1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

28 Commits

Author SHA1 Message Date
Aaron Haslett
ef37988003 dns: changing onelevel search for wildcard to subtree
SCOPE_ONELEVEL is used on wildcard dns searches, but onelevel searches
currently have a performance problem related to GUID indexing, so this
patch changes the search scope to SCOPE_SUBTREE.
In this case, as the onelevel and subtree sets of records are roughly
the same, and the query is matching against the DN itself, we don't
believe there's any benefit in using SCOPE_ONELEVEL over SCOPE_SUBTREE.

The onelevel performance problem will be fixed separately later, but in
the meantime this solves the DNS performance problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13738

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-01-11 02:55:01 +01:00
Gary Lockyer
9a12a00146 CVE-2018-16852 dcerpc dnsserver: refactor common properties handling
dnsserver_common.c and dnsutils.c both share similar code to process
zone properties.  This patch extracts the common code and moves it to
dnsserver_common.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-11-28 08:22:24 +01:00
Andrew Bartlett
28e2a518ff dns_server: Avoid ldb_dn_add_child_fmt() on untrusted input
By using the new ldb_dn_add_child_val() we ensure that the user-controlled values are
not parsed as DN seperators.

Additionally, the casefold DN is obtained before the search to trigger
a full parse of the DN before being handled to the LDB search.

This is not normally required but is done here due to the nature
of the untrusted input.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-15 07:08:24 +02:00
Andrew Bartlett
aa01203ff5 dns_server: Be strict when constructing a LDB DN from an untrusted DNS name
This changes our DNS server to be much more careful when constructing DNS names
into LDB DN values.

This avoids a segfault deep in the LDB code if the ldb_dn_get_casefold() fails there.

A seperate patch will address that part of the issue, and a later patch
will re-work this code to use single API: ldb_dn_add_child_val().  This
is not squahed with this work because this patch does not rely on a new
LDB release, and so may be helpful for a backport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-15 07:08:24 +02:00
Gary Lockyer
cef1b31cd1 dns wildcards: fix BUG 13536
The current position in the dns name was not advanced past the '.'
character

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 20 04:40:31 CEST 2018 on sn-devel-144
2018-07-20 04:40:31 +02:00
Aaron Haslett
f0210f5d17 dns: static records
Modifies bind9 and internal dns to match windows static records behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-12 04:31:56 +02:00
Aaron Haslett
418cd93f4c dns: server side implementation of record aging
Code for retrieving aging properties from a zone and using them for timestamp
setting logic during processing of DNS requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-12 04:31:54 +02:00
Aaron Haslett
350029bdd8 dns: moving name_equal func into common
This function is duplicated in the BIND9 and RPC DNS servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-12 04:31:54 +02:00
Andrew Bartlett
3efc879d98 dns_server: Do the exact match query first, then do the wildcard lookup
The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name
attribute.  This is not as efficient as a base DN lookup, so we try for
that first.

A not-found and wildcard response will still fall back to the ONELEVEL
index.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Andrew Bartlett
948791aca7 dns_server: Do not look for a wildcard for @
This query is made for every record returned via BIND9 DLZ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Andrew Bartlett
071ad56aef dns_server: Use the indexed "name" attribute in wildcard lookup
(the RDN, being 'dc' in this use case, does not have an index in
the AD schema).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Gary Lockyer
edcbc99125 dnsserver: Add support for dns wildcards
Add support for dns wildcard records. i.e. if the following records
exist

  exact.samba.example.com 3600 A 1.1.1.1
  *.samba.example.com     3600 A 1.1.1.2

look up on exact.samba.example.com will return 1.1.1.1
look up on *.samba.example.com     will return 1.1.1.2
look up on other.samba.example.com will return 1.1.1.2

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
34acf5a992 dnsserver: Tighten DNS name checking
Add checks for the maximum permitted length, maximum number of labels
and the maximum label length.  These extra checks will be used by the
DNS wild card handling.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Garming Sam
73a7d154a8 dnsserver/common: Use cached dnsHostName to reduce database reads
The code to clobber the host name appears to have caused DNS requests to use 3x as much resources

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 22 13:06:07 CEST 2017 on sn-devel-144
2017-06-22 13:06:07 +02:00
Andrew Bartlett
c1bf6d2493 dns_server: clobber MNAME in the SOA
Otherwise, we always report the first server we created/provisioned the AD domain on
which does not match AD behaviour.  AD is multi-master so all RW servers are a master.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
970fdfae6a pydsdb_dns: Allow the partition DN to be specified into py_dsdb_dns_lookup
This allows lookups to be confined to one partition, which in turn avoids issues
when running this against MS Windows, which does not match Samba behaviour
for dns_common_zones()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:20 +02:00
Bob Campbell
eacba34a27 dnsserver_common: Add name check in name2dn
Fills in the missing TODO. Note that this may also prevent deletion of
existing corrupted records, but should be resolvable through RPC, or at
worst LDAP.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-12 05:00:19 +01:00
Bob Campbell
4408df2493 dnsserver: add dns name checking
This may also prevent deletion of existing corrupted records through
DNS, but should be resolvable through RPC, or at worst LDAP.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-12 05:00:18 +01:00
Günther Deschner
c1c079cf3d werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source4/dns_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:19 +02:00
Garming Sam
ac4dd94e3f dnsserver: Remove C++ style comment
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-05-03 08:10:09 +02:00
Michael Adam
476672b647 dlist: remove unneeded type argument from DLIST_ADD_END()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-06 21:48:17 +01:00
Andrew Bartlett
fff09dae6d dns_server: Give WERR_DNS_ERROR_NAME_DOES_NOT_EXIST on empty records
When not looking for tombstones, a record without a dnsRecord value may as
well not be present, so just return WERR_DNS_ERROR_NAME_DOES_NOT_EXIST

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
0504065948 dns_server: Put more code in common
This will allow a python module to be written to modify DNS entries in sam.ldb directly

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:21 +01:00
Stefan Metzmacher
bb3ca930cc s4:dns_server: add DNS_TYPE_TOMBSTONE support to dns_common_replace()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10749

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Stefan Metzmacher
a0a81ab01c s4:dns_server: make sure dns_common_lookup() doesn't return tombstones
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Stefan Metzmacher
0689e795e0 s4:dns_server: split out dns_common_replace()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Stefan Metzmacher
342a087349 s4:dns_server: split out dns_common_extract() and dns_common_lookup()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Stefan Metzmacher
99d5a5ead4 s4:dns_server: split out a private 'dnsserver_common' library
This will contain common code for the internal dns server, the dlz_bind9 module
and the rpc dns management server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00