1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "alloc-util.h"
4 #include "dns-domain.h"
6 #include "hostname-util.h"
7 #include "local-addresses.h"
8 #include "resolved-dns-query.h"
9 #include "resolved-dns-synthesize.h"
10 #include "resolved-etc-hosts.h"
11 #include "string-util.h"
13 #define QUERIES_MAX 2048
14 #define AUXILIARY_QUERIES_MAX 64
15 #define CNAME_REDIRECTS_MAX 16
17 assert_cc(AUXILIARY_QUERIES_MAX
< UINT8_MAX
);
18 assert_cc(CNAME_REDIRECTS_MAX
< UINT8_MAX
);
20 static int dns_query_candidate_new(DnsQueryCandidate
**ret
, DnsQuery
*q
, DnsScope
*s
) {
27 c
= new(DnsQueryCandidate
, 1);
31 *c
= (DnsQueryCandidate
) {
37 LIST_PREPEND(candidates_by_query
, q
->candidates
, c
);
38 LIST_PREPEND(candidates_by_scope
, s
->query_candidates
, c
);
44 static void dns_query_candidate_stop(DnsQueryCandidate
*c
) {
49 while ((t
= set_steal_first(c
->transactions
))) {
50 set_remove(t
->notify_query_candidates
, c
);
51 set_remove(t
->notify_query_candidates_done
, c
);
52 dns_transaction_gc(t
);
56 static DnsQueryCandidate
* dns_query_candidate_free(DnsQueryCandidate
*c
) {
60 dns_query_candidate_stop(c
);
62 set_free(c
->transactions
);
63 dns_search_domain_unref(c
->search_domain
);
66 LIST_REMOVE(candidates_by_query
, c
->query
->candidates
, c
);
69 LIST_REMOVE(candidates_by_scope
, c
->scope
->query_candidates
, c
);
74 DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate
, dns_query_candidate
, dns_query_candidate_free
);
76 static int dns_query_candidate_next_search_domain(DnsQueryCandidate
*c
) {
77 DnsSearchDomain
*next
;
81 if (c
->search_domain
&& c
->search_domain
->linked
)
82 next
= c
->search_domain
->domains_next
;
84 next
= dns_scope_get_search_domains(c
->scope
);
87 if (!next
) /* We hit the end of the list */
90 if (!next
->route_only
)
93 /* Skip over route-only domains */
94 next
= next
->domains_next
;
97 dns_search_domain_unref(c
->search_domain
);
98 c
->search_domain
= dns_search_domain_ref(next
);
103 static int dns_query_candidate_add_transaction(
104 DnsQueryCandidate
*c
,
108 _cleanup_(dns_transaction_gcp
) DnsTransaction
*t
= NULL
;
114 /* Regular lookup with a resource key */
117 t
= dns_scope_find_transaction(c
->scope
, key
, c
->query
->flags
);
119 r
= dns_transaction_new(&t
, c
->scope
, key
, NULL
, c
->query
->flags
);
122 } else if (set_contains(c
->transactions
, t
))
125 /* "Bypass" lookup with a query packet */
128 r
= dns_transaction_new(&t
, c
->scope
, NULL
, bypass
, c
->query
->flags
);
133 r
= set_ensure_allocated(&t
->notify_query_candidates_done
, NULL
);
137 r
= set_ensure_put(&t
->notify_query_candidates
, NULL
, c
);
141 r
= set_ensure_put(&c
->transactions
, NULL
, t
);
143 (void) set_remove(t
->notify_query_candidates
, c
);
151 static int dns_query_candidate_go(DnsQueryCandidate
*c
) {
152 _cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*keep_c
= NULL
;
159 /* Let's keep a reference to the query while we're operating */
160 keep_c
= dns_query_candidate_ref(c
);
162 /* Start the transactions that are not started yet */
163 SET_FOREACH(t
, c
->transactions
) {
164 if (t
->state
!= DNS_TRANSACTION_NULL
)
167 r
= dns_transaction_go(t
);
174 /* If there was nothing to start, then let's proceed immediately */
176 dns_query_candidate_notify(c
);
181 static DnsTransactionState
dns_query_candidate_state(DnsQueryCandidate
*c
) {
182 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
187 if (c
->error_code
!= 0)
188 return DNS_TRANSACTION_ERRNO
;
190 SET_FOREACH(t
, c
->transactions
)
194 case DNS_TRANSACTION_NULL
:
195 /* If there's a NULL transaction pending, then
196 * this means not all transactions where
197 * started yet, and we were called from within
198 * the stackframe that is supposed to start
199 * remaining transactions. In this case,
