dnsredir.c
1 /* 2 * DNS UDP Connection Tracker for GoodbyeDPI 3 * 4 * This is a simple connection tracker for DNS UDP data. 5 * It's not a proper one. The caveats as follows: 6 * * Uses only source IP address and port as a hash key; 7 * * One-shot only. Removes conntrack record as soon as gets the reply; 8 * * Does not properly parse DNS request and response, only checks some bytes; 9 * 10 * But anyway, it works fine for DNS. 11 */ 12 13 #include <windows.h> 14 #include <time.h> 15 #include <stdio.h> 16 #include "goodbyedpi.h" 17 #include "dnsredir.h" 18 #include "utils/uthash.h" 19 20 /* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + srcport[2]) */ 21 #define UDP_CONNRECORD_KEY_LEN 19 22 23 #define DNS_CLEANUP_INTERVAL_SEC 30 24 25 /* HACK! 26 * uthash uses strlen() for HASH_FIND_STR. 27 * We have null bytes in our key, so we can't use strlen() 28 * And since it's always UDP_CONNRECORD_KEY_LEN bytes long, 29 * we don't need to use any string function to determine length. 30 */ 31 #undef uthash_strlen 32 #define uthash_strlen(s) UDP_CONNRECORD_KEY_LEN 33 34 typedef struct udp_connrecord { 35 /* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + srcport[2]) */ 36 char key[UDP_CONNRECORD_KEY_LEN]; 37 time_t time; /* time when this record was added */ 38 uint32_t dstip[4]; 39 uint16_t dstport; 40 UT_hash_handle hh; /* makes this structure hashable */ 41 } udp_connrecord_t; 42 43 static time_t last_cleanup = 0; 44 static udp_connrecord_t *conntrack = NULL; 45 46 void flush_dns_cache() { 47 INT_PTR WINAPI (*DnsFlushResolverCache)(); 48 49 HMODULE dnsapi = LoadLibrary("dnsapi.dll"); 50 if (dnsapi == NULL) 51 { 52 printf("Can't load dnsapi.dll to flush DNS cache!\n"); 53 exit(EXIT_FAILURE); 54 } 55 56 DnsFlushResolverCache = GetProcAddress(dnsapi, "DnsFlushResolverCache"); 57 if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache()) 58 printf("Can't flush DNS cache!"); 59 FreeLibrary(dnsapi); 60 } 61 62 inline static void fill_key_data(char *key, const uint8_t is_ipv6, const uint32_t srcip[4], 63 const uint16_t srcport) 64 { 65 if (is_ipv6) { 66 *(uint8_t*)(key) = '6'; 67 ipv6_copy_addr((uint32_t*)(key + sizeof(uint8_t)), srcip); 68 } 69 else { 70 *(uint8_t*)(key) = '4'; 71 ipv4_copy_addr((uint32_t*)(key + sizeof(uint8_t)), srcip); 72 } 73 74 *(uint16_t*)(key + sizeof(uint8_t) + sizeof(uint32_t) * 4) = srcport; 75 } 76 77 inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint16_t *srcport, 78 const char *key) 79 { 80 if (key[0] == '6') { 81 *is_ipv6 = 1; 82 ipv6_copy_addr(srcip, (uint32_t*)(key + sizeof(uint8_t))); 83 } 84 else { 85 *is_ipv6 = 0; 86 ipv4_copy_addr(srcip, (uint32_t*)(key + sizeof(uint8_t))); 87 } 88 *srcport = *(uint16_t*)(key + sizeof(uint8_t) + sizeof(uint32_t) * 4); 89 } 90 91 inline static void construct_key(const uint32_t srcip[4], const uint16_t srcport, 92 char *key, const uint8_t is_ipv6) 93 { 94 debug("Construct key enter\n"); 95 if (key) { 96 debug("Constructing key\n"); 97 fill_key_data(key, is_ipv6, srcip, srcport); 98 } 99 debug("Construct key end\n"); 100 } 101 102 inline static void deconstruct_key(const char *key, const udp_connrecord_t *connrecord, 103 conntrack_info_t *conn_info) 104 { 105 debug("Deconstruct key enter\n"); 106 if (key && conn_info) { 107 debug("Deconstructing key\n"); 108 fill_data_from_key(&conn_info->is_ipv6, conn_info->srcip, 109 &conn_info->srcport, key); 110 111 if (conn_info->is_ipv6) 112 ipv6_copy_addr(conn_info->dstip, connrecord->dstip); 113 else 114 ipv4_copy_addr(conn_info->dstip, connrecord->dstip); 115 116 conn_info->dstport = connrecord->dstport; 117 } 118 debug("Deconstruct key end\n"); 119 } 120 121 static int check_get_udp_conntrack_key(const char *key, udp_connrecord_t **connrecord) { 122 udp_connrecord_t *tmp_connrecord = NULL; 123 if (!conntrack) return FALSE; 124 125 HASH_FIND_STR(conntrack, key, tmp_connrecord); 126 if (tmp_connrecord) { 127 if (connrecord) 128 *connrecord = tmp_connrecord; 129 debug("check_get_udp_conntrack_key found key\n"); 130 return TRUE; 131 } 132 debug("check_get_udp_conntrack_key key not found\n"); 133 return FALSE; 134 } 135 136 static int add_udp_conntrack(const uint32_t srcip[4], const uint16_t srcport, 137 const uint32_t dstip[4], const uint16_t dstport, 138 const uint8_t is_ipv6 139 ) 140 { 141 if (!