[181] | 1 | #!/usr/bin/python |
---|
| 2 | from twisted.internet import reactor |
---|
| 3 | from twisted.names import server |
---|
| 4 | from twisted.names import dns |
---|
| 5 | from twisted.names import common |
---|
[1477] | 6 | from twisted.names import authority |
---|
[181] | 7 | from twisted.internet import defer |
---|
| 8 | from twisted.python import failure |
---|
| 9 | |
---|
[2037] | 10 | from invirt.common import InvirtConfigError |
---|
[851] | 11 | from invirt.config import structs as config |
---|
| 12 | import invirt.database |
---|
[302] | 13 | import psycopg2 |
---|
| 14 | import sqlalchemy |
---|
| 15 | import time |
---|
[1490] | 16 | import re |
---|
[181] | 17 | |
---|
| 18 | class DatabaseAuthority(common.ResolverBase): |
---|
| 19 | """An Authority that is loaded from a file.""" |
---|
| 20 | |
---|
| 21 | soa = None |
---|
| 22 | |
---|
[851] | 23 | def __init__(self, domains=None, database=None): |
---|
[181] | 24 | common.ResolverBase.__init__(self) |
---|
| 25 | if database is not None: |
---|
[851] | 26 | invirt.database.connect(database) |
---|
| 27 | else: |
---|
| 28 | invirt.database.connect() |
---|
| 29 | if domains is not None: |
---|
| 30 | self.domains = domains |
---|
| 31 | else: |
---|
| 32 | self.domains = config.dns.domains |
---|
| 33 | ns = config.dns.nameservers[0] |
---|
| 34 | self.soa = dns.Record_SOA(mname=ns.hostname, |
---|
| 35 | rname=config.dns.contact.replace('@','.',1), |
---|
[181] | 36 | serial=1, refresh=3600, retry=900, |
---|
| 37 | expire=3600000, minimum=21600, ttl=3600) |
---|
[851] | 38 | self.ns = dns.Record_NS(name=ns.hostname, ttl=3600) |
---|
| 39 | record = dns.Record_A(address=ns.ip, ttl=3600) |
---|
| 40 | self.ns1 = dns.RRHeader(ns.hostname, dns.A, dns.IN, |
---|
[645] | 41 | 3600, record, auth=True) |
---|
| 42 | |
---|
[582] | 43 | |
---|
[181] | 44 | def _lookup(self, name, cls, type, timeout = None): |
---|
[302] | 45 | for i in range(3): |
---|
| 46 | try: |
---|
| 47 | value = self._lookup_unsafe(name, cls, type, timeout = None) |
---|
| 48 | except (psycopg2.OperationalError, sqlalchemy.exceptions.SQLError): |
---|
| 49 | if i == 2: |
---|
| 50 | raise |
---|
| 51 | print "Reloading database" |
---|
| 52 | time.sleep(0.5) |
---|
| 53 | continue |
---|
| 54 | else: |
---|
| 55 | return value |
---|
| 56 | |
---|
| 57 | def _lookup_unsafe(self, name, cls, type, timeout): |
---|
[851] | 58 | invirt.database.clear_cache() |
---|
[582] | 59 | |
---|
| 60 | ttl = 900 |
---|
[646] | 61 | name = name.lower() |
---|
[922] | 62 | |
---|
[646] | 63 | if name in self.domains: |
---|
| 64 | domain = name |
---|
[505] | 65 | else: |
---|
[2207] | 66 | # Look for the longest-matching domain. |
---|
[922] | 67 | best_domain = '' |
---|
[505] | 68 | for domain in self.domains: |
---|
[922] | 69 | if name.endswith('.'+domain) and len(domain) > len(best_domain): |
---|
| 70 | best_domain = domain |
---|
| 71 | if best_domain == '': |
---|
[2201] | 72 | if name.endswith('.in-addr.arpa'): |
---|
[2207] | 73 | # Act authoritative for the IP address for reverse resolution requests |
---|
| 74 | best_domain = name |
---|
[2201] | 75 | else: |
---|
| 76 | return defer.fail(failure.Failure(dns.DomainError(name))) |
---|
[922] | 77 | domain = best_domain |
---|
[181] | 78 | results = [] |
