tlog: bump tlog to v1.6

when `./Configure --api=1.0.0`, we should not use CRYPTO_set_id_callback().

.github/workflows/c-cpp.yml

@@ -0,0 +1,17 @@
+name: C/C++ CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: make
+      run: make

.gitignore

@@ -1,4 +1,4 @@
 .vscode
-.o
+*.o
 .DS_Store
-.swp.
+*.swp.

ReadMe_en.md

@@ -498,7 +498,7 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
 |bind|DNS listening port number|[::]:53|Support binding multiple ports<br>`IP:PORT`: server IP, port number. <br>`[-group]`: The DNS server group used when requesting. <br>`[-no-rule-addr]`: Skip the address rule. <br>`[-no-rule-nameserver]`: Skip the Nameserver rule. <br>`[-no-rule-ipset]`: Skip the Ipset rule. <br>`[-no-rule-soa]`: Skip address SOA(#) rules.<br>`[-no-dualstack-selection]`: Disable dualstack ip selection.<br>`[-no-speed-check]`: Disable speed measurement. <br>`[-no-cache]`: stop caching |bind :53
 |bind-tcp|TCP mode DNS listening port number|[::]:53|Support binding multiple ports<br>`IP:PORT`: server IP, port number. <br>`[-group]`: The DNS server group used when requesting. <br>`[-no-rule-addr]`: Skip the address rule. <br>`[-no-rule-nameserver]`: Skip the Nameserver rule. <br>`[-no-rule-ipset]`: Skip the Ipset rule. <br>`[-no-rule-soa]`: Skip address SOA(#) rules.<br>`[-no-dualstack-selection]`: Disable dualstack ip selection.<br>`[-no-speed-check]`: Disable speed measurement. <br>`[-no-cache]`: stop caching |bind-tcp :53
 |cache-size|Domain name result cache number|512|integer|cache-size 512
-|cache-persist|enable persist cache|no|[yes\|no]|cache-persist yes
+|cache-persist|enable persist cache|Auto: Enabled if the location of `cache-file` has more than 128MB of free space.|[yes\|no]|cache-persist yes
 |cache-file|cache persist file|/tmp/smartdns.cache|路径|cache-file /tmp/smartdns.cache
 |tcp-idle-time|TCP connection idle timeout|120|integer|tcp-idle-time 120
 |rr-ttl|Domain name TTL|Remote query result|number greater than 0|rr-ttl 600
@@ -520,14 +520,15 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
 |speed-check-mode|Speed ​​mode|None|[ping\|tcp:[80]\|none]|speed-check-mode ping,tcp:443
 |address|Domain IP address|None|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6], `-` for ignore, `#` for return SOA, `4` for IPV4, `6` for IPV6| address /www.example.com/1.2.3.4
 |nameserver|To query domain with specific server group|None|nameserver /domain/[group\|-], `group` is the group name, `-` means ignore this rule, use the `-group` parameter in the related server|nameserver /www.example.com/office
-|ipset|Domain IPSet|None|ipset /domain/[ipset\|-], `-` for ignore|ipset /www.example.com/pass
+|ipset|Domain IPSet|None|ipset /domain/[ipset\|-\|#[4\|6]:[ipset\|-][,#[4\|6]:[ipset\|-]]], `-` for ignore|ipset /www.example.com/#4:dns4,#6:-
 |ipset-timeout|ipset timeout enable|auto|[yes]|ipset-timeout yes
-|domain-rules|set domain rules|None|domain-rules /domain/ [-rules...]<br>`[-speed-check-mode]`: set speed check mode，same as parameter `speed-check-mode`<br>`[-address]`: same as  parameter `address` <br>`[-nameserver]`: same as parameter `nameserver`<br>`[-ipset]`: same as parameter `ipset`|domain-rules /www.example.com/ -speed-check-mode none
+|domain-rules|set domain rules|None|domain-rules /domain/ [-rules...]<br>`[-c\|-speed-check-mode]`: set speed check mode，same as parameter `speed-check-mode`<br>`[-a\|-address]`: same as  parameter `address` <br>`[-n\|-nameserver]`: same as parameter `nameserver`<br>`[-p\|-ipset]`: same as parameter `ipset`<br>`[-d\|-dualstack-ip-selection]`: same as parameter `dualstack-ip-selection`|domain-rules /www.example.com/ -speed-check-mode none
 |bogus-nxdomain|bogus IP address|None|[IP/subnet], Repeatable| bogus-nxdomain 1.2.3.4/16
 |ignore-ip|ignore ip address|None|[ip/subnet], Repeatable| ignore-ip 1.2.3.4/16
 |whitelist-ip|ip whitelist|None|[ip/subnet], Repeatable，When the filtering server responds IPs in the IP whitelist, only result in whitelist will be accepted| whitelist-ip 1.2.3.4/16
 |blacklist-ip|ip blacklist|None|[ip/subnet], Repeatable，When the filtering server responds IPs in the IP blacklist, The result will be discarded directly| blacklist-ip 1.2.3.4/16
 |force-AAAA-SOA|force AAAA query return SOA|no|[yes\|no]|force-AAAA-SOA yes
+|force-qtype-SOA|force specific qtype return SOA|qtype id|[qtypeid | ...]|force-qtype-SOA 65 28
 |prefetch-domain|domain prefetch feature|no|[yes\|no]|prefetch-domain yes
 |serve-expired|Cache serve expired feature|no|[yes\|no], Attempts to serve old responses from cache with a TTL of 0 in the response without waiting for the actual resolution to finish.|serve-expired yes
 |serve-expired-ttl|Cache serve expired limite TTL|0|second，0：disable，> 0  seconds after expiration|serve-expired-ttl 0
@@ -638,7 +639,7 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
     Enable cache serve expired feature with `serve-expired yes` to improve the cache hit rate and reduce the CPU consumption.
     This feature will return TTL = 0 to the client after the TTL timeout, and send a new query request again at the same time, and cache the new results for later query.
 
-1. How does the second DNS customize more behavior?
+1. How does the second DNS customize more behavior?  
     The second DNS can be used as the upstream of other DNS servers to provide more query behaviors. Bind configuration support can bind multiple ports. Different ports can be set with different flags to implement different functions, such as
 
     ```sh
@@ -646,6 +647,13 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
     bind [::]:6053 -no-speed-check -group office -no-rule-addr
     ```
 
+1. How to get SPKI of DOT  
+    The SPKI can be obtained from the page published by the DNS service provider. If it is not published, it can be obtained by the following command, replace IP with your own IP.
+
+    ````sh
+    echo | openssl s_client -connect '1.0.0.1:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+    ````
+
 ## Compile
 
 smartdns contains scripts for compiling packages, supports compiling luci, debian, openwrt, opare installation packages, and can execute `package/build-pkg.sh` compilation.

etc/smartdns/smartdns.conf

@@ -84,6 +84,10 @@ cache-size 4096
 # force AAAA query return SOA
 # force-AAAA-SOA [yes|no]
 
+# force specific qtype return soa
+# force-qtype-SOA [qtypeid |...]
+# force-qtype-SOA 65 28
+
 # Enable IPV4, IPV6 dual stack IP optimization selection strategy
 # dualstack-ip-selection-threshold [num] (0~1000)
 # dualstack-ip-selection [yes|no]
@@ -189,8 +193,9 @@ log-level info
 # set domain rules
 # domain-rules /domain/ [-speed-check-mode [...]]
 # rules:
-#   -speed-check-mode [mode]: speed check mode
+#   [-c] -speed-check-mode [mode]: speed check mode
 #                             speed-check-mode [ping|tcp:port|none|,]
-#   -address [address|-]: same as address option
-#   -nameserver [group|-]: same as nameserver option
-#   -ipset [ipset|-]: same as ipset option
+#   [-a] -address [address|-]: same as address option
+#   [-n] -nameserver [group|-]: same as nameserver option
+#   [-p] -ipset [ipset|-]: same as ipset option
+#   [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option

package/luci-compat/files/luci/i18n/smartdns.zh-cn.po

@@ -104,13 +104,13 @@ msgid "Cache Size"
 msgstr "缓存大小"
 
 msgid "DNS domain result cache size"
-msgstr "缓存DNS的结果，缓存大小，配置零则不缓存"
+msgstr "缓存DNS的结果，缓存大小，配置零则不缓存（单位：条）"
 
 msgid "Domain TTL"
 msgstr "域名TTL"
 
 msgid "TTL for all domain result."
-msgstr "设置所有域名的TTL值"
+msgstr "设置所有域名的TTL值（单位：秒，下同）"
 
 msgid "Domain TTL Min"
 msgstr "域名TTL最小值"

package/luci/files/luci/i18n/smartdns.zh-cn.po

@@ -110,13 +110,13 @@ msgid "Cache Size"
 msgstr "缓存大小"
 
 msgid "DNS domain result cache size"
-msgstr "缓存DNS的结果，缓存大小，配置零则不缓存"
+msgstr "缓存DNS的结果，缓存大小，配置零则不缓存（单位：条）"
 
 msgid "Domain TTL"
 msgstr "域名TTL"
 
 msgid "TTL for all domain result."
-msgstr "设置所有域名的TTL值"
+msgstr "设置所有域名的TTL值（单位：秒，下同）"
 
 msgid "Domain TTL Min"
 msgstr "域名TTL最小值"

package/luci/files/root/usr/share/luci/menu.d/luci-app-smartdns.json

@@ -6,6 +6,7 @@
 			"path": "smartdns/smartdns"
 		},
 		"depends": {
+			"acl": [ "luci-app-smartdns" ],
 			"uci": { "smartdns": true }
 		}
 	}

package/openwrt/make.sh

@@ -74,7 +74,7 @@ build()
 	cd $ROOT
 
 	tar zcf $ROOT/data.tar.gz -C root --owner=0 --group=0 .
-	tar zcf $OUTPUTDIR/smartdns.$VER.$FILEARCH.ipk --owner=0 --group=0 control.tar.gz data.tar.gz debian-binary
+	tar zcf $OUTPUTDIR/smartdns.$VER.$FILEARCH.ipk --owner=0 --group=0 ./control.tar.gz ./data.tar.gz ./debian-binary
 	rm -fr $ROOT/
 }
 

package/redhat/smartdns.spec

@@ -1,21 +1,24 @@
 Name:           smartdns
-Version:        31
-Release:        1%{?dist}
+Version:        1.2020.09.08
+Release:        2235%{?dist}
 Summary:        smartdns
 
 License:        GPL 3.0
 URL:            https://github.com/pymumu/smartdns
-Source0:        smartdns-Release31.tar.gz
+Source0:        %{name}-%{version}.tar.gz
 
 BuildRequires:  glibc
+BuildRequires:  centos-release >= 7
+BuildRequires:  openssl-devel
 Requires:       glibc
+Requires:       openssl
 Requires:       systemd
 
 %description
 A local DNS server to obtain the fastest website IP for the best Internet experience.
 
 %prep
-%setup -q -n smartdns-Release31
+%setup -q
 
 %build
 cd src

src/.gitignore

@@ -0,0 +1,5 @@
+.vscode
+.o
+.DS_Store
+.swp.
