74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering This file is part of systemd.
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering Copyright 2014 Lennart Poettering
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering systemd is free software; you can redistribute it and/or modify it
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering under the terms of the GNU Lesser General Public License as published by
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering the Free Software Foundation; either version 2.1 of the License, or
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering (at your option) any later version.
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering systemd is distributed in the hope that it will be useful, but
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering WITHOUT ANY WARRANTY; without even the implied warranty of
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering Lesser General Public License for more details.
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering You should have received a copy of the GNU Lesser General Public License
74b2466e14a1961bf3ac0e8a60cfaceec705bd59Lennart Poettering along with systemd; If not, see <http://www.gnu.org/licenses/>.
9df3ba6c6cb65eecec06f39dfe85a3596cedac4eTom Gundersen/* After how much time to repeat classic DNS requests */
9df3ba6c6cb65eecec06f39dfe85a3596cedac4eTom Gundersen#define DNS_TIMEOUT_MIN_USEC (500 * USEC_PER_MSEC)
9df3ba6c6cb65eecec06f39dfe85a3596cedac4eTom Gundersen#define DNS_TIMEOUT_MAX_USEC (5 * USEC_PER_SEC)
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen/* The amount of time to wait before retrying with a full feature set */
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen#define DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC (6 * USEC_PER_HOUR)
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen#define DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC (5 * USEC_PER_MINUTE)
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen/* The number of times we will attempt a certain feature set before degrading */
4e945a6f7971fd7d1f6b2c62ee3afdaff3c95ce4Lennart Poettering assert((type == DNS_SERVER_LINK) == !!l);
eed857b71702f8551b46b66b31fa0d08583cf23cLennart Poettering if (l->n_dns_servers >= LINK_DNS_SERVERS_MAX)
eed857b71702f8551b46b66b31fa0d08583cf23cLennart Poettering if (m->n_dns_servers >= MANAGER_DNS_SERVERS_MAX)
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart Poettering s->verified_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart Poettering s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_BEST;
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen s->features_grace_period_usec = DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC;
d74fb368b18f0fbd9a4fe6f15691bbea7f3c4a01Tom Gundersen s->received_udp_packet_max = DNS_PACKET_UNICAST_SIZE_MAX;
eed857b71702f8551b46b66b31fa0d08583cf23cLennart Poettering LIST_APPEND(servers, m->fallback_dns_servers, s);
4e945a6f7971fd7d1f6b2c62ee3afdaff3c95ce4Lennart Poettering assert_not_reached("Unknown server type");
4e945a6f7971fd7d1f6b2c62ee3afdaff3c95ce4Lennart Poettering /* A new DNS server that isn't fallback is added and the one
4e945a6f7971fd7d1f6b2c62ee3afdaff3c95ce4Lennart Poettering * we used so far was a fallback one? Then let's try to pick
4e945a6f7971fd7d1f6b2c62ee3afdaff3c95ce4Lennart Poettering * the new one */
3e684349c2cead2e6fd2f816c34eb17daba23a49Lennart Poettering m->current_dns_server->type == DNS_SERVER_FALLBACK)
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart PoetteringDnsServer* dns_server_unref(DnsServer *s) {
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering /* This removes the specified server from the linked list of
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering * servers, but any server might still stay around if it has
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering * refs, for example from an ongoing transaction. */
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering LIST_REMOVE(servers, s->link->dns_servers, s);
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering LIST_REMOVE(servers, s->manager->dns_servers, s);
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering LIST_REMOVE(servers, s->manager->fallback_dns_servers, s);
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering if (s->link && s->link->current_dns_server == s)
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering manager_set_dns_server(s->manager, NULL);
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poetteringvoid dns_server_move_back_and_unmark(DnsServer *s) {
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering /* Move us to the end of the list, so that the order is
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering * strictly kept, if we are not at the end anyway. */
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering LIST_REMOVE(servers, s->link->dns_servers, s);
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering LIST_INSERT_AFTER(servers, s->link->dns_servers, tail, s);
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering LIST_REMOVE(servers, s->manager->dns_servers, s);
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering LIST_INSERT_AFTER(servers, s->manager->dns_servers, tail, s);
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering LIST_REMOVE(servers, s->manager->fallback_dns_servers, s);
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering LIST_INSERT_AFTER(servers, s->manager->fallback_dns_servers, tail, s);
0b58db658b5c3f586ac3a837427f1f7fec2abb2eLennart Poettering assert_not_reached("Unknown server type");
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poetteringstatic void dns_server_verified(DnsServer *s, DnsServerFeatureLevel level) {
