tor

dns.c (81536B)

---

/* Copyright (c) 2003-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2021, The Tor Project, Inc. */
/* See LICENSE for licensing information */

/**
* \file dns.c
* \brief Implements a local cache for DNS results for Tor servers.
* This is implemented as a wrapper around Adam Langley's eventdns.c code.
* (We can't just use gethostbyname() and friends because we really need to
* be nonblocking.)
*
* There are three main cases when a Tor relay uses dns.c to launch a DNS
* request:
*   <ol>
*    <li>To check whether the DNS server is working more or less correctly.
*      This happens via dns_launch_correctness_checks().  The answer is
*      reported in the return value from later calls to
*      dns_seems_to_be_broken().
*    <li>When a client has asked the relay, in a RELAY_BEGIN cell, to connect
*      to a given server by hostname.  This happens via dns_resolve().
*    <li>When a client has asked the relay, in a RELAY_RESOLVE cell, to look
*      up a given server's IP address(es) by hostname. This also happens via
*      dns_resolve().
*   </ol>
*
* Each of these gets handled a little differently.
*
* To check for correctness, we look up some hostname we expect to exist and
* have real entries, some hostnames which we expect to definitely not exist,
* and some hostnames that we expect to probably not exist.  If too many of
* the hostnames that shouldn't exist do exist, that's a DNS hijacking
* attempt.  If too many of the hostnames that should exist have the same
* addresses as the ones that shouldn't exist, that's a very bad DNS hijacking
* attempt, or a very naughty captive portal.  And if the hostnames that
* should exist simply don't exist, we probably have a broken nameserver.
*
* To handle client requests, we first check our cache for answers. If there
* isn't something up-to-date, we've got to launch A or AAAA requests as
* appropriate.  How we handle responses to those in particular is a bit
* complex; see dns_lookup() and set_exitconn_info_from_resolve().
*
* When a lookup is finally complete, the inform_pending_connections()
* function will tell all of the streams that have been waiting for the
* resolve, by calling connection_exit_connect() if the client sent a
* RELAY_BEGIN cell, and by calling send_resolved_cell() or
* send_hostname_cell() if the client sent a RELAY_RESOLVE cell.
**/

#define DNS_PRIVATE

#include "core/or/or.h"
#include "app/config/config.h"
#include "core/mainloop/connection.h"
#include "core/mainloop/mainloop.h"
#include "core/mainloop/netstatus.h"
#include "core/or/circuitlist.h"
#include "core/or/circuituse.h"
#include "core/or/connection_edge.h"
#include "core/or/policies.h"
#include "core/or/relay.h"
#include "feature/control/control_events.h"
#include "feature/relay/dns.h"
#include "feature/nodelist/networkstatus.h"
#include "feature/relay/router.h"
#include "feature/relay/routermode.h"
#include "feature/stats/rephist.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/evloop/compat_libevent.h"
#include "lib/sandbox/sandbox.h"

#include "core/or/edge_connection_st.h"
#include "core/or/or_circuit_st.h"
#include "core/or/conflux_util.h"

#include "ht.h"

#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif

#include <event2/event.h>
#include <event2/dns.h>

/** How long will we wait for an answer from the resolver before we decide
* that the resolver is wedged? */
#define RESOLVE_MAX_TIMEOUT 300

/** The clipped TTL sent back in the RESOLVED cell for every DNS queries.
*
* See https://gitlab.torproject.org/tpo/core/tor/-/issues/40979 for a thorough
* explanation but this is first and foremost a security fix in order to avoid
* an exit DNS cache oracle. */
#define RESOLVED_CLIPPED_TTL (60)

/** Our evdns_base; this structure handles all our name lookups. */
static struct evdns_base *the_evdns_base = NULL;

/** Have we currently configured nameservers with eventdns? */
static int nameservers_configured = 0;
/** Did our most recent attempt to configure nameservers with eventdns fail? */
static int nameserver_config_failed = 0;
/** What was the resolv_conf fname we last used when configuring the
* nameservers? Used to check whether we need to reconfigure. */
static char *resolv_conf_fname = NULL;
/** What was the mtime on the resolv.conf file we last used when configuring
* the nameservers?  Used to check whether we need to reconfigure. */
static time_t resolv_conf_mtime = 0;

static void purge_expired_resolves(time_t now);
static void dns_found_answer(const char *address, uint8_t query_type,
                            int dns_answer,
                            const tor_addr_t *addr,
                            const char *hostname,
                            uint32_t ttl);
static void add_wildcarded_test_address(const char *address);
static int configure_nameservers(int force);
static int answer_is_wildcarded(const char *ip);
static int evdns_err_is_transient(int err);
static void inform_pending_connections(cached_resolve_t *resolve);
static void make_pending_resolve_cached(cached_resolve_t *cached);
static void configure_libevent_options(void);

#ifdef DEBUG_DNS_CACHE
static void assert_cache_ok_(void);
#define assert_cache_ok() assert_cache_ok_()
#else
#define assert_cache_ok() STMT_NIL
#endif /* defined(DEBUG_DNS_CACHE) */
static void assert_resolve_ok(cached_resolve_t *resolve);

/** Hash table of cached_resolve objects. */
static HT_HEAD(cache_map, cached_resolve_t) cache_root;

/** Global: how many IPv6 requests have we made in all? */
static uint64_t n_ipv6_requests_made = 0;
/** Global: how many IPv6 requests have timed out? */
static uint64_t n_ipv6_timeouts = 0;
/** Global: Do we think that IPv6 DNS is broken? */
static int dns_is_broken_for_ipv6 = 0;

/** Function to compare hashed resolves on their addresses; used to
* implement hash tables. */
static inline int
cached_resolves_eq(cached_resolve_t *a, cached_resolve_t *b)
{
 /* make this smarter one day? */
 assert_resolve_ok(a); // Not b; b may be just a search.
 return !strncmp(a->address, b->address, MAX_ADDRESSLEN);
}

/** Hash function for cached_resolve objects */
static inline unsigned int
cached_resolve_hash(cached_resolve_t *a)
{
 return (unsigned) siphash24g((const uint8_t*)a->address, strlen(a->address));
}

HT_PROTOTYPE(cache_map, cached_resolve_t, node, cached_resolve_hash,
            cached_resolves_eq);
HT_GENERATE2(cache_map, cached_resolve_t, node, cached_resolve_hash,
            cached_resolves_eq, 0.6, tor_reallocarray_, tor_free_);

/** Initialize the DNS cache. */
static void
init_cache_map(void)
{
 HT_INIT(cache_map, &cache_root);
}

/** Helper: called by eventdns when eventdns wants to log something. */
static void
evdns_log_cb(int warn, const char *msg)
{
 const char *cp;
 static int all_down = 0;
 int severity = warn ? LOG_WARN : LOG_INFO;
 if (!strcmpstart(msg, "Resolve requested for") &&
     get_options()->SafeLogging) {
   log_info(LD_EXIT, "eventdns: Resolve requested.");
   return;
 } else if (!strcmpstart(msg, "Search: ")) {
   return;
 }
 if (!strcmpstart(msg, "Nameserver ") && (cp=strstr(msg, " has failed: "))) {
   char *ns = tor_strndup(msg+11, cp-(msg+11));
   const char *colon = strchr(cp, ':');
   tor_assert(colon);
   const char *err = colon+2;
   /* Don't warn about a single failed nameserver; we'll warn with 'all
    * nameservers have failed' if we're completely out of nameservers;
    * otherwise, the situation is tolerable. */
   severity = LOG_INFO;
   control_event_server_status(LOG_NOTICE,
                               "NAMESERVER_STATUS NS=%s STATUS=DOWN ERR=%s",
                               ns, escaped(err));
   tor_free(ns);
 } else if (!strcmpstart(msg, "Nameserver ") &&
            (cp=strstr(msg, " is back up"))) {
   char *ns = tor_strndup(msg+11, cp-(msg+11));
   severity = (all_down && warn) ? LOG_NOTICE : LOG_INFO;
   all_down = 0;
   control_event_server_status(LOG_NOTICE,
                               "NAMESERVER_STATUS NS=%s STATUS=UP", ns);
   tor_free(ns);
 } else if (!strcmp(msg, "All nameservers have failed")) {
   control_event_server_status(LOG_WARN, "NAMESERVER_ALL_DOWN");
   all_down = 1;
 } else if (!strcmpstart(msg, "Address mismatch on received DNS")) {
   static ratelim_t mismatch_limit = RATELIM_INIT(3600);
   const char *src = strstr(msg, " Apparent source");
   if (!src || get_options()->SafeLogging) {
     src = "";
   }
   log_fn_ratelim(&mismatch_limit, severity, LD_EXIT,
                  "eventdns: Received a DNS packet from "
                  "an IP address to which we did not send a request. This "
                  "could be a DNS spoofing attempt, or some kind of "
                  "misconfiguration.%s", src);
   return;
 }
 tor_log(severity, LD_EXIT, "eventdns: %s", msg);
}

/** New consensus just appeared, take appropriate actions if need be. */
void
dns_new_consensus_params(const networkstatus_t *ns)
{
 (void) ns;

 /* Consensus has parameters for the Exit relay DNS side and so we only reset
  * the DNS nameservers if we are in server mode. */
 if (server_mode(get_options())) {
   configure_libevent_options();
 }
}

/** Initialize the DNS subsystem; called by the OR process. */
int
dns_init(void)
{
 init_cache_map();
 if (server_mode(get_options())) {
   int r = configure_nameservers(1);
   return r;
 }
 return 0;
}

/** Called when DNS-related options change (or may have changed).  Returns -1
* on failure, 0 on success. */
int
dns_reset(void)
{
 const or_options_t *options = get_options();
 if (! server_mode(options)) {

   if (!the_evdns_base) {
     if (!(the_evdns_base = evdns_base_new(tor_libevent_get_base(), 0))) {
       log_err(LD_BUG, "Couldn't create an evdns_base");
       return -1;
     }
   }

   evdns_base_clear_nameservers_and_suspend(the_evdns_base);
   evdns_base_search_clear(the_evdns_base);
   nameservers_configured = 0;
   tor_free(resolv_conf_fname);
   resolv_conf_mtime = 0;
 } else {
   if (configure_nameservers(0) < 0) {
     return -1;
   }
 }
 return 0;
}

/** Return true iff the most recent attempt to initialize the DNS subsystem
* failed. */
int
has_dns_init_failed(void)
{
 return nameserver_config_failed;
}

/** Helper: free storage held by an entry in the DNS cache. */
static void
free_cached_resolve_(cached_resolve_t *r)
{
 if (!r)
   return;
 while (r->pending_connections) {
   pending_connection_t *victim = r->pending_connections;
   r->pending_connections = victim->next;
   tor_free(victim);
 }
 if (r->res_status_hostname == RES_STATUS_DONE_OK)
   tor_free(r->result_ptr.hostname);
 r->magic = 0xFF00FF00;
 tor_free(r);
}