---|
| 79 | authority = [] |
---|
[645] | 80 | additional = [self.ns1] |
---|
[541] | 81 | authority.append(dns.RRHeader(domain, dns.NS, dns.IN, |
---|
[582] | 82 | 3600, self.ns, auth=True)) |
---|
[922] | 83 | |
---|
[2209] | 84 | # The order of logic: |
---|
| 85 | # - What class? |
---|
| 86 | # - What domain: in-addr.arpa, domain root, or subdomain? |
---|
| 87 | # - What query type: A, PTR, NS, ...? |
---|
| 88 | |
---|
| 89 | if cls != dns.IN: |
---|
| 90 | # Hahaha. No. |
---|
| 91 | return defer.fail(failure.Failure(dns.AuthoritativeDomainError(name))) |
---|
| 92 | |
---|
| 93 | if name.endswith(".in-addr.arpa"): |
---|
| 94 | if type in (dns.PTR, dns.ALL_RECORDS): |
---|
| 95 | ip = '.'.join(reversed(name.split('.')[:-2])) |
---|
| 96 | value = invirt.database.NIC.query.filter_by(ip=ip).first() |
---|
| 97 | if value and value.hostname: |
---|
| 98 | hostname = value.hostname |
---|
| 99 | if '.' not in hostname: |
---|
| 100 | hostname = hostname + "." + config.dns.domains[0] |
---|
| 101 | record = dns.Record_PTR(hostname, ttl) |
---|
| 102 | results.append(dns.RRHeader(name, dns.PTR, dns.IN, |
---|
[582] | 103 | ttl, record, auth=True)) |
---|
[2209] | 104 | else: # IP address doesn't point to an active host |
---|
| 105 | return defer.fail(failure.Failure(dns.AuthoritativeDomainError(name))) |
---|
| 106 | elif type == dns.SOA: |
---|
| 107 | results.append(dns.RRHeader(domain, dns.SOA, dns.IN, |
---|
| 108 | ttl, self.soa, auth=True)) |
---|
| 109 | # FIXME: Should only return success with no records if the name actually exists |
---|
| 110 | |
---|
| 111 | elif name == domain or name == '.'+domain: |
---|
| 112 | if type in (dns.A, dns.ALL_RECORDS): |
---|
| 113 | record = dns.Record_A(config.dns.nameservers[0].ip, ttl) |
---|
| 114 | results.append(dns.RRHeader(name, dns.A, dns.IN, |
---|
| 115 | ttl, record, auth=True)) |
---|
| 116 | elif type == dns.NS: |
---|
| 117 | results.append(dns.RRHeader(domain, dns.NS, dns.IN, |
---|
| 118 | ttl, self.ns, auth=True)) |
---|
| 119 | authority = [] |
---|
| 120 | elif type == dns.SOA: |
---|
| 121 | results.append(dns.RRHeader(domain, dns.SOA, dns.IN, |
---|
| 122 | ttl, self.soa, auth=True)) |
---|
| 123 | |
---|
| 124 | else: |
---|
| 125 | host = name[:-len(domain)-1] |
---|
| 126 | value = invirt.database.NIC.query.filter_by(hostname=host).first() |
---|
| 127 | if value: |
---|
| 128 | ip = value.ip |
---|
[2208] | 129 | else: |
---|
[2209] | 130 | value = invirt.database.Machine.query().filter_by(name=host).first() |
---|
[2208] | 131 | if value: |
---|
[2209] | 132 | ip = value.nics[0].ip |
---|
[2208] | 133 | else: |
---|
| 134 | return defer.fail(failure.Failure(dns.AuthoritativeDomainError(name))) |
---|
[2209] | 135 | if ip is None: |
---|
| 136 | return defer.fail(failure.Failure(dns.AuthoritativeDomainError(name))) |
---|
| 137 | if type in (dns.A, dns.ALL_RECORDS): |
---|
| 138 | record = dns.Record_A(ip, ttl) |
---|
| 139 | results.append(dns.RRHeader(name, dns.A, dns.IN, |
---|
| 140 | ttl, record, auth=True)) |
---|
| 141 | elif type == dns.SOA: |
---|
| 142 | results.append(dns.RRHeader(domain, dns.SOA, dns.IN, |
---|
| 143 | ttl, self.soa, auth=True)) |
---|
[2208] | 144 | |
---|
[2209] | 145 | if len(results) == 0: |
---|
| 146 | authority = [] |
---|