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering if (s->verified_feature_level != level) {
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_debug("Verified we get a response at feature level %s from DNS server %s.",
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering dns_server_feature_level_to_string(level),
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering assert_se(sd_event_now(s->manager->event, clock_boottime_or_monotonic(), &s->verified_usec) >= 0);
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poetteringvoid dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t rtt, size_t size) {
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering /* If the RRSIG data is missing, then we can only validate EDNS0 at max */
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO)
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering /* If the OPT RR got lost, then we can only validate UDP at max */
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1;
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering /* Even if we successfully receive a reply to a request announcing support for large packets,
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering that does not mean we can necessarily receive large packets. */
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering if (level == DNS_SERVER_FEATURE_LEVEL_LARGE)
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1;
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering /* Successful TCP connections are only useful to verify the TCP feature level. */
d74fb368b18f0fbd9a4fe6f15691bbea7f3c4a01Tom Gundersen /* Remember the size of the largest UDP packet we received from a server,
d74fb368b18f0fbd9a4fe6f15691bbea7f3c4a01Tom Gundersen we know that we can always announce support for packets with at least
d74fb368b18f0fbd9a4fe6f15691bbea7f3c4a01Tom Gundersen this size. */
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering if (protocol == IPPROTO_UDP && s->received_udp_packet_max < size)
efd46a696d31097c38f653b36921e00c4df62319Lennart Poettering s->resend_timeout = CLAMP(s->max_rtt * 2, DNS_TIMEOUT_MIN_USEC, DNS_TIMEOUT_MAX_USEC);
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poetteringvoid dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t usec) {
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering if (s->possible_feature_level == level) {
84129d46cd6e95e142973da93aede4c7433c9600Lennart Poettering s->resend_timeout = MIN(s->resend_timeout * 2, DNS_TIMEOUT_MAX_USEC);
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart Poetteringvoid dns_server_packet_failed(DnsServer *s, DnsServerFeatureLevel level) {
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering /* Invoked whenever we get a FORMERR, SERVFAIL or NOTIMP rcode from a server. */
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poetteringvoid dns_server_packet_truncated(DnsServer *s, DnsServerFeatureLevel level) {
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering /* Invoked whenever we get a packet with TC bit set. */
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poetteringvoid dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level) {
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO)
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_DO-1;
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poetteringvoid dns_server_packet_bad_opt(DnsServer *s, DnsServerFeatureLevel level) {
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering if (level < DNS_SERVER_FEATURE_LEVEL_EDNS0)
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering /* If the OPT RR got lost, we have to downgrade what we previously verified */
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
b64513580ce627578351b76a502455e7bc62cae4Lennart Poettering s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0-1;
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersenstatic bool dns_server_grace_period_expired(DnsServer *s) {
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen return false;
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen assert_se(sd_event_now(s->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen if (s->verified_usec + s->features_grace_period_usec > ts)
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen return false;
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersen s->features_grace_period_usec = MIN(s->features_grace_period_usec * 2, DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC);
011842775f750711833526d5bba1b818713947f5Lennart Poetteringstatic void dns_server_reset_counters(DnsServer *s) {
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
cc450722a02ab9c59bca1d9a5b5012f356336a8cLennart Poettering * incomplete. */
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart PoetteringDnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart Poettering if (s->possible_feature_level != DNS_SERVER_FEATURE_LEVEL_BEST &&
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart Poettering s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_BEST;
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_info("Grace period over, resuming full feature set (%s) for DNS server %s.",
6cb08a8930bdaca950b152b1e8b82466ed59511cLennart Poettering dns_server_feature_level_to_string(s->possible_feature_level),
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart Poettering } else if (s->possible_feature_level <= s->verified_feature_level)
f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6Lennart Poettering s->possible_feature_level = s->verified_feature_level;
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering DnsServerFeatureLevel p = s->possible_feature_level;
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level == DNS_SERVER_FEATURE_LEVEL_TCP) {