/** Compare two cached_resolve_t pointers by expiry time, and return
* less-than-zero, zero, or greater-than-zero as appropriate. Used for
* the priority queue implementation. */
static int
compare_cached_resolves_by_expiry_(const void *_a, const void *_b)
{
 const cached_resolve_t *a = _a, *b = _b;
 if (a->expire < b->expire)
   return -1;
 else if (a->expire == b->expire)
   return 0;
 else
   return 1;
}

/** Priority queue of cached_resolve_t objects to let us know when they
* will expire. */
static smartlist_t *cached_resolve_pqueue = NULL;

static void
cached_resolve_add_answer(cached_resolve_t *resolve,
                         int query_type,
                         int dns_result,
                         const tor_addr_t *answer_addr,
                         const char *answer_hostname,
                         uint32_t ttl)
{
 if (query_type == DNS_PTR) {
   if (resolve->res_status_hostname != RES_STATUS_INFLIGHT)
     return;

   if (dns_result == DNS_ERR_NONE && answer_hostname) {
     resolve->result_ptr.hostname = tor_strdup(answer_hostname);
     resolve->res_status_hostname = RES_STATUS_DONE_OK;
   } else {
     resolve->result_ptr.err_hostname = dns_result;
     resolve->res_status_hostname = RES_STATUS_DONE_ERR;
   }
   resolve->ttl_hostname = ttl;
 } else if (query_type == DNS_IPv4_A) {
   if (resolve->res_status_ipv4 != RES_STATUS_INFLIGHT)
     return;

   if (dns_result == DNS_ERR_NONE && answer_addr &&
       tor_addr_family(answer_addr) == AF_INET) {
     resolve->result_ipv4.addr_ipv4 = tor_addr_to_ipv4h(answer_addr);
     resolve->res_status_ipv4 = RES_STATUS_DONE_OK;
   } else {
     resolve->result_ipv4.err_ipv4 = dns_result;
     resolve->res_status_ipv4 = RES_STATUS_DONE_ERR;
   }
   resolve->ttl_ipv4 = ttl;
 } else if (query_type == DNS_IPv6_AAAA) {
   if (resolve->res_status_ipv6 != RES_STATUS_INFLIGHT)
     return;

   if (dns_result == DNS_ERR_NONE && answer_addr &&
       tor_addr_family(answer_addr) == AF_INET6) {
     memcpy(&resolve->result_ipv6.addr_ipv6,
            tor_addr_to_in6(answer_addr),
            sizeof(struct in6_addr));
     resolve->res_status_ipv6 = RES_STATUS_DONE_OK;
   } else {
     resolve->result_ipv6.err_ipv6 = dns_result;
     resolve->res_status_ipv6 = RES_STATUS_DONE_ERR;
   }
   resolve->ttl_ipv6 = ttl;
 }
}

/** Return true iff there are no in-flight requests for <b>resolve</b>. */
static int
cached_resolve_have_all_answers(const cached_resolve_t *resolve)
{
 return (resolve->res_status_ipv4 != RES_STATUS_INFLIGHT &&
         resolve->res_status_ipv6 != RES_STATUS_INFLIGHT &&
         resolve->res_status_hostname != RES_STATUS_INFLIGHT);
}

/** Set an expiry time for a cached_resolve_t, and add it to the expiry
* priority queue */
static void
set_expiry(cached_resolve_t *resolve, time_t expires)
{
 tor_assert(resolve && resolve->expire == 0);
 if (!cached_resolve_pqueue)
   cached_resolve_pqueue = smartlist_new();
 resolve->expire = expires;
 smartlist_pqueue_add(cached_resolve_pqueue,
                      compare_cached_resolves_by_expiry_,
                      offsetof(cached_resolve_t, minheap_idx),
                      resolve);
}

/** Free all storage held in the DNS cache and related structures. */
void
dns_free_all(void)
{
 cached_resolve_t **ptr, **next, *item;
 assert_cache_ok();
 if (cached_resolve_pqueue) {
   SMARTLIST_FOREACH(cached_resolve_pqueue, cached_resolve_t *, res,
     {
       if (res->state == CACHE_STATE_DONE)
         free_cached_resolve_(res);
     });
 }
 for (ptr = HT_START(cache_map, &cache_root); ptr != NULL; ptr = next) {
   item = *ptr;
   next = HT_NEXT_RMV(cache_map, &cache_root, ptr);
   free_cached_resolve_(item);
 }
 HT_CLEAR(cache_map, &cache_root);
 smartlist_free(cached_resolve_pqueue);
 cached_resolve_pqueue = NULL;
 tor_free(resolv_conf_fname);
}

/** Remove every cached_resolve whose <b>expire</b> time is before or
* equal to <b>now</b> from the cache. */
static void
purge_expired_resolves(time_t now)
{
 cached_resolve_t *resolve, *removed;
 pending_connection_t *pend;
 edge_connection_t *pendconn;

 assert_cache_ok();
 if (!cached_resolve_pqueue)
   return;

 while (smartlist_len(cached_resolve_pqueue)) {
   resolve = smartlist_get(cached_resolve_pqueue, 0);
   if (resolve->expire > now)
     break;
   smartlist_pqueue_pop(cached_resolve_pqueue,
                        compare_cached_resolves_by_expiry_,
                        offsetof(cached_resolve_t, minheap_idx));

   if (resolve->state == CACHE_STATE_PENDING) {
     log_debug(LD_EXIT,
               "Expiring a dns resolve %s that's still pending. Forgot to "
               "cull it? DNS resolve didn't tell us about the timeout?",
               escaped_safe_str(resolve->address));
   } else if (resolve->state == CACHE_STATE_CACHED) {
     log_debug(LD_EXIT,
               "Forgetting old cached resolve (address %s, expires %lu)",
               escaped_safe_str(resolve->address),
               (unsigned long)resolve->expire);
     tor_assert(!resolve->pending_connections);
   } else {
     tor_assert(resolve->state == CACHE_STATE_DONE);
     tor_assert(!resolve->pending_connections);
   }

   if (resolve->pending_connections) {
     log_debug(LD_EXIT,
               "Closing pending connections on timed-out DNS resolve!");
     while (resolve->pending_connections) {
       pend = resolve->pending_connections;
       resolve->pending_connections = pend->next;
       /* Connections should only be pending if they have no socket. */
       tor_assert(!SOCKET_OK(pend->conn->base_.s));
       pendconn = pend->conn;
       /* Prevent double-remove */
       pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
       if (!pendconn->base_.marked_for_close) {
         connection_edge_end(pendconn, END_STREAM_REASON_TIMEOUT);
         circuit_detach_stream(circuit_get_by_edge_conn(pendconn), pendconn);
         connection_free_(TO_CONN(pendconn));
       }
       tor_free(pend);
     }
   }

   if (resolve->state == CACHE_STATE_CACHED ||
       resolve->state == CACHE_STATE_PENDING) {
     removed = HT_REMOVE(cache_map, &cache_root, resolve);
     if (removed != resolve) {
       log_err(LD_BUG, "The expired resolve we purged didn't match any in"
               " the cache. Tried to purge %s (%p); instead got %s (%p).",
               resolve->address, (void*)resolve,
               removed ? removed->address : "NULL", (void*)removed);
     }
     tor_assert(removed == resolve);
   } else {
     /* This should be in state DONE. Make sure it's not in the cache. */
     cached_resolve_t *tmp = HT_FIND(cache_map, &cache_root, resolve);
     tor_assert(tmp != resolve);
   }
   if (resolve->res_status_hostname == RES_STATUS_DONE_OK)
     tor_free(resolve->result_ptr.hostname);
   resolve->magic = 0xF0BBF0BB;
   tor_free(resolve);
 }

 assert_cache_ok();
}

/* argument for send_resolved_cell only, meaning "let the answer type be ipv4
* or ipv6 depending on the connection's address". */
#define RESOLVED_TYPE_AUTO 0xff

/** Send a response to the RESOLVE request of a connection.
* <b>answer_type</b> must be one of
* RESOLVED_TYPE_(AUTO|ERROR|ERROR_TRANSIENT|).
*
* If <b>circ</b> is provided, and we have a cached answer, send the
* answer back along circ; otherwise, send the answer back along
* <b>conn</b>'s attached circuit.
*/
MOCK_IMPL(STATIC void,
send_resolved_cell,(edge_connection_t *conn, uint8_t answer_type,
                   const cached_resolve_t *resolved))
{
 // (We use the minimum here to ensure that we never
 // generate a too-big message.)
 char buf[RELAY_PAYLOAD_SIZE_MIN], *cp = buf;
 size_t buflen = 0;
 uint32_t ttl = RESOLVED_CLIPPED_TTL;

 buf[0] = answer_type;

 switch (answer_type)
   {
   case RESOLVED_TYPE_AUTO:
     if (resolved && resolved->res_status_ipv4 == RES_STATUS_DONE_OK) {
       cp[0] = RESOLVED_TYPE_IPV4;
       cp[1] = 4;
       set_uint32(cp+2, htonl(resolved->result_ipv4.addr_ipv4));
       set_uint32(cp+6, htonl(ttl));
       cp += 10;
     }
     if (resolved && resolved->res_status_ipv6 == RES_STATUS_DONE_OK) {
       const uint8_t *bytes = resolved->result_ipv6.addr_ipv6.s6_addr;
       cp[0] = RESOLVED_TYPE_IPV6;
       cp[1] = 16;
       memcpy(cp+2, bytes, 16);
       set_uint32(cp+18, htonl(ttl));
       cp += 22;
     }
     if (cp != buf) {
       buflen = cp - buf;
       break;
     } else {
       answer_type = RESOLVED_TYPE_ERROR;
       /* We let this fall through and treat it as an error. */
     }
     FALLTHROUGH;
   case RESOLVED_TYPE_ERROR_TRANSIENT:
   case RESOLVED_TYPE_ERROR:
     {
       const char *errmsg = "Error resolving hostname";
       size_t msglen = strlen(errmsg);

       buf[0] = answer_type;
       buf[1] = msglen;
       strlcpy(buf+2, errmsg, sizeof(buf)-2);
       set_uint32(buf+2+msglen, htonl(ttl));
       buflen = 6+msglen;
       break;
     }
   default:
     tor_assert(0);
     return;
   }
 // log_notice(LD_EXIT, "Sending a regular RESOLVED reply: ");

 connection_edge_send_command(conn, RELAY_COMMAND_RESOLVED, buf, buflen);
}

void
dns_send_resolved_error_cell(edge_connection_t *conn, uint8_t answer_type)
{
 send_resolved_cell(conn, answer_type, NULL);
}

