]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-query.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #18701 from bugaevc/mdns-unicast
[thirdparty/systemd.git] / src / resolve / resolved-dns-query.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "alloc-util.h"
4 #include "dns-domain.h"
5 #include "dns-type.h"
6 #include "hostname-util.h"
7 #include "local-addresses.h"
8 #include "resolved-dns-query.h"
9 #include "resolved-dns-synthesize.h"
10 #include "resolved-etc-hosts.h"
11 #include "string-util.h"
12
13 #define QUERIES_MAX 2048
14 #define AUXILIARY_QUERIES_MAX 64
15
16 static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
17 DnsQueryCandidate *c;
18
19 assert(ret);
20 assert(q);
21 assert(s);
22
23 c = new(DnsQueryCandidate, 1);
24 if (!c)
25 return -ENOMEM;
26
27 *c = (DnsQueryCandidate) {
28 .n_ref = 1,
29 .query = q,
30 .scope = s,
31 };
32
33 LIST_PREPEND(candidates_by_query, q->candidates, c);
34 LIST_PREPEND(candidates_by_scope, s->query_candidates, c);
35
36 *ret = c;
37 return 0;
38 }
39
40 static void dns_query_candidate_stop(DnsQueryCandidate *c) {
41 DnsTransaction *t;
42
43 assert(c);
44
45 while ((t = set_steal_first(c->transactions))) {
46 set_remove(t->notify_query_candidates, c);
47 set_remove(t->notify_query_candidates_done, c);
48 dns_transaction_gc(t);
49 }
50 }
51
52 static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
53 if (!c)
54 return NULL;
55
56 dns_query_candidate_stop(c);
57
58 set_free(c->transactions);
59 dns_search_domain_unref(c->search_domain);
60
61 if (c->query)
62 LIST_REMOVE(candidates_by_query, c->query->candidates, c);
63
64 if (c->scope)
65 LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c);
66
67 return mfree(c);
68 }
69
70 DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate, dns_query_candidate, dns_query_candidate_free);
71
72 static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
73 DnsSearchDomain *next;
74
75 assert(c);
76
77 if (c->search_domain && c->search_domain->linked)
78 next = c->search_domain->domains_next;
79 else
80 next = dns_scope_get_search_domains(c->scope);
81
82 for (;;) {
83 if (!next) /* We hit the end of the list */
84 return 0;
85
86 if (!next->route_only)
87 break;
88
89 /* Skip over route-only domains */
90 next = next->domains_next;
91 }
92
93 dns_search_domain_unref(c->search_domain);
94 c->search_domain = dns_search_domain_ref(next);
95
96 return 1;
97 }
98
99 static int dns_query_candidate_add_transaction(
100 DnsQueryCandidate *c,
101 DnsResourceKey *key,
102 DnsPacket *bypass) {
103
104 _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL;
105 int r;
106
107 assert(c);
108
109 if (key) {
110 /* Regular lookup with a resource key */
111 assert(!bypass);
112
113 t = dns_scope_find_transaction(c->scope, key, c->query->flags);
114 if (!t) {
115 r = dns_transaction_new(&t, c->scope, key, NULL, c->query->flags);
116 if (r < 0)
117 return r;
118 } else if (set_contains(c->transactions, t))
119 return 0;
120 } else {
121 /* "Bypass" lookup with a query packet */
122 assert(bypass);
123
124 r = dns_transaction_new(&t, c->scope, NULL, bypass, c->query->flags);
125 if (r < 0)
126 return r;
127 }
128
129 r = set_ensure_allocated(&t->notify_query_candidates_done, NULL);
130 if (r < 0)
131 return r;
132
133 r = set_ensure_put(&t->notify_query_candidates, NULL, c);
134 if (r < 0)
135 return r;
136
137 r = set_ensure_put(&c->transactions, NULL, t);
138 if (r < 0) {
139 (void) set_remove(t->notify_query_candidates, c);
140 return r;
141 }
142
143 TAKE_PTR(t);
144 return 1;
145 }
146
147 static int dns_query_candidate_go(DnsQueryCandidate *c) {
148 _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL;
149 DnsTransaction *t;
150 int r;
151 unsigned n = 0;
152
153 assert(c);
