1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "alloc-util.h"
4 #include "dns-domain.h"
6 #include "hostname-util.h"
7 #include "local-addresses.h"
8 #include "resolved-dns-query.h"
9 #include "resolved-dns-synthesize.h"
10 #include "resolved-etc-hosts.h"
11 #include "string-util.h"
13 #define QUERIES_MAX 2048
14 #define AUXILIARY_QUERIES_MAX 64
16 static int dns_query_candidate_new(DnsQueryCandidate
**ret
, DnsQuery
*q
, DnsScope
*s
) {
23 c
= new(DnsQueryCandidate
, 1);
27 *c
= (DnsQueryCandidate
) {
33 LIST_PREPEND(candidates_by_query
, q
->candidates
, c
);
34 LIST_PREPEND(candidates_by_scope
, s
->query_candidates
, c
);
40 static void dns_query_candidate_stop(DnsQueryCandidate
*c
) {
45 while ((t
= set_steal_first(c
->transactions
))) {
46 set_remove(t
->notify_query_candidates
, c
);
47 set_remove(t
->notify_query_candidates_done
, c
);
48 dns_transaction_gc(t
);
52 static DnsQueryCandidate
* dns_query_candidate_free(DnsQueryCandidate
*c
) {
56 dns_query_candidate_stop(c
);
58 set_free(c
->transactions
);
59 dns_search_domain_unref(c
->search_domain
);
62 LIST_REMOVE(candidates_by_query
, c
->query
->candidates
, c
);
65 LIST_REMOVE(candidates_by_scope
, c
->scope
->query_candidates
, c
);
70 DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate
, dns_query_candidate
, dns_query_candidate_free
);
72 static int dns_query_candidate_next_search_domain(DnsQueryCandidate
*c
) {
73 DnsSearchDomain
*next
;
77 if (c
->search_domain
&& c
->search_domain
->linked
)
78 next
= c
->search_domain
->domains_next
;
80 next
= dns_scope_get_search_domains(c
->scope
);
83 if (!next
) /* We hit the end of the list */
86 if (!next
->route_only
)
89 /* Skip over route-only domains */
90 next
= next
->domains_next
;
93 dns_search_domain_unref(c
->search_domain
);
94 c
->search_domain
= dns_search_domain_ref(next
);
99 static int dns_query_candidate_add_transaction(
100 DnsQueryCandidate
*c
,
104 _cleanup_(dns_transaction_gcp
) DnsTransaction
*t
= NULL
;
110 /* Regular lookup with a resource key */
113 t
= dns_scope_find_transaction(c
->scope
, key
, c
->query
->flags
);
115 r
= dns_transaction_new(&t
, c
->scope
, key
, NULL
, c
->query
->flags
);
118 } else if (set_contains(c
->transactions
, t
))
121 /* "Bypass" lookup with a query packet */
124 r
= dns_transaction_new(&t
, c
->scope
, NULL
, bypass
, c
->query
->flags
);
129 r
= set_ensure_allocated(&t
->notify_query_candidates_done
, NULL
);
133 r
= set_ensure_put(&t
->notify_query_candidates
, NULL
, c
);
137 r
= set_ensure_put(&c
->transactions
, NULL
, t
);
139 (void) set_remove(t
->notify_query_candidates
, c
);
147 static int dns_query_candidate_go(DnsQueryCandidate
*c
) {
148 _cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*keep_c
= NULL
;
155 /* Let's keep a reference to the query while we're operating */
156 keep_c
= dns_query_candidate_ref(c
);
158 /* Start the transactions that are not started yet */
159 SET_FOREACH(t
, c
->transactions
) {
160 if (t
->state
!= DNS_TRANSACTION_NULL
)
163 r
= dns_transaction_go(t
);
170 /* If there was nothing to start, then let's proceed immediately */
172 dns_query_candidate_notify(c
);
177 static DnsTransactionState
dns_query_candidate_state(DnsQueryCandidate
*c
) {
178 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
183 if (c
->error_code
!= 0)
184 return DNS_TRANSACTION_ERRNO
;
186 SET_FOREACH(t
, c
->transactions
) {
190 case DNS_TRANSACTION_NULL
:
191 /* If there's a NULL transaction pending, then
192 * this means not all transactions where
193 * started yet, and we were called from within
194 * the stackframe that is supposed to start
195 * remaining transactions. In this case,
196 * simply claim the candidate is pending. */
198 case DNS_TRANSACTION_PENDING
