From 93249f1901cc3f1f08d5f8f66f7cd6f7bd918946 Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Thu, 16 Dec 2010 17:47:59 -0600 Subject: [PATCH] dns: direct IPv4 reverse DNS queries to split DNS servers When split DNS is used for a local caching nameserver, make sure that reverse DNS queries for hosts within the VPN tunnel are directed to the VPN's nameservers, not to the public upstream nameservers. --- src/dns-manager/Makefile.am | 4 +- src/dns-manager/nm-dns-dnsmasq.c | 22 +++++++-- src/dns-manager/nm-dns-utils.c | 99 ++++++++++++++++++++++++++++++++++++++ src/dns-manager/nm-dns-utils.h | 28 +++++++++++ 4 files changed, 148 insertions(+), 5 deletions(-) create mode 100644 src/dns-manager/nm-dns-utils.c create mode 100644 src/dns-manager/nm-dns-utils.h diff --git a/src/dns-manager/Makefile.am b/src/dns-manager/Makefile.am index 1ffe62d..7b5fc4f 100644 --- a/src/dns-manager/Makefile.am +++ b/src/dns-manager/Makefile.am @@ -14,7 +14,9 @@ libdns_manager_la_SOURCES = \ nm-dns-dnsmasq.h \ nm-dns-dnsmasq.c \ nm-dns-bind.h \ - nm-dns-bind.c + nm-dns-bind.c \ + nm-dns-utils.h \ + nm-dns-utils.c libdns_manager_la_CPPFLAGS = \ $(DBUS_CFLAGS) \ diff --git a/src/dns-manager/nm-dns-dnsmasq.c b/src/dns-manager/nm-dns-dnsmasq.c index 41c8e2a..9cc0197 100644 --- a/src/dns-manager/nm-dns-dnsmasq.c +++ b/src/dns-manager/nm-dns-dnsmasq.c @@ -33,6 +33,7 @@ #include "nm-logging.h" #include "nm-ip4-config.h" #include "nm-ip6-config.h" +#include "nm-dns-utils.h" G_DEFINE_TYPE (NMDnsDnsmasq, nm_dns_dnsmasq, NM_TYPE_DNS_PLUGIN) @@ -75,9 +76,11 @@ add_ip4_config (GString *str, NMIP4Config *ip4, gboolean split) gboolean added = FALSE; if (split) { + char **domains, **iter; + /* FIXME: it appears that dnsmasq can only handle one nameserver - * per domain (at the manpage seems to indicate that) so only use - * the first nameserver here. + * per domain (and the manpage says this too) so only use the first + * nameserver here. */ addr.s_addr = nm_ip4_config_get_nameserver (ip4, 0); memset (&buf[0], 0, sizeof (buf)); @@ -103,6 +106,17 @@ add_ip4_config (GString *str, NMIP4Config *ip4, gboolean split) added = TRUE; } } + + /* Ensure reverse-DNS works by directing queries for in-addr.arpa + * domains to the split domain's nameserver. + */ + domains = nm_dns_utils_get_ip4_rdns_domains (ip4); + if (domains) { + for (iter = domains; iter && *iter; iter++) + g_string_append_printf (str, "server=/%s/%s\n", *iter, buf); + g_strfreev (domains); + added = TRUE; + } } /* If no searches or domains, just add the namservers */ @@ -216,7 +230,7 @@ update (NMDnsPlugin *plugin, } /* Now add interface configs without split DNS */ - for (iter = (GSList *) dev_configs; iter;iter = g_slist_next (iter)) { + for (iter = (GSList *) dev_configs; iter; iter = g_slist_next (iter)) { if (NM_IS_IP4_CONFIG (iter->data)) add_ip4_config (conf, NM_IP4_CONFIG (iter->data), FALSE); else if (NM_IS_IP6_CONFIG (iter->data)) @@ -224,7 +238,7 @@ update (NMDnsPlugin *plugin, } /* And any other random configs */ - for (iter = (GSList *) other_configs; iter;iter = g_slist_next (iter)) { + for (iter = (GSList *) other_configs; iter; iter = g_slist_next (iter)) { if (NM_IS_IP4_CONFIG (iter->data)) add_ip4_config (conf, NM_IP4_CONFIG (iter->data), FALSE); else if (NM_IS_IP6_CONFIG (iter->data)) diff --git a/src/dns-manager/nm-dns-utils.c b/src/dns-manager/nm-dns-utils.c new file mode 100644 index 0000000..615adfd --- /dev/null +++ b/src/dns-manager/nm-dns-utils.c @@ -0,0 +1,99 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2010 Red Hat, Inc. + * + */ + +#include +#include + +#include "nm-dns-utils.h" +#include "nm-utils.h" + +static void +add_ip4_to_rdns_array (guint32 ip, GPtrArray *domains) /* network byte order */ +{ + guint32 defprefix; + guchar *p; + char *str = NULL; + int i; + + defprefix = nm_utils_ip4_get_default_prefix (ip); + + /* Convert to host byte order, mask the host bits, and convert back */ + ip = ntohl (ip); + ip &= 0xFFFFFFFF << (32 - defprefix); + ip = htonl (ip); + p = (guchar *) &ip; + + if (defprefix == 8) + str = g_strdup_printf ("%u.in-addr.arpa", p[0] & 0xFF); + else if (defprefix == 16) + str = g_strdup_printf ("%u.%u.in-addr.arpa", p[1] & 0xFF, p[0] & 0xFF); + else if (defprefix == 24) + str = g_strdup_printf ("%u.%u.%u.in-addr.arpa", p[2] & 0xFF, p[1] & 0xFF, p[0] & 0xFF); + + g_return_if_fail (str != NULL); + + /* Suppress duplicates */ + for (i = 0; i < domains->len; i++) { + if (strcmp (str, g_ptr_array_index (domains, i)) == 0) + break; + } + + if (i == domains->len) + g_ptr_array_add (domains, str); + else + g_free (str); +} + +char ** +nm_dns_utils_get_ip4_rdns_domains (NMIP4Config *ip4) +{ + GPtrArray *domains = NULL; + int i; + + g_return_val_if_fail (ip4 != NULL, NULL); + + domains = g_ptr_array_sized_new (5); + + /* To calculate the reverse DNS domains for this IP4 config, we take + * all the IP addresses and routes in the config, calculate the network + * portion, and convert that to classful, and use the network bits for + * the final domain. FIXME: better handle classless routing, which might + * require us to add multiple domains for each actual network prefix to + * cover all the separate networks in that block. + */ + + for (i = 0; i < nm_ip4_config_get_num_addresses (ip4); i++) { + NMIP4Address *addr = nm_ip4_config_get_address (ip4, i); + + add_ip4_to_rdns_array (nm_ip4_address_get_address (addr), domains); + } + + for (i = 0; i < nm_ip4_config_get_num_routes (ip4); i++) { + NMIP4Route *route = nm_ip4_config_get_route (ip4, i); + + add_ip4_to_rdns_array (nm_ip4_route_get_dest (route), domains); + } + + /* Terminating NULL so we can use g_strfreev() to free it */ + g_ptr_array_add (domains, NULL); + + /* Free the array and return NULL if the only element was the ending NULL */ + return (char **) g_ptr_array_free (domains, (domains->len == 1)); +} + diff --git a/src/dns-manager/nm-dns-utils.h b/src/dns-manager/nm-dns-utils.h new file mode 100644 index 0000000..daa6711 --- /dev/null +++ b/src/dns-manager/nm-dns-utils.h @@ -0,0 +1,28 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2010 Red Hat, Inc. + * + */ + +#ifndef NM_DNS_UTILS_H +#define NM_DNS_UTILS_H + +#include "nm-ip4-config.h" + +char **nm_dns_utils_get_ip4_rdns_domains (NMIP4Config *ip4); + +#endif /* NM_DNS_UTILS_H */ + -- 1.7.3.4