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering /* We are at the TCP (lowest) level, and we tried a couple of TCP connections, and it didn't
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering * work. Upgrade back to UDP again. */
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering } else if (s->packet_bad_opt &&
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering /* A reply to one of our EDNS0 queries didn't carry a valid OPT RR, then downgrade to below
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * EDNS0 levels. After all, some records generate different responses with and without OPT RR
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * in the request. Example:
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_debug("Server doesn't support EDNS(0) properly, downgrading feature level...");
6a1a5eec43892dee3ff6e208bceb1931c25c782eLennart Poettering s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO) {
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering /* RRSIG data was missing on a EDNS0 packet with DO bit set. This means the server doesn't
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * augment responses with DNSSEC RRs. If so, let's better not ask the server for it anymore,
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * after all some servers generate different replies depending if an OPT RR is in the query or
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0;
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering } else if (s->n_failed_udp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_UDP) {
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering /* We lost too many UDP packets in a row, and are on a feature level of UDP or higher. If the
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * packets are lost, maybe the server cannot parse them, hence downgrading sounds like a good
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * idea. We might downgrade all the way down to TCP this way. */
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_debug("Lost too many UDP packets, downgrading feature level...");
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering } else if (s->packet_failed &&
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering /* We got a failure packet, and are at a feature level above UDP. Note that in this case we
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * downgrade no further than UDP, under the assumption that a failure packet indicates an
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * incompatible packet contents, but not a problem with the transport. */
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_debug("Got server failure, downgrading feature level...");
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering } else if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering /* We got too many TCP connection failures in a row, we had at least one truncated packet, and
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * are on a feature level above UDP. By downgrading things and getting rid of DNSSEC or EDNS0
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * data we hope to make the packet smaller, so that it still works via UDP given that TCP
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * appears not to be a fallback. Note that if we are already at the lowest UDP level, we don't
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering * go further down, since that's TCP, and TCP failed too often after all. */
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_debug("Got too many failed TCP connection failures and truncated UDP packets, downgrading feature level...");
6bb2c08597c999c429e889cd2403b2fef5f3e1a0Lennart Poettering /* We changed the feature level, reset the counting */
de54e62b4bd7856fb897c9a2ee93cc228adb2135Lennart Poettering log_warning("Using degraded feature set (%s) for DNS server %s.",
6cb08a8930bdaca950b152b1e8b82466ed59511cLennart Poettering dns_server_feature_level_to_string(s->possible_feature_level),
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poetteringint dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeatureLevel level) {
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering assert(packet->protocol == DNS_PROTOCOL_DNS);
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering /* Fix the OPT field in the packet to match our current feature level. */
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering if (level < DNS_SERVER_FEATURE_LEVEL_EDNS0)
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering edns_do = level >= DNS_SERVER_FEATURE_LEVEL_DO;
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering if (level >= DNS_SERVER_FEATURE_LEVEL_LARGE)
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering packet_size = DNS_PACKET_UNICAST_SIZE_LARGE_MAX;
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering packet_size = server->received_udp_packet_max;
519ef04651b07a547f010d6462603669d7fde4e5Lennart Poettering return dns_packet_append_opt(packet, packet_size, edns_do, NULL);
6cb08a8930bdaca950b152b1e8b82466ed59511cLennart Poetteringconst char *dns_server_string(DnsServer *server) {
6cb08a8930bdaca950b152b1e8b82466ed59511cLennart Poettering (void) in_addr_to_string(server->family, &server->address, &server->server_string);
92ec902aad1ade7acbe50efd7b8ef87fbdc63af3Lennart Poetteringbool dns_server_dnssec_supported(DnsServer *server) {
92ec902aad1ade7acbe50efd7b8ef87fbdc63af3Lennart Poettering /* Returns whether the server supports DNSSEC according to what we know about it */
92ec902aad1ade7acbe50efd7b8ef87fbdc63af3Lennart Poettering if (server->possible_feature_level < DNS_SERVER_FEATURE_LEVEL_DO)
