2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
2014-07-16 00:26:02 +02:00
2014-07-16 20:15:47 +02:00
# include <netinet/tcp.h>
2014-07-18 16:15:12 +02:00
# include "af-list.h"
2015-10-27 03:01:06 +01:00
# include "alloc-util.h"
2015-06-02 20:49:43 +02:00
# include "dns-domain.h"
2015-10-25 13:14:12 +01:00
# include "fd-util.h"
# include "hostname-util.h"
2019-10-31 03:07:23 +01:00
# include "missing_network.h"
2015-10-25 13:14:12 +01:00
# include "random-util.h"
2017-10-04 10:34:39 +02:00
# include "resolved-dnssd.h"
2014-07-16 00:26:02 +02:00
# include "resolved-dns-scope.h"
2017-10-04 09:07:44 +02:00
# include "resolved-dns-zone.h"
2015-10-25 13:14:12 +01:00
# include "resolved-llmnr.h"
2015-07-11 19:17:51 +02:00
# include "resolved-mdns.h"
2015-10-25 13:14:12 +01:00
# include "socket-util.h"
# include "strv.h"
2014-07-16 00:26:02 +02:00
2014-08-05 16:34:45 +02:00
# define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
# define MULTICAST_RATELIMIT_BURST 1000
2015-07-28 02:32:24 +02:00
/* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
# define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
# define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
2014-07-18 16:09:30 +02:00
int dns_scope_new ( Manager * m , DnsScope * * ret , Link * l , DnsProtocol protocol , int family ) {
2014-07-16 00:26:02 +02:00
DnsScope * s ;
assert ( m ) ;
assert ( ret ) ;
2018-12-04 13:31:29 +01:00
s = new ( DnsScope , 1 ) ;
2014-07-16 00:26:02 +02:00
if ( ! s )
return - ENOMEM ;
2018-12-04 13:31:29 +01:00
* s = ( DnsScope ) {
. manager = m ,
. link = l ,
. protocol = protocol ,
. family = family ,
. resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC ,
} ;
2014-07-16 00:26:02 +02:00
2016-01-05 19:57:33 +01:00
if ( protocol = = DNS_PROTOCOL_DNS ) {
/* Copy DNSSEC mode from the link if it is set there,
* otherwise take the manager ' s DNSSEC mode . Note that
* we copy this only at scope creation time , and do
* not update it from the on , even if the setting
* changes . */
2018-05-04 17:31:16 +02:00
if ( l ) {
2016-01-19 21:48:01 +01:00
s - > dnssec_mode = link_get_dnssec_mode ( l ) ;
2018-06-13 20:26:24 +02:00
s - > dns_over_tls_mode = link_get_dns_over_tls_mode ( l ) ;
2018-05-04 17:31:16 +02:00
} else {
2016-01-19 21:48:01 +01:00
s - > dnssec_mode = manager_get_dnssec_mode ( m ) ;
2018-06-13 20:26:24 +02:00
s - > dns_over_tls_mode = manager_get_dns_over_tls_mode ( m ) ;
2018-05-04 17:31:16 +02:00
}
2018-04-27 17:50:38 +02:00
} else {
2016-02-04 01:10:12 +01:00
s - > dnssec_mode = DNSSEC_NO ;
2018-06-13 20:26:24 +02:00
s - > dns_over_tls_mode = DNS_OVER_TLS_NO ;
2018-04-27 17:50:38 +02:00
}
2016-01-05 19:57:33 +01:00
2014-07-16 00:26:02 +02:00
LIST_PREPEND ( scopes , m - > dns_scopes , s ) ;
2014-07-18 12:34:02 +02:00
dns_scope_llmnr_membership ( s , true ) ;
2015-07-11 20:33:58 +02:00
dns_scope_mdns_membership ( s , true ) ;
2014-07-18 12:34:02 +02:00
2019-04-11 07:08:40 +02:00
log_debug ( " New scope on link %s, protocol %s, family %s " , l ? l - > ifname : " * " , dns_protocol_to_string ( protocol ) , family = = AF_UNSPEC ? " * " : af_to_name ( family ) ) ;
2014-07-18 12:34:02 +02:00
2014-08-05 16:34:45 +02:00
/* Enforce ratelimiting for the multicast protocols */
2019-09-19 17:41:20 +02:00
s - > ratelimit = ( RateLimit ) { MULTICAST_RATELIMIT_INTERVAL_USEC , MULTICAST_RATELIMIT_BURST } ;
2014-08-05 16:34:45 +02:00
2014-07-16 00:26:02 +02:00
* ret = s ;
return 0 ;
}
2015-11-25 20:47:27 +01:00
static void dns_scope_abort_transactions ( DnsScope * s ) {
assert ( s ) ;
2014-07-18 12:34:02 +02:00
2015-11-26 23:51:59 +01:00
while ( s - > transactions ) {
DnsTransaction * t = s - > transactions ;
2014-07-22 21:48:41 +02:00
/* Abort the transaction, but make sure it is not
* freed while we still look at it */
2014-07-16 00:26:02 +02:00
2014-07-22 21:48:41 +02:00
t - > block_gc + + ;
2015-12-18 14:26:02 +01:00
if ( DNS_TRANSACTION_IS_LIVE ( t - > state ) )
dns_transaction_complete ( t , DNS_TRANSACTION_ABORTED ) ;
2014-07-22 21:48:41 +02:00
t - > block_gc - - ;
2014-07-16 00:26:02 +02:00
2014-07-31 17:46:40 +02:00
dns_transaction_free ( t ) ;
2014-07-16 00:26:02 +02:00
}
2015-11-25 20:47:27 +01:00
}
DnsScope * dns_scope_free ( DnsScope * s ) {
if ( ! s )
return NULL ;
2019-04-11 07:08:40 +02:00
log_debug ( " Removing scope on link %s, protocol %s, family %s " , s - > link ? s - > link - > ifname : " * " , dns_protocol_to_string ( s - > protocol ) , s - > family = = AF_UNSPEC ? " * " : af_to_name ( s - > family ) ) ;
2015-11-25 20:47:27 +01:00
dns_scope_llmnr_membership ( s , false ) ;
2015-07-11 20:33:58 +02:00
dns_scope_mdns_membership ( s , false ) ;
2015-11-25 20:47:27 +01:00
dns_scope_abort_transactions ( s ) ;
while ( s - > query_candidates )
dns_query_candidate_free ( s - > query_candidates ) ;
2014-07-16 00:26:02 +02:00
2015-11-26 23:51:59 +01:00
hashmap_free ( s - > transactions_by_key ) ;
2015-08-24 23:15:51 +02:00
2017-11-28 12:35:49 +01:00
ordered_hashmap_free_with_destructor ( s - > conflict_queue , dns_resource_record_unref ) ;
2014-08-06 16:15:35 +02:00
sd_event_source_unref ( s - > conflict_event_source ) ;
2016-12-02 14:01:56 +01:00
sd_event_source_unref ( s - > announce_event_source ) ;
2014-07-17 19:38:37 +02:00
dns_cache_flush ( & s - > cache ) ;
2014-07-29 14:24:02 +02:00
dns_zone_flush ( & s - > zone ) ;
2014-07-17 19:38:37 +02:00
2014-07-16 00:26:02 +02:00
LIST_REMOVE ( scopes , s - > manager - > dns_scopes , s ) ;
2016-10-17 00:28:30 +02:00
return mfree ( s ) ;
2014-07-16 00:26:02 +02:00
}
2014-08-01 18:09:07 +02:00
DnsServer * dns_scope_get_dns_server ( DnsScope * s ) {
2014-07-16 00:26:02 +02:00
assert ( s ) ;
2014-07-18 12:34:02 +02:00
if ( s - > protocol ! = DNS_PROTOCOL_DNS )
return NULL ;
2014-07-16 00:26:02 +02:00
if ( s - > link )
return link_get_dns_server ( s - > link ) ;
else
return manager_get_dns_server ( s - > manager ) ;
}
2017-12-08 19:48:15 +01:00
unsigned dns_scope_get_n_dns_servers ( DnsScope * s ) {
unsigned n = 0 ;
DnsServer * i ;
assert ( s ) ;
if ( s - > protocol ! = DNS_PROTOCOL_DNS )
return 0 ;
if ( s - > link )
i = s - > link - > dns_servers ;
else
i = s - > manager - > dns_servers ;
for ( ; i ; i = i - > servers_next )
n + + ;
return n ;
}
2014-07-16 00:26:02 +02:00
void dns_scope_next_dns_server ( DnsScope * s ) {
assert ( s ) ;
2014-07-18 12:34:02 +02:00
if ( s - > protocol ! = DNS_PROTOCOL_DNS )
return ;
2014-07-16 00:26:02 +02:00
if ( s - > link )
link_next_dns_server ( s - > link ) ;
else
manager_next_dns_server ( s - > manager ) ;
}
2015-07-28 02:32:24 +02:00
void dns_scope_packet_received ( DnsScope * s , usec_t rtt ) {
assert ( s ) ;
2015-11-24 17:01:09 +01:00
if ( rtt < = s - > max_rtt )
return ;
s - > max_rtt = rtt ;
s - > resend_timeout = MIN ( MAX ( MULTICAST_RESEND_TIMEOUT_MIN_USEC , s - > max_rtt * 2 ) , MULTICAST_RESEND_TIMEOUT_MAX_USEC ) ;
2015-07-28 02:32:24 +02:00
}
void dns_scope_packet_lost ( DnsScope * s , usec_t usec ) {
assert ( s ) ;
if ( s - > resend_timeout < = usec )
s - > resend_timeout = MIN ( s - > resend_timeout * 2 , MULTICAST_RESEND_TIMEOUT_MAX_USEC ) ;