154
155 /* Let's keep a reference to the query while we're operating */
156 keep_c = dns_query_candidate_ref(c);
157
158 /* Start the transactions that are not started yet */
159 SET_FOREACH(t, c->transactions) {
160 if (t->state != DNS_TRANSACTION_NULL)
161 continue;
162
163 r = dns_transaction_go(t);
164 if (r < 0)
165 return r;
166
167 n++;
168 }
169
170 /* If there was nothing to start, then let's proceed immediately */
171 if (n == 0)
172 dns_query_candidate_notify(c);
173
174 return 0;
175 }
176
177 static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {
178 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
179 DnsTransaction *t;
180
181 assert(c);
182
183 if (c->error_code != 0)
184 return DNS_TRANSACTION_ERRNO;
185
186 SET_FOREACH(t, c->transactions)
187
188 switch (t->state) {
189
190 case DNS_TRANSACTION_NULL:
191 /* If there's a NULL transaction pending, then
192 * this means not all transactions where
193 * started yet, and we were called from within
194 * the stackframe that is supposed to start
195 * remaining transactions. In this case,
196 * simply claim the candidate is pending. */
197
198 case DNS_TRANSACTION_PENDING:
199 case DNS_TRANSACTION_VALIDATING:
200 /* If there's one transaction currently in
201 * VALIDATING state, then this means there's
202 * also one in PENDING state, hence we can
203 * return PENDING immediately. */
204 return DNS_TRANSACTION_PENDING;
205
206 case DNS_TRANSACTION_SUCCESS:
207 state = t->state;
208 break;
209
210 default:
211 if (state != DNS_TRANSACTION_SUCCESS)
212 state = t->state;
213
214 break;
215 }
216
217 return state;
218 }
219
220 static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) {
221 DnsQuestion *question;
222 DnsResourceKey *key;
223 int n = 0, r;
224
225 assert(c);
226
227 dns_query_candidate_stop(c);
228
229 if (c->query->question_bypass) {
230 /* If this is a bypass query, then pass the original query packet along to the transaction */
231
232 assert(dns_question_size(c->query->question_bypass->question) == 1);
233
234 if (!dns_scope_good_key(c->scope, dns_question_first_key(c->query->question_bypass->question)))
235 return 0;
236
237 r = dns_query_candidate_add_transaction(c, NULL, c->query->question_bypass);
238 if (r < 0)
239 goto fail;
240
241 return 1;
242 }
243
244 question = dns_query_question_for_protocol(c->query, c->scope->protocol);
245
246 /* Create one transaction per question key */
247 DNS_QUESTION_FOREACH(key, question) {
248 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL;
249 DnsResourceKey *qkey;
250
251 if (c->search_domain) {
252 r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name);
253 if (r < 0)
254 goto fail;
255
256 qkey = new_key;
257 } else
258 qkey = key;
259
260 if (!dns_scope_good_key(c->scope, qkey))
261 continue;
262
263 r = dns_query_candidate_add_transaction(c, qkey, NULL);
264 if (r < 0)
265 goto fail;
266
267 n++;
268 }
269
270 return n;
271
272 fail:
273 dns_query_candidate_stop(c);
274 return r;
275 }
276
277 void dns_query_candidate_notify(DnsQueryCandidate *c) {
278 DnsTransactionState state;
279 int r;
280
281 assert(c);
282
283 state = dns_query_candidate_state(c);
284
285 if (DNS_TRANSACTION_IS_LIVE(state))
286 return;
287
288 if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
289
290 r = dns_query_candidate_next_search_domain(c);
291 if (r < 0)
292 goto fail;
293
294 if (r > 0) {
295 /* OK, there's another search domain to try, let's do so. */
296
297 r = dns_query_candidate_setup_transactions(c);
298 if (r < 0)
299 goto fail;
300
301 if (r > 0) {
302 /* New transactions where queued. Start them and wait */
303
304 r = dns_query_candidate_go(c);
305 if (r < 0)
306 goto fail;
307
308 return;
309 }
310 }
311
312 }
313
