--- gvpe/src/vpn_dns.C	2005/03/15 19:23:33	1.33
+++ gvpe/src/vpn_dns.C	2011/10/18 10:54:17	1.53
@@ -1,24 +1,38 @@
 /*
     vpn_dns.C -- handle the dns tunnel part of the protocol.
-    Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de>
+    Copyright (C) 2003-2011 Marc Lehmann <gvpe@schmorp.de>
  
     This file is part of GVPE.
 
-    GVPE is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
- 
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
- 
-    You should have received a copy of the GNU General Public License
-    along with gvpe; if not, write to the Free Software
-    Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+    GVPE is free software; you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by the
+    Free Software Foundation; either version 3 of the License, or (at your
+    option) any later version.
+   
+    This program is distributed in the hope that it will be useful, but
+    WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+    Public License for more details.
+   
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, see <http://www.gnu.org/licenses/>.
+   
+    Additional permission under GNU GPL version 3 section 7
+   
+    If you modify this Program, or any covered work, by linking or
+    combining it with the OpenSSL project's OpenSSL library (or a modified
+    version of that library), containing parts covered by the terms of the
+    OpenSSL or SSLeay licenses, the licensors of this Program grant you
+    additional permission to convey the resulting work.  Corresponding
+    Source for a non-source form of such a combination shall include the
+    source code for the parts of OpenSSL used as well as that of the
+    covered work.
 */
 
+// TODO: EDNS0 option to increase dns mtu?
+// TODO: re-write dns packet parsing/creation using a safe mem-buffer
+//       to ensure no buffer overflows or similar problems.
+
 #include "config.h"
 
 #if ENABLE_DNS
@@ -40,29 +54,25 @@
 
 #include <map>
 
+#include <cstdio> /* bug in libgmp: gmp.h relies on cstdio being included */
 #include <gmp.h>
 
 #include "netcompat.h"
 
 #include "vpn.h"
 
-#define MAX_POLL_INTERVAL 5.  // how often to poll minimally when the server has no data
-#define ACTIVITY_INTERVAL 5.
-
-#define TIMEOUT_FACTOR 8.
+#define MIN_POLL_INTERVAL 0.025 // poll at most this often when no data received
+#define MAX_POLL_INTERVAL 1.  // how often to poll minimally when the server has no data
 
 #define INITIAL_TIMEOUT     0.1 // retry timeouts
-#define INITIAL_SYN_TIMEOUT 10. // retry timeout for initial syn
+#define INITIAL_SYN_TIMEOUT 2. // retry timeout for initial syn
 
-#define MIN_SEND_INTERVAL 0.001 // wait at least this time between sending requests
-#define MAX_SEND_INTERVAL 2. // optimistic?
+#define MAX_SEND_INTERVAL 5. // optimistic?
 
-#define LATENCY_FACTOR   0.5 // RTT * LATENCY_FACTOR == sending rate
-#define MAX_OUTSTANDING  100 // max. outstanding requests
 #define MAX_WINDOW      1000 // max. for MAX_OUTSTANDING, and backlog
-#define MAX_BACKLOG     (32*1024) // size of gvpe protocol backlog (bytes), must be > MAXSIZE
+#define MAX_BACKLOG     (64*1024) // size of gvpe protocol backlog (bytes), must be > MAXSIZE
 
-#define MAX_DOMAIN_SIZE 220 // 255 is legal limit, but bind doesn't compress well
+#define MAX_DOMAIN_SIZE 235 // 255 is legal limit, but bind doesn't compress well
 // 240 leaves about 4 bytes of server reply data
 // every request byte less give room for two reply bytes
 
@@ -75,6 +85,7 @@
 #define RR_TYPE_A     1
 #define RR_TYPE_NULL 10
 #define RR_TYPE_TXT  16
+#define RR_TYPE_AAAA 28
 #define RR_TYPE_ANY 255
 
