1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include <netinet/tcp.h>
6 #include "alloc-util.h"
7 #include "dns-domain.h"
8 #include "errno-util.h"
10 #include "hostname-util.h"
11 #include "missing_network.h"
12 #include "random-util.h"
13 #include "resolved-dnssd.h"
14 #include "resolved-dns-scope.h"
15 #include "resolved-dns-synthesize.h"
16 #include "resolved-dns-zone.h"
17 #include "resolved-llmnr.h"
18 #include "resolved-mdns.h"
19 #include "socket-util.h"
22 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
23 #define MULTICAST_RATELIMIT_BURST 1000
25 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
26 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
27 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
29 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
44 .resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
,
46 /* Enforce ratelimiting for the multicast protocols */
47 .ratelimit
= { MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
},
50 if (protocol
== DNS_PROTOCOL_DNS
) {
51 /* Copy DNSSEC mode from the link if it is set there,
52 * otherwise take the manager's DNSSEC mode. Note that
53 * we copy this only at scope creation time, and do
54 * not update it from the on, even if the setting
58 s
->dnssec_mode
= link_get_dnssec_mode(l
);
59 s
->dns_over_tls_mode
= link_get_dns_over_tls_mode(l
);
61 s
->dnssec_mode
= manager_get_dnssec_mode(m
);
62 s
->dns_over_tls_mode
= manager_get_dns_over_tls_mode(m
);
66 s
->dnssec_mode
= DNSSEC_NO
;
67 s
->dns_over_tls_mode
= DNS_OVER_TLS_NO
;
70 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
72 dns_scope_llmnr_membership(s
, true);
73 dns_scope_mdns_membership(s
, true);
75 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->ifname
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
81 static void dns_scope_abort_transactions(DnsScope
*s
) {
84 while (s
->transactions
) {
85 DnsTransaction
*t
= s
->transactions
;
87 /* Abort the transaction, but make sure it is not
88 * freed while we still look at it */
91 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
92 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
95 dns_transaction_free(t
);
99 DnsScope
* dns_scope_free(DnsScope
*s
) {
103 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->ifname
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
105 dns_scope_llmnr_membership(s
, false);
106 dns_scope_mdns_membership(s
, false);
107 dns_scope_abort_transactions(s
);
109 while (s
->query_candidates
)
110 dns_query_candidate_unref(s
->query_candidates
);
112 hashmap_free(s
->transactions_by_key
);
114 ordered_hashmap_free_with_destructor(s
->conflict_queue
, dns_resource_record_unref
);
115 sd_event_source_disable_unref(s
->conflict_event_source
);
117 sd_event_source_disable_unref(s
->announce_event_source
);
119 sd_event_source_disable_unref(s
->mdns_goodbye_event_source
);
121 dns_cache_flush(&s
->cache
);
122 dns_zone_flush(&s
->zone
);
124 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
128 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
131 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
135 return link_get_dns_server(s
->link
);
137 return manager_get_dns_server(s
->manager
);
140 unsigned dns_scope_get_n_dns_servers(DnsScope
*s
) {
143 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
147 return s
->link
->n_dns_servers
;
149 return s
->manager
->n_dns_servers
;
152 void dns_scope_next_dns_server(DnsScope
*s
, DnsServer
*if_current
) {
155 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
158 /* Changes to the next DNS server in the list. If 'if_current' is passed will do so only if the
159 * current DNS server still matches it. */
162 link_next_dns_server(s
->link
, if_current
);
164 manager_next_dns_server(s
->manager
, if_current
);
167 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
170 if (rtt
<= s
->max_rtt
)
174 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
177 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
180 if (s
->resend_timeout
<= usec
)
181 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
184 static int dns_scope_emit_one(DnsScope
*s
, int fd
, int family
, DnsPacket
*p
) {
189 assert(p
->protocol
== s
->protocol
);
191 if (family
== AF_UNSPEC
) {
192 if (s
->family
== AF_UNSPEC
)
193 return -EAFNOSUPPORT
;
198 switch (s
->protocol
) {
200 case DNS_PROTOCOL_DNS
: {
201 size_t mtu
, udp_size
, min_mtu
, socket_mtu
= 0;
205 if (DNS_PACKET_QDCOUNT(p
) > 1) /* Classic DNS only allows one question per packet */
208 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
211 /* Determine the local most accurate MTU */
215 mtu
= manager_find_mtu(s
->manager
);
217 /* Acquire the socket's PMDU MTU */
218 r
= socket_get_mtu(fd
, family
, &socket_mtu
);
219 if (r
< 0 && !ERRNO_IS_DISCONNECT(r
)) /* Will return ENOTCONN if no information is available yet */
220 return log_debug_errno(r
, "Failed to read socket MTU: %m");
222 /* Determine the appropriate UDP header size */
223 udp_size
= udp_header_size(family
);
224 min_mtu
= udp_size
+ DNS_PACKET_HEADER_SIZE
;
226 log_debug("Emitting UDP, link MTU is %zu, socket MTU is %zu, minimal MTU is %zu",
227 mtu
, socket_mtu
, min_mtu
);
229 /* Clamp by the kernel's idea of the (path) MTU */
230 if (socket_mtu
!= 0 && socket_mtu
< mtu
)
233 /* Put a lower limit, in case all MTU data we acquired was rubbish */
237 /* Now check our packet size against the MTU we determined */
238 if (udp_size
+ p
->size
> mtu
)
239 return -EMSGSIZE
; /* This means: try TCP instead */
241 r
= manager_write(s
->manager
, fd
, p
);
248 case DNS_PROTOCOL_LLMNR
: {
249 union in_addr_union addr
;
253 if (DNS_PACKET_QDCOUNT(p
) > 1)
256 if (!ratelimit_below(&s
->ratelimit
))
259 if (family
== AF_INET
) {
260 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
261 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
262 } else if (family
== AF_INET6
) {
263 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
264 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
266 return -EAFNOSUPPORT
;
270 r
= manager_send(s
->manager
, fd
, s
->link
->ifindex
, family
, &addr
, LLMNR_PORT
, NULL
, p
);
277 case DNS_PROTOCOL_MDNS
: {