:
199 case DNS_TRANSACTION_VALIDATING
:
200 /* If there's one transaction currently in
201 * VALIDATING state, then this means there's
202 * also one in PENDING state, hence we can
203 * return PENDING immediately. */
204 return DNS_TRANSACTION_PENDING
;
206 case DNS_TRANSACTION_SUCCESS
:
211 if (state
!= DNS_TRANSACTION_SUCCESS
)
221 static int dns_query_candidate_setup_transactions(DnsQueryCandidate
*c
) {
222 DnsQuestion
*question
;
228 dns_query_candidate_stop(c
);
230 if (c
->query
->question_bypass
) {
231 /* If this is a bypass query, then pass the original query packet along to the transaction */
233 assert(dns_question_size(c
->query
->question_bypass
->question
) == 1);
235 if (!dns_scope_good_key(c
->scope
, c
->query
->question_bypass
->question
->keys
[0]))
238 r
= dns_query_candidate_add_transaction(c
, NULL
, c
->query
->question_bypass
);
245 question
= dns_query_question_for_protocol(c
->query
, c
->scope
->protocol
);
247 /* Create one transaction per question key */
248 DNS_QUESTION_FOREACH(key
, question
) {
249 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*new_key
= NULL
;
250 DnsResourceKey
*qkey
;
252 if (c
->search_domain
) {
253 r
= dns_resource_key_new_append_suffix(&new_key
, key
, c
->search_domain
->name
);
261 if (!dns_scope_good_key(c
->scope
, qkey
))
264 r
= dns_query_candidate_add_transaction(c
, qkey
, NULL
);
274 dns_query_candidate_stop(c
);
278 void dns_query_candidate_notify(DnsQueryCandidate
*c
) {
279 DnsTransactionState state
;
284 state
= dns_query_candidate_state(c
);
286 if (DNS_TRANSACTION_IS_LIVE(state
))
289 if (state
!= DNS_TRANSACTION_SUCCESS
&& c
->search_domain
) {
291 r
= dns_query_candidate_next_search_domain(c
);
296 /* OK, there's another search domain to try, let's do so. */
298 r
= dns_query_candidate_setup_transactions(c
);
303 /* New transactions where queued. Start them and wait */
305 r
= dns_query_candidate_go(c
);
315 dns_query_ready(c
->query
);
319 c
->error_code
= log_warning_errno(r
, "Failed to follow search domains: %m");
320 dns_query_ready(c
->query
);
323 static void dns_query_stop(DnsQuery
*q
) {
324 DnsQueryCandidate
*c
;
328 q
->timeout_event_source
= sd_event_source_disable_unref(q
->timeout_event_source
);
330 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
)
331 dns_query_candidate_stop(c
);
334 static void dns_query_unref_candidates(DnsQuery
*q
) {
337 while (q
->candidates
)
338 dns_query_candidate_unref(q
->candidates
);
341 static void dns_query_reset_answer(DnsQuery
*q
) {
344 q
->answer
= dns_answer_unref(q
->answer
);
346 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
348 q
->answer_query_flags
= 0;
349 q
->answer_protocol
= _DNS_PROTOCOL_INVALID
;
350 q
->answer_family
= AF_UNSPEC
;
351 q
->answer_search_domain
= dns_search_domain_unref(q
->answer_search_domain
);
352 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
355 DnsQuery
*dns_query_free(DnsQuery
*q
) {
359 while (q
->auxiliary_queries
)
360 dns_query_free(q
->auxiliary_queries
);
362 if (q
->auxiliary_for
) {
363 assert(q
->auxiliary_for
->n_auxiliary_queries
> 0);
364 q
->auxiliary_for
->n_auxiliary_queries
--;
365 LIST_REMOVE(auxiliary_queries
, q
->auxiliary_for
->auxiliary_queries
, q
);
368 dns_query_unref_candidates(q
);
370 dns_question_unref(q
->question_idna
);
371 dns_question_unref(q
->question_utf8
);
372 dns_packet_unref(q
->question_bypass
);
374 dns_query_reset_answer(q
);
376 sd_bus_message_unref(q
->bus_request
);
377 sd_bus_track_unref(q
->bus_track
);
379 if (q
->varlink_request
) {
380 varlink_set_userdata(q
->varlink_request
, NULL
);
381 varlink_unref(q
->varlink_request
);
384 if (q
->request_packet
)
385 hashmap_remove_value(q
->stub_listener_extra
?