/** Send a response to the RESOLVE request of a connection for an in-addr.arpa
* address on connection <b>conn</b> which yielded the result <b>hostname</b>.
* The answer type will be RESOLVED_HOSTNAME.
*
* If <b>circ</b> is provided, and we have a cached answer, send the
* answer back along circ; otherwise, send the answer back along
* <b>conn</b>'s attached circuit.
*/
MOCK_IMPL(STATIC void,
send_resolved_hostname_cell,(edge_connection_t *conn,
                            const char *hostname))
{
 char buf[RELAY_PAYLOAD_SIZE_MAX];
 size_t buflen;
 uint32_t ttl = RESOLVED_CLIPPED_TTL;

 if (BUG(!hostname))
   return;

 size_t namelen = strlen(hostname);

 if (BUG(namelen >= 256)) {
   return;
 }

 buf[0] = RESOLVED_TYPE_HOSTNAME;
 buf[1] = (uint8_t)namelen;
 memcpy(buf+2, hostname, namelen);
 set_uint32(buf+2+namelen, htonl(ttl));
 buflen = 2+namelen+4;

 // log_notice(LD_EXIT, "Sending a reply RESOLVED reply: %s", hostname);
 connection_edge_send_command(conn, RELAY_COMMAND_RESOLVED, buf, buflen);
 // log_notice(LD_EXIT, "Sent");
}

/** See if we have a cache entry for <b>exitconn</b>-\>address. If so,
* if resolve valid, put it into <b>exitconn</b>-\>addr and return 1.
* If resolve failed, free exitconn and return -1.
*
* (For EXIT_PURPOSE_RESOLVE connections, send back a RESOLVED error cell
* on returning -1.  For EXIT_PURPOSE_CONNECT connections, there's no
* need to send back an END cell, since connection_exit_begin_conn will
* do that for us.)
*
* If we have a cached answer, send the answer back along <b>exitconn</b>'s
* circuit.
*
* Else, if seen before and pending, add conn to the pending list,
* and return 0.
*
* Else, if not seen before, add conn to pending list, hand to
* dns farm, and return 0.
*
* Exitconn's on_circuit field must be set, but exitconn should not
* yet be linked onto the n_streams/resolving_streams list of that circuit.
* On success, link the connection to n_streams if it's an exit connection.
* On "pending", link the connection to resolving streams.  Otherwise,
* clear its on_circuit field.
*/
int
dns_resolve(edge_connection_t *exitconn)
{
 or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
 int is_resolve, r;
 int made_connection_pending = 0;
 char *hostname = NULL;
 cached_resolve_t *resolve = NULL;
 is_resolve = exitconn->base_.purpose == EXIT_PURPOSE_RESOLVE;

 r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname,
                      &made_connection_pending, &resolve);

 switch (r) {
   case 1:
     /* We got an answer without a lookup -- either the answer was
      * cached, or it was obvious (like an IP address). */
     if (is_resolve) {
       /* Send the answer back right now, and detach. */
       if (hostname)
         send_resolved_hostname_cell(exitconn, hostname);
       else
         send_resolved_cell(exitconn, RESOLVED_TYPE_AUTO, resolve);
       exitconn->on_circuit = NULL;
     } else {
       /* Add to the n_streams list; the calling function will send back a
        * connected cell. */
       exitconn->next_stream = oncirc->n_streams;
       oncirc->n_streams = exitconn;
       conflux_update_n_streams(oncirc, exitconn);
     }
     break;
   case 0:
     /* The request is pending: add the connection into the linked list of
      * resolving_streams on this circuit. */
     exitconn->base_.state = EXIT_CONN_STATE_RESOLVING;
     exitconn->next_stream = oncirc->resolving_streams;
     oncirc->resolving_streams = exitconn;
     conflux_update_resolving_streams(oncirc, exitconn);
     break;
   case -2:
   case -1:
     /* The request failed before it could start: cancel this connection,
      * and stop everybody waiting for the same connection. */
     if (is_resolve) {
       send_resolved_cell(exitconn,
            (r == -1) ? RESOLVED_TYPE_ERROR : RESOLVED_TYPE_ERROR_TRANSIENT,
            NULL);
     }

     exitconn->on_circuit = NULL;

     dns_cancel_pending_resolve(exitconn->base_.address);

     if (!made_connection_pending && !exitconn->base_.marked_for_close) {
       /* If we made the connection pending, then we freed it already in
        * dns_cancel_pending_resolve().  If we marked it for close, it'll
        * get freed from the main loop.  Otherwise, can free it now. */
       connection_free_(TO_CONN(exitconn));
     }
     break;
   default:
     tor_assert(0);
 }

 tor_free(hostname);
 return r;
}

/** Helper function for dns_resolve: same functionality, but does not handle:
*     - marking connections on error and clearing their on_circuit
*     - linking connections to n_streams/resolving_streams,
*     - sending resolved cells if we have an answer/error right away,
*
* Return -2 on a transient error. If it's a reverse resolve and it's
* successful, sets *<b>hostname_out</b> to a newly allocated string
* holding the cached reverse DNS value.
*
* Set *<b>made_connection_pending_out</b> to true if we have placed
* <b>exitconn</b> on the list of pending connections for some resolve; set it
* to false otherwise.
*
* Set *<b>resolve_out</b> to a cached resolve, if we found one.
*/
MOCK_IMPL(STATIC int,
dns_resolve_impl,(edge_connection_t *exitconn, int is_resolve,
                or_circuit_t *oncirc, char **hostname_out,
                int *made_connection_pending_out,
                cached_resolve_t **resolve_out))
{
 cached_resolve_t *resolve;
 cached_resolve_t search;
 pending_connection_t *pending_connection;
 int is_reverse = 0;
 tor_addr_t addr;
 time_t now = time(NULL);
 int r;
 assert_connection_ok(TO_CONN(exitconn), 0);
 tor_assert(!SOCKET_OK(exitconn->base_.s));
 assert_cache_ok();
 tor_assert(oncirc);
 *made_connection_pending_out = 0;

 /* first check if exitconn->base_.address is an IP. If so, we already
  * know the answer. */
 if (tor_addr_parse(&addr, exitconn->base_.address) >= 0) {
   if (tor_addr_family(&addr) == AF_INET ||
       tor_addr_family(&addr) == AF_INET6) {
     tor_addr_copy(&exitconn->base_.addr, &addr);
     exitconn->address_ttl = DEFAULT_DNS_TTL;
     return 1;
   } else {
     /* XXXX unspec? Bogus? */
     return -1;
   }
 }

 /* If we're a non-exit, don't even do DNS lookups. */
 if (router_my_exit_policy_is_reject_star())
   return -1;

 if (address_is_invalid_destination(exitconn->base_.address, 0)) {
   tor_log(LOG_PROTOCOL_WARN, LD_EXIT,
       "Rejecting invalid destination address %s",
       escaped_safe_str(exitconn->base_.address));
   return -1;
 }

 /* then take this opportunity to see if there are any expired
  * resolves in the hash table. */
 purge_expired_resolves(now);

 /* lower-case exitconn->base_.address, so it's in canonical form */
 tor_strlower(exitconn->base_.address);

 /* Check whether this is a reverse lookup.  If it's malformed, or it's a
  * .in-addr.arpa address but this isn't a resolve request, kill the
  * connection.
  */
 if ((r = tor_addr_parse_PTR_name(&addr, exitconn->base_.address,
                                             AF_UNSPEC, 0)) != 0) {
   if (r == 1) {
     is_reverse = 1;
     if (tor_addr_is_internal(&addr, 0)) /* internal address? */
       return -1;
   }

   if (!is_reverse || !is_resolve) {
     if (!is_reverse)
       log_info(LD_EXIT, "Bad .in-addr.arpa address %s; sending error.",
                escaped_safe_str(exitconn->base_.address));
     else if (!is_resolve)
       log_info(LD_EXIT,
                "Attempt to connect to a .in-addr.arpa address %s; "
                "sending error.",
                escaped_safe_str(exitconn->base_.address));

     return -1;
   }
   //log_notice(LD_EXIT, "Looks like an address %s",
   //exitconn->base_.address);
 }
 exitconn->is_reverse_dns_lookup = is_reverse;

 /* now check the hash table to see if 'address' is already there. */
 strlcpy(search.address, exitconn->base_.address, sizeof(search.address));
 resolve = HT_FIND(cache_map, &cache_root, &search);
 if (resolve && resolve->expire > now) { /* already there */
   switch (resolve->state) {
     case CACHE_STATE_PENDING:
       /* add us to the pending list */
       pending_connection = tor_malloc_zero(
                                     sizeof(pending_connection_t));
       pending_connection->conn = exitconn;
       pending_connection->next = resolve->pending_connections;
       resolve->pending_connections = pending_connection;
       *made_connection_pending_out = 1;
       log_debug(LD_EXIT,"Connection (fd "TOR_SOCKET_T_FORMAT") waiting "
                 "for pending DNS resolve of %s", exitconn->base_.s,
                 escaped_safe_str(exitconn->base_.address));
       return 0;
     case CACHE_STATE_CACHED:
       log_debug(LD_EXIT,"Connection (fd "TOR_SOCKET_T_FORMAT") found "
                 "cached answer for %s",
                 exitconn->base_.s,
                 escaped_safe_str(resolve->address));

       *resolve_out = resolve;

       return set_exitconn_info_from_resolve(exitconn, resolve, hostname_out);
     case CACHE_STATE_DONE:
       log_err(LD_BUG, "Found a 'DONE' dns resolve still in the cache.");
       tor_fragile_assert();
   }
   tor_assert(0);
 }
 tor_assert(!resolve);
 /* not there, need to add it */
 resolve = tor_malloc_zero(sizeof(cached_resolve_t));
 resolve->magic = CACHED_RESOLVE_MAGIC;
 resolve->state = CACHE_STATE_PENDING;
 resolve->minheap_idx = -1;
 strlcpy(resolve->address, exitconn->base_.address, sizeof(resolve->address));

 /* add this connection to the pending list */
 pending_connection = tor_malloc_zero(sizeof(pending_connection_t));
 pending_connection->conn = exitconn;
 resolve->pending_connections = pending_connection;
 *made_connection_pending_out = 1;

 /* Add this resolve to the cache and priority queue. */
 HT_INSERT(cache_map, &cache_root, resolve);
 set_expiry(resolve, now + RESOLVE_MAX_TIMEOUT);

 log_debug(LD_EXIT,"Launching %s.",
           escaped_safe_str(exitconn->base_.address));
 assert_cache_ok();

 return launch_resolve(resolve);
}

/** Given an exit connection <b>exitconn</b>, and a cached_resolve_t
* <b>resolve</b> whose DNS lookups have all either succeeded or failed,
* update the appropriate fields (address_ttl and addr) of <b>exitconn</b>.
*
* The logic can be complicated here, since we might have launched both
* an A lookup and an AAAA lookup, and since either of those might have
* succeeded or failed, and since we want to answer a RESOLVE cell with
* a full answer but answer a BEGIN cell with whatever answer the client
* would accept <i>and</i> we could still connect to.
*
* If this is a reverse lookup, set *<b>hostname_out</b> to a newly allocated
* copy of the name resulting hostname.
*
* Return -2 on a transient error, -1 on a permenent error, and 1 on
* a successful lookup.
*/
MOCK_IMPL(STATIC int,
set_exitconn_info_from_resolve,(edge_connection_t *exitconn,
                               const cached_resolve_t *resolve,
                               char **hostname_out))
{
 int ipv4_ok, ipv6_ok, answer_with_ipv4, r;
 uint32_t begincell_flags;
 const int is_resolve = exitconn->base_.purpose == EXIT_PURPOSE_RESOLVE;
 tor_assert(exitconn);
 tor_assert(resolve);

 if (exitconn->is_reverse_dns_lookup) {
   exitconn->address_ttl = resolve->ttl_hostname;
   if (resolve->res_status_hostname == RES_STATUS_DONE_OK) {
     *hostname_out = tor_strdup(resolve->result_ptr.hostname);
     return 1;
   } else {
     return -1;
   }
 }