200 * simply claim the candidate is pending. */
202 case DNS_TRANSACTION_PENDING
:
203 case DNS_TRANSACTION_VALIDATING
:
204 /* If there's one transaction currently in
205 * VALIDATING state, then this means there's
206 * also one in PENDING state, hence we can
207 * return PENDING immediately. */
208 return DNS_TRANSACTION_PENDING
;
210 case DNS_TRANSACTION_SUCCESS
:
215 if (state
!= DNS_TRANSACTION_SUCCESS
)
224 static int dns_query_candidate_setup_transactions(DnsQueryCandidate
*c
) {
225 DnsQuestion
*question
;
231 dns_query_candidate_stop(c
);
233 if (c
->query
->question_bypass
) {
234 /* If this is a bypass query, then pass the original query packet along to the transaction */
236 assert(dns_question_size(c
->query
->question_bypass
->question
) == 1);
238 if (!dns_scope_good_key(c
->scope
, dns_question_first_key(c
->query
->question_bypass
->question
)))
241 r
= dns_query_candidate_add_transaction(c
, NULL
, c
->query
->question_bypass
);
248 question
= dns_query_question_for_protocol(c
->query
, c
->scope
->protocol
);
250 /* Create one transaction per question key */
251 DNS_QUESTION_FOREACH(key
, question
) {
252 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*new_key
= NULL
;
253 DnsResourceKey
*qkey
;
255 if (c
->search_domain
) {
256 r
= dns_resource_key_new_append_suffix(&new_key
, key
, c
->search_domain
->name
);
264 if (!dns_scope_good_key(c
->scope
, qkey
))
267 r
= dns_query_candidate_add_transaction(c
, qkey
, NULL
);
277 dns_query_candidate_stop(c
);
281 void dns_query_candidate_notify(DnsQueryCandidate
*c
) {
282 DnsTransactionState state
;
287 state
= dns_query_candidate_state(c
);
289 if (DNS_TRANSACTION_IS_LIVE(state
))
292 if (state
!= DNS_TRANSACTION_SUCCESS
&& c
->search_domain
) {
294 r
= dns_query_candidate_next_search_domain(c
);
299 /* OK, there's another search domain to try, let's do so. */
301 r
= dns_query_candidate_setup_transactions(c
);
306 /* New transactions where queued. Start them and wait */
308 r
= dns_query_candidate_go(c
);
318 dns_query_ready(c
->query
);
322 c
->error_code
= log_warning_errno(r
, "Failed to follow search domains: %m");
323 dns_query_ready(c
->query
);
326 static void dns_query_stop(DnsQuery
*q
) {
327 DnsQueryCandidate
*c
;
331 q
->timeout_event_source
= sd_event_source_disable_unref(q
->timeout_event_source
);
333 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
)
334 dns_query_candidate_stop(c
);
337 static void dns_query_unref_candidates(DnsQuery
*q
) {
340 while (q
->candidates
)
341 dns_query_candidate_unref(q
->candidates
);
344 static void dns_query_reset_answer(DnsQuery
*q
) {
347 q
->answer
= dns_answer_unref(q
->answer
);
349 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
351 q
->answer_query_flags
= 0;
352 q
->answer_protocol
= _DNS_PROTOCOL_INVALID
;
353 q
->answer_family
= AF_UNSPEC
;
354 q
->answer_search_domain
= dns_search_domain_unref(q
->answer_search_domain
);
355 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
358 DnsQuery
*dns_query_free(DnsQuery
*q
) {
362 while (q
->auxiliary_queries
)
363 dns_query_free(q
->auxiliary_queries
);
365 if (q
->auxiliary_for
) {
366 assert(q
->auxiliary_for
->n_auxiliary_queries
> 0);
367 q
->auxiliary_for
->n_auxiliary_queries
--;
368 LIST_REMOVE(auxiliary_queries
, q
->auxiliary_for
->auxiliary_queries
, q
);
371 dns_query_unref_candidates(q
);
373 dns_question_unref(q
->question_idna
);
374 dns_question_unref(q
->question_utf8
);
375 dns_packet_unref(q
->question_bypass
);
377 dns_query_reset_answer(q
);
379 sd_bus_message_unref(q
->bus_request
);
380 sd_bus_track_unref(q
->bus_track
);
382 if (q
->varlink_request
) {
383 varlink_set_userdata(q
->varlink_request
, NULL
);
384 varlink_unref(q
->varlink_request
);
387 if (q
->request_packet
)
388 hashmap_remove_value(q
->stub_listener_extra
?