}
2015-12-26 18:49:32 +01:00
static int dns_scope_emit_one ( DnsScope * s , int fd , DnsPacket * p ) {
2014-07-18 12:34:02 +02:00
union in_addr_union addr ;
int ifindex = 0 , r ;
2014-07-18 16:09:30 +02:00
int family ;
2014-07-18 12:34:02 +02:00
uint32_t mtu ;
2014-07-16 00:26:02 +02:00
assert ( s ) ;
assert ( p ) ;
2014-07-18 12:34:02 +02:00
assert ( p - > protocol = = s - > protocol ) ;
2014-07-16 20:15:47 +02:00
if ( s - > link ) {
2014-07-18 12:34:02 +02:00
mtu = s - > link - > mtu ;
2014-07-16 00:26:02 +02:00
ifindex = s - > link - > ifindex ;
2014-07-18 12:34:02 +02:00
} else
2014-07-17 01:13:22 +02:00
mtu = manager_find_mtu ( s - > manager ) ;
2014-07-16 00:26:02 +02:00
2015-07-11 22:21:26 +02:00
switch ( s - > protocol ) {
2015-12-26 18:49:32 +01:00
2015-07-11 22:21:26 +02:00
case DNS_PROTOCOL_DNS :
2015-12-26 18:49:32 +01:00
assert ( fd > = 0 ) ;
2015-06-23 23:06:09 +02:00
2014-07-29 14:24:02 +02:00
if ( DNS_PACKET_QDCOUNT ( p ) > 1 )
2015-03-13 14:08:00 +01:00
return - EOPNOTSUPP ;
2014-07-29 14:24:02 +02:00
2014-07-18 12:34:02 +02:00
if ( p - > size > DNS_PACKET_UNICAST_SIZE_MAX )
return - EMSGSIZE ;
2015-06-24 21:22:46 +02:00
if ( p - > size + UDP_PACKET_HEADER_SIZE > mtu )
2014-07-18 12:34:02 +02:00
return - EMSGSIZE ;
2015-07-25 05:11:34 +02:00
r = manager_write ( s - > manager , fd , p ) ;
if ( r < 0 )
return r ;
2015-07-11 22:21:26 +02:00
break ;
2014-07-18 12:34:02 +02:00
2015-07-11 22:21:26 +02:00
case DNS_PROTOCOL_LLMNR :
2015-12-26 18:49:32 +01:00
assert ( fd < 0 ) ;
2014-07-18 12:34:02 +02:00
if ( DNS_PACKET_QDCOUNT ( p ) > 1 )
2015-03-13 14:08:00 +01:00
return - EOPNOTSUPP ;
2014-07-18 12:34:02 +02:00
2018-05-11 11:16:52 +02:00
if ( ! ratelimit_below ( & s - > ratelimit ) )
2014-08-05 16:34:45 +02:00
return - EBUSY ;
2014-07-18 12:34:02 +02:00
family = s - > family ;
if ( family = = AF_INET ) {
addr . in = LLMNR_MULTICAST_IPV4_ADDRESS ;
fd = manager_llmnr_ipv4_udp_fd ( s - > manager ) ;
} else if ( family = = AF_INET6 ) {
addr . in6 = LLMNR_MULTICAST_IPV6_ADDRESS ;
fd = manager_llmnr_ipv6_udp_fd ( s - > manager ) ;
} else
return - EAFNOSUPPORT ;
if ( fd < 0 )
return fd ;
2015-07-25 05:11:34 +02:00
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
r = manager_send ( s - > manager , fd , ifindex , family , & addr , LLMNR_PORT , NULL , p ) ;
2015-07-11 19:17:51 +02:00
if ( r < 0 )
return r ;
break ;
case DNS_PROTOCOL_MDNS :
2015-12-26 18:49:32 +01:00
assert ( fd < 0 ) ;
2018-05-11 11:16:52 +02:00
if ( ! ratelimit_below ( & s - > ratelimit ) )
2015-07-11 19:17:51 +02:00
return - EBUSY ;
family = s - > family ;
if ( family = = AF_INET ) {
addr . in = MDNS_MULTICAST_IPV4_ADDRESS ;
fd = manager_mdns_ipv4_fd ( s - > manager ) ;
} else if ( family = = AF_INET6 ) {
addr . in6 = MDNS_MULTICAST_IPV6_ADDRESS ;
fd = manager_mdns_ipv6_fd ( s - > manager ) ;
} else
return - EAFNOSUPPORT ;
if ( fd < 0 )
return fd ;
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
r = manager_send ( s - > manager , fd , ifindex , family , & addr , MDNS_PORT , NULL , p ) ;
2015-07-25 05:11:34 +02:00
if ( r < 0 )
return r ;
2015-07-11 22:21:26 +02:00
break ;
default :
2014-07-16 00:26:02 +02:00
return - EAFNOSUPPORT ;
2015-07-11 22:21:26 +02:00
}
2014-07-16 00:26:02 +02:00
return 1 ;
}
2015-12-26 18:49:32 +01:00
int dns_scope_emit_udp ( DnsScope * s , int fd , DnsPacket * p ) {
2015-12-09 12:05:38 +01:00
int r ;
assert ( s ) ;
assert ( p ) ;
assert ( p - > protocol = = s - > protocol ) ;
2015-12-26 18:49:32 +01:00
assert ( ( s - > protocol = = DNS_PROTOCOL_DNS ) = = ( fd > = 0 ) ) ;
2015-12-09 12:05:38 +01:00
do {
/* If there are multiple linked packets, set the TC bit in all but the last of them */
if ( p - > more ) {
assert ( p - > protocol = = DNS_PROTOCOL_MDNS ) ;
2015-12-09 13:09:35 +01:00
dns_packet_set_flags ( p , true , true ) ;
2015-12-09 12:05:38 +01:00
}
2015-12-26 18:49:32 +01:00
r = dns_scope_emit_one ( s , fd , p ) ;
2015-12-09 12:05:38 +01:00
if ( r < 0 )
return r ;
p = p - > more ;
2015-12-26 18:49:32 +01:00
} while ( p ) ;
2015-12-09 12:05:38 +01:00
return 0 ;
}
2015-12-26 18:49:32 +01:00
static int dns_scope_socket (
DnsScope * s ,
int type ,
int family ,
const union in_addr_union * address ,
DnsServer * server ,
2018-04-27 13:20:31 +02:00
uint16_t port ,
union sockaddr_union * ret_socket_address ) {
2015-12-26 18:49:32 +01:00
2014-07-16 20:15:47 +02:00
_cleanup_close_ int fd = - 1 ;
2018-04-27 13:20:31 +02:00
union sockaddr_union sa ;
2014-07-16 20:15:47 +02:00
socklen_t salen ;
2018-03-22 17:04:29 +01:00
int r , ifindex ;
2014-07-16 20:15:47 +02:00
assert ( s ) ;
resolved: fallback to TCP if UDP fails
This is inspired by the logic in BIND [0], follow-up patches
will implement the reset of that scheme.
If we get a server error back, or if after several attempts we don't
get a reply at all, we switch from UDP to TCP for the given
server for the current and all subsequent requests. However, if
we ever successfully received a reply over UDP, we never fall
back to TCP, and once a grace-period has passed, we try to upgrade
again to using UDP. The grace-period starts off at five minutes
after the current feature level was verified and then grows
exponentially to six hours. This is to mitigate problems due
to temporary lack of network connectivity, but at the same time
avoid flooding the network with retries when the feature attempted
feature level genuinely does not work.
Note that UDP is likely much more commonly supported than TCP,
but depending on the path between the client and the server, we
may have more luck with TCP in case something is wrong. We really
do prefer UDP though, as that is much more lightweight, that is
why TCP is only the last resort.
[0]: <https://kb.isc.org/article/AA-01219/0/Refinements-to-EDNS-fallback-behavior-can-cause-different-outcomes-in-Recursive-Servers.html>
2015-07-06 08:15:25 +02:00
2015-12-26 18:49:32 +01:00
if ( server ) {
assert ( family = = AF_UNSPEC ) ;
assert ( ! address ) ;
resolved: fallback to TCP if UDP fails
This is inspired by the logic in BIND [0], follow-up patches
will implement the reset of that scheme.
If we get a server error back, or if after several attempts we don't
get a reply at all, we switch from UDP to TCP for the given
server for the current and all subsequent requests. However, if
we ever successfully received a reply over UDP, we never fall
back to TCP, and once a grace-period has passed, we try to upgrade
again to using UDP. The grace-period starts off at five minutes
after the current feature level was verified and then grows
exponentially to six hours. This is to mitigate problems due
to temporary lack of network connectivity, but at the same time
avoid flooding the network with retries when the feature attempted
feature level genuinely does not work.
Note that UDP is likely much more commonly supported than TCP,
but depending on the path between the client and the server, we
may have more luck with TCP in case something is wrong. We really
do prefer UDP though, as that is much more lightweight, that is
why TCP is only the last resort.