+smartdns

src/Makefile

@@ -20,7 +20,7 @@ OBJS=smartdns.o fast_ping.o dns_client.o dns_server.o dns.o util.o tlog.o dns_co
 
 # cflags
 ifndef CFLAGS
-CFLAGS =-O2 -g -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing 
+CFLAGS =-O2 -g -Wall -Wstrict-prototypes -fno-omit-frame-pointer -Wstrict-aliasing -funwind-tables
 endif
 override CFLAGS +=-Iinclude
 override CFLAGS += -DBASE_FILE_NAME=\"$(notdir $<)\"
@@ -35,7 +35,7 @@ override CXXFLAGS +=-Iinclude
 ifeq ($(STATIC), yes)
 override LDFLAGS += -lssl -lcrypto -Wl,--whole-archive -lpthread -Wl,--no-whole-archive -ldl -static
 else
-override LDFLAGS += -lssl -lcrypto -lpthread 
+override LDFLAGS += -lssl -lcrypto -lpthread -ldl
 endif
 
 .PHONY: all clean

src/dns.c

@@ -253,11 +253,8 @@ static int _dns_add_qr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}
 
-	*((unsigned short *)(data_context->ptr)) = qtype;
-	data_context->ptr += 2;
-
-	*((unsigned short *)(data_context->ptr)) = qclass;
-	data_context->ptr += 2;
+	_dns_write_short(&data_context->ptr, qtype);
+	_dns_write_short(&data_context->ptr, qclass);
 
 	return 0;
 }
@@ -266,6 +263,10 @@ static int _dns_get_qr_head(struct dns_data_context *data_context, char *domain,
 {
 	int i;
 	int is_read_all = 0;
+
+	if (domain == NULL || data_context == NULL) {
+		return -1;
+	}
 	/* question head */
 	/* |domain         |
 	 * |qtype | qclass |
@@ -296,11 +297,8 @@ static int _dns_get_qr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}
 
-	*qtype = *((unsigned short *)(data_context->ptr));
-	data_context->ptr += 2;
-
-	*qclass = *((unsigned short *)(data_context->ptr));
-	data_context->ptr += 2;
+	*qtype = _dns_read_short(&data_context->ptr);
+	*qclass = _dns_read_short(&data_context->ptr);
 
 	return 0;
 }
@@ -325,11 +323,8 @@ static int _dns_add_rr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}
 
-	*((unsigned int *)(data_context->ptr)) = ttl;
-	data_context->ptr += 4;
-
-	*((unsigned short *)(data_context->ptr)) = rr_len;
-	data_context->ptr += 2;
+	_dns_write_int(&data_context->ptr, ttl);
+	_dns_write_short(&data_context->ptr, rr_len);
 
 	return 0;
 }
@@ -351,11 +346,8 @@ static int _dns_get_rr_head(struct dns_data_context *data_context, char *domain,
 		return -1;
 	}
 
-	*ttl = *((unsigned int *)(data_context->ptr));
-	data_context->ptr += 4;
-
-	*rr_len = *((unsigned short *)(data_context->ptr));
-	data_context->ptr += 2;
+	*ttl = _dns_read_int(&data_context->ptr);
+	*rr_len = _dns_read_short(&data_context->ptr);
 
 	return len;
 }
@@ -940,7 +932,7 @@ static int _dns_decode_domain(struct dns_context *context, char *output, int siz
 
 	/*[len]string[len]string...[0]0 */
 	while (1) {
-		if (ptr > context->data + context->maxsize || ptr < context->data || output_len >= size - 1 || ptr_jump > 4) {
+		if (ptr >= context->data + context->maxsize || ptr < context->data || output_len >= size - 1 || ptr_jump > 4) {
 			return -1;
 		}
 
@@ -1363,7 +1355,7 @@ static int _dns_decode_opt_ecs(struct dns_context *context, struct dns_opt_ecs *
 	len = (ecs->source_prefix / 8);
 	len += (ecs->source_prefix % 8 > 0) ? 1 : 0;
 
-	if (_dns_left_len(context) < len) {
+	if (_dns_left_len(context) < len || len > sizeof(ecs->addr)) {
 		return -1;
 	}
 
@@ -1377,6 +1369,38 @@ static int _dns_decode_opt_ecs(struct dns_context *context, struct dns_opt_ecs *
 	return 0;
 }
 
+
+static int _dns_decode_opt_cookie(struct dns_context *context, struct dns_opt_cookie *cookie)
+{
+	// TODO
+	int len = _dns_left_len(context);
+	if (len < 8) {
+		return -1;
+	}
+
+	len = 8;
+	memcpy(cookie->client_cookie, context->ptr, len);
+	context->ptr += len;
+
+	len = _dns_left_len(context);
+	if (len == 0) {
+		cookie->server_cookie_len = 0;
+		return 0;
+	}
+
+	if (len < 8) {
+		return -1;
+	}
+
+	memcpy(cookie->server_cookie, context->ptr, len);
+	cookie->server_cookie_len = len;
+	context->ptr += len;
+
+	tlog(TLOG_DEBUG, "OPT COOKIE");
+	return 0;
+}
+
+
 static int _dns_encode_OPT(struct dns_context *context, struct dns_rrs *rrs)
 {
 	int ret;
@@ -1559,6 +1583,14 @@ static int _dns_decode_opt(struct dns_context *context, dns_rr_type type, unsign
 				return -1;
 			}
 		} break;
+		case DNS_OPT_T_COOKIE: {
+			struct dns_opt_cookie cookie;
+			ret = _dns_decode_opt_cookie(context, &cookie);
+			if (ret != 0) {
+				tlog(TLOG_ERROR, "decode cookie failed.");
+				return -1;
+			}
+		} break;
 		default:
 			context->ptr += opt_len;
 			tlog(TLOG_DEBUG, "DNS opt type = %d not supported", opt_code);

src/dns.h

@@ -68,6 +68,7 @@ typedef enum dns_type {
 
 typedef enum dns_opt_code {
 	DNS_OPT_T_ECS = 8, // OPT ECS
+	DNS_OPT_T_COOKIE = 10, //OPT Cookie
 	DNS_OPT_T_TCP_KEEPALIVE = 11,
 	DNS_OPT_T_ALL = 255
 } dns_opt_code_t;
@@ -171,6 +172,13 @@ struct dns_opt_ecs {
 	unsigned char addr[DNS_RR_AAAA_LEN];
 };
 
+/* OPT COOLIE */
+struct dns_opt_cookie {
+	char server_cookie_len;
+	unsigned char client_cookie[8];
+	unsigned char server_cookie[32];
+};
+
 /* OPT */
 struct dns_opt {
 	unsigned short code;

src/dns_cache.c

@@ -142,8 +142,7 @@ void dns_cache_data_free(struct dns_cache_data *data)
 	free(data);
 }
 
-struct dns_cache_data *dns_cache_new_data_addr(uint32_t cache_flag, char *cname, int cname_ttl, unsigned char *addr,
-											   int addr_len)
+struct dns_cache_data *dns_cache_new_data(void)
 {
 	struct dns_cache_addr *cache_addr = malloc(sizeof(struct dns_cache_addr));
 	memset(cache_addr, 0, sizeof(struct dns_cache_addr));
@@ -151,6 +150,50 @@ struct dns_cache_data *dns_cache_new_data_addr(uint32_t cache_flag, char *cname,
 		return NULL;
 	}
 
+	cache_addr->head.cache_type = CACHE_TYPE_NONE;
+	cache_addr->head.size = sizeof(struct dns_cache_addr) - sizeof(struct dns_cache_data_head);
+
+	return (struct dns_cache_data *)cache_addr;
+}
+
+void dns_cache_set_data_soa(struct dns_cache_data *dns_cache, int32_t cache_flag, char *cname, int cname_ttl)
+{
+	if (dns_cache == NULL) {
+		goto errout;
+	}
+
+	struct dns_cache_addr *cache_addr = (struct dns_cache_addr *)dns_cache;
+	if (cache_addr == NULL) {
+		goto errout;
+	}
+
+	memset(cache_addr->addr_data.addr, 0, sizeof(cache_addr->addr_data.addr));
+
+	if (cname) {
+		safe_strncpy(cache_addr->addr_data.cname, cname, DNS_MAX_CNAME_LEN);
+		cache_addr->addr_data.cname_ttl = cname_ttl;
+	}
+
+	cache_addr->head.cache_flag = cache_flag;
+	cache_addr->addr_data.soa = 1;
+	cache_addr->head.cache_type = CACHE_TYPE_ADDR;
+	cache_addr->head.size = sizeof(struct dns_cache_addr) - sizeof(struct dns_cache_data_head);
+errout:
+	return;
+}
+
+void dns_cache_set_data_addr(struct dns_cache_data *dns_cache, uint32_t cache_flag, char *cname, int cname_ttl,
+							 unsigned char *addr, int addr_len)
+{
+	if (dns_cache == NULL) {
+		goto errout;
+	}
+
+	struct dns_cache_addr *cache_addr = (struct dns_cache_addr *)dns_cache;
+	if (cache_addr == NULL) {
+		goto errout;
+	}
+
 	if (addr_len == DNS_RR_A_LEN) {
 		memcpy(cache_addr->addr_data.addr, addr, DNS_RR_A_LEN);
 	} else if (addr_len != DNS_RR_AAAA_LEN) {
@@ -167,16 +210,8 @@ struct dns_cache_data *dns_cache_new_data_addr(uint32_t cache_flag, char *cname,
 	cache_addr->head.cache_flag = cache_flag;
 	cache_addr->head.cache_type = CACHE_TYPE_ADDR;
 	cache_addr->head.size = sizeof(struct dns_cache_addr) - sizeof(struct dns_cache_data_head);
-
-	return (struct dns_cache_data *)cache_addr;
-
 errout:
-	if (cache_addr) {
-		free(cache_addr);
-		cache_addr = NULL;
-	}
-
-	return NULL;
+	return;
 }
 
 struct dns_cache_data *dns_cache_new_data_packet(uint32_t cache_flag, void *packet, size_t packet_len)
@@ -298,6 +333,7 @@ int dns_cache_insert(char *domain, int ttl, dns_type_t qtype, int speed, struct
 	}
 
 	if (dns_cache_head.size <= 0) {
+		dns_cache_data_free(cache_data);
 		return 0;
 	}
 
@@ -376,6 +412,48 @@ int dns_cache_get_ttl(struct dns_cache *dns_cache)
 	return ttl;
 }
 
+int dns_cache_get_cname_ttl(struct dns_cache *dns_cache) 
+{
+	time_t now;
+	int ttl = 0;
+	time(&now);
+
+	struct dns_cache_addr *cache_addr = (struct dns_cache_addr *)dns_cache_get_data(dns_cache);
+
+	if (cache_addr->head.cache_type != CACHE_TYPE_ADDR) {
+		return 0;
+	}
+
+	ttl = dns_cache->info.insert_time + cache_addr->addr_data.cname_ttl - now;
+	if (ttl < 0) {
+		return 0;
+	}
+
+	int addr_ttl = dns_cache_get_ttl(dns_cache);
+	if (ttl < addr_ttl && ttl < 0) {
+		return addr_ttl;
+	}
+
+	if (ttl < 0) {
+		return 0;
+	}
+
+	return ttl;	
+}
+
+int dns_cache_is_soa(struct dns_cache *dns_cache) 
+{
+	if (dns_cache == NULL) {
+		return 0;
+	}
+
+	struct dns_cache_addr *cache_addr = (struct dns_cache_addr *)dns_cache_get_data(dns_cache);
+	if (cache_addr->head.cache_type == CACHE_TYPE_ADDR && cache_addr->addr_data.soa) {
+		return 1;
+	}
+	return 0;
+}
+
 struct dns_cache_data *dns_cache_get_data(struct dns_cache *dns_cache)
 {
 	return dns_cache->cache_data;
@@ -467,7 +545,7 @@ void dns_cache_invalidate(dns_cache_preinvalid_callback callback, int ttl_pre)
 		}
 
 		if (ttl < 0) {
-			if (dns_cache_head.enable_inactive) {
+			if (dns_cache_head.enable_inactive && (dns_cache_is_soa(dns_cache) == 0)) {
 				_dns_cache_move_inactive(dns_cache);
 			} else {
 				_dns_cache_remove(dns_cache);

src/dns_cache.h

@@ -62,6 +62,7 @@ struct dns_cache_addr {
 	struct dns_cache_data_head head;
 	struct dns_cache_addr_data {
 		unsigned int cname_ttl;
+		char soa;
 		char cname[DNS_MAX_CNAME_LEN];
 		union {
 			unsigned char ipv4_addr[DNS_RR_A_LEN];
@@ -116,9 +117,6 @@ uint32_t dns_cache_get_cache_flag(struct dns_cache_data *cache_data);
 
 void dns_cache_data_free(struct dns_cache_data *data);
 
-struct dns_cache_data *dns_cache_new_data_addr(uint32_t cache_flag, char *cname, int cname_ttl, unsigned char *addr,
-											   int addr_len);
-
 struct dns_cache_data *dns_cache_new_data_packet(uint32_t cache_flag, void *packet, size_t packet_len);
 
 int dns_cache_init(int size, int enable_inactive, int inactive_list_expired);
@@ -145,8 +143,19 @@ void dns_cache_invalidate(dns_cache_preinvalid_callback callback, int ttl_pre);
 
 int dns_cache_get_ttl(struct dns_cache *dns_cache);
 
+int dns_cache_get_cname_ttl(struct dns_cache *dns_cache);
+
+int dns_cache_is_soa(struct dns_cache *dns_cache);
+
+struct dns_cache_data *dns_cache_new_data(void);
+
 struct dns_cache_data *dns_cache_get_data(struct dns_cache *dns_cache);
 
+void dns_cache_set_data_addr(struct dns_cache_data *dns_cache, uint32_t cache_flag, char *cname, int cname_ttl,
+							 unsigned char *addr, int addr_len);
+
+void dns_cache_set_data_soa(struct dns_cache_data *dns_cache, int32_t cache_flag, char *cname, int cname_ttl);
+
 void dns_cache_destroy(void);
 
 int dns_cache_load(const char *file);

src/dns_client.c

@@ -184,6 +184,9 @@ struct dns_client {
 	struct list_head dns_server_list;
 	struct dns_server_group *default_group;
 
+	SSL_CTX *ssl_ctx;
+	int ssl_verify_skip;
+
 	/* query list */
 	pthread_mutex_t dns_request_lock;
 	struct list_head dns_request_list;
@@ -253,6 +256,9 @@ static int dns_client_has_bootstrap_dns = 0;
 int _ssl_read(struct dns_server_info *server, void *buff, int num)
 {
 	int ret = 0;
+	if (server == NULL || buff == NULL) {
+		return SSL_ERROR_SYSCALL;
+	}
 	pthread_mutex_lock(&server->lock);
 	ret = SSL_read(server->ssl, buff, num);
 	pthread_mutex_unlock(&server->lock);
@@ -262,6 +268,10 @@ int _ssl_read(struct dns_server_info *server, void *buff, int num)
 int _ssl_write(struct dns_server_info *server, const void *buff, int num)
 {
 	int ret = 0;
+	if (server == NULL || buff == NULL || server->ssl == NULL) {
+		return SSL_ERROR_SYSCALL;
+	}
+
 	pthread_mutex_lock(&server->lock);
 	ret = SSL_write(server->ssl, buff, num);
 	pthread_mutex_unlock(&server->lock);
@@ -271,6 +281,10 @@ int _ssl_write(struct dns_server_info *server, const void *buff, int num)
 int _ssl_shutdown(struct dns_server_info *server)
 {
 	int ret = 0;
+	if (server == NULL || server->ssl == NULL) {
+		return SSL_ERROR_SYSCALL;
+	}
+
 	pthread_mutex_lock(&server->lock);
 	ret = SSL_shutdown(server->ssl);
 	pthread_mutex_unlock(&server->lock);
@@ -280,6 +294,10 @@ int _ssl_shutdown(struct dns_server_info *server)
 int _ssl_get_error(struct dns_server_info *server, int ret)
 {
 	int err = 0;
+	if (server == NULL || server->ssl == NULL) {
+		return SSL_ERROR_SYSCALL;
+	}
+
 	pthread_mutex_lock(&server->lock);
 	err = SSL_get_error(server->ssl, ret);
 	pthread_mutex_unlock(&server->lock);
@@ -289,6 +307,10 @@ int _ssl_get_error(struct dns_server_info *server, int ret)
 int _ssl_do_handshake(struct dns_server_info *server)
 {
 	int err = 0;
+	if (server == NULL || server->ssl == NULL) {
+		return SSL_ERROR_SYSCALL;
+	}
+
 	pthread_mutex_lock(&server->lock);
 	err = SSL_do_handshake(server->ssl);