 #define RR_CLASS_IN   1
@@ -82,9 +93,23 @@
 #define CMD_IP_1   207
 #define CMD_IP_2    46
 #define CMD_IP_3   236
-#define CMD_IP_RST  29
-#define CMD_IP_SYN 113
-#define CMD_IP_REJ  32
+
+#define CMD_IP_RST  29 // some error, reset and retry
+#define CMD_IP_REJ  32 // do not want you
+#define CMD_IP_SYN 113 // connection established
+#define CMD_IP_CSE 213 // connection established, but likely case mismatch
+
+static bool
+is_uc (char c)
+{
+  return 'A' <= c && c <= 'Z';
+}
+
+static bool
+is_lc (char c)
+{
+  return 'a' <= c && c <= 'z';
+}
 
 // works for cmaps up to 255 (not 256!)
 struct charmap
@@ -108,8 +133,14 @@
 
   for (size = 0; cmap [size]; size++)
     {
-      enc [size] = cmap [size];
-      dec [(u8)enc [size]] = size;
+      char c = cmap [size];
+
+      enc [size] = c;
+      dec [(u8)c] = size;
+
+      // allow lowercase/uppercase aliases if possible
+      if (is_uc (c) && dec [c + ('a' - 'A')] == INVALID) dec [c + ('a' - 'A')] = size;
+      if (is_lc (c) && dec [c - ('a' - 'A')] == INVALID) dec [c - ('a' - 'A')] = size;
     }
 
   assert (size < 256);
@@ -126,11 +157,11 @@
   unsigned int enc_len [MAX_DEC_LEN];
   unsigned int dec_len [MAX_ENC_LEN];
 
-  unsigned int encode_len (unsigned int len);
-  unsigned int decode_len (unsigned int len);
+  unsigned int encode_len (unsigned int len) const;
+  unsigned int decode_len (unsigned int len) const;
 
-  unsigned int encode (char *dst, u8 *src, unsigned int len);
-  unsigned int decode (u8 *dst, char *src, unsigned int len);
+  unsigned int encode (char *dst, u8 *src, unsigned int len) const;
+  unsigned int decode (u8 *dst, char *src, unsigned int len) const;
 
   basecoder (const char *cmap);
 };
@@ -159,12 +190,14 @@
     }
 }
 
-unsigned int basecoder::encode_len (unsigned int len)
+unsigned int
+basecoder::encode_len (unsigned int len) const
 {
   return enc_len [len];
 }
 
-unsigned int basecoder::decode_len (unsigned int len)
+unsigned int
+basecoder::decode_len (unsigned int len) const
 {
   while (len && !dec_len [len])
     --len;
@@ -172,7 +205,8 @@
   return dec_len [len];
 }
 
-unsigned int basecoder::encode (char *dst, u8 *src, unsigned int len)
+unsigned int
+basecoder::encode (char *dst, u8 *src, unsigned int len) const
 {
   if (!len || len > MAX_DEC_LEN)
     return 0;
@@ -201,7 +235,8 @@
   return elen;
 }
 
-unsigned int basecoder::decode (u8 *dst, char *src, unsigned int len)
+unsigned int
+basecoder::decode (u8 *dst, char *src, unsigned int len) const
 {
   if (!len || len > MAX_ENC_LEN)
     return 0;
@@ -260,39 +295,39 @@
 }
 #endif
 
-//static basecoder cdc64 ("_dDpPhHzZrR06QqMmjJkKBb34TtSsvVlL81xXaAeEFf92WwGgYyoO57UucCNniI-");
-//static basecoder cdc63 ("_dDpPhHzZrR06QqMmjJkKBb34TtSsvVlL81xXaAeEFf92WwGgYyoO57UucCNniI");
-static basecoder cdc62 ("dDpPhHzZrR06QqMmjJkKBb34TtSsvVlL81xXaAeEFf92WwGgYyoO57UucCNniI");
-//static basecoder cdc36 ("dphzr06qmjkb34tsvl81xaef92wgyo57ucni"); // unused as of yet
-static basecoder cdc26 ("dPhZrQmJkBtSvLxAeFwGyO");
+static basecoder cdc62 ("dDpPhHzZrR06QqMmjJkKBb34TtSsvVlL81xXaAeEFf92WwGgYyoO57UucCNniI"); // a-zA-Z0-9
+static basecoder cdc36 ("dPhZr06QmJkB34tSvL81xAeF92wGyO57uCnI"); // a-z0-9 for case-changers
+static basecoder cdc26 ("dPhZrQmJkBtSvLxAeFwGyOuCnI"); // a-z
 