[0]: <https://kb.isc.org/article/AA-01219/0/Refinements-to-EDNS-fallback-behavior-can-cause-different-outcomes-in-Recursive-Servers.html>
2015-07-06 08:15:25 +02:00
2016-06-03 21:29:14 +02:00
ifindex = dns_server_ifindex ( server ) ;
2018-07-12 06:37:01 +02:00
switch ( server - > family ) {
case AF_INET :
sa = ( union sockaddr_union ) {
. in . sin_family = server - > family ,
. in . sin_port = htobe16 ( port ) ,
. in . sin_addr = server - > address . in ,
} ;
2014-07-29 14:24:02 +02:00
salen = sizeof ( sa . in ) ;
2018-07-12 06:37:01 +02:00
break ;
case AF_INET6 :
sa = ( union sockaddr_union ) {
. in6 . sin6_family = server - > family ,
. in6 . sin6_port = htobe16 ( port ) ,
. in6 . sin6_addr = server - > address . in6 ,
. in6 . sin6_scope_id = ifindex ,
} ;
2014-07-29 14:24:02 +02:00
salen = sizeof ( sa . in6 ) ;
2018-07-12 06:37:01 +02:00
break ;
default :
2014-07-29 14:24:02 +02:00
return - EAFNOSUPPORT ;
2018-07-12 06:37:01 +02:00
}
2014-07-29 14:24:02 +02:00
} else {
2015-12-26 18:49:32 +01:00
assert ( family ! = AF_UNSPEC ) ;
assert ( address ) ;
2016-06-03 21:29:14 +02:00
ifindex = s - > link ? s - > link - > ifindex : 0 ;
2014-07-29 14:24:02 +02:00
2018-07-12 06:37:01 +02:00
switch ( family ) {
case AF_INET :
sa = ( union sockaddr_union ) {
. in . sin_family = family ,
. in . sin_port = htobe16 ( port ) ,
. in . sin_addr = address - > in ,
} ;
2014-07-29 14:24:02 +02:00
salen = sizeof ( sa . in ) ;
2018-07-12 06:37:01 +02:00
break ;
case AF_INET6 :
sa = ( union sockaddr_union ) {
. in6 . sin6_family = family ,
. in6 . sin6_port = htobe16 ( port ) ,
. in6 . sin6_addr = address - > in6 ,
. in6 . sin6_scope_id = ifindex ,
} ;
2014-07-29 14:24:02 +02:00
salen = sizeof ( sa . in6 ) ;
2018-07-12 06:37:01 +02:00
break ;
default :
2014-07-29 14:24:02 +02:00
return - EAFNOSUPPORT ;
2018-07-12 06:37:01 +02:00
}
2014-07-29 14:24:02 +02:00
}
2014-07-16 20:15:47 +02:00
2015-07-15 19:22:29 +02:00
fd = socket ( sa . sa . sa_family , type | SOCK_CLOEXEC | SOCK_NONBLOCK , 0 ) ;
2014-07-16 20:15:47 +02:00
if ( fd < 0 )
return - errno ;
2015-07-15 19:22:29 +02:00
if ( type = = SOCK_STREAM ) {
2018-10-18 19:48:18 +02:00
r = setsockopt_int ( fd , IPPROTO_TCP , TCP_NODELAY , true ) ;
2015-07-15 19:22:29 +02:00
if ( r < 0 )
2018-10-18 19:48:18 +02:00
return r ;
2015-07-15 19:22:29 +02:00
}
2014-07-29 14:24:02 +02:00
if ( s - > link ) {
2016-06-03 21:29:14 +02:00
be32_t ifindex_be = htobe32 ( ifindex ) ;
2014-07-29 14:24:02 +02:00
if ( sa . sa . sa_family = = AF_INET ) {
2016-06-03 21:29:14 +02:00
r = setsockopt ( fd , IPPROTO_IP , IP_UNICAST_IF , & ifindex_be , sizeof ( ifindex_be ) ) ;
2014-07-29 14:24:02 +02:00
if ( r < 0 )
return - errno ;
} else if ( sa . sa . sa_family = = AF_INET6 ) {
2016-06-03 21:29:14 +02:00
r = setsockopt ( fd , IPPROTO_IPV6 , IPV6_UNICAST_IF , & ifindex_be , sizeof ( ifindex_be ) ) ;
2014-07-29 14:24:02 +02:00
if ( r < 0 )
return - errno ;
}
}
if ( s - > protocol = = DNS_PROTOCOL_LLMNR ) {
2014-07-29 23:51:34 +02:00
/* RFC 4795, section 2.5 requires the TTL to be set to 1 */
2014-07-29 14:24:02 +02:00
if ( sa . sa . sa_family = = AF_INET ) {
2018-10-18 19:48:18 +02:00
r = setsockopt_int ( fd , IPPROTO_IP , IP_TTL , true ) ;
2014-07-29 14:24:02 +02:00
if ( r < 0 )
2018-10-18 19:48:18 +02:00
return r ;
2014-07-29 14:24:02 +02:00
} else if ( sa . sa . sa_family = = AF_INET6 ) {
2018-10-18 19:48:18 +02:00
r = setsockopt_int ( fd , IPPROTO_IPV6 , IPV6_UNICAST_HOPS , true ) ;
2014-07-29 14:24:02 +02:00
if ( r < 0 )
2018-10-18 19:48:18 +02:00
return r ;
2014-07-29 14:24:02 +02:00
}
}
2014-07-16 20:15:47 +02:00
2018-10-16 19:32:26 +02:00
if ( type = = SOCK_DGRAM ) {
/* Set IP_RECVERR or IPV6_RECVERR to get ICMP error feedback. See discussion in #10345. */
2018-12-04 23:18:50 +01:00
if ( sa . sa . sa_family = = AF_INET ) {
r = setsockopt_int ( fd , IPPROTO_IP , IP_RECVERR , true ) ;
if ( r < 0 )
return r ;
r = setsockopt_int ( fd , IPPROTO_IP , IP_PKTINFO , true ) ;
if ( r < 0 )
return r ;
} else if ( sa . sa . sa_family = = AF_INET6 ) {
r = setsockopt_int ( fd , IPPROTO_IPV6 , IPV6_RECVERR , true ) ;
if ( r < 0 )
return r ;
r = setsockopt_int ( fd , IPPROTO_IPV6 , IPV6_RECVPKTINFO , true ) ;
if ( r < 0 )
return r ;
}
2018-10-16 19:32:26 +02:00
}
2018-04-27 13:20:31 +02:00
if ( ret_socket_address )
* ret_socket_address = sa ;
else {
r = connect ( fd , & sa . sa , salen ) ;
if ( r < 0 & & errno ! = EINPROGRESS )
return - errno ;
}
2014-07-16 20:15:47 +02:00
2018-03-22 17:04:29 +01:00
return TAKE_FD ( fd ) ;
2014-07-16 20:15:47 +02:00
}
2020-07-13 01:58:02 +02:00
int dns_scope_socket_udp ( DnsScope * s , DnsServer * server ) {
return dns_scope_socket ( s , SOCK_DGRAM , AF_UNSPEC , NULL , server , dns_server_port ( server ) , NULL ) ;
2015-07-15 19:22:29 +02:00
}
2018-04-27 13:20:31 +02:00
int dns_scope_socket_tcp ( DnsScope * s , int family , const union in_addr_union * address , DnsServer * server , uint16_t port , union sockaddr_union * ret_socket_address ) {
2019-04-27 02:22:40 +02:00
/* If ret_socket_address is not NULL, the caller is responsible
2018-04-27 13:20:31 +02:00
* for calling connect ( ) or sendmsg ( ) . This is required by TCP
* Fast Open , to be able to send the initial SYN packet along
* with the first data packet . */
return dns_scope_socket ( s , SOCK_STREAM , family , address , server , port , ret_socket_address ) ;
2015-07-15 19:22:29 +02:00
}
2018-12-03 22:27:19 +01:00
static DnsScopeMatch accept_link_local_reverse_lookups ( const char * domain ) {
assert ( domain ) ;
if ( dns_name_endswith ( domain , " 254.169.in-addr.arpa " ) > 0 )
return DNS_SCOPE_YES_BASE + 4 ; /* 4 labels match */
if ( dns_name_endswith ( domain , " 8.e.f.ip6.arpa " ) > 0 | |
dns_name_endswith ( domain , " 9.e.f.ip6.arpa " ) > 0 | |
dns_name_endswith ( domain , " a.e.f.ip6.arpa " ) > 0 | |
dns_name_endswith ( domain , " b.e.f.ip6.arpa " ) > 0 )
return DNS_SCOPE_YES_BASE + 5 ; /* 5 labels match */
return _DNS_SCOPE_MATCH_INVALID ;
}
2018-12-03 16:25:00 +01:00
DnsScopeMatch dns_scope_good_domain (
DnsScope * s ,
int ifindex ,
uint64_t flags ,
const char * domain ) {
2015-11-24 21:12:51 +01:00
DnsSearchDomain * d ;
2014-07-16 00:26:02 +02:00
2018-12-03 16:25:00 +01:00
/* This returns the following return values:
*
* DNS_SCOPE_NO → This scope is not suitable for lookups of this domain , at all
* DNS_SCOPE_MAYBE → This scope is suitable , but only if nothing else wants it
* DNS_SCOPE_YES_BASE + n → This scope is suitable , and ' n ' suffix labels match
*
* ( The idea is that the caller will only use the scopes with the longest ' n ' returned . If no scopes return
* DNS_SCOPE_YES_BASE + n , then it should use those which returned DNS_SCOPE_MAYBE . It should never use those
* which returned DNS_SCOPE_NO . )
*/
2014-07-16 00:26:02 +02:00
assert ( s ) ;
assert ( domain ) ;
2020-04-20 12:16:56 +02:00
/* Checks if the specified domain is something to look up on this scope. Note that this accepts
* non - qualified hostnames , i . e . those without any search path suffixed . */
2015-12-03 18:26:12 +01:00
2014-08-14 01:00:15 +02:00
if ( ifindex ! = 0 & & ( ! s - > link | | s - > link - > ifindex ! = ifindex ) )
return DNS_SCOPE_NO ;
2015-12-03 21:04:52 +01:00
if ( ( SD_RESOLVED_FLAGS_MAKE ( s - > protocol , s - > family , 0 ) & flags ) = = 0 )