389 q
->stub_listener_extra
->queries_by_packet
:
390 q
->manager
->stub_queries_by_packet
,
394 dns_packet_unref(q
->request_packet
);
395 dns_answer_unref(q
->reply_answer
);
396 dns_answer_unref(q
->reply_authoritative
);
397 dns_answer_unref(q
->reply_additional
);
399 if (q
->request_stream
) {
400 /* Detach the stream from our query, in case something else keeps a reference to it. */
401 (void) set_remove(q
->request_stream
->queries
, q
);
402 q
->request_stream
= dns_stream_unref(q
->request_stream
);
405 free(q
->request_address_string
);
408 LIST_REMOVE(queries
, q
->manager
->dns_queries
, q
);
409 q
->manager
->n_dns_queries
--;
418 DnsQuestion
*question_utf8
,
419 DnsQuestion
*question_idna
,
420 DnsPacket
*question_bypass
,
424 _cleanup_(dns_query_freep
) DnsQuery
*q
= NULL
;
425 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
431 if (question_bypass
) {
432 /* It's either a "bypass" query, or a regular one, but can't be both. */
433 if (question_utf8
|| question_idna
)
439 /* This (primarily) checks two things:
441 * 1. That the question is not empty
442 * 2. That all RR keys in the question objects are for the same domain
444 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
445 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
447 if (dns_question_size(question_utf8
) > 0) {
448 r
= dns_question_is_valid_for_query(question_utf8
);
457 /* If the IDNA and UTF8 questions are the same, merge their references */
458 r
= dns_question_is_equal(question_idna
, question_utf8
);
462 question_idna
= question_utf8
;
464 if (dns_question_size(question_idna
) > 0) {
465 r
= dns_question_is_valid_for_query(question_idna
);
475 if (!good
) /* don't allow empty queries */
479 if (m
->n_dns_queries
>= QUERIES_MAX
)
482 q
= new(DnsQuery
, 1);
487 .question_utf8
= dns_question_ref(question_utf8
),
488 .question_idna
= dns_question_ref(question_idna
),
489 .question_bypass
= dns_packet_ref(question_bypass
),
492 .answer_dnssec_result
= _DNSSEC_RESULT_INVALID
,
493 .answer_protocol
= _DNS_PROTOCOL_INVALID
,
494 .answer_family
= AF_UNSPEC
,
497 if (question_bypass
) {
498 DNS_QUESTION_FOREACH(key
, question_bypass
->question
)
499 log_debug("Looking up bypass packet for %s.",
500 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
502 /* First dump UTF8 question */
503 DNS_QUESTION_FOREACH(key
, question_utf8
)
504 log_debug("Looking up RR for %s.",
505 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
507 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
508 DNS_QUESTION_FOREACH(key
, question_idna
) {
509 r
= dns_question_contains_key(question_utf8
, key
);
515 log_debug("Looking up IDNA RR for %s.",
516 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
520 LIST_PREPEND(queries
, m
->dns_queries
, q
);
531 int dns_query_make_auxiliary(DnsQuery
*q
, DnsQuery
*auxiliary_for
) {
533 assert(auxiliary_for
);
535 /* Ensure that the query is not auxiliary yet, and
536 * nothing else is auxiliary to it either */
537 assert(!q
->auxiliary_for
);
538 assert(!q
->auxiliary_queries
);
540 /* Ensure that the unit we shall be made auxiliary for isn't
541 * auxiliary itself */
542 assert(!auxiliary_for
->auxiliary_for
);
544 if (auxiliary_for
->n_auxiliary_queries
>= AUXILIARY_QUERIES_MAX
)
547 LIST_PREPEND(auxiliary_queries
, auxiliary_for
->auxiliary_queries
, q
);
548 q
->auxiliary_for
= auxiliary_for
;
550 auxiliary_for
->n_auxiliary_queries
++;
554 void dns_query_complete(DnsQuery
*q
, DnsTransactionState state
) {
556 assert(!DNS_TRANSACTION_IS_LIVE(state
));
557 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
559 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
560 * query or transaction after calling this function. */
569 static int on_query_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
570 DnsQuery
*q
= userdata
;
575 dns_query_complete(q
, DNS_TRANSACTION_TIMEOUT
);
579 static int dns_query_add_candidate(DnsQuery
*q
, DnsScope
*s
) {
580 _cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*c
= NULL
;
586 r
= dns_query_candidate_new(&c
, q
, s
);
590 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
591 if (!FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SEARCH
) &&
592 dns_scope_name_wants_search_domain(s
, dns_question_first_name(q
->question_idna
))) {
593 /* OK, we want a search domain now. Let's find one for this scope */
595 r
= dns_query_candidate_next_search_domain(c
);
600 r
= dns_query_candidate_setup_transactions(c
);
608 static int dns_query_synthesize_reply(DnsQuery
*q
, DnsTransactionState
*state
) {
609 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
615 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
616 * the normal lookup finished. The data from the network hence takes precedence over the data we
617 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
620 DNS_TRANSACTION_RCODE_FAILURE
,
621 DNS_TRANSACTION_NO_SERVERS
,
622 DNS_TRANSACTION_TIMEOUT
,
623 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
,
624 DNS_TRANSACTION_NETWORK_DOWN
,
625 DNS_TRANSACTION_NOT_FOUND
))
628 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
631 r
= dns_synthesize_answer(
633 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
637 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
639 dns_query_reset_answer(q
);
640 q
->answer_rcode
= DNS_RCODE_NXDOMAIN
;
641 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
642 q
->answer_family
= dns_synthesize_family(q
->flags
);
643 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
644 *state
= DNS_TRANSACTION_RCODE_FAILURE
;
651 dns_query_reset_answer(q
);
653 q
->answer
= TAKE_PTR(answer
);
654 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
655 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
656 q
->answer_family
= dns_synthesize_family(q
->flags
);
657 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
659 *state
= DNS_TRANSACTION_SUCCESS
;
664 static int dns_query_try_etc_hosts(DnsQuery
*q
) {
665 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
670 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
671 * done. The data from /etc/hosts hence takes precedence over the network. */
673 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
676 r
= manager_etc_hosts_lookup(
678 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
683 dns_query_reset_answer(q
);
685 q
->answer
= TAKE_PTR(answer
);
686 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
687 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
688 q
->answer_family
= dns_synthesize_family(q
->flags
);
689 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
694 int dns_query_go(DnsQuery
*q
) {
695 DnsScopeMatch found
= DNS_SCOPE_NO
;
696 DnsScope
*s
, *first
= NULL
;
697 DnsQueryCandidate
*c
;
702 if (q
->state
!= DNS_TRANSACTION_NULL
)
705 r
= dns_query_try_etc_hosts(q
);
709 dns_query_complete(q
, DNS_TRANSACTION_SUCCESS
);
713 LIST_FOREACH(scopes
, s
, q
->manager
->dns_scopes
) {
717 name
= dns_question_first_name(dns_query_question_for_protocol(q
, s
->protocol
));
721 match
= dns_scope_good_domain(s
, q
->ifindex
, q
->flags
, name
);
723 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name
);
727 if (match
> found
) { /* Does this match better? If so, remember how well it matched, and the first one
728 * that matches this well */
734 if (found
== DNS_SCOPE_NO
) {
735 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
737 r
= dns_query_synthesize_reply(q
, &state
);
741 dns_query_complete(q
, state
);
745 r
= dns_query_add_candidate(q
, first
);
749 LIST_FOREACH(scopes
, s
, first
->scopes_next
) {
753 name
= dns_question_first_name(dns_query_question_for_protocol(q
, s
->protocol
));
757 match
= dns_scope_good_domain(s
, q
->ifindex
, q
->flags
, name
);
759 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name
);
766 r
= dns_query_add_candidate(q
, s
);
771 dns_query_reset_answer(q
);
773 r
= sd_event_add_time_relative(
775 &q
->timeout_event_source
,
776 clock_boottime_or_monotonic(),
777 SD_RESOLVED_QUERY_TIMEOUT_USEC
,
778 0, on_query_timeout
, q
);
782 (void) sd_event_source_set_description(q
->timeout_event_source
, "query-timeout");
784 q
->state
= DNS_TRANSACTION_PENDING
;
787 /* Start the transactions */
788 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
789 r
= dns_query_candidate_go(c
);
806 static void dns_query_accept(DnsQuery
*q
, DnsQueryCandidate
*c
) {
807 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
808 bool has_authenticated
= false, has_non_authenticated
= false, has_confidential
= false, has_non_confidential
= false;
809 DnssecResult dnssec_result_authenticated
= _DNSSEC_RESULT_INVALID
, dnssec_result_non_authenticated
= _DNSSEC_RESULT_INVALID
;
816 r
= dns_query_synthesize_reply(q
, &state
);
820 dns_query_complete(q
, state
);
824 if (c
->error_code
!= 0) {
825 /* If the candidate had an error condition of its own, start with that. */
826 state
= DNS_TRANSACTION_ERRNO
;
827 q
->answer
= dns_answer_unref(q
->answer
);
829 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
830 q
->answer_query_flags
= 0;
831 q
->answer_errno
= c
->error_code
;
832 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
835 SET_FOREACH(t
, c
->transactions
) {
839 case DNS_TRANSACTION_SUCCESS
: {
840 /* We found a successful reply, merge it into the answer */
842 if (state
== DNS_TRANSACTION_SUCCESS
) {
843 r
= dns_answer_extend(&q
->answer
, t
->answer
);
847 q
->answer_query_flags
|= dns_transaction_source_to_query_flags(t
->answer_source
);
849 /* Override non-successful previous answers */
850 dns_answer_unref(q
->answer
);
851 q
->answer
= dns_answer_ref(t
->answer
);
853 q
->answer_query_flags
= dns_transaction_source_to_query_flags(t
->answer_source
);
856 q
->answer_rcode
= t
->answer_rcode
;
859 dns_packet_unref(q
->answer_full_packet
);
860 q
->answer_full_packet
= dns_packet_ref(t
->received
);
862 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
)) {
863 has_authenticated
= true;
864 dnssec_result_authenticated
= t
->answer_dnssec_result
;
866 has_non_authenticated
= true;
867 dnssec_result_non_authenticated
= t
->answer_dnssec_result
;
870 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
871 has_confidential
= true;
873 has_non_confidential
= true;
875 state
= DNS_TRANSACTION_SUCCESS
;
879 case DNS_TRANSACTION_NULL
:
880 case DNS_TRANSACTION_PENDING
:
881 case DNS_TRANSACTION_VALIDATING
:
882 case DNS_TRANSACTION_ABORTED
:
883 /* Ignore transactions that didn't complete */
887 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
888 if (state
== DNS_TRANSACTION_SUCCESS
)
891 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
892 if (FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) &&
893 !FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
896 dns_answer_unref(q
->answer
);
897 q
->answer
= dns_answer_ref(t
->answer
);
898 q
->answer_rcode
= t
->answer_rcode
;
899 q
->answer_dnssec_result
= t
->answer_dnssec_result
;
900 q
->answer_query_flags
= t
->answer_query_flags
| dns_transaction_source_to_query_flags(t
->answer_source
);
901 q
->answer_errno
= t
->answer_errno
;
902 dns_packet_unref(q
->answer_full_packet
);
903 q
->answer_full_packet
= dns_packet_ref(t
->received
);
910 if (state
== DNS_TRANSACTION_SUCCESS
) {
911 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
, has_authenticated
&& !has_non_authenticated
);
912 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
, has_confidential
&& !has_non_confidential
);
913 q
->answer_dnssec_result
= FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) ? dnssec_result_authenticated
: dnssec_result_non_authenticated
;
916 q
->answer_protocol
= c
->scope
->protocol
;
917 q
->answer_family
= c
->scope
->family
;
919 dns_search_domain_unref(q
->answer_search_domain
);
920 q
->answer_search_domain
= dns_search_domain_ref(c
->search_domain
);
922 r
= dns_query_synthesize_reply(q
, &state
);
926 dns_query_complete(q
, state
);
930 q
->answer_errno
= -r
;
931 dns_query_complete(q
, DNS_TRANSACTION_ERRNO
);
934 void dns_query_ready(DnsQuery
*q
) {
936 DnsQueryCandidate
*bad
= NULL
, *c
;
937 bool pending
= false;
940 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
942 /* Note that this call might invalidate the query. Callers
943 * should hence not attempt to access the query or transaction
944 * after calling this function, unless the block_ready
945 * counter was explicitly bumped before doing so. */
947 if (q
->block_ready
> 0)
950 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
951 DnsTransactionState state
;
953 state
= dns_query_candidate_state(c
);
956 case DNS_TRANSACTION_SUCCESS
:
957 /* One of the candidates is successful,
958 * let's use it, and copy its data out */
959 dns_query_accept(q
, c
);
962 case DNS_TRANSACTION_NULL
:
963 case DNS_TRANSACTION_PENDING
:
964 case DNS_TRANSACTION_VALIDATING
:
965 /* One of the candidates is still going on,
966 * let's maybe wait for it */
971 /* Any kind of failure */
980 dns_query_accept(q
, bad
);
983 static int dns_query_cname_redirect(DnsQuery
*q
, const DnsResourceRecord
*cname
) {
984 _cleanup_(dns_question_unrefp
) DnsQuestion
*nq_idna
= NULL
, *nq_utf8
= NULL
;
989 if (q
->n_cname_redirects
>= CNAME_REDIRECTS_MAX
)
991 q
->n_cname_redirects
++;
993 r
= dns_question_cname_redirect(q
->question_idna
, cname
, &nq_idna
);
997 log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q
->question_idna
), dns_question_first_name(nq_idna
));
999 k
= dns_question_is_equal(q
->question_idna
, q
->question_utf8
);