278 union in_addr_union addr
;
281 if (!ratelimit_below(&s
->ratelimit
))
284 if (family
== AF_INET
) {
285 if (in4_addr_is_null(&p
->destination
.in
))
286 addr
.in
= MDNS_MULTICAST_IPV4_ADDRESS
;
288 addr
= p
->destination
;
289 fd
= manager_mdns_ipv4_fd(s
->manager
);
290 } else if (family
== AF_INET6
) {
291 if (in6_addr_is_null(&p
->destination
.in6
))
292 addr
.in6
= MDNS_MULTICAST_IPV6_ADDRESS
;
294 addr
= p
->destination
;
295 fd
= manager_mdns_ipv6_fd(s
->manager
);
297 return -EAFNOSUPPORT
;
301 r
= manager_send(s
->manager
, fd
, s
->link
->ifindex
, family
, &addr
, p
->destination_port
?: MDNS_PORT
, NULL
, p
);
309 return -EAFNOSUPPORT
;
315 int dns_scope_emit_udp(DnsScope
*s
, int fd
, int af
, DnsPacket
*p
) {
320 assert(p
->protocol
== s
->protocol
);
321 assert((s
->protocol
== DNS_PROTOCOL_DNS
) == (fd
>= 0));
324 /* If there are multiple linked packets, set the TC bit in all but the last of them */
326 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
327 dns_packet_set_flags(p
, true, true);
330 r
= dns_scope_emit_one(s
, fd
, af
, p
);
340 static int dns_scope_socket(
344 const union in_addr_union
*address
,
347 union sockaddr_union
*ret_socket_address
) {
349 _cleanup_close_
int fd
= -EBADF
;
350 union sockaddr_union sa
;
357 assert(family
== AF_UNSPEC
);
360 ifindex
= dns_server_ifindex(server
);
362 switch (server
->family
) {
364 sa
= (union sockaddr_union
) {
365 .in
.sin_family
= server
->family
,
366 .in
.sin_port
= htobe16(port
),
367 .in
.sin_addr
= server
->address
.in
,
369 salen
= sizeof(sa
.in
);
372 sa
= (union sockaddr_union
) {
373 .in6
.sin6_family
= server
->family
,
374 .in6
.sin6_port
= htobe16(port
),
375 .in6
.sin6_addr
= server
->address
.in6
,
376 .in6
.sin6_scope_id
= ifindex
,
378 salen
= sizeof(sa
.in6
);
381 return -EAFNOSUPPORT
;
384 assert(family
!= AF_UNSPEC
);
387 ifindex
= dns_scope_ifindex(s
);
391 sa
= (union sockaddr_union
) {
392 .in
.sin_family
= family
,
393 .in
.sin_port
= htobe16(port
),
394 .in
.sin_addr
= address
->in
,
396 salen
= sizeof(sa
.in
);
399 sa
= (union sockaddr_union
) {
400 .in6
.sin6_family
= family
,
401 .in6
.sin6_port
= htobe16(port
),
402 .in6
.sin6_addr
= address
->in6
,
403 .in6
.sin6_scope_id
= ifindex
,
405 salen
= sizeof(sa
.in6
);
408 return -EAFNOSUPPORT
;
412 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
416 if (type
== SOCK_STREAM
) {
417 r
= setsockopt_int(fd
, IPPROTO_TCP
, TCP_NODELAY
, true);
422 bool addr_is_nonlocal
= s
->link
&&
423 !manager_find_link_address(s
->manager
, sa
.sa
.sa_family
, sockaddr_in_addr(&sa
.sa
)) &&
424 in_addr_is_localhost(sa
.sa
.sa_family
, sockaddr_in_addr(&sa
.sa
)) == 0;
426 if (addr_is_nonlocal
&& ifindex
!= 0) {
427 /* As a special exception we don't use UNICAST_IF if we notice that the specified IP address
428 * is on the local host. Otherwise, destination addresses on the local host result in
429 * EHOSTUNREACH, since Linux won't send the packets out of the specified interface, but
430 * delivers them directly to the local socket. */
431 r
= socket_set_unicast_if(fd
, sa
.sa
.sa_family
, ifindex
);
436 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
437 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
438 r
= socket_set_ttl(fd
, sa
.sa
.sa_family
, 1);
443 if (type
== SOCK_DGRAM
) {
444 /* Set IP_RECVERR or IPV6_RECVERR to get ICMP error feedback. See discussion in #10345. */
445 r
= socket_set_recverr(fd
, sa
.sa
.sa_family
, true);
449 r
= socket_set_recvpktinfo(fd
, sa
.sa
.sa_family
, true);
453 /* Turn of path MTU discovery for security reasons */
454 r
= socket_disable_pmtud(fd
, sa
.sa
.sa_family
);
456 log_debug_errno(r
, "Failed to disable UDP PMTUD, ignoring: %m");
458 /* Learn about fragmentation taking place */
459 r
= socket_set_recvfragsize(fd
, sa
.sa
.sa_family
, true);
461 log_debug_errno(r
, "Failed to enable fragment size reception, ignoring: %m");
464 if (ret_socket_address
)
465 *ret_socket_address
= sa
;
469 /* Let's temporarily bind the socket to the specified ifindex. Older kernels only take
470 * the SO_BINDTODEVICE/SO_BINDTOINDEX ifindex into account when making routing decisions
471 * in connect() — and not IP_UNICAST_IF. We don't really want any of the other semantics of
472 * SO_BINDTODEVICE/SO_BINDTOINDEX, hence we immediately unbind the socket after the fact
475 if (addr_is_nonlocal
) {
476 r
= socket_bind_to_ifindex(fd
, ifindex
);
483 r
= connect(fd
, &sa
.sa
, salen
);
484 if (r
< 0 && errno
!= EINPROGRESS
)
488 r
= socket_bind_to_ifindex(fd
, 0);
497 int dns_scope_socket_udp(DnsScope
*s
, DnsServer
*server
) {
498 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, server
, dns_server_port(server
), NULL
);
501 int dns_scope_socket_tcp(DnsScope
*s
, int family
, const union in_addr_union
*address
, DnsServer
*server
, uint16_t port
, union sockaddr_union
*ret_socket_address
) {
502 /* If ret_socket_address is not NULL, the caller is responsible
503 * for calling connect() or sendmsg(). This is required by TCP
504 * Fast Open, to be able to send the initial SYN packet along
505 * with the first data packet. */
506 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, server
, port
, ret_socket_address
);
509 static DnsScopeMatch
match_link_local_reverse_lookups(const char *domain
) {
512 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") > 0)
513 return DNS_SCOPE_YES_BASE
+ 4; /* 4 labels match */
515 if (dns_name_endswith(domain
, "8.e.f.ip6.arpa") > 0 ||
516 dns_name_endswith(domain
, "9.e.f.ip6.arpa") > 0 ||
517 dns_name_endswith(domain
, "a.e.f.ip6.arpa") > 0 ||
518 dns_name_endswith(domain
, "b.e.f.ip6.arpa") > 0)
519 return DNS_SCOPE_YES_BASE
+ 5; /* 5 labels match */
521 return _DNS_SCOPE_MATCH_INVALID
;
524 static DnsScopeMatch
match_subnet_reverse_lookups(
529 union in_addr_union ia
;
535 /* Checks whether the specified domain is a reverse address domain (i.e. in the .in-addr.arpa or
536 * .ip6.arpa area), and if so, whether the address matches any of the local subnets of the link the
537 * scope is associated with. If so, our scope should consider itself relevant for any lookup in the
538 * domain, since it apparently refers to hosts on this link's subnet.
