- Fix that log-replies prints the correct name for local-alias

names, for names that have a CNAME in local-data configuration.
  It logs the original query name, not the target of the CNAME.
- Add local-zone type inform_redirect, which logs like type inform,
  and redirects like type redirect.


git-svn-id: file:///svn/unbound/trunk@5099 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/worker.c

@@ -1559,8 +1559,17 @@ send_reply_rc:
 	if(worker->env.cfg->log_replies)
 	{
 		struct timeval tv = {0, 0};
-		log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
-			tv, 1, c->buffer);
+		if(qinfo.local_alias && qinfo.local_alias->rrset &&
+			qinfo.local_alias->rrset->rk.dname) {
+			/* log original qname, before the local alias was
+			 * used to resolve that CNAME to something else */
+			qinfo.qname = qinfo.local_alias->rrset->rk.dname;
+			log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
+				tv, 1, c->buffer);
+		} else {
+			log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
+				tv, 1, c->buffer);
+		}
 	}
 #ifdef USE_DNSCRYPT
 	if(!dnsc_handle_uncurved_request(repinfo)) {

doc/Changelog

@@ -1,3 +1,10 @@
+4 February 2019: Wouter
+	- Fix that log-replies prints the correct name for local-alias
+	  names, for names that have a CNAME in local-data configuration.
+	  It logs the original query name, not the target of the CNAME.
+	- Add local-zone type inform_redirect, which logs like type inform,
+	  and redirects like type redirect.
+
 31 January 2019: Wouter
 	- Set ub_ctx_set_tls call signature in ltrace config file for
 	  libunbound in contrib/libunbound.so.conf.

doc/example.conf.in

@@ -673,6 +673,7 @@ server:
 	# o typetransparent resolves normally for other types and other names
 	# o inform acts like transparent, but logs client IP address
 	# o inform_deny drops queries and logs client IP address
+	# o inform_redirect redirects queries and logs client IP address
 	# o always_transparent, always_refuse, always_nxdomain, resolve in
 	#   that way but ignore local data for that name
 	# o noview breaks out of that view towards global local-zones.

doc/unbound.conf.5.in

@@ -1141,7 +1141,7 @@ address space are not validated.  This is usually required whenever
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,
 transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-always_transparent, always_refuse, always_nxdomain, noview,
+inform_redirect, always_transparent, always_refuse, always_nxdomain, noview,
 and are explained below. After that the default settings are listed. Use
 local\-data: to enter data into the local zone. Answers for local zones
 are authoritative DNS answers. By default the zones are class IN.
@@ -1202,6 +1202,10 @@ looking up infected names are logged, eg. to run antivirus on them.
 The query is dropped, like 'deny', and logged, like 'inform'.  Ie. find
 infected machines without answering the queries.
 .TP 10
+\h'5'\fIinform_redirect\fR
+The query is redirected, like 'redirect', and logged, like 'inform'.
+Ie. answer queries with fixed data and also log the machines that ask.
+.TP 10
 \h'5'\fIalways_transparent\fR
 Like transparent, but ignores local data and resolves normally.
 .TP 10

respip/respip.c

@@ -183,6 +183,8 @@ respip_action_cfg(struct respip_set* set, const char* ipstr,
                 action = respip_inform;
         else if(strcmp(actnstr, "inform_deny") == 0)
                 action = respip_inform_deny;
+        else if(strcmp(actnstr, "inform_redirect") == 0)
+                action = respip_inform_redirect;
         else if(strcmp(actnstr, "always_transparent") == 0)
                 action = respip_always_transparent;
         else if(strcmp(actnstr, "always_refuse") == 0)
@@ -245,7 +247,8 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
 	struct packed_rrset_data* pd;
 	struct sockaddr* sa;
 	int ret;
-	if(raddr->action != respip_redirect) {
+	if(raddr->action != respip_redirect
+		&& raddr->action != respip_inform_redirect) {
 		log_err("cannot parse response-ip-data %s: response-ip "
 			"action for %s is not redirect", rrstr, netblock);
 		return 0;
@@ -750,7 +753,8 @@ respip_nodata_answer(uint16_t qtype, enum respip_action action,
 		*new_repp = new_rep;
 		return 1;
 	} else if(action == respip_static || action == respip_redirect ||
-		action == respip_always_nxdomain) {
+		action == respip_always_nxdomain ||
+		action == respip_inform_redirect) {
 		/* Since we don't know about other types of the owner name,
 		 * we generally return NOERROR/NODATA unless an NXDOMAIN action
 		 * is explicitly specified. */

services/localzone.c

@@ -464,7 +464,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
 		return 0;
 	}
 	log_assert(z->dclass == rrclass);
-	if(z->type == local_zone_redirect &&
+	if((z->type == local_zone_redirect ||
+		z->type == local_zone_inform_redirect) &&
 		query_dname_compare(z->name, nm) != 0) {
 		log_err("local-data in redirect zone must reside at top of zone"
 			", not at %s", rrstr);
@@ -481,7 +482,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
 