 /////////////////////////////////////////////////////////////////////////////
 
-#define HDRSIZE 6
+#define HDRSIZE 5
  
-inline void encode_header (char *data, int clientid, int seqno, int retry = 0)
+inline void
+encode_header (char *data, int clientid, int seqno, int retry = 0)
 {
+  assert (clientid < 256);
+
   seqno &= SEQNO_MASK;
 
   u8 hdr[3] = {
-    clientid,
-    (seqno >> 8) | (retry << 6),
     seqno,
+    (seqno >> 8) | (retry << 6),
+    clientid,
   };
 
-  assert (clientid < 256);
-
-  cdc26.encode (data, hdr, 3);
+  cdc36.encode (data, hdr, 3);
 }
 
-inline void decode_header (char *data, int &clientid, int &seqno)
+inline void
+decode_header (char *data, int &clientid, int &seqno)
 {
   u8 hdr[3];
 
-  cdc26.decode (hdr, data, HDRSIZE);
+  cdc36.decode (hdr, data, HDRSIZE);
 
-  clientid = hdr[0];
-  seqno = ((hdr[1] << 8) | hdr[2]) & SEQNO_MASK;
+  clientid = hdr[2];
+  seqno = ((hdr[1] << 8) | hdr[0]) & SEQNO_MASK;
 }
 
 /////////////////////////////////////////////////////////////////////////////
@@ -328,7 +363,8 @@
   delete data;
 }
 
-void byte_stream::remove (int count)
+void
+byte_stream::remove (int count)
 {
   if (count > fill)
     assert (count <= fill);
@@ -336,7 +372,8 @@
   memmove (data, data + count, fill -= count);
 }
 
-bool byte_stream::put (u8 *data, unsigned int datalen)
+bool
+byte_stream::put (u8 *data, unsigned int datalen)
 {
   if (maxsize - fill < datalen)
     return false;
@@ -346,7 +383,8 @@
   return true;
 }
 
-bool byte_stream::put (vpn_packet *pkt)
+bool
+byte_stream::put (vpn_packet *pkt)
 {
   if (maxsize - fill < pkt->len + 2)
     return false;
@@ -412,66 +450,93 @@
 {
   static int next_uid;
 
-  u8 id1, id2, id3, id4;
+  u8 chksum;
+  u8 rrtype;
+  u16 uid; // to make request unique
 
   u8 version;
   u8 flags;
-  u8 rrtype;
-  u8 def_ttl;
+  u16 max_size;
 
-  u16 client;
-  u16 uid; // to make request unique
+  u8 id1, id2, id3, id4;
 
-  u16 max_size;
-  u8 seq_cdc;
-  u8 req_cdc;
+  u16 client;
+  u8 def_ttl;
+  u8 r0;
 
-  u8 rep_cdc;
-  u8 delay; // time in 0.01s units that the server may delay replying packets
-  u8 r3, r4;
+  u8 syn_cdc; // cdc en/decoder for syn (A?) requests
+  u8 hdr_cdc; // cdc en/decoder for regular request headers
+  u8 req_cdc; // cdc en/decoder for regular (ANY?) request data
+  u8 rep_cdc; // cdc en/decoder for regular (TXT) replies, 0 == 8 bit encoding
 
-  u8 r5, r6, r7, r8;
+  u8 r1, r2, r3, r4;
 
   void reset (int clientid);
   bool valid ();
+  u8 get_chksum ();
 };
 
 int dns_cfg::next_uid;
 
-void dns_cfg::reset (int clientid)
+void
+dns_cfg::reset (int clientid)
 {
+  // this ID must result in some mixed-case characters in cdc26-encoding
   id1 = 'G';
   id2 = 'V';
   id3 = 'P';
   id4 = 'E';
 
