cachelist\"" +echo +echo "#endif" +exec 1>&3 3>&- +echo " ... done." diff --git a/doc/dnsfunnel-daemon.html b/doc/dnsfunnel-daemon.html new file mode 100644 index 0000000..d93d463 --- /dev/null +++ b/doc/dnsfunnel-daemon.html @@ -0,0 +1,112 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>dnsfunnel: the dnsfunnel-daemon program</title> + <meta name="Description" content="dnsfunnel: the dnsfunnel-daemon program" /> + <meta name="Keywords" content="dnsfunnel daemon /etc/resolv.conf local cache resolver 127.0.0.1" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">dnsfunnel</a><br /> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>dnsfunnel-daemon</tt> program </h1> + +<p> +<tt>dnsfunnel-daemon</tt> binds to a local UDP socket, drops its +privileges, then executes into <a href="dnsfunneld.html">dnsfunneld</a>. +</p> + +<h2> Interface </h2> + +<pre> + dnsfunnel-daemon [ -v verbosity ] [ -d notif ] [ -U | -u uid -g gid ] [ -i ip:port ] [ -R root ] [ -b bufsize ] [ -f cachelist ] [ -T | -t ] [ -N | -n ] +</pre> + +<ul> + <li> dnsfunnel-daemon creates a UDP inet domain socket and binds it +to IPv4 address <em>ip</em> (normally 127.0.0.1) and port <em>port</em> +(normally 53). </li> + <li> Depending on the options it has been given, it may chroot and lose +privileges on its gid and uid. </li> + <li> It execs into <a href="dnsfunneld.html">dnsfunneld</a> with the +UDP socket as its standard input. </li> +</ul> + +<p> + The point of <tt>dnsfunnel-daemon</tt> is to separate the administrative +operations of starting a daemon from the actual serving part, which is +handled by <a href="dnsfunneld.html">dnsfunneld</a>. +</p> + +<h2> Exit codes </h2> + +<ul> + <li> 100: wrong usage </li> + <li> 111: system call failed </li> + <li> 126: failed to exec <a href="dnsfunneld.html">dnsfunneld</a> </li> + <li> 127: could not find the <a href="dnsfunneld.html">dnsfunneld</a> executable </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-v <em>verbosity</em></tt> : verbosity of the +<a href="dnsfunneld.html">dnsfunneld</a> program. This option is passed as is +to <a href="dnsfunneld.html">dnsfunneld</a>. Default is 1. 0 suppresses warning +messages. Higher values may give more informational messages. </li> + <li> <tt>-d <em>notif</em></tt> : readiness notification. This option +is passed as is to <a href="dnsfunneld.html">dnsfunneld</a>, which will print a +newline to descriptor <em>notif</em> when it is ready. Default is no readiness +notification. </li> + <li> <tt>-U</tt> : read an uid in the UID environment variable and a gid +in the GID environment variable, and drop privileges to that uid/gid. </li> + <li> <tt>-u <em>uid</em></tt> : drop privileges to numerical uid +<em>uid</em>. </li> + <li> <tt>-g <em>gid</em></tt> : drop privileges to numerical gid +<em>gid</em>. </li> + <li> <tt>-i <em>ip</em>:<em>port</em></tt> : bind the socket to +IPv4 <em>ip</em> and port <em>port</em>. Default for <em>ip</em> is +<tt>127.0.0.1</tt>; default for <em>port</em> is 53. </li> + <li> <tt>-R <em>root</em></tt> : chroot to <em>root</em>. Note that +this option only increases security if you also drop privileges. </li> + <li> <tt>-b <em>bufsize</em></tt> : try and reserve a kernel buffer +size of <em>bufsize</em> bytes for the socket. Default is 131072. If the given +<em>bufsize</em> is 0, then <tt>dnsfunnel-daemon</tt> will use whatever the +default is for your kernel. </li> + <li> <tt>-f <em>cachelist</em></tt> : Use <em>cachelist</em> as the +file that <a href="dnsfunneld.html">dnsfunneld</a> reads its cache addresses +from. Default is <tt>/run/dnsfunnel-caches</tt>, or <em>file</em> +if the <tt>--with-cachelist=<em>file</em></tt> option has been given to the +configure script at build time. </li> +</ul> + +<p> + The other options control the activation or deactivation of various +<a href="dnsfunneld.html">dnsfunneld</a> features: +</p> + <li> <tt>-T</tt> : Do not activate truncation of responses. This is +the default. </li> + <li> <tt>-t</tt> : If a DNS response is bigger than 510 bytes, +truncate its last resource records until it fits into 510 bytes and can +be sent in a UDP packet. </li> + <li> <tt>-N</tt> : Do not activate nxdomain workaround. This is the +default. </li> + <li> <tt>-n</tt> : Activate nxdomain workaround. When receiving an A +(resp. AAAA) query to forward, also make an AAAA (resp. A) query, and adjust +the response accordingly. Some DNS servers incorrectly answer NXDOMAIN when +they should just answer NODATA, and querying for another, existing, record +type for the same domain allows dnsfunneld to tell the difference between a +real NXDOMAIN (in which case that response is forwarded to the client) and +an incorrect one (in which case NODATA is answered to the client instead). </li> + <li> Other options may be added in the future. </li> +</ul> + +</body> +</html> diff --git a/doc/dnsfunnel-translate.html b/doc/dnsfunnel-translate.html new file mode 100644 index 0000000..9dde27d --- /dev/null +++ b/doc/dnsfunnel-translate.html @@ -0,0 +1,70 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>dnsfunnel: the dnsfunnel-translate program</title> + <meta name="Description" content="dnsfunnel: the dnsfunnel-translate program" /> + <meta name="Keywords" content="dnsfunnel translate /etc/resolv.conf nameserver cache address" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">dnsfunnel</a><br /> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>dnsfunnel-translate</tt> program </h1> + +<p> +<tt>dnsfunnel-translate</tt> translates a file in <tt>resolv.conf</tt> +format to a file in <a href="dnsfunneld.html">dnsfunneld</a> format. +</p> + +<h2> Interface </h2> + +<pre> + dnsfunnel-translate [ -i inputfile ] [ -o outputfile ] [ -x ignoredip ] +</pre> + +<ul> + <li> dnsfunnel-translate opens <em>inputfile</em> and parses it. It reads +and processes lines beginning with <tt>nameserver</tt> followed by an IP +address (v4 or v6). It ignores other lines. </li> + <li> It writes the IP addresses, without the <tt>nameserver</tt> keyword, +to <tt>outputfile</tt>, one per