 /* If we're here then the connection wants one or either of ipv4, ipv6, and
  * we can give it one or both. */
 if (is_resolve) {
   begincell_flags = BEGIN_FLAG_IPV6_OK;
 } else {
   begincell_flags = exitconn->begincell_flags;
 }

 ipv4_ok = (resolve->res_status_ipv4 == RES_STATUS_DONE_OK) &&
   ! (begincell_flags & BEGIN_FLAG_IPV4_NOT_OK);
 ipv6_ok = (resolve->res_status_ipv6 == RES_STATUS_DONE_OK) &&
   (begincell_flags & BEGIN_FLAG_IPV6_OK) &&
   get_options()->IPv6Exit;

 /* Now decide which one to actually give. */
 if (ipv4_ok && ipv6_ok && is_resolve) {
   answer_with_ipv4 = 1;
 } else if (ipv4_ok && ipv6_ok) {
   /* If we have both, see if our exit policy has an opinion. */
   const uint16_t port = exitconn->base_.port;
   int ipv4_allowed, ipv6_allowed;
   tor_addr_t a4, a6;
   tor_addr_from_ipv4h(&a4, resolve->result_ipv4.addr_ipv4);
   tor_addr_from_in6(&a6, &resolve->result_ipv6.addr_ipv6);
   ipv4_allowed = !router_compare_to_my_exit_policy(&a4, port);
   ipv6_allowed = !router_compare_to_my_exit_policy(&a6, port);
   if (ipv4_allowed && !ipv6_allowed) {
     answer_with_ipv4 = 1;
   } else if (ipv6_allowed && !ipv4_allowed) {
     answer_with_ipv4 = 0;
   } else {
     /* Our exit policy would permit both.  Answer with whichever the user
      * prefers */
     answer_with_ipv4 = !(begincell_flags &
                          BEGIN_FLAG_IPV6_PREFERRED);
   }
 } else {
   /* Otherwise if one is okay, send it back. */
   if (ipv4_ok) {
     answer_with_ipv4 = 1;
   } else if (ipv6_ok) {
     answer_with_ipv4 = 0;
   } else {
     /* Neither one was okay. Choose based on user preference. */
     answer_with_ipv4 = !(begincell_flags &
                          BEGIN_FLAG_IPV6_PREFERRED);
   }
 }

 /* Finally, we write the answer back. */
 r = 1;
 if (answer_with_ipv4) {
   if (resolve->res_status_ipv4 == RES_STATUS_DONE_OK) {
     tor_addr_from_ipv4h(&exitconn->base_.addr,
                         resolve->result_ipv4.addr_ipv4);
   } else {
     r = evdns_err_is_transient(resolve->result_ipv4.err_ipv4) ? -2 : -1;
   }

   exitconn->address_ttl = resolve->ttl_ipv4;
 } else {
   if (resolve->res_status_ipv6 == RES_STATUS_DONE_OK) {
     tor_addr_from_in6(&exitconn->base_.addr,
                       &resolve->result_ipv6.addr_ipv6);
   } else {
     r = evdns_err_is_transient(resolve->result_ipv6.err_ipv6) ? -2 : -1;
   }

   exitconn->address_ttl = resolve->ttl_ipv6;
 }

 return r;
}

/** Log an error and abort if conn is waiting for a DNS resolve.
*/
void
assert_connection_edge_not_dns_pending(edge_connection_t *conn)
{
 pending_connection_t *pend;
 cached_resolve_t search;

#if 1
 cached_resolve_t *resolve;
 strlcpy(search.address, conn->base_.address, sizeof(search.address));
 resolve = HT_FIND(cache_map, &cache_root, &search);
 if (!resolve)
   return;
 for (pend = resolve->pending_connections; pend; pend = pend->next) {
   tor_assert(pend->conn != conn);
 }
#else /* !(1) */
 cached_resolve_t **resolve;
 HT_FOREACH(resolve, cache_map, &cache_root) {
   for (pend = (*resolve)->pending_connections; pend; pend = pend->next) {
     tor_assert(pend->conn != conn);
   }
 }
#endif /* 1 */
}

/** Remove <b>conn</b> from the list of connections waiting for conn-\>address.
*/
void
connection_dns_remove(edge_connection_t *conn)
{
 pending_connection_t *pend, *victim;
 cached_resolve_t search;
 cached_resolve_t *resolve;

 tor_assert(conn->base_.type == CONN_TYPE_EXIT);
 tor_assert(conn->base_.state == EXIT_CONN_STATE_RESOLVING);

 strlcpy(search.address, conn->base_.address, sizeof(search.address));

 resolve = HT_FIND(cache_map, &cache_root, &search);
 if (!resolve) {
   log_notice(LD_BUG, "Address %s is not pending. Dropping.",
              escaped_safe_str(conn->base_.address));
   return;
 }

 tor_assert(resolve->pending_connections);
 assert_connection_ok(TO_CONN(conn),0);

 pend = resolve->pending_connections;

 if (pend->conn == conn) {
   resolve->pending_connections = pend->next;
   tor_free(pend);
   log_debug(LD_EXIT, "First connection (fd "TOR_SOCKET_T_FORMAT") no "
             "longer waiting for resolve of %s",
             conn->base_.s,
             escaped_safe_str(conn->base_.address));
   return;
 } else {
   for ( ; pend->next; pend = pend->next) {
     if (pend->next->conn == conn) {
       victim = pend->next;
       pend->next = victim->next;
       tor_free(victim);
       log_debug(LD_EXIT,
                 "Connection (fd "TOR_SOCKET_T_FORMAT") no longer waiting "
                 "for resolve of %s",
                 conn->base_.s, escaped_safe_str(conn->base_.address));
       return; /* more are pending */
     }
   }
   log_warn(LD_BUG, "Connection (fd "TOR_SOCKET_T_FORMAT") was not waiting "
            "for a resolve of %s, but we tried to remove it.",
            conn->base_.s, escaped_safe_str(conn->base_.address));
 }
}

/** Mark all connections waiting for <b>address</b> for close.  Then cancel
* the resolve for <b>address</b> itself, and remove any cached results for
* <b>address</b> from the cache.
*/
MOCK_IMPL(STATIC void,
dns_cancel_pending_resolve,(const char *address))
{
 pending_connection_t *pend;
 cached_resolve_t search;
 cached_resolve_t *resolve, *tmp;
 edge_connection_t *pendconn;
 circuit_t *circ;

 strlcpy(search.address, address, sizeof(search.address));

 resolve = HT_FIND(cache_map, &cache_root, &search);
 if (!resolve)
   return;

 if (resolve->state != CACHE_STATE_PENDING) {
   /* We can get into this state if we never actually created the pending
    * resolve, due to finding an earlier cached error or something.  Just
    * ignore it. */
   if (resolve->pending_connections) {
     log_warn(LD_BUG,
              "Address %s is not pending but has pending connections!",
              escaped_safe_str(address));
     tor_fragile_assert();
   }
   return;
 }

 if (!resolve->pending_connections) {
   log_warn(LD_BUG,
            "Address %s is pending but has no pending connections!",
            escaped_safe_str(address));
   tor_fragile_assert();
   return;
 }
 tor_assert(resolve->pending_connections);

 /* mark all pending connections to fail */
 log_debug(LD_EXIT,
            "Failing all connections waiting on DNS resolve of %s",
            escaped_safe_str(address));
 while (resolve->pending_connections) {
   pend = resolve->pending_connections;
   pend->conn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
   pendconn = pend->conn;
   assert_connection_ok(TO_CONN(pendconn), 0);
   tor_assert(!SOCKET_OK(pendconn->base_.s));
   if (!pendconn->base_.marked_for_close) {
     connection_edge_end(pendconn, END_STREAM_REASON_RESOLVEFAILED);
   }
   circ = circuit_get_by_edge_conn(pendconn);
   if (circ)
     circuit_detach_stream(circ, pendconn);
   if (!pendconn->base_.marked_for_close)
     connection_free_(TO_CONN(pendconn));
   resolve->pending_connections = pend->next;
   tor_free(pend);
 }

 tmp = HT_REMOVE(cache_map, &cache_root, resolve);
 if (tmp != resolve) {
   log_err(LD_BUG, "The cancelled resolve we purged didn't match any in"
           " the cache. Tried to purge %s (%p); instead got %s (%p).",
           resolve->address, (void*)resolve,
           tmp ? tmp->address : "NULL", (void*)tmp);
 }
 tor_assert(tmp == resolve);

 resolve->state = CACHE_STATE_DONE;
}

/** Return true iff <b>address</b> is one of the addresses we use to verify
* that well-known sites aren't being hijacked by our DNS servers. */
static inline int
is_test_address(const char *address)
{
 const or_options_t *options = get_options();
 return options->ServerDNSTestAddresses &&
   smartlist_contains_string_case(options->ServerDNSTestAddresses, address);
}