 	pthread_mutex_unlock(&server->lock);
@@ -298,6 +320,10 @@ int _ssl_do_handshake(struct dns_server_info *server)
 int _ssl_session_reused(struct dns_server_info *server)
 {
 	int err = 0;
+	if (server == NULL || server->ssl == NULL) {
+		return SSL_ERROR_SYSCALL;
+	}
+
 	pthread_mutex_lock(&server->lock);
 	err = SSL_session_reused(server->ssl);
 	pthread_mutex_unlock(&server->lock);
@@ -307,6 +333,10 @@ int _ssl_session_reused(struct dns_server_info *server)
 SSL_SESSION *_ssl_get1_session(struct dns_server_info *server)
 {
 	SSL_SESSION *ret = 0;
+	if (server == NULL || server->ssl == NULL) {
+		return NULL;
+	}
+
 	pthread_mutex_lock(&server->lock);
 	ret = SSL_get1_session(server->ssl);
 	pthread_mutex_unlock(&server->lock);
@@ -407,6 +437,10 @@ static struct dns_server_info *_dns_client_get_server(char *server_ip, int port,
 	struct dns_server_info *server_info, *tmp;
 	struct dns_server_info *server_info_return = NULL;
 
+	if (server_ip == NULL) {
+		return NULL;
+	}
+
 	pthread_mutex_lock(&client.server_list_lock);
 	list_for_each_entry_safe(server_info, tmp, &client.dns_server_list, list)
 	{
@@ -509,6 +543,10 @@ static int _dns_client_add_to_pending_group(char *group_name, char *server_ip, i
 	struct dns_server_pending *pending = NULL;
 	struct dns_server_pending_group *group = NULL;
 
+	if (group_name == NULL || server_ip == NULL) {
+		goto errout;
+	}
+
 	pthread_mutex_lock(&pending_server_mutex);
 	list_for_each_entry_safe(item, tmp, &pending_servers, list)
 	{
@@ -550,6 +588,10 @@ static int _dns_client_add_to_group_pending(char *group_name, char *server_ip, i
 {
 	struct dns_server_info *server_info = NULL;
 
+	if (group_name == NULL || server_ip == NULL) {
+		return -1;
+	}
+
 	server_info = _dns_client_get_server(server_ip, port, server_type);
 	if (server_info == NULL) {
 		if (ispending == 0) {
@@ -630,6 +672,10 @@ int dns_client_add_group(char *group_name)
 	unsigned long key;
 	struct dns_server_group *group = NULL;
 
+	if (group_name == NULL) {
+		return -1;
+	}
+
 	if (_dns_client_get_group(group_name) != NULL) {
 		tlog(TLOG_ERROR, "add group %s failed, group already exists", group_name);
 		return -1;
@@ -661,6 +707,10 @@ static int _dns_client_remove_group(struct dns_server_group *group)
 	struct dns_server_group_member *group_member;
 	struct dns_server_group_member *tmp;
 
+	if (group == NULL) {
+		return 0;
+	}
+
 	list_for_each_entry_safe(group_member, tmp, &group->head, list)
 	{
 		_dns_client_remove_member(group_member);
@@ -678,6 +728,10 @@ int dns_client_remove_group(char *group_name)
 	struct dns_server_group *group = NULL;
 	struct hlist_node *tmp = NULL;
 
+	if (group_name == NULL) {
+		return -1;
+	}
+
 	key = hash_string(group_name);
 	hash_for_each_possible_safe(client.group, group, tmp, node, key)
 	{
@@ -786,6 +840,10 @@ static int _dns_client_set_trusted_cert(SSL_CTX *ssl_ctx)
 	char *capath = NULL;
 	int cert_path_set = 0;
 
+	if (ssl_ctx == NULL) {
+		return -1;
+	}
+
 	if (dns_conf_ca_file[0]) {
 		cafile = dns_conf_ca_file;
 	}
@@ -796,15 +854,19 @@ static int _dns_client_set_trusted_cert(SSL_CTX *ssl_ctx)
 
 	if (cafile == NULL && capath == NULL) {
 		if (SSL_CTX_set_default_verify_paths(ssl_ctx)) {
+			cert_path_set = 1;
+		}
+
+		const STACK_OF(X509_NAME) *cas = SSL_CTX_get_client_CA_list(ssl_ctx);
+		if (cas && sk_X509_NAME_num(cas) == 0) {
 			cafile = "/etc/ssl/certs/ca-certificates.crt";
 			capath = "/etc/ssl/certs";
-		} else {
-			cert_path_set = 1;
+			cert_path_set = 0;
 		}
 	}
 
 	if (cert_path_set == 0) {
-		if (!SSL_CTX_load_verify_locations(ssl_ctx, cafile, capath)) {
+		if (SSL_CTX_load_verify_locations(ssl_ctx, cafile, capath) == 0) {
 			tlog(TLOG_WARN, "load certificate from %s:%s failed.", cafile, capath);
 			return -1;
 		}
@@ -813,6 +875,47 @@ static int _dns_client_set_trusted_cert(SSL_CTX *ssl_ctx)
 	return 0;
 }
 
+SSL_CTX *_ssl_ctx_get(void)
+{
+	pthread_mutex_lock(&client.server_list_lock);
+	SSL_CTX *ssl_ctx = client.ssl_ctx;
+	if (ssl_ctx) {
+		pthread_mutex_unlock(&client.server_list_lock);
+		return ssl_ctx;
+	}
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+	ssl_ctx = SSL_CTX_new(TLS_client_method());
+#else
+	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif
+
+	if (ssl_ctx == NULL) {
+		tlog(TLOG_ERROR, "init ssl failed.");
+		goto errout;
+	}
+
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+	SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT);
+	SSL_CTX_sess_set_cache_size(ssl_ctx, DNS_MAX_SERVERS);
+	if (_dns_client_set_trusted_cert(ssl_ctx) != 0) {
+		SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);
+		client.ssl_verify_skip = 1;
+	}
+
+	client.ssl_ctx = ssl_ctx;
+	pthread_mutex_unlock(&client.server_list_lock);
+	return client.ssl_ctx;
+errout:
+	
+	pthread_mutex_unlock(&client.server_list_lock);
+	if (ssl_ctx) {
+		SSL_CTX_free(ssl_ctx);
+	}
+
+	return NULL;
+}
+
 /* add dns server information */
 static int _dns_client_server_add(char *server_ip, char *server_host, int port, dns_server_type_t server_type,
 								  struct client_dns_server_flags *flags)
@@ -914,24 +1017,14 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
 
 	/* if server type is TLS, create ssl context */
 	if (server_type == DNS_SERVER_TLS || server_type == DNS_SERVER_HTTPS) {
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-		server_info->ssl_ctx = SSL_CTX_new(TLS_client_method());
-#else
-		server_info->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
-#endif
-
+		server_info->ssl_ctx = _ssl_ctx_get();
 		if (server_info->ssl_ctx == NULL) {
 			tlog(TLOG_ERROR, "init ssl failed.");
 			goto errout;
 		}
 
-		SSL_CTX_set_options(server_info->ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-		SSL_CTX_set_session_cache_mode(server_info->ssl_ctx, SSL_SESS_CACHE_CLIENT);
-		SSL_CTX_sess_set_cache_size(server_info->ssl_ctx, 32);
-		if (_dns_client_set_trusted_cert(server_info->ssl_ctx) != 0) {
-			tlog(TLOG_WARN, "disable check certificate for %s.", server_info->ip);
+		if (client.ssl_verify_skip) {
 			server_info->skip_check_cert = 1;
-			SSL_CTX_set_verify(server_info->ssl_ctx, SSL_VERIFY_NONE, NULL);
 		}
 	}
 
@@ -976,11 +1069,6 @@ errout:
 			fast_ping_stop(server_info->ping_host);
 		}
 
-		if (server_info->ssl_ctx) {
-			SSL_CTX_free(server_info->ssl_ctx);
-			server_info->ssl_ctx = NULL;
-		}
-
 		pthread_mutex_destroy(&server_info->lock);
 		free(server_info);
 	}
@@ -1066,10 +1154,7 @@ static void _dns_client_server_close(struct dns_server_info *server_info)
 		server_info->ssl_session = NULL;
 	}
 
-	if (server_info->ssl_ctx) {
-		SSL_CTX_free(server_info->ssl_ctx);
-		server_info->ssl_ctx = NULL;
-	}
+	server_info->ssl_ctx = NULL;
 }
 
 /* remove all servers information */
@@ -1663,19 +1748,19 @@ static int _DNS_client_create_socket_tls(struct dns_server_info *server_info, ch
 	const int ip_tos = SOCKET_IP_TOS;
 
 	if (server_info->ssl_ctx == NULL) {
-		tlog(TLOG_ERROR, "create ssl ctx failed.");
+		tlog(TLOG_ERROR, "create ssl ctx failed, %s", server_info->ip);
 		goto errout;
 	}
 
 	ssl = SSL_new(server_info->ssl_ctx);
 	if (ssl == NULL) {
-		tlog(TLOG_ERROR, "new ssl failed.");
+		tlog(TLOG_ERROR, "new ssl failed, %s", server_info->ip);
 		goto errout;
 	}
 
 	fd = socket(server_info->ai_family, SOCK_STREAM, 0);
 	if (fd < 0) {
-		tlog(TLOG_ERROR, "create socket failed.");
+		tlog(TLOG_ERROR, "create socket failed, %s", strerror(errno));
 		goto errout;
 	}
 
@@ -2307,7 +2392,7 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
 			pthread_mutex_unlock(&server_info->lock);
 			peer_CN[0] = '\0';
 			_dns_client_tls_get_cert_CN(cert, peer_CN, sizeof(peer_CN));
-			tlog(TLOG_WARN, "peer server %s certificate verify failed", server_info->ip);
+			tlog(TLOG_WARN, "peer server %s certificate verify failed, ret = %ld", server_info->ip, res);
 			tlog(TLOG_WARN, "peer CN: %s", peer_CN);
 			goto errout;
 		}
@@ -2577,7 +2662,7 @@ static int _dns_client_send_tcp(struct dns_server_info *server_info, void *packe
 			/* save data to buffer, and retry when EPOLLOUT is available */
 			return _dns_client_send_data_to_buffer(server_info, inpacket, len);
 		} else if (errno == EPIPE) {
-			shutdown(server_info->fd, SHUT_RDWR);
+			_dns_client_shutdown_socket(server_info);
 		}
 		return -1;
 	} else if (send_len < len) {
@@ -2621,7 +2706,7 @@ static int _dns_client_send_tls(struct dns_server_info *server_info, void *packe
 			/* save data to buffer, and retry when EPOLLOUT is available */
 			return _dns_client_send_data_to_buffer(server_info, inpacket, len);
 		} else if (server_info->ssl && errno != ENOMEM) {
-			SSL_shutdown(server_info->ssl);
+			_dns_client_shutdown_socket(server_info);
 		}
 		return -1;
 	} else if (send_len < len) {
@@ -2672,7 +2757,7 @@ static int _dns_client_send_https(struct dns_server_info *server_info, void *pac
 			/* save data to buffer, and retry when EPOLLOUT is available */
 			return _dns_client_send_data_to_buffer(server_info, inpacket, http_len);
 		} else if (server_info->ssl && errno != ENOMEM) {
-			_ssl_shutdown(server_info);
+			_dns_client_shutdown_socket(server_info);
 		}
 		return -1;
 	} else if (send_len < http_len) {
@@ -2691,15 +2776,19 @@ static int _dns_client_send_packet(struct dns_query_struct *query, void *packet,
 	int ret = 0;
 	int send_err = 0;
 	int i = 0;
+	int total_server = 0;
 
 	query->send_tick = get_tick_count();
 
 	/* send query to all dns servers */
 	for (i = 0; i < 2; i++) {
+		total_server = 0;
 		pthread_mutex_lock(&client.server_list_lock);
 		list_for_each_entry_safe(group_member, tmp, &query->server_group->head, list)
 		{
 			server_info = group_member->server;
+			total_server++;
+			tlog(TLOG_DEBUG, "send query to server %s", server_info->ip);
 			if (server_info->fd <= 0) {
 				ret = _dns_client_create_socket(server_info);
 				if (ret != 0) {
@@ -2765,7 +2854,7 @@ static int _dns_client_send_packet(struct dns_query_struct *query, void *packet,
 	}
 
 	if (atomic_read(&query->dns_request_sent) <= 0) {
-		tlog(TLOG_ERROR, "Send query to upstream server failed.");
+		tlog(TLOG_ERROR, "Send query to upstream server failed, total server number %d", total_server);
 		return -1;
 	}
 
@@ -2851,6 +2940,10 @@ int dns_client_query(char *domain, int qtype, dns_client_callback callback, void
 	int ret = 0;
 	uint32_t key = 0;
 
+	if (domain == NULL) {
+		goto errout;
+	}
+
 	query = malloc(sizeof(*query));
 	if (query == NULL) {
 		goto errout;
@@ -3045,6 +3138,7 @@ static void _dns_client_add_pending_servers(void)
 			if (add_success == 0) {
 				tlog(TLOG_WARN, "add pending DNS server %s failed.", pending->host);
 			}
+			list_del_init(&pending->list);
 			_dns_client_server_pending_release_lck(pending);
 		} else {
 			tlog(TLOG_DEBUG, "add pending DNS server %s failed, retry %d...", pending->host, pending->retry_cnt);
@@ -3247,4 +3341,8 @@ void dns_client_exit(void)
 
 	pthread_mutex_destroy(&client.server_list_lock);
 	pthread_mutex_destroy(&client.domain_map_lock);
+	if (client.ssl_ctx) {
+		SSL_CTX_free(client.ssl_ctx);
+		client.ssl_ctx = NULL;
+	}
 }

src/dns_conf.c

@@ -37,6 +37,8 @@ struct dns_ipset_table {
 };
 static struct dns_ipset_table dns_ipset_table;
 
+struct dns_qtype_soa_table dns_qtype_soa_table;
+
 /* dns groups */
 struct dns_group_table dns_group_table;
 
@@ -482,7 +484,7 @@ errout:
 	return -1;
 }
 
-static int _config_domain_rule_flag_set(char *domain, unsigned int flag)
+static int _config_domain_rule_flag_set(char *domain, unsigned int flag, unsigned int is_clear)
 {
 	struct dns_domain_rule *domain_rule = NULL;
 	struct dns_domain_rule *old_domain_rule = NULL;
@@ -516,12 +518,18 @@ static int _config_domain_rule_flag_set(char *domain, unsigned int flag)
 	/* add new rule to domain */
 	if (domain_rule->rules[DOMAIN_RULE_FLAGS] == NULL) {
 		rule_flags = malloc(sizeof(*rule_flags));
+		memset(rule_flags, 0, sizeof(*rule_flags));
 		rule_flags->flags = 0;
 		domain_rule->rules[DOMAIN_RULE_FLAGS] = rule_flags;
 	}
 
 	rule_flags = domain_rule->rules[DOMAIN_RULE_FLAGS];
-	rule_flags->flags |= flag;
+	if (is_clear == false) {
+		rule_flags->flags |= flag;
+	} else {
+		rule_flags->flags &= ~flag;
+	}
+	rule_flags->is_flag_set |= flag;
 
 	/* update domain rule */
 	if (add_domain_rule) {
@@ -589,11 +597,40 @@ static int _conf_domain_rule_ipset(char *domain, const char *ipsetname)
 {
 	struct dns_ipset_rule *ipset_rule = NULL;
 	const char *ipset = NULL;
+	char *copied_name = NULL;
+	enum domain_rule type;
+	int ignore_flag;
+
+	copied_name = strdup(ipsetname);
+
+	if (copied_name == NULL) {
+		goto errout;
+	}
+
+	for (char *tok = strtok(copied_name, ","); tok; tok = strtok(NULL, ",")) {