540 * If 'exclude_own' is true this will return DNS_SCOPE_NO for any IP addresses assigned locally. This
541 * is useful for LLMNR/mDNS as we never want to look up our own hostname on LLMNR/mDNS but always use
542 * the locally synthesized one. */
545 return _DNS_SCOPE_MATCH_INVALID
; /* No link, hence no local addresses to check */
547 r
= dns_name_address(domain
, &f
, &ia
);
549 log_debug_errno(r
, "Failed to determine whether '%s' is an address domain: %m", domain
);
551 return _DNS_SCOPE_MATCH_INVALID
;
553 if (s
->family
!= AF_UNSPEC
&& f
!= s
->family
)
554 return _DNS_SCOPE_MATCH_INVALID
; /* Don't look for IPv4 addresses on LLMNR/mDNS over IPv6 and vice versa */
556 if (in_addr_is_null(f
, &ia
))
559 LIST_FOREACH(addresses
, a
, s
->link
->addresses
) {
564 /* Equals our own address? nah, let's not use this scope. The local synthesizer will pick it up for us. */
566 in_addr_equal(f
, &a
->in_addr
, &ia
) > 0)
569 if (a
->prefixlen
== UCHAR_MAX
) /* don't know subnet mask */
572 /* Don't send mDNS queries for the IPv4 broadcast address */
573 if (f
== AF_INET
&& in_addr_equal(f
, &a
->in_addr_broadcast
, &ia
) > 0)
576 /* Check if the address is in the local subnet */
577 r
= in_addr_prefix_covers(f
, &a
->in_addr
, a
->prefixlen
, &ia
);
579 log_debug_errno(r
, "Failed to determine whether link address covers lookup address '%s': %m", domain
);
581 /* Note that we only claim zero labels match. This is so that this is at the same
582 * priority a DNS scope with "." as routing domain is. */
583 return DNS_SCOPE_YES_BASE
+ 0;
586 return _DNS_SCOPE_MATCH_INVALID
;
589 /* https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml */
590 /* https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml */
591 static bool dns_refuse_special_use_domain(const char *domain
, DnsQuestion
*question
) {
592 /* RFC9462 § 6.4: resolvers SHOULD respond to queries of any type other than SVCB for
593 * _dns.resolver.arpa. with NODATA and queries of any type for any domain name under
594 * resolver.arpa with NODATA. */
595 if (dns_name_equal(domain
, "_dns.resolver.arpa") > 0) {
598 /* Only SVCB is permitted to _dns.resolver.arpa */
599 DNS_QUESTION_FOREACH(t
, question
)
600 if (t
->type
== DNS_TYPE_SVCB
)
606 if (dns_name_endswith(domain
, "resolver.arpa") > 0)
612 DnsScopeMatch
dns_scope_good_domain(
615 uint64_t query_flags
) {
617 DnsQuestion
*question
;
622 /* This returns the following return values:
624 * DNS_SCOPE_NO → This scope is not suitable for lookups of this domain, at all
625 * DNS_SCOPE_LAST_RESORT→ This scope is not suitable, unless we have no alternative
626 * DNS_SCOPE_MAYBE → This scope is suitable, but only if nothing else wants it
627 * DNS_SCOPE_YES_BASE+n → This scope is suitable, and 'n' suffix labels match
629 * (The idea is that the caller will only use the scopes with the longest 'n' returned. If no scopes return
630 * DNS_SCOPE_YES_BASE+n, then it should use those which returned DNS_SCOPE_MAYBE. It should never use those
631 * which returned DNS_SCOPE_NO.)
