Merge pull request #762 from NLnetLabs/features/downstream-cookies

Downstream DNS Server Cookies a la RFC7873 and RFC9018

Makefile.in

@@ -122,13 +122,13 @@ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
 iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
 services/localzone.c services/mesh.c services/modstack.c services/view.c \
-services/rpz.c \
+services/rpz.c util/rfc_1982.c \
 services/outbound_list.c services/outside_network.c util/alloc.c \
 util/config_file.c util/configlexer.c util/configparser.c \
 util/shm_side/shm_main.c services/authzone.c \
 util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
 util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
-util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
+util/rtt.c util/siphash.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
 util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
 util/timehist.c util/tube.c util/proxy_protocol.c util/timeval_func.c \
 util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
@@ -145,10 +145,10 @@ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
 iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo view.lo \
 outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
-fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
+fptr_wlist.lo siphash.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
-autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \
+autotrust.lo val_anchor.lo rpz.lo rfc_1982.lo proxy_protocol.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
 $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
@@ -917,7 +917,8 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
  $(srcdir)/util/config_file.h util/configparser.h
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/rrdef.h
 shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
@@ -1008,6 +1009,8 @@ rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/itera
  $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
+siphash.lo siphash.o: $(srcdir)/util/siphash.c
+rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c
 edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \

daemon/acl_list.c

@@ -109,6 +109,8 @@ parse_acl_access(const char* str, enum acl_access* control)
 		*control = acl_allow_snoop;
 	else if(strcmp(str, "allow_setrd") == 0)
 		*control = acl_allow_setrd;
+	else if (strcmp(str, "allow_cookie") == 0)
+		*control = acl_allow_cookie;
 	else {
 		log_err("access control type %s unknown", str);
 		return 0;

daemon/acl_list.h

@@ -64,8 +64,12 @@ enum acl_access {
 	acl_allow,
 	/** allow full access for all queries, recursion and cache snooping */
 	acl_allow_snoop,
-	/** allow full access for recursion queries and set RD flag regardless of request */
-	acl_allow_setrd
+	/** allow full access for recursion queries and set RD flag regardless
+	 *  of request */
+	acl_allow_setrd,
+	/** allow full access for recursion (+RD) queries if valid cookie
+	 *  present or stateful transport */
+	acl_allow_cookie
 };
 
 /**

daemon/remote.c

@@ -672,6 +672,12 @@ print_stats(RES* ssl, const char* nm, struct ub_stats_info* s)
 		(unsigned long)s->svr.num_queries)) return 0;
 	if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
 		(unsigned long)s->svr.num_queries_ip_ratelimited)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_cookie_valid"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_cookie_valid)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_cookie_client"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_cookie_client)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_cookie_invalid"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_cookie_invalid)) return 0;
 	if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
 		(unsigned long)(s->svr.num_queries
 			- s->svr.num_queries_missed_cache))) return 0;

daemon/stats.c

@@ -435,6 +435,9 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 {
 	total->svr.num_queries += a->svr.num_queries;
 	total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
+	total->svr.num_queries_cookie_valid += a->svr.num_queries_cookie_valid;
+	total->svr.num_queries_cookie_client += a->svr.num_queries_cookie_client;
+	total->svr.num_queries_cookie_invalid += a->svr.num_queries_cookie_invalid;
 	total->svr.num_queries_missed_cache += a->svr.num_queries_missed_cache;
 	total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
 	total->svr.num_queries_timed_out += a->svr.num_queries_timed_out;
@@ -568,3 +571,16 @@ void server_stats_insrcode(struct ub_server_stats* stats, sldns_buffer* buf)
 			stats->ans_rcode_nodata ++;
 	}
 }
+
+void server_stats_downstream_cookie(struct ub_server_stats* stats,
+	struct edns_data* edns)
+{
+	if(!(edns->edns_present && edns->cookie_present)) return;
+	if(edns->cookie_valid) {
+		stats->num_queries_cookie_valid++;
+	} else if(edns->cookie_client) {
+		stats->num_queries_cookie_client++;
+	} else {
+		stats->num_queries_cookie_invalid++;
+	}
+}

daemon/stats.h

@@ -126,4 +126,11 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
  */
 void server_stats_insrcode(struct ub_server_stats* stats, struct sldns_buffer* buf);
 
+/**
+ * Add DNS Cookie stats for this query
+ * @param stats: the stats
+ * @param edns: edns record
+ */
+void server_stats_downstream_cookie(struct ub_server_stats* stats,
+	struct edns_data* edns);
 #endif /* DAEMON_STATS_H */

daemon/worker.c

@@ -1319,6 +1319,40 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
 		worker, repinfo, acladdr, ede, check_result);
 }
 