/** Called on the OR side when the eventdns library tells us the outcome of a
* single DNS resolve: remember the answer, and tell all pending connections
* about the result of the lookup if the lookup is now done.  (<b>address</b>
* is a NUL-terminated string containing the address to look up;
* <b>query_type</b> is one of DNS_{IPv4_A,IPv6_AAAA,PTR}; <b>dns_answer</b>
* is DNS_OK or one of DNS_ERR_*, <b>addr</b> is an IPv4 or IPv6 address if we
* got one; <b>hostname</b> is a hostname fora PTR request if we got one, and
* <b>ttl</b> is the time-to-live of this answer, in seconds.)
*/
static void
dns_found_answer(const char *address, uint8_t query_type,
                int dns_answer,
                const tor_addr_t *addr,
                const char *hostname, uint32_t ttl)
{
 cached_resolve_t search;
 cached_resolve_t *resolve;

 assert_cache_ok();

 strlcpy(search.address, address, sizeof(search.address));

 resolve = HT_FIND(cache_map, &cache_root, &search);
 if (!resolve) {
   int is_test_addr = is_test_address(address);
   if (!is_test_addr)
     log_info(LD_EXIT,"Resolved unasked address %s; ignoring.",
              escaped_safe_str(address));
   return;
 }
 assert_resolve_ok(resolve);

 if (resolve->state != CACHE_STATE_PENDING) {
   /* XXXX Maybe update addr? or check addr for consistency? Or let
    * VALID replace FAILED? */
   int is_test_addr = is_test_address(address);
   if (!is_test_addr)
     log_notice(LD_EXIT,
                "Resolved %s which was already resolved; ignoring",
                escaped_safe_str(address));
   tor_assert(resolve->pending_connections == NULL);
   return;
 }

 cached_resolve_add_answer(resolve, query_type, dns_answer,
                           addr, hostname, ttl);

 if (cached_resolve_have_all_answers(resolve)) {
   inform_pending_connections(resolve);

   make_pending_resolve_cached(resolve);
 }
}

/** Given a pending cached_resolve_t that we just finished resolving,
* inform every connection that was waiting for the outcome of that
* resolution.
*
* Do this by sending a RELAY_RESOLVED cell (if the pending stream had sent us
* a RELAY_RESOLVE cell), or by launching an exit connection (if the pending
* stream had sent us a RELAY_BEGIN cell).
*/
static void
inform_pending_connections(cached_resolve_t *resolve)
{
 pending_connection_t *pend;
 edge_connection_t *pendconn;
 int r;

 while (resolve->pending_connections) {
   char *hostname = NULL;
   pend = resolve->pending_connections;
   pendconn = pend->conn; /* don't pass complex things to the
                             connection_mark_for_close macro */
   assert_connection_ok(TO_CONN(pendconn),time(NULL));

   if (pendconn->base_.marked_for_close) {
     /* prevent double-remove. */
     pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
     resolve->pending_connections = pend->next;
     tor_free(pend);
     continue;
   }

   r = set_exitconn_info_from_resolve(pendconn,
                                      resolve,
                                      &hostname);

   if (r < 0) {
     /* prevent double-remove. */
     pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
     if (pendconn->base_.purpose == EXIT_PURPOSE_CONNECT) {
       connection_edge_end(pendconn, END_STREAM_REASON_RESOLVEFAILED);
       /* This detach must happen after we send the end cell. */
       circuit_detach_stream(circuit_get_by_edge_conn(pendconn), pendconn);
     } else {
       send_resolved_cell(pendconn, r == -1 ?
                        RESOLVED_TYPE_ERROR : RESOLVED_TYPE_ERROR_TRANSIENT,
                        NULL);
       /* This detach must happen after we send the resolved cell. */
       circuit_detach_stream(circuit_get_by_edge_conn(pendconn), pendconn);
     }
     connection_free_(TO_CONN(pendconn));
   } else {
     circuit_t *circ;
     if (pendconn->base_.purpose == EXIT_PURPOSE_CONNECT) {
       /* prevent double-remove. */
       pend->conn->base_.state = EXIT_CONN_STATE_CONNECTING;

       circ = circuit_get_by_edge_conn(pend->conn);
       tor_assert(circ);
       tor_assert(!CIRCUIT_IS_ORIGIN(circ));
       /* unlink pend->conn from resolving_streams, */
       circuit_detach_stream(circ, pend->conn);
       /* and link it to n_streams */
       pend->conn->next_stream = TO_OR_CIRCUIT(circ)->n_streams;
       pend->conn->on_circuit = circ;
       TO_OR_CIRCUIT(circ)->n_streams = pend->conn;
       conflux_update_n_streams(TO_OR_CIRCUIT(circ), pend->conn);

       connection_exit_connect(pend->conn);
     } else {
       /* prevent double-remove.  This isn't really an accurate state,
        * but it does the right thing. */
       pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
       if (pendconn->is_reverse_dns_lookup)
         send_resolved_hostname_cell(pendconn, hostname);
       else
         send_resolved_cell(pendconn, RESOLVED_TYPE_AUTO, resolve);
       circ = circuit_get_by_edge_conn(pendconn);
       tor_assert(circ);
       circuit_detach_stream(circ, pendconn);
       connection_free_(TO_CONN(pendconn));
     }
   }
   resolve->pending_connections = pend->next;
   tor_free(pend);
   tor_free(hostname);
 }
}

/** Remove a pending cached_resolve_t from the hashtable, and add a
* corresponding cached cached_resolve_t.
*
* This function is only necessary because of the perversity of our
* cache timeout code; see inline comment for ideas on eliminating it.
**/
static void
make_pending_resolve_cached(cached_resolve_t *resolve)
{
 cached_resolve_t *removed;

 resolve->state = CACHE_STATE_DONE;
 removed = HT_REMOVE(cache_map, &cache_root, resolve);
 if (removed != resolve) {
   log_err(LD_BUG, "The pending resolve we found wasn't removable from"
           " the cache. Tried to purge %s (%p); instead got %s (%p).",
           resolve->address, (void*)resolve,
           removed ? removed->address : "NULL", (void*)removed);
 }
 assert_resolve_ok(resolve);
 assert_cache_ok();
 /* The resolve will eventually just hit the time-out in the expiry queue and
 * expire. See fd0bafb0dedc7e2 for a brief explanation of how this got that
 * way.  XXXXX we could do better!*/

 {
   cached_resolve_t *new_resolve = tor_memdup(resolve,
                                              sizeof(cached_resolve_t));
   uint32_t ttl = UINT32_MAX;
   new_resolve->expire = 0; /* So that set_expiry won't croak. */
   if (resolve->res_status_hostname == RES_STATUS_DONE_OK)
     new_resolve->result_ptr.hostname =
       tor_strdup(resolve->result_ptr.hostname);

   new_resolve->state = CACHE_STATE_CACHED;

   assert_resolve_ok(new_resolve);
   HT_INSERT(cache_map, &cache_root, new_resolve);

   if ((resolve->res_status_ipv4 == RES_STATUS_DONE_OK ||
        resolve->res_status_ipv4 == RES_STATUS_DONE_ERR) &&
       resolve->ttl_ipv4 < ttl)
     ttl = resolve->ttl_ipv4;

   if ((resolve->res_status_ipv6 == RES_STATUS_DONE_OK ||
        resolve->res_status_ipv6 == RES_STATUS_DONE_ERR) &&
       resolve->ttl_ipv6 < ttl)
     ttl = resolve->ttl_ipv6;

   if ((resolve->res_status_hostname == RES_STATUS_DONE_OK ||
        resolve->res_status_hostname == RES_STATUS_DONE_ERR) &&
       resolve->ttl_hostname < ttl)
     ttl = resolve->ttl_hostname;

   set_expiry(new_resolve, time(NULL) + ttl);
 }

 assert_cache_ok();
}

/** Eventdns helper: return true iff the eventdns result <b>err</b> is
* a transient failure. */
static int
evdns_err_is_transient(int err)
{
 switch (err)
 {
   case DNS_ERR_SERVERFAILED:
   case DNS_ERR_TRUNCATED:
   case DNS_ERR_TIMEOUT:
     return 1;
   default:
     return 0;
 }
}

/**
* Return number of configured nameservers in <b>the_evdns_base</b>.
*/
size_t
number_of_configured_nameservers(void)
{
 return evdns_base_count_nameservers(the_evdns_base);
}

#ifdef HAVE_EVDNS_BASE_GET_NAMESERVER_ADDR
/**
* Return address of configured nameserver in <b>the_evdns_base</b>
* at index <b>idx</b>.
*/
tor_addr_t *
configured_nameserver_address(const size_t idx)
{
struct sockaddr_storage sa;
ev_socklen_t sa_len = sizeof(sa);

if (evdns_base_get_nameserver_addr(the_evdns_base, (int)idx,
                                   (struct sockaddr *)&sa,
                                   sa_len) > 0) {
  tor_addr_t *tor_addr = tor_malloc(sizeof(tor_addr_t));
  if (tor_addr_from_sockaddr(tor_addr,
                             (const struct sockaddr *)&sa,
                             NULL) == 0) {
    return tor_addr;
  }
  tor_free(tor_addr);
}

return NULL;
}
#endif /* defined(HAVE_EVDNS_BASE_GET_NAMESERVER_ADDR) */

/** Return a pointer to a stack allocated buffer containing the string
* representation of the exit_dns_timeout consensus parameter. */
static const char *
get_consensus_param_exit_dns_timeout(void)
{
 static char str[4];

 /* Get the Exit DNS timeout value from the consensus or default. This is in
  * milliseconds. */
#define EXIT_DNS_TIMEOUT_DEFAULT (1000)
#define EXIT_DNS_TIMEOUT_MIN (1)
#define EXIT_DNS_TIMEOUT_MAX (120000)
 int32_t val = networkstatus_get_param(NULL, "exit_dns_timeout",
                                       EXIT_DNS_TIMEOUT_DEFAULT,
                                       EXIT_DNS_TIMEOUT_MIN,
                                       EXIT_DNS_TIMEOUT_MAX);
 /* NOTE: We convert it to seconds because libevent only supports that. In the
  * future, if we support different resolver(s), we might want to specialize
  * this call. */

 /* NOTE: We also don't allow 0 and so we must cap the division to 1 second
  * else all DNS request would fail if the consensus would ever tell us a
  * value below 1000 (1 sec). */
 val = MAX(1, val / 1000);

 tor_snprintf(str, sizeof(str), "%d", val);
 return str;
}

/** Return a pointer to a stack allocated buffer containing the string
* representation of the exit_dns_num_attempts consensus parameter. */
static const char *
get_consensus_param_exit_dns_attempts(void)
{
 static char str[4];

 /* Get the Exit DNS number of attempt value from the consensus or default. */
#define EXIT_DNS_NUM_ATTEMPTS_DEFAULT (2)
#define EXIT_DNS_NUM_ATTEMPTS_MIN (0)
#define EXIT_DNS_NUM_ATTEMPTS_MAX (255)
 int32_t val = networkstatus_get_param(NULL, "exit_dns_num_attempts",
                                       EXIT_DNS_NUM_ATTEMPTS_DEFAULT,
                                       EXIT_DNS_NUM_ATTEMPTS_MIN,
                                       EXIT_DNS_NUM_ATTEMPTS_MAX);
 tor_snprintf(str, sizeof(str), "%d", val);
 return str;
}

/** Configure the libevent options. This can safely be called after
* initialization or even if the evdns base is not set. */
static void
configure_libevent_options(void)
{
 /* This is possible because we can get called when a new consensus is set
  * while the DNS subsystem is not initialized just yet. It should be
  * harmless. */
 if (!the_evdns_base) {
   return;
 }

#define SET(k,v)  evdns_base_set_option(the_evdns_base, (k), (v))