2014-08-14 01:00:15 +02:00
return DNS_SCOPE_NO ;
2015-08-17 23:54:08 +02:00
/* Never resolve any loopback hostname or IP address via DNS,
* LLMNR or mDNS . Instead , always rely on synthesized RRs for
* these . */
if ( is_localhost ( domain ) | |
dns_name_endswith ( domain , " 127.in-addr.arpa " ) > 0 | |
2015-07-29 12:22:55 +02:00
dns_name_equal ( domain , " 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa " ) > 0 )
return DNS_SCOPE_NO ;
2015-12-03 17:20:47 +01:00
/* Never respond to some of the domains listed in RFC6303 */
if ( dns_name_endswith ( domain , " 0.in-addr.arpa " ) > 0 | |
dns_name_equal ( domain , " 255.255.255.255.in-addr.arpa " ) > 0 | |
dns_name_equal ( domain , " 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa " ) > 0 )
return DNS_SCOPE_NO ;
2015-12-09 17:38:05 +01:00
/* Never respond to some of the domains listed in RFC6761 */
if ( dns_name_endswith ( domain , " invalid " ) > 0 )
return DNS_SCOPE_NO ;
2015-07-11 22:21:26 +02:00
switch ( s - > protocol ) {
2015-11-25 20:47:27 +01:00
2017-12-08 17:21:42 +01:00
case DNS_PROTOCOL_DNS : {
2019-01-22 09:57:49 +01:00
bool has_search_domains = false ;
2018-12-03 16:25:00 +01:00
int n_best = - 1 ;
2017-12-08 17:21:42 +01:00
/* Never route things to scopes that lack DNS servers */
2018-12-04 12:08:18 +01:00
if ( ! dns_scope_get_dns_server ( s ) )
2017-12-08 17:21:42 +01:00
return DNS_SCOPE_NO ;
/* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
* we return DNS_SCOPE_YES here , rather than just DNS_SCOPE_MAYBE , which means other wildcard scopes
* won ' t be considered anymore . */
2019-01-22 09:57:49 +01:00
LIST_FOREACH ( domains , d , dns_scope_get_search_domains ( s ) ) {
if ( ! d - > route_only & & ! dns_name_is_root ( d - > name ) )
has_search_domains = true ;
2018-12-03 16:25:00 +01:00
if ( dns_name_endswith ( domain , d - > name ) > 0 ) {
int c ;
c = dns_name_count_labels ( d - > name ) ;
if ( c < 0 )
continue ;
if ( c > n_best )
n_best = c ;
}
2019-01-22 09:57:49 +01:00
}
/* If there's a true search domain defined for this scope, and the query is single-label,
* then let ' s resolve things here , prefereably . Note that LLMNR considers itself
* authoritative for single - label names too , at the same preference , see below . */
if ( has_search_domains & & dns_name_is_single_label ( domain ) )
return DNS_SCOPE_YES_BASE + 1 ;
2018-12-03 16:25:00 +01:00
/* Let's return the number of labels in the best matching result */
if ( n_best > = 0 ) {
assert ( n_best < = DNS_SCOPE_YES_END - DNS_SCOPE_YES_BASE ) ;
return DNS_SCOPE_YES_BASE + n_best ;
}
2017-12-08 17:21:42 +01:00
2018-12-04 12:40:07 +01:00
/* See if this scope is suitable as default route. */
if ( ! dns_scope_is_default_route ( s ) )
2017-12-08 17:21:42 +01:00
return DNS_SCOPE_NO ;
2015-11-25 20:47:27 +01:00
2015-12-03 18:26:12 +01:00
/* Exclude link-local IP ranges */
if ( dns_name_endswith ( domain , " 254.169.in-addr.arpa " ) = = 0 & &
2015-12-03 17:20:47 +01:00
dns_name_endswith ( domain , " 8.e.f.ip6.arpa " ) = = 0 & &
dns_name_endswith ( domain , " 9.e.f.ip6.arpa " ) = = 0 & &
dns_name_endswith ( domain , " a.e.f.ip6.arpa " ) = = 0 & &
2015-12-08 18:29:52 +01:00
dns_name_endswith ( domain , " b.e.f.ip6.arpa " ) = = 0 & &
/* If networks use .local in their private setups, they are supposed to also add .local to their search
* domains , which we already checked above . Otherwise , we consider . local specific to mDNS and won ' t
* send such queries ordinary DNS servers . */
dns_name_endswith ( domain , " local " ) = = 0 )
2014-07-22 21:48:41 +02:00
return DNS_SCOPE_MAYBE ;
2014-07-18 12:34:02 +02:00
2014-07-22 21:48:41 +02:00
return DNS_SCOPE_NO ;
2017-12-08 17:21:42 +01:00
}
2014-07-18 12:34:02 +02:00
2018-12-03 22:27:19 +01:00
case DNS_PROTOCOL_MDNS : {
DnsScopeMatch m ;
m = accept_link_local_reverse_lookups ( domain ) ;
if ( m > = 0 )
return m ;
2015-08-17 23:54:08 +02:00
if ( ( s - > family = = AF_INET & & dns_name_endswith ( domain , " in-addr.arpa " ) > 0 ) | |
2018-12-03 22:27:19 +01:00
( s - > family = = AF_INET6 & & dns_name_endswith ( domain , " ip6.arpa " ) > 0 ) )
return DNS_SCOPE_MAYBE ;
if ( ( dns_name_endswith ( domain , " local " ) > 0 & & /* only resolve names ending in .local via mDNS */
2015-08-17 23:54:08 +02:00
dns_name_equal ( domain , " local " ) = = 0 & & /* but not the single-label "local" name itself */
manager_is_own_hostname ( s - > manager , domain ) < = 0 ) ) /* never resolve the local hostname via mDNS */
2018-12-03 22:27:19 +01:00
return DNS_SCOPE_YES_BASE + 1 ; /* Return +1, as the top-level .local domain matches, i.e. one label */
2014-07-16 00:26:02 +02:00
return DNS_SCOPE_NO ;
2018-12-03 22:27:19 +01:00
}
case DNS_PROTOCOL_LLMNR : {
DnsScopeMatch m ;
m = accept_link_local_reverse_lookups ( domain ) ;
if ( m > = 0 )
return m ;
2014-07-16 00:26:02 +02:00
2015-08-17 23:54:08 +02:00
if ( ( s - > family = = AF_INET & & dns_name_endswith ( domain , " in-addr.arpa " ) > 0 ) | |
2018-12-03 22:27:19 +01:00
( s - > family = = AF_INET6 & & dns_name_endswith ( domain , " ip6.arpa " ) > 0 ) )
return DNS_SCOPE_MAYBE ;
if ( ( dns_name_is_single_label ( domain ) & & /* only resolve single label names via LLMNR */
2015-08-17 23:54:08 +02:00
! is_gateway_hostname ( domain ) & & /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
manager_is_own_hostname ( s - > manager , domain ) < = 0 ) ) /* never resolve the local hostname via LLMNR */
2019-01-22 09:57:49 +01:00
return DNS_SCOPE_YES_BASE + 1 ; /* Return +1, as we consider ourselves authoritative
* for single - label names , i . e . one label . This is
2020-06-03 13:10:23 +02:00
* particularly relevant as it means a " . " route on some
2019-01-22 09:57:49 +01:00
* other scope won ' t pull all traffic away from
* us . ( If people actually want to pull traffic away
* from us they should turn off LLMNR on the
* link ) . Note that unicast DNS scopes with search
* domains also consider themselves authoritative for
* single - label domains , at the same preference ( see
* above ) . */
2014-07-16 00:26:02 +02:00
2014-07-18 12:34:02 +02:00
return DNS_SCOPE_NO ;
2018-12-03 22:27:19 +01:00
}
2014-07-16 00:26:02 +02:00
2015-07-11 22:21:26 +02:00
default :
assert_not_reached ( " Unknown scope protocol " ) ;
}
2014-07-18 12:34:02 +02:00
}
2016-02-01 00:00:01 +01:00
bool dns_scope_good_key ( DnsScope * s , const DnsResourceKey * key ) {
int key_family ;
2014-07-18 12:34:02 +02:00
assert ( s ) ;
assert ( key ) ;
2015-12-03 18:26:12 +01:00
/* Check if it makes sense to resolve the specified key on
* this scope . Note that this call assumes as fully qualified
* name , i . e . the search suffixes already appended . */
2016-02-01 00:00:01 +01:00
if ( key - > class ! = DNS_CLASS_IN )
return false ;
2015-12-03 18:26:12 +01:00
if ( s - > protocol = = DNS_PROTOCOL_DNS ) {
2020-06-03 13:10:23 +02:00
/* On classic DNS, looking up non-address RRs is always fine. (Specifically, we want to
* permit looking up DNSKEY and DS records on the root and top - level domains . ) */
2015-12-03 18:26:12 +01:00
if ( ! dns_resource_key_is_address ( key ) )
return true ;
2020-06-03 13:10:23 +02:00
/* Unless explicitly overridden, we refuse to look up A and AAAA RRs on the root and
* single - label domains , under the assumption that those should be resolved via LLMNR or