-  version  = 1;
+  version  = 2;
 
   rrtype   = RR_TYPE_TXT;
   flags    = 0;
   def_ttl  = 0;
-  seq_cdc  = 26;
-  req_cdc  = 62;
+  syn_cdc  = 26;
+  hdr_cdc  = 36;
+  req_cdc  = conf.dns_case_preserving ? 62 : 36;
   rep_cdc  = 0;
   max_size = htons (MAX_PKT_SIZE);
   client   = htons (clientid);
-  uid      = next_uid++;
-  delay    = 0;
+  uid      = ++next_uid;
+
+  r0 = r1 = r2 = r3 = r4 = 0;
 
-  r3 = r4 = 0;
-  r4 = r5 = r6 = r7 = 0;
+  chksum = get_chksum ();
 }
 
-bool dns_cfg::valid ()
+// simple but not trivial chksum
+u8
+dns_cfg::get_chksum ()
 {
+  unsigned int sum = 0xff00; // only 16 bits required
+
+  u8 old_chksum = chksum;
+  chksum = 0;
+
+  for (unsigned int i = 0; i < sizeof (*this); ++i)
+    sum += ((u8 *)this)[i] * (i + 1);
+
+  chksum = old_chksum;
+
+  return sum + (sum >> 8);
+}
+
+bool
+dns_cfg::valid ()
+{
+  // although the protocol itself allows for some configurability,
+  // only the following encoding/decoding settings are implemented.
   return id1 == 'G'
       && id2 == 'V'
       && id3 == 'P'
       && id4 == 'E'
-      && seq_cdc == 26
-      && req_cdc == 62
+      && version == 2
+      && syn_cdc == 26
+      && hdr_cdc == 36
+      && (req_cdc == 36 || req_cdc == 62)
       && rep_cdc == 0
-      && version == 1;
+      && chksum == get_chksum ();
 }
 
 struct dns_packet : net_packet
@@ -485,7 +550,8 @@
   int decode_label (char *data, int size, int &offs);
 };
 
-int dns_packet::decode_label (char *data, int size, int &offs)
+int
+dns_packet::decode_label (char *data, int size, int &offs)
 {
   char *orig = data;
 
@@ -521,10 +587,12 @@
 
 /////////////////////////////////////////////////////////////////////////////
 
-static u16 dns_id = 0; // TODO: should be per-vpn
-
-static u16 next_id ()
+static
+u16 next_id ()
 {
+  static u16 dns_id = 0; // TODO: should be per-vpn
+
+#if 1
   if (!dns_id)
     dns_id = time (0);
 
@@ -536,6 +604,11 @@
                ^ (dns_id >> 15)) & 1);
 
   return dns_id;
+#else
+  dns_id++;//D
+
+  return htons (dns_id);
+#endif
 }
 
 struct dns_rcv;
@@ -549,6 +622,7 @@
   dns_cfg cfg;
 
   bool established;
+  const basecoder *cdc;
 
   tstamp last_received;
   tstamp last_sent;
@@ -560,9 +634,12 @@
   byte_stream rcvdq; int rcvseq; int repseq;
   byte_stream snddq; int sndseq;
 
-  void time_cb (time_watcher &w); time_watcher tw;
+  inline void time_cb (ev::timer &w, int revents); ev::timer tw;
   void receive_rep (dns_rcv *r);
 
+  void reset (); // quite like tcp RST
+  void set_cfg (); // to be called after any cfg changes
+
   dns_connection (connection *c);
   ~dns_connection ();
 };
@@ -589,7 +666,7 @@
   timeout = 0;
   retry = 0;
   seqno = 0;
-  sent = NOW;
+  sent = ev_now ();
   stdhdr = false;
 
   pkt = new dns_packet;
@@ -602,7 +679,8 @@
   delete pkt;
 }
 
-static void append_domain (dns_packet &pkt, int &offs, const char *domain)
+static void
+append_domain (dns_packet &pkt, int &offs, const char *domain)
 {
   // add tunnel domain
   for (;;)
@@ -625,12 +703,13 @@
     }
 }
 
-void dns_snd::gen_stream_req (int seqno, byte_stream &stream)
+void
+dns_snd::gen_stream_req (int seqno, byte_stream &stream)
 {
   stdhdr = true;
   this->seqno = seqno;
 