92ec902aad1ade7acbe50efd7b8ef87fbdc63af3Lennart Poettering /* DNSSEC servers need to support TCP properly (see RFC5966), if they don't, we assume DNSSEC is borked too */
92ec902aad1ade7acbe50efd7b8ef87fbdc63af3Lennart Poettering if (server->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS)
1e02e182f1e06fcbe389474175de228103be39cbLennart Poetteringvoid dns_server_warn_downgrade(DnsServer *server) {
1e02e182f1e06fcbe389474175de228103be39cbLennart Poettering LOG_MESSAGE_ID(SD_MESSAGE_DNSSEC_DOWNGRADE),
1e02e182f1e06fcbe389474175de228103be39cbLennart Poettering LOG_MESSAGE("Server %s does not support DNSSEC, downgrading to non-DNSSEC mode.", dns_server_string(server)),
1e02e182f1e06fcbe389474175de228103be39cbLennart Poettering "DNS_SERVER=%s", dns_server_string(server),
1e02e182f1e06fcbe389474175de228103be39cbLennart Poettering "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(server->possible_feature_level),
b826ab586c9e0a9c0d438a75c28cf3a8ab485929Tom Gundersenstatic void dns_server_hash_func(const void *p, struct siphash *state) {
b826ab586c9e0a9c0d438a75c28cf3a8ab485929Tom Gundersen siphash24_compress(&s->family, sizeof(s->family), state);
b826ab586c9e0a9c0d438a75c28cf3a8ab485929Tom Gundersen siphash24_compress(&s->address, FAMILY_ADDRESS_SIZE(s->family), state);
d5099efc47d4e6ac60816b5381a5f607ab03f06eMichal Schmidtstatic int dns_server_compare_func(const void *a, const void *b) {
87f5a19343acf8ba697acc5a62bdb1a2b8c9eda3Lennart Poettering const DnsServer *x = a, *y = b;
87f5a19343acf8ba697acc5a62bdb1a2b8c9eda3Lennart Poettering return memcmp(&x->address, &y->address, FAMILY_ADDRESS_SIZE(x->family));
4b95f1798f22c1bb75295f448188560cb6ec9eceLennart Poetteringvoid dns_server_unlink_all(DnsServer *first) {
4b95f1798f22c1bb75295f448188560cb6ec9eceLennart Poetteringvoid dns_server_unlink_marked(DnsServer *first) {
4b95f1798f22c1bb75295f448188560cb6ec9eceLennart Poetteringvoid dns_server_mark_all(DnsServer *first) {
4b95f1798f22c1bb75295f448188560cb6ec9eceLennart Poettering dns_server_mark_all(first->servers_next);
4b95f1798f22c1bb75295f448188560cb6ec9eceLennart PoetteringDnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr) {
4b95f1798f22c1bb75295f448188560cb6ec9eceLennart Poettering if (s->family == family && in_addr_equal(family, &s->address, in_addr) > 0)
4b95f1798f22c1bb75295f448188560cb6ec9eceLennart PoetteringDnsServer *manager_get_first_dns_server(Manager *m, DnsServerType t) {
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart PoetteringDnsServer *manager_set_dns_server(Manager *m, DnsServer *s) {
e3309036cda30bdb737ef6e441716b93943677e7Zbigniew Jędrzejewski-Szmek log_info("Switching to %s DNS server %s.",
e3309036cda30bdb737ef6e441716b93943677e7Zbigniew Jędrzejewski-Szmek dns_server_type_to_string(s->type),
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering m->current_dns_server = dns_server_ref(s);
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering dns_cache_flush(&m->unicast_scope->cache);
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart PoetteringDnsServer *manager_get_dns_server(Manager *m) {
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering /* Try to read updates resolv.conf */
e3309036cda30bdb737ef6e441716b93943677e7Zbigniew Jędrzejewski-Szmek /* If no DNS server was chosen so far, pick the first one */
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering manager_set_dns_server(m, m->dns_servers);
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering /* No DNS servers configured, let's see if there are
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering * any on any links. If not, we use the fallback
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering manager_set_dns_server(m, m->fallback_dns_servers);
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poetteringvoid manager_next_dns_server(Manager *m) {
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering /* If there's currently no DNS server set, then the next
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering * manager_get_dns_server() will find one */
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering /* Change to the next one, but make sure to follow the linked
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering * list only if the server is still linked. */
0eac462399c8e87bcce252cf058eba9f2678f2bdLennart Poettering if (m->current_dns_server->linked && m->current_dns_server->servers_next) {
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering manager_set_dns_server(m, m->current_dns_server->servers_next);
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering /* If there was no next one, then start from the beginning of
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering if (m->current_dns_server->type == DNS_SERVER_FALLBACK)
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering manager_set_dns_server(m, m->fallback_dns_servers);
f2f1dbe50fea13abadc9c1e845a29031b90b40f3Lennart Poettering manager_set_dns_server(m, m->dns_servers);
e3309036cda30bdb737ef6e441716b93943677e7Zbigniew Jędrzejewski-Szmekstatic const char* const dns_server_type_table[_DNS_SERVER_TYPE_MAX] = {
e3309036cda30bdb737ef6e441716b93943677e7Zbigniew Jędrzejewski-Szmek [DNS_SERVER_FALLBACK] = "fallback",
e3309036cda30bdb737ef6e441716b93943677e7Zbigniew Jędrzejewski-SzmekDEFINE_STRING_TABLE_LOOKUP(dns_server_type, DnsServerType);
be808ea083fa07271116b4519c3c27fd20c5f077Tom Gundersenstatic const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVEL_MAX] = {
9c5e12a4314e7192e834e1b855e5e80111e636a6Tom Gundersen [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0",
7586f4d172dd9c3ccc3126fc47dca9e49adec132Tom Gundersen [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO",
d74fb368b18f0fbd9a4fe6f15691bbea7f3c4a01Tom Gundersen [DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE",