From 49e8d5d5f507f18e3ff9d00ce103cde0dbd98bf6 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Mon, 9 Dec 2013 09:49:48 +0100
Subject: [PATCH] remove 'anonymous' mode from server.id and 'disabled' mode from version.bind

---
 pdns/common_startup.cc | 2 +-
 pdns/dnspacket.cc | 2 +-
 pdns/packethandler.cc | 75 ++++++++++++++++++++++-------------------
 pdns/packethandler.hh | 2 +-
 pdns/pdns.conf-dist | 2 +-
 5 files changed, 43 insertions(+), 40 deletions(-)

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index a66a5fb0e..0fd923b76 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -122,7 +122,7 @@ void declareArguments()
 ::arg().set("negquery-cache-ttl","Seconds to store negative query results in the QueryCache")="60";
 ::arg().set("query-cache-ttl","Seconds to store query results in the QueryCache")="20";
 ::arg().set("soa-minimum-ttl","Default SOA minimum ttl")="3600";
- ::arg().set("server-id", "Returned when queried for 'server.id' TXT or NSID, defaults to hostname - valid options: anonymous, disabled or custom")="");
+ ::arg().set("server-id", "Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom")="";
 ::arg().set("soa-refresh-default","Default SOA refresh")="10800";
 ::arg().set("soa-retry-default","Default SOA retry")="3600";
 ::arg().set("soa-expire-default","Default SOA expire")="604800";
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index 242eab94c..88e831f15 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -287,7 +287,7 @@ void DNSPacket::wrapup()
 DNSPacketWriter::optvect_t opts;
 if(d_wantsnsid) {
 const static string mode_server_id=::arg()["server-id"];
- if(mode_server_id != "anonymous" && mode_server_id != "disabled") {
+ if(mode_server_id != "disabled") {
 opts.push_back(make_pair(3, mode_server_id));
 }
 }
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 471e2e0a4..09b433f55 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
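Review bot: The rewritten help text still calls the query name 'server.id', while the handler added in this same patch matches `pdns_iequals(target, "id.server")` (the RFC 4892 name), so an operator following the option description will query a name the server refuses; the identical string is repeated in the pdns/pdns.conf-dist hunk. Suggest `::arg().set("server-id", "Returned when queried for 'id.server' TXT or NSID, defaults to hostname - valid options: disabled or custom")="";` and the matching comment line in pdns.conf-dist. The 'defaults to hostname' claim is not something this hunk shows; presumably the empty default is replaced with the hostname elsewhere at startup, which is worth confirming since doChaosRequest now copies the value straight into `rr.content`.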
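Review bot: The NSID gate on the new line compares the configured value verbatim, so a value such as `Disabled` or one with a trailing space is not recognised as the opt-out and is instead sent as the NSID payload to every client that asks for it; a one-character configuration slip silently turns the opt-out into disclosure. The packethandler.cc hunk in this patch already uses `pdns_iequals` for the CHAOS names, so the same comparison here, `if(!pdns_iequals(mode_server_id, "disabled")) {`, keeps the two server-id checks consistent (assuming the helper's header is reachable from dnspacket.cc). The `const static` also freezes the value at the first NSID-bearing query, which predates this change but deserves a line like `// read once; a changed server-id needs a restart`. DNSPacket::wrapup() starts before and ends after this hunk.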
@@ -256,56 +256,55 @@ bool PacketHandler::addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd) } -/** This catches version requests. Returns 1 if it was handled, 0 if it wasn't */ -int PacketHandler::doVersionRequest(DNSPacket *p, DNSPacket *r, string &target) +// This is our chaos class requests handler. Return 1 if content was added, 0 if it wasn't +int PacketHandler::doChaosRequest(DNSPacket *p, DNSPacket *r, string &target) { DNSResourceRecord rr; - - if(p->qclass == QClass::CHAOS && p->qtype.getCode()==QType::TXT && - (target == "version.bind") || (target == "id.server") || (target == "version.pdns") ) {// TXT - // modes: anonymous, powerdns only, full, spoofed - static string mode; - if (target == "id.server") { - mode=::arg()["server-id"]; + if(p->qtype.getCode()==QType::TXT) { + if (pdns_iequals(target, "version.pdns") || pdns_iequals(target, "version.bind")) { + // modes: full, powerdns only, anonymous or custom + const static string mode=::arg()["version-string"]; - if (mode == "anonymous") { + if(mode.empty() || mode=="full") + rr.content=fullVersionString(); + else if(mode=="powerdns") + rr.content="Served by PowerDNS - https://www.powerdns.com/"; + else if(mode=="anonymous") { r->setRcode(RCode::ServFail); - return 1; - } - else if (mode == "disabled") { return 0; } else rr.content=mode; - } // We were asked for a version, not RFC 4892 id.server - else { - mode=::arg()["version-string"]; - - if(mode.empty() || mode=="full") - rr.content=fullVersionString(); - else if(mode=="anonymous") { - r->setRcode(RCode::ServFail); - return 1; - } - else if(mode=="powerdns") { - rr.content="Served by PowerDNS - http://www.powerdns.com"; + } + else if (pdns_iequals(target, "id.server")) { + // modes: disabled, hostname or custom + const static string id=::arg()["server-id"]; + + if (id == "disabled") { + r->setRcode(RCode::Refused); + return 0; } - else - rr.content=mode; + rr.content=id; + } + else { + r->setRcode(RCode::Refused); + return 0; } rr.ttl=5; 
rr.qname=target; - rr.qtype=QType::TXT; - rr.qclass=QClass::CHAOS; + rr.qtype=QType::TXT; + rr.qclass=QClass::CHAOS; r->addRecord(rr); - return 1; } + + r->setRcode(RCode::NotImp); return 0; } + /** Determines if we are authoritative for a zone, and at what level */ bool PacketHandler::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId) { @@ -1222,9 +1221,13 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) string target=p->qdomain; - // catch version.bind requests - if(doVersionRequest(p,r,target)) - goto sendit; + // catch chaos qclass requests + if(p->qclass == QClass::CHAOS) { + if (doChaosRequest(p,r,target)) + goto sendit; + else + return r; + } // we only know about qclass IN (and ANY), send NotImp for everthing else. if(p->qclass != QClass::IN && p->qclass!=QClass::ANY) { @@ -1232,8 +1235,8 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) return r; } - // send TC for udp ANY query if any-to-tcp is enabled. - if((p->qtype.getCode() == QType::ANY || p->qtype.getCode() == QType::RRSIG) && !p->d_tcp && g_anyToTcp) { + // send TC for udp ANY or RRSIG query if any-to-tcp is enabled. + if(g_anyToTcp && !p->d_tcp && ((p->qtype.getCode() == QType::ANY || p->qtype.getCode() == QType::RRSIG))) { r->d.tc = 1; r->commitD(); return r; @@ -1245,7 +1248,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) return r; } - // for qclass ANY the response should never be authoritative unless the server can guarantee that the response covers all classes. + // for qclass ANY the response should never be authoritative unless the response covers all classes. if(p->qclass==QClass::ANY) r->setA(false); diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh index f6e50e2d4..d8d2ba2a1 100644 --- a/pdns/packethandler.hh +++ b/pdns/packethandler.hh 
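Review bot: As this hunk reads, the `return 1;` after `r->addRecord(rr);` is removed and nothing replaces it, so a successfully answered version.bind/version.pdns/id.server query falls out of the `if(p->qtype.getCode()==QType::TXT)` block into the added `r->setRcode(RCode::NotImp);` and `return 0;`, and the caller's new `else return r;` then sends a NotImp response that also carries the TXT record. Restoring `return 1;` directly after `r->addRecord(rr);` fixes it; if that line was merely lost when the patch was rendered onto one line, disregard this point. The header comment 'Return 1 if content was added, 0 if it wasn't' should also say that every 0 return has already set an rcode, e.g. `// Returns 1 when a TXT answer was added; 0 otherwise, with r's rcode already set (ServFail, Refused or NotImp).` The `const static string mode` and `id` are evaluated on the first call only, so a changed version-string or server-id needs a restart, which is worth a one-line comment at each.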
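Review bot: The new `else return r;` hands the packet back without passing through `sendit:`, which lies outside this hunk, so whatever finalisation happens there is skipped for the ServFail/Refused/NotImp CHAOS answers; the existing any-to-tcp early return a few lines below calls `r->commitD()` before its own `return r;`, so confirm that a bare `setRcode()` does not need the same treatment. If it does not, the branch reads more directly as `if(!doChaosRequest(p,r,target)) return r;` followed by `goto sendit;`, dropping the `else` after the goto. questionOrRecurse starts before and ends after this hunk.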
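Review bot: The reordered condition wraps the qtype test in a doubled pair of parentheses, `((p->qtype.getCode() == QType::ANY || p->qtype.getCode() == QType::RRSIG))`, which reads as if a term had been deleted from the expression; one pair is enough, and the code value can be read once. Suggest `const auto qt = p->qtype.getCode();` followed by `if(g_anyToTcp && !p->d_tcp && (qt == QType::ANY || qt == QType::RRSIG)) {`. The enclosing function continues outside the hunk.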
@@ -73,7 +73,7 @@ private:
 int findMboxFW(DNSPacket *p, DNSPacket *r, string &target);
 int findUrl(DNSPacket *p, DNSPacket *r, string &target);
 int doFancyRecords(DNSPacket *p, DNSPacket *r, string &target);
- int doVersionRequest(DNSPacket *p, DNSPacket *r, string &target);
+ int doChaosRequest(DNSPacket *p, DNSPacket *r, string &target);
 bool addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd);
 bool addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd);
 bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index 355d3a058..113817a36 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -325,7 +325,7 @@
 # send-root-referral=no
 
 #################################
-# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - valid options: anonymous, disabled or custom
+# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
 #
 # server-id=
 
--
2.40.0