1003 /* Same question? Shortcut new question generation */
1004 nq_utf8
= dns_question_ref(nq_idna
);
1007 k
= dns_question_cname_redirect(q
->question_utf8
, cname
, &nq_utf8
);
1011 log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q
->question_utf8
), dns_question_first_name(nq_utf8
));
1014 if (r
== 0 && k
== 0) /* No actual cname happened? */
1017 if (q
->answer_protocol
== DNS_PROTOCOL_DNS
)
1018 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1019 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1021 q
->flags
&= ~(SD_RESOLVED_LLMNR
|SD_RESOLVED_MDNS
); /* mask away the local protocols */
1023 /* Turn off searching for the new name */
1024 q
->flags
|= SD_RESOLVED_NO_SEARCH
;
1026 dns_question_unref(q
->question_idna
);
1027 q
->question_idna
= TAKE_PTR(nq_idna
);
1029 dns_question_unref(q
->question_utf8
);
1030 q
->question_utf8
= TAKE_PTR(nq_utf8
);
1032 dns_query_unref_candidates(q
);
1034 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1035 * include everything we need, let's check that first */
1037 q
->state
= DNS_TRANSACTION_NULL
;
1042 int dns_query_process_cname_one(DnsQuery
*q
) {
1043 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*cname
= NULL
;
1044 DnsQuestion
*question
;
1045 DnsResourceRecord
*rr
;
1046 bool full_match
= true;
1052 /* Processes a CNAME redirect if there's one. Returns one of three values:
1054 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1055 * bother with any CNAME/DNAME stuff)
1057 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1058 * restart query or take things as NODATA reply.
1060 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1062 * The function might also return a failure, in particular -ELOOP if we encountered too many
1063 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1065 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1066 * case of CNAME_QUERY_CNAME, though. */
1068 if (!IN_SET(q
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_NULL
))
1069 return DNS_QUERY_NOMATCH
;
1071 question
= dns_query_question_for_protocol(q
, q
->answer_protocol
);
1073 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1074 * record type. Specifically, when we do an address lookup the question will typically consist of one
1075 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1076 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1077 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1080 * Hence we first check of the answers we collected are sufficient to answer all our questions
1081 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1082 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
1085 DNS_QUESTION_FOREACH(k
, question
) {
1088 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1089 r
= dns_resource_key_match_rr(k
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1093 match
= true; /* Yay, we found an RR that matches the key we are looking for */
1099 /* Hmm. :-( there's no response for this key. This doesn't match. */
1106 return DNS_QUERY_MATCH
; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1108 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1109 * matches any of our questions. */
1110 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1111 r
= dns_question_matches_cname_or_dname(question
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1114 if (r
> 0 && !cname
)
1115 cname
= dns_resource_record_ref(rr
);
1119 return DNS_QUERY_NOMATCH
; /* No match and no CNAME/DNAME to follow */
1121 if (q
->flags
& SD_RESOLVED_NO_CNAME
)
1124 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
1125 q
->previous_redirect_unauthenticated
= true;
1126 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
1127 q
->previous_redirect_non_confidential
= true;
1128 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_SYNTHETIC
))
1129 q
->previous_redirect_non_synthetic
= true;
1131 /* OK, let's actually follow the CNAME */
1132 r
= dns_query_cname_redirect(q
, cname
);
1136 return DNS_QUERY_CNAME
; /* Tell caller that we did a single CNAME/DNAME redirection step */
1139 int dns_query_process_cname_many(DnsQuery
*q
) {
1144 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1145 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1146 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1147 * but with extended semantics. Specifically:
1149 * DNS_QUERY_MATCH → as above
1151 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1152 * message, and thus restarted the query to resolve it.