+		if (tok[0] == '#') {
+			if (strncmp(tok, "#6:", 3u) == 0) {
+				type = DOMAIN_RULE_IPSET_IPV6;
+				ignore_flag = DOMAIN_FLAG_IPSET_IPV6_IGN;
+			} else if (strncmp(tok, "#4:", 3u) == 0) {
+				type = DOMAIN_RULE_IPSET_IPV4;
+				ignore_flag = DOMAIN_FLAG_IPSET_IPV4_IGN;
+			} else {
+				goto errout;
+			}
+			tok += 3;
+		} else {
+			type = DOMAIN_RULE_IPSET;
+			ignore_flag = DOMAIN_FLAG_IPSET_IGN;
+		}
+
+		if (strncmp(tok, "-", 1) == 0) {
+			_config_domain_rule_flag_set(domain, ignore_flag, 0);
+			continue;
+		}
 
-	/* Process domain option */
-	if (strncmp(ipsetname, "-", sizeof("-")) != 0) {
 		/* new ipset domain */
-		ipset = _dns_conf_get_ipset(ipsetname);
+		ipset = _dns_conf_get_ipset(tok);
 		if (ipset == NULL) {
 			goto errout;
 		}
@@ -604,26 +641,26 @@ static int _conf_domain_rule_ipset(char *domain, const char *ipsetname)
 		}
 
 		ipset_rule->ipsetname = ipset;
-	} else {
-		/* ignore this domain */
-		if (_config_domain_rule_flag_set(domain, DOMAIN_FLAG_IPSET_IGNORE) != 0) {
+
+		if (_config_domain_rule_add(domain, type, ipset_rule) != 0) {
 			goto errout;
 		}
-
-		return 0;
 	}
 
-	if (_config_domain_rule_add(domain, DOMAIN_RULE_IPSET, ipset_rule) != 0) {
-		goto errout;
-	}
+	goto clear;
 
-	return 0;
 errout:
+	tlog(TLOG_ERROR, "add ipset %s failed", ipsetname);
+
 	if (ipset_rule) {
 		free(ipset_rule);
 	}
 
-	tlog(TLOG_ERROR, "add ipset %s failed", ipsetname);
+clear:
+	if (copied_name) {
+		free(copied_name);
+	}
+
 	return 0;
 }
 
@@ -670,7 +707,7 @@ static int _conf_domain_rule_address(char *domain, const char *domain_address)
 		}
 
 		/* add SOA rule */
-		if (_config_domain_rule_flag_set(domain, flag) != 0) {
+		if (_config_domain_rule_flag_set(domain, flag, 0) != 0) {
 			goto errout;
 		}
 
@@ -687,7 +724,7 @@ static int _conf_domain_rule_address(char *domain, const char *domain_address)
 		}
 
 		/* ignore rule */
-		if (_config_domain_rule_flag_set(domain, flag) != 0) {
+		if (_config_domain_rule_flag_set(domain, flag, 0) != 0) {
 			goto errout;
 		}
 
@@ -1008,7 +1045,7 @@ static int _conf_domain_rule_nameserver(char *domain, const char *group_name)
 		nameserver_rule->group_name = group;
 	} else {
 		/* ignore this domain */
-		if (_config_domain_rule_flag_set(domain, DOMAIN_FLAG_NAMESERVER_IGNORE) != 0) {
+		if (_config_domain_rule_flag_set(domain, DOMAIN_FLAG_NAMESERVER_IGNORE, 0) != 0) {
 			goto errout;
 		}
 
@@ -1029,6 +1066,26 @@ errout:
 	return 0;
 }
 
+static int _conf_domain_rule_dualstack_selection(char *domain, const char *yesno)
+{
+	if (strncmp(yesno, "yes", sizeof("yes")) == 0 || strncmp(yesno, "Yes", sizeof("Yes")) == 0) {
+		if (_config_domain_rule_flag_set(domain, DOMAIN_FLAG_DUALSTACK_SELECT, 0) != 0) {
+			goto errout;
+		}
+	} else {
+		/* ignore this domain */
+		if (_config_domain_rule_flag_set(domain, DOMAIN_FLAG_DUALSTACK_SELECT, 1) != 0) {
+			goto errout;
+		}
+	}
+
+	return 0;
+
+errout:
+	tlog(TLOG_ERROR, "set dualstack for %s failed. ", domain);
+	return 1;
+}
+
 static int _config_nameserver(void *data, int argc, char *argv[])
 {
 	char domain[DNS_MAX_CONF_CNAME_LEN];
@@ -1116,6 +1173,42 @@ static int _config_iplist_rule(char *subnet, enum address_rule rule)
 	return 0;
 }
 
+static int _config_qtype_soa(void *data, int argc, char *argv[])
+{
+	struct dns_qtype_soa_list *soa_list;
+	if (argc <= 1) {
+		return -1;
+	}
+
+	for (int i = 1; i < argc; i++) {
+		soa_list = malloc(sizeof(*soa_list));
+		if (soa_list == NULL) {
+			tlog(TLOG_ERROR, "cannot malloc memory");
+			return -1;
+		}
+
+		memset(soa_list, 0, sizeof(*soa_list));
+		soa_list->qtypeid = atol(argv[i]);
+		uint32_t key = hash_32_generic(soa_list->qtypeid, 32);
+		hash_add(dns_qtype_soa_table.qtype, &soa_list->node, key);
+	}
+
+	return 0;
+}
+
+static void _config_qtype_soa_table_destroy(void)
+{
+	struct dns_qtype_soa_list *soa_list = NULL;
+	struct hlist_node *tmp = NULL;
+	int i;
+
+	hash_for_each_safe(dns_qtype_soa_table.qtype, i, tmp, soa_list, node)
+	{
+		hlist_del_init(&soa_list->node);
+		free(soa_list);
+	}
+}
+
 static int _config_blacklist_ip(void *data, int argc, char *argv[])
 {
 	if (argc <= 1) {
@@ -1239,6 +1332,7 @@ static int _conf_domain_rules(void *data, int argc, char *argv[])
 		{"address", required_argument, NULL, 'a'},
 		{"ipset", required_argument, NULL, 'p'},
 		{"nameserver", required_argument, NULL, 'n'},
+		{"dualstack-ip-selection", required_argument, NULL, 'd'},
 		{NULL, no_argument, NULL, 0}
 	};
 	/* clang-format on */
@@ -1255,7 +1349,7 @@ static int _conf_domain_rules(void *data, int argc, char *argv[])
 	/* process extra options */
 	optind = 1;
 	while (1) {
-		opt = getopt_long_only(argc, argv, "", long_options, NULL);
+		opt = getopt_long_only(argc, argv, "c:a:p:n:d:", long_options, NULL);
 		if (opt == -1) {
 			break;
 		}
@@ -1313,6 +1407,15 @@ static int _conf_domain_rules(void *data, int argc, char *argv[])
 
 			break;
 		}
+		case 'd': {
+			const char *yesno = optarg;
+			if (_conf_domain_rule_dualstack_selection(domain, yesno) != 0) {
+				tlog(TLOG_ERROR, "set dualstack selection rule failed.");
+				goto errout;
+			}
+
+			break;
+		}
 		default:
 			break;
 		}
@@ -1383,6 +1486,7 @@ static struct config_item _config_item[] = {
 	CONF_INT("rr-ttl-min", &dns_conf_rr_ttl_min, 0, CONF_INT_MAX),
 	CONF_INT("rr-ttl-max", &dns_conf_rr_ttl_max, 0, CONF_INT_MAX),
 	CONF_YESNO("force-AAAA-SOA", &dns_conf_force_AAAA_SOA),
+	CONF_CUSTOM("force-qtype-SOA", _config_qtype_soa, NULL),
 	CONF_CUSTOM("blacklist-ip", _config_blacklist_ip, NULL),
 	CONF_CUSTOM("whitelist-ip", _conf_whitelist_ip, NULL),
 	CONF_CUSTOM("bogus-nxdomain", _conf_bogus_nxdomain, NULL),
@@ -1419,8 +1523,14 @@ int config_addtional_file(void *data, int argc, char *argv[])
 	if (conf_file[0] != '/') {
 		safe_strncpy(file_path_dir, conf_get_conf_file(), DNS_MAX_PATH);
 		dirname(file_path_dir);
-		if (snprintf(file_path, DNS_MAX_PATH, "%s/%s", file_path_dir, conf_file) < 0) {
-			return -1;
+		if (strncmp(file_path_dir, conf_get_conf_file(), sizeof(file_path_dir)) == 0) {
+			if (snprintf(file_path, DNS_MAX_PATH, "%s", conf_file) < 0) {
+				return -1;
+			}
+		} else {
+			if (snprintf(file_path, DNS_MAX_PATH, "%s/%s", file_path_dir, conf_file) < 0) {
+				return -1;
+			}
 		}
 	} else {
 		safe_strncpy(file_path, conf_file, DNS_MAX_PATH);
@@ -1447,6 +1557,7 @@ static int _dns_server_load_conf_init(void)
 	art_tree_init(&dns_conf_domain_rule);
 
 	hash_init(dns_ipset_table.ipset);
+	hash_init(dns_qtype_soa_table.qtype);
 	hash_init(dns_group_table.group);
 
 	return 0;
@@ -1459,6 +1570,7 @@ void dns_server_load_exit(void)
 	Destroy_Radix(dns_conf_address_rule.ipv6, _config_address_destroy, NULL);
 	_config_ipset_table_destroy();
 	_config_group_table_destroy();
+	_config_qtype_soa_table_destroy();
 }
 
 static int _dns_conf_speed_check_mode_verify(void)

src/dns_conf.h

@@ -56,6 +56,8 @@ enum domain_rule {
 	DOMAIN_RULE_ADDRESS_IPV4,
 	DOMAIN_RULE_ADDRESS_IPV6,
 	DOMAIN_RULE_IPSET,
+	DOMAIN_RULE_IPSET_IPV4,
+	DOMAIN_RULE_IPSET_IPV6,
 	DOMAIN_RULE_NAMESERVER,
 	DOMAIN_RULE_CHECKSPEED,
 	DOMAIN_RULE_MAX,
@@ -78,8 +80,11 @@ typedef enum {
 #define DOMAIN_FLAG_ADDR_IGN (1 << 3)
 #define DOMAIN_FLAG_ADDR_IPV4_IGN (1 << 4)
 #define DOMAIN_FLAG_ADDR_IPV6_IGN (1 << 5)
-#define DOMAIN_FLAG_IPSET_IGNORE (1 << 6)
-#define DOMAIN_FLAG_NAMESERVER_IGNORE (1 << 7)
+#define DOMAIN_FLAG_IPSET_IGN (1 << 6)
+#define DOMAIN_FLAG_IPSET_IPV4_IGN (1 << 7)
+#define DOMAIN_FLAG_IPSET_IPV6_IGN (1 << 8)
+#define DOMAIN_FLAG_NAMESERVER_IGNORE (1 << 9)
+#define DOMAIN_FLAG_DUALSTACK_SELECT (1 << 10)
 
 #define SERVER_FLAG_EXCLUDE_DEFAULT (1 << 0)
 
@@ -95,6 +100,7 @@ typedef enum {
 
 struct dns_rule_flags {
 	unsigned int flags;
+	unsigned int is_flag_set;
 };
 
 struct dns_address_IPV4 {
@@ -197,6 +203,16 @@ struct dns_bind_ip {
 	const char *group;
 };
 
+struct dns_qtype_soa_list {
+	struct hlist_node node;
+	uint32_t qtypeid;
+};
+
+struct dns_qtype_soa_table {
+	DECLARE_HASHTABLE(qtype, 8);
+};
+extern struct dns_qtype_soa_table dns_qtype_soa_table;
+
 extern struct dns_bind_ip dns_conf_bind_ip[DNS_MAX_BIND_IP];
 extern int dns_conf_bind_ip_num;
 

src/dns_server.c

@@ -258,6 +258,21 @@ static int _dns_server_epoll_ctl(struct dns_server_conn_head *head, int op, uint
 
 static void _dns_server_set_dualstack_selection(struct dns_request *request)
 {
+	struct dns_rule_flags *rule_flag = NULL;
+
+	rule_flag = request->domain_rule.rules[DOMAIN_RULE_FLAGS];
+	if (rule_flag) {
+		if (rule_flag->flags & DOMAIN_FLAG_DUALSTACK_SELECT) {
+			request->dualstack_selection = 1;
+			return;
+		}
+
+		if (rule_flag->is_flag_set & DOMAIN_FLAG_DUALSTACK_SELECT) {
+			request->dualstack_selection = 0;
+			return;
+		}
+	}
+
 	if (_dns_server_has_bind_flag(request, BIND_FLAG_NO_DUALSTACK_SELECTION) == 0) {
 		request->dualstack_selection = 0;
 		return;
@@ -571,6 +586,7 @@ static int _dns_reply(struct dns_request *request)
 	}
 
 	/* send request */
+	atomic_inc_return(&request->notified);
 	return _dns_reply_inpacket(request, inpacket, encode_len);
 }
 
@@ -666,7 +682,7 @@ static int _dns_server_reply_SOA(int rcode, struct dns_request *request)
 /* add ip to specific ipset */
 static int _dns_setup_ipset(struct dns_request *request)
 {
-	struct dns_ipset_rule *ipset_rule = NULL;
+	struct dns_ipset_rule *rule = NULL, *ipset_rule = NULL, *ipset_rule_v4 = NULL, *ipset_rule_v6 = NULL;
 	struct dns_rule_flags *rule_flags = NULL;
 	int ret = 0;
 
@@ -676,32 +692,56 @@ static int _dns_setup_ipset(struct dns_request *request)
 
 	/* check ipset rule */
 	rule_flags = request->domain_rule.rules[DOMAIN_RULE_FLAGS];
-	if (rule_flags) {
-		if (rule_flags->flags & DOMAIN_FLAG_IPSET_IGNORE) {
-			return 0;
-		}
+	if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IGN) == 0) {
+		ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
+	}
+	if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IPV4_IGN) == 0) {
+		ipset_rule_v4 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV4];
+	}
+	if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IPV6_IGN) == 0) {
+		ipset_rule_v6 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV6];
 	}
 
-	ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
-	if (ipset_rule == NULL) {
+	if (!(ipset_rule || ipset_rule_v4 || ipset_rule_v6)) {
 		return 0;
 	}
 
 	/* add IPV4 to ipset */
 	if (request->has_ipv4 && request->qtype == DNS_T_A) {
-		ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+		rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
+		if (rule) {
+			ret |= ipset_add(rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+			tlog(TLOG_DEBUG, "IPSET-MATCH: domain:%s, ipset:%s, IP: %d.%d.%d.%d, result: %d", request->domain,
+				 rule->ipsetname, request->ipv4_addr[0], request->ipv4_addr[1], request->ipv4_addr[2],
+				 request->ipv4_addr[3], ret);
+		}
 	}
 
 	/* add IPV6 to ipset */
 	if (request->has_ipv6 && request->qtype == DNS_T_AAAA) {
 		if (request->has_ipv4) {
-			ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+			rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
+			if (rule) {
+				ret |= ipset_add(rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+				tlog(TLOG_DEBUG, "IPSET-MATCH: domain:%s, ipset:%s, IP: %d.%d.%d.%d, result: %d", request->domain,
+					 rule->ipsetname, request->ipv4_addr[0], request->ipv4_addr[1], request->ipv4_addr[2],
+					 request->ipv4_addr[3], ret);
+			}
+		}
+		rule = ipset_rule_v6 ? ipset_rule_v6 : ipset_rule;
+		if (rule) {
+			ret |= ipset_add(rule->ipsetname, request->ipv6_addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
+			tlog(TLOG_DEBUG,
+				 "IPSET-MATCH: domain:%s, ipset:%s, IP: "
+				 "%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x, result: %d",
+				 request->domain, rule->ipsetname, request->ipv6_addr[0], request->ipv6_addr[1], request->ipv6_addr[2],
+				 request->ipv6_addr[3], request->ipv6_addr[4], request->ipv6_addr[5], request->ipv6_addr[6],
+				 request->ipv6_addr[7], request->ipv6_addr[8], request->ipv6_addr[9], request->ipv6_addr[10],
+				 request->ipv6_addr[11], request->ipv6_addr[12], request->ipv6_addr[13], request->ipv6_addr[14],
+				 request->ipv6_addr[15], ret);
 		}
-		ret |= ipset_add(ipset_rule->ipsetname, request->ipv6_addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
 	}
 
-	tlog(TLOG_DEBUG, "IPSET-MATCH: domain:%s, ipset:%s, result: %d", request->domain, ipset_rule->ipsetname, ret);
-
 	return ret;
 }
 
@@ -721,6 +761,10 @@ static int _dns_server_request_update_cache(struct dns_request *request, dns_typ
 		goto errout;
 	}
 
+	if (request->has_soa) {
+		ttl = dns_conf_rr_ttl;
+	}
+
 	/* if doing prefetch, update cache only */
