resolved-dns-scope.c revision b43d96b0764e63088429f746cd9e515f55286460
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen This file is part of systemd.
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen Copyright 2014 Lennart Poettering
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen systemd is free software; you can redistribute it and/or modify it
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen under the terms of the GNU Lesser General Public License as published by
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen the Free Software Foundation; either version 2.1 of the License, or
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen (at your option) any later version.
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen systemd is distributed in the hope that it will be useful, but
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen WITHOUT ANY WARRANTY; without even the implied warranty of
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen Lesser General Public License for more details.
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen You should have received a copy of the GNU Lesser General Public License
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen along with systemd; If not, see <http://www.gnu.org/licenses/>.
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen#define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
16b9b87aeee9353b5b8dae6089a69752422a5b09Tom Gundersen/* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
3aeb37bc4f32b5edc334f2ac7c5d3c7b0a121328Tom Gundersen#define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
c6f7c917a1b494d4455800823472227463f87438Tom Gundersen#define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersenint dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
2ad8416dd057e7e3185169609ca3006e7649f576Zbigniew Jędrzejewski-Szmek s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
2ad8416dd057e7e3185169609ca3006e7649f576Zbigniew Jędrzejewski-Szmek LIST_PREPEND(scopes, m->dns_scopes, s);
2ad8416dd057e7e3185169609ca3006e7649f576Zbigniew Jędrzejewski-Szmek dns_scope_llmnr_membership(s, true);
2ad8416dd057e7e3185169609ca3006e7649f576Zbigniew Jędrzejewski-Szmek dns_scope_mdns_membership(s, true);
2ad8416dd057e7e3185169609ca3006e7649f576Zbigniew Jędrzejewski-Szmek log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
5b9d4dc05560ddda89e48b6b39365824b15e1300Tom Gundersen /* Enforce ratelimiting for the multicast protocols */
5b9d4dc05560ddda89e48b6b39365824b15e1300Tom Gundersen RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersenstatic void dns_scope_abort_transactions(DnsScope *s) {
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen /* Abort the transaction, but make sure it is not
977085794d2996320e345433403de75f662b0622Tom Gundersen * freed while we still look at it */
f61942250a43a123580d7bbe5d7873dc5118ed97Tom Gundersen dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
d2df0d0ed3a88e491405b403e6022e6619750130Tom Gundersen dns_query_candidate_free(s->query_candidates);
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen sd_event_source_unref(s->conflict_event_source);
43b3a5ef61859f06cdbaf26765cab8e1adac4296Tom Gundersen LIST_REMOVE(scopes, s->manager->dns_scopes, s);
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom GundersenDnsServer *dns_scope_get_dns_server(DnsScope *s) {
187dc6e554f2d5b4b5a3bee72c73ff5df6418aa6Thomas Hindoe Paaboel Andersen return manager_get_dns_server(s->manager);
ed88bcfb7c15029f9fc95ee2380759a9eb782d46Zbigniew Jędrzejewski-Szmek manager_next_dns_server(s->manager);
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersenvoid dns_scope_packet_received(DnsScope *s, usec_t rtt) {
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
e9f3d2d508bfd9fb5b54e82994bda365a71eb864Zbigniew Jędrzejewski-Szmekvoid dns_scope_packet_lost(DnsScope *s, usec_t usec) {
36f822c4bd077f9121757e24b6516e5c7ada63b5Zbigniew Jędrzejewski-Szmek s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersenint dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
a2a5291b3f5ab6ed4c92f51d0fd10a03047380d8Zbigniew Jędrzejewski-Szmek assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0));