637 question
= dns_query_question_for_protocol(q
, s
->protocol
);
641 domain
= dns_question_first_name(question
);
645 ifindex
= q
->ifindex
;
648 /* Checks if the specified domain is something to look up on this scope. Note that this accepts
649 * non-qualified hostnames, i.e. those without any search path suffixed. */
651 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
654 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
, false, false) & flags
) == 0)
657 /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on
658 * synthesized RRs for these. */
659 if (is_localhost(domain
) ||
660 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
661 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
664 /* Never respond to some of the domains listed in RFC6303 + RFC6761 */
665 if (dns_name_dont_resolve(domain
))
668 /* Avoid asking invalid questions of some special use domains */
669 if (dns_refuse_special_use_domain(domain
, question
))
672 /* Never go to network for the _gateway, _outbound, _localdnsstub, _localdnsproxy domain — they're something special, synthesized locally. */
673 if (is_gateway_hostname(domain
) ||
674 is_outbound_hostname(domain
) ||
675 is_dns_stub_hostname(domain
) ||
676 is_dns_proxy_stub_hostname(domain
))
679 /* Don't look up the local host name via the network, unless user turned of local synthesis of it */
680 if (manager_is_own_hostname(s
->manager
, domain
) && shall_synthesize_own_hostname_rrs())
683 /* Never send SOA or NS or DNSSEC request to LLMNR, where they make little sense. */
684 r
= dns_question_types_suitable_for_protocol(question
, s
->protocol
);
688 switch (s
->protocol
) {
690 case DNS_PROTOCOL_DNS
: {
691 bool has_search_domains
= false;
695 if (dns_name_is_root(domain
)) {
699 /* Refuse root name if only A and/or AAAA records are requested. */
701 DNS_QUESTION_FOREACH(t
, question
)
702 if (!IN_SET(t
->type
, DNS_TYPE_A
, DNS_TYPE_AAAA
)) {
711 /* Never route things to scopes that lack DNS servers */
712 if (!dns_scope_get_dns_server(s
))
715 /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
716 * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
717 * won't be considered anymore. */
718 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
)) {
720 if (!d
->route_only
&& !dns_name_is_root(d
->name
))
721 has_search_domains
= true;
723 if (dns_name_endswith(domain
, d
->name
) > 0) {
726 c
= dns_name_count_labels(d
->name
);
735 /* If there's a true search domain defined for this scope, and the query is single-label,
736 * then let's resolve things here, preferably. Note that LLMNR considers itself
737 * authoritative for single-label names too, at the same preference, see below. */
738 if (has_search_domains
&& dns_name_is_single_label(domain
))
739 return DNS_SCOPE_YES_BASE
+ 1;
741 /* If ResolveUnicastSingleLabel=yes and the query is single-label, then bump match result
742 to prevent LLMNR monopoly among candidates. */
743 if ((s
->manager
->resolve_unicast_single_label
|| (query_flags
& SD_RESOLVED_RELAX_SINGLE_LABEL
)) &&
744 dns_name_is_single_label(domain
))
745 return DNS_SCOPE_YES_BASE
+ 1;
747 /* Let's return the number of labels in the best matching result */
749 assert(n_best
<= DNS_SCOPE_YES_END
- DNS_SCOPE_YES_BASE
);
750 return DNS_SCOPE_YES_BASE
+ n_best
;
753 /* Exclude link-local IP ranges */
754 if (match_link_local_reverse_lookups(domain
) >= DNS_SCOPE_YES_BASE
||
755 /* If networks use .local in their private setups, they are supposed to also add .local
756 * to their search domains, which we already checked above. Otherwise, we consider .local
757 * specific to mDNS and won't send such queries ordinary DNS servers. */
758 dns_name_endswith(domain
, "local") > 0)
761 /* If the IP address to look up matches the local subnet, then implicitly synthesizes
762 * DNS_SCOPE_YES_BASE + 0 on this interface, i.e. preferably resolve IP addresses via the DNS
763 * server belonging to this interface. */
764 m
= match_subnet_reverse_lookups(s
, domain
, false);
768 /* If there was no match at all, then see if this scope is suitable as default route. */
769 if (!dns_scope_is_default_route(s
))
772 /* Prefer suitable per-link scopes where possible */
773 if (dns_server_is_fallback(dns_scope_get_dns_server(s
)))
774 return DNS_SCOPE_LAST_RESORT
;
776 return DNS_SCOPE_MAYBE
;
779 case DNS_PROTOCOL_MDNS
: {
782 m
= match_link_local_reverse_lookups(domain
);
786 m
= match_subnet_reverse_lookups(s
, domain
, true);
790 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
791 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0))
792 return DNS_SCOPE_LAST_RESORT
;
794 if ((dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
795 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
796 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
797 return DNS_SCOPE_YES_BASE
+ 1; /* Return +1, as the top-level .local domain matches, i.e. one label */
802 case DNS_PROTOCOL_LLMNR
: {
805 m
= match_link_local_reverse_lookups(domain
);
809 m
= match_subnet_reverse_lookups(s
, domain
, true);
813 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
814 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0))
815 return DNS_SCOPE_LAST_RESORT
;
817 if ((dns_name_is_single_label(domain
) && /* only resolve single label names via LLMNR */
818 dns_name_equal(domain
, "local") == 0 && /* don't resolve "local" with LLMNR, it's the top-level domain of mDNS after all, see above */
819 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
820 return DNS_SCOPE_YES_BASE
+ 1; /* Return +1, as we consider ourselves authoritative
821 * for single-label names, i.e. one label. This is
822 * particularly relevant as it means a "." route on some
823 * other scope won't pull all traffic away from
824 * us. (If people actually want to pull traffic away
825 * from us they should turn off LLMNR on the
826 * link). Note that unicast DNS scopes with search
827 * domains also consider themselves authoritative for
828 * single-label domains, at the same preference (see
835 assert_not_reached();
839 bool dns_scope_good_key(DnsScope
*s
, const DnsResourceKey
*key
) {
845 /* Check if it makes sense to resolve the specified key on this scope. Note that this call assumes a
846 * fully qualified name, i.e. the search suffixes already appended. */
848 if (!IN_SET(key