 	if (request->prefetch) {
 		if (dns_cache_replace(request->domain, ttl, qtype, speed, cache_data) != 0) {
@@ -744,7 +788,7 @@ errout:
 static int _dns_server_request_complete_A(struct dns_request *request)
 {
 	char *cname = NULL;
-	int cname_ttl = 0;
+	int cname_ttl = dns_conf_rr_ttl;
 	struct dns_cache_data *cache_data = NULL;
 
 	if (request->has_cname) {
@@ -752,27 +796,29 @@ static int _dns_server_request_complete_A(struct dns_request *request)
 		cname_ttl = request->ttl_cname;
 	}
 
-	if (request->has_ipv4 == 0) {
-		return 0;
+	cache_data = dns_cache_new_data();
+	if (cache_data == NULL) {
+		goto errout;
 	}
 
-	tlog(TLOG_INFO, "result: %s, rcode: %d,  %d.%d.%d.%d\n", request->domain, request->rcode, request->ipv4_addr[0],
-		 request->ipv4_addr[1], request->ipv4_addr[2], request->ipv4_addr[3]);
+	if (request->has_ipv4 != 0) {
+		tlog(TLOG_INFO, "result: %s, rcode: %d,  %d.%d.%d.%d\n", request->domain, request->rcode, request->ipv4_addr[0],
+			 request->ipv4_addr[1], request->ipv4_addr[2], request->ipv4_addr[3]);
 
-	request->has_soa = 0;
-	if (request->has_ping_result == 0 && request->ttl_v4 > DNS_SERVER_TMOUT_TTL) {
-		request->ttl_v4 = DNS_SERVER_TMOUT_TTL;
+		request->has_soa = 0;
+		if (request->has_ping_result == 0 && request->ttl_v4 > DNS_SERVER_TMOUT_TTL) {
+			request->ttl_v4 = DNS_SERVER_TMOUT_TTL;
+		}
+		dns_cache_set_data_addr(cache_data, request->server_flags, cname, cname_ttl, request->ipv4_addr, DNS_RR_A_LEN);
+	} else if (request->has_soa) {
+		dns_cache_set_data_soa(cache_data, request->server_flags, cname, cname_ttl);
 	}
 
 	if (_dns_server_has_bind_flag(request, BIND_FLAG_NO_CACHE) == 0) {
+		dns_cache_data_free(cache_data);
 		return 0;
 	}
 
-	cache_data = dns_cache_new_data_addr(request->server_flags, cname, cname_ttl, request->ipv4_addr, DNS_RR_A_LEN);
-	if (cache_data == NULL) {
-		goto errout;
-	}
-
 	if (_dns_server_request_update_cache(request, DNS_T_A, cache_data) != 0) {
 		goto errout;
 	}
@@ -792,7 +838,7 @@ static int _dns_server_request_complete_AAAA(struct dns_request *request)
 {
 	int ret = -1;
 	char *cname = NULL;
-	int cname_ttl = 0;
+	int cname_ttl = dns_conf_rr_ttl;
 	struct dns_cache_data *cache_data = NULL;
 
 	if (request->has_cname) {
@@ -800,6 +846,11 @@ static int _dns_server_request_complete_AAAA(struct dns_request *request)
 		cname_ttl = request->ttl_cname;
 	}
 
+	cache_data = dns_cache_new_data();
+	if (cache_data == NULL) {
+		goto errout;
+	}
+
 	if (request->has_ipv6) {
 		tlog(TLOG_INFO,
 			 "result: %s, rcode: %d,  %.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x",
@@ -814,19 +865,21 @@ static int _dns_server_request_complete_AAAA(struct dns_request *request)
 		}
 
 		/* if doing prefetch, update cache only */
-		if (_dns_server_has_bind_flag(request, BIND_FLAG_NO_CACHE) != 0) {
-			cache_data =
-				dns_cache_new_data_addr(request->server_flags, cname, cname_ttl, request->ipv6_addr, DNS_T_AAAA);
-			if (cache_data == NULL) {
-				goto errout;
-			}
-
-			if (_dns_server_request_update_cache(request, DNS_T_AAAA, cache_data) != 0) {
-				goto errout;
-			}
-		}
+		dns_cache_set_data_addr(cache_data, request->server_flags, cname, cname_ttl, request->ipv6_addr, DNS_T_AAAA);
 
 		request->has_soa = 0;
+	} else if (request->has_soa) {
+		dns_cache_set_data_soa(cache_data, request->server_flags, cname, cname_ttl);
+	}
+
+	if (_dns_server_has_bind_flag(request, BIND_FLAG_NO_CACHE) != 0) {
+		if (_dns_server_request_update_cache(request, DNS_T_AAAA, cache_data) != 0) {
+			goto errout;
+		}
+		cache_data = NULL;
+	} else {
+		dns_cache_data_free(cache_data);
+		cache_data = NULL;
 	}
 
 	if (request->has_ipv4 && (request->ping_ttl_v4 > 0)) {
@@ -838,15 +891,17 @@ static int _dns_server_request_complete_AAAA(struct dns_request *request)
 			request->ping_ttl_v6 < 0) {
 			tlog(TLOG_DEBUG, "Force IPV4 perfered.");
 			if (_dns_server_has_bind_flag(request, BIND_FLAG_NO_CACHE) != 0) {
-				cache_data =
-					dns_cache_new_data_addr(request->server_flags, cname, cname_ttl, request->ipv4_addr, DNS_T_A);
+				cache_data = dns_cache_new_data();
 				if (cache_data == NULL) {
 					goto errout;
 				}
 
+				dns_cache_set_data_addr(cache_data, request->server_flags, cname, cname_ttl, request->ipv4_addr,
+										DNS_T_A);
 				if (_dns_server_request_update_cache(request, DNS_T_A, cache_data) != 0) {
 					goto errout;
 				}
+				cache_data = NULL;
 			}
 
 			if (request->dualstack_selection) {
@@ -866,7 +921,7 @@ static int _dns_server_request_complete_AAAA(struct dns_request *request)
 	return 0;
 
 errout:
-	if (cache_data == NULL) {
+	if (cache_data != NULL) {
 		dns_cache_data_free(cache_data);
 		cache_data = NULL;
 	}
@@ -882,11 +937,6 @@ static int _dns_server_request_complete(struct dns_request *request)
 		return 0;
 	}
 
-	/* if passthrouth, return */
-	if (request->passthrough) {
-		return 0;
-	}
-
 	if (request->qtype == DNS_T_A) {
 		if (_dns_server_request_complete_A(request) != 0) {
 			tlog(TLOG_ERROR, "complete DNS A failed.");
@@ -1008,6 +1058,9 @@ static void _dns_server_select_possible_ipaddress(struct dns_request *request)
 static void _dns_server_delete_request(struct dns_request *request)
 {
 	if (request->conn) {
+		if (atomic_read(&request->notified) == 0) {
+			_dns_server_request_complete(request);
+		}
 		_dns_server_conn_release(request->conn);
 	}
 	pthread_mutex_destroy(&request->ip_map_lock);
@@ -1613,6 +1666,7 @@ static int _dns_server_passthrough_rule_check(struct dns_request *request, char
 	int j = 0;
 	struct dns_rrs *rrs = NULL;
 	int ip_check_result = 0;
+	int is_result_strict = 0;
 
 	if (packet->head.rcode != DNS_RC_NOERROR && packet->head.rcode != DNS_RC_NXDOMAIN) {
 		if (request->rcode == DNS_RC_SERVFAIL) {
@@ -1626,6 +1680,10 @@ static int _dns_server_passthrough_rule_check(struct dns_request *request, char
 	for (j = 1; j < DNS_RRS_END; j++) {
 		rrs = dns_get_rrs_start(packet, j, &rr_count);
 		for (i = 0; i < rr_count && rrs; i++, rrs = dns_get_rrs_next(packet, rrs)) {
+			if (rrs->type == request->qtype || rrs->type == DNS_T_SOA) {
+				is_result_strict = 1;
+			}
+
 			switch (rrs->type) {
 			case DNS_T_A: {
 				unsigned char addr[4];
@@ -1686,6 +1744,10 @@ static int _dns_server_passthrough_rule_check(struct dns_request *request, char
 		}
 	}
 
+	if (is_result_strict == 0) {
+		return 0;
+	}
+
 	return -1;
 }
 
@@ -1741,7 +1803,7 @@ static int _dns_server_get_answer(struct dns_request *request, struct dns_packet
 				dns_get_CNAME(rrs, name, DNS_MAX_CNAME_LEN, &ttl, cname, DNS_MAX_CNAME_LEN);
 				tlog(TLOG_DEBUG, "name:%s ttl: %d cname: %s\n", name, ttl, cname);
 				safe_strncpy(request->cname, cname, DNS_MAX_CNAME_LEN);
-				request->ttl_cname = ttl;
+				request->ttl_cname = _dns_server_get_conf_ttl(ttl);
 				request->has_cname = 1;
 			} break;
 			case DNS_T_SOA: {
@@ -1775,7 +1837,7 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
 	int i = 0;
 	int j = 0;
 	struct dns_rrs *rrs = NULL;
-	struct dns_ipset_rule *ipset_rule = NULL;
+	struct dns_ipset_rule *rule = NULL, *ipset_rule = NULL, *ipset_rule_v4 = NULL, *ipset_rule_v6 = NULL;
 	struct dns_rule_flags *rule_flags = NULL;
 
 	if (_dns_server_has_bind_flag(request, BIND_FLAG_NO_RULE_IPSET) == 0) {
@@ -1783,14 +1845,17 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
 	}
 	/* check ipset rule */
 	rule_flags = request->domain_rule.rules[DOMAIN_RULE_FLAGS];
-	if (rule_flags) {
-		if (rule_flags->flags & DOMAIN_FLAG_IPSET_IGNORE) {
-			return 0;
-		}
+	if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IGN) == 0) {
+		ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
+	}
+	if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IPV4_IGN) == 0) {
+		ipset_rule_v4 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV4];
+	}
+	if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IPV6_IGN) == 0) {
+		ipset_rule_v6 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV6];
 	}
 
-	ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
-	if (ipset_rule == NULL) {
+	if (!(ipset_rule || ipset_rule_v4 || ipset_rule_v6)) {
 		return 0;
 	}
 
@@ -1809,11 +1874,14 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
 				/* get A result */
 				dns_get_A(rrs, name, DNS_MAX_CNAME_LEN, &ttl, addr);
 
-				/* add IPV4 to ipset */
-				ipset_add(ipset_rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+				rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
 
-				tlog(TLOG_DEBUG, "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: %d.%d.%d.%d", request->domain,
-					 ipset_rule->ipsetname, addr[0], addr[1], addr[2], addr[3]);
+				if (rule) {
+					/* add IPV4 to ipset */
+					ipset_add(rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+					tlog(TLOG_DEBUG, "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: %d.%d.%d.%d", request->domain,
+						 rule->ipsetname, addr[0], addr[1], addr[2], addr[3]);
+				}
 			} break;
 			case DNS_T_AAAA: {
 				unsigned char addr[16];
@@ -1826,16 +1894,25 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
 				/* add IPV6 to ipset */
 				if (request->has_ipv6) {
 					if (request->has_ipv4) {
-						ipset_add(ipset_rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+						rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
+						if (rule) {
+							/* add IPV4 to ipset */
+							ipset_add(rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
+							tlog(TLOG_DEBUG, "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: %d.%d.%d.%d",
+								 request->domain, rule->ipsetname, addr[0], addr[1], addr[2], addr[3]);
+						}
+					}
+					rule = ipset_rule_v6 ? ipset_rule_v6 : ipset_rule;
+					if (rule) {
+						ipset_add(rule->ipsetname, addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
+						tlog(TLOG_DEBUG,
+							 "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: "
+							 "%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x",
+							 request->domain, rule->ipsetname, addr[0], addr[1], addr[2], addr[3], addr[4], addr[5],
+							 addr[6], addr[7], addr[8], addr[9], addr[10], addr[11], addr[12], addr[13], addr[14],
+							 addr[15]);
 					}
-					ipset_add(ipset_rule->ipsetname, addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
 				}
-
-				tlog(TLOG_DEBUG,
-					 "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: "
-					 "%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x",
-					 request->domain, ipset_rule->ipsetname, addr[0], addr[1], addr[2], addr[3], addr[4], addr[5],
-					 addr[6], addr[7], addr[8], addr[9], addr[10], addr[11], addr[12], addr[13], addr[14], addr[15]);
 			} break;
 			default:
 				break;
@@ -1860,13 +1937,13 @@ static int _dns_server_reply_passthrouth(struct dns_request *request, struct dns
 		_dns_result_callback(request);
 	}
 
-	if (request->conn == NULL) {
-		return 0;
-	}
+	_dns_server_audit_log(request);
 
-	/* When passthrough, modify the id to be the id of the client request. */
-	dns_server_update_reply_packet_id(request, inpacket, inpacket_len);
-	ret = _dns_reply_inpacket(request, inpacket, inpacket_len);
+	if (request->conn) {
+		/* When passthrough, modify the id to be the id of the client request. */
+		dns_server_update_reply_packet_id(request, inpacket, inpacket_len);
+		ret = _dns_reply_inpacket(request, inpacket, inpacket_len);
+	}
 
 	if (packet->head.rcode != DNS_RC_NOERROR && packet->head.rcode != DNS_RC_NXDOMAIN) {
 		return ret;
@@ -2062,10 +2139,18 @@ static void _dns_server_update_rule_by_flags(struct dns_request *request)
 		request->domain_rule.rules[DOMAIN_RULE_ADDRESS_IPV6] = NULL;
 	}
 
-	if (flags & DOMAIN_FLAG_IPSET_IGNORE) {
+	if (flags & DOMAIN_FLAG_IPSET_IGN) {
 		request->domain_rule.rules[DOMAIN_RULE_IPSET] = NULL;
 	}
 
+	if (flags & DOMAIN_FLAG_IPSET_IPV4_IGN) {
+		request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV4] = NULL;
+	}
+
+	if (flags & DOMAIN_FLAG_IPSET_IPV6_IGN) {
+		request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV6] = NULL;
+	}
+
 	if (flags & DOMAIN_FLAG_NAMESERVER_IGNORE) {
 		request->domain_rule.rules[DOMAIN_RULE_NAMESERVER] = NULL;
 	}
@@ -2251,6 +2336,25 @@ errout:
 	return -1;
 }
 
+static int _dns_server_qtype_soa(struct dns_request *request)
+{
+	struct dns_qtype_soa_list *soa_list = NULL;
+
+	uint32_t key = hash_32_generic(request->qtype, 32);
+	hash_for_each_possible(dns_qtype_soa_table.qtype, soa_list, node, key)
+	{
+		if (request->qtype != soa_list->qtypeid) {
+			continue;
+		}
+
+		_dns_server_reply_SOA(DNS_RC_NOERROR, request);
+		tlog(TLOG_DEBUG, "force qtype %d soa", request->qtype);
+		return 0;
+	}
+
+	return -1;
+}
+
 static void _dns_server_process_speed_check_rule(struct dns_request *request)