line. </li> + <li> If a <tt>nameserver</tt> address is <em>ignoredip</em>, it does not +get printed to <tt>outputfile</tt> + <li> dnsfunnel-translate exits 0 when it has finished processing +<em>inputfile</em>. </li> +</ul> + +<h2> Exit codes </h2> + +<ul> + <li> 0: success </li> + <li> 1: no suitable IP found in the input file </li> + <li> 100: wrong usage </li> + <li> 111: system call failed </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-i <em>inputfile</em></tt> : process <em>inputfile</em>. +Default is <tt>/etc/resolv.conf</tt>. </li> + <li> <tt>-o <em>outputfile</em></tt> : write the result to +<em>outputfile</em>. Default is <tt>/run/dnsfunnel-caches</tt>, or <em>file</em> +if the <tt>--with-cachelist=<em>file</em></tt> option has been given to the +configure script at build time. </li> + <li> <tt>-x <em>ignoredip</em></tt> : ignore the <em>ignoredip</em> +IPv4 address if it shows up as a <tt>nameserver</tt> in <em>inputfile</em>. +Default is <tt>127.0.0.1</tt>. The point of this option is to avoid copying +to <tt>outputfile</tt> the IPv4 address that the +<a href="dnsfunnel-daemon.html">dnsfunnel-daemon</a> daemon will be bound to. </li> +</ul> + +</body> +</html> diff --git a/doc/dnsfunneld.html b/doc/dnsfunneld.html new file mode 100644 index 0000000..006a6d6 --- /dev/null +++ b/doc/dnsfunneld.html @@ -0,0 +1,160 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>dnsfunnel: the dnsfunnel-daemon program</title> + <meta name="Description" content="dnsfunnel: the dnsfunnel-daemon program" /> + <meta name="Keywords" content="dnsfunnel daemon /etc/resolv.conf local cache resolver 127.0.0.1" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">dnsfunnel</a><br /> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>dnsfunneld</tt> program </h1> + +<p> +<tt>dnsfunneld</tt> is a small DNS forwarder daemon. It receives +DNS queries from clients, then forwards them to one or more DNS caches. +It collects the responses and forwards them back to the clients. Depending +on the options it is given, it may perform light processing on the +queries, the responses, or both. +</p> + +<h2> Interface </h2> + +<pre> + dnsfunneld [ -v verbosity ] [ -d notif ] [ -o ops ] cachelist +</pre> + +<ul> + <li> dnsfunneld reads the <em>cachelist</em> file, expecting to find +a list of IP (v4 or v6) addresses, one per line. These addresses are the +DNS caches it will forward the queries to. </li> + <li> dnsfunneld expects to have a bound UDP inet domain socket as +its standard input. It expects to receive packets no more than 512 +bytes long, only containing DNS normal queries (QUERY) for the IN +class. </li> + <li> Depending on <em>ops</em>, dnsfunneld may send additional queries +to the caches listed in <em>cachelist</em>. It handles the answers +internally: the additional queries are invisible to clients. </li> + <li> dnsfunneld is a long-lived process. </li> +</ul> + +<h2> Signals </h2> + +<ul> + <li> SIGHUP: read the <em>cachelist</em> file again, updating its +in-memory cache list. In-flight queries are still handled by the old +list; the new list will only apply for queries arriving after the SIGHUP. </li> + <li> SIGTERM: enter lame-duck mode, do not accept any more queries. When +all in-flight queries have been answered, exit 0. +</ul> + +<h2> Exit codes </h2> + +<ul> + <li> 0: SIGTERM received and all in-flight queries have been answered </li> + <li> 100: wrong usage </li> + <li> 111: system call failed </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-v <em>verbosity</em></tt> : verbosity. +Default is 1. 0 suppresses warning messages. Higher values may give more +informational messages in the future. </li> + <li> <tt>-d <em>notif</em></tt> : readiness notification. When +dnsfunneld is ready to process queries, write a newline to file descriptor +<em>notif</em>. <em>notif</em> must be 3 or greater. Default is no notification +at all. </li> + <li> <tt>-o <em>ops</em></tt> : perform various operations on +queries. <em>ops</em> is a decimal integer that is treated as a bitfield. +Default is 0. Operations are listed below. </li> +</ul> + +<h2> DNS forwarding behaviour </h2> + +<ul> + <li> When it receives a query, dnsfunneld forwards it to the first DNS cache +in the list it has read from the <em>cachelist</em> file. </li> + <li> If it receives a response with the TC bit, it resends the query over TCP. </li> + <li> If it receives a suitable response within a given time frame, it forwards +it to the client. </li> + <li> On SERVFAIL, or after a timeout of 1 second, it gives up and sends the +query to the next DNS cache in its list. (If the first cache answers after the time +frame, the answer is dropped.) + <li> If dnsfunneld reaches the end of its cache list, it retries the whole +procedure starting at the beginning of the list, but with a timeout of 3 seconds. +Caches that returned a SERVFAIL are crossed off the list for that query. </li> + <li> If the second pass fails again, dnsfunneld tries again with a timeout of +11 seconds, then with a timeout of 45 seconds. If all of this fails, it returns +a SERVFAIL to the client. </li> + <li> A machine should not use a DNS cache that is too far away. In normal operation, +a timeout of 1 second should be more than enough for a cache to answer, if it already +has the answer. If the answer is absent from all caches and it takes them more than +1 second to resolve the query, the answer will be obtained by dnsfunneld in the second +pass. Realistically, the only cases when caches that are not at the top of the list +are used are: + <ul> + <li> obscure DNS queries, not likely to be in the caches, and that will take +time to resolve; </li> + <li> or the first cache has really gone to lunch. </li> + </ul> +</ul> + +<h2> dnsfunneld operations </h2> + +<p> + <em>ops</em> is an integer used as a bitfield. Depending on which bits are set, +various operations are performed on queries or answers, slightly modifying the +behaviour described above. +</p> + +<ul> + <li> bit 0: activate truncation. If a DNS response is more than 510 bytes +long, dnsfunneld