 // If we only have one nameserver, it does not make sense to back off
 // from it for a timeout. Unfortunately, the value for max-timeouts is
 // currently clamped by libevent to 255, but it does not hurt to set
 // it higher in case libevent gets a patch for this.  Higher-than-
 // default maximum of 3 with multiple nameservers to avoid spuriously
 // marking one down on bursts of timeouts resulting from scans/attacks
 // against non-responding authoritative DNS servers.
 if (evdns_base_count_nameservers(the_evdns_base) == 1) {
   SET("max-timeouts:", "1000000");
 } else {
   SET("max-timeouts:", "10");
 }

 // Elongate the queue of maximum inflight dns requests, so if a bunch
 // remain pending at the resolver (happens commonly with Unbound) we won't
 // stall every other DNS request. This potentially means some wasted
 // CPU as there's a walk over a linear queue involved, but this is a
 // much better tradeoff compared to just failing DNS requests because
 // of a full queue.
 SET("max-inflight:", "8192");

 /* Set timeout to be 1 second. This tells libevent that it shouldn't wait
  * more than N second to drop a DNS query and consider it "timed out". It is
  * very important to differentiate here a libevent timeout and a DNS server
  * timeout. And so, by setting this to N second, libevent sends back
  * "DNS_ERR_TIMEOUT" if that N second is reached which does NOT indicate that
  * the query itself timed out in transit. */
 SET("timeout:", get_consensus_param_exit_dns_timeout());

 /* This tells libevent to attempt up to X times a DNS query if the previous
  * one failed to complete within N second. We believe that this should be
  * enough to catch temporary hiccups on the first query. But after that, it
  * should signal us that it won't be able to resolve it. */
 SET("attempts:", get_consensus_param_exit_dns_attempts());

 if (get_options()->ServerDNSRandomizeCase)
   SET("randomize-case:", "1");
 else
   SET("randomize-case:", "0");

#undef SET
}

/** Configure eventdns nameservers if force is true, or if the configuration
* has changed since the last time we called this function, or if we failed on
* our last attempt.  On Unix, this reads from /etc/resolv.conf or
* options->ServerDNSResolvConfFile; on Windows, this reads from
* options->ServerDNSResolvConfFile or the registry.  Return 0 on success or
* -1 on failure. */
static int
configure_nameservers(int force)
{
 const or_options_t *options;
 const char *conf_fname;
 struct stat st;
 int r, flags;
 options = get_options();
 conf_fname = options->ServerDNSResolvConfFile;
#ifndef _WIN32
 if (!conf_fname)
   conf_fname = "/etc/resolv.conf";
#endif
 flags = DNS_OPTIONS_ALL;

 if (!the_evdns_base) {
   if (!(the_evdns_base = evdns_base_new(tor_libevent_get_base(), 0))) {
     log_err(LD_BUG, "Couldn't create an evdns_base");
     return -1;
   }
 }

 evdns_set_log_fn(evdns_log_cb);
 if (conf_fname) {
   log_debug(LD_FS, "stat()ing %s", conf_fname);
   int missing_resolv_conf = 0;
   int stat_res = stat(sandbox_intern_string(conf_fname), &st);

   if (stat_res) {
     log_warn(LD_EXIT, "Unable to stat resolver configuration in '%s': %s",
              conf_fname, strerror(errno));
     missing_resolv_conf = 1;
   } else if (!force && resolv_conf_fname &&
              !strcmp(conf_fname,resolv_conf_fname)
       && st.st_mtime == resolv_conf_mtime) {
     log_info(LD_EXIT, "No change to '%s'", conf_fname);
     return 0;
   }

   if (stat_res == 0 && st.st_size == 0)
     missing_resolv_conf = 1;

   if (nameservers_configured) {
     evdns_base_search_clear(the_evdns_base);
     evdns_base_clear_nameservers_and_suspend(the_evdns_base);
   }
#if defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP)
   if (flags & DNS_OPTION_HOSTSFILE) {
     flags ^= DNS_OPTION_HOSTSFILE;
     log_debug(LD_FS, "Loading /etc/hosts");
     evdns_base_load_hosts(the_evdns_base,
         sandbox_intern_string("/etc/hosts"));
   }
#endif /* defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP) */

   if (!missing_resolv_conf) {
     log_info(LD_EXIT, "Parsing resolver configuration in '%s'", conf_fname);
     if ((r = evdns_base_resolv_conf_parse(the_evdns_base, flags,
         sandbox_intern_string(conf_fname)))) {
       log_warn(LD_EXIT, "Unable to parse '%s', or no nameservers "
                         "in '%s' (%d)", conf_fname, conf_fname, r);

       if (r != 6) // "r = 6" means "no DNS servers were in resolv.conf" -
         goto err; // in which case we expect libevent to add 127.0.0.1 as
                   // fallback.
     }
     if (evdns_base_count_nameservers(the_evdns_base) == 0) {
       log_warn(LD_EXIT, "Unable to find any nameservers in '%s'.",
                conf_fname);
     }

     tor_free(resolv_conf_fname);
     resolv_conf_fname = tor_strdup(conf_fname);
     resolv_conf_mtime = st.st_mtime;
   } else {
     log_warn(LD_EXIT, "Could not read your DNS config from '%s' - "
                       "please investigate your DNS configuration. "
                       "This is possibly a problem. Meanwhile, falling"
                       " back to local DNS at 127.0.0.1.", conf_fname);
     evdns_base_nameserver_ip_add(the_evdns_base, "127.0.0.1");
   }

   if (nameservers_configured)
     evdns_base_resume(the_evdns_base);
 }
#ifdef _WIN32
 else {
   if (nameservers_configured) {
     evdns_base_search_clear(the_evdns_base);
     evdns_base_clear_nameservers_and_suspend(the_evdns_base);
   }
   if (evdns_base_config_windows_nameservers(the_evdns_base))  {
     log_warn(LD_EXIT,"Could not config nameservers.");
     goto err;
   }
   if (evdns_base_count_nameservers(the_evdns_base) == 0) {
     log_warn(LD_EXIT, "Unable to find any platform nameservers in "
              "your Windows configuration.");
     goto err;
   }
   if (nameservers_configured)
     evdns_base_resume(the_evdns_base);
   tor_free(resolv_conf_fname);
   resolv_conf_mtime = 0;
 }
#endif /* defined(_WIN32) */

 /* Setup libevent options. */
 configure_libevent_options();

 /* Relaunch periodical DNS check event. */
 dns_servers_relaunch_checks();

 nameservers_configured = 1;
 if (nameserver_config_failed) {
   nameserver_config_failed = 0;
   /* XXX the three calls to republish the descriptor might be producing
    * descriptors that are only cosmetically different, especially on
    * non-exit relays! -RD */
   mark_my_descriptor_dirty("dns resolvers back");
 }
 return 0;
err:
 nameservers_configured = 0;
 if (! nameserver_config_failed) {
   nameserver_config_failed = 1;
   mark_my_descriptor_dirty("dns resolvers failed");
 }
 return -1;
}

/** For eventdns: Called when we get an answer for a request we launched.
* See eventdns.h for arguments; 'arg' holds the address we tried to resolve.
*/
static void
evdns_callback(int result, char type, int count, int ttl, void *addresses,
              void *arg)
{
 char *arg_ = arg;
 uint8_t orig_query_type = arg_[0];
 char *string_address = arg_ + 1;
 tor_addr_t addr;
 const char *hostname = NULL;
 int was_wildcarded = 0;

 tor_addr_make_unspec(&addr);

 /* Keep track of whether IPv6 is working */
 if (type == DNS_IPv6_AAAA) {
   if (result == DNS_ERR_TIMEOUT) {
     ++n_ipv6_timeouts;
   }

   if (n_ipv6_timeouts > 10 &&
       n_ipv6_timeouts > n_ipv6_requests_made / 2) {
     if (! dns_is_broken_for_ipv6) {
       log_notice(LD_EXIT, "More than half of our IPv6 requests seem to "
                  "have timed out. I'm going to assume I can't get AAAA "
                  "responses.");
       dns_is_broken_for_ipv6 = 1;
     }
   }
 }

 if (result == DNS_ERR_NONE) {
   if (type == DNS_IPv4_A && count) {
     char answer_buf[INET_NTOA_BUF_LEN+1];
     char *escaped_address;
     uint32_t *addrs = addresses;
     tor_addr_from_ipv4n(&addr, addrs[0]);

     tor_addr_to_str(answer_buf, &addr, sizeof(answer_buf), 0);
     escaped_address = esc_for_log(string_address);

     if (answer_is_wildcarded(answer_buf)) {
       log_debug(LD_EXIT, "eventdns said that %s resolves to ISP-hijacked "
                 "address %s; treating as a failure.",
                 safe_str(escaped_address),
                 escaped_safe_str(answer_buf));
       was_wildcarded = 1;
       tor_addr_make_unspec(&addr);
       result = DNS_ERR_NOTEXIST;
     } else {
       log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
                 safe_str(escaped_address),
                 escaped_safe_str(answer_buf));
     }
     tor_free(escaped_address);
   } else if (type == DNS_IPv6_AAAA && count) {
     char answer_buf[TOR_ADDR_BUF_LEN];
     char *escaped_address;
     const char *ip_str;
     struct in6_addr *addrs = addresses;
     tor_addr_from_in6(&addr, &addrs[0]);
     ip_str = tor_inet_ntop(AF_INET6, &addrs[0], answer_buf,
                            sizeof(answer_buf));
     escaped_address = esc_for_log(string_address);

     if (BUG(ip_str == NULL)) {
       log_warn(LD_EXIT, "tor_inet_ntop() failed!");
       result = DNS_ERR_NOTEXIST;
     } else if (answer_is_wildcarded(answer_buf)) {
       log_debug(LD_EXIT, "eventdns said that %s resolves to ISP-hijacked "
                 "address %s; treating as a failure.",
                 safe_str(escaped_address),
                 escaped_safe_str(answer_buf));
       was_wildcarded = 1;
       tor_addr_make_unspec(&addr);
       result = DNS_ERR_NOTEXIST;
     } else {
       log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
                 safe_str(escaped_address),
                 escaped_safe_str(answer_buf));
     }
     tor_free(escaped_address);
   } else if (type == DNS_PTR && count) {
     char *escaped_address;
     hostname = ((char**)addresses)[0];
     escaped_address = esc_for_log(string_address);
     log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
               safe_str(escaped_address),
               escaped_safe_str(hostname));
     tor_free(escaped_address);
   } else if (count) {
     log_info(LD_EXIT, "eventdns returned only unrecognized answer types "
              " for %s.",
              escaped_safe_str(string_address));
   } else {
     log_info(LD_EXIT, "eventdns returned no addresses or error for %s.",
              escaped_safe_str(string_address));
   }
 }
 if (was_wildcarded) {
   if (is_test_address(string_address)) {
     /* Ick.  We're getting redirected on known-good addresses.  Our DNS
      * server must really hate us.  */
     add_wildcarded_test_address(string_address);
   }
 }

 if (orig_query_type && type && orig_query_type != type) {
   log_warn(LD_BUG, "Weird; orig_query_type == %d but type == %d",
            (int)orig_query_type, (int)type);
 }
 if (result != DNS_ERR_SHUTDOWN)
   dns_found_answer(string_address, orig_query_type,
                    result, &addr, hostname, clip_dns_fuzzy_ttl(ttl));

