diff --git a/meson.build b/meson.build index 3644e8d5cb..c62d2afccd 100644 --- a/meson.build +++ b/meson.build @@ -1137,6 +1137,18 @@ conf.set('DEFAULT_DNSSEC_MODE', 'DNSSEC_' + default_dnssec.underscorify().to_upper()) substs.set('DEFAULT_DNSSEC_MODE', default_dnssec) +default_private_dns = get_option('default-private-dns') +if fuzzer_build + default_private_dns = 'no' +endif +if default_private_dns != 'no' and conf.get('HAVE_GNUTLS') == 0 + message('default-private-dns cannot be set to strict or opportunistic when gnutls is disabled. Setting default-private-dns to no.') + default_private_dns = 'no' +endif +conf.set('DEFAULT_PRIVATE_DNS_MODE', + 'PRIVATE_DNS_' + default_private_dns.underscorify().to_upper()) +substs.set('DEFAULT_PRIVATE_DNS_MODE', default_private_dns) + want_importd = get_option('importd') if want_importd != 'false' have = (conf.get('HAVE_LIBCURL') == 1 and @@ -1585,6 +1597,7 @@ if conf.get('ENABLE_RESOLVE') == 1 libbasic_gcrypt, libsystemd_resolve_core], dependencies : [threads, + libgnutls, libgpg_error, libm, libidn], @@ -2857,6 +2870,7 @@ status = [ 'symbolic gateway hostnames: @0@'.format(', '.join(gateway_hostnames)), 'default DNSSEC mode: @0@'.format(default_dnssec), + 'default private DNS mode: @0@'.format(default_private_dns), 'default cgroup hierarchy: @0@'.format(default_hierarchy), 'default KillUserProcesses setting: @0@'.format(kill_user_processes)] diff --git a/meson_options.txt b/meson_options.txt index 557d7843bc..c1d0cf6d7b 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -193,6 +193,10 @@ option('default-dnssec', type : 'combo', description : 'default DNSSEC mode', choices : ['yes', 'allow-downgrade', 'no'], value : 'allow-downgrade') +option('default-private-dns', type : 'combo', + description : 'default private DNS mode', + choices : ['opportunistic', 'no'], + value : 'no') option('dns-servers', type : 'string', description : 'space-separated list of default DNS servers', value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844') diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c index e9fd148469..2825d2df18 100644 --- a/src/resolve/resolved-conf.c +++ b/src/resolve/resolved-conf.c @@ -396,6 +396,13 @@ int manager_parse_config_file(Manager *m) { m->dnssec_mode = DNSSEC_NO; } #endif + +#if ! HAVE_GNUTLS + if (m->private_dns_mode != PRIVATE_DNS_NO) { + log_warning("Private DNS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off private DNS support."); + m->private_dns_mode = PRIVATE_DNS_NO; + } +#endif return 0; } diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c index b92bcd557e..ba4c47c2a9 100644 --- a/src/resolve/resolved-dns-scope.c +++ b/src/resolve/resolved-dns-scope.c @@ -56,8 +56,12 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int s->dnssec_mode = link_get_dnssec_mode(l); else s->dnssec_mode = manager_get_dnssec_mode(m); - } else + + s->private_dns_mode = manager_get_private_dns_mode(m); + } else { s->dnssec_mode = DNSSEC_NO; + s->private_dns_mode = PRIVATE_DNS_NO; + } LIST_PREPEND(scopes, m->dns_scopes, s); diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h index 0042193e20..45e6d31c67 100644 --- a/src/resolve/resolved-dns-scope.h +++ b/src/resolve/resolved-dns-scope.h @@ -35,6 +35,7 @@ struct DnsScope { DnsProtocol protocol; int family; DnssecMode dnssec_mode; + PrivateDnsMode private_dns_mode; Link *link; diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index aef853a7d2..7e0d2a0752 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -89,6 +89,11 @@ int dns_server_new( s->linked = true; +#if HAVE_GNUTLS + /* Do not verify cerificate */ + gnutls_certificate_allocate_credentials(&s->tls_cert_cred); +#endif + /* A new DNS server that isn't fallback is added and the one * we used so far was a fallback one? Then let's try to pick * the new one */ @@ -125,6 +130,14 @@ DnsServer* dns_server_unref(DnsServer *s) { dns_stream_unref(s->stream); +#if HAVE_GNUTLS + if (s->tls_cert_cred) + gnutls_certificate_free_credentials(s->tls_cert_cred); + + if (s->tls_session_data.data) + gnutls_free(s->tls_session_data.data); +#endif + free(s->server_string); return mfree(s); } @@ -236,6 +249,7 @@ static void dns_server_reset_counters(DnsServer *s) { s->n_failed_udp = 0; s->n_failed_tcp = 0; + s->n_failed_tls = 0; s->packet_truncated = false; s->verified_usec = 0; @@ -257,29 +271,32 @@ void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLeve if (protocol == IPPROTO_UDP) { if (s->possible_feature_level == level) s->n_failed_udp = 0; - - /* If the RRSIG data is missing, then we can only validate EDNS0 at max */ - if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO) - level = DNS_SERVER_FEATURE_LEVEL_DO - 1; - - /* If the OPT RR got lost, then we can only validate UDP at max */ - if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) - level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1; - - /* Even if we successfully receive a reply to a request announcing support for large packets, - that does not mean we can necessarily receive large packets. */ - if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) - level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1; - } else if (protocol == IPPROTO_TCP) { + if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level)) { + if (s->possible_feature_level == level) + s->n_failed_tls = 0; + } else { + if (s->possible_feature_level == level) + s->n_failed_tcp = 0; - if (s->possible_feature_level == level) - s->n_failed_tcp = 0; - - /* Successful TCP connections are only useful to verify the TCP feature level. */ - level = DNS_SERVER_FEATURE_LEVEL_TCP; + /* Successful TCP connections are only useful to verify the TCP feature level. */ + level = DNS_SERVER_FEATURE_LEVEL_TCP; + } } + /* If the RRSIG data is missing, then we can only validate EDNS0 at max */ + if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO) + level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0; + + /* If the OPT RR got lost, then we can only validate UDP at max */ + if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) + level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1; + + /* Even if we successfully receive a reply to a request announcing support for large packets, + that does not mean we can necessarily receive large packets. */ + if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) + level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1; + dns_server_verified(s, level); /* Remember the size of the largest UDP packet we received from a server, @@ -304,8 +321,12 @@ void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel le if (s->possible_feature_level == level) { if (protocol == IPPROTO_UDP) s->n_failed_udp++; - else if (protocol == IPPROTO_TCP) - s->n_failed_tcp++; + else if (protocol == IPPROTO_TCP) { + if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level)) + s->n_failed_tls++; + else + s->n_failed_tcp++; + } } if (s->resend_timeout > usec) @@ -333,7 +354,7 @@ void dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level) /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */ if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO) - s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_DO-1; + s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0; s->packet_rrsig_missing = true; } @@ -395,9 +416,14 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything * better than EDNS0, hence don't even try. */ - best = dns_server_get_dnssec_mode(s) == DNSSEC_NO ? - DNS_SERVER_FEATURE_LEVEL_EDNS0 : - DNS_SERVER_FEATURE_LEVEL_BEST; + if (dns_server_get_dnssec_mode(s) != DNSSEC_NO) + best = dns_server_get_private_dns_mode(s) == PRIVATE_DNS_NO ? + DNS_SERVER_FEATURE_LEVEL_LARGE : + DNS_SERVER_FEATURE_LEVEL_TLS_DO; + else + best = dns_server_get_private_dns_mode(s) == PRIVATE_DNS_NO ? + DNS_SERVER_FEATURE_LEVEL_EDNS0 : + DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; /* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last * time, hence let's downgrade if we are still at a higher level. */ @@ -431,7 +457,14 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { * work. Upgrade back to UDP again. */ log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again..."); s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP; + } else if (s->n_failed_tls > 0 && + DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level)) { + /* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP + * if we don't require DNS-over-TLS */ + + log_debug("Server doesn't support seem to support DNS-over-TLS, downgrading protocol..."); + s->possible_feature_level--; } else if (s->packet_bad_opt && s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) { @@ -452,7 +485,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { * not. */ log_debug("Detected server responses lack RRSIG records, downgrading feature level..."); - s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0; + s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0; } else if (s->n_failed_udp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS && s->possible_feature_level >= (dns_server_get_dnssec_mode(s) == DNSSEC_YES ? DNS_SERVER_FEATURE_LEVEL_LARGE : DNS_SERVER_FEATURE_LEVEL_UDP)) { @@ -795,6 +828,12 @@ DnssecMode dns_server_get_dnssec_mode(DnsServer *s) { return manager_get_dnssec_mode(s->manager); } +PrivateDnsMode dns_server_get_private_dns_mode(DnsServer *s) { + assert(s); + + return manager_get_private_dns_mode(s->manager); +} + void dns_server_flush_cache(DnsServer *s) { DnsServer *current; DnsScope *scope; @@ -904,7 +943,9 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE [DNS_SERVER_FEATURE_LEVEL_TCP] = "TCP", [DNS_SERVER_FEATURE_LEVEL_UDP] = "UDP", [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0", [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO", [DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE", + [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0", }; DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel); diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h index e0e713e9ca..a546eb3209 100644 --- a/src/resolve/resolved-dns-server.h +++ b/src/resolve/resolved-dns-server.h @@ -9,6 +9,10 @@ #include "in-addr-util.h" +#if HAVE_GNUTLS +#include +#endif + typedef struct DnsServer DnsServer; typedef enum DnsServerType { @@ -25,14 +29,17 @@ typedef enum DnsServerFeatureLevel { DNS_SERVER_FEATURE_LEVEL_TCP, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, + DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_DO, DNS_SERVER_FEATURE_LEVEL_LARGE, + DNS_SERVER_FEATURE_LEVEL_TLS_DO, _DNS_SERVER_FEATURE_LEVEL_MAX, _DNS_SERVER_FEATURE_LEVEL_INVALID = -1 } DnsServerFeatureLevel; #define DNS_SERVER_FEATURE_LEVEL_WORST 0 #define DNS_SERVER_FEATURE_LEVEL_BEST (_DNS_SERVER_FEATURE_LEVEL_MAX - 1) +#define DNS_SERVER_FEATURE_LEVEL_IS_TLS(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_TLS_DO) const char* dns_server_feature_level_to_string(int i) _const_; int dns_server_feature_level_from_string(const char *s) _pure_; @@ -55,6 +62,11 @@ struct DnsServer { char *server_string; DnsStream *stream; +#if HAVE_GNUTLS + gnutls_certificate_credentials_t tls_cert_cred; + gnutls_datum_t tls_session_data; +#endif + usec_t resend_timeout; usec_t max_rtt; @@ -65,6 +77,7 @@ struct DnsServer { unsigned n_failed_udp; unsigned n_failed_tcp; + unsigned n_failed_tls; bool packet_truncated:1; bool packet_bad_opt:1; @@ -134,6 +147,7 @@ void manager_next_dns_server(Manager *m); bool dns_server_address_valid(int family, const union in_addr_union *sa); DnssecMode dns_server_get_dnssec_mode(DnsServer *s); +PrivateDnsMode dns_server_get_private_dns_mode(DnsServer *s); DEFINE_TRIVIAL_CLEANUP_FUNC(DnsServer*, dns_server_unref); diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index 