+/* Returns 1 if the ip rate limit check can happen before EDNS parsing,
+ * else 0 */
+static int
+pre_edns_ip_ratelimit_check(enum acl_access acl)
+{
+	if(acl == acl_allow_cookie) return 0;
+	return 1;
+}
+
+/* Check if the query is blocked by source IP rate limiting.
+ * Returns 1 if it passes the check, 0 otherwise. */
+static int
+check_ip_ratelimit(struct worker* worker, struct sockaddr_storage* addr,
+	socklen_t addrlen, int has_cookie, sldns_buffer* pkt)
+{
+	if(!infra_ip_ratelimit_inc(worker->env.infra_cache, addr, addrlen,
+			*worker->env.now, has_cookie,
+			worker->env.cfg->ip_ratelimit_backoff, pkt)) {
+		/* See if we can pass through with slip factor */
+		if(!has_cookie && worker->env.cfg->ip_ratelimit_factor != 0 &&
+			ub_random_max(worker->env.rnd,
+			worker->env.cfg->ip_ratelimit_factor) == 0) {
+			char addrbuf[128];
+			addr_to_str(addr, addrlen, addrbuf, sizeof(addrbuf));
+			verbose(VERB_QUERY, "ip_ratelimit allowed through for "
+				"ip address %s because of slip in "
+				"ip_ratelimit_factor", addrbuf);
+			return 1;
+		}
+		return 0;
+	}
+	return 1;
+}
+
 int
 worker_handle_request(struct comm_point* c, void* arg, int error,
 	struct comm_reply* repinfo)
@@ -1332,6 +1366,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	struct edns_option* original_edns_list = NULL;
 	enum acl_access acl;
 	struct acl_addr* acladdr;
+	int pre_edns_ip_ratelimit = 1;
 	int rc = 0;
 	int need_drop = 0;
 	int is_expired_answer = 0;
@@ -1456,33 +1491,21 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	}
 
 	worker->stats.num_queries++;
-
-	/* check if this query should be dropped based on source ip rate limiting
-	 * NOTE: we always check the repinfo->client_address. IP ratelimiting is
-	 *       implicitly disabled for proxies. */
-	if(!infra_ip_ratelimit_inc(worker->env.infra_cache,
-			&repinfo->client_addr, repinfo->client_addrlen,
-			*worker->env.now,
-			worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
-		/* See if we are passed through with slip factor */
-		if(worker->env.cfg->ip_ratelimit_factor != 0 &&
-			ub_random_max(worker->env.rnd,
-			worker->env.cfg->ip_ratelimit_factor) == 0) {
-			char addrbuf[128];
-			addr_to_str(&repinfo->client_addr,
-				repinfo->client_addrlen, addrbuf,
-				sizeof(addrbuf));
-			verbose(VERB_QUERY, "ip_ratelimit allowed through for "
-				"ip address %s because of slip in "
-				"ip_ratelimit_factor", addrbuf);
-		} else {
+	pre_edns_ip_ratelimit = pre_edns_ip_ratelimit_check(acl);
+
+	/* If the IP rate limiting check needs extra EDNS information (e.g.,
+	 * DNS Cookies) postpone the check until after EDNS is parsed. */
+	if(pre_edns_ip_ratelimit) {
+		/* NOTE: we always check the repinfo->client_address.
+		 *       IP ratelimiting is implicitly disabled for proxies. */
+		if(!check_ip_ratelimit(worker, &repinfo->client_addr,
+			repinfo->client_addrlen, 0, c->buffer)) {
 			worker->stats.num_queries_ip_ratelimited++;
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 	}
 