386 q
->stub_listener_extra
->queries_by_packet
:
387 q
->manager
->stub_queries_by_packet
,
391 dns_packet_unref(q
->request_packet
);
392 dns_answer_unref(q
->reply_answer
);
393 dns_answer_unref(q
->reply_authoritative
);
394 dns_answer_unref(q
->reply_additional
);
396 if (q
->request_stream
) {
397 /* Detach the stream from our query, in case something else keeps a reference to it. */
398 (void) set_remove(q
->request_stream
->queries
, q
);
399 q
->request_stream
= dns_stream_unref(q
->request_stream
);
402 free(q
->request_address_string
);
405 LIST_REMOVE(queries
, q
->manager
->dns_queries
, q
);
406 q
->manager
->n_dns_queries
--;
415 DnsQuestion
*question_utf8
,
416 DnsQuestion
*question_idna
,
417 DnsPacket
*question_bypass
,
421 _cleanup_(dns_query_freep
) DnsQuery
*q
= NULL
;
422 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
428 if (question_bypass
) {
429 /* It's either a "bypass" query, or a regular one, but can't be both. */
430 if (question_utf8
|| question_idna
)
436 /* This (primarily) checks two things:
438 * 1. That the question is not empty
439 * 2. That all RR keys in the question objects are for the same domain
441 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
442 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
444 if (dns_question_size(question_utf8
) > 0) {
445 r
= dns_question_is_valid_for_query(question_utf8
);
454 /* If the IDNA and UTF8 questions are the same, merge their references */
455 r
= dns_question_is_equal(question_idna
, question_utf8
);
459 question_idna
= question_utf8
;
461 if (dns_question_size(question_idna
) > 0) {
462 r
= dns_question_is_valid_for_query(question_idna
);
472 if (!good
) /* don't allow empty queries */
476 if (m
->n_dns_queries
>= QUERIES_MAX
)
479 q
= new(DnsQuery
, 1);
484 .question_utf8
= dns_question_ref(question_utf8
),
485 .question_idna
= dns_question_ref(question_idna
),
486 .question_bypass
= dns_packet_ref(question_bypass
),
489 .answer_dnssec_result
= _DNSSEC_RESULT_INVALID
,
490 .answer_protocol
= _DNS_PROTOCOL_INVALID
,
491 .answer_family
= AF_UNSPEC
,
494 if (question_bypass
) {
495 DNS_QUESTION_FOREACH(key
, question_bypass
->question
)
496 log_debug("Looking up bypass packet for %s.",
497 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
499 /* First dump UTF8 question */
500 DNS_QUESTION_FOREACH(key
, question_utf8
)
501 log_debug("Looking up RR for %s.",
502 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
504 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
505 DNS_QUESTION_FOREACH(key
, question_idna
) {
506 r
= dns_question_contains(question_utf8
, key
);
512 log_debug("Looking up IDNA RR for %s.",
513 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
517 LIST_PREPEND(queries
, m
->dns_queries
, q
);
528 int dns_query_make_auxiliary(DnsQuery
*q
, DnsQuery
*auxiliary_for
) {
530 assert(auxiliary_for
);
532 /* Ensure that the query is not auxiliary yet, and
533 * nothing else is auxiliary to it either */
534 assert(!q
->auxiliary_for
);
535 assert(!q
->auxiliary_queries
);
537 /* Ensure that the unit we shall be made auxiliary for isn't
538 * auxiliary itself */
539 assert(!auxiliary_for
->auxiliary_for
);
541 if (auxiliary_for
->n_auxiliary_queries
>= AUXILIARY_QUERIES_MAX
)
544 LIST_PREPEND(auxiliary_queries
, auxiliary_for
->auxiliary_queries
, q
);
545 q
->auxiliary_for
= auxiliary_for
;
547 auxiliary_for
->n_auxiliary_queries
++;
551 void dns_query_complete(DnsQuery
*q
, DnsTransactionState state
) {
553 assert(!DNS_TRANSACTION_IS_LIVE(state
));
554 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
556 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
557 * query or transaction after calling this function. */
566 static int on_query_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
567 DnsQuery
*q
= userdata
;
572 dns_query_complete(q
, DNS_TRANSACTION_TIMEOUT
);
576 static int dns_query_add_candidate(DnsQuery
*q
, DnsScope
*s
) {
577 _cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*c
= NULL
;
583 r
= dns_query_candidate_new(&c
, q
, s
);
587 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
588 if (!FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SEARCH
) &&
589 dns_scope_name_wants_search_domain(s
, dns_question_first_name(q
->question_idna
))) {
590 /* OK, we want a search domain now. Let's find one for this scope */
592 r
= dns_query_candidate_next_search_domain(c
);
597 r
= dns_query_candidate_setup_transactions(c
);
605 static int dns_query_synthesize_reply(DnsQuery
