path: root/sbin/unwind/resolver.c (follow)
Commit message  Author  Age  Files  Lines
...
* Remove useless log_debug() calls.  florian  2019-12-03  1  -96/+9
  Looks good to otto
* No more status subcommands; ok florian@  otto  2019-12-03  1  -35/+20
* Save the computed median to avoid having to compute it all the time;  otto  2019-12-02  1  -6/+11
  ok florian@
* Use a unified cache in all libunbound based resolvers.  florian  2019-12-02  1  -4/+60
  OK otto
* increment refcount before doing the call to resolve(); ok florian@  otto  2019-12-02  1  -2/+2
* Add an "all" mode for status and a much more compact and readable histogram  otto  2019-12-02  1  -29/+13
  display; remove the why bogus status message; ok florian@
* Allow forcing specific domains to be resolved by specific resolvers;  otto  2019-12-01  1  -5/+58
  Handles typical split-horizon setups. ok florian@
* make sure we only pass normalized timevals for the next resolver interval;  otto  2019-11-30  1  -4/+10
  ok florian@
* Not being able to create a resolver is not a fatal condition in unwind,  florian  2019-11-30  1  -3/+6
  there might be others still working. Make sure check_resolver() handles this correctly.
* While we learn how the "decaying" histogram works it's helpful to show  florian  2019-11-29  1  -11/+9
  it in unwindctl status output next to the all time histogram.
* The happy eyeballs code computes a median to assess how well a  otto  2019-11-28  1  -6/+37
  resolver is doing. But circumstances can change, so decay the histogram data over time to slowly forget about that past. Uses fixed point arithmetic to avoid floating point. ok florian@
* show median RTT in unwindctl status  florian  2019-11-28  1  -1/+2
* Track all elements of a forwarder configuration individually:  florian  2019-11-28  1  -51/+44
  IP address, port and authentication name. This makes print_config less awkward and fixes a bug where an alternative port number was not printed.
* Instead of only considering if a resolving strategy is dead, works or  florian  2019-11-27  1  -107/+349
  validates, measure how well it is doing. We keep track of the round trip median time of past queries and sort strategies according to this in addition to the more basic qualities of does it resolve and does it validate. If a query is not answered within the median time the next best strategy gets a chance. The most preferred strategy (either from the config file or defaults) gets an additional head start of 200ms. A response of SERVFAIL also advances to the next best strategy. This is helpful when the picked strategy can only see parts of the internet but another strategy can reach more. This alone gets us past quite a few captive portals already. Additionally we doubt NXDOMAIN from anything but the stub resolver for the first 5 minutes after a network change. This is probably as good as the http check we had previously but more tests are needed. This was inspired by RFC 8305, "Happy Eyeballs". OK otto
* Move resolver preference storage to a struct which makes it easier to  florian  2019-11-27  1  -8/+9
  reuse in the future. OK otto
* Nuke http captive portal detection; something better is coming.  florian  2019-11-27  1  -299/+9
  OK otto
* simplify histogram code and cut off at < limit, as the histogram display in  otto  2019-11-25  1  -3/+3
  unwindctl suggests; ok florian@
* Signal what happened, not what needs doing.  florian  2019-11-25  1  -2/+2
  The frontend doesn't know.
* plug memory leak  florian  2019-11-23  1  -3/+5
* An if_index of zero signals to remove all previous proposals from a  florian  2019-11-23  1  -15/+16
  daemon. Soon to be used by slaacd(8) which handles all interfaces but can't know which interfaces had been set to autoconf before a restart.
* Use a table for unbound options; ok florian@  otto  2019-11-22  1  -8/+19
* Treat DNS proposals as replacement of previous proposals from the same  florian  2019-11-22  1  -159/+37
  daemon and interface. An empty list is automatically a withdrawal. prodding deraadt@
* Track on which interface nameservers have been learned.  florian  2019-11-21  1  -1/+6
  prodding deraadt@
* Check for a too short answer packet in all callback functions because  florian  2019-11-20  1  -3/+13
  otherwise we try to parse an invalid packet. This can be triggered by captive_portal_resolve_done() when dhcp provided nameservers do not answer and asr hits a timeout. answer_packet is NULL and answer_len -1 in that case. Found the hard way by claudio
* Print learned forwarders in unwindctl.  florian  2019-11-19  1  -3/+15
  Someone please make this pretty. Tested by deraadt as part of a larger diff.
* Proposals from dhclient are sometimes replacements.  florian  2019-11-19  1  -42/+119
  slaacd should be changed as well. Tested by deraadt as part of a larger diff.
* Stop dhcp lease file parsing now that dhclient sends proposals.  florian  2019-11-19  1  -70/+6
  Tested by deraadt as part of a larger diff.
* Improve readability by using a typedef for the callback type; ok florian@  otto  2019-11-15  1  -7/+7
* With the stub resolver we have had for some time we can resolve the  florian  2019-11-14  1  -7/+68
  captive portal host internally via the resolver process. deraadt and I observed weird captive portal checking hangs inside of unwind if only 127.0.0.1 was listed as a nameserver in resolv.conf with the old code.
* Checking a resolver that we are already checking can lead to a  florian  2019-11-14  1  -3/+14
  self-DoS under high query rate and constant failures.
* Since resolve() switched to a callback mechanism all uw_resolver objects  florian  2019-11-14  1  -119/+97
  pass through resolve() and either asr_resolve_done() or ub_resolve_done(). With that we can pull resolver_ref() and resolver_unref() into those functions to make the reference counting easier. Only check_resolver is special since it needs to refcount the to-be-checked resolver. But the resolver doing the actual work is automatically refcounted by resolve() and *_resolve_done(). One last piece of the puzzle is to track the uw_resolver object in cb_data so that the *_resolve_done() functions have access to it. This also allows us to remove the ad-hoc passing of the resolver in query_imsg. Since the callback functions all need access to the resolver that did the work we pass it in as first argument. OK otto
* we might not have a best resolver at all  florian  2019-11-12  1  -4/+9
* do not leak buf or region if either fails to allocate  florian  2019-11-12  1  -53/+52
* we are not using was_ratelimited  florian  2019-11-12  1  -14/+13
* Pass in a callback function to resolve() instead of a flag to  florian  2019-11-12  1  -37/+54
  distinguish between an external query and check_resolver(). Also switch trust_anchor_resolve() over which was special.
* Error logging is done inside of resolve since it depends on the  florian  2019-11-12  1  -9/+8
  resolver type.
* It is possible to cancel libunbound queries by tracking an id.  florian  2019-11-12  1  -12/+11
  We are not using that feature so stop tracking the value.
* Implement DNS proposals to learn nameservers from network  florian  2019-11-11  1  -15/+197
  autoconfiguration daemons. Currently only slaacd is switched over so we need to keep the lease file parsing.
* Mechanically change the forwarder SIMPLEQ to a TAILQ. Needed for  florian  2019-11-09  1  -23/+23
  future work to be able to easily delete elements while iterating. OK kn
* failure to allocate memory is not an XXX  florian  2019-11-09  1  -2/+6
* useless debug output  florian  2019-11-06  1  -2/+1
* When we are talking to an upstream nameserver we should not refuse to  florian  2019-11-03  1  -1/+121
  forward queries for certain reverse zones (e.g. RFC1918 space). The local network might use them and it's the policy of the upstream nameserver what should be done with these. Of course, if we are recursively resolving ourselves these should not leak to the global internet so we continue to synthesize NXDOMAIN ourselves. For now we also always synthesize NXDOMAIN for special use domains like test and onion. Pointed out by henning. Input & OK sthen
* *** empty log message ***  otto  2019-11-03  1  -27/+128
* unused global  florian  2019-11-02  1  -2/+1
* When we are behind a captive portal we very likely need to use the asr  florian  2019-11-02  1  -2/+3
  strategy to get past it. This is also true when we don't know yet if we are behind a captive portal. However, when the nameservers dhcp hands us are unreachable (e.g. because they are down) asr is dead, we are still using it and we are now stuck. Only force to asr if we know that it is working. If we are behind a captive portal and the dhcp nameservers are dead we probably won't get past it. But if we are in a network with unreachable dhcp nameservers we will make progress. Stumbled upon by remi while blocking port 53 in pf. OK remi
* With the asr fallback we can skip the service port up & down dance,  florian  2019-10-31  1  -22/+4
  unwind should now be able to work in networks with crappy middle boxes. We also need to switch to the ASR resolver, not DHCP when we are behind a captive portal. Some captive portals let through DNS queries with edns0 options but the "click here to accept the terms of service page" is not resolvable with edns0.
* Add asr resolver type which completely bypasses libunbound and uses the  florian  2019-10-31  1  -46/+167
  libc asynchronous resolver directly with DHCP provided nameservers. This is a last-ditch effort when we find ourselves behind a completely broken middle-box. Input & OK otto OK benno
* Plug mem leak when the list of dhcp resolvers didn't change. ok florian@  otto  2019-10-19  1  -2/+8
* Introduce defines for DNSSEC validation states.  florian  2019-09-30  1  -4/+9
  This also fixes a brain fart in trust_anchor_resolve_done() which was arguably created by "sec" carrying 3 values and "true" does not mean secure. Why this does not use enum sec_status is beyond me.
* Fix histogram code to do an inclusive check for the upper bound to  otto  2019-09-29  1  -4/+6
  avoid an out-of-bounds write for specific values and also check for oob writes in general; with input from kettenis; ok florian@ kn@