* search path only , and should not be leaked onto the internet . */
const char * name = dns_resource_key_name ( key ) ;
if ( ! s - > manager - > resolve_unicast_single_label & &
dns_name_is_single_label ( name ) )
return false ;
return ! dns_name_is_root ( name ) ;
2015-12-03 18:26:12 +01:00
}
2014-07-18 12:34:02 +02:00
/* On mDNS and LLMNR, send A and AAAA queries only on the
* respective scopes */
2016-02-01 00:00:01 +01:00
key_family = dns_type_to_af ( key - > type ) ;
if ( key_family < 0 )
return true ;
2014-07-18 12:34:02 +02:00
2016-02-01 00:00:01 +01:00
return key_family = = s - > family ;
2014-07-18 12:34:02 +02:00
}
2015-07-11 20:33:58 +02:00
static int dns_scope_multicast_membership ( DnsScope * s , bool b , struct in_addr in , struct in6_addr in6 ) {
2014-07-18 12:34:02 +02:00
int fd ;
2014-08-14 19:56:22 +02:00
assert ( s ) ;
assert ( s - > link ) ;
2014-07-18 12:34:02 +02:00
if ( s - > family = = AF_INET ) {
struct ip_mreqn mreqn = {
2015-07-11 20:33:58 +02:00
. imr_multiaddr = in ,
2014-07-18 12:34:02 +02:00
. imr_ifindex = s - > link - > ifindex ,
} ;
2016-12-02 13:17:15 +01:00
if ( s - > protocol = = DNS_PROTOCOL_LLMNR )
fd = manager_llmnr_ipv4_udp_fd ( s - > manager ) ;
else
fd = manager_mdns_ipv4_fd ( s - > manager ) ;
2014-07-18 12:34:02 +02:00
if ( fd < 0 )
return fd ;
2014-08-01 19:48:02 +02:00
/* Always first try to drop membership before we add
* one . This is necessary on some devices , such as
* veth . */
if ( b )
2015-03-14 03:20:01 +01:00
( void ) setsockopt ( fd , IPPROTO_IP , IP_DROP_MEMBERSHIP , & mreqn , sizeof ( mreqn ) ) ;
2014-08-01 19:48:02 +02:00
2014-07-18 12:34:02 +02:00
if ( setsockopt ( fd , IPPROTO_IP , b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP , & mreqn , sizeof ( mreqn ) ) < 0 )
return - errno ;
} else if ( s - > family = = AF_INET6 ) {
struct ipv6_mreq mreq = {
2015-07-11 20:33:58 +02:00
. ipv6mr_multiaddr = in6 ,
2014-07-18 12:34:02 +02:00
. ipv6mr_interface = s - > link - > ifindex ,
} ;
2016-12-02 13:17:15 +01:00
if ( s - > protocol = = DNS_PROTOCOL_LLMNR )
fd = manager_llmnr_ipv6_udp_fd ( s - > manager ) ;
else
fd = manager_mdns_ipv6_fd ( s - > manager ) ;
2014-07-18 12:34:02 +02:00
if ( fd < 0 )
return fd ;
2014-08-01 19:48:02 +02:00
if ( b )
2015-03-14 03:20:01 +01:00
( void ) setsockopt ( fd , IPPROTO_IPV6 , IPV6_DROP_MEMBERSHIP , & mreq , sizeof ( mreq ) ) ;
2014-08-01 19:48:02 +02:00
2014-07-18 12:34:02 +02:00
if ( setsockopt ( fd , IPPROTO_IPV6 , b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP , & mreq , sizeof ( mreq ) ) < 0 )
return - errno ;
} else
return - EAFNOSUPPORT ;
return 0 ;
2014-07-16 00:26:02 +02:00
}
2014-07-29 14:24:02 +02:00
2015-07-11 20:33:58 +02:00
int dns_scope_llmnr_membership ( DnsScope * s , bool b ) {
2016-06-20 21:39:02 +02:00
assert ( s ) ;
2015-07-11 20:33:58 +02:00
if ( s - > protocol ! = DNS_PROTOCOL_LLMNR )
return 0 ;
return dns_scope_multicast_membership ( s , b , LLMNR_MULTICAST_IPV4_ADDRESS , LLMNR_MULTICAST_IPV6_ADDRESS ) ;
}
int dns_scope_mdns_membership ( DnsScope * s , bool b ) {
2016-06-20 21:39:02 +02:00
assert ( s ) ;
2015-07-11 20:33:58 +02:00
if ( s - > protocol ! = DNS_PROTOCOL_MDNS )
return 0 ;
return dns_scope_multicast_membership ( s , b , MDNS_MULTICAST_IPV4_ADDRESS , MDNS_MULTICAST_IPV6_ADDRESS ) ;
}
2016-12-05 16:12:15 +01:00
int dns_scope_make_reply_packet (
2014-07-31 17:46:40 +02:00
DnsScope * s ,
uint16_t id ,
int rcode ,
DnsQuestion * q ,
DnsAnswer * answer ,
DnsAnswer * soa ,
bool tentative ,
DnsPacket * * ret ) {
2014-07-29 14:24:02 +02:00
_cleanup_ ( dns_packet_unrefp ) DnsPacket * p = NULL ;
int r ;
assert ( s ) ;
2014-08-06 16:15:35 +02:00
assert ( ret ) ;
2014-07-29 14:24:02 +02:00
2016-06-20 21:28:53 +02:00
if ( dns_question_isempty ( q ) & &
dns_answer_isempty ( answer ) & &
dns_answer_isempty ( soa ) )
2014-07-29 14:24:02 +02:00
return - EINVAL ;
2017-10-04 12:35:48 +02:00
r = dns_packet_new ( & p , s - > protocol , 0 , DNS_PACKET_SIZE_MAX ) ;
2014-07-29 14:24:02 +02:00
if ( r < 0 )
return r ;
DNS_PACKET_HEADER ( p ) - > id = id ;
2014-07-29 19:50:28 +02:00
DNS_PACKET_HEADER ( p ) - > flags = htobe16 ( DNS_PACKET_MAKE_FLAGS (
1 /* qr */ ,
0 /* opcode */ ,
0 /* c */ ,
0 /* tc */ ,
2014-07-31 17:46:40 +02:00
tentative ,
2014-07-29 19:50:28 +02:00
0 /* (ra) */ ,
0 /* (ad) */ ,
0 /* (cd) */ ,
rcode ) ) ;
2014-07-29 14:24:02 +02:00
2016-06-20 21:39:02 +02:00
r = dns_packet_append_question ( p , q ) ;
if ( r < 0 )
return r ;
DNS_PACKET_HEADER ( p ) - > qdcount = htobe16 ( dns_question_size ( q ) ) ;
2014-07-30 16:30:25 +02:00
2016-06-20 21:39:02 +02:00
r = dns_packet_append_answer ( p , answer ) ;
if ( r < 0 )
return r ;
DNS_PACKET_HEADER ( p ) - > ancount = htobe16 ( dns_answer_size ( answer ) ) ;
2014-07-30 16:30:25 +02:00
2016-06-20 21:39:02 +02:00
r = dns_packet_append_answer ( p , soa ) ;
if ( r < 0 )
return r ;
DNS_PACKET_HEADER ( p ) - > arcount = htobe16 ( dns_answer_size ( soa ) ) ;
2014-07-29 14:24:02 +02:00
2018-04-05 07:26:26 +02:00
* ret = TAKE_PTR ( p ) ;
2014-07-29 14:24:02 +02:00
return 0 ;
}
2014-08-06 16:15:35 +02:00
static void dns_scope_verify_conflicts ( DnsScope * s , DnsPacket * p ) {
2016-06-20 21:59:17 +02:00
DnsResourceRecord * rr ;
DnsResourceKey * key ;
2014-08-06 16:15:35 +02:00
assert ( s ) ;
assert ( p ) ;
2016-06-20 21:59:17 +02:00
DNS_QUESTION_FOREACH ( key , p - > question )
dns_zone_verify_conflicts ( & s - > zone , key ) ;
DNS_ANSWER_FOREACH ( rr , p - > answer )
dns_zone_verify_conflicts ( & s - > zone , rr - > key ) ;
2014-08-06 16:15:35 +02:00
}
2014-07-29 14:24:02 +02:00
void dns_scope_process_query ( DnsScope * s , DnsStream * stream , DnsPacket * p ) {
2014-07-30 16:30:25 +02:00
_cleanup_ ( dns_answer_unrefp ) DnsAnswer * answer = NULL , * soa = NULL ;
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
_cleanup_ ( dns_packet_unrefp ) DnsPacket * reply = NULL ;
2015-11-18 15:30:54 +01:00
DnsResourceKey * key = NULL ;
2014-07-31 17:46:40 +02:00
bool tentative = false ;
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
int r ;
2014-07-29 14:24:02 +02:00
assert ( s ) ;
assert ( p ) ;
if ( p - > protocol ! = DNS_PROTOCOL_LLMNR )
return ;
2014-07-29 23:52:57 +02:00
if ( p - > ipproto = = IPPROTO_UDP ) {
/* Don't accept UDP queries directed to anything but
* the LLMNR multicast addresses . See RFC 4795 ,
2014-12-10 20:00:04 +01:00
* section 2.5 . */
2014-07-29 23:52:57 +02:00
if ( p - > family = = AF_INET & & ! in_addr_equal ( AF_INET , & p - > destination , ( union in_addr_union * ) & LLMNR_MULTICAST_IPV4_ADDRESS ) )
return ;
if ( p - > family = = AF_INET6 & & ! in_addr_equal ( AF_INET6 , & p - > destination , ( union in_addr_union * ) & LLMNR_MULTICAST_IPV6_ADDRESS ) )
return ;
}
2014-07-29 14:24:02 +02:00
r = dns_packet_extract ( p ) ;
if ( r < 0 ) {
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
log_debug_errno ( r , " Failed to extract resource records from incoming packet: %m " ) ;
2014-07-29 14:24:02 +02:00
return ;
}
2015-07-11 02:35:16 +02:00
if ( DNS_PACKET_LLMNR_C ( p ) ) {
2014-08-06 16:15:35 +02:00
/* Somebody notified us about a possible conflict */
dns_scope_verify_conflicts ( s , p ) ;
2014-07-29 19:50:28 +02:00
return ;
}
2016-06-20 21:28:53 +02:00
assert ( dns_question_size ( p - > question ) = = 1 ) ;