5d2cc1ad8b..bd37077d50 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -16,6 +16,8 @@ #define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC) #define DNS_STREAMS_MAX 128 +#define WRITE_TLS_DATA 1 + static void dns_stream_stop(DnsStream *s) { assert(s); @@ -47,7 +49,19 @@ static int dns_stream_update_io(DnsStream *s) { static int dns_stream_complete(DnsStream *s, int error) { assert(s); - dns_stream_stop(s); +#if HAVE_GNUTLS + if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) { + int r; + + r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR); + if (r == GNUTLS_E_AGAIN && !s->tls_bye) { + dns_stream_ref(s); /* keep reference for closing TLS session */ + s->tls_bye = true; + } else + dns_stream_stop(s); + } else +#endif + dns_stream_stop(s); if (s->complete) s->complete(s, error); @@ -182,12 +196,39 @@ static int dns_stream_identify(DnsStream *s) { return 0; } -static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt) { +static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) { ssize_t r; assert(s); assert(iov); +#if HAVE_GNUTLS + if (s->tls_session && !(flags & WRITE_TLS_DATA)) { + ssize_t ss; + size_t i; + + r = 0; + for (i = 0; i < iovcnt; i++) { + ss = gnutls_record_send(s->tls_session, iov[i].iov_base, iov[i].iov_len); + if (ss < 0) { + switch(ss) { + + case GNUTLS_E_INTERRUPTED: + return -EINTR; + case GNUTLS_E_AGAIN: + return -EAGAIN; + default: + log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss)); + return -EIO; + } + } + + r += ss; + if (ss != (ssize_t) iov[i].iov_len) + continue; + } + } else +#endif if (s->tfo_salen > 0) { struct msghdr hdr = { .msg_iov = (struct iovec*) iov, @@ -215,6 +256,54 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i return r; } +static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) { + ssize_t ss; + +#if HAVE_GNUTLS + if (s->tls_session) { + ss = gnutls_record_recv(s->tls_session, buf, count); + if (ss < 0) { + switch(ss) { + + case GNUTLS_E_INTERRUPTED: + return -EINTR; + case GNUTLS_E_AGAIN: + return -EAGAIN; + default: + log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss)); + return -EIO; + } + } else if (s->on_connection) { + int r; + + r = s->on_connection(s); + s->on_connection = NULL; /* only call once */ + if (r < 0) + return r; + } + } else +#endif + ss = read(s->fd, buf, count); + + return ss; +} + +#if HAVE_GNUTLS +static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) { + int r; + + assert(p); + + r = dns_stream_writev((DnsStream*) p, (struct iovec*) iov, iovcnt, WRITE_TLS_DATA); + if (r < 0) { + errno = -r; + return -1; + } + + return r; +} +#endif + static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) { DnsStream *s = userdata; @@ -229,6 +318,40 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use assert(s); +#if HAVE_GNUTLS + if (s->tls_bye) { + assert(s->tls_session); + + r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR); + if (r != GNUTLS_E_AGAIN) { + s->tls_bye = false; + dns_stream_unref(s); + } + + return 0; + } + + if (s->tls_handshake < 0) { + assert(s->tls_session); + + s->tls_handshake = gnutls_handshake(s->tls_session); + if (s->tls_handshake >= 0) { + if (s->on_connection && !(gnutls_session_get_flags(s->tls_session) & GNUTLS_SFLAGS_FALSE_START)) { + r = s->on_connection(s); + s->on_connection = NULL; /* only call once */ + if (r < 0) + return r; + } + } else { + if (gnutls_error_is_fatal(s->tls_handshake)) + return dns_stream_complete(s, ECONNREFUSED); + else + return 0; + } + + } +#endif + /* only identify after connecting */ if (s->tfo_salen == 0) { r = dns_stream_identify(s); @@ -250,7 +373,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use IOVEC_INCREMENT(iov, 2, s->n_written); - ss = dns_stream_writev(s, iov, 2); + ss = dns_stream_writev(s, iov, 2, 0); if (ss < 0) { if (!IN_SET(errno, EINTR, EAGAIN)) return dns_stream_complete(s, errno); @@ -272,7 +395,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use