*q
, DnsTransactionState
*state
) {
606 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
612 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
613 * the normal lookup finished. The data from the network hence takes precedence over the data we
614 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
617 DNS_TRANSACTION_RCODE_FAILURE
,
618 DNS_TRANSACTION_NO_SERVERS
,
619 DNS_TRANSACTION_TIMEOUT
,
620 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
,
621 DNS_TRANSACTION_NETWORK_DOWN
,
622 DNS_TRANSACTION_NOT_FOUND
))
625 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
628 r
= dns_synthesize_answer(
630 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
634 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
636 dns_query_reset_answer(q
);
637 q
->answer_rcode
= DNS_RCODE_NXDOMAIN
;
638 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
639 q
->answer_family
= dns_synthesize_family(q
->flags
);
640 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
641 *state
= DNS_TRANSACTION_RCODE_FAILURE
;
648 dns_query_reset_answer(q
);
650 q
->answer
= TAKE_PTR(answer
);
651 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
652 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
653 q
->answer_family
= dns_synthesize_family(q
->flags
);
654 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
656 *state
= DNS_TRANSACTION_SUCCESS
;
661 static int dns_query_try_etc_hosts(DnsQuery
*q
) {
662 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
667 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
668 * done. The data from /etc/hosts hence takes precedence over the network. */
670 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
673 r
= manager_etc_hosts_lookup(
675 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
680 dns_query_reset_answer(q
);
682 q
->answer
= TAKE_PTR(answer
);
683 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
684 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
685 q
->answer_family
= dns_synthesize_family(q
->flags
);
686 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
691 int dns_query_go(DnsQuery
*q
) {
692 DnsScopeMatch found
= DNS_SCOPE_NO
;
693 DnsScope
*s
, *first
= NULL
;
694 DnsQueryCandidate
*c
;
699 if (q
->state
!= DNS_TRANSACTION_NULL
)
702 r
= dns_query_try_etc_hosts(q
);
706 dns_query_complete(q
, DNS_TRANSACTION_SUCCESS
);
710 LIST_FOREACH(scopes
, s
, q
->manager
->dns_scopes
) {
714 name
= dns_question_first_name(dns_query_question_for_protocol(q
, s
->protocol
));
718 match
= dns_scope_good_domain(s
, q
->ifindex
, q
->flags
, name
);
720 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name
);
724 if (match
> found
) { /* Does this match better? If so, remember how well it matched, and the first one
725 * that matches this well */
731 if (found
== DNS_SCOPE_NO
) {
732 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
734 r
= dns_query_synthesize_reply(q
, &state
);
738 dns_query_complete(q
, state
);
742 r
= dns_query_add_candidate(q
, first
);
746 LIST_FOREACH(scopes
, s
, first
->scopes_next
) {
750 name
= dns_question_first_name(dns_query_question_for_protocol(q
, s
->protocol
));
754 match
= dns_scope_good_domain(s
, q
->ifindex
, q
->flags
, name
);
756 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name
);
763 r
= dns_query_add_candidate(q
, s
);
768 dns_query_reset_answer(q
);
770 r
= sd_event_add_time_relative(
772 &q
->timeout_event_source
,
773 clock_boottime_or_monotonic(),
774 SD_RESOLVED_QUERY_TIMEOUT_USEC
,
775 0, on_query_timeout
, q
);
779 (void) sd_event_source_set_description(q
->timeout_event_source
, "query-timeout");
781 q
->state
= DNS_TRANSACTION_PENDING
;
784 /* Start the transactions */
785 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
786 r
= dns_query_candidate_go(c
);
803 static void dns_query_accept(DnsQuery
*q
, DnsQueryCandidate
*c
) {
804 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
805 bool has_authenticated
= false, has_non_authenticated
= false, has_confidential
= false, has_non_confidential
= false;
806 DnssecResult dnssec_result_authenticated
= _DNSSEC_RESULT_INVALID
, dnssec_result_non_authenticated
= _DNSSEC_RESULT_INVALID
;
813 r
= dns_query_synthesize_reply(q
, &state
);
817 dns_query_complete(q
, state
);
821 if (c
->error_code
!= 0) {
822 /* If the candidate had an error condition of its own, start with that. */
823 state
= DNS_TRANSACTION_ERRNO
;
824 q
->answer
= dns_answer_unref(q
->answer
);
826 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
827 q
->answer_query_flags
= 0;
828 q
->answer_errno
= c
->error_code
;
829 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
832 SET_FOREACH(t
, c
->transactions
) {
836 case DNS_TRANSACTION_SUCCESS
: {
837 /* We found a successful reply, merge it into the answer */
839 if (state
== DNS_TRANSACTION_SUCCESS
) {
840 r
= dns_answer_extend(&q
->answer
, t
->answer
);
844 q
->answer_query_flags
|= dns_transaction_source_to_query_flags(t
->answer_source
);
846 /* Override non-successful previous answers */
847 dns_answer_unref(q
->answer
);
848 q
->answer
= dns_answer_ref(t
->answer
);
850 q
->answer_query_flags
= dns_transaction_source_to_query_flags(t
->answer_source
);
853 q
->answer_rcode
= t
->answer_rcode
;
856 dns_packet_unref(q
->answer_full_packet
);
857 q
->answer_full_packet
= dns_packet_ref(t
->received
);
859 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
)) {
860 has_authenticated
= true;
861 dnssec_result_authenticated
= t
->answer_dnssec_result
;
863 has_non_authenticated
= true;
864 dnssec_result_non_authenticated
= t
->answer_dnssec_result
;
867 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
868 has_confidential
= true;
870 has_non_confidential
= true;
872 state
= DNS_TRANSACTION_SUCCESS
;
876 case DNS_TRANSACTION_NULL
:
877 case DNS_TRANSACTION_PENDING
:
878 case DNS_TRANSACTION_VALIDATING
:
879 case DNS_TRANSACTION_ABORTED
:
880 /* Ignore transactions that didn't complete */
884 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
885 if (state
== DNS_TRANSACTION_SUCCESS
)
888 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
889 if (FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) &&
890 !FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
893 dns_answer_unref(q
->answer
);
894 q
->answer
= dns_answer_ref(t
->answer
);
895 q
->answer_rcode
= t
->answer_rcode
;
896 q
->answer_dnssec_result
= t
->answer_dnssec_result
;
897 q
->answer_query_flags
= t
->answer_query_flags
| dns_transaction_source_to_query_flags(t
->answer_source
);
898 q
->answer_errno
= t
->answer_errno
;
899 dns_packet_unref(q
->answer_full_packet
);
900 q
->answer_full_packet
= dns_packet_ref(t
->received
);
907 if (state
== DNS_TRANSACTION_SUCCESS
) {
908 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
, has_authenticated
&& !has_non_authenticated
);
909 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
, has_confidential
&& !has_non_confidential
);
910 q
->answer_dnssec_result
= FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) ? dnssec_result_authenticated
: dnssec_result_non_authenticated
;
913 q
->answer_protocol
= c
->scope
->protocol
;
914 q
->answer_family
= c
->scope
->family
;
916 dns_search_domain_unref(q
->answer_search_domain
);
917 q
->answer_search_domain
= dns_search_domain_ref(c
->search_domain
);
919 r
= dns_query_synthesize_reply(q
, &state
);
923 dns_query_complete(q
, state
);
927 q
->answer_errno
= -r
;
928 dns_query_complete(q
, DNS_TRANSACTION_ERRNO
);
931 void dns_query_ready(DnsQuery
*q
) {
933 DnsQueryCandidate
*bad
= NULL
, *c
;
934 bool pending
= false;
937 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
939 /* Note that this call might invalidate the query. Callers
940 * should hence not attempt to access the query or transaction
941 * after calling this function, unless the block_ready
942 * counter was explicitly bumped before doing so. */
944 if (q
->block_ready
> 0)
947 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
948 DnsTransactionState state
;
950 state
= dns_query_candidate_state(c
);
953 case DNS_TRANSACTION_SUCCESS
:
954 /* One of the candidates is successful,
955 * let's use it, and copy its data out */
956 dns_query_accept(q
, c
);
959 case DNS_TRANSACTION_NULL
:
960 case DNS_TRANSACTION_PENDING
:
961 case DNS_TRANSACTION_VALIDATING
:
962 /* One of the candidates is still going on,
963 * let's maybe wait for it */
968 /* Any kind of failure */
977 dns_query_accept(q
, bad
);
980 static int dns_query_cname_redirect(DnsQuery
*q
, const DnsResourceRecord
*cname
) {
981 _cleanup_(dns_question_unrefp
) DnsQuestion
*nq_idna
= NULL
, *nq_utf8
= NULL
;
986 q
->n_cname_redirects
++;
987 if (q
->n_cname_redirects
> CNAME_REDIRECT_MAX
)
990 r
= dns_question_cname_redirect(q
->question_idna
, cname
, &nq_idna
);
994 log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q
->question_idna
), dns_question_first_name(nq_idna
));
996 k
= dns_question_is_equal(q
->question_idna
, q
->question_utf8
);