 /* The result can be changed within this function thus why we note the result
  * at the end. */
 rep_hist_note_dns_error(type, result);

 tor_free(arg_);
}

/** Start a single DNS resolve for <b>address</b> (if <b>query_type</b> is
* DNS_IPv4_A or DNS_IPv6_AAAA) <b>ptr_address</b> (if <b>query_type</b> is
* DNS_PTR). Return 0 if we launched the request, -1 otherwise. */
static int
launch_one_resolve(const char *address, uint8_t query_type,
                  const tor_addr_t *ptr_address)
{
 const int options = get_options()->ServerDNSSearchDomains ? 0
   : DNS_QUERY_NO_SEARCH;
 const size_t addr_len = strlen(address);
 struct evdns_request *req = 0;
 char *addr = tor_malloc(addr_len + 2);
 addr[0] = (char) query_type;
 memcpy(addr+1, address, addr_len + 1);

 /* Note the query for our statistics. */
 rep_hist_note_dns_request(query_type);

 switch (query_type) {
 case DNS_IPv4_A:
   req = evdns_base_resolve_ipv4(the_evdns_base,
                                 address, options, evdns_callback, addr);
   break;
 case DNS_IPv6_AAAA:
   req = evdns_base_resolve_ipv6(the_evdns_base,
                                 address, options, evdns_callback, addr);
   ++n_ipv6_requests_made;
   break;
 case DNS_PTR:
   if (tor_addr_family(ptr_address) == AF_INET)
     req = evdns_base_resolve_reverse(the_evdns_base,
                                      tor_addr_to_in(ptr_address),
                                      DNS_QUERY_NO_SEARCH,
                                      evdns_callback, addr);
   else if (tor_addr_family(ptr_address) == AF_INET6)
     req = evdns_base_resolve_reverse_ipv6(the_evdns_base,
                                           tor_addr_to_in6(ptr_address),
                                           DNS_QUERY_NO_SEARCH,
                                           evdns_callback, addr);
   else
     log_warn(LD_BUG, "Called with PTR query and unexpected address family");
   break;
 default:
   log_warn(LD_BUG, "Called with unexpected query type %d", (int)query_type);
   break;
 }

 if (req) {
   return 0;
 } else {
   tor_free(addr);
   return -1;
 }
}

/** For eventdns: start resolving as necessary to find the target for
* <b>exitconn</b>.  Returns -1 on error, -2 on transient error,
* 0 on "resolve launched." */
MOCK_IMPL(STATIC int,
launch_resolve,(cached_resolve_t *resolve))
{
 tor_addr_t a;
 int r;

 if (net_is_disabled())
   return -1;

 /* What? Nameservers not configured?  Sounds like a bug. */
 if (!nameservers_configured) {
   log_warn(LD_EXIT, "(Harmless.) Nameservers not configured, but resolve "
            "launched.  Configuring.");
   if (configure_nameservers(1) < 0) {
     return -1;
   }
 }

 r = tor_addr_parse_PTR_name(
                           &a, resolve->address, AF_UNSPEC, 0);

 tor_assert(the_evdns_base);
 if (r == 0) {
   log_info(LD_EXIT, "Launching eventdns request for %s",
            escaped_safe_str(resolve->address));
   resolve->res_status_ipv4 = RES_STATUS_INFLIGHT;
   if (get_options()->IPv6Exit)
     resolve->res_status_ipv6 = RES_STATUS_INFLIGHT;

   if (launch_one_resolve(resolve->address, DNS_IPv4_A, NULL) < 0) {
     resolve->res_status_ipv4 = 0;
     r = -1;
   }

   if (r==0 && get_options()->IPv6Exit) {
     /* We ask for an IPv6 address for *everything*. */
     if (launch_one_resolve(resolve->address, DNS_IPv6_AAAA, NULL) < 0) {
       resolve->res_status_ipv6 = 0;
       r = -1;
     }
   }
 } else if (r == 1) {
   r = 0;
   log_info(LD_EXIT, "Launching eventdns reverse request for %s",
            escaped_safe_str(resolve->address));
   resolve->res_status_hostname = RES_STATUS_INFLIGHT;
   if (launch_one_resolve(resolve->address, DNS_PTR, &a) < 0) {
     resolve->res_status_hostname = 0;
     r = -1;
   }
 } else if (r == -1) {
   log_warn(LD_BUG, "Somehow a malformed in-addr.arpa address reached here.");
 }

 if (r < 0) {
   log_fn(LOG_PROTOCOL_WARN, LD_EXIT, "eventdns rejected address %s.",
          escaped_safe_str(resolve->address));
 }
 return r;
}

/** How many requests for bogus addresses have we launched so far? */
static int n_wildcard_requests = 0;

/** Map from dotted-quad IP address in response to an int holding how many
* times we've seen it for a randomly generated (hopefully bogus) address.  It
* would be easier to use definitely-invalid addresses (as specified by
* RFC2606), but see comment in dns_launch_wildcard_checks(). */
static strmap_t *dns_wildcard_response_count = NULL;

/** If present, a list of dotted-quad IP addresses that we are pretty sure our
* nameserver wants to return in response to requests for nonexistent domains.
*/
static smartlist_t *dns_wildcard_list = NULL;
/** True iff we've logged about a single address getting wildcarded.
* Subsequent warnings will be less severe.  */
static int dns_wildcard_one_notice_given = 0;
/** True iff we've warned that our DNS server is wildcarding too many failures.
*/
static int dns_wildcard_notice_given = 0;

/** List of supposedly good addresses that are getting wildcarded to the
* same addresses as nonexistent addresses. */
static smartlist_t *dns_wildcarded_test_address_list = NULL;
/** True iff we've warned about a test address getting wildcarded */
static int dns_wildcarded_test_address_notice_given = 0;
/** True iff all addresses seem to be getting wildcarded. */
static int dns_is_completely_invalid = 0;

/** Called when we see <b>id</b> (a dotted quad or IPv6 address) in response
* to a request for a hopefully bogus address. */
static void
wildcard_increment_answer(const char *id)
{
 int *ip;
 if (!dns_wildcard_response_count)
   dns_wildcard_response_count = strmap_new();

 ip = strmap_get(dns_wildcard_response_count, id); // may be null (0)
 if (!ip) {
   ip = tor_malloc_zero(sizeof(int));
   strmap_set(dns_wildcard_response_count, id, ip);
 }
 ++*ip;

 if (*ip > 5 && n_wildcard_requests > 10) {
   if (!dns_wildcard_list) dns_wildcard_list = smartlist_new();
   if (!smartlist_contains_string(dns_wildcard_list, id)) {
   tor_log(dns_wildcard_notice_given ? LOG_INFO : LOG_NOTICE, LD_EXIT,
       "Your DNS provider has given \"%s\" as an answer for %d different "
       "invalid addresses. Apparently they are hijacking DNS failures. "
       "I'll try to correct for this by treating future occurrences of "
       "\"%s\" as 'not found'.", id, *ip, id);
     smartlist_add_strdup(dns_wildcard_list, id);
   }
   if (!dns_wildcard_notice_given)
     control_event_server_status(LOG_NOTICE, "DNS_HIJACKED");
   dns_wildcard_notice_given = 1;
 }
}

/** Note that a single test address (one believed to be good) seems to be
* getting redirected to the same IP as failures are. */
static void
add_wildcarded_test_address(const char *address)
{
 int n, n_test_addrs;
 if (!dns_wildcarded_test_address_list)
   dns_wildcarded_test_address_list = smartlist_new();

 if (smartlist_contains_string_case(dns_wildcarded_test_address_list,
                                    address))
   return;

 n_test_addrs = get_options()->ServerDNSTestAddresses ?
   smartlist_len(get_options()->ServerDNSTestAddresses) : 0;

 smartlist_add_strdup(dns_wildcarded_test_address_list, address);
 n = smartlist_len(dns_wildcarded_test_address_list);
 if (n > n_test_addrs/2) {
   tor_log(dns_wildcarded_test_address_notice_given ? LOG_INFO : LOG_NOTICE,
       LD_EXIT, "Your DNS provider tried to redirect \"%s\" to a junk "
       "address.  It has done this with %d test addresses so far.  I'm "
       "going to stop being an exit node for now, since our DNS seems so "
       "broken.", address, n);
   if (!dns_is_completely_invalid) {
     dns_is_completely_invalid = 1;
     mark_my_descriptor_dirty("dns hijacking confirmed");
   }
   if (!dns_wildcarded_test_address_notice_given)
     control_event_server_status(LOG_WARN, "DNS_USELESS");
   dns_wildcarded_test_address_notice_given = 1;
 }
}

/** Callback function when we get an answer (possibly failing) for a request
* for a (hopefully) nonexistent domain. */
static void
evdns_wildcard_check_callback(int result, char type, int count, int ttl,
                             void *addresses, void *arg)
{
 (void)ttl;
 const char *ip_str;
 ++n_wildcard_requests;
 if (result == DNS_ERR_NONE && count) {
   char *string_address = arg;
   int i;
   if (type == DNS_IPv4_A) {
     const uint32_t *addrs = addresses;
     for (i = 0; i < count; ++i) {
       char answer_buf[INET_NTOA_BUF_LEN+1];
       struct in_addr in;
       int ntoa_res;
       in.s_addr = addrs[i];
       ntoa_res = tor_inet_ntoa(&in, answer_buf, sizeof(answer_buf));
       tor_assert_nonfatal(ntoa_res >= 0);
       if (ntoa_res > 0)
         wildcard_increment_answer(answer_buf);
     }
   } else if (type == DNS_IPv6_AAAA) {
     const struct in6_addr *addrs = addresses;
     for (i = 0; i < count; ++i) {
       char answer_buf[TOR_ADDR_BUF_LEN+1];
       ip_str = tor_inet_ntop(AF_INET6, &addrs[i], answer_buf,
                              sizeof(answer_buf));
       tor_assert_nonfatal(ip_str);
       if (ip_str)
         wildcard_increment_answer(answer_buf);
     }
   }

   tor_log(dns_wildcard_one_notice_given ? LOG_INFO : LOG_NOTICE, LD_EXIT,
       "Your DNS provider gave an answer for \"%s\", which "
       "is not supposed to exist. Apparently they are hijacking "
       "DNS failures. Trying to correct for this. We've noticed %d "
       "possibly bad address%s so far.",
       string_address, strmap_size(dns_wildcard_response_count),
       (strmap_size(dns_wildcard_response_count) == 1) ? "" : "es");
   dns_wildcard_one_notice_given = 1;
 }
 tor_free(arg);
}

