resolved: optionally allow single-label A/AAAA queries
parent
c2f1e83e27
commit
3b5bd7d6b8
|
@ -524,12 +524,12 @@ static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
/* If this a single-label domain on DNS, we might append a suitable search domain first. */
|
/* If this a single-label domain on DNS, we might append a suitable search domain first. */
|
||||||
if ((q->flags & SD_RESOLVED_NO_SEARCH) == 0 &&
|
if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) &&
|
||||||
dns_scope_name_needs_search_domain(s, dns_question_first_name(q->question_idna))) {
|
dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) {
|
||||||
/* OK, we need a search domain now. Let's find one for this scope */
|
/* OK, we want a search domain now. Let's find one for this scope */
|
||||||
|
|
||||||
r = dns_query_candidate_next_search_domain(c);
|
r = dns_query_candidate_next_search_domain(c);
|
||||||
if (r <= 0) /* if there's no search domain, then we won't add any transaction. */
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
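Review bot: The check after `dns_query_candidate_next_search_domain(c)` now reads `if (r < 0)`, so `r == 0` (no search domain available, going by the removed comment) falls through instead of returning, and nothing in the hunk says what the function does with the name in that case. The rest of dns_query_add_candidate() lies outside the hunk, so presumably the name is then tried as given and `dns_scope_good_key()` decides whether a single-label A/AAAA lookup is actually sent. I would keep a comment on that line, e.g. `if (r < 0) /* r == 0: no search domain; continue with the name as given, dns_scope_good_key() still filters single-label names */`, so a later reader neither restores the early return nor assumes unqualified names can never reach a DNS scope.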
@ -619,7 +619,7 @@ DnsScopeMatch dns_scope_good_domain(
|
||||||
manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
|
manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
|
||||||
return DNS_SCOPE_YES_BASE + 1; /* Return +1, as we consider ourselves authoritative
|
return DNS_SCOPE_YES_BASE + 1; /* Return +1, as we consider ourselves authoritative
|
||||||
* for single-label names, i.e. one label. This is
|
* for single-label names, i.e. one label. This is
|
||||||
* particular relevant as it means a "." route on some
|
* particularly relevant as it means a "." route on some
|
||||||
* other scope won't pull all traffic away from
|
* other scope won't pull all traffic away from
|
||||||
* us. (If people actually want to pull traffic away
|
* us. (If people actually want to pull traffic away
|
||||||
* from us they should turn off LLMNR on the
|
* from us they should turn off LLMNR on the
|
||||||
|
@ -651,20 +651,21 @@ bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key) {
|
||||||
|
|
||||||
if (s->protocol == DNS_PROTOCOL_DNS) {
|
if (s->protocol == DNS_PROTOCOL_DNS) {
|
||||||
|
|
||||||
/* On classic DNS, looking up non-address RRs is always
|
/* On classic DNS, looking up non-address RRs is always fine. (Specifically, we want to
|
||||||
* fine. (Specifically, we want to permit looking up
|
* permit looking up DNSKEY and DS records on the root and top-level domains.) */
|
||||||
* DNSKEY and DS records on the root and top-level
|
|
||||||
* domains.) */
|
|
||||||
if (!dns_resource_key_is_address(key))
|
if (!dns_resource_key_is_address(key))
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
/* However, we refuse to look up A and AAAA RRs on the
|
/* Unless explicitly overridden, we refuse to look up A and AAAA RRs on the root and
|
||||||
* root and single-label domains, under the assumption
|
* single-label domains, under the assumption that those should be resolved via LLMNR or
|
||||||
* that those should be resolved via LLMNR or search
|
* search path only, and should not be leaked onto the internet. */
|
||||||
* path only, and should not be leaked onto the
|
const char* name = dns_resource_key_name(key);
|
||||||
* internet. */
|
|
||||||
return !(dns_name_is_single_label(dns_resource_key_name(key)) ||
|
if (!s->manager->resolve_unicast_single_label &&
|
||||||
dns_name_is_root(dns_resource_key_name(key)));
|
dns_name_is_single_label(name))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return !dns_name_is_root(name);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* On mDNS and LLMNR, send A and AAAA queries only on the
|
/* On mDNS and LLMNR, send A and AAAA queries only on the
|
||||||
|
@ -1169,7 +1170,7 @@ DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
|
||||||
return s->manager->search_domains;
|
return s->manager->search_domains;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
|
bool dns_scope_name_wants_search_domain(DnsScope *s, const char *name) {
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
if (s->protocol != DNS_PROTOCOL_DNS)
|
if (s->protocol != DNS_PROTOCOL_DNS)
|
||||||
|
|
|
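Review bot: In dns_scope_good_key(), the override is read from `s->manager->resolve_unicast_single_label`, a Manager-wide flag, so once it is set the single-label restriction is lifted on every DNS scope rather than only on a link the administrator trusts. The rewritten comment says "Unless explicitly overridden" but names neither the setting nor the consequence, which is that unqualified names (typically internal host names) are then sent to whichever unicast server the scope uses and may be answered from outside the local network. I would extend the comment with `* (ResolveUnicastSingleLabel=yes lifts this for all DNS scopes; single-label names then reach the configured unicast servers.) */`. As a style point, `const char* name` should be `const char *name`, and the declaration sits between the comment and the check it explains; the function's body starts and ends outside the hunk.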
@ -99,7 +99,7 @@ void dns_scope_dump(DnsScope *s, FILE *f);
|
||||||
|
|
||||||
DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s);
|
DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s);
|
||||||
|
|
||||||
bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name);
|
bool dns_scope_name_wants_search_domain(DnsScope *s, const char *name);
|
||||||
|
|
||||||
bool dns_scope_network_good(DnsScope *s);
|
bool dns_scope_network_good(DnsScope *s);
|
||||||
|
|
||||||
|
|
|
@ -18,13 +18,14 @@ struct ConfigPerfItem;
|
||||||
%struct-type
|
%struct-type
|
||||||
%includes
|
%includes
|
||||||
%%
|
%%
|
||||||
Resolve.DNS, config_parse_dns_servers, DNS_SERVER_SYSTEM, 0
|
Resolve.DNS, config_parse_dns_servers, DNS_SERVER_SYSTEM, 0
|
||||||
Resolve.FallbackDNS, config_parse_dns_servers, DNS_SERVER_FALLBACK, 0
|
Resolve.FallbackDNS, config_parse_dns_servers, DNS_SERVER_FALLBACK, 0
|
||||||
Resolve.Domains, config_parse_search_domains, 0, 0
|
Resolve.Domains, config_parse_search_domains, 0, 0
|
||||||
Resolve.LLMNR, config_parse_resolve_support, 0, offsetof(Manager, llmnr_support)
|
Resolve.LLMNR, config_parse_resolve_support, 0, offsetof(Manager, llmnr_support)
|
||||||
Resolve.MulticastDNS, config_parse_resolve_support, 0, offsetof(Manager, mdns_support)
|
Resolve.MulticastDNS, config_parse_resolve_support, 0, offsetof(Manager, mdns_support)
|
||||||
Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode)
|
Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode)
|
||||||
Resolve.DNSOverTLS, config_parse_dns_over_tls_mode, 0, offsetof(Manager, dns_over_tls_mode)
|
Resolve.DNSOverTLS, config_parse_dns_over_tls_mode, 0, offsetof(Manager, dns_over_tls_mode)
|
||||||
Resolve.Cache, config_parse_dns_cache_mode, DNS_CACHE_MODE_YES, offsetof(Manager, enable_cache)
|
Resolve.Cache, config_parse_dns_cache_mode, DNS_CACHE_MODE_YES, offsetof(Manager, enable_cache)
|
||||||
Resolve.DNSStubListener, config_parse_dns_stub_listener_mode, 0, offsetof(Manager, dns_stub_listener_mode)
|
Resolve.DNSStubListener, config_parse_dns_stub_listener_mode, 0, offsetof(Manager, dns_stub_listener_mode)
|
||||||
Resolve.ReadEtcHosts, config_parse_bool, 0, offsetof(Manager, read_etc_hosts)
|
Resolve.ReadEtcHosts, config_parse_bool, 0, offsetof(Manager, read_etc_hosts)
|
||||||
|
Resolve.ResolveUnicastSingleLabel, config_parse_bool, 0, offsetof(Manager, resolve_unicast_single_label)
|
||||||
|
|
|
@ -72,6 +72,7 @@ struct Manager {
|
||||||
|
|
||||||
bool need_builtin_fallbacks;
|
bool need_builtin_fallbacks;
|
||||||
bool read_resolv_conf;
|
bool read_resolv_conf;
|
||||||
|
bool resolve_unicast_single_label;
|
||||||
|
|
||||||
struct stat resolv_conf_stat;
|
struct stat resolv_conf_stat;
|
||||||
|
|
||||||
|
|
|
@ -22,3 +22,4 @@
|
||||||
#Cache=yes
|
#Cache=yes
|
||||||
#DNSStubListener=yes
|
#DNSStubListener=yes
|
||||||
#ReadEtcHosts=yes
|
#ReadEtcHosts=yes
|
||||||
|
#ResolveUnicastSingleLabel=no
|
||||||
|
|