| 147 | additional = [] |
---|
| 148 | return defer.succeed((results, authority, additional)) |
---|
[181] | 149 | |
---|
[1490] | 150 | class QuotingBindAuthority(authority.BindAuthority): |
---|
| 151 | """ |
---|
| 152 | A BindAuthority that (almost) deals with quoting correctly |
---|
| 153 | |
---|
| 154 | This will catch double quotes as marking the start or end of a |
---|
| 155 | quoted phrase, unless the double quote is escaped by a backslash |
---|
| 156 | """ |
---|
[1511] | 157 | # Match either a quoted or unquoted string literal followed by |
---|
| 158 | # whitespace or the end of line. This yields two groups, one of |
---|
| 159 | # which has a match, and the other of which is None, depending on |
---|
| 160 | # whether the string literal was quoted or unquoted; this is what |
---|
| 161 | # necessitates the subsequent filtering out of groups that are |
---|
| 162 | # None. |
---|
| 163 | string_pat = \ |
---|
| 164 | re.compile(r'"((?:[^"\\]|\\.)*)"|((?:[^\\\s]|\\.)+)(?:\s+|\s*$)') |
---|
| 165 | |
---|
| 166 | # For interpreting escapes. |
---|
| 167 | escape_pat = re.compile(r'\\(.)') |
---|
| 168 | |
---|
[1490] | 169 | def collapseContinuations(self, lines): |
---|
| 170 | L = [] |
---|
| 171 | state = 0 |
---|
| 172 | for line in lines: |
---|
| 173 | if state == 0: |
---|
| 174 | if line.find('(') == -1: |
---|
| 175 | L.append(line) |
---|
| 176 | else: |
---|
| 177 | L.append(line[:line.find('(')]) |
---|
| 178 | state = 1 |
---|
| 179 | else: |
---|
| 180 | if line.find(')') != -1: |
---|
| 181 | L[-1] += ' ' + line[:line.find(')')] |
---|
| 182 | state = 0 |
---|
| 183 | else: |
---|
| 184 | L[-1] += ' ' + line |
---|
| 185 | lines = L |
---|
| 186 | L = [] |
---|
[1511] | 187 | |
---|
[1490] | 188 | for line in lines: |
---|
| 189 | in_quote = False |
---|
| 190 | split_line = [] |
---|
[1631] | 191 | for m in self.string_pat.finditer(line): |
---|
[1511] | 192 | [x] = [x for x in m.groups() if x is not None] |
---|
[1631] | 193 | split_line.append(self.escape_pat.sub(r'\1', x)) |
---|
[1490] | 194 | L.append(split_line) |
---|
| 195 | return filter(None, L) |
---|
| 196 | |
---|
[181] | 197 | if '__main__' == __name__: |
---|
[1477] | 198 | resolvers = [] |
---|
[2037] | 199 | try: |
---|
| 200 | for zone in config.dns.zone_files: |
---|
| 201 | for origin in config.dns.domains: |
---|
| 202 | r = QuotingBindAuthority(zone) |
---|
| 203 | # This sucks, but if I want a generic zone file, I have to |
---|
| 204 | # reload the information by hand |
---|
| 205 | r.origin = origin |
---|
| 206 | lines = open(zone).readlines() |
---|
| 207 | lines = r.collapseContinuations(r.stripComments(lines)) |
---|
| 208 | r.parseLines(lines) |
---|
| 209 | |
---|
| 210 | resolvers.append(r) |
---|
| 211 | except InvirtConfigError: |
---|
| 212 | # Don't care if zone_files isn't defined |
---|
| 213 | pass |
---|
[1477] | 214 | resolvers.append(DatabaseAuthority()) |
---|
[181] | 215 | |
---|
| 216 | verbosity = 0 |
---|
[1477] | 217 | f = server.DNSServerFactory(authorities=resolvers, verbose=verbosity) |
---|
[181] | 218 | p = dns.DNSDatagramProtocol(f) |
---|
| 219 | f.noisy = p.noisy = verbosity |
---|
| 220 | |
---|
| 221 | reactor.listenUDP(53, p) |
---|
| 222 | reactor.listenTCP(53, f) |
---|
| 223 | reactor.run() |
---|