->class, DNS_CLASS_IN
, DNS_CLASS_ANY
))
851 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
853 /* On classic DNS, looking up non-address RRs is always fine. (Specifically, we want to
854 * permit looking up DNSKEY and DS records on the root and top-level domains.) */
855 if (!dns_resource_key_is_address(key
))
858 /* Unless explicitly overridden, we refuse to look up A and AAAA RRs on the root and
859 * single-label domains, under the assumption that those should be resolved via LLMNR or
860 * search path only, and should not be leaked onto the internet. */
861 const char* name
= dns_resource_key_name(key
);
863 if (!s
->manager
->resolve_unicast_single_label
&&
864 dns_name_is_single_label(name
))
867 return !dns_name_is_root(name
);
870 /* Never route DNSSEC RR queries to LLMNR/mDNS scopes */
871 if (dns_type_is_dnssec(key
->type
))
874 /* On mDNS and LLMNR, send A and AAAA queries only on the respective scopes */
876 key_family
= dns_type_to_af(key
->type
);
880 return key_family
== s
->family
;
883 static int dns_scope_multicast_membership(DnsScope
*s
, bool b
, struct in_addr in
, struct in6_addr in6
) {
889 if (s
->family
== AF_INET
) {
890 struct ip_mreqn mreqn
= {
892 .imr_ifindex
= s
->link
->ifindex
,
895 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
896 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
898 fd
= manager_mdns_ipv4_fd(s
->manager
);
903 /* Always first try to drop membership before we add
904 * one. This is necessary on some devices, such as
907 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
909 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
912 } else if (s
->family
== AF_INET6
) {
913 struct ipv6_mreq mreq
= {
914 .ipv6mr_multiaddr
= in6
,
915 .ipv6mr_interface
= s
->link
->ifindex
,
918 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
919 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
921 fd
= manager_mdns_ipv6_fd(s
->manager
);
927 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
929 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
932 return -EAFNOSUPPORT
;
937 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
940 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
943 return dns_scope_multicast_membership(s
, b
, LLMNR_MULTICAST_IPV4_ADDRESS
, LLMNR_MULTICAST_IPV6_ADDRESS
);
946 int dns_scope_mdns_membership(DnsScope
*s
, bool b
) {
949 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
952 return dns_scope_multicast_membership(s
, b
, MDNS_MULTICAST_IPV4_ADDRESS
, MDNS_MULTICAST_IPV6_ADDRESS
);
955 int dns_scope_make_reply_packet(
965 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
966 unsigned n_answer
= 0, n_soa
= 0;
973 if (dns_question_isempty(q
) &&
974 dns_answer_isempty(answer
) &&
975 dns_answer_isempty(soa
))
978 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
982 /* mDNS answers must have the Authoritative Answer bit set, see RFC 6762, section 18.4. */
983 c_or_aa
= s
->protocol
== DNS_PROTOCOL_MDNS
;
985 DNS_PACKET_HEADER(p
)->id
= id
;
986 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
997 r
= dns_packet_append_question(p
, q
);
1000 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(dns_question_size(q
));
1002 r
= dns_packet_append_answer(p
, answer
, &n_answer
);
1005 DNS_PACKET_HEADER(p
)->ancount
= htobe16(n_answer
);
1007 r
= dns_packet_append_answer(p
, soa
, &n_soa
);
1010 DNS_PACKET_HEADER(p
)->arcount
= htobe16(n_soa
);
1017 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
1018 DnsResourceRecord
*rr
;
1019 DnsResourceKey
*key
;
1024 DNS_QUESTION_FOREACH(key
, p
->question
)
1025 dns_zone_verify_conflicts(&s
->zone
, key
);
1027 DNS_ANSWER_FOREACH(rr
, p
->answer
)
1028 dns_zone_verify_conflicts(&s
->zone
, rr
->key
);
1031 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
1032 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
1033 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
1034 DnsResourceKey
*key
= NULL
;
1035 bool tentative
= false;
1041 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
1044 if (p
->ipproto
== IPPROTO_UDP
) {
1045 /* Don't accept UDP queries directed to anything but
1046 * the LLMNR multicast addresses. See RFC 4795,
1049 if (p
->family
== AF_INET
&& !in4_addr_equal(&p
->destination
.in
, &LLMNR_MULTICAST_IPV4_ADDRESS
))
1052 if (p
->family
== AF_INET6
&& !in6_addr_equal(&p
->destination
.in6
, &LLMNR_MULTICAST_IPV6_ADDRESS
))
1056 r
= dns_packet_extract(p
);
1058 log_debug_errno(r
, "Failed to extract resource records from incoming packet: %m");
1062 if (DNS_PACKET_LLMNR_C(p
)) {
1063 /* Somebody notified us about a possible conflict */
1064 dns_scope_verify_conflicts(s
, p
);
1068 if (dns_question_size(p
->question
) != 1)
1069 return (void) log_debug("Received LLMNR query without question or multiple questions, ignoring.");
1071 key
= dns_question_first_key(p
->question
);
1073 r
= dns_zone_lookup(&s
->zone
, key
, 0, &answer
, &soa
, &tentative
);
1075 log_debug_errno(r
, "Failed to look up key: %m");
1082 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
1084 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
1086 log_debug_errno(r
, "Failed to build reply packet: %m");
1091 r
= dns_stream_write_packet(stream
, reply
);
1093 log_debug_errno(r
, "Failed to enqueue reply packet: %m");
1097 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
1098 * will be dangling until the stream is disconnected, and the default completion handler of the stream
1099 * will then unref the stream and destroy it */
1100 if (DNS_STREAM_QUEUED(stream
))
1101 dns_stream_ref(stream
);
1105 if (!ratelimit_below(&s
->ratelimit
))
1108 if (p
->family
== AF_INET
)
1109 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
1110 else if (p
->family
== AF_INET6
)
1111 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
1113 log_debug("Unknown protocol");
1117 log_debug_errno(fd
, "Failed to get reply socket: %m");
1121 /* Note that we always immediately reply to all LLMNR
1122 * requests, and do not wait any time, since we
1123 * verified uniqueness for all records. Also see RFC
1124 * 4795, Section 2.7 */
1126 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, NULL
, reply
);
1128 log_debug_errno(r
, "Failed to send reply packet: %m");
1134 DnsTransaction
*dns_scope_find_transaction(
1136 DnsResourceKey
*key
,