1000 /* Same question? Shortcut new question generation */
1001 nq_utf8
= dns_question_ref(nq_idna
);
1004 k
= dns_question_cname_redirect(q
->question_utf8
, cname
, &nq_utf8
);
1008 log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q
->question_utf8
), dns_question_first_name(nq_utf8
));
1011 if (r
== 0 && k
== 0) /* No actual cname happened? */
1014 if (q
->answer_protocol
== DNS_PROTOCOL_DNS
)
1015 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1016 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1018 q
->flags
&= ~(SD_RESOLVED_LLMNR
|SD_RESOLVED_MDNS
); /* mask away the local protocols */
1020 /* Turn off searching for the new name */
1021 q
->flags
|= SD_RESOLVED_NO_SEARCH
;
1023 dns_question_unref(q
->question_idna
);
1024 q
->question_idna
= TAKE_PTR(nq_idna
);
1026 dns_question_unref(q
->question_utf8
);
1027 q
->question_utf8
= TAKE_PTR(nq_utf8
);
1029 dns_query_unref_candidates(q
);
1031 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1032 * include everything we need, let's check that first */
1034 q
->state
= DNS_TRANSACTION_NULL
;
1039 int dns_query_process_cname_one(DnsQuery
*q
) {
1040 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*cname
= NULL
;
1041 DnsQuestion
*question
;
1042 DnsResourceRecord
*rr
;
1043 bool full_match
= true;
1049 /* Processes a CNAME redirect if there's one. Returns one of three values:
1051 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1052 * bother with any CNAME/DNAME stuff)
1054 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1055 * restart query or take things as NODATA reply.
1057 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1059 * The function might also return a failure, in particular -ELOOP if we encountered too many
1060 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1062 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1063 * case of CNAME_QUERY_CNAME, though. */
1065 if (!IN_SET(q
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_NULL
))
1066 return DNS_QUERY_NOMATCH
;
1068 question
= dns_query_question_for_protocol(q
, q
->answer_protocol
);
1070 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1071 * record type. Specifically, when we do an address lookup the question will typically consist of one
1072 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1073 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1074 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1077 * Hence we first check of the answers we collected are sufficient to answer all our questions
1078 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1079 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
1082 DNS_QUESTION_FOREACH(k
, question
) {
1085 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1086 r
= dns_resource_key_match_rr(k
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1090 match
= true; /* Yay, we found an RR that matches the key we are looking for */
1096 /* Hmm. :-( there's no response for this key. This doesn't match. */
1103 return DNS_QUERY_MATCH
; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1105 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1106 * matches any of our questions. */
1107 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1108 r
= dns_question_matches_cname_or_dname(question
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1111 if (r
> 0 && !cname
)
1112 cname
= dns_resource_record_ref(rr
);
1116 return DNS_QUERY_NOMATCH
; /* No match and no CNAME/DNAME to follow */
1118 if (q
->flags
& SD_RESOLVED_NO_CNAME
)
1121 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
1122 q
->previous_redirect_unauthenticated
= true;
1123 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
1124 q
->previous_redirect_non_confidential
= true;
1125 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_SYNTHETIC
))
1126 q
->previous_redirect_non_synthetic
= true;
1128 /* OK, let's actually follow the CNAME */
1129 r
= dns_query_cname_redirect(q
, cname
);
1133 return DNS_QUERY_CNAME
; /* Tell caller that we did a single CNAME/DNAME redirection step */
1136 int dns_query_process_cname_many(DnsQuery
*q
) {
1141 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1142 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1143 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1144 * but with extended semantics. Specifically:
1146 * DNS_QUERY_MATCH → as above
1148 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1149 * message, and thus restarted the query to resolve it.
1151 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1152 * CNAME/DNAME match. i.e. this is a NODATA case.
1154 * Note that this function will restart the query for the caller if needed, and that's the case
1155 * DNS_QUERY_CNAME is returned.
1158 r
= dns_query_process_cname_one(q
);
1159 if (r
!= DNS_QUERY_CNAME
)
1160 return r
; /* The first redirect is special: if it doesn't answer the question that's no
1161 * reason to restart the query, we just accept this as a NODATA answer. */
1164 r
= dns_query_process_cname_one(q
);
1165 if (r
< 0 || r
== DNS_QUERY_MATCH
)
1167 if (r
== DNS_QUERY_NOMATCH
) {
1168 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1169 * this. Let's restart the query hence, with the new question. Why the different
1170 * handling than the first chain element? Because if the server answers a direct
1171 * question with an empty answer then this is a NODATA response. But if it responds
1172 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1173 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1174 * chain. This is particular relevant since our cache will store CNAME/DNAME
1175 * redirects that we learnt about for lookups of certain DNS types, but later on we
1176 * can reuse this data even for other DNS types, but in that case need to follow up
1177 * with the final lookup of the chain ourselves with the RR type we ourselves are
1179 r
= dns_query_go(q
);
1183 return DNS_QUERY_CNAME
;
1186 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1187 * continue going then. */
1188 assert(r
== DNS_QUERY_CNAME
);
1192 DnsQuestion
* dns_query_question_for_protocol(DnsQuery
*q
, DnsProtocol protocol
) {
1195 if (q
->question_bypass
)
1196 return q
->question_bypass
->question
;
1200 case DNS_PROTOCOL_DNS
:
1201 return q
->question_idna
;
1203 case DNS_PROTOCOL_MDNS
:
1204 case DNS_PROTOCOL_LLMNR
:
1205 return q
->question_utf8
;
1212 const char *dns_query_string(DnsQuery
*q
) {
1216 /* Returns a somewhat useful human-readable lookup key string for this query */
1218 if (q
->question_bypass
)
1219 return dns_question_first_name(q
->question_bypass
->question
);
1221 if (q
->request_address_string
)
1222 return q
->request_address_string
;
1224 if (q
->request_address_valid
) {
1225 r
= in_addr_to_string(q
->request_family
, &q
->request_address
, &q
->request_address_string
);
1227 return q
->request_address_string
;
1230 name
= dns_question_first_name(q
->question_utf8
);
1234 return dns_question_first_name(q
->question_idna
);
1237 bool dns_query_fully_authenticated(DnsQuery
*q
) {
1240 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) && !q
->previous_redirect_unauthenticated
;
1243 bool dns_query_fully_confidential(DnsQuery
*q
) {
1246 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
) && !q
->previous_redirect_non_confidential
;
1249 bool dns_query_fully_authoritative(DnsQuery
*q
) {
1252 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1253 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
1254 * previous synthetic DNAME/CNAME redirections.)*/
1255 if ((q
->answer_query_flags
& SD_RESOLVED_SYNTHETIC
) && !q
->previous_redirect_non_synthetic
)
1258 /* We are also authoritative for everything coming only from the trust anchor and the local
1259 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
1260 * explicitly check previous redirects here.)*/
1261 return (q
->answer_query_flags
& SD_RESOLVED_FROM_MASK
& ~(SD_RESOLVED_FROM_TRUST_ANCHOR
| SD_RESOLVED_FROM_ZONE
)) == 0;