/** Launch a single request for a nonexistent hostname consisting of between
* <b>min_len</b> and <b>max_len</b> random (plausible) characters followed by
* <b>suffix</b> */
static void
launch_wildcard_check(int min_len, int max_len, int is_ipv6,
                     const char *suffix)
{
 char *addr;
 struct evdns_request *req;

 addr = crypto_random_hostname(min_len, max_len, "", suffix);
 log_info(LD_EXIT, "Testing whether our DNS server is hijacking nonexistent "
          "domains with request for bogus hostname \"%s\"", addr);

 tor_assert(the_evdns_base);
 if (is_ipv6)
   req = evdns_base_resolve_ipv6(
                        the_evdns_base,
                        /* This "addr" tells us which address to resolve */
                        addr,
                        DNS_QUERY_NO_SEARCH, evdns_wildcard_check_callback,
                        /* This "addr" is an argument to the callback*/ addr);
 else
   req = evdns_base_resolve_ipv4(
                        the_evdns_base,
                        /* This "addr" tells us which address to resolve */
                        addr,
                        DNS_QUERY_NO_SEARCH, evdns_wildcard_check_callback,
                        /* This "addr" is an argument to the callback*/ addr);
 if (!req) {
   /* There is no evdns request in progress; stop addr from getting leaked */
   tor_free(addr);
 }
}

/** Launch attempts to resolve a bunch of known-good addresses (configured in
* ServerDNSTestAddresses).  [Callback for a libevent timer] */
static void
launch_test_addresses(evutil_socket_t fd, short event, void *args)
{
 const or_options_t *options = get_options();
 (void)fd;
 (void)event;
 (void)args;

 if (net_is_disabled())
   return;

 log_info(LD_EXIT, "Launching checks to see whether our nameservers like to "
          "hijack *everything*.");
 /* This situation is worse than the failure-hijacking situation.  When this
  * happens, we're no good for DNS requests at all, and we shouldn't really
  * be an exit server.*/
 if (options->ServerDNSTestAddresses) {

   tor_assert(the_evdns_base);
   SMARTLIST_FOREACH_BEGIN(options->ServerDNSTestAddresses,
                           const char *, address) {
     if (launch_one_resolve(address, DNS_IPv4_A, NULL) < 0) {
       log_info(LD_EXIT, "eventdns rejected test address %s",
                escaped_safe_str(address));
     }

     if (launch_one_resolve(address, DNS_IPv6_AAAA, NULL) < 0) {
       log_info(LD_EXIT, "eventdns rejected test address %s",
                escaped_safe_str(address));
     }
   } SMARTLIST_FOREACH_END(address);
 }
}

#define N_WILDCARD_CHECKS 2

/** Launch DNS requests for a few nonexistent hostnames and a few well-known
* hostnames, and see if we can catch our nameserver trying to hijack them and
* map them to a stupid "I couldn't find ggoogle.com but maybe you'd like to
* buy these lovely encyclopedias" page. */
static void
dns_launch_wildcard_checks(void)
{
 int i, ipv6;
 log_info(LD_EXIT, "Launching checks to see whether our nameservers like "
          "to hijack DNS failures.");
 for (ipv6 = 0; ipv6 <= 1; ++ipv6) {
   for (i = 0; i < N_WILDCARD_CHECKS; ++i) {
     /* RFC2606 reserves these.  Sadly, some DNS hijackers, in a silly
      * attempt to 'comply' with rfc2606, refrain from giving A records for
      * these.  This is the standards-compliance equivalent of making sure
      * that your crackhouse's elevator inspection certificate is up to date.
      */
     launch_wildcard_check(2, 16, ipv6, ".invalid");
     launch_wildcard_check(2, 16, ipv6, ".test");

     /* These will break specs if there are ever any number of
      * 8+-character top-level domains. */
     launch_wildcard_check(8, 16, ipv6, "");

     /* Try some random .com/org/net domains. This will work fine so long as
      * not too many resolve to the same place. */
     launch_wildcard_check(8, 16, ipv6, ".com");
     launch_wildcard_check(8, 16, ipv6, ".org");
     launch_wildcard_check(8, 16, ipv6, ".net");
   }
 }
}

/** If appropriate, start testing whether our DNS servers tend to lie to
* us. */
void
dns_launch_correctness_checks(void)
{
 static struct event *launch_event = NULL;
 struct timeval timeout;
 if (!get_options()->ServerDNSDetectHijacking)
   return;
 dns_launch_wildcard_checks();

 /* Wait a while before launching requests for test addresses, so we can
  * get the results from checking for wildcarding. */
 if (!launch_event)
   launch_event = tor_evtimer_new(tor_libevent_get_base(),
                                  launch_test_addresses, NULL);
 timeout.tv_sec = 30;
 timeout.tv_usec = 0;
 if (evtimer_add(launch_event, &timeout) < 0) {
   log_warn(LD_BUG, "Couldn't add timer for checking for dns hijacking");
 }
}

/** Return true iff our DNS servers lie to us too much to be trusted. */
int
dns_seems_to_be_broken(void)
{
 return dns_is_completely_invalid;
}

/** Return true iff we think that IPv6 hostname lookup is broken */
int
dns_seems_to_be_broken_for_ipv6(void)
{
 return dns_is_broken_for_ipv6;
}

/** Forget what we've previously learned about our DNS servers' correctness. */
void
dns_reset_correctness_checks(void)
{
 strmap_free(dns_wildcard_response_count, tor_free_);
 dns_wildcard_response_count = NULL;

 n_wildcard_requests = 0;

 n_ipv6_requests_made = n_ipv6_timeouts = 0;

 if (dns_wildcard_list) {
   SMARTLIST_FOREACH(dns_wildcard_list, char *, cp, tor_free(cp));
   smartlist_clear(dns_wildcard_list);
 }
 if (dns_wildcarded_test_address_list) {
   SMARTLIST_FOREACH(dns_wildcarded_test_address_list, char *, cp,
                     tor_free(cp));
   smartlist_clear(dns_wildcarded_test_address_list);
 }
 dns_wildcard_one_notice_given = dns_wildcard_notice_given =
   dns_wildcarded_test_address_notice_given = dns_is_completely_invalid =
   dns_is_broken_for_ipv6 = 0;
}

/** Return true iff we have noticed that the dotted-quad <b>ip</b> has been
* returned in response to requests for nonexistent hostnames. */
static int
answer_is_wildcarded(const char *ip)
{
 return dns_wildcard_list && smartlist_contains_string(dns_wildcard_list, ip);
}

/** Exit with an assertion if <b>resolve</b> is corrupt. */
static void
assert_resolve_ok(cached_resolve_t *resolve)
{
 tor_assert(resolve);
 tor_assert(resolve->magic == CACHED_RESOLVE_MAGIC);
 tor_assert(strlen(resolve->address) < MAX_ADDRESSLEN);
 tor_assert(tor_strisnonupper(resolve->address));
 if (resolve->state != CACHE_STATE_PENDING) {
   tor_assert(!resolve->pending_connections);
 }
 if (resolve->state == CACHE_STATE_PENDING ||
     resolve->state == CACHE_STATE_DONE) {
#if 0
   tor_assert(!resolve->ttl);
   if (resolve->is_reverse)
     tor_assert(!resolve->hostname);
   else
     tor_assert(!resolve->result_ipv4.addr_ipv4);
#endif /* 0 */
   /*XXXXX ADD MORE */
 }
}

/** Return the number of DNS cache entries as an int */
static int
dns_cache_entry_count(void)
{
  return HT_SIZE(&cache_root);
}

/* Return the total size in bytes of the DNS cache. */
size_t
dns_cache_total_allocation(void)
{
 return sizeof(struct cached_resolve_t) * dns_cache_entry_count() +
        HT_MEM_USAGE(&cache_root);
}

/** Log memory information about our internal DNS cache at level 'severity'. */
void
dump_dns_mem_usage(int severity)
{
 /* This should never be larger than INT_MAX. */
 int hash_count = dns_cache_entry_count();
 size_t hash_mem = dns_cache_total_allocation();

 /* Print out the count and estimated size of our &cache_root.  It undercounts
    hostnames in cached reverse resolves.
  */
 tor_log(severity, LD_MM, "Our DNS cache has %d entries.", hash_count);
 tor_log(severity, LD_MM, "Our DNS cache size is approximately %u bytes.",
     (unsigned)hash_mem);
}

/* Do a round of OOM cleanup on all DNS entries. Return the amount of removed
* bytes. It is possible that the returned value is lower than min_remove_bytes
* if the caches get emptied out so the caller should be aware of this. */
size_t
dns_cache_handle_oom(time_t now, size_t min_remove_bytes)
{
 time_t time_inc = 0;
 size_t total_bytes_removed = 0;
 size_t current_size = dns_cache_total_allocation();

 do {
   /* If no DNS entries left, break loop. */
   if (!dns_cache_entry_count())
     break;

   /* Get cutoff interval and remove entries. */
   time_t cutoff = now + time_inc;
   purge_expired_resolves(cutoff);

   /* Update amount of bytes removed and array size. */
   size_t bytes_removed = current_size - dns_cache_total_allocation();
   current_size -= bytes_removed;
   total_bytes_removed += bytes_removed;

   /* Increase time_inc by a reasonable fraction. */
   time_inc += (MAX_DNS_TTL / 4);
 } while (total_bytes_removed < min_remove_bytes);

 return total_bytes_removed;
}

#ifdef DEBUG_DNS_CACHE
/** Exit with an assertion if the DNS cache is corrupt. */
static void
assert_cache_ok_(void)
{
 cached_resolve_t **resolve;
 int bad_rep = HT_REP_IS_BAD_(cache_map, &cache_root);
 if (bad_rep) {
   log_err(LD_BUG, "Bad rep type %d on dns cache hash table", bad_rep);
   tor_assert(!bad_rep);
 }

 HT_FOREACH(resolve, cache_map, &cache_root) {
   assert_resolve_ok(*resolve);
   tor_assert((*resolve)->state != CACHE_STATE_DONE);
 }
 if (!cached_resolve_pqueue)
   return;

 smartlist_pqueue_assert_ok(cached_resolve_pqueue,
                            compare_cached_resolves_by_expiry_,
                            offsetof(cached_resolve_t, minheap_idx));

 SMARTLIST_FOREACH(cached_resolve_pqueue, cached_resolve_t *, res,
   {
     if (res->state == CACHE_STATE_DONE) {
       cached_resolve_t *found = HT_FIND(cache_map, &cache_root, res);
       tor_assert(!found || found != res);
     } else {
       cached_resolve_t *found = HT_FIND(cache_map, &cache_root, res);
       tor_assert(found);
     }
   });
}

#endif /* defined(DEBUG_DNS_CACHE) */

cached_resolve_t *
dns_get_cache_entry(cached_resolve_t *query)
{
 return HT_FIND(cache_map, &cache_root, query);
}

void
dns_insert_cache_entry(cached_resolve_t *new_entry)
{
 HT_INSERT(cache_map, &cache_root, new_entry);
}