1137 uint64_t query_flags
) {
1139 DnsTransaction
*first
;
1144 /* Iterate through the list of transactions with a matching key */
1145 first
= hashmap_get(scope
->transactions_by_key
, key
);
1146 LIST_FOREACH(transactions_by_key
, t
, first
) {
1148 /* These four flags must match exactly: we cannot use a validated response for a
1149 * non-validating client, and we cannot use a non-validated response for a validating
1150 * client. Similar, if the sources don't match things aren't usable either. */
1151 if (((query_flags
^ t
->query_flags
) &
1152 (SD_RESOLVED_NO_VALIDATE
|
1153 SD_RESOLVED_NO_ZONE
|
1154 SD_RESOLVED_NO_TRUST_ANCHOR
|
1155 SD_RESOLVED_NO_NETWORK
)) != 0)
1158 /* We can reuse a primary query if a regular one is requested, but not vice versa */
1159 if ((query_flags
& SD_RESOLVED_REQUIRE_PRIMARY
) &&
1160 !(t
->query_flags
& SD_RESOLVED_REQUIRE_PRIMARY
))
1163 /* Don't reuse a transaction that allowed caching when we got told not to use it */
1164 if ((query_flags
& SD_RESOLVED_NO_CACHE
) &&
1165 !(t
->query_flags
& SD_RESOLVED_NO_CACHE
))
1168 /* If we are asked to clamp ttls and the existing transaction doesn't do it, we can't
1170 if ((query_flags
& SD_RESOLVED_CLAMP_TTL
) &&
1171 !(t
->query_flags
& SD_RESOLVED_CLAMP_TTL
))
1180 static int dns_scope_make_conflict_packet(
1182 DnsResourceRecord
*rr
,
1185 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1192 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
1196 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
1207 /* For mDNS, the transaction ID should always be 0 */
1208 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
1209 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
1211 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
1212 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
1214 r
= dns_packet_append_key(p
, rr
->key
, 0, NULL
);
1218 r
= dns_packet_append_rr(p
, rr
, 0, NULL
, NULL
);
1227 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
1228 DnsScope
*scope
= ASSERT_PTR(userdata
);
1233 scope
->conflict_event_source
= sd_event_source_disable_unref(scope
->conflict_event_source
);
1236 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1237 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
1238 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1240 key
= ordered_hashmap_first_key(scope
->conflict_queue
);
1244 rr
= ordered_hashmap_remove(scope
->conflict_queue
, key
);
1247 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
1249 log_error_errno(r
, "Failed to make conflict packet: %m");
1253 r
= dns_scope_emit_udp(scope
, -1, AF_UNSPEC
, p
);
1255 log_debug_errno(r
, "Failed to send conflict packet: %m");
1261 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
1267 /* We don't send these queries immediately. Instead, we queue
1268 * them, and send them after some jitter delay. */
1269 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
1275 /* We only place one RR per key in the conflict
1276 * messages, not all of them. That should be enough to
1277 * indicate where there might be a conflict */
1278 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
1279 if (IN_SET(r
, 0, -EEXIST
))
1282 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
1284 dns_resource_key_ref(rr
->key
);
1285 dns_resource_record_ref(rr
);
1287 if (scope
->conflict_event_source
)
1290 r
= sd_event_add_time_relative(
1291 scope
->manager
->event
,
1292 &scope
->conflict_event_source
,
1294 random_u64_range(LLMNR_JITTER_INTERVAL_USEC
),
1296 on_conflict_dispatch
, scope
);
1298 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
1300 (void) sd_event_source_set_description(scope
->conflict_event_source
, "scope-conflict");
1305 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
1306 DnsResourceRecord
*rr
;
1312 if (!IN_SET(p
->protocol
, DNS_PROTOCOL_LLMNR
, DNS_PROTOCOL_MDNS
))
1315 if (DNS_PACKET_RRCOUNT(p
) <= 0)
1318 if (p
->protocol
== DNS_PROTOCOL_LLMNR
) {
1319 if (DNS_PACKET_LLMNR_C(p
) != 0)
1322 if (DNS_PACKET_LLMNR_T(p
) != 0)
1326 if (manager_packet_from_local_address(scope
->manager
, p
))
1329 r
= dns_packet_extract(p
);
1331 log_debug_errno(r
, "Failed to extract packet: %m");
1335 log_debug("Checking for conflicts...");
1337 DNS_ANSWER_FOREACH(rr
, p
->answer
) {
1338 /* No conflict if it is DNS-SD RR used for service enumeration. */
1339 if (dns_resource_key_is_dnssd_ptr(rr
->key
))
1342 /* Check for conflicts against the local zone. If we
1343 * found one, we won't check any further */
1344 r
= dns_zone_check_conflicts(&scope
->zone
, rr
);
1348 /* Check for conflicts against the local cache. If so,
1349 * send out an advisory query, to inform everybody */
1350 r
= dns_cache_check_conflicts(&scope
->cache
, rr
, p
->family
, &p
->sender
);
1354 dns_scope_notify_conflict(scope
, rr
);
1358 void dns_scope_dump(DnsScope
*s
, FILE *f
) {
1364 fputs("[Scope protocol=", f
);
1365 fputs(dns_protocol_to_string(s
->protocol
), f
);
1368 fputs(" interface=", f
);
1369 fputs(s
->link
->ifname
, f
);
1372 if (s
->family
!= AF_UNSPEC
) {
1373 fputs(" family=", f
);
1374 fputs(af_to_name(s
->family
), f
);
1379 if (!dns_zone_is_empty(&s
->zone
)) {
1380 fputs("ZONE:\n", f
);
1381 dns_zone_dump(&s
->zone
, f
);
1384 if (!dns_cache_is_empty(&s
->cache
)) {
1385 fputs("CACHE:\n", f
);
1386 dns_cache_dump(&s
->cache
, f
);
1390 DnsSearchDomain
*dns_scope_get_search_domains(DnsScope
*s
) {
1393 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1397 return s
->link
->search_domains
;
1399 return s
->manager
->search_domains
;
1402 bool dns_scope_name_wants_search_domain(DnsScope
*s
, const char *name
) {
1405 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1408 if (!dns_name_is_single_label(name
))
1411 /* If we allow single-label domain lookups on unicast DNS, and this scope has a search domain that matches
1412 * _exactly_ this name, then do not use search domains. */
1413 if (s
->manager
->resolve_unicast_single_label
)
1414 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
))
1415 if (dns_name_equal(name
, d
->name
) > 0)
1421 bool dns_scope_network_good(DnsScope
*s
) {
1422 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1423 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1424 * DNS scope we check whether there are any links that are up and have an address.