if (s->n_read < sizeof(s->read_size)) { ssize_t ss; - ss = read(fd, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read); + ss = dns_stream_read(s, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read); if (ss < 0) { if (!IN_SET(errno, EINTR, EAGAIN)) return dns_stream_complete(s, errno); @@ -320,7 +443,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use } } - ss = read(fd, + ss = dns_stream_read(s, (uint8_t*) DNS_PACKET_DATA(s->read_packet) + s->n_read - sizeof(s->read_size), sizeof(s->read_size) + be16toh(s->read_size) - s->n_read); if (ss < 0) { @@ -380,6 +503,11 @@ DnsStream *dns_stream_unref(DnsStream *s) { s->manager->n_dns_streams--; } +#if HAVE_GNUTLS + if (s->tls_session) + gnutls_deinit(s->tls_session); +#endif + ORDERED_SET_FOREACH(p, s->write_queue, i) dns_packet_unref(ordered_set_remove(s->write_queue, p)); @@ -456,6 +584,21 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, co return 0; } +#if HAVE_GNUTLS +int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) { + gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s); + gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev); + + s->encrypted = true; + s->tls_session = tls_session; + s->tls_handshake = gnutls_handshake(tls_session); + if (s->tls_handshake < 0 && gnutls_error_is_fatal(s->tls_handshake)) + return -ECONNREFUSED; + + return 0; +} +#endif + int dns_stream_write_packet(DnsStream *s, DnsPacket *p) { int r; diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h index 5ba2bd1814..5542e9e2ba 100644 --- a/src/resolve/resolved-dns-stream.h +++ b/src/resolve/resolved-dns-stream.h @@ -15,6 +15,10 @@ typedef struct DnsStream DnsStream; #include "resolved-dns-transaction.h" #include "resolved-manager.h" +#if HAVE_GNUTLS +#include +#endif + /* Streams are used by three subsystems: * * 1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP @@ -41,6 +45,12 @@ struct DnsStream { union sockaddr_union tfo_address; socklen_t tfo_salen; +#if HAVE_GNUTLS + gnutls_session_t tls_session; + int tls_handshake; + bool tls_bye; +#endif + sd_event_source *io_event_source; sd_event_source *timeout_event_source; @@ -49,6 +59,7 @@ struct DnsStream { size_t n_written, n_read; OrderedSet *write_queue; + int (*on_connection)(DnsStream *s); int (*on_packet)(DnsStream *s); int (*complete)(DnsStream *s, int error); @@ -56,10 +67,16 @@ struct DnsStream { DnsServer *server; /* when used by the transaction logic */ DnsQuery *query; /* when used by the DNS stub logic */ + /* used when DNS-over-TLS is enabled */ + bool encrypted:1; + LIST_FIELDS(DnsStream, streams); }; int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address); +#if HAVE_GNUTLS +int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session); +#endif DnsStream *dns_stream_unref(DnsStream *s); DnsStream *dns_stream_ref(DnsStream *s); diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 5e4125cac5..99c7496090 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -18,6 +18,10 @@ #include "resolved-llmnr.h" #include "string-table.h" +#if HAVE_GNUTLS +#include +#endif + #define TRANSACTIONS_MAX 4096 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC) @@ -499,6 +503,20 @@ static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) { return 0; } +static int on_stream_connection(DnsStream *s) { +#if HAVE_GNUTLS + /* Store TLS Ticket for faster succesive TLS handshakes */ + if (s->tls_session && s->server) { + if (s->server->tls_session_data.data) + gnutls_free(s->server->tls_session_data.data); + + gnutls_session_get_data2(s->tls_session, &s->server->tls_session_data); + } +#endif + + return 0; +} + static int on_stream_complete(DnsStream *s, int error) { DnsTransaction *t, *n; int r = 0; @@ -559,6 +577,9 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { _cleanup_(dns_stream_unrefp) DnsStream *s = NULL; union sockaddr_union sa; int r; +#if HAVE_GNUTLS + gnutls_session_t gs; +#endif