2015-11-18 15:30:54 +01:00
key = p - > question - > keys [ 0 ] ;
2016-06-14 23:28:54 +02:00
r = dns_zone_lookup ( & s - > zone , key , 0 , & answer , & soa , & tentative ) ;
2014-07-29 14:24:02 +02:00
if ( r < 0 ) {
2020-03-03 15:00:53 +01:00
log_debug_errno ( r , " Failed to look up key: %m " ) ;
2014-07-29 14:24:02 +02:00
return ;
}
if ( r = = 0 )
return ;
2014-07-30 19:24:05 +02:00
if ( answer )
dns_answer_order_by_scope ( answer , in_addr_is_link_local ( p - > family , & p - > sender ) > 0 ) ;
2014-07-30 00:48:59 +02:00
2014-07-31 17:46:40 +02:00
r = dns_scope_make_reply_packet ( s , DNS_PACKET_ID ( p ) , DNS_RCODE_SUCCESS , p - > question , answer , soa , tentative , & reply ) ;
2014-07-29 14:24:02 +02:00
if ( r < 0 ) {
2014-11-28 13:19:16 +01:00
log_debug_errno ( r , " Failed to build reply packet: %m " ) ;
2014-07-29 14:24:02 +02:00
return ;
}
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
if ( stream ) {
2014-07-29 14:24:02 +02:00
r = dns_stream_write_packet ( stream , reply ) ;
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
if ( r < 0 ) {
log_debug_errno ( r , " Failed to enqueue reply packet: %m " ) ;
return ;
}
/* Let's take an extra reference on this stream, so that it stays around after returning. The reference
* will be dangling until the stream is disconnected , and the default completion handler of the stream
* will then unref the stream and destroy it */
if ( DNS_STREAM_QUEUED ( stream ) )
dns_stream_ref ( stream ) ;
} else {
int fd ;
2018-05-11 11:16:52 +02:00
if ( ! ratelimit_below ( & s - > ratelimit ) )
2014-08-05 16:34:45 +02:00
return ;
2014-07-29 14:24:02 +02:00
if ( p - > family = = AF_INET )
fd = manager_llmnr_ipv4_udp_fd ( s - > manager ) ;
else if ( p - > family = = AF_INET6 )
fd = manager_llmnr_ipv6_udp_fd ( s - > manager ) ;
else {
log_debug ( " Unknown protocol " ) ;
return ;
}
if ( fd < 0 ) {
2014-11-28 13:19:16 +01:00
log_debug_errno ( fd , " Failed to get reply socket: %m " ) ;
2014-07-29 14:24:02 +02:00
return ;
}
2014-08-05 17:01:33 +02:00
/* Note that we always immediately reply to all LLMNR
* requests , and do not wait any time , since we
* verified uniqueness for all records . Also see RFC
* 4795 , Section 2.7 */
resolved: respond to local resolver requests on 127.0.0.53:53
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
r = manager_send ( s - > manager , fd , p - > ifindex , p - > family , & p - > sender , p - > sender_port , NULL , reply ) ;
if ( r < 0 ) {
log_debug_errno ( r , " Failed to send reply packet: %m " ) ;
return ;
}
2014-07-29 14:24:02 +02:00
}
}
2014-07-31 17:46:40 +02:00
2015-08-21 22:55:01 +02:00
DnsTransaction * dns_scope_find_transaction ( DnsScope * scope , DnsResourceKey * key , bool cache_ok ) {
2014-07-31 17:46:40 +02:00
DnsTransaction * t ;
assert ( scope ) ;
2015-08-21 22:55:01 +02:00
assert ( key ) ;
2014-07-31 17:46:40 +02:00
2015-08-24 23:15:51 +02:00
/* Try to find an ongoing transaction that is a equal to the
* specified question */
2015-11-26 23:51:59 +01:00
t = hashmap_get ( scope - > transactions_by_key , key ) ;
2017-02-13 20:34:39 +01:00
if ( ! t )
return NULL ;
2014-08-05 01:51:40 +02:00
2015-08-24 23:15:51 +02:00
/* Refuse reusing transactions that completed based on cached
* data instead of a real packet , if that ' s requested . */
if ( ! cache_ok & &
2015-12-18 19:49:25 +01:00
IN_SET ( t - > state , DNS_TRANSACTION_SUCCESS , DNS_TRANSACTION_RCODE_FAILURE ) & &
2015-11-26 23:33:55 +01:00
t - > answer_source ! = DNS_TRANSACTION_NETWORK )
2015-08-24 23:15:51 +02:00
return NULL ;
2014-07-31 17:46:40 +02:00
2015-08-24 23:15:51 +02:00
return t ;
2014-07-31 17:46:40 +02:00
}
2014-08-06 16:15:35 +02:00
static int dns_scope_make_conflict_packet (
DnsScope * s ,
DnsResourceRecord * rr ,
DnsPacket * * ret ) {
_cleanup_ ( dns_packet_unrefp ) DnsPacket * p = NULL ;
int r ;
assert ( s ) ;
assert ( rr ) ;
assert ( ret ) ;
2017-10-04 12:35:48 +02:00
r = dns_packet_new ( & p , s - > protocol , 0 , DNS_PACKET_SIZE_MAX ) ;
2014-08-06 16:15:35 +02:00
if ( r < 0 )
return r ;
DNS_PACKET_HEADER ( p ) - > flags = htobe16 ( DNS_PACKET_MAKE_FLAGS (
0 /* qr */ ,
0 /* opcode */ ,
1 /* conflict */ ,
0 /* tc */ ,
0 /* t */ ,
0 /* (ra) */ ,
0 /* (ad) */ ,
0 /* (cd) */ ,
0 ) ) ;
2015-12-10 15:59:30 +01:00
/* For mDNS, the transaction ID should always be 0 */
if ( s - > protocol ! = DNS_PROTOCOL_MDNS )
random_bytes ( & DNS_PACKET_HEADER ( p ) - > id , sizeof ( uint16_t ) ) ;
2014-08-06 16:15:35 +02:00
DNS_PACKET_HEADER ( p ) - > qdcount = htobe16 ( 1 ) ;
DNS_PACKET_HEADER ( p ) - > arcount = htobe16 ( 1 ) ;
2016-12-02 14:28:14 +01:00
r = dns_packet_append_key ( p , rr - > key , 0 , NULL ) ;
2014-08-06 16:15:35 +02:00
if ( r < 0 )
return r ;
2016-12-02 14:28:14 +01:00
r = dns_packet_append_rr ( p , rr , 0 , NULL , NULL ) ;
2014-08-06 16:15:35 +02:00
if ( r < 0 )
return r ;
2018-04-05 07:26:26 +02:00
* ret = TAKE_PTR ( p ) ;
2014-08-06 16:15:35 +02:00
return 0 ;
}
static int on_conflict_dispatch ( sd_event_source * es , usec_t usec , void * userdata ) {
DnsScope * scope = userdata ;
int r ;
assert ( es ) ;
assert ( scope ) ;
scope - > conflict_event_source = sd_event_source_unref ( scope - > conflict_event_source ) ;
for ( ; ; ) {
2018-01-03 13:26:53 +01:00
_cleanup_ ( dns_resource_key_unrefp ) DnsResourceKey * key = NULL ;
2014-08-06 16:15:35 +02:00
_cleanup_ ( dns_resource_record_unrefp ) DnsResourceRecord * rr = NULL ;
_cleanup_ ( dns_packet_unrefp ) DnsPacket * p = NULL ;
2018-01-03 13:26:53 +01:00
key = ordered_hashmap_first_key ( scope - > conflict_queue ) ;
if ( ! key )
2014-08-06 16:15:35 +02:00
break ;
2018-01-03 13:26:53 +01:00
rr = ordered_hashmap_remove ( scope - > conflict_queue , key ) ;
assert ( rr ) ;
2014-08-06 16:15:35 +02:00
r = dns_scope_make_conflict_packet ( scope , rr , & p ) ;
if ( r < 0 ) {
2014-11-28 13:19:16 +01:00
log_error_errno ( r , " Failed to make conflict packet: %m " ) ;
2014-08-06 16:15:35 +02:00
return 0 ;
}
2015-12-26 18:49:32 +01:00
r = dns_scope_emit_udp ( scope , - 1 , p ) ;
2014-08-06 16:15:35 +02:00
if ( r < 0 )
2014-11-28 13:19:16 +01:00
log_debug_errno ( r , " Failed to send conflict packet: %m " ) ;
2014-08-06 16:15:35 +02:00
}
return 0 ;
}
int dns_scope_notify_conflict ( DnsScope * scope , DnsResourceRecord * rr ) {
usec_t jitter ;
int r ;
assert ( scope ) ;
assert ( rr ) ;
/* We don't send these queries immediately. Instead, we queue
* them , and send them after some jitter delay . */
2014-08-22 13:56:51 +02:00
r = ordered_hashmap_ensure_allocated ( & scope - > conflict_queue , & dns_resource_key_hash_ops ) ;
2014-08-06 16:15:35 +02:00
if ( r < 0 ) {
log_oom ( ) ;
return r ;
}
/* We only place one RR per key in the conflict
* messages , not all of them . That should be enough to
* indicate where there might be a conflict */
2014-08-22 13:56:51 +02:00
r = ordered_hashmap_put ( scope - > conflict_queue , rr - > key , rr ) ;
2017-10-04 16:01:32 +02:00
if ( IN_SET ( r , 0 , - EEXIST ) )
2014-08-06 16:15:35 +02:00
return 0 ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
return log_debug_errno ( r , " Failed to queue conflicting RR: %m " ) ;
2014-08-06 16:15:35 +02:00
2018-01-03 13:26:53 +01:00
dns_resource_key_ref ( rr - > key ) ;
2014-08-06 16:15:35 +02:00
dns_resource_record_ref ( rr ) ;