will truncate the <em>last</em> resource records in the response, +until it fits into 510 bytes and can be given to the client in a UDP packet. +The structure of a DNS packet makes it so the RRs are listed in order of +decreasing importance, so keeping as many RRs as will fit in 510 bytes +without reordering them is the natural way of truncating a response. </li> + <li> bit 1: activate workaround for some servers that incorrectly report +NXDOMAIN when they're asked for an AAAA record, and no such record exists +for the domain but an A record exists. When that bit is set in <em>ops</em>, +for every A or AAAA query dnsfunneld receives and forwards, it also sends +an additional AAAA or A query for the same domain. If the main query returns +NXDOMAIN, dnsfunneld waits for the response to the auxiliary query: if this +response is not NXDOMAIN, then dnsfunneld answers NODATA to the client instead +of NXDOMAIN. Be aware that activating this workaround can practically double +the number of queries sent to the DNS caches, and may cause additional delays +before the clients get their answers. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> The point of dnsfunneld is to work around ill-designed or unreliable +client setups with several motley <tt>nameserver</tt> entries in +<tt>/etc/resolv.conf</tt>. By converting those entries to a cache list +instead (via the <a href="dnsfunnel-translate.html">dnsfunnel-translate</a> +program), running dnsfunneld on 127.0.0.1, and enforcing a policy of one +single <tt>nameserver 127.0.0.1</tt> entry in <tt>/etc/resolv.conf</tt>, +the setup can be made more reliable and more consistent. </li> + <li> Such a policy can be automated, for instance, by listening to +changes on the <tt>/etc/resolv.conf</tt> file (via inotify or kqueue, +depending on your system) and immediately calling +<a href="dnsfunnel-translate.html">dnsfunnel-translate</a>, sending +a SIGHUP to dnsfunneld, and forcefully overwriting <tt>/etc/resolv.conf</tt>. </li> + <li> It is easy to send a SIGHUP to dnsfunneld even without knowing its +pid, if it is run under a process supervision system such as +<a href="//skarnet.org/software/s6/">s6</a>. </li> +</ul> + +</body> +</html> diff --git a/doc/index.html b/doc/index.html new file mode 100644 index 0000000..fe8e8d4 --- /dev/null +++ b/doc/index.html @@ -0,0 +1,116 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>dnsfunnel - A small local DNS cache daemon</title> + <meta name="Description" content="dnsfunnel - a small local DNS cache daemon" /> + <meta name="Keywords" content="dnsfunnel DNS domain cache local /etc/resolv.conf resolver forwarder laurent bercot ska skarnet" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> dnsfunnel </h1> + +<h2> What is it ? </h2> + +<p> + dnsfunnel is a small daemon listening to DNS client requests over UDP +(typically from the libc's +<a href="https://pubs.opengroup.org/onlinepubs/9699919799/functions/getaddrinfo.html">getaddrinfo()</a> +function) and forwards them to a list of DNS caches. It provides the +client with the first answer it gets, trimming the answer so it fits +in an UDP packet. +</p> + +<p> + dnsfunnel is especially useful for distributions using the +<a href="https://musl-libc.org">musl</a> libc, which does not support +TCP DNS transport. It was originally written to be used in the +<a href="https://alpinelinux.org/">Alpine Linux</a> distribution. +</p> + +<hr /> + +<h2> Installation </h2> + +<h3> Requirements </h3> + +<ul> + <li> A POSIX-compliant system with a standard C development environment. +The system must also support <tt>chroot()</tt> </li> + <li> GNU make, version 3.81 or later </li> + <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version +2.10.0.0 or later. It's a build-time requirement. It's also a run-time +requirement if you link against the shared version of the skalibs +library. </li> + <li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a> version +2.3.3.0 or later. It's a build-time requirement. It's also a run-time +requirement if you link against the shared version of the s6dns +library. </li> + +</ul> + +<h3> Licensing </h3> + +<p> + dnsfunnel is free software. It is available under the +<a href="https://opensource.org/licenses/ISC">ISC license</a>. +</p> + +<h3> Download </h3> + +<ul> + <li> The current released version of dnsfunnel is +<a href="dnsfunnel-0.0.1.0.tar.gz">0.0.1.0</a>. + (This is a lie. +dnsfunnel is in alpha development at the moment, and only +available through git.) </li> + <li> Alternatively, you can checkout a copy of the +<a href="//git.skarnet.org/cgi-bin/cgit.cgi/dnsfunnel/">dnsfunnel +git repository</a>: +<pre> git clone git://git.skarnet.org/dnsfunnel </pre> </li> + <li> There's also a +<a href="https://github.com/skarnet/dnsfunnel">GitHub mirror</a> +of the dnsfunnel git repository. </li> +</ul> + +<h3> Compilation </h3> + +<ul> + <li> See the enclosed INSTALL file for installation details. </li> +</ul> + +<h3> Upgrade notes </h3> + +<ul> + <li> <a href="upgrade.html">This page</a> lists the differences to be aware of between +the previous versions of dnsfunnel and the current one. </li> +</ul> + +<hr /> + +<h2> Reference </h2> + +<h3> Commands </h3> + +<ul> +<li><a href="dnsfunnel-daemon.html">The <tt>dnsfunnel-daemon</tt> program</a></li> +<li><a href="dnsfunneld.html">The <tt>dnsfunneld</tt> program</a></li> +<li><a href="dnsfunnel-translate.html">The <tt>dnsfunnel-translate</tt> program</a></li> +</ul> + +<h2> Related resources </h2> + +<ul> + <li> <tt>dnsfunnel</tt> is discussed on the +<a href="//skarnet.org/lists.html#skaware">skaware</a> mailing-list. </li> +</ul> + +</body> +</html> diff --git a/doc/upgrade.html b/doc/upgrade.html new file mode 100644 index 0000000..6b46bde --- /dev/null +++ b/doc/upgrade.html @@ -0,0 +1,28 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>dnsfunnel: how to upgrade</title> + <meta name="Description" content="dnsfunnel: how to upgrade" /> + <meta name="Keywords" content="dnsfunnel installation upgrade" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">dnsfunnel</a><br /> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> What has changed in dnsfunnel </h1> + +<h2> in 0.0.1.0 </h2> + +<ul> + <li> Initial release. </li> +</ul> + +</body> +</html> diff --git a/package/deps-build b/package/deps-build new file mode 100644 index 0000000..6b9f75d --- /dev/null +++ b/package/deps-build @@ -0,0 +1,2 @@ +/package/prog/skalibs +/package/web/s6-dns diff --git a/package/deps.mak b/package/deps.mak new file mode 100644 index 0000000..29eaab1 --- /dev/null +++ b/package/deps.mak @@ -0,0 +1,16 @@ +# +# This file has been generated by tools/gen-deps.sh +# + +src/dnsfunnel/dnsfunnel-daemon.o src/dnsfunnel/dnsfunnel-daemon.lo: src/dnsfunnel/dnsfunnel-daemon.c src/include/dnsfunnel/config.h +src/dnsfunnel/dnsfunnel-translate.o src/dnsfunnel/dnsfunnel-translate.lo: src/dnsfunnel/dnsfunnel-translate.c src/include/dnsfunnel/config.h +src/dnsfunnel/dnsfunneld.o src/dnsfunnel/dnsfunneld.lo: src/dnsfunnel/dnsfunneld.c src/dnsfunnel/dnsfunneld.h +src/dnsfunnel/dnsfunneld_answer.o src/dnsfunnel/dnsfunneld_answer.lo: src/dnsfunnel/dnsfunneld_answer.c src/dnsfunnel/dnsfunneld.h +src/dnsfunnel/dnsfunneld_process.o src/dnsfunnel/dnsfunneld_process.lo: src/dnsfunnel/dnsfunneld_process.c src/dnsfunnel/dnsfunneld.h + +dnsfunnel-daemon: EXTRA_LIBS := -lskarnet +dnsfunnel-daemon: src/dnsfunnel/dnsfunnel-daemon.o +dnsfunnel-translate: EXTRA_LIBS := -lskarnet +dnsfunnel-translate: src/dnsfunnel/dnsfunnel-translate.o +dnsfunneld: EXTRA_LIBS := -ls6dns -lskarnet +dnsfunneld: src/dnsfunnel/dnsfunneld.o src/dnsfunnel/dnsfunneld_answer.o src/dnsfunnel/dnsfunneld_process.o diff --git a/package/info b/package/info new file mode 100644 index 0000000..0705998 --- /dev/null +++ b/package/info @@ -0,0 +1,4 @@ +package=dnsfunnel +version=0.0.1.0 +category=web +package_macro_name=DNSFUNNEL diff --git a/package/modes b/package/modes new file mode 100644 index 0000000..d42c9a1 --- /dev/null +++ b/package/modes @@ -0,0 +1,3 @@ +dnsfunnel-daemon 0755 +dnsfunneld 0755 +dnsfunnel-translate 0755 diff --git a/package/targets.mak b/package/targets.mak new file mode 100644 index 0000000..1a65a56 --- /dev/null +++ b/package/targets.mak @@ -0,0 +1,7 @@ +BIN_TARGETS := \ +dnsfunnel-daemon \ +dnsfunneld \ +dnsfunnel-translate + +LIBEXEC_TARGETS := + diff --git a/src/dnsfunnel/deps-exe/dnsfunnel-daemon b/src/dnsfunnel/deps-exe/dnsfunnel-daemon new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/dnsfunnel/deps-exe/dnsfunnel-daemon @@ -0,0 +1 @@ +-lskarnet diff --git a/src/dnsfunnel/deps-exe/dnsfunnel-translate b/src/dnsfunnel/deps-exe/dnsfunnel-translate new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/dnsfunnel/deps-exe/dnsfunnel-translate @@ -0,0 +1 @@ +-lskarnet diff --git a/src/dnsfunnel/deps-exe/dnsfunneld b/src/dnsfunnel/deps-exe/dnsfunneld new file mode 100644 index 0000000..90302a1 --- /dev/null +++ b/src/dnsfunnel/deps-exe/dnsfunneld @@ -0,0 +1,4 @@ +dnsfunneld_answer.o +dnsfunneld_process.o +-ls6dns +-lskarnet diff --git a/src/dnsfunnel/dnsfunnel-daemon.c b/src/dnsfunnel/dnsfunnel-daemon.c new file mode 100644 index 0000000..1df6a38 --- /dev/null +++ b/src/dnsfunnel/dnsfunnel-daemon.c @@ -0,0 +1,150 @@ +/* ISC license. */ + +#include <skalibs/sysdeps.h> + +#ifndef SKALIBS_HASCHROOT +# error "this program can only be built on systems that provide a chroot() function" +#endif + +#include <skalibs/nonposix.h> /* chroot */ +#include <stdint.h> +#include <unistd.h> +#include <sys/types.h> +#include <stdlib.h> + +#include <skalibs/uint16.h> +#include <skalibs/types.h> +#include <skalibs/fmtscan.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/djbunix.h> +#include <skalibs/socket.h> +#include <skalibs/exec.h> + +#include <dnsfunnel/config.h> + +#define USAGE "dnsfunnel-daemon [ -v verbosity ] [ -d notif ] [ -U | -u uid -g gid ] [ -i ip:port ] [ -R root ] [ -b bufsize ] [ -f cachelist ] [ -T | -t ] [ -N | -n ] " +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv) +{ + int notif = 0 ; + unsigned int verbosity = 1 ; + unsigned int bufsize = 131072 ; + int flagU = 0 ; + uid_t uid = -1 ; + gid_t gid = -1 ; + char const *ipport = "127.0.0.1:53" ; + char const *newroot = 0 ; + char const *cachelist = DNSFUNNEL_DEFAULT_CACHELIST ; + uint32_t ops = 0 ; + PROG = "dnsfunnel-daemon" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + int opt = subgetopt_r(argc, argv, "v:d:Uu:g:i:R:b:f:TtNn", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'd' : if (!uint0_scan(l.arg, (unsigned int *)¬if)) dieusage() ; break ; + case 'U' : flagU = 1 ; break ; + case 'u' : if (!uid0_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!gid0_scan(l.arg, &gid)) dieusage() ; break ; + case 'i' : ipport = l.arg ; break ; + case 'R' : newroot = l.arg ; break ; + case 'b' : if (!uint0_scan(l.arg, &bufsize)) dieusage() ; break ; + case 'f' : cachelist = l.arg ; break ; + case 'T' : ops &= ~1 ; break ; + case 't' : ops |= 1 ; break ; + case 'N' : ops &= ~2 ; break ; + case 'n' : ops |= 2 ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + + { + int fd ; + char ip[4] ; + uint16_t port ; + size_t pos = ip4_scan(ipport, ip) ; + if (!pos) dieusage() ; + if (ipport[pos] != ':') dieusage() ; + if (!uint160_scan(ipport + pos + 1, &port)) dieusage() ; + fd = socket_udp4() ; + if (fd < 0) strerr_diefu1sys(111, "create UDP socket") ; + if (socket_bind4_reuse(fd, ip, port) < 0) + { + char fmti[IP4_FMT] ; + char fmtp[UINT16_FMT] ; + fmti[ip4_fmt(fmti, ip)] = 0 ; + fmtp[uint16_fmt(fmtp, port)] = 0 ; + strerr_diefu4sys(111, "bind on ip ", fmti, " port ", fmtp) ; + } + if (bufsize) socket_tryreservein(fd, bufsize) ; + if (fd_move(0, fd) < 0) + strerr_diefu1sys(111, "move file descriptors") ; + } + + if (newroot) + { + if (chdir(newroot) < 0 || chroot(".") < 0) + strerr_diefu2sys(111, "chroot to ", newroot) ; + } + + if (flagU) + { + char const *x = getenv("UID") ; + if (x && !uid0_scan(x, &uid)) + strerr_dieinvalid(100, "UID") ; + x = getenv("GID") ; + if (x && !gid0_scan(x, &gid)) + strerr_dieinvalid(100, "GID") ; + } + if (gid != (gid_t)-1 && setgid(gid) < 0) + { + char fmt[GID_FMT] ; + fmt[gid_fmt(fmt, gid)] = 