assert(t); @@ -578,10 +599,10 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { if (r < 0) return r; - if (t->server->stream) + if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted)) s = dns_stream_ref(t->server->stream); else - fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, 53, &sa); + fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53, &sa); break; @@ -630,6 +651,33 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { s->server = dns_server_ref(t->server); } +#if HAVE_GNUTLS + if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) { + r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); + if (r < 0) + return r; + + /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */ + r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL); + if (r < 0) + return r; + + r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, t->server->tls_cert_cred); + if (r < 0) + return r; + + if (t->server && t->server->tls_session_data.size > 0) + gnutls_session_set_data(gs, t->server->tls_session_data.data, t->server->tls_session_data.size); + + gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); + + r = dns_stream_connect_tls(s, gs); + if (r < 0) + return r; + } +#endif + + s->on_connection = on_stream_connection; s->complete = on_stream_complete; s->on_packet = dns_stream_on_packet; @@ -993,7 +1041,17 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { } /* Reduce this feature level by one and try again. */ - t->clamp_feature_level = t->current_feature_level - 1; + switch (t->current_feature_level) { + case DNS_SERVER_FEATURE_LEVEL_TLS_DO: + t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; + break; + case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1: + /* Skip plain TLS when TLS is not supported */ + t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1; + break; + default: + t->clamp_feature_level = t->current_feature_level - 1; + } log_debug("Server returned error %s, retrying transaction with reduced feature level %s.", dns_rcode_to_string(DNS_PACKET_RCODE(p)), @@ -1209,7 +1267,7 @@ static int dns_transaction_emit_udp(DnsTransaction *t) { if (r < 0) return r; - if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP) + if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) return -EAGAIN; /* Sorry, can't do UDP, try TCP! */ if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type)) @@ -1699,7 +1757,7 @@ int dns_transaction_go(DnsTransaction *t) { if (r == -EMSGSIZE) log_debug("Sending query via TCP since it is too large."); else if (r == -EAGAIN) - log_debug("Sending query via TCP since server doesn't support UDP."); + log_debug("Sending query via TCP since UDP isn't supported."); if (IN_SET(r, -EMSGSIZE, -EAGAIN)) r = dns_transaction_emit_tcp(t); } diff --git a/src/resolve/resolved-gperf.gperf b/src/resolve/resolved-gperf.gperf index a5865ce6c2..e076241fb6 100644 --- a/src/resolve/resolved-gperf.gperf +++ b/src/resolve/resolved-gperf.gperf @@ -23,5 +23,6 @@ Resolve.Domains, config_parse_search_domains, 0, Resolve.LLMNR, config_parse_resolve_support, 0, offsetof(Manager, llmnr_support) Resolve.MulticastDNS, config_parse_resolve_support, 0, offsetof(Manager, mdns_support) Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode) +Resolve.PrivateDNS, config_parse_private_dns_mode, 0, offsetof(Manager, private_dns_mode) Resolve.Cache, config_parse_bool, 0, offsetof(Manager, enable_cache) Resolve.DNSStubListener, config_parse_dns_stub_listener_mode, 0, offsetof(Manager, dns_stub_listener_mode) diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c index c17622a074..7532b39be5 100644 --- a/src/resolve/resolved-manager.c +++ b/src/resolve/resolved-manager.c @@ -580,6 +580,7 @@ int manager_new(Manager **ret) { m->llmnr_support = RESOLVE_SUPPORT_YES; m->mdns_support = RESOLVE_SUPPORT_YES; m->dnssec_mode = DEFAULT_DNSSEC_MODE; + m->private_dns_mode = DEFAULT_PRIVATE_DNS_MODE; m->enable_cache = true; m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP; m->read_resolv_conf = true; @@ -1384,6 +1385,15 @@ bool manager_dnssec_supported(Manager *m) { return true; } +PrivateDnsMode manager_get_private_dns_mode(Manager *m) { + assert(m); + + if (m->private_dns_mode != _PRIVATE_DNS_MODE_INVALID) + return m->private_dns_mode; + + return _PRIVATE_DNS_MODE_INVALID; +} + void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key) { assert(verdict >= 0); diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h index 372d43c1a5..4bba8b897d 100644 --- a/src/resolve/resolved-manager.h +++ b/src/resolve/resolved-manager.h @@ -35,6 +35,7 @@ struct Manager { ResolveSupport llmnr_support; ResolveSupport mdns_support; DnssecMode dnssec_mode; + PrivateDnsMode private_dns_mode; bool enable_cache; DnsStubListenerMode dns_stub_listener_mode; @@ -172,6 +173,8 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_ DnssecMode manager_get_dnssec_mode(Manager *m); bool manager_dnssec_supported(Manager *m); +PrivateDnsMode manager_get_private_dns_mode(Manager *m); + void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key); bool manager_routable(Manager *m, int family); diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in index e6b20620e2..86b37ccd72 100644 --- a/src/resolve/resolved.conf.in +++ b/src/resolve/resolved.conf.in @@ -18,5 +18,6 @@ #LLMNR=yes #MulticastDNS=yes #DNSSEC=@DEFAULT_DNSSEC_MODE@ +#PrivateDNS=@DEFAULT_PRIVATE_DNS@ #Cache=yes #DNSStubListener=udp diff --git a/src/shared/resolve-util.c b/src/shared/resolve-util.c index 37a0e4e350..c626da5ed4 100644 --- a/src/shared/resolve-util.c +++ b/src/shared/resolve-util.c @@ -11,6 +11,7 @@ DEFINE_CONFIG_PARSE_ENUM(config_parse_resolve_support, resolve_support, ResolveSupport, "Failed to parse resolve support setting"); DEFINE_CONFIG_PARSE_ENUM(config_parse_dnssec_mode, dnssec_mode, DnssecMode, "Failed to parse DNSSEC mode setting"); +DEFINE_CONFIG_PARSE_ENUM(config_parse_private_dns_mode, private_dns_mode, PrivateDnsMode, "Failed to parse private DNS mode setting"); static const char* const resolve_support_table[_RESOLVE_SUPPORT_MAX] = { [RESOLVE_SUPPORT_NO] = "no", @@ -25,3 +26,9 @@ static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = { [DNSSEC_YES] = "yes", }; DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dnssec_mode, DnssecMode, DNSSEC_YES); + +static const char* const private_dns_mode_table[_PRIVATE_DNS_MODE_MAX] = { + [PRIVATE_DNS_NO] = "no", + [PRIVATE_DNS_OPPORTUNISTIC] = "opportunistic", +}; +DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(private_dns_mode, PrivateDnsMode, PRIVATE_DNS_OPPORTUNISTIC); diff --git a/src/shared/resolve-util.h b/src/shared/resolve-util.h index 069e32963e..784bb2d6bd 100644 --- a/src/shared/resolve-util.h +++ b/src/shared/resolve-util.h @@ -12,6 +12,7 @@ typedef enum ResolveSupport ResolveSupport; typedef enum DnssecMode DnssecMode; +typedef enum PrivateDnsMode PrivateDnsMode; enum ResolveSupport { RESOLVE_SUPPORT_NO, @@ -39,11 +40,27 @@ enum DnssecMode { _DNSSEC_MODE_INVALID = -1 }; +enum PrivateDnsMode { + /* No connection is made for DNS-over-TLS */ + PRIVATE_DNS_NO, + + /* Try to connect using DNS-over-TLS, but if connection fails, + * fallback to using an unencrypted connection */ + PRIVATE_DNS_OPPORTUNISTIC, + + _PRIVATE_DNS_MODE_MAX, + _PRIVATE_DNS_MODE_INVALID = -1 +}; + CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support); CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode); +CONFIG_PARSER_PROTOTYPE(config_parse_private_dns_mode); const char* resolve_support_to_string(ResolveSupport p) _const_; ResolveSupport resolve_support_from_string(const char *s) _pure_; const char* dnssec_mode_to_string(DnssecMode p) _const_; DnssecMode dnssec_mode_from_string(const char *s) _pure_; + +const char* private_dns_mode_to_string(PrivateDnsMode p) _const_; +PrivateDnsMode private_dns_mode_from_string(const char *s) _pure_;