if ( scope - > conflict_event_source )
return 0 ;
random_bytes ( & jitter , sizeof ( jitter ) ) ;
jitter % = LLMNR_JITTER_INTERVAL_USEC ;
2020-07-28 11:18:26 +02:00
r = sd_event_add_time_relative (
scope - > manager - > event ,
& scope - > conflict_event_source ,
clock_boottime_or_monotonic ( ) ,
jitter ,
LLMNR_JITTER_INTERVAL_USEC ,
on_conflict_dispatch , scope ) ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
return log_debug_errno ( r , " Failed to add conflict dispatch event: %m " ) ;
2014-08-06 16:15:35 +02:00
2016-01-08 02:20:39 +01:00
( void ) sd_event_source_set_description ( scope - > conflict_event_source , " scope-conflict " ) ;
2014-08-06 16:15:35 +02:00
return 0 ;
}
void dns_scope_check_conflicts ( DnsScope * scope , DnsPacket * p ) {
2018-01-03 14:00:27 +01:00
DnsResourceRecord * rr ;
2014-08-06 16:15:35 +02:00
int r ;
assert ( scope ) ;
assert ( p ) ;
2016-12-02 14:01:56 +01:00
if ( ! IN_SET ( p - > protocol , DNS_PROTOCOL_LLMNR , DNS_PROTOCOL_MDNS ) )
2014-08-06 16:15:35 +02:00
return ;
if ( DNS_PACKET_RRCOUNT ( p ) < = 0 )
return ;
2016-12-02 14:01:56 +01:00
if ( p - > protocol = = DNS_PROTOCOL_LLMNR ) {
if ( DNS_PACKET_LLMNR_C ( p ) ! = 0 )
return ;
2014-08-06 16:15:35 +02:00
2016-12-02 14:01:56 +01:00
if ( DNS_PACKET_LLMNR_T ( p ) ! = 0 )
return ;
}
2014-08-06 16:15:35 +02:00
if ( manager_our_packet ( scope - > manager , p ) )
return ;
r = dns_packet_extract ( p ) ;
if ( r < 0 ) {
2014-11-28 13:19:16 +01:00
log_debug_errno ( r , " Failed to extract packet: %m " ) ;
2014-08-06 16:15:35 +02:00
return ;
}
log_debug ( " Checking for conflicts... " ) ;
2018-01-03 14:00:27 +01:00
DNS_ANSWER_FOREACH ( rr , p - > answer ) {
2018-01-03 13:42:13 +01:00
/* No conflict if it is DNS-SD RR used for service enumeration. */
2018-01-03 14:00:27 +01:00
if ( dns_resource_key_is_dnssd_ptr ( rr - > key ) )
2018-01-03 13:42:13 +01:00
continue ;
2014-08-06 16:15:35 +02:00
/* Check for conflicts against the local zone. If we
* found one , we won ' t check any further */
2018-01-03 14:00:27 +01:00
r = dns_zone_check_conflicts ( & scope - > zone , rr ) ;
2014-08-06 16:15:35 +02:00
if ( r ! = 0 )
continue ;
/* Check for conflicts against the local cache. If so,
* send out an advisory query , to inform everybody */
2018-01-03 14:00:27 +01:00
r = dns_cache_check_conflicts ( & scope - > cache , rr , p - > family , & p - > sender ) ;
2014-08-06 16:15:35 +02:00
if ( r < = 0 )
continue ;
2018-01-03 14:00:27 +01:00
dns_scope_notify_conflict ( scope , rr ) ;
2014-08-06 16:15:35 +02:00
}
}
2015-08-26 09:41:45 +02:00
void dns_scope_dump ( DnsScope * s , FILE * f ) {
assert ( s ) ;
if ( ! f )
f = stdout ;
fputs ( " [Scope protocol= " , f ) ;
fputs ( dns_protocol_to_string ( s - > protocol ) , f ) ;
if ( s - > link ) {
fputs ( " interface= " , f ) ;
2019-04-11 07:08:40 +02:00
fputs ( s - > link - > ifname , f ) ;
2015-08-26 09:41:45 +02:00
}
if ( s - > family ! = AF_UNSPEC ) {
fputs ( " family= " , f ) ;
fputs ( af_to_name ( s - > family ) , f ) ;
}
fputs ( " ] \n " , f ) ;
if ( ! dns_zone_is_empty ( & s - > zone ) ) {
fputs ( " ZONE: \n " , f ) ;
dns_zone_dump ( & s - > zone , f ) ;
}
if ( ! dns_cache_is_empty ( & s - > cache ) ) {
fputs ( " CACHE: \n " , f ) ;
dns_cache_dump ( & s - > cache , f ) ;
}
}
2015-11-24 21:12:51 +01:00
DnsSearchDomain * dns_scope_get_search_domains ( DnsScope * s ) {
2015-11-25 20:47:27 +01:00
assert ( s ) ;
2015-11-24 21:12:51 +01:00
if ( s - > protocol ! = DNS_PROTOCOL_DNS )
return NULL ;
if ( s - > link )
return s - > link - > search_domains ;
2015-12-03 18:26:12 +01:00
return s - > manager - > search_domains ;
2015-11-25 20:47:27 +01:00
}
2020-06-03 13:10:23 +02:00
bool dns_scope_name_wants_search_domain ( DnsScope * s , const char * name ) {
2015-11-25 20:47:27 +01:00
assert ( s ) ;
if ( s - > protocol ! = DNS_PROTOCOL_DNS )
2015-11-25 21:07:17 +01:00
return false ;
2015-11-25 20:47:27 +01:00
2015-11-25 21:07:17 +01:00
return dns_name_is_single_label ( name ) ;
2015-11-25 20:47:27 +01:00
}
2016-01-20 21:28:22 +01:00
bool dns_scope_network_good ( DnsScope * s ) {
/* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
* bound to links this is easy , as they don ' t even exist if the link isn ' t in a suitable state . For the global
* DNS scope we check whether there are any links that are up and have an address . */
if ( s - > link )
return true ;
2016-02-01 00:00:01 +01:00
return manager_routable ( s - > manager , AF_UNSPEC ) ;
2016-01-20 21:28:22 +01:00
}
2016-06-14 23:28:54 +02:00
int dns_scope_ifindex ( DnsScope * s ) {
assert ( s ) ;
if ( s - > link )
return s - > link - > ifindex ;
return 0 ;
}
2016-12-02 14:01:56 +01:00
static int on_announcement_timeout ( sd_event_source * s , usec_t usec , void * userdata ) {
DnsScope * scope = userdata ;
assert ( s ) ;
scope - > announce_event_source = sd_event_source_unref ( scope - > announce_event_source ) ;
2017-02-13 20:44:11 +01:00
( void ) dns_scope_announce ( scope , false ) ;
2016-12-02 14:01:56 +01:00
return 0 ;
}
2017-02-13 20:44:11 +01:00
int dns_scope_announce ( DnsScope * scope , bool goodbye ) {
2016-12-02 14:01:56 +01:00
_cleanup_ ( dns_answer_unrefp ) DnsAnswer * answer = NULL ;
_cleanup_ ( dns_packet_unrefp ) DnsPacket * p = NULL ;
2017-10-04 09:07:44 +02:00
_cleanup_set_free_ Set * types = NULL ;
DnsTransaction * t ;
2017-11-29 10:03:44 +01:00
DnsZoneItem * z , * i ;
2017-10-04 09:07:44 +02:00
unsigned size = 0 ;
Iterator iterator ;
char * service_type ;
2016-12-02 14:01:56 +01:00
int r ;
if ( ! scope )
2017-02-13 20:44:11 +01:00
return 0 ;
2016-12-02 14:01:56 +01:00
if ( scope - > protocol ! = DNS_PROTOCOL_MDNS )
2017-02-13 20:44:11 +01:00
return 0 ;
2016-12-02 14:01:56 +01:00
2017-10-04 09:07:44 +02:00
/* Check if we're done with probing. */
LIST_FOREACH ( transactions_by_scope , t , scope - > transactions )
if ( DNS_TRANSACTION_IS_LIVE ( t - > state ) )
return 0 ;
2017-10-31 08:47:37 +01:00
/* Check if there're services pending conflict resolution. */
if ( manager_next_dnssd_names ( scope - > manager ) )
return 0 ; /* we reach this point only if changing hostname didn't help */
2017-10-04 09:07:44 +02:00
/* Calculate answer's size. */
HASHMAP_FOREACH ( z , scope - > zone . by_key , iterator ) {
if ( z - > state ! = DNS_ZONE_ITEM_ESTABLISHED )
continue ;
if ( z - > rr - > key - > type = = DNS_TYPE_PTR & &
! dns_zone_contains_name ( & scope - > zone , z - > rr - > ptr . name ) ) {
char key_str [ DNS_RESOURCE_KEY_STRING_MAX ] ;
log_debug ( " Skip PTR RR <%s> since its counterparts seem to be withdrawn " , dns_resource_key_to_string ( z - > rr - > key , key_str , sizeof key_str ) ) ;
z - > state = DNS_ZONE_ITEM_WITHDRAWN ;
continue ;
}
/* Collect service types for _services._dns-sd._udp.local RRs in a set */
if ( ! scope - > announced & &
dns_resource_key_is_dnssd_ptr ( z - > rr - > key ) ) {
if ( ! set_contains ( types , dns_resource_key_name ( z - > rr - > key ) ) ) {
2020-06-05 15:12:29 +02:00
r = set_ensure_put ( & types , & dns_name_hash_ops , dns_resource_key_name ( z - > rr - > key ) ) ;
2017-10-04 09:07:44 +02:00
if ( r < 0 )
return log_debug_errno ( r , " Failed to add item to set: %m " ) ;
}
}
2017-11-29 10:03:44 +01:00
LIST_FOREACH ( by_key , i , z )
size + + ;
2017-10-04 09:07:44 +02:00
}
answer = dns_answer_new ( size + set_size ( types ) ) ;