-	/* see if query is in the cache */
 	if(!query_info_parse(&qinfo, c->buffer)) {
 		verbose(VERB_ALGO, "worker parse request: formerror.");
 		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
@@ -1539,16 +1562,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		}
 		goto send_reply;
 	}
-	if((ret=parse_edns_from_query_pkt(c->buffer, &edns, worker->env.cfg, c,
-					worker->scratchpad)) != 0) {
+	if((ret=parse_edns_from_query_pkt(
+			c->buffer, &edns, worker->env.cfg, c, repinfo,
+			(worker->env.now ? *worker->env.now : time(NULL)),
+			worker->scratchpad)) != 0) {
 		struct edns_data reply_edns;
 		verbose(VERB_ALGO, "worker parse edns: formerror.");
 		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
 			repinfo->client_addrlen);
 		memset(&reply_edns, 0, sizeof(reply_edns));
 		reply_edns.edns_present = 1;
-		reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
-		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
 		error_encode(c->buffer, ret, &qinfo,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
@@ -1557,23 +1580,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	}
 	if(edns.edns_present) {
 		if(edns.edns_version != 0) {
-			edns.ext_rcode = (uint8_t)(EDNS_RCODE_BADVERS>>4);
-			edns.edns_version = EDNS_ADVERTISED_VERSION;
-			edns.udp_size = EDNS_ADVERTISED_SIZE;
-			edns.bits &= EDNS_DO;
 			edns.opt_list_in = NULL;
 			edns.opt_list_out = NULL;
 			edns.opt_list_inplace_cb_out = NULL;
-			edns.padding_block_size = 0;
 			verbose(VERB_ALGO, "query with bad edns version.");
 			log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
 				repinfo->client_addrlen);
-			error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
+			extended_error_encode(c->buffer, EDNS_RCODE_BADVERS, &qinfo,
 				*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
-				sldns_buffer_read_u16_at(c->buffer, 2), NULL);
-			if(sldns_buffer_capacity(c->buffer) >=
-			   sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns))
-				attach_edns_record(c->buffer, &edns);
+				sldns_buffer_read_u16_at(c->buffer, 2), 0, &edns);
 			regional_free_all(worker->scratchpad);
 			goto send_reply;
 		}
@@ -1586,6 +1601,62 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			edns.udp_size = NORMAL_UDP_SIZE;
 		}
 	}
+
+	/* Get stats for cookies */
+	server_stats_downstream_cookie(&worker->stats, &edns);
+
+	/* If the IP rate limiting check was postponed, check now. */
+	if(!pre_edns_ip_ratelimit) {
+		/* NOTE: we always check the repinfo->client_address.
+		 *       IP ratelimiting is implicitly disabled for proxies. */
+		if(!check_ip_ratelimit(worker, &repinfo->client_addr,
+			repinfo->client_addrlen, edns.cookie_valid,
+			c->buffer)) {
+			worker->stats.num_queries_ip_ratelimited++;
+			comm_point_drop_reply(repinfo);
+			return 0;
+		}
+	}
+
+	/* "if, else if" sequence below deals with downstream DNS Cookies */
+	if(acl != acl_allow_cookie)
+		; /* pass; No cookie downstream processing whatsoever */
+
+	else if(edns.cookie_valid)
+		; /* pass; Valid cookie is good! */
+
+	else if(c->type != comm_udp)
+		; /* pass; Stateful transport */
+
+	else if(edns.cookie_present) {
+		/* Cookie present, but not valid: Cookie was bad! */
+		extended_error_encode(c->buffer,
+			LDNS_EXT_RCODE_BADCOOKIE, &qinfo,
+			*(uint16_t*)(void *)
+			sldns_buffer_begin(c->buffer),
+			sldns_buffer_read_u16_at(c->buffer, 2),
+			0, &edns);
+		regional_free_all(worker->scratchpad);
+		goto send_reply;
+	} else {
+		/* Cookie required, but no cookie present on UDP */
+		verbose(VERB_ALGO, "worker request: "
+			"need cookie or stateful transport");
+		log_addr(VERB_ALGO, "from",&repinfo->remote_addr
+		                          , repinfo->remote_addrlen);
+		EDNS_OPT_LIST_APPEND_EDE(&edns.opt_list_out,
+			worker->scratchpad, LDNS_EDE_OTHER,
+			"DNS Cookie needed for UDP replies");
+		error_encode(c->buffer,
+			(LDNS_RCODE_REFUSED|BIT_TC), &qinfo,
+			*(uint16_t*)(void *)
+			sldns_buffer_begin(c->buffer),
+			sldns_buffer_read_u16_at(c->buffer, 2),
+			&edns);
+		regional_free_all(worker->scratchpad);
+		goto send_reply;
+	}
+
 	if(edns.udp_size > worker->daemon->cfg->max_udp_size &&
 		c->type == comm_udp) {
 		verbose(VERB_QUERY,

doc/unbound-control.8.in

@@ -369,6 +369,15 @@ number of queries received by thread
 .I threadX.num.queries_ip_ratelimited
 number of queries rate limited by thread
 .TP
+.I threadX.num.queries_cookie_valid
+number of queries with a valid DNS Cookie by thread
+.TP
+.I threadX.num.queries_cookie_client
+number of queries with a client part only DNS Cookie by thread
+.TP
+.I threadX.num.queries_cookie_invalid
+number of queries with an invalid DNS Cookie by thread
+.TP
 .I threadX.num.cachehits
 number of queries that were successfully answered using a cache lookup
 .TP
@@ -446,6 +455,18 @@ buffers are full.
 .I total.num.queries
 summed over threads.
 .TP
+.I total.num.queries_ip_ratelimited
+summed over threads.
+.TP
+.I total.num.queries_cookie_valid
+summed over threads.
+.TP
+.I total.num.queries_cookie_client
+summed over threads.
+.TP
+.I total.num.queries_cookie_invalid
+summed over threads.
+.TP
 .I total.num.cachehits
 summed over threads.
 .TP
@@ -611,7 +632,7 @@ ratelimiting.
 .TP
 .I num.query.dnscrypt.shared_secret.cachemiss
 The number of dnscrypt queries that did not find a shared secret in the cache.
-The can be use to compute the shared secret hitrate.
+This can be used to compute the shared secret hitrate.
 .TP
 .I num.query.dnscrypt.replay
 The number of dnscrypt queries that found a nonce hit in the nonce cache and