 {
 	struct dns_domain_check_order *check_order = NULL;
@@ -2274,6 +2378,16 @@ static int _dns_server_get_expired_ttl_reply(struct dns_cache *dns_cache)
 	return dns_conf_serve_expired_reply_ttl;
 }
 
+static int _dns_server_get_expired_cname_ttl_reply(struct dns_cache *dns_cache)
+{
+	int ttl = dns_cache_get_cname_ttl(dns_cache);
+	if (ttl > 0) {
+		return ttl;
+	}
+
+	return _dns_server_get_expired_ttl_reply(dns_cache);
+}
+
 static int _dns_server_process_cache_addr(struct dns_request *request, struct dns_cache *dns_cache)
 {
 	struct dns_cache_addr *cache_addr = (struct dns_cache_addr *)dns_cache_get_data(dns_cache);
@@ -2301,7 +2415,7 @@ static int _dns_server_process_cache_addr(struct dns_request *request, struct dn
 	if (cache_addr->addr_data.cname[0] != 0) {
 		safe_strncpy(request->cname, cache_addr->addr_data.cname, DNS_MAX_CNAME_LEN);
 		request->has_cname = 1;
-		request->ttl_cname = cache_addr->addr_data.cname_ttl;
+		request->ttl_cname = _dns_server_get_expired_cname_ttl_reply(dns_cache);
 	}
 
 	request->rcode = DNS_RC_NOERROR;
@@ -2333,15 +2447,17 @@ static int _dns_server_process_cache_packet(struct dns_request *request, struct
 		return 0;
 	}
 
+	unsigned char packet_buff[DNS_PACKSIZE];
+	struct dns_packet *packet = (struct dns_packet *)packet_buff;
+
+	if (dns_decode(packet, DNS_PACKSIZE, cache_packet->data, cache_packet->head.size) != 0) {
+		goto errout;
+	}
+
+	_dns_server_get_answer(request, packet);
+
+	_dns_server_audit_log(request);
 	if (request->result_callback) {
-		unsigned char packet_buff[DNS_PACKSIZE];
-		struct dns_packet *packet = (struct dns_packet *)packet_buff;
-
-		if (dns_decode(packet, DNS_PACKSIZE, cache_packet->data, cache_packet->head.size) != 0) {
-			goto errout;
-		}
-
-		_dns_server_get_answer(request, packet);
 		_dns_result_callback(request);
 	}
 
@@ -2400,7 +2516,7 @@ static int _dns_server_process_cache(struct dns_request *request)
 	if (dns_cache == NULL) {
 		if (request->dualstack_selection && request->qtype == DNS_T_AAAA) {
 			dns_cache_A = dns_cache_lookup(request->domain, DNS_T_A);
-			if (dns_cache_A) {
+			if (dns_cache_A && dns_cache_is_soa(dns_cache_A) == 0 && dns_cache_is_soa(dns_cache)) {
 				tlog(TLOG_DEBUG, "No IPV6 Found, Force IPV4 perfered.");
 				if (dns_cache_get_ttl(dns_cache_A) == 0) {
 					uint32_t server_flags = request->server_flags;
@@ -2420,9 +2536,14 @@ static int _dns_server_process_cache(struct dns_request *request)
 		goto out;
 	}
 
+	if (dns_cache_is_soa(dns_cache)) {
+		ret = _dns_server_reply_SOA(DNS_RC_NOERROR, request);
+		goto out;
+	}
+
 	if (request->dualstack_selection && request->qtype == DNS_T_AAAA) {
 		dns_cache_A = dns_cache_lookup(request->domain, DNS_T_A);
-		if (dns_cache_A && (dns_cache_A->info.speed > 0)) {
+		if (dns_cache_A && dns_cache_is_soa(dns_cache_A) == 0 && (dns_cache_A->info.speed > 0)) {
 			if ((dns_cache_A->info.speed + (dns_conf_dualstack_ip_selection_threshold * 10)) < dns_cache->info.speed ||
 				dns_cache->info.speed < 0) {
 				tlog(TLOG_DEBUG, "Force IPV4 perfered.");
@@ -2591,6 +2712,8 @@ static int _dns_server_do_query(struct dns_request *request, const char *domain,
 		group_name = dns_group;
 	}
 
+	_dns_server_set_dualstack_selection(request);
+
 	if (_dns_server_process_special_query(request) == 0) {
 		goto clean_exit;
 	}
@@ -2605,6 +2728,11 @@ static int _dns_server_do_query(struct dns_request *request, const char *domain,
 		goto clean_exit;
 	}
 
+	/* process qtype soa */
+	if (_dns_server_qtype_soa(request) == 0) {
+		goto clean_exit;
+	}
+
 	/* process speed check rule */
 	_dns_server_process_speed_check_rule(request);
 
@@ -2717,7 +2845,6 @@ static int _dns_server_recv(struct dns_server_conn_head *conn, unsigned char *in
 	_dns_server_request_set_client(request, conn);
 	_dns_server_request_set_client_addr(request, from, from_len);
 	_dns_server_request_set_id(request, packet->head.id);
-	_dns_server_set_dualstack_selection(request);
 	ret = _dns_server_do_query(request, domain, qtype);
 	if (ret != 0) {
 		tlog(TLOG_ERROR, "do query %s failed.\n", domain);

src/fast_ping.c

@@ -365,7 +365,12 @@ static void _fast_ping_close_host_sock(struct ping_host_struct *ping_host)
 
 static void _fast_ping_host_put(struct ping_host_struct *ping_host)
 {
-	if (!atomic_dec_and_test(&ping_host->ref)) {
+	int ref_cnt = atomic_dec_and_test(&ping_host->ref);
+	if (!ref_cnt) {
+		if (ref_cnt < 0) {
+			tlog(TLOG_ERROR, "invalid refcount of ping_host %s", ping_host->host);
+			abort();
+		}
 		return;
 	}
 
@@ -1081,15 +1086,19 @@ struct ping_host_struct *fast_ping_start(PING_TYPE type, const char *host, int c
 	pthread_mutex_unlock(&ping.map_lock);
 
 	_fast_ping_host_get(ping_host);
+	_fast_ping_host_get(ping_host);
+	// for ping race condition, get reference count twice
 	if (_fast_ping_sendping(ping_host) != 0) {
 		goto errout_remove;
 	}
 
 	ping_host->run = 1;
 	freeaddrinfo(gai);
+	_fast_ping_host_put(ping_host);
 	return ping_host;
 errout_remove:
 	fast_ping_stop(ping_host);
+	_fast_ping_host_put(ping_host);
 	ping_host = NULL;
 errout:
 	if (gai) {

src/smartdns.c

@@ -363,7 +363,7 @@ static void _sig_error_exit(int signo, siginfo_t *siginfo, void *ct)
 		 "%s %s)\n",
 		 signo, siginfo->si_code, siginfo->si_errno, siginfo->si_pid, getpid(), PC, (unsigned long)siginfo->si_addr,
 		 __DATE__, __TIME__, arch);
-
+	print_stack();
 	sleep(1);
 	_exit(0);
 }

src/tlog.c

@@ -10,6 +10,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <libgen.h>
 #include <limits.h>
 #include <pthread.h>
 #include <stdarg.h>
@@ -21,7 +22,6 @@
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/wait.h>
-#include <libgen.h>
 #include <unistd.h>
 
 #ifndef likely
@@ -40,6 +40,8 @@
 #define TLOG_BUFF_LEN (PATH_MAX + TLOG_LOG_NAME_LEN * 3)
 #define TLOG_SUFFIX_GZ ".gz"
 #define TLOG_SUFFIX_LOG ""
+#define TLOG_MAX_LINE_SIZE_SET (1024 * 8)
+#define TLOG_MIN_LINE_SIZE_SET (128)
 
 #define TLOG_SEGMENT_MAGIC 0xFF446154
 
@@ -57,6 +59,9 @@ struct tlog_log {
     char logdir[PATH_MAX];
     char logname[TLOG_LOG_NAME_LEN];
     char suffix[TLOG_LOG_NAME_LEN];
+    char pending_logfile[PATH_MAX];
+    int rename_pending;
+    int fail;
     int logsize;
     int logcount;
     int block;
@@ -66,12 +71,15 @@ struct tlog_log {
     int multi_log;
     int logscreen;
     int segment_log;
- 
+    unsigned int max_line_size;
+
     tlog_output_func output_func;
     void *private_data;
 
     time_t last_try;
     time_t last_waitpid;
+    mode_t file_perm;
+    mode_t archive_perm;
 
     int waiters;
     int is_exit;
@@ -97,13 +105,13 @@ struct tlog_segment_log_head {
     struct tlog_loginfo info;
     unsigned short len;
     char data[0];
-}  __attribute__((packed));
+} __attribute__((packed));
 
 struct tlog_segment_head {
     unsigned int magic;
     unsigned short len;
     char data[0];
-}  __attribute__((packed));
+} __attribute__((packed));
 
 struct oldest_log {
     char name[TLOG_LOG_NAME_LEN];
@@ -166,8 +174,8 @@ static int _tlog_mkdir(const char *path)
     if (access(path, F_OK) == 0) {
         return 0;
     }
-    
-    while(*path == ' ' && *path != '\0') {
+
+    while (*path == ' ' && *path != '\0') {
         path++;
     }
 
@@ -283,11 +291,37 @@ static int _tlog_gettime(struct tlog_time *cur_time)
     return 0;
 }
 
+void tlog_set_maxline_size(struct tlog_log *log, int size)
+{
+    if (log == NULL) {
+        return;
+    }
+
+    if (size < TLOG_MIN_LINE_SIZE_SET) {
+        size = TLOG_MIN_LINE_SIZE_SET;
+    } else if (size > TLOG_MAX_LINE_SIZE_SET) {
+        size = TLOG_MAX_LINE_SIZE_SET;
+    }
+
+    log->max_line_size = size;
+}
+
+void tlog_set_permission(struct tlog_log *log, unsigned int file, unsigned int archive)
+{
+    log->file_perm = file;
+    log->archive_perm = archive;
+}
+
 int tlog_localtime(struct tlog_time *tm)
 {
     return _tlog_gettime(tm);
 }
 
+tlog_log *tlog_get_root(void)
+{
+    return tlog.root;
+}
+
 void tlog_set_private(tlog_log *log, void *private_data)
 {
     if (log == NULL) {
@@ -311,19 +345,19 @@ static int _tlog_format(char *buff, int maxlen, struct tlog_loginfo *info, void
     int len = 0;
     int total_len = 0;
     struct tlog_time *tm = &info->time;
-    void* unused __attribute__ ((unused));
+    void *unused __attribute__((unused));
 
     unused = userptr;
 
     if (tlog.root->multi_log) {
         /* format prefix */
-        len = snprintf(buff, maxlen, "[%.4d-%.2d-%.2d %.2d:%.2d:%.2d,%.3d][%5d][%4s][%17s:%-4d] ", 
-            tm->year, tm->mon, tm->mday, tm->hour, tm->min, tm->sec, tm->usec / 1000, getpid(), 
+        len = snprintf(buff, maxlen, "[%.4d-%.2d-%.2d %.2d:%.2d:%.2d,%.3d][%5d][%4s][%17s:%-4d] ",
+            tm->year, tm->mon, tm->mday, tm->hour, tm->min, tm->sec, tm->usec / 1000, getpid(),
             tlog_get_level_string(info->level), info->file, info->line);
     } else {
         /* format prefix */
-        len = snprintf(buff, maxlen, "[%.4d-%.2d-%.2d %.2d:%.2d:%.2d,%.3d][%5s][%17s:%-4d] ", 
-            tm->year, tm->mon, tm->mday, tm->hour, tm->min, tm->sec, tm->usec / 1000, 
+        len = snprintf(buff, maxlen, "[%.4d-%.2d-%.2d %.2d:%.2d:%.2d,%.3d][%5s][%17s:%-4d] ",
+            tm->year, tm->mon, tm->mday, tm->hour, tm->min, tm->sec, tm->usec / 1000,
             tlog_get_level_string(info->level), info->file, info->line);
     }
 
@@ -359,7 +393,7 @@ static int _tlog_root_log_buffer(char *buff, int maxlen, void *userptr, const ch
     }
 
     if (tlog.root->segment_log) {
-        log_head = (struct tlog_segment_log_head *) buff;
+        log_head = (struct tlog_segment_log_head *)buff;
         len += sizeof(*log_head);
         memcpy(&log_head->info, &info_inter->info, sizeof(log_head->info));
     }
@@ -400,7 +434,7 @@ static int _tlog_print_buffer(char *buff, int maxlen, void *userptr, const char
 {
     int len;
     int total_len = 0;
-    void* unused __attribute__ ((unused));
+    void *unused __attribute__((unused));
 
     unused = userptr;
 
@@ -438,7 +472,7 @@ static int _tlog_need_drop(struct tlog_log *log)
     }
 
     /* if free buffer length is less than min line length */
-    if (maxlen < TLOG_MAX_LINE_LEN) {
+    if (maxlen < log->max_line_size) {
         log->dropped++;
         ret = 0;
     }
@@ -450,14 +484,14 @@ static int _tlog_vprintf(struct tlog_log *log, vprint_callback print_callback, v
 {
     int len;
     int maxlen = 0;
-    char buff[TLOG_MAX_LINE_LEN];
-
     struct tlog_segment_head *segment_head = NULL;
 
     if (log == NULL || format == NULL) {
         return -1;
     }
 
+    char buff[log->max_line_size];
+
     if (log->buff == NULL) {
         return -1;
     }
@@ -469,7 +503,7 @@ static int _tlog_vprintf(struct tlog_log *log, vprint_callback print_callback, v
     len = print_callback(buff, sizeof(buff), userptr, format, ap);
     if (len <= 0) {
         return -1;
-    } else if (len >= TLOG_MAX_LINE_LEN) {
+    } else if (len >= log->max_line_size) {
         strncpy(buff, "[LOG TOO LONG, DISCARD]\n", sizeof(buff));
         buff[sizeof(buff) - 1] = '\0';
         len = strnlen(buff, sizeof(buff));
@@ -490,7 +524,7 @@ static int _tlog_vprintf(struct tlog_log *log, vprint_callback print_callback, v
         }
 
         /* if free buffer length is less than min line length */
-        if (maxlen < TLOG_MAX_LINE_LEN) {
+        if (maxlen < log->max_line_size) {
             if (log->end != log->start) {
                 tlog.notify_log = log;
                 pthread_cond_signal(&tlog.cond);
@@ -502,7 +536,7 @@ static int _tlog_vprintf(struct tlog_log *log, vprint_callback print_callback, v
                 pthread_mutex_unlock(&tlog.lock);
                 return -1;
             }
-            
+
             pthread_mutex_unlock(&tlog.lock);
             pthread_mutex_lock(&log->lock);
             log->waiters++;
@@ -516,7 +550,7 @@ static int _tlog_vprintf(struct tlog_log *log, vprint_callback print_callback, v
 
             pthread_mutex_lock(&tlog.lock);
         }
-    } while (maxlen < TLOG_MAX_LINE_LEN);
+    } while (maxlen < log->max_line_size);
 
     if (log->segment_log) {
         segment_head = (struct tlog_segment_head *)(log->buff + log->end);
@@ -532,7 +566,7 @@ static int _tlog_vprintf(struct tlog_log *log, vprint_callback print_callback, v
     }
 
     /* if remain buffer is not enough for a line, move end to start of buffer. */
-    if (log->end > log->buffsize - TLOG_MAX_LINE_LEN) {
+    if (log->end > log->buffsize - log->max_line_size) {
         log->ext_end = log->end;
         log->end = 0;
     }
@@ -562,12 +596,12 @@ int tlog_printf(struct tlog_log *log, const char *format, ...)