1154 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1155 * CNAME/DNAME match. i.e. this is a NODATA case.
1157 * Note that this function will restart the query for the caller if needed, and that's the case
1158 * DNS_QUERY_CNAME is returned.
1161 r
= dns_query_process_cname_one(q
);
1162 if (r
!= DNS_QUERY_CNAME
)
1163 return r
; /* The first redirect is special: if it doesn't answer the question that's no
1164 * reason to restart the query, we just accept this as a NODATA answer. */
1167 r
= dns_query_process_cname_one(q
);
1168 if (r
< 0 || r
== DNS_QUERY_MATCH
)
1170 if (r
== DNS_QUERY_NOMATCH
) {
1171 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1172 * this. Let's restart the query hence, with the new question. Why the different
1173 * handling than the first chain element? Because if the server answers a direct
1174 * question with an empty answer then this is a NODATA response. But if it responds
1175 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1176 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1177 * chain. This is particular relevant since our cache will store CNAME/DNAME
1178 * redirects that we learnt about for lookups of certain DNS types, but later on we
1179 * can reuse this data even for other DNS types, but in that case need to follow up
1180 * with the final lookup of the chain ourselves with the RR type we ourselves are
1182 r
= dns_query_go(q
);
1186 return DNS_QUERY_CNAME
;
1189 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1190 * continue going then. */
1191 assert(r
== DNS_QUERY_CNAME
);
1195 DnsQuestion
* dns_query_question_for_protocol(DnsQuery
*q
, DnsProtocol protocol
) {
1198 if (q
->question_bypass
)
1199 return q
->question_bypass
->question
;
1203 case DNS_PROTOCOL_DNS
:
1204 return q
->question_idna
;
1206 case DNS_PROTOCOL_MDNS
:
1207 case DNS_PROTOCOL_LLMNR
:
1208 return q
->question_utf8
;
1215 const char *dns_query_string(DnsQuery
*q
) {
1219 /* Returns a somewhat useful human-readable lookup key string for this query */
1221 if (q
->question_bypass
)
1222 return dns_question_first_name(q
->question_bypass
->question
);
1224 if (q
->request_address_string
)
1225 return q
->request_address_string
;
1227 if (q
->request_address_valid
) {
1228 r
= in_addr_to_string(q
->request_family
, &q
->request_address
, &q
->request_address_string
);
1230 return q
->request_address_string
;
1233 name
= dns_question_first_name(q
->question_utf8
);
1237 return dns_question_first_name(q
->question_idna
);
1240 bool dns_query_fully_authenticated(DnsQuery
*q
) {
1243 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) && !q
->previous_redirect_unauthenticated
;
1246 bool dns_query_fully_confidential(DnsQuery
*q
) {
1249 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
) && !q
->previous_redirect_non_confidential
;
1252 bool dns_query_fully_authoritative(DnsQuery
*q
) {
1255 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1256 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
1257 * previous synthetic DNAME/CNAME redirections.)*/
1258 if ((q
->answer_query_flags
& SD_RESOLVED_SYNTHETIC
) && !q
->previous_redirect_non_synthetic
)
1261 /* We are also authoritative for everything coming only from the trust anchor and the local
1262 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
1263 * explicitly check previous redirects here.)*/
1264 return (q
->answer_query_flags
& SD_RESOLVED_FROM_MASK
& ~(SD_RESOLVED_FROM_TRUST_ANCHOR
| SD_RESOLVED_FROM_ZONE
)) == 0;