-  timeout = NOW + INITIAL_TIMEOUT;
+  timeout = ev_now () + INITIAL_TIMEOUT;
 
   pkt->flags = htons (DEFAULT_CLIENT_FLAGS);
   pkt->qdcount = htons (1);
@@ -643,12 +722,12 @@
   char enc[256], *encp = enc;
   encode_header (enc, THISNODE->id, seqno);
 
-  int datalen = cdc62.decode_len (dlen - (dlen + MAX_LBL_SIZE - 1) / MAX_LBL_SIZE - HDRSIZE);
+  int datalen = dns->cdc->decode_len (dlen - (dlen + MAX_LBL_SIZE - 1) / MAX_LBL_SIZE - HDRSIZE);
 
   if (datalen > stream.size ())
     datalen = stream.size ();
 
-  int enclen = cdc62.encode (enc + HDRSIZE, stream.begin (), datalen) + HDRSIZE;
+  int enclen = dns->cdc->encode (enc + HDRSIZE, stream.begin (), datalen) + HDRSIZE;
   stream.remove (datalen);
 
   while (enclen)
@@ -673,9 +752,10 @@
   pkt->len = offs;
 }
 
-void dns_snd::gen_syn_req ()
+void
+dns_snd::gen_syn_req ()
 {
-  timeout = NOW + INITIAL_SYN_TIMEOUT;
+  timeout = ev_now () + INITIAL_SYN_TIMEOUT;
 
   pkt->flags = htons (DEFAULT_CLIENT_FLAGS);
   pkt->qdcount = htons (1);
@@ -725,44 +805,58 @@
 : c (c)
 , rcvdq (MAX_BACKLOG * 2)
 , snddq (MAX_BACKLOG)
-, tw (this, &dns_connection::time_cb)
 {
+  tw.set<dns_connection, &dns_connection::time_cb> (this);
+
   vpn = c->vpn;
 
+  reset ();
+}
+
+dns_connection::~dns_connection ()
+{
+  reset ();
+}
+
+void
+dns_connection::reset ()
+{
+  while (!rcvpq.empty ())
+    {
+      delete rcvpq.back ();
+      rcvpq.pop_back ();
+    }
+
+  for (int i = vpn->dns_sndpq.size (); i--; )
+    if (vpn->dns_sndpq [i]->dns == this)
+      {
+        vpn->dns_sndpq [i] = vpn->dns_sndpq.back ();
+        vpn->dns_sndpq.pop_back ();
+      }
+
   established = false;
 
   rcvseq = repseq = sndseq = 0;
 
-  last_sent = last_received = 0;
+  last_sent = 0;
   poll_interval = 0.5; // starting here
   send_interval = 0.5; // starting rate
   min_latency = INITIAL_TIMEOUT;
 }
 
-dns_connection::~dns_connection ()
+void
+dns_connection::set_cfg ()
 {
-  for (vector<dns_rcv *>::iterator i = rcvpq.begin ();
-       i != rcvpq.end ();
-       ++i)
-    delete *i;
+  cdc = cfg.req_cdc == 36 ? &cdc36 : &cdc62;
 }
 
-void dns_connection::receive_rep (dns_rcv *r)
+void
+dns_connection::receive_rep (dns_rcv *r)
 {
   if (r->datalen)
-    {
-      last_received = NOW;
-      tw.trigger ();
-      
-      poll_interval = send_interval;
-    }
+    poll_interval = max (poll_interval * (1. / 1.2), MIN_POLL_INTERVAL);
   else
-    {
-      poll_interval *= 1.5;
-
-      if (poll_interval > MAX_POLL_INTERVAL)
-        poll_interval = MAX_POLL_INTERVAL;
-    }
+    poll_interval = min (poll_interval * 1.1, MAX_POLL_INTERVAL);
 
   rcvpq.push_back (r);
 
@@ -772,6 +866,7 @@
   for (vector<dns_rcv *>::iterator i = rcvpq.end (); i-- != rcvpq.begin (); )
     if (SEQNO_EQ (rcvseq, (*i)->seqno))
       {
+        //printf ("seqno eq %x %x\n", rcvseq, (*i)->seqno);//D
         // enter the packet into our input stream
         r = *i;
 