     return len;
 }
 
-static int _tlog_early_print(const char *format, va_list ap) 
+static int _tlog_early_print(const char *format, va_list ap)
 {
     char log_buf[TLOG_MAX_LINE_LEN];
     size_t len = 0;
     size_t out_len = 0;
-    int unused __attribute__ ((unused));
+    int unused __attribute__((unused));
 
     if (tlog_disable_early_print) {
         return 0;
@@ -643,13 +677,13 @@ static int _tlog_rename_logfile(struct tlog_log *log, const char *log_file)
         return -1;
     }
 
-    snprintf(archive_file, sizeof(archive_file), "%s/%s-%.4d%.2d%.2d-%.2d%.2d%.2d%s", 
+    snprintf(archive_file, sizeof(archive_file), "%s/%s-%.4d%.2d%.2d-%.2d%.2d%.2d%s",
         log->logdir, log->logname, logtime.year, logtime.mon, logtime.mday,
         logtime.hour, logtime.min, logtime.sec, log->suffix);
 
     while (access(archive_file, F_OK) == 0) {
         i++;
-        snprintf(archive_file, sizeof(archive_file), "%s/%s-%.4d%.2d%.2d-%.2d%.2d%.2d-%d%s", 
+        snprintf(archive_file, sizeof(archive_file), "%s/%s-%.4d%.2d%.2d-%.2d%.2d%.2d-%d%s",
             log->logdir, log->logname, logtime.year, logtime.mon,
             logtime.mday, logtime.hour, logtime.min, logtime.sec, i, log->suffix);
     }
@@ -658,6 +692,8 @@ static int _tlog_rename_logfile(struct tlog_log *log, const char *log_file)
         return -1;
     }
 
+    chmod(archive_file, log->archive_perm);
+
     return 0;
 }
 
@@ -666,7 +702,7 @@ static int _tlog_list_dir(const char *path, list_callback callback, void *userpt
     DIR *dir = NULL;
     struct dirent *ent;
     int ret = 0;
-    const char* unused __attribute__ ((unused)) = path;
+    const char *unused __attribute__((unused)) = path;
 
     dir = opendir(path);
     if (dir == NULL) {
@@ -699,7 +735,7 @@ static int _tlog_count_log_callback(const char *path, struct dirent *entry, void
     struct count_log *count_log = (struct count_log *)userptr;
     struct tlog_log *log = count_log->log;
     char logname[TLOG_LOG_NAME_LEN * 2];
-    const char* unused __attribute__ ((unused)) = path;
+    const char *unused __attribute__((unused)) = path;
 
     if (strstr(entry->d_name, log->suffix) == NULL) {
         return 0;
@@ -1023,16 +1059,41 @@ static int _tlog_archive_log(struct tlog_log *log)
     }
 }
 
+void _tlog_get_log_name_dir(struct tlog_log *log)
+{
+    char log_file[PATH_MAX];
+    if (log->fd > 0) {
+        close(log->fd);
+        log->fd = -1;
+    }
+
+    pthread_mutex_lock(&tlog.lock);
+    strncpy(log_file, log->pending_logfile, sizeof(log_file) - 1);
+    log_file[sizeof(log_file) - 1] = '\0';
+    strncpy(log->logdir, dirname(log_file), sizeof(log->logdir));
+    log->logdir[sizeof(log->logdir) - 1] = '\0';
+    strncpy(log_file, log->pending_logfile, PATH_MAX);
+    log_file[sizeof(log_file) - 1] = '\0';
+    strncpy(log->logname, basename(log_file), sizeof(log->logname));
+    log->logname[sizeof(log->logname) - 1] = '\0';
+    pthread_mutex_unlock(&tlog.lock);
+}
+
 static int _tlog_write(struct tlog_log *log, const char *buff, int bufflen)
 {
     int len;
-    int unused __attribute__ ((unused));
+    int unused __attribute__((unused));
 
-    if (bufflen <= 0) {
+    if (bufflen <= 0 || log->fail) {
         return 0;
     }
 
-     /* output log to screen */
+    if (log->rename_pending) {
+        _tlog_get_log_name_dir(log);
+        log->rename_pending = 0;
+    }
+
+    /* output log to screen */
     if (log->logscreen) {
         unused = write(STDOUT_FILENO, buff, bufflen);
     }
@@ -1072,7 +1133,7 @@ static int _tlog_write(struct tlog_log *log, const char *buff, int bufflen)
         }
         snprintf(logfile, sizeof(logfile), "%s/%s", log->logdir, log->logname);
         log->filesize = 0;
-        log->fd = open(logfile, O_APPEND | O_CREAT | O_WRONLY | O_CLOEXEC, 0640);
+        log->fd = open(logfile, O_APPEND | O_CREAT | O_WRONLY | O_CLOEXEC, log->file_perm);
         if (log->fd < 0) {
             if (print_errmsg == 0) {
                 return -1;
@@ -1131,7 +1192,6 @@ static int _tlog_any_has_data_locked(void)
     return 0;
 }
 
-
 static int _tlog_any_has_data(void)
 {
     int ret = 0;
@@ -1162,7 +1222,7 @@ static int _tlog_wait_pids(void)
             continue;
         }
 
-        last_log           = next;
+        last_log = next;
         next->last_waitpid = now;
         pthread_mutex_unlock(&tlog.lock);
         _tlog_wait_pid(next, 0);
@@ -1263,7 +1323,6 @@ static void _tlog_wakeup_waiters(struct tlog_log *log)
     pthread_mutex_unlock(&log->lock);
 }
 
-
 static void _tlog_write_one_segment_log(struct tlog_log *log, char *buff, int bufflen)
 {
     struct tlog_segment_head *segment_head = NULL;
@@ -1336,6 +1395,35 @@ static int _tlog_root_write_log(struct tlog_log *log, const char *buff, int buff
     return tlog.output_func(&empty_info.info, buff, bufflen, tlog_get_private(log));
 }
 
+static void tlog_wait_zip_fini(void)
+{
+    tlog_log *next;
+    if (tlog.root == NULL) {
+        return;
+    }
+
+    int wait_zip = 1;
+    int time_out = 0;
+    while (wait_zip) {
+        wait_zip = 0;
+        time_out++;
+        next = tlog.log;
+        while (next) {
+            if (next->zip_pid > 0 && wait_zip == 0) {
+                wait_zip = 1;
+                usleep(1000);
+            }
+
+            if (kill(next->zip_pid, 0) != 0 || time_out >= 5000) {
+                next->zip_pid = -1;
+            }
+            next = next->next;
+        }
+    }
+
+    return;
+}
+
 static void *_tlog_work(void *arg)
 {
     int log_len = 0;
@@ -1345,10 +1433,13 @@ static void *_tlog_work(void *arg)
     int log_dropped = 0;
     struct tlog_log *log = NULL;
     struct tlog_log *loop_log = NULL;
-    void* unused __attribute__ ((unused));
+    void *unused __attribute__((unused));
 
     unused = arg;
-    
+
+    // for child process
+    tlog_wait_zip_fini();
+
     while (1) {
         log_len = 0;
         log_extlen = 0;
@@ -1430,7 +1521,7 @@ static void *_tlog_work(void *arg)
 
 void tlog_set_early_printf(int enable)
 {
-    tlog_disable_early_print = (enable == 0) ? 1 : 0;    
+    tlog_disable_early_print = (enable == 0) ? 1 : 0;
 }
 
 const char *tlog_get_level_string(tlog_level level)
@@ -1518,10 +1609,14 @@ tlog_level tlog_getlevel(void)
     return tlog_set_level;
 }
 
+void tlog_set_logfile(const char *logfile)
+{
+    tlog_rename_logfile(tlog.root, logfile);
+}
+
 tlog_log *tlog_open(const char *logfile, int maxlogsize, int maxlogcount, int buffsize, unsigned int flag)
 {
     struct tlog_log *log = NULL;
-    char log_file[PATH_MAX];
 
     if (tlog.run == 0) {
         fprintf(stderr, "tlog is not initialized.");
@@ -1546,22 +1641,19 @@ tlog_log *tlog_open(const char *logfile, int maxlogsize, int maxlogcount, int bu
     log->filesize = 0;
     log->zip_pid = -1;
     log->is_exit = 0;
+    log->fail = 0;
     log->waiters = 0;
     log->block = ((flag & TLOG_NONBLOCK) == 0) ? 1 : 0;
     log->nocompress = ((flag & TLOG_NOCOMPRESS) == 0) ? 0 : 1;
     log->logscreen = ((flag & TLOG_SCREEN) == 0) ? 0 : 1;
     log->multi_log = ((flag & TLOG_MULTI_WRITE) == 0) ? 0 : 1;
     log->segment_log = ((flag & TLOG_SEGMENT) == 0) ? 0 : 1;
+    log->max_line_size = TLOG_MAX_LINE_LEN;
     log->output_func = _tlog_write;
+    log->file_perm = S_IRUSR | S_IWUSR | S_IRGRP;
+    log->archive_perm = S_IRUSR | S_IRGRP;
 
-    strncpy(log_file, logfile, sizeof(log_file) - 1);
-    log_file[sizeof(log_file) - 1] = '\0';
-    strncpy(log->logdir, dirname(log_file), sizeof(log->logdir));
-    log->logdir[sizeof(log->logdir) - 1] = '\0';
-    strncpy(log_file, logfile, PATH_MAX);
-    log_file[sizeof(log_file) - 1] = '\0';
-    strncpy(log->logname, basename(log_file), sizeof(log->logname));
-    log->logname[sizeof(log->logname) - 1] = '\0';
+    tlog_rename_logfile(log, logfile);
     if (log->nocompress) {
         strncpy(log->suffix, TLOG_SUFFIX_LOG, sizeof(log->suffix));
     } else {
@@ -1605,6 +1697,74 @@ void tlog_close(tlog_log *log)
     log->is_exit = 1;
 }
 
+void tlog_rename_logfile(struct tlog_log *log, const char *logfile)
+{
+    pthread_mutex_lock(&tlog.lock);
+    strncpy(log->pending_logfile, logfile, sizeof(log->pending_logfile) - 1);
+    pthread_mutex_unlock(&tlog.lock);
+    log->rename_pending = 1;
+}
+
+static void tlog_fork_prepare(void)
+{
+    if (tlog.root == NULL) {
+        return;
+    }
+
+    pthread_mutex_lock(&tlog.lock);
+    tlog_log *next;
+    next = tlog.log;
+    while (next) {
+        next->multi_log = 1;
+        next = next->next;
+    }
+}
+
+static void tlog_fork_parent(void)
+{
+    if (tlog.root == NULL) {
+        return;
+    }
+
+    pthread_mutex_unlock(&tlog.lock);
+}
+
+static void tlog_fork_child(void)
+{
+    pthread_attr_t attr;
+    tlog_log *next;
+    if (tlog.root == NULL) {
+        return;
+    }
+
+    next = tlog.log;
+    while (next) {
+        next->start = 0;
+        next->end = 0;
+        next->ext_end = 0;
+        next->dropped = 0;
+        next->filesize = 0;
+        next = next->next;
+    }
+
+    pthread_attr_init(&attr);
+    int ret = pthread_create(&tlog.tid, &attr, _tlog_work, NULL);
+    if (ret != 0) {
+        fprintf(stderr, "create tlog work thread failed, %s\n", strerror(errno));
+        goto errout;
+    }
+
+    goto out;
+errout:
+    next = tlog.log;
+    while (next) {
+        next->fail = 1;
+        next = next->next;
+    }
+out:
+    pthread_mutex_unlock(&tlog.lock);
+}
+
 int tlog_init(const char *logfile, int maxlogsize, int maxlogcount, int buffsize, unsigned int flag)
 {
     pthread_attr_t attr;
@@ -1616,7 +1776,7 @@ int tlog_init(const char *logfile, int maxlogsize, int maxlogcount, int buffsize
         return -1;
     }
 
-    if (buffsize > 0 && buffsize < TLOG_MAX_LINE_LEN * 2) {
+    if (buffsize > 0 && buffsize < TLOG_MAX_LINE_SIZE_SET * 2) {
         fprintf(stderr, "buffer size is invalid.\n");
         return -1;
     }
@@ -1645,6 +1805,9 @@ int tlog_init(const char *logfile, int maxlogsize, int maxlogcount, int buffsize
     }
 
     tlog.root = log;
+    if (flag & TLOG_SUPPORT_FORK) {
+        pthread_atfork(&tlog_fork_prepare, &tlog_fork_parent, &tlog_fork_child);
+    }
     return 0;
 errout:
     if (tlog.tid > 0) {

src/tlog.h

@@ -1,19 +1,20 @@
 /*
  * tinylog
- * Copyright (C) 2018-2020 Ruilin Peng (Nick) <pymumu@gmail.com>
+ * Copyright (C) 2018-2021 Ruilin Peng (Nick) <pymumu@gmail.com>
  * https://github.com/pymumu/tinylog
  */
 
 #ifndef TLOG_H
 #define TLOG_H
 #include <stdarg.h>
+#include <sys/stat.h>
 
 #ifdef __cplusplus
-#include <string>
+#include <functional>
+#include <iostream>
 #include <memory>
 #include <sstream>
-#include <iostream>
-#include <functional>
+#include <string>
 extern "C" {
 #endif /*__cplusplus */
 
@@ -60,6 +61,9 @@ struct tlog_time {
 /* enable log to screen */
 #define TLOG_SCREEN (1 << 4)
 
+/* enable suppport fork process */
+#define TLOG_SUPPORT_FORK (1 << 5)
+
 struct tlog_loginfo {
     tlog_level level;
     const char *file;
@@ -74,12 +78,14 @@ level: Current log Levels
 format: Log formats
 */
 #ifndef BASE_FILE_NAME
-#define BASE_FILE_NAME __FILE__
+#define BASE_FILE_NAME                                                     \
+  (__builtin_strrchr(__FILE__, '/') ? __builtin_strrchr(__FILE__, '/') + 1 \
+                                    : __FILE__)
 #endif
 #define tlog(level, format, ...) tlog_ext(level, BASE_FILE_NAME, __LINE__, __func__, NULL, format, ##__VA_ARGS__)
 
 extern int tlog_ext(tlog_level level, const char *file, int line, const char *func, void *userptr, const char *format, ...)