2017-02-13 20:44:11 +01:00
if ( ! answer )
return log_oom ( ) ;
2017-10-04 09:07:44 +02:00
/* Second iteration, actually add RRs to the answer. */
2017-11-29 10:03:44 +01:00
HASHMAP_FOREACH ( z , scope - > zone . by_key , iterator )
LIST_FOREACH ( by_key , i , z ) {
DnsAnswerFlags flags ;
2017-10-04 09:07:44 +02:00
2017-11-29 10:03:44 +01:00
if ( i - > state ! = DNS_ZONE_ITEM_ESTABLISHED )
continue ;
2017-10-04 09:07:44 +02:00
2017-11-29 10:03:44 +01:00
if ( dns_resource_key_is_dnssd_ptr ( i - > rr - > key ) )
flags = goodbye ? DNS_ANSWER_GOODBYE : 0 ;
else
flags = goodbye ? ( DNS_ANSWER_GOODBYE | DNS_ANSWER_CACHE_FLUSH ) : DNS_ANSWER_CACHE_FLUSH ;
2017-10-04 09:07:44 +02:00
2017-11-29 10:03:44 +01:00
r = dns_answer_add ( answer , i - > rr , 0 , flags ) ;
if ( r < 0 )
return log_debug_errno ( r , " Failed to add RR to announce: %m " ) ;
}
2017-10-04 09:07:44 +02:00
/* Since all the active services are in the zone make them discoverable now. */
SET_FOREACH ( service_type , types , iterator ) {
_cleanup_ ( dns_resource_record_unrefp ) DnsResourceRecord * rr ;
rr = dns_resource_record_new_full ( DNS_CLASS_IN , DNS_TYPE_PTR ,
" _services._dns-sd._udp.local " ) ;
rr - > ptr . name = strdup ( service_type ) ;
rr - > ttl = MDNS_DEFAULT_TTL ;
r = dns_zone_put ( & scope - > zone , scope , rr , false ) ;
2017-02-13 20:44:11 +01:00
if ( r < 0 )
2017-10-04 09:07:44 +02:00
log_warning_errno ( r , " Failed to add DNS-SD PTR record to MDNS zone: %m " ) ;
2017-02-13 20:44:11 +01:00
2017-10-04 09:07:44 +02:00
r = dns_answer_add ( answer , rr , 0 , 0 ) ;
2017-02-13 20:44:11 +01:00
if ( r < 0 )
2017-10-04 09:07:44 +02:00
return log_debug_errno ( r , " Failed to add RR to announce: %m " ) ;
2016-12-02 14:01:56 +01:00
}
if ( dns_answer_isempty ( answer ) )
2017-02-13 20:44:11 +01:00
return 0 ;
2016-12-02 14:01:56 +01:00
r = dns_scope_make_reply_packet ( scope , 0 , DNS_RCODE_SUCCESS , NULL , answer , NULL , false , & p ) ;
2017-02-13 20:44:11 +01:00
if ( r < 0 )
return log_debug_errno ( r , " Failed to build reply packet: %m " ) ;
2016-12-02 14:01:56 +01:00
r = dns_scope_emit_udp ( scope , - 1 , p ) ;
2017-02-13 20:44:11 +01:00
if ( r < 0 )
return log_debug_errno ( r , " Failed to send reply packet: %m " ) ;
2016-12-02 14:01:56 +01:00
/* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
* responses , one second apart . " */
if ( ! scope - > announced ) {
scope - > announced = true ;
2020-07-28 11:18:26 +02:00
r = sd_event_add_time_relative (
2016-12-02 14:01:56 +01:00
scope - > manager - > event ,
& scope - > announce_event_source ,
clock_boottime_or_monotonic ( ) ,
2020-07-28 11:18:26 +02:00
MDNS_ANNOUNCE_DELAY ,
2016-12-02 14:01:56 +01:00
MDNS_JITTER_RANGE_USEC ,
on_announcement_timeout , scope ) ;
if ( r < 0 )
2017-02-13 20:44:11 +01:00
return log_debug_errno ( r , " Failed to schedule second announcement: %m " ) ;
2017-02-13 20:45:25 +01:00
( void ) sd_event_source_set_description ( scope - > announce_event_source , " mdns-announce " ) ;
2016-12-02 14:01:56 +01:00
}
2017-02-13 20:44:11 +01:00
return 0 ;
2016-12-02 14:01:56 +01:00
}
2017-10-04 10:34:39 +02:00
int dns_scope_add_dnssd_services ( DnsScope * scope ) {
Iterator i ;
DnssdService * service ;
2017-11-29 10:03:44 +01:00
DnssdTxtData * txt_data ;
2017-10-04 10:34:39 +02:00
int r ;
assert ( scope ) ;
if ( hashmap_size ( scope - > manager - > dnssd_services ) = = 0 )
return 0 ;
scope - > announced = false ;
HASHMAP_FOREACH ( service , scope - > manager - > dnssd_services , i ) {
2017-10-23 13:46:13 +02:00
service - > withdrawn = false ;
2017-10-04 10:34:39 +02:00
r = dns_zone_put ( & scope - > zone , scope , service - > ptr_rr , false ) ;
if ( r < 0 )
log_warning_errno ( r , " Failed to add PTR record to MDNS zone: %m " ) ;
r = dns_zone_put ( & scope - > zone , scope , service - > srv_rr , true ) ;
if ( r < 0 )
log_warning_errno ( r , " Failed to add SRV record to MDNS zone: %m " ) ;
2017-11-29 10:03:44 +01:00
LIST_FOREACH ( items , txt_data , service - > txt_data_items ) {
r = dns_zone_put ( & scope - > zone , scope , txt_data - > rr , true ) ;
if ( r < 0 )
log_warning_errno ( r , " Failed to add TXT record to MDNS zone: %m " ) ;
}
2017-10-04 10:34:39 +02:00
}
return 0 ;
}
int dns_scope_remove_dnssd_services ( DnsScope * scope ) {
_cleanup_ ( dns_resource_key_unrefp ) DnsResourceKey * key = NULL ;
Iterator i ;
DnssdService * service ;
2017-11-29 10:03:44 +01:00
DnssdTxtData * txt_data ;
2017-10-04 10:34:39 +02:00
int r ;
assert ( scope ) ;
key = dns_resource_key_new ( DNS_CLASS_IN , DNS_TYPE_PTR ,
" _services._dns-sd._udp.local " ) ;
if ( ! key )
return log_oom ( ) ;
r = dns_zone_remove_rrs_by_key ( & scope - > zone , key ) ;
if ( r < 0 )
return r ;
HASHMAP_FOREACH ( service , scope - > manager - > dnssd_services , i ) {
dns_zone_remove_rr ( & scope - > zone , service - > ptr_rr ) ;
dns_zone_remove_rr ( & scope - > zone , service - > srv_rr ) ;
2017-11-29 10:03:44 +01:00
LIST_FOREACH ( items , txt_data , service - > txt_data_items )
dns_zone_remove_rr ( & scope - > zone , txt_data - > rr ) ;
2017-10-04 10:34:39 +02:00
}
return 0 ;
}
2018-12-04 12:08:18 +01:00
2018-12-04 12:40:07 +01:00
static bool dns_scope_has_route_only_domains ( DnsScope * scope ) {
2018-12-04 12:08:18 +01:00
DnsSearchDomain * domain , * first ;
bool route_only = false ;
2018-12-04 12:40:07 +01:00
assert ( scope ) ;
assert ( scope - > protocol = = DNS_PROTOCOL_DNS ) ;
2018-12-04 12:08:18 +01:00
2018-12-04 12:40:07 +01:00
/* Returns 'true' if this scope is suitable for queries to specific domains only. For that we check
* if there are any route - only domains on this interface , as a heuristic to discern VPN - style links
* from non - VPN - style links . Returns ' false ' for all other cases , i . e . if the scope is intended to
* take queries to arbitrary domains , i . e . has no routing domains set . */
2018-12-04 12:08:18 +01:00
if ( scope - > link )
first = scope - > link - > search_domains ;
else
first = scope - > manager - > search_domains ;
LIST_FOREACH ( domains , domain , first ) {
2018-12-04 12:40:07 +01:00
/* "." means "any domain", thus the interface takes any kind of traffic. Thus, we exit early
* here , as it doesn ' t really matter whether this link has any route - only domains or not ,
* " ~. " really trumps everything and clearly indicates that this interface shall receive all
* traffic it can get . */
2018-12-04 12:08:18 +01:00
if ( dns_name_is_root ( DNS_SEARCH_DOMAIN_NAME ( domain ) ) )
return false ;
if ( domain - > route_only )
route_only = true ;
}
return route_only ;
}
2018-12-04 12:40:07 +01:00
bool dns_scope_is_default_route ( DnsScope * scope ) {
assert ( scope ) ;
/* Only use DNS scopes as default routes */
if ( scope - > protocol ! = DNS_PROTOCOL_DNS )
return false ;
/* The global DNS scope is always suitable as default route */
if ( ! scope - > link )
return true ;
/* Honour whatever is explicitly configured. This is really the best approach, and trumps any
* automatic logic . */
if ( scope - > link - > default_route > = 0 )
return scope - > link - > default_route ;
/* Otherwise check if we have any route-only domains, as a sensible heuristic: if so, let's not
* volunteer as default route . */
return ! dns_scope_has_route_only_domains ( scope ) ;
}