f61942250a43a123580d7bbe5d7873dc5118ed97Tom Gundersen if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
edf029b7fd9a5853a87d3ca99aac2922bb8a277eTom Gundersen edns_do = server->possible_features >= DNS_SERVER_FEATURE_LEVEL_DO;
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_LARGE)
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen packet_size = DNS_PACKET_UNICAST_SIZE_LARGE_MAX;
f61942250a43a123580d7bbe5d7873dc5118ed97Tom Gundersen packet_size = server->received_udp_packet_max;
3f85ef0f05ffc51e19f86fb83a1c51e8e3cd6817Harald Hoyer r = dns_packet_append_opt_rr(p, packet_size, edns_do, &saved_size);
2ad8416dd057e7e3185169609ca3006e7649f576Zbigniew Jędrzejewski-Szmek DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) + 1);
2ad8416dd057e7e3185169609ca3006e7649f576Zbigniew Jędrzejewski-Szmek DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) - 1);
7eb08da4b388b920c8a894b1500c9cc7dc1f31efTom Gundersen r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p);
3c9b886068d99e5d3cbabcac32a4decf37244c54Tom Gundersen r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p);
04b67d49254d956d31bcfe80340fb9df7ed332d3Tom Gundersenstatic int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
3c9b886068d99e5d3cbabcac32a4decf37244c54Tom Gundersen srv->possible_features = dns_server_possible_features(srv);
3c9b886068d99e5d3cbabcac32a4decf37244c54Tom Gundersen if (type == SOCK_DGRAM && srv->possible_features < DNS_SERVER_FEATURE_LEVEL_UDP)
9bf3b53533cdc9b95c921b71da755401f223f765Lennart Poettering sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
16b9b87aeee9353b5b8dae6089a69752422a5b09Tom Gundersen sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
16b9b87aeee9353b5b8dae6089a69752422a5b09Tom Gundersen fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
3e137a1b9a0eac2bf43d493d3302c3c959b6ccdbTom Gundersen r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
755bde375f4db393ad06e73340bfcf4d0cf91bb2Lennart Poettering /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
43b3a5ef61859f06cdbaf26765cab8e1adac4296Tom Gundersen r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersenint dns_scope_udp_dns_socket(DnsScope *s, DnsServer **server) {
daeb71a36a98834664e4d95773a3629b746f4db8Tom Gundersen return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, 53, server);
daeb71a36a98834664e4d95773a3629b746f4db8Tom Gundersenint dns_scope_tcp_socket(DnsScope *s, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen return dns_scope_socket(s, SOCK_STREAM, family, address, port, server);
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom GundersenDnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
daeb71a36a98834664e4d95773a3629b746f4db8Tom Gundersen /* Checks if the specified domain is something to look up on
daeb71a36a98834664e4d95773a3629b746f4db8Tom Gundersen * this scope. Note that this accepts non-qualified hostnames,
daeb71a36a98834664e4d95773a3629b746f4db8Tom Gundersen * i.e. those without any search path prefixed yet. */
3c9b886068d99e5d3cbabcac32a4decf37244c54Tom Gundersen if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
04b67d49254d956d31bcfe80340fb9df7ed332d3Tom Gundersen if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen /* Never resolve any loopback hostname or IP address via DNS,
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen * LLMNR or mDNS. Instead, always rely on synthesized RRs for
a669ea9860900d5cdebbc4cb9aaea72db7e28a02Tom Gundersen dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
a669ea9860900d5cdebbc4cb9aaea72db7e28a02Tom Gundersen dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen /* Never respond to some of the domains listed in RFC6303 */
16b9b87aeee9353b5b8dae6089a69752422a5b09Tom Gundersen if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
a669ea9860900d5cdebbc4cb9aaea72db7e28a02Tom Gundersen /* Always honour search domains for routing queries. Note that
a669ea9860900d5cdebbc4cb9aaea72db7e28a02Tom Gundersen * we return DNS_SCOPE_YES here, rather than just
a669ea9860900d5cdebbc4cb9aaea72db7e28a02Tom Gundersen * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