-    __attribute__((format(printf, 6, 7))) __attribute__((nonnull (6)));
+    __attribute__((format(printf, 6, 7))) __attribute__((nonnull(6)));
 extern int tlog_vext(tlog_level level, const char *file, int line, const char *func, void *userptr, const char *format, va_list ap);
 
 /* write buff to log file */
@@ -91,6 +97,9 @@ extern int tlog_setlevel(tlog_level level);
 /* get log level */
 extern tlog_level tlog_getlevel(void);
 
+/* set log file */
+extern void tlog_set_logfile(const char *logfile);
+
 /* enalbe log to screen */
 extern void tlog_setlogscreen(int enable);
 
@@ -132,6 +141,10 @@ extern int tlog_reg_log_output_func(tlog_log_output_func output, void *private_d
 
 struct tlog_log;
 typedef struct tlog_log tlog_log;
+
+/* get root log handler */
+extern tlog_log *tlog_get_root(void);
+
 /*
 Function: open a new log stream, handler should close by tlog_close
 logfile: log file.
@@ -149,12 +162,15 @@ extern int tlog_write(struct tlog_log *log, const char *buff, int bufflen);
 /* close log stream */
 extern void tlog_close(tlog_log *log);
 
+/* change log file */
+extern void tlog_rename_logfile(struct tlog_log *log, const char *logfile);
+
 /*
 Function: Print log to log stream
 log: log stream
 format: Log formats
 */
-extern int tlog_printf(tlog_log *log, const char *format, ...) __attribute__((format(printf, 2, 3))) __attribute__((nonnull (1, 2)));
+extern int tlog_printf(tlog_log *log, const char *format, ...) __attribute__((format(printf, 2, 3))) __attribute__((nonnull(1, 2)));
 
 /*
 Function: Print log to log stream with ap
@@ -180,49 +196,78 @@ extern void *tlog_get_private(tlog_log *log);
 /* get local time */
 extern int tlog_localtime(struct tlog_time *tm);
 
+/* set max line size */
+extern void tlog_set_maxline_size(struct tlog_log *log, int size);
+
+/*
+Function: set log file and archive permission
+log: log stream
+file: log file permission, default is 640
+archive: archive file permission, default is 440
+*/
+
+extern void tlog_set_permission(struct  tlog_log *log, mode_t file, mode_t archive);
+
 #ifdef __cplusplus
 class Tlog {
-    using Stream = std::ostringstream;
-    using Buffer = std::unique_ptr<Stream, std::function<void(Stream*)>>;
 public:
-    Tlog(){}
-    ~Tlog(){}
-
-    static Tlog &Instance() {
-        static Tlog logger;
-        return logger;
+    Tlog(tlog_level level, const char *file, int line, const char *func, void *userptr)
+    {
+        level_ = level;
+        file_ = file;
+        line_ = line;
+        func_ = func;
+        userptr_ = userptr;
     }
 
-    Buffer LogStream(tlog_level level, const char *file, int line, const char *func, void *userptr) {
-        return Buffer(new Stream, [=](Stream *st) {
-            tlog_ext(level, file, line, func, userptr, "%s", st->str().c_str());
-            delete st;
-        });
+    ~Tlog()
+    {
+        tlog_ext(level_, file_, line_, func_, userptr_, "%s", msg_.str().c_str());
     }
+
+    std::ostream &Stream()
+    {
+        return msg_;
+    }
+
+private:
+    tlog_level level_;
+    const char *file_;
+    int line_;
+    const char *func_;
+    void *userptr_;
+    std::ostringstream msg_;
 };
 
 class TlogOut {
-    using Stream = std::ostringstream;
-    using Buffer = std::unique_ptr<Stream, std::function<void(Stream*)>>;
 public:
-    TlogOut(){}
-    ~TlogOut(){}
-
-    static TlogOut &Instance() {
-        static TlogOut logger;
-        return logger;
+    TlogOut(tlog_log *log)
+    {
+        log_ = log;
     }
 
-    Buffer Out(tlog_log *log) {
-        return Buffer(new Stream, [=](Stream *st) {
-            tlog_printf(log, "%s", st->str().c_str());
-            delete st;
-        });
+    ~TlogOut()
+    {
+        if (log_ == nullptr) {
+            return;
+        }
+
+        tlog_printf(log_, "%s", msg_.str().c_str());
     }
+
+    std::ostream &Stream()
+    {
+        return msg_;
+    }
+
+private:
+    tlog_log *log_;
+    std::ostringstream msg_;
 };
 
-#define Tlog_logger (Tlog::Instance())
-#define Tlog_stream(level) if (tlog_getlevel() <= level) *Tlog_logger.LogStream(level, BASE_FILE_NAME, __LINE__, __func__, NULL) 
+#define Tlog_stream(level)        \
+    if (tlog_getlevel() <= level) \
+    Tlog(level, BASE_FILE_NAME, __LINE__, __func__, NULL).Stream()
 #define tlog_debug Tlog_stream(TLOG_DEBUG)
 #define tlog_info Tlog_stream(TLOG_INFO)
 #define tlog_notice Tlog_stream(TLOG_NOTICE)
@@ -230,8 +275,7 @@ public:
 #define tlog_error Tlog_stream(TLOG_ERROR)
 #define tlog_fatal Tlog_stream(TLOG_FATAL)
 
-#define Tlog_out_logger (TlogOut::Instance())
-#define tlog_out(stream)  (*Tlog_out_logger.Out(stream))
+#define tlog_out(stream) TlogOut(stream).Stream()
 
 } /*__cplusplus */
 #else
@@ -241,5 +285,5 @@ public:
 #define tlog_warn(...) tlog(TLOG_WARN, ##__VA_ARGS__)
 #define tlog_error(...) tlog(TLOG_ERROR, ##__VA_ARGS__)
 #define tlog_fatal(...) tlog(TLOG_FATAL, ##__VA_ARGS__)
-#endif 
+#endif
 #endif // !TLOG_H

src/util.c

@@ -21,11 +21,14 @@
 #endif
 #include "util.h"
 #include "dns_conf.h"
+#include "tlog.h"
 #include <arpa/inet.h>
+#include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <inttypes.h>
 #include <linux/capability.h>
+#include <linux/limits.h>
 #include <linux/netlink.h>
 #include <netinet/tcp.h>
 #include <openssl/crypto.h>
@@ -39,6 +42,7 @@
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
+#include <unwind.h>
 
 #define TMP_BUFF_LEN_32 32
 
@@ -514,6 +518,7 @@ static int _ipset_operate(const char *ipsetname, const unsigned char addr[], int
 	ssize_t rc;
 	int af = 0;
 	static const struct sockaddr_nl snl = {.nl_family = AF_NETLINK};
+	uint32_t expire;
 
 	if (addr_len != IPV4_ADDR_LEN && addr_len != IPV6_ADDR_LEN) {
 		errno = EINVAL;
@@ -568,8 +573,8 @@ static int _ipset_operate(const char *ipsetname, const unsigned char addr[], int
 	nested[1]->len = (void *)buffer + NETLINK_ALIGN(netlink_head->nlmsg_len) - (void *)nested[1];
 
 	if (timeout > 0 && _ipset_support_timeout(ipsetname) == 0) {
-		timeout = htonl(timeout);
-		_ipset_add_attr(netlink_head, IPSET_ATTR_TIMEOUT | NLA_F_NET_BYTEORDER, sizeof(timeout), &timeout);
+		expire = htonl(timeout);
+		_ipset_add_attr(netlink_head, IPSET_ATTR_TIMEOUT | NLA_F_NET_BYTEORDER, sizeof(expire), &expire);
 	}
 
 	nested[0]->len = (void *)buffer + NETLINK_ALIGN(netlink_head->nlmsg_len) - (void *)nested[0];
@@ -604,15 +609,22 @@ int ipset_del(const char *ipsetname, const unsigned char addr[], int addr_len)
 
 unsigned char *SSL_SHA256(const unsigned char *d, size_t n, unsigned char *md)
 {
-	SHA256_CTX c;
 	static unsigned char m[SHA256_DIGEST_LENGTH];
 
 	if (md == NULL)
 		md = m;
-	SHA256_Init(&c);
-	SHA256_Update(&c, d, n);
-	SHA256_Final(md, &c);
-	OPENSSL_cleanse(&c, sizeof(c));
+
+	EVP_MD_CTX* ctx = EVP_MD_CTX_create();
+	if (ctx == NULL) {
+		return NULL;
+	}
+
+	EVP_MD_CTX_init(ctx);
+	EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+	EVP_DigestUpdate(ctx, d, n);
+	EVP_DigestFinal_ex(ctx, m, NULL);
+	EVP_MD_CTX_destroy(ctx);
+
 	return (md);
 }
 
@@ -733,7 +745,11 @@ void SSL_CRYPTO_thread_setup(void)
 		pthread_mutex_init(&(lock_cs[i]), NULL);
 	}
 
+#if OPENSSL_API_COMPAT < 0x10000000
 	CRYPTO_set_id_callback(_pthreads_thread_id);
+#else
+	CRYPTO_THREADID_set_callback(_pthreads_thread_id);
+#endif
 	CRYPTO_set_locking_callback(_pthreads_locking_callback);
 }
 
@@ -936,7 +952,7 @@ void get_compiled_time(struct tm *tm)
 	int hour, min, sec;
 	static const char *month_names = "JanFebMarAprMayJunJulAugSepOctNovDec";
 
-	sscanf(__DATE__, "%5s %d %d", s_month, &day, &year);
+	sscanf(__DATE__, "%4s %d %d", s_month, &day, &year);
 	month = (strstr(month_names, s_month) - month_names) / 3;
 	sscanf(__TIME__, "%d:%d:%d", &hour, &min, &sec);
 	tm->tm_year = year - 1900;
@@ -1009,3 +1025,50 @@ uint64_t get_free_space(const char *path)
 
 	return size;
 }
+
+struct backtrace_state {
+	void **current;
+	void **end;
+};
+
+static _Unwind_Reason_Code unwind_callback(struct _Unwind_Context *context, void *arg)
+{
+	struct backtrace_state *state = (struct backtrace_state *)(arg);
+	uintptr_t pc = _Unwind_GetIP(context);
+	if (pc) {
+		if (state->current == state->end) {
+			return _URC_END_OF_STACK;
+		} else {
+			*state->current++ = (void *)(pc);
+		}
+	}
+	return _URC_NO_REASON;
+}
+
+void print_stack(void)
+{
+	const size_t max_buffer = 30;
+	void *buffer[max_buffer];
+
+	struct backtrace_state state = {buffer, buffer + max_buffer};
+	_Unwind_Backtrace(unwind_callback, &state);
+	int frame_num = state.current - buffer;
+	if (frame_num == 0) {
+		return;
+	}
+	
+	tlog(TLOG_FATAL, "Stack:");
+	for (int idx = 0; idx < frame_num; ++idx) {
+		const void *addr = buffer[idx];
+		const char *symbol = "";
+
+		Dl_info info;
+		memset(&info, 0, sizeof(info));
+		if (dladdr(addr, &info) && info.dli_sname) {
+			symbol = info.dli_sname;
+		}
+
+		void *offset = (void *)((char *)(addr) - (char *)(info.dli_fbase));
+		tlog(TLOG_FATAL, "#%.2d: %p %s from %s+%p", idx + 1, addr, symbol, info.dli_fname, offset);
+	}
+}

src/util.h

@@ -108,6 +108,8 @@ int set_sock_lingertime(int fd, int time);
 
 uint64_t get_free_space(const char *path);
 
+void print_stack(void);
+
 #ifdef __cplusplus
 }
 #endif /*__cplusplus */

systemd/smartdns.service.in

@@ -1,9 +1,8 @@
 [Unit]
-Description=smartdns server
+Description=SmartDNS Server
 After=network.target 
 StartLimitBurst=0
 StartLimitIntervalSec=60
-TimeoutStopSec=5
 
 [Service]
 Type=forking
@@ -13,6 +12,7 @@ ExecStart=@SBINDIR@/smartdns -p @RUNSTATEDIR@/smartdns.pid $SMART_DNS_OPTS
 KillMode=process
 Restart=always
 RestartSec=2
+TimeoutStopSec=5
 
 [Install]
 WantedBy=multi-user.target