0 ; + strerr_diefu2sys(111, "setgid to ", fmt) ; + } + if (uid != (uid_t)-1 && setuid(uid) < 0) + { + char fmt[UID_FMT] ; + fmt[uid_fmt(fmt, uid)] = 0 ; + strerr_diefu2sys(111, "setuid to ", fmt) ; + } + + { + char const *newargv[10] = { "dnsfunneld" } ; + char const *newenvp[1] = { 0 } ; + unsigned int m = 1 ; + char fmtv[UINT_FMT] ; + char fmtn[UINT_FMT] ; + char fmto[UINT_FMT] ; + if (verbosity != 1) + { + fmtv[uint_fmt(fmtv, verbosity)] = 0 ; + newargv[m++] = "-v" ; + newargv[m++] = fmtv ; + } + if (notif) + { + fmtn[uint_fmt(fmtn, notif)] = 0 ; + newargv[m++] = "-d" ; + newargv[m++] = fmtn ; + } + if (ops) + { + fmto[uint_fmt(fmto, ops)] = 0 ; + newargv[m++] = "-o" ; + newargv[m++] = fmto ; + } + newargv[m++] = "--" ; + newargv[m++] = cachelist ; + newargv[m++] = 0 ; + xexec_ae(DNSFUNNEL_BINPREFIX "dnsfunneld", newargv, newenvp) ; + } +} diff --git a/src/dnsfunnel/dnsfunnel-translate.c b/src/dnsfunnel/dnsfunnel-translate.c new file mode 100644 index 0000000..70610b8 --- /dev/null +++ b/src/dnsfunnel/dnsfunnel-translate.c @@ -0,0 +1,93 @@ +/* ISC license. */ + +#include <string.h> + +#include <skalibs/bytestr.h> +#include <skalibs/sgetopt.h> +#include <skalibs/buffer.h> +#include <skalibs/fmtscan.h> +#include <skalibs/strerr2.h> +#include <skalibs/djbunix.h> +#include <skalibs/ip46.h> + +#include <s6-dns/s6dns-constants.h> + +#include <dnsfunnel/config.h> + +#define USAGE "dnsfunnel-translate [ -i resolvconf ] [ -o cachelist ] [ -x ignoredip ]" +#define dieusage() strerr_dieusage(100, USAGE) + + +static size_t parse_nameservers (ip46_t *list, char const *file, char const *ignore) +{ + static char const zero[SKALIBS_IP_SIZE] = { 0 } ; + char buf[4096] ; + size_t n = 0, i = 0 ; + ssize_t len = openreadnclose(file, buf, 4095) ; + if (len < 0) strerr_diefu2sys(111, "open ", file) ; + buf[len++] = '\n' ; + while ((i < len) && (n < S6DNS_MAX_SERVERS)) + { + size_t j = byte_chr(buf + i, len - i, '\n') ; + if ((i + j < len) && (j > 13U) && !memcmp("nameserver", buf + i, 10)) + { + size_t k = 0 ; + while ((buf[i+10+k] == ' ') || (buf[i+10+k] == '\t')) k++ ; + if (k && ip46_scan(buf+i+10+k, list + n) + && memcmp(list[n].ip, zero, SKALIBS_IP_SIZE) + && (ip46_is6(list + n) || memcmp(list[n].ip, ignore, 4)) + ) n++ ; + } + i += j + 1 ; + } + return n ; +} + + +int main (int argc, char const *const *argv) +{ + ip46_t list[S6DNS_MAX_SERVERS] = { IP46_ZERO } ; + char const *resolvconf = "/etc/resolv.conf" ; + char const *cachelist = DNSFUNNEL_DEFAULT_CACHELIST ; + char ignore[4] = "\177\0\0\1" ; + size_t n ; + PROG = "dnsfunnel-translate" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + int opt = subgetopt_r(argc, argv, "i:o:x:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'i' : resolvconf = l.arg ; break ; + case 'o' : cachelist = l.arg ; break ; + case 'x' : if (!ip4_scan(l.arg, ignore)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + + n = parse_nameservers(list, resolvconf, ignore) ; + if (!n) strerr_dief2x(1, "no suitable cache address in ", resolvconf) ; + + { + char buf[4096] ; + buffer b ; + int fd = openc_trunc(cachelist) ; + if (fd < 0) strerr_diefu2sys(111, "open ", cachelist) ; + buffer_init(&b, &buffer_write, fd, buf, 4096) ; + for (size_t i = 0 ; i < n ; i++) + { + char fmt[IP46_FMT] ; + size_t len = ip46_fmt(fmt, list + i) ; + fmt[len++] = '\n' ; + if (buffer_put(&b, fmt, len) < len) + strerr_diefu2sys(111, "write to ", cachelist) ; + } + if (!buffer_flush(&b)) + strerr_diefu2sys(111, "write to ", cachelist) ; + } + return 0 ; +} diff --git a/src/dnsfunnel/dnsfunneld.c b/src/dnsfunnel/dnsfunneld.c new file mode 100644 index 0000000..bd4dc89 --- /dev/null +++ b/src/dnsfunnel/dnsfunneld.c @@ -0,0 +1,305 @@ +/* ISC license. */ + +#include <stdint.h> +#include <string.h> +#include <signal.h> +#include <fcntl.h> +#include <errno.h> + +#include <skalibs/uint32.h> +#include <skalibs/types.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/error.h> +#include <skalibs/bitarray.h> +#include <skalibs/strerr2.h> +#include <skalibs/sgetopt.h> +#include <skalibs/stralloc.h> +#include <skalibs/sig.h> +#include <skalibs/socket.h> +#include <skalibs/tai.h> +#include <skalibs/djbunix.h> +#include <skalibs/iopause.h> +#include <skalibs/selfpipe.h> +#include <skalibs/gensetdyn.h> + +#include <s6-dns/s6dns.h> + +#include "dnsfunneld.h" + +#define USAGE "dnsfunneld [ -v verbosity ] [ -d notif ] [ -o operations ] cachelist" +#define dieusage() strerr_dieusage(100, USAGE) + +#define DNSFUNNELD_INPUT_MAX 64 + +unsigned int verbosity = 1 ; +static tain_t globaltto = TAIN_INFINITE_RELATIVE ; +static int cont = 1 ; +static char const *cachelistfile = 0 ; +static s6dns_ip46list_t cachelist ; +static uint32_t ops = 0 ; + +static inline void X (void) +{ + strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; +} + +static inline void s6dns_ip46list_copy (s6dns_ip46list_t *dst, ip46full_t const *src, size_t n) +{ + if (n >= S6DNS_MAX_SERVERS) n = S6DNS_MAX_SERVERS - 1 ; + for (size_t i = 0 ; i < n ; i++) + { + memcpy(dst->ip + i * SKALIBS_IP_SIZE, src[i].ip, SKALIBS_IP_SIZE) ; +#ifdef SKALIBS_IPV6_ENABLED + bitarray_poke(dst->is6, i, ip46_is6(src + i)) ; +#endif + } + memset(dst->ip + n * SKALIBS_IP_SIZE, 0, SKALIBS_IP_SIZE) ; +} + +static int load_cachelist (int initial) +{ + char buf[4096] ; + ip46full_t list[S6DNS_MAX_SERVERS] ; + size_t n ; + ssize_t r = openreadnclose_nb(cachelistfile, buf, 4095) ; + if (r < 0) return -1 ; + buf[r++] = 0 ; + ip46_scanlist(list, S6DNS_MAX_SERVERS, buf, &n) ; + if (!n) return -2 ; + s6dns_ip46list_copy(&cachelist, list, n) ; + return 0 ; +} + +static inline void handle_signals (void) +{ + for (;;) + { + switch (selfpipe_read()) + { + case -1 : strerr_diefu1sys(111, "read from selfpipe") ; + case 0 : return ; + case SIGTERM : cont = 0 ; break ; + case SIGHUP : + { + switch (load_cachelist(0)) + { + case 0 : query_process_reload() ; break ; + case -1 : strerr_warnwu2sys("read ", cachelistfile) ; break ; + case -2 : strerr_warnw2x("invalid cache list in ", cachelistfile) ; break ; + default : X() ; + } + break ; + } + default : X() ; + } + } +} + +static dfquery_t const dfquery_zero = DFQUERY_ZERO ; +static gensetdyn queries = GENSETDYN_INIT(dfquery_t, 16, 3, 8) ; +static uint32_t sentinel ; +#define inflight (gensetdyn_n(&queries) - 1) +#define QUERY(i) GENSETDYN_P(dfquery_t, &queries, i) + +void query_new (s6dns_domain_t const *d, uint16_t qtype, uint16_t id, uint32_t ip, uint16_t port, uint32_t procid) +{ + dfquery_t q = + { + .next = QUERY(sentinel)->next, + .xindex = 0, + .procid = procid, + .ip = ip, + .port = port, + .id = id, + .dt = S6DNS_ENGINE_ZERO + } ; + tain_t deadline ; + uint32_t i ; + if (!gensetdyn_new(&queries, &i)) + strerr_diefu1sys(111, "create new query") ; + tain_add_g(&deadline, &globaltto) ; + if (!s6dns_engine_init_g(&q.dt, &cachelist, S6DNS_O_RECURSIVE, d->s, d->len, qtype, &deadline)) + strerr_diefu1sys(111, "start new query") ; + *QUERY(i) = q ; + QUERY(sentinel)->next = i ; +} + +static inline void sanitize_and_new (char const *buf, unsigned int len, char const *ippack, uint16_t port) +{ + s6dns_domain_t d ; + uint32_t ip ; + unsigned int pos ; + s6dns_message_header_t hdr ; + s6dns_message_counts_t counts ; + uint16_t qtype ; + if (!s6dns_message_parse_init(&hdr, &counts, buf, len, &pos) + || hdr.qr + || hdr.opcode + || !hdr.rd + || hdr.counts.qd != 1 || hdr.counts.an || hdr.counts.ns || hdr.counts.nr + || !s6dns_message_parse_question(&counts, &d, &qtype, buf, len, &pos)) + return ; + uint32_unpack_big(ippack, &ip) ; + if (ops) query_process_question(ops, &d, qtype, hdr.id, ip, port) ; + else query_new(&d, qtype, hdr.id, ip, port, 0) ; +} + +int main (int argc, char const *const *argv) +{ + int spfd = -1 ; + int notif = -1 ; + PROG = "dnsfunneld" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + int opt = subgetopt_r(argc, argv, "v:d:o:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'd' : if (!uint0_scan(l.arg, (unsigned int *)¬if)) dieusage() ; break ; + case 'o' : if (!uint320_scan(l.arg, &ops)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (!argc) dieusage() ; + } + if (notif >= 0) + { + if (notif < 3) strerr_dief1x(100, "notification fd must be 3 or more") ; + if (fcntl(notif, F_GETFD) < 0) strerr_dief1sys(100, "invalid notification fd") ; + } + + if (ndelay_on(0) < 0) strerr_diefu1sys(111, "turn stdin non-blocking") ; + if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + cachelistfile = argv[0] ; + switch (load_cachelist(1)) + { + case 0 : break ; + case -1 : strerr_diefu2sys(111, "read ", cachelistfile) ; + case -2 : strerr_dief2x(100, "invalid cache list in ", cachelistfile) ; + default : X() ; + } + if (!s6dns_init()) strerr_diefu1sys(111, "s6dns_init") ; + spfd = selfpipe_init() ; + if (spfd < 0) strerr_diefu1sys(111, "init selfpipe") ; + { + sigset_t set ; + sigemptyset(&set) ; + sigaddset(&set, SIGTERM) ; + sigaddset(&set, SIGHUP) ; + if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; + } + if (!gensetdyn_new(&queries, &sentinel)) + strerr_diefu1sys(111, "initialize query structure") ; + *QUERY(sentinel) = dfquery_zero ; + QUERY(sentinel)->next = sentinel ; + if (!query_process_init()) + strerr_diefu1sys(111, "initialize query processing") ; + tain_now_set_stopwatch_g() ; + + if (notif >= 0) + { + fd_write(notif, "\n", 1) ; + fd_close(notif) ; + } + + for (;;) + { + tain_t deadline = TAIN_INFINITE ; + uint32_t i = QUERY(sentinel)->next ; + uint32_t j = 2 ; + int r ; + iopause_fd x[2 + inflight] ; + + x[0].fd = spfd ; + x[0].events = IOPAUSE_READ ; + x[1].fd = 0 ; + x[1].events = (cont ? IOPAUSE_READ : 0) | (dfanswer_pending() ? IOPAUSE_WRITE : 0) ; + if (!x[1].events && !inflight) break ; + + while (i != sentinel) + { + dfquery_t *q = QUERY(i) ; + s6dns_engine_nextdeadline(&q->dt, &deadline) ; + x[j].fd = q->dt.fd ; + x[j].events = 0 ; + if (s6dns_engine_isreadable(&q->dt)) x[j].events |= IOPAUSE_READ ; + if (s6dns_engine_iswritable(&q->dt)) x[j].events |= IOPAUSE_WRITE ; + q->xindex = j++ ; + i = q->next ; + } + + r = iopause_g(x, j, &deadline) ; + if (r < 0) strerr_diefu1sys(111, "iopause") ; + + if (!r) + { + i = QUERY(sentinel)->next ; + j = sentinel ; + while (i != sentinel) + { + dfquery_t *q = QUERY(i) ; + uint32_t k = q->next ; + if (s6dns_engine_timeout_g(&q->dt)) + { + query_process_response_failure(ops, q) ; + QUERY(j)->next = k ; + stralloc_free(&q->dt.sa) ; + gensetdyn_delete(&queries, i) ; + } + else j = i ; + i = k ; + } + continue ; + } + + if (x[0].revents & IOPAUSE_READ) handle_signals() ; + + if (x[1].revents & IOPAUSE_WRITE) + { + int r = dfanswer_flush() ; + if (r < 0) strerr_diefu1sys(111, "send DNS answer to client") ; + } + + i = QUERY(sentinel)->next ; + j = sentinel ; + while (i != sentinel) + { + dfquery_t *q = QUERY(i) ; + uint32_t k = q->next ; + int r = s6dns_engine_event_g(&q->dt) ; + if (r) + { + if (r > 0) query_process_response_success(ops, q) ; + else query_process_response_failure(ops, q) ; + QUERY(j)->next = k ; + if (r > 0) s6dns_engine_free(&q->dt) ; + else stralloc_free(&q->dt.sa) ; + gensetdyn_delete(&queries, i) ; + } + else j = i ; + i = k ; + } + + if (x[0].revents & IOPAUSE_READ) + { + uint32_t n = DNSFUNNELD_INPUT_MAX ; + while (n--) + { + char ip[4] ; + uint16_t port ; + char buf[512] ; + ssize_t r = socket_recv4(0, buf, 512, ip, &port) ; + if (r < 0) + if (error_isagain(errno)) break ; + else strerr_diefu1sys(111, "socket_recv") ; + else if (!r) continue ; + else sanitize_and_new(buf, r, ip, port) ; + } + } + } + return 0 ; +} diff --git a/src/dnsfunnel/dnsfunneld.h b/src/dnsfunnel/dnsfunneld.h new file mode 100644 index 0000000..9fc0bbf --- /dev/null +++ b/src/dnsfunnel/dnsfunneld.h @@ -0,0 +1,44 @@ +/* ISC license. */ + +#ifndef DNSFUNNELD_H +#define DNSFUNNELD_H + +#include <stddef.h> +#include <stdint.h> + +#include <skalibs/gensetdyn.h> + +#include <s6-dns/s6dns-domain.h> +#include <s6-dns/s6dns-engine.h> + +typedef struct dfquery_s dfquery_t, *dfquery_t_ref ; +struct dfquery_s +{ + uint32_t next ; + uint32_t xindex ; + uint32_t procid ; + uint32_t ip ; + uint16_t port ; + uint16_t id ; + s6dns_engine_t dt ; +} ; +#define DFQUERY_ZERO { .next = 0, .xindex = 0, .procid = 0, .ip = 0, .port = 0, .id = 0, .dt = S6DNS_ENGINE_ZERO } + +extern unsigned int verbosity ; +extern size_t dfanswer_pending (void) ; +extern int dfanswer_flush (void) ; +extern void dfanswer_fail (dfquery_t const *) ; +extern void dfanswer_nxdomain (dfquery_t const *) ; +extern void dfanswer_nodata (dfquery_t const *) ; +extern void dfanswer_pass (dfquery_t const *, char *, unsigned int) ; + + +extern void query_new (s6dns_domain_t const *, uint16_t, uint16_t, uint32_t, uint16_t, uint32_t) ; + +extern int query_process_init (void) ; +extern void query_process_reload (void) ; +extern void query_process_question (uint32_t, s6dns_domain_t const *, uint16_t, uint16_t, uint32_t, uint16_t) ; +extern void query_process_response_failure (uint32_t, dfquery_t const *) ; +extern void query_process_response_success (uint32_t, dfquery_t const *) ; + +#endif diff --git a/src/dnsfunnel/dnsfunneld_answer.c b/src/dnsfunnel/dnsfunneld_answer.c new file mode 100644 index 0000000..a6ee526 --- /dev/null +++ b/src/dnsfunnel/dnsfunneld_answer.c @@ -0,0 +1,132 @@ +/* ISC license. */ + +#include <errno.h> +#include <stdint.h> +#include <string.h> + +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include <skalibs/error.h> +#include <skalibs/strerr2.h> +#include <skalibs/genqdyn.h> +#include <skalibs/socket.h> + +#include <s6-dns/s6dns-message.h> + +#include "dnsfunneld.h" + +typedef struct dfanswer_s dfanswer_t, *dfanswer_t_ref ; +struct dfanswer_s +{ + char buf[512] ; + char ip[4] ; + uint16_t len ; + uint16_t port ; +} ; +#define DFANSWER_ZERO { .buf = { 0 }, .ip = "\0\0\0", .len = 0, .port = 0 } + +static genqdyn dfanswers = GENQDYN_INIT(dfanswer_t, 1, 8) ; + +size_t dfanswer_pending () +{ + return genqdyn_n(&dfanswers) ; +} + +static void dfanswer_push (char const *s, size_t len, uint32_t ip, uint16_t port) +{ + if (len > 510) + { + if (verbosity) + strerr_warnw1x("answer too big, dropping - enable truncation to avoid this") ; + } + else + { + dfanswer_t ans = { .len = len, .port = port } ; + uint16_pack_big(ans.buf, ans.len) ; + memcpy(ans.buf, s+2, len) ; + uint32_pack_big(ans.ip, ip) ; + if (!genqdyn_push(&dfanswers, &ans)) + strerr_diefu1sys(111, "queue answer to client") ; + } +} + +int dfanswer_flush () +{ + while (dfanswer_pending()) + { + dfanswer_t *ans = GENQDYN_PEEK(dfanswer_t, &dfanswers) ; + if (socket_send4(0, ans->buf, ans->len, ans->ip, ans->port) < 0) + return error_isagain(errno) ? (errno = 0, 0) : -1 ; + genqdyn_pop(&dfanswers) ; + } + return 1 ; +} + +void dfanswer_fail (dfquery_t const *q) +{ + char buf[510] ; + uint16_t len ; + s6dns_message_header_t hdr ; + uint16_unpack_big(q->dt.sa.s, &len) ; + memcpy(buf, q->dt.sa.s + 2, len) ; + s6dns_message_header_unpack(buf, &hdr) ; + hdr.id = q->id ; + hdr.qr = 1 ; + hdr.aa = 0 ; + hdr.tc = 0 ; + hdr.rd = 1 ; + hdr.ra = 1 ; + hdr.z = 0 ; + hdr.rcode = 2 ; /* servfail */ + s6dns_message_header_pack(buf, &hdr) ; + dfanswer_push(buf, len, q->ip, q->port) ; +} + +void dfanswer_nxdomain (dfquery_t const *q) +{ + char buf[510] ; + uint16_t len ; + s6dns_message_header_t hdr ; + uint16_unpack_big(q->dt.sa.s, &len) ; + memcpy(buf, q->dt.sa.s + 2, len) ; + s6dns_message_header_unpack(buf, &hdr) ; + hdr.id = q->id ; + hdr.qr = 1 ; + hdr.aa = 1 ; + hdr.tc = 0 ; + hdr.rd = 1 ; + hdr.ra = 1 ; + hdr.z = 0 ; + hdr.rcode = 3 ; /* nxdomain */ + s6dns_message_header_pack(buf, &hdr) ; + dfanswer_push(buf, len, q->ip, q->port) ; +} + +void dfanswer_nodata (dfquery_t const *q) +{ + char buf[510] ; + uint16_t len ; + s6dns_message_header_t hdr ; + uint16_unpack_big(q->dt.sa.s, &len) ; + memcpy(buf, q->dt.sa.s + 2, len) ; + s6dns_message_header_unpack(buf, &hdr) ; + hdr.id = q->id ; + hdr.qr = 1 ; + hdr.aa = 1 ; + hdr.tc = 0 ; + hdr.rd = 1 ; + hdr.ra = 1 ; + hdr.z = 0 ; + hdr.rcode = 0 ; /* success */ + s6dns_message_header_pack(buf, &hdr) ; + dfanswer_push(buf, len, q->ip, q->port) ; +} + +void dfanswer_pass (dfquery_t const *q, char *s, unsigned int len) +{ + s6dns_message_header_t hdr ; + s6dns_message_header_unpack(s, &hdr) ; + hdr.id = q->id ; + s6dns_message_header_pack(s, &hdr) ; + dfanswer_push(s, len, q->ip, q->port) ; +} diff --git a/src/dnsfunnel/dnsfunneld_process.c b/src/dnsfunnel/dnsfunneld_process.c new file mode 100644 index 0000000..9d90289 --- /dev/null +++ b/src/dnsfunnel/dnsfunneld_process.c @@ -0,0 +1,136 @@ +/* ISC license. */ + +#include <stdint.h> + +#include <skalibs/uint16.h> +#include <skalibs/strerr2.h> +#include <skalibs/gensetdyn.h> + +#include <s6-dns/s6dns-constants.h> +#include <s6-dns/s6dns-domain.h> +#include <s6-dns/s6dns-message.h> +#include <s6-dns/s6dns-engine.h> + +#include "dnsfunneld.h" + +static gensetdyn rinfo = GENSETDYN_INIT(uint8_t, 16, 3, 8) ; +#define RINFO(i) GENSETDYN_P(uint8_t, &rinfo, i) + +int query_process_init () +{ + return 1 ; +} + +void query_process_reload () +{ +} + +void query_process_question (uint32_t ops, s6dns_domain_t const *d, uint16_t qtype, uint16_t id, uint32_t ip, uint16_t port) +{ + if (ops & 2 && (qtype == S6DNS_T_A || qtype == S6DNS_T_AAAA)) + { + uint32_t i ; + if (!gensetdyn_new(&rinfo, &i)) strerr_diefu1sys(111, "process query") ; + *RINFO(i) = (qtype == S6DNS_T_AAAA) << 7 ; + query_new(d, S6DNS_T_A, id, ip, port, i+1) ; + query_new(d, S6DNS_T_AAAA, id, ip, port, i+1) ; + } + else query_new(d, qtype, id, ip, port, 0) ; +} + +static inline unsigned int truncate_packet (char *s, unsigned int olen) +{ + s6dns_message_header_t hdr ; + s6dns_message_counts_t counts ; + unsigned int section ; + unsigned int pos ; + if (!s6dns_message_parse_init(&hdr, &counts, s, olen, &pos)) return 0 ; + if (hdr.rcode) return 0 ; + section = s6dns_message_parse_skipqd(&counts, s, olen, &pos) ; + while (section) + { + s6dns_message_rr_t rr ; + s6dns_message_counts_t newcounts = counts ; + unsigned int tmp = pos ; + if (!s6dns_message_parse_getrr(&rr, s, olen, &tmp)) return 0 ; + section = s6dns_message_parse_next(&newcounts, &rr, s, olen, &tmp) ; + if (tmp > 510) + { + hdr.counts.qd -= counts.qd ; + hdr.counts.an -= counts.an ; + hdr.counts.ns -= counts.ns ; + hdr.counts.nr -= counts.nr ; + s6dns_message_header_pack(s, &hdr) ; + return pos ; + } + pos = tmp ; + counts = newcounts ; + } + return olen ; +} + +static inline uint16_t extract_qtype (dfquery_t const *q) +{ + s6dns_domain_t name ; + uint16_t qtype ; + uint16_t len ; + s6dns_message_header_t hdr ; + s6dns_message_counts_t counts ; + unsigned int pos ; + uint16_unpack_big(q->dt.sa.s, &len) ; + if (!s6dns_message_parse_init(&hdr, &counts, q->dt.sa.s + 2, len, &pos)) return 0 ; + if (!s6dns_message_parse_question(&counts, &name, &qtype, q->dt.sa.s + 2, len, &pos)) return 0 ; + return qtype ; +} + +static int isnxdomain (dfquery_t const *q) +{ + s6dns_message_header_t hdr ; + s6dns_message_counts_t counts ; + unsigned int pos ; + if (!s6dns_message_parse_init(&hdr, &counts, s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt), &pos)) return 0 ; + return hdr.rcode == 3 ; +} + +static int input_event (dfquery_t const *q, unsigned int ev) +{ + static uint8_t const table[5][6] = + { + { 0x11, 0x03, 0x81, 0x02, 0x02, 0x04 }, + { 0x06, 0x06, 0x06, 0x05, 0x05, 0x05 }, + { 0x15, 0x25, 0x85, 0x06, 0x06, 0x06 }, + { 0x06, 0x06, 0x06, 0x25, 0x25, 0x45 }, + { 0x15, 0x45, 0x85, 0x06, 0x06, 0x06 } + } ; + uint8_t b = *RINFO(q->procid - 1) ; + uint8_t isaux = 3 * (b >> 7 != (extract_qtype(q) == S6DNS_T_AAAA)) ; + uint8_t state = (b >> isaux) & 7 ; + uint8_t c = table[state][ev + isaux] ; + state = c & 7 ; + *RINFO(q->procid - 1) = (b & ~(7 << isaux)) | (state << isaux) ; + if (c & 0x10) dfanswer_fail(q) ; + if (c & 0x20) dfanswer_nxdomain(q) ; + if (c & 0x40) dfanswer_nodata(q) ; + if (c & 0x80) dfanswer_pass(q, s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt)) ; + if (state >= 6) strerr_dief1x(101, "problem in main/aux transition table; please submit a bug-report.") ; + if (state == 5) gensetdyn_delete(&rinfo, q->procid - 1) ; + return !!(c & 0xf0) ; +} + +void query_process_response_failure (uint32_t ops, dfquery_t const *q) +{ + if (ops & 2 && q->procid && input_event(q, 0)) return ; + else dfanswer_fail(q) ; +} + +void query_process_response_success (uint32_t ops, dfquery_t const *q) +{ + if (ops & 2 && q->procid && input_event(q, 1 + !isnxdomain(q))) return ; + if (ops & 1 && s6dns_engine_packetlen(&q->dt) > 510) + { + unsigned int len = truncate_packet(s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt)) ; + if (!len) dfanswer_fail(q) ; + else dfanswer_pass(q, s6dns_engine_packet(&q->dt), len) ; + } + else dfanswer_pass(q, s6dns_engine_packet(&q->dt), s6dns_engine_packetlen(&q->dt)) ; +} diff --git a/tools/gen-deps.sh b/tools/gen-deps.sh new file mode 100755 index 0000000..27e5b3e --- /dev/null +++ b/tools/gen-deps.sh @@ -0,0 +1,93 @@ +#!/bin/sh -e + +. package/info + +echo '#' +echo '# This file has been generated by tools/gen-deps.sh' +echo '#' +echo + +for dir in src/include/${package} src/* ; do + for file in $(ls -1 $dir | grep -- \\.h$) ; do + { + grep -F -- "#include <${package}/" < ${dir}/$file | cut -d'<' -f2 | cut -d'>' -f1 ; + grep -- '#include ".*\.h"' < ${dir}/$file | cut -d'"' -f2 + } | sort -u | { + deps= + while read dep ; do + if echo $dep | grep -q "^${package}/" ; then + deps="$deps src/include/$dep" + elif test -f "${dir}/$dep" ; then + deps="$deps ${dir}/$dep" + else + deps="$deps src/include-local/$dep" + fi + done + if test -n "$deps" ; then + echo "${dir}/${file}:${deps}" + fi + } + done +done + +for dir in src/* ; do + for file in $(ls -1 $dir | grep -- \\.c$) ; do + { + grep -F -- "#include <${package}/" < ${dir}/$file | cut -d'<' -f2 | cut -d'>' -f1 ; + grep -- '#include ".*\.h"' < ${dir}/$file | cut -d'"' -f2 + } | sort -u | { + deps=" ${dir}/$file" + while read dep ; do + if echo $dep | grep -q "^${package}/" ; then + deps="$deps src/include/$dep" + elif test -f "${dir}/$dep" ; then + deps="$deps ${dir}/$dep" + else + deps="$deps src/include-local/$dep" + fi + done + o=$(echo $file | sed s/\\.c$/.o/) + lo=$(echo $file | sed s/\\.c$/.lo/) + echo "${dir}/${o} ${dir}/${lo}:${deps}" + } + done +done +echo + +for dir in $(ls -1 src | grep -v ^include) ; do + for file in $(ls -1 src/$dir/deps-lib) ; do + deps= + libs= + while read dep ; do + if echo $dep | grep -q -e ^-l -e '^\${.*_LIB}' ; then + libs="$libs $dep" + else + deps="$deps src/$dir/$dep" + fi + done < src/$dir/deps-lib/$file + echo 'ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)' + echo "lib${file}.a.xyzzy:$deps" + echo else + echo "lib${file}.a.xyzzy:$(echo "$deps" | sed 's/\.o/.lo/g')" + echo endif + echo "lib${file}.so.xyzzy: EXTRA_LIBS :=$libs" + echo "lib${file}.so.xyzzy:$(echo "$deps" | sed 's/\.o/.lo/g')" + done + + for file in $(ls -1 src/$dir/deps-exe) ; do + deps= + libs= + while read dep ; do + if echo $dep | grep -q -- \\.o$ ; then + dep="src/$dir/$dep" + fi + if echo $dep | grep -q -e ^-l -e '^\${.*_LIB}' ; then + libs="$libs $dep" + else + deps="$deps $dep" + fi + done < src/$dir/deps-exe/$file + echo "$file: EXTRA_LIBS :=$libs" + echo "$file: src/$dir/$file.o$deps" + done +done diff --git a/tools/install.sh b/tools/install.sh new file mode 100755 index 0000000..89f9428 --- /dev/null +++ b/tools/install.sh @@ -0,0 +1,64 @@ +#!/bin/sh + +usage() { + echo "usage: $0 [-D] [-l] [-m mode] src dst" 1>&2 + exit 1 +} + +mkdirp=false +symlink=false +mode=0755 + +while getopts Dlm: name ; do + case "$name" in + D) mkdirp=true ;; + l) symlink=true ;; + m) mode=$OPTARG ;; + ?) usage ;; + esac +done +shift $(($OPTIND - 1)) + +test "$#" -eq 2 || usage +src=$1 +dst=$2 +tmp="$dst.tmp.$$" + +case "$dst" in + */) echo "$0: $dst ends in /" 1>&2 ; exit 1 ;; +esac + +set -C +set -e + +if $mkdirp ; then + umask 022 + case "$2" in + */*) mkdir -p "${dst%/*}" ;; + esac +fi + +trap 'rm -f "$tmp"' EXIT INT QUIT TERM HUP + +umask 077 + +if $symlink ; then + ln -s "$src" "$tmp" +else + cat < "$1" > "$tmp" + chmod "$mode" "$tmp" +fi + +mv -f "$tmp" "$dst" +if test -d "$dst" ; then + rm -f "$dst/$(basename $tmp)" + if $symlink ; then + mkdir "$tmp" + ln -s "$src" "$tmp/$(basename $dst)" + mv -f "$tmp/$(basename $dst)" "${dst%/*}" + rmdir "$tmp" + else + echo "$0: $dst is a directory" 1>&2 + exit 1 + fi +fi |