16b9b87aeee9353b5b8dae6089a69752422a5b09Tom Gundersen * considered anymore. */
5fde13d748749f0e06e2e6cdd15f0980a79ea82cTom Gundersen LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
464cf22f17e0cf2d8bfa6d72b5e7a662d634f149Tom Gundersen /* Exclude link-local IP ranges */
f647962d64e844689f3e2acfce6102fc47e76df2Michal Schmidt if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
f647962d64e844689f3e2acfce6102fc47e76df2Michal Schmidt dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
43b3a5ef61859f06cdbaf26765cab8e1adac4296Tom Gundersen dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
d95b83b87d7d7c50e550f7128827f73a321c8934Tom Gundersen dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
d95b83b87d7d7c50e550f7128827f73a321c8934Tom Gundersen dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 &&
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen /* If networks use .local in their private setups, they are supposed to also add .local to their search
af6f0d422c521374ee6a2dd92df5935a5a476ae5Tom Gundersen * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
be32eb9b7fbcb22e4b648086d644135e38279633Tom Gundersen * send such queries ordinary DNS servers. */
847a8a5fed4d265dfa659917515c6f9bd1b8d5c4Tom Gundersen if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
847a8a5fed4d265dfa659917515c6f9bd1b8d5c4Tom Gundersen (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
847a8a5fed4d265dfa659917515c6f9bd1b8d5c4Tom Gundersen (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
aedca89268ed4fd6be41e55a605f011033ad1fb5Tom Gundersen dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
847a8a5fed4d265dfa659917515c6f9bd1b8d5c4Tom Gundersen manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
847a8a5fed4d265dfa659917515c6f9bd1b8d5c4Tom Gundersen if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
2c5859afecee81e345fc9526b1083bf79990ffb8Daniel Mack (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
be32eb9b7fbcb22e4b648086d644135e38279633Tom Gundersen (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
be32eb9b7fbcb22e4b648086d644135e38279633Tom Gundersen !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
be32eb9b7fbcb22e4b648086d644135e38279633Tom Gundersen manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
be32eb9b7fbcb22e4b648086d644135e38279633Tom Gundersenint dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
be32eb9b7fbcb22e4b648086d644135e38279633Tom Gundersen /* Check if it makes sense to resolve the specified key on
be32eb9b7fbcb22e4b648086d644135e38279633Tom Gundersen * this scope. Note that this call assumes as fully qualified
464cf22f17e0cf2d8bfa6d72b5e7a662d634f149Tom Gundersen * name, i.e. the search suffixes already appended. */
static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {
int fd;
assert(s);
if (fd < 0)
return fd;
if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
return -errno;
if (fd < 0)
return fd;
if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
return -errno;
return -EAFNOSUPPORT;
return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS);
return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS);
static int dns_scope_make_reply_packet(
DnsScope *s,
int rcode,
DnsQuestion *q,
bool tentative,
assert(s);
if ((!q || q->n_keys <= 0)
return -EINVAL;
rcode));
for (i = 0; i < q->n_keys; i++) {
if (answer) {
if (soa) {
*ret = p;
p = NULL;
assert(s);
assert(p);
if (p->question)
if (p->answer)
bool tentative = false;
int r, fd;
assert(s);
assert(p);
if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
r = dns_packet_extract(p);
if (DNS_PACKET_LLMNR_C(p)) {
dns_scope_verify_conflicts(s, p);
if (answer)
r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
if (stream)
if (fd < 0) {
DnsTransaction *t;
return NULL;
if (!cache_ok &&
return NULL;
static int dns_scope_make_conflict_packet(
DnsScope *s,
assert(s);
*ret = p;
p = NULL;
if (!rr)
log_oom();
if (r == -EEXIST || r == 0)
assert(p);
if (DNS_PACKET_RRCOUNT(p) <= 0)
if (DNS_PACKET_LLMNR_C(p) != 0)
if (DNS_PACKET_LLMNR_T(p) != 0)
r = dns_packet_extract(p);
assert(s);
f = stdout;
if (s->link) {
assert(s);
return NULL;
if (s->link)
assert(s);