From 555970c9c559c0867f3e116154ab4f9eb96bd30d Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 31 Oct 2018 10:21:54 +0100
Subject: [PATCH] dnsdist: Correctly handle PACKAGEVERSION, check name in secpoll reply

---
pdns/dnsdist.cc | 16 ++++++++++------
pdns/dnsdist.hh | 2 ++
pdns/dnsdistdist/configure.ac | 5 +++++
pdns/dnsdistdist/dnsdist-secpoll.cc | 29 +++++++++++++++++++++--------
4 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc
index 1f19cb56b..488056870 100644
--- a/pdns/dnsdist.cc
+++ b/pdns/dnsdist.cc
@@ -1732,6 +1732,15 @@ catch(...)
 return nullptr;
 }
 
+uint16_t getRandomDNSID()
+{
+#ifdef HAVE_LIBSODIUM
+ return (randombytes_random() % 65536);
+#else
+ return (random() % 65536);
+#endif
+}
+
 static bool upCheck(DownstreamState& ds)
 try
 {
@@ -1742,18 +1751,13 @@ try
 memset(&checkHeader, 0, sizeof(checkHeader));
 checkHeader.qdcount = htons(1);
-#ifdef HAVE_LIBSODIUM
- checkHeader.id = randombytes_random() % 65536;
-#else
- checkHeader.id = random() % 65536;
-#endif
+ checkHeader.id = getRandomDNSID();
 checkHeader.rd = true;
 if (ds.setCD) {
 checkHeader.cd = true;
 }
-
 if (ds.checkFunction) {
 std::lock_guard lock(g_luamutex);
 auto ret = ds.checkFunction(checkName, checkType, checkClass, &checkHeader);
diff --git a/pdns/dnsdist.hh b/pdns/dnsdist.hh
index 08393675e..8d0454bab 100644
--- a/pdns/dnsdist.hh
+++ b/pdns/dnsdist.hh
@@ -1012,6 +1012,8 @@ int handleDNSCryptQuery(char* packet, uint16_t len, std::shared_ptr packet;
- DNSPacketWriter pw(packet, DNSName(queriedName), QType::TXT);
-#ifdef HAVE_LIBSODIUM
- pw.getHeader()->id = randombytes_random() % 65536;
-#else
- pw.getHeader()->id = random() % 65536;
-#endif
+ DNSPacketWriter pw(packet, sentName, QType::TXT);
+ pw.getHeader()->id = getRandomDNSID();
 pw.getHeader()->rd = 1;
 const auto& resolversForStub = getResolvers("/etc/resolv.conf");
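Review bot: The non-libsodium branch of getRandomDNSID() keeps `random() % 65536` as the transaction-ID source: `random()` is a non-cryptographic generator with one process-wide state that POSIX does not require to be thread-safe, and upCheck (second hunk) and the secpoll query writer (dnsdist-secpoll.cc hunk) now both draw from it. A predictable or duplicated ID makes a forged health-check or secpoll answer easier to match, so the fallback deserves at least a comment, `// fallback only: random() is neither cryptographically strong nor guaranteed thread-safe`, and preferably a per-thread generator seeded from the OS, e.g. `thread_local std::mt19937 gen{std::random_device{}()}; return static_cast<uint16_t>(gen() % 65536);` with `<random>` included — still not cryptographic, but without the shared unlocked state. Both branches reduce a 32-bit value modulo 65536, which divides 2^32 evenly, so there is no modulo bias to worry about. The new function has external linkage and no header comment; a one-line `/// @brief Returns a random 16-bit DNS transaction ID (libsodium when available, libc random() otherwise).` would document the contract that the dnsdist.hh declaration presumably exposes.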
@@ -162,6 +164,17 @@ static std::string getSecPollStatus(const std::string& queriedName, int timeout=
 continue;
 }
 
+ uint16_t receivedType;
+ uint16_t receivedClass;
+ DNSName receivedName(reply.c_str(), reply.size(), sizeof(dnsheader), false, &receivedType, &receivedClass);
+
+ if (receivedName != sentName || receivedType != QType::TXT || receivedClass != QClass::IN) {
+ if (g_verbose) {
+ warnlog("Invalid answer, either the qname (%s / %s), qtype (%s / %s) or qclass (%d / %d) does not match, received from the secpoll stub resolver %s", receivedName, sentName, QType(receivedType).getName(), QType(QType::TXT).getName(), receivedClass, QClass::IN, dest.toString());
+ }
+ continue;
+ }
+
 return getFirstTXTAnswer(reply);
 }
 
@@ -178,13 +191,13 @@ void doSecPoll(const std::string& suffix)
 return;
 }
- const std::string pkgv(PACKAGE_VERSION);
+ const std::string pkgv(PACKAGEVERSION);
 bool releaseVersion = pkgv.find("0.0.") != 0;
 struct timeval now;
 gettimeofday(&now, 0);
- const std::string version = "dnsdist-" + std::string(VERSION);
+ const std::string version = "dnsdist-" + std::string(PACKAGEVERSION);
 std::string queriedName = version.substr(0, 63) + ".security-status." + suffix;
 if (*queriedName.rbegin() != '.') {
-- 
2.40.0
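Review bot: The new reply validation at `DNSName receivedName(reply.c_str(), reply.size(), sizeof(dnsheader), false, &receivedType, &receivedClass)` parses a packet received from the stub resolver without a try block, and the DNSName packet-parsing constructor raises on a truncated or malformed name; unless getSecPollStatus (whose start is outside the hunk) already catches this, one bad reply aborts the poll instead of being skipped like the other rejected replies in this loop. Catching the parse failure locally, logging it under g_verbose and continuing keeps the loop's existing policy of moving on to the next resolver. Initialising `receivedType` and `receivedClass` to 0 also avoids reading indeterminate values should the constructor ever return without setting them. Whether the reply's transaction ID is compared with the one set by getRandomDNSID() in the earlier hunk is not visible here; if it is not, the qname/qtype/qclass check alone does not tie the answer to the query that was actually sent.
```cpp
      uint16_t receivedType = 0;
      uint16_t receivedClass = 0;
      DNSName receivedName;
      try {
        receivedName = DNSName(reply.c_str(), reply.size(), sizeof(dnsheader), false, &receivedType, &receivedClass);
      }
      catch (const std::exception& e) {
        if (g_verbose) {
          warnlog("Unable to parse the answer received from the secpoll stub resolver %s: %s", dest.toString(), e.what());
        }
        continue;
      }
      // … unchanged: qname / qtype / qclass comparison, warnlog and continue …
```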
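Review bot: `version` is rebuilt from `std::string(PACKAGEVERSION)` a few lines after `pkgv` was already constructed from the same macro in doSecPoll; `const std::string version = "dnsdist-" + pkgv;` keeps a single source for the version string and makes it visible that releaseVersion and the queried name are derived from the same value. A short comment on the `pkgv` line explaining the macro switch would help the next reader, e.g. `// PACKAGEVERSION is dnsdist's own version (presumably set by the configure.ac change in this patch); PACKAGE_VERSION/VERSION describe the enclosing autoconf package`. doSecPoll continues outside the hunk.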