1426 * Note that Linux routing is complex and even systems that superficially have no IPv4 address might
1427 * be able to route IPv4 (and similar for IPv6), hence let's make a check here independent of address
1433 return manager_routable(s
->manager
);
1436 int dns_scope_ifindex(DnsScope
*s
) {
1440 return s
->link
->ifindex
;
1445 const char* dns_scope_ifname(DnsScope
*s
) {
1449 return s
->link
->ifname
;
1454 static int on_announcement_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
1455 DnsScope
*scope
= userdata
;
1459 scope
->announce_event_source
= sd_event_source_disable_unref(scope
->announce_event_source
);
1461 (void) dns_scope_announce(scope
, false);
1465 int dns_scope_announce(DnsScope
*scope
, bool goodbye
) {
1466 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
1467 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1468 _cleanup_set_free_ Set
*types
= NULL
;
1477 if (scope
->protocol
!= DNS_PROTOCOL_MDNS
)
1480 r
= sd_event_get_state(scope
->manager
->event
);
1482 return log_debug_errno(r
, "Failed to get event loop state: %m");
1484 /* If this is called on exit, through manager_free() -> link_free(), then we cannot announce. */
1485 if (r
== SD_EVENT_FINISHED
)
1488 /* Check if we're done with probing. */
1489 LIST_FOREACH(transactions_by_scope
, t
, scope
->transactions
)
1490 if (t
->probing
&& DNS_TRANSACTION_IS_LIVE(t
->state
))
1493 /* Check if there're services pending conflict resolution. */
1494 if (manager_next_dnssd_names(scope
->manager
))
1495 return 0; /* we reach this point only if changing hostname didn't help */
1497 /* Calculate answer's size. */
1498 HASHMAP_FOREACH(z
, scope
->zone
.by_key
) {
1499 if (z
->state
!= DNS_ZONE_ITEM_ESTABLISHED
)
1502 if (z
->rr
->key
->type
== DNS_TYPE_PTR
&&
1503 !dns_zone_contains_name(&scope
->zone
, z
->rr
->ptr
.name
)) {
1504 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
1506 log_debug("Skip PTR RR <%s> since its counterparts seem to be withdrawn", dns_resource_key_to_string(z
->rr
->key
, key_str
, sizeof key_str
));
1507 z
->state
= DNS_ZONE_ITEM_WITHDRAWN
;
1511 /* Collect service types for _services._dns-sd._udp.local RRs in a set. Only two-label names
1512 * (not selective names) are considered according to RFC6763 § 9. */
1513 if (!scope
->announced
&&
1514 dns_resource_key_is_dnssd_two_label_ptr(z
->rr
->key
)) {
1515 if (!set_contains(types
, dns_resource_key_name(z
->rr
->key
))) {
1516 r
= set_ensure_put(&types
, &dns_name_hash_ops
, dns_resource_key_name(z
->rr
->key
));
1518 return log_debug_errno(r
, "Failed to add item to set: %m");
1522 LIST_FOREACH(by_key
, i
, z
)
1526 answer
= dns_answer_new(size
+ set_size(types
));
1530 /* Second iteration, actually add RRs to the answer. */
1531 HASHMAP_FOREACH(z
, scope
->zone
.by_key
)
1532 LIST_FOREACH (by_key
, i
, z
) {
1533 DnsAnswerFlags flags
;
1535 if (i
->state
!= DNS_ZONE_ITEM_ESTABLISHED
)
1538 if (dns_resource_key_is_dnssd_ptr(i
->rr
->key
))
1539 flags
= goodbye
? DNS_ANSWER_GOODBYE
: 0;
1541 flags
= goodbye
? (DNS_ANSWER_GOODBYE
|DNS_ANSWER_CACHE_FLUSH
) : DNS_ANSWER_CACHE_FLUSH
;
1543 r
= dns_answer_add(answer
, i
->rr
, 0, flags
, NULL
);
1545 return log_debug_errno(r
, "Failed to add RR to announce: %m");
1548 /* Since all the active services are in the zone make them discoverable now. */
1549 SET_FOREACH(service_type
, types
) {
1550 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
1552 rr
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_PTR
,
1553 "_services._dns-sd._udp.local");
1557 rr
->ptr
.name
= strdup(service_type
);
1561 rr
->ttl
= MDNS_DEFAULT_TTL
;
1563 r
= dns_zone_put(&scope
->zone
, scope
, rr
, false);
1565 log_warning_errno(r
, "Failed to add DNS-SD PTR record to MDNS zone, ignoring: %m");
1567 r
= dns_answer_add(answer
, rr
, 0, 0, NULL
);
1569 return log_debug_errno(r
, "Failed to add RR to announce: %m");
1572 if (dns_answer_isempty(answer
))
1575 r
= dns_scope_make_reply_packet(scope
, 0, DNS_RCODE_SUCCESS
, NULL
, answer
, NULL
, false, &p
);
1577 return log_debug_errno(r
, "Failed to build reply packet: %m");
1579 r
= dns_scope_emit_udp(scope
, -1, AF_UNSPEC
, p
);
1581 return log_debug_errno(r
, "Failed to send reply packet: %m");
1583 /* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
1584 * responses, one second apart." */
1585 if (!scope
->announced
) {
1586 scope
->announced
= true;
1588 r
= sd_event_add_time_relative(
1589 scope
->manager
->event
,
1590 &scope
->announce_event_source
,
1592 MDNS_ANNOUNCE_DELAY
,
1594 on_announcement_timeout
, scope
);
1596 return log_debug_errno(r
, "Failed to schedule second announcement: %m");
1598 (void) sd_event_source_set_description(scope
->announce_event_source
, "mdns-announce");
1604 int dns_scope_add_dnssd_services(DnsScope
*scope
) {
1605 DnssdService
*service
;
1610 if (hashmap_isempty(scope
->manager
->dnssd_services
))
1613 scope
->announced
= false;
1615 HASHMAP_FOREACH(service
, scope
->manager
->dnssd_services
) {
1616 service
->withdrawn
= false;
1618 r
= dns_zone_put(&scope