@@ -779,6 +874,7 @@
         for (vector<dns_rcv *>::iterator j = rcvpq.begin (); j != rcvpq.end (); ++j)
           if (SEQNO_EQ ((*j)->seqno, rcvseq - MAX_WINDOW))
             {
+              //printf ("seqno RR %x %x\n", (*j)->seqno, rcvseq - MAX_WINDOW);//D
               delete *j;
               rcvpq.erase (j);
               break;
@@ -788,8 +884,10 @@
 
         if (!rcvdq.put (r->data, r->datalen))
           {
-            slog (L_ERR, "DNS: !rcvdq.put (r->data, r->datalen)");
-            abort (); // MUST never overflow, can be caused by data corruption, TODO
+            // MUST never overflow, can be caused by data corruption, TODO
+            slog (L_CRIT, "DNS: !rcvdq.put (r->data, r->datalen)");
+            reset ();
+            return;
           }
 
         while (vpn_packet *pkt = rcvdq.get ())
@@ -798,7 +896,6 @@
             si.host = htonl (c->conf->id); si.port = 0; si.prot = PROT_DNSv4;
 
             vpn->recv_vpn_packet (pkt, si);
-
             delete pkt;
           }
 
@@ -851,9 +948,6 @@
               int client, seqno;
               decode_header (qname, client, seqno);
 
-              u8 data[MAXSIZE];
-              int datalen = cdc62.decode (data, qname + HDRSIZE, qlen - (dlen + 1 + HDRSIZE));
-
               if (0 < client && client <= conns.size ())
                 {
                   connection *c = conns [client - 1];
@@ -862,6 +956,9 @@
 
                   if (dns)
                     {
+                      u8 data[MAXSIZE];
+                      int datalen = dns->cdc->decode (data, qname + HDRSIZE, qlen - (dlen + 1 + HDRSIZE));
+
                       for (vector<dns_rcv *>::iterator i = dns->rcvpq.end (); i-- != dns->rcvpq.begin (); )
                         if (SEQNO_EQ ((*i)->seqno, seqno))
                           {
@@ -972,8 +1069,6 @@
               pkt [offs++] = 0; pkt [offs++] = cfg.def_ttl; // TTL
               pkt [offs++] = 0; pkt [offs++] = 4; // rdlength
 
-              slog (L_INFO, _("DNS: client %d connects"), client);
-
               pkt [offs++] = CMD_IP_1; pkt [offs++] = CMD_IP_2; pkt [offs++] = CMD_IP_3;
               pkt [offs++] = CMD_IP_REJ;
 
@@ -983,11 +1078,20 @@
 
                   if (cfg.valid ())
                     {
-                      pkt [offs - 1] = CMD_IP_SYN;
+                      slog (L_INFO, _("DNS: client %d connects (version %d, req_cdc %d)"), client, cfg.version, cfg.req_cdc);
+
+                      // check for any encoding mismatches - hints at a case problem
+                      char qname2 [MAX_ENC_LEN];
+                      cdc26.encode (qname2, (u8 *)&cfg, sizeof (dns_cfg));
 
                       delete c->dns;
+
+                      pkt [offs - 1] = memcmp (qname, qname2, cdc26.encode_len (sizeof (dns_cfg)))
+                                       ? CMD_IP_CSE : CMD_IP_SYN;
+
                       c->dns = new dns_connection (c);
                       c->dns->cfg = cfg;
+                      c->dns->set_cfg ();
                     }
                 }
             }
@@ -1016,6 +1120,7 @@
         connection *c = dns->c;
         int seqno = (*i)->seqno;
         u8 data[MAXSIZE], *datap = data;
+        //printf ("rcv pkt %x\n", seqno);//D
 
         if ((*i)->retry)
           {
@@ -1030,16 +1135,16 @@
 #endif
             // the latency surely puts an upper bound on
             // the minimum send interval
-            double latency = NOW - (*i)->sent;
+            double latency = ev_now () - (*i)->sent;
 
             if (latency < dns->min_latency)
               dns->min_latency = latency;
 