 	/* Reject it if we would end up having CNAME and other data (including
 	 * another CNAME) for a redirect zone. */
-	if(z->type == local_zone_redirect && node->rrsets) {
+	if((z->type == local_zone_redirect ||
+		z->type == local_zone_inform_redirect) && node->rrsets) {
 		const char* othertype = NULL;
 		if (rrtype == LDNS_RR_TYPE_CNAME)
 			othertype = "other";
@@ -1323,7 +1325,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 	key.name = qinfo->qname;
 	key.namelen = qinfo->qname_len;
 	key.namelabs = labs;
-	if(lz_type == local_zone_redirect) {
+	if(lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect) {
 		key.name = z->name;
 		key.namelen = z->namelen;
 		key.namelabs = z->namelabs;
@@ -1355,7 +1358,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 		return 0;
 
 	/* Special case for alias matching.  See local_data_answer(). */
-	if(lz_type == local_zone_redirect &&
+	if((lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect) &&
 		qinfo->qtype != LDNS_RR_TYPE_CNAME &&
 		lr->rrset->rk.type == htons(LDNS_RR_TYPE_CNAME)) {
 		qinfo->local_alias =
@@ -1370,7 +1374,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 		qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
 		return 1;
 	}
-	if(lz_type == local_zone_redirect) {
+	if(lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect) {
 		/* convert rrset name to query name; like a wildcard */
 		struct ub_packed_rrset_key r = *lr->rrset;
 		r.rk.dname = qinfo->qname;
@@ -1442,6 +1447,7 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
 		return 1;
 	} else if(lz_type == local_zone_static ||
 		lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect ||
 		lz_type == local_zone_always_nxdomain) {
 		/* for static, reply nodata or nxdomain
 		 * for redirect, reply nodata */
@@ -1450,7 +1456,8 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
 		 * or using closest match for NSEC.
 		 * or using closest match for returning delegation downwards
 		 */
-		int rcode = (ld || lz_type == local_zone_redirect)?
+		int rcode = (ld || lz_type == local_zone_redirect ||
+			lz_type == local_zone_inform_redirect)?
 			LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
 		if(z->soa)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
@@ -1624,7 +1631,9 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
 		}
 	}
 	if((env->cfg->log_local_actions ||
-			lzt == local_zone_inform || lzt == local_zone_inform_deny)
+			lzt == local_zone_inform ||
+			lzt == local_zone_inform_deny ||
+			lzt == local_zone_inform_redirect)
 			&& repinfo)
 		lz_inform_print(z, qinfo, repinfo);
 
@@ -1656,6 +1665,7 @@ const char* local_zone_type2str(enum localzone_type t)
 		case local_zone_nodefault: return "nodefault";
 		case local_zone_inform: return "inform";
 		case local_zone_inform_deny: return "inform_deny";
+		case local_zone_inform_redirect: return "inform_redirect";
 		case local_zone_always_transparent: return "always_transparent";
 		case local_zone_always_refuse: return "always_refuse";
 		case local_zone_always_nxdomain: return "always_nxdomain";
@@ -1682,6 +1692,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
 		*t = local_zone_inform;
 	else if(strcmp(type, "inform_deny") == 0)
 		*t = local_zone_inform_deny;
+	else if(strcmp(type, "inform_redirect") == 0)
+		*t = local_zone_inform_redirect;
 	else if(strcmp(type, "always_transparent") == 0)
 		*t = local_zone_always_transparent;
 	else if(strcmp(type, "always_refuse") == 0)

services/localzone.h

@@ -83,6 +83,8 @@ enum localzone_type {
 	local_zone_inform,
 	/** log client address, and block (drop) */
 	local_zone_inform_deny,
+	/** log client address, and direct */
+	local_zone_inform_redirect,
 	/** resolve normally, even when there is local data */	
 	local_zone_always_transparent,
 	/** answer with error, even when there is local data */	
@@ -491,6 +493,8 @@ enum respip_action {
 	respip_inform = local_zone_inform,
         /** log query source and don't answer query */
 	respip_inform_deny = local_zone_inform_deny,
+        /** log query source and redirect */
+	respip_inform_redirect = local_zone_inform_redirect,
         /** resolve normally, even when there is response-ip data */
 	respip_always_transparent = local_zone_always_transparent,
         /** answer with 'refused' response */

util/configparser.y

@@ -1783,12 +1783,14 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 		   && strcmp($3, "always_refuse")!=0
 		   && strcmp($3, "always_nxdomain")!=0
 		   && strcmp($3, "noview")!=0
-		   && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) {
+		   && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
+		   && strcmp($3, "inform_redirect") != 0) {
 			yyerror("local-zone type: expected static, deny, "
 				"refuse, redirect, transparent, "
 				"typetransparent, inform, inform_deny, "
-				"always_transparent, always_refuse, "
-				"always_nxdomain, noview or nodefault");
+				"inform_redirect, always_transparent, "
+				"always_refuse, always_nxdomain, noview "
+				"or nodefault");
 			free($2);
 			free($3);
 		} else if(strcmp($3, "nodefault")==0) {