->zone
, scope
, service
->ptr_rr
, false);
1620 log_warning_errno(r
, "Failed to add PTR record to MDNS zone: %m");
1622 if (service
->sub_ptr_rr
) {
1623 r
= dns_zone_put(&scope
->zone
, scope
, service
->sub_ptr_rr
, false);
1625 log_warning_errno(r
, "Failed to add selective PTR record to MDNS zone: %m");
1628 r
= dns_zone_put(&scope
->zone
, scope
, service
->srv_rr
, true);
1630 log_warning_errno(r
, "Failed to add SRV record to MDNS zone: %m");
1632 LIST_FOREACH(items
, txt_data
, service
->txt_data_items
) {
1633 r
= dns_zone_put(&scope
->zone
, scope
, txt_data
->rr
, true);
1635 log_warning_errno(r
, "Failed to add TXT record to MDNS zone: %m");
1642 int dns_scope_remove_dnssd_services(DnsScope
*scope
) {
1643 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1644 DnssdService
*service
;
1649 key
= dns_resource_key_new(DNS_CLASS_IN
, DNS_TYPE_PTR
,
1650 "_services._dns-sd._udp.local");
1654 r
= dns_zone_remove_rrs_by_key(&scope
->zone
, key
);
1658 HASHMAP_FOREACH(service
, scope
->manager
->dnssd_services
) {
1659 dns_zone_remove_rr(&scope
->zone
, service
->ptr_rr
);
1660 dns_zone_remove_rr(&scope
->zone
, service
->sub_ptr_rr
);
1661 dns_zone_remove_rr(&scope
->zone
, service
->srv_rr
);
1662 LIST_FOREACH(items
, txt_data
, service
->txt_data_items
)
1663 dns_zone_remove_rr(&scope
->zone
, txt_data
->rr
);
1669 static bool dns_scope_has_route_only_domains(DnsScope
*scope
) {
1670 DnsSearchDomain
*first
;
1671 bool route_only
= false;
1674 assert(scope
->protocol
== DNS_PROTOCOL_DNS
);
1676 /* Returns 'true' if this scope is suitable for queries to specific domains only. For that we check
1677 * if there are any route-only domains on this interface, as a heuristic to discern VPN-style links
1678 * from non-VPN-style links. Returns 'false' for all other cases, i.e. if the scope is intended to
1679 * take queries to arbitrary domains, i.e. has no routing domains set. */
1682 first
= scope
->link
->search_domains
;
1684 first
= scope
->manager
->search_domains
;
1686 LIST_FOREACH(domains
, domain
, first
) {
1687 /* "." means "any domain", thus the interface takes any kind of traffic. Thus, we exit early
1688 * here, as it doesn't really matter whether this link has any route-only domains or not,
1689 * "~." really trumps everything and clearly indicates that this interface shall receive all
1690 * traffic it can get. */
1691 if (dns_name_is_root(DNS_SEARCH_DOMAIN_NAME(domain
)))
1694 if (domain
->route_only
)
1701 bool dns_scope_is_default_route(DnsScope
*scope
) {
1704 /* Only use DNS scopes as default routes */
1705 if (scope
->protocol
!= DNS_PROTOCOL_DNS
)
1708 /* The global DNS scope is always suitable as default route */
1712 /* Honour whatever is explicitly configured. This is really the best approach, and trumps any
1713 * automatic logic. */
1714 if (scope
->link
->default_route
>= 0)
1715 return scope
->link
->default_route
;
1717 /* Otherwise check if we have any route-only domains, as a sensible heuristic: if so, let's not
1718 * volunteer as default route. */
1719 return !dns_scope_has_route_only_domains(scope
);
1722 int dns_scope_dump_cache_to_json(DnsScope
*scope
, sd_json_variant
**ret
) {
1723 _cleanup_(sd_json_variant_unrefp
) sd_json_variant
*cache
= NULL
;
1729 r
= dns_cache_dump_to_json(&scope
->cache
, &cache
);
1733 return sd_json_buildo(
1735 SD_JSON_BUILD_PAIR_STRING("protocol", dns_protocol_to_string(scope
->protocol
)),
1736 SD_JSON_BUILD_PAIR_CONDITION(scope
->family
!= AF_UNSPEC
, "family", SD_JSON_BUILD_INTEGER(scope
->family
)),
1737 SD_JSON_BUILD_PAIR_CONDITION(!!scope
->link
, "ifindex", SD_JSON_BUILD_INTEGER(dns_scope_ifindex(scope
))),
1738 SD_JSON_BUILD_PAIR_CONDITION(!!scope
->link
, "ifname", SD_JSON_BUILD_STRING(dns_scope_ifname(scope
))),
1739 SD_JSON_BUILD_PAIR_VARIANT("cache", cache
));
1742 int dns_type_suitable_for_protocol(uint16_t type
, DnsProtocol protocol
) {
1744 /* Tests whether it makes sense to route queries for the specified DNS RR types to the specified
1745 * protocol. For classic DNS pretty much all RR types are suitable, but for LLMNR/mDNS let's
1746 * allowlist only a few that make sense. We use this when routing queries so that we can more quickly
1747 * return errors for queries that will almost certainly fail/time-out otherwise. For example, this
1748 * ensures that SOA, NS, or DS/DNSKEY queries are never routed to mDNS/LLMNR where they simply make
1751 if (dns_type_is_obsolete(type
))
1754 if (!dns_type_is_valid_query(type
))
1759 case DNS_PROTOCOL_DNS
:
1762 case DNS_PROTOCOL_LLMNR
:
1771 case DNS_PROTOCOL_MDNS
:
1784 return -EPROTONOSUPPORT
;
1788 int dns_question_types_suitable_for_protocol(DnsQuestion
*q
, DnsProtocol protocol
) {
1789 DnsResourceKey
*key
;
1792 /* Tests whether the types in the specified question make any sense to be routed to the specified
1793 * protocol, i.e. if dns_type_suitable_for_protocol() is true for any of the contained RR types */
1795 DNS_QUESTION_FOREACH(key
, q
) {
1796 r
= dns_type_suitable_for_protocol(key
->type
, protocol
);