-            if (dns->send_interval > dns->min_latency * LATENCY_FACTOR)
-              dns->send_interval = dns->min_latency * LATENCY_FACTOR;
+            if (dns->send_interval > dns->min_latency * conf.dns_overlap_factor)
+              dns->send_interval = dns->min_latency * conf.dns_overlap_factor;
 
-            if (dns->send_interval < MIN_SEND_INTERVAL)
-              dns->send_interval = MIN_SEND_INTERVAL;
+            if (dns->send_interval < conf.dns_send_interval)
+              dns->send_interval = conf.dns_send_interval;
           }
 
         delete *i;
@@ -1067,7 +1172,7 @@
                     ttl |= pkt [offs++];
                 u16 rdlen = pkt [offs++] << 8; rdlen |= pkt [offs++];
 
-                if (qtype == RR_TYPE_NULL || qtype == RR_TYPE_TXT)
+                if (qtype == RR_TYPE_NULL || qtype == RR_TYPE_TXT || qtype == dns->cfg.rrtype)
                   {
                     if (rdlen <= MAXSIZE - offs)
                       {
@@ -1103,10 +1208,9 @@
 
                         if (ip [3] == CMD_IP_RST)
                           {
-                            slog (L_DEBUG, _("DNS: got tunnel RST request"));
-
-                            delete dns; c->dns = 0;
+                            slog (L_DEBUG, _("DNS: got tunnel RST request."));
 
+                            dns->reset ();
                             return;
                           }
                         else if (ip [3] == CMD_IP_SYN)
@@ -1114,13 +1218,31 @@
                             slog (L_DEBUG, _("DNS: got tunnel SYN reply, server likes us."));
                             dns->established = true;
                           }
+                        else if (ip [3] == CMD_IP_CSE)
+                          {
+                            if (conf.dns_case_preserving)
+                              {
+                                slog (L_INFO, _("DNS: got tunnel CSE reply, globally downgrading to case-insensitive protocol."));
+                                conf.dns_case_preserving = false;
+                                dns->reset ();
+                                return;
+                              }
+                            else
+                              {
+                                slog (L_DEBUG, _("DNS: got tunnel CSE reply, server likes us."));
+                                dns->established = true;
+                              }
+                          }
                         else if (ip [3] == CMD_IP_REJ)
                           {
-                            slog (L_DEBUG, _("DNS: got tunnel REJ reply, server does not like us, aborting."));
-                            abort ();
+                            slog (L_ERR, _("DNS: got tunnel REJ reply, server does not like us."));
+                            dns->tw.start (60.);
                           }
                         else
-                          slog (L_INFO, _("DNS: got unknown meta command %02x"), ip [3]);
+                          {
+                            slog (L_INFO, _("DNS: got unknown meta command %02x"), ip [3]);
+                            dns->tw.start (60.);
+                          }
                       }
                     else
                       slog (L_INFO, _("DNS: got spurious a record %d.%d.%d.%d"),
@@ -1154,9 +1276,9 @@
 }
 
 void
-vpn::dnsv4_ev (io_watcher &w, short revents)
+vpn::dnsv4_ev (ev::io &w, int revents)
 {
-  if (revents & EVENT_READ)
+  if (revents & EV_READ)
     {
       dns_packet *pkt = new dns_packet;
       struct sockaddr_in sa;
@@ -1192,29 +1314,24 @@
     c->dns = new dns_connection (c);
   
   if (c->dns->snddq.put (pkt))
-    c->dns->tw.trigger ();
+    {
+      min_it (c->dns->poll_interval, 0.25);
+      c->dns->tw ();
+    }
 
   // always return true even if the buffer overflows
   return true;
 }
 
 void
-connection::dnsv4_reset_connection ()
-{
-  //delete dns; dns = 0; //TODO
-}
-
-#define NEXT(w) do { if (next > (w)) next = w; } while (0)
-
-void
-dns_connection::time_cb (time_watcher &w)
+dns_connection::time_cb (ev::timer &w, int revents)
 {
   // servers have to be polled
   if (THISNODE->dns_port)
     return;
 