(srcip && srcport && dstip && dstport)) 142 return FALSE; 143 144 udp_connrecord_t *tmp_connrecord = malloc(sizeof(udp_connrecord_t)); 145 construct_key(srcip, srcport, tmp_connrecord->key, is_ipv6); 146 147 if (!check_get_udp_conntrack_key(tmp_connrecord->key, NULL)) { 148 tmp_connrecord->time = time(NULL); 149 150 if (is_ipv6) { 151 ipv6_copy_addr(tmp_connrecord->dstip, dstip); 152 } 153 else { 154 ipv4_copy_addr(tmp_connrecord->dstip, dstip); 155 } 156 tmp_connrecord->dstport = dstport; 157 HASH_ADD_STR(conntrack, key, tmp_connrecord); 158 debug("Added UDP conntrack\n"); 159 return TRUE; 160 } 161 debug("Not added UDP conntrack\n"); 162 free(tmp_connrecord); 163 return FALSE; 164 } 165 166 static void dns_cleanup() { 167 udp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL; 168 169 if (last_cleanup == 0) { 170 last_cleanup = time(NULL); 171 return; 172 } 173 174 if (difftime(time(NULL), last_cleanup) >= DNS_CLEANUP_INTERVAL_SEC) { 175 last_cleanup = time(NULL); 176 177 HASH_ITER(hh, conntrack, tmp_connrecord, tmp_connrecord2) { 178 if (difftime(last_cleanup, tmp_connrecord->time) >= DNS_CLEANUP_INTERVAL_SEC) { 179 HASH_DEL(conntrack, tmp_connrecord); 180 free(tmp_connrecord); 181 } 182 } 183 } 184 } 185 186 int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing) { 187 if (packet_dataLen < 16) return FALSE; 188 189 if (outgoing && (ntohs(*(const uint16_t*)(packet_data + 2)) & 0xFA00) == 0 && 190 (ntohs(*(const uint32_t*)(packet_data + 6))) == 0) { 191 return TRUE; 192 } 193 else if (!outgoing && 194 (ntohs(*(const uint16_t*)(packet_data + 2)) & 0xF800) == 0x8000) { 195 return TRUE; 196 } 197 return FALSE; 198 } 199 200 int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport, 201 const uint32_t dstip[4], const uint16_t dstport, 202 const char *packet_data, const UINT packet_dataLen, 203 const uint8_t is_ipv6) 204 { 205 if (packet_dataLen < 16) 206 return FALSE; 207 208 dns_cleanup(); 209 210 if (dns_is_dns_packet(packet_data, packet_dataLen, 1)) { 211 /* Looks like DNS request */ 212 debug("trying to add srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport)); 213 return add_udp_conntrack(srcip, srcport, dstip, dstport, is_ipv6); 214 } 215 debug("____dns_handle_outgoing FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport)); 216 return FALSE; 217 } 218 219 int dns_handle_incoming(const uint32_t srcip[4], const uint16_t srcport, 220 const char *packet_data, const UINT packet_dataLen, 221 conntrack_info_t *conn_info, const uint8_t is_ipv6) 222 { 223 char key[UDP_CONNRECORD_KEY_LEN]; 224 udp_connrecord_t *tmp_connrecord = NULL; 225 226 if (packet_dataLen < 16 || !conn_info) 227 return FALSE; 228 229 dns_cleanup(); 230 231 if (dns_is_dns_packet(packet_data, packet_dataLen, 0)) { 232 /* Looks like DNS response */ 233 construct_key(srcip, srcport, key, is_ipv6); 234 if (check_get_udp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) { 235 /* Connection exists in conntrack, moving on */ 236 deconstruct_key(key, tmp_connrecord, conn_info); 237 HASH_DEL(conntrack, tmp_connrecord); 238 free(tmp_connrecord); 239 return TRUE; 240 } 241 } 242 debug("____dns_handle_incoming FALSE: srcport = %hu\n", ntohs(srcport)); 243 return FALSE; 244 }