   // check for timeouts and (re)transmit
-  tstamp next = NOW + poll_interval;
+  tstamp next = 86400 * 365;
   dns_snd *send = 0;
   
   for (vector<dns_snd *>::iterator i = vpn->dns_sndpq.begin ();
@@ -1223,27 +1340,24 @@
     {
       dns_snd *r = *i;
 
-      if (r->timeout <= NOW)
+      if (r->timeout <= ev_now ())
         {
           if (!send)
             {
               send = r;
 
               r->retry++;
-              r->timeout = NOW + (r->retry * min_latency * TIMEOUT_FACTOR);
-              printf ("TO %d %f\n", r->retry, r->timeout - NOW);//D
+              r->timeout = ev_now () + r->retry * min_latency * conf.dns_timeout_factor;
+              //printf ("RETRY %x (%d, %f)\n", r->seqno, r->retry, r->timeout - ev_now ());//D
 
               // the following code changes the query section a bit, forcing
               // the forwarder to generate a new request
               if (r->stdhdr)
-                {
-                  //printf ("reencoded header for ID %d retry %d:%d:%d (%p)\n", htons (r->pkt->id), THISNODE->id, r->seqno, r->retry);
-                  //encode_header ((char *)r->pkt->at (6 * 2 + 1), THISNODE->id, r->seqno, r->retry);
-                }
+                encode_header ((char *)r->pkt->at (6 * 2 + 1), THISNODE->id, r->seqno, r->retry);
             }
         }
       else
-        NEXT (r->timeout);
+        min_it (next, r->timeout - ev_now ());
     }
 
   if (!send)
@@ -1257,29 +1371,28 @@
               send = new dns_snd (this);
 
               cfg.reset (THISNODE->id);
+              set_cfg ();
               send->gen_syn_req ();
             }
         }
-      else if (vpn->dns_sndpq.size () < MAX_OUTSTANDING
+      else if (vpn->dns_sndpq.size () < conf.dns_max_outstanding
                && !SEQNO_EQ (rcvseq, sndseq - (MAX_WINDOW - 1)))
         {
-          if (last_sent + send_interval <= NOW)
+          if (last_sent + send_interval <= ev_now ())
             {
               //printf ("sending data request etc.\n"); //D
-              if (!snddq.empty () || last_received + 1. > NOW)
-                {
-                  poll_interval = send_interval;
-                  NEXT (NOW + send_interval);
-                }
+              if (!snddq.empty ())
+                min_it (next, send_interval);
 
               send = new dns_snd (this);
               send->gen_stream_req (sndseq, snddq);
-              send->timeout = NOW + min_latency * TIMEOUT_FACTOR;
+              send->timeout = ev_now () + min_latency * conf.dns_timeout_factor;
+              //printf ("SEND %x (%f)\n", send->seqno, send->timeout - ev_now (), min_latency, conf.dns_timeout_factor);//D
 
               sndseq = (sndseq + 1) & SEQNO_MASK;
             }
           else
-            NEXT (last_sent + send_interval);
+            min_it (next, last_sent + send_interval - ev_now ());
         }
 
       if (send)
@@ -1288,21 +1401,19 @@
 
   if (send)
     {
-      last_sent = NOW;
+      last_sent = ev_now ();
       sendto (vpn->dnsv4_fd,
               send->pkt->at (0), send->pkt->len, 0,
               vpn->dns_forwarder.sav4 (), vpn->dns_forwarder.salenv4 ());
     }
 
+  min_it (next, last_sent + max (poll_interval, send_interval) - ev_now ());
+
   slog (L_NOISE, "DNS: pi %f si %f N %f (%d:%d %d)",
-        poll_interval, send_interval, next - NOW,
+        poll_interval, send_interval, next - ev_now (),
         vpn->dns_sndpq.size (), snddq.size (),
         rcvpq.size ());
 
-  // TODO: no idea when this happens, but when next < NOW, we have a problem
-  if (next < NOW + 0.001)
-    next = NOW + 0.1;
-
   w.start (next);
 }