314 dns_query_ready(c->query);
315 return;
316
317 fail:
318 c->error_code = log_warning_errno(r, "Failed to follow search domains: %m");
319 dns_query_ready(c->query);
320 }
321
322 static void dns_query_stop(DnsQuery *q) {
323 DnsQueryCandidate *c;
324
325 assert(q);
326
327 q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);
328
329 LIST_FOREACH(candidates_by_query, c, q->candidates)
330 dns_query_candidate_stop(c);
331 }
332
333 static void dns_query_unref_candidates(DnsQuery *q) {
334 assert(q);
335
336 while (q->candidates)
337 dns_query_candidate_unref(q->candidates);
338 }
339
340 static void dns_query_reset_answer(DnsQuery *q) {
341 assert(q);
342
343 q->answer = dns_answer_unref(q->answer);
344 q->answer_rcode = 0;
345 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
346 q->answer_errno = 0;
347 q->answer_query_flags = 0;
348 q->answer_protocol = _DNS_PROTOCOL_INVALID;
349 q->answer_family = AF_UNSPEC;
350 q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
351 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
352 }
353
354 DnsQuery *dns_query_free(DnsQuery *q) {
355 if (!q)
356 return NULL;
357
358 while (q->auxiliary_queries)
359 dns_query_free(q->auxiliary_queries);
360
361 if (q->auxiliary_for) {
362 assert(q->auxiliary_for->n_auxiliary_queries > 0);
363 q->auxiliary_for->n_auxiliary_queries--;
364 LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q);
365 }
366
367 dns_query_unref_candidates(q);
368
369 dns_question_unref(q->question_idna);
370 dns_question_unref(q->question_utf8);
371 dns_packet_unref(q->question_bypass);
372
373 dns_query_reset_answer(q);
374
375 sd_bus_message_unref(q->bus_request);
376 sd_bus_track_unref(q->bus_track);
377
378 if (q->varlink_request) {
379 varlink_set_userdata(q->varlink_request, NULL);
380 varlink_unref(q->varlink_request);
381 }
382
383 if (q->request_packet)
384 hashmap_remove_value(q->stub_listener_extra ?
385 q->stub_listener_extra->queries_by_packet :
386 q->manager->stub_queries_by_packet,
387 q->request_packet,
388 q);
389
390 dns_packet_unref(q->request_packet);
391 dns_answer_unref(q->reply_answer);
392 dns_answer_unref(q->reply_authoritative);
393 dns_answer_unref(q->reply_additional);
394
395 if (q->request_stream) {
396 /* Detach the stream from our query, in case something else keeps a reference to it. */
397 (void) set_remove(q->request_stream->queries, q);
398 q->request_stream = dns_stream_unref(q->request_stream);
399 }
400
401 free(q->request_address_string);
402
403 if (q->manager) {
404 LIST_REMOVE(queries, q->manager->dns_queries, q);
405 q->manager->n_dns_queries--;
406 }
407
408 return mfree(q);
409 }
410
411 int dns_query_new(
412 Manager *m,
413 DnsQuery **ret,
414 DnsQuestion *question_utf8,
415 DnsQuestion *question_idna,
416 DnsPacket *question_bypass,
417 int ifindex,
418 uint64_t flags) {
419
420 _cleanup_(dns_query_freep) DnsQuery *q = NULL;
421 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
422 DnsResourceKey *key;
423 int r;
424
425 assert(m);
426
427 if (question_bypass) {
428 /* It's either a "bypass" query, or a regular one, but can't be both. */
429 if (question_utf8 || question_idna)
430 return -EINVAL;
431
432 } else {
433 bool good = false;
434
435 /* This (primarily) checks two things:
436 *
437 * 1. That the question is not empty
438 * 2. That all RR keys in the question objects are for the same domain
439 *
440 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
441 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
442
443 if (dns_question_size(question_utf8) > 0) {
444 r = dns_question_is_valid_for_query(question_utf8);
445 if (r < 0)
446 return r;
447 if (r == 0)
448 return -EINVAL;
449
450 good = true;
451 }
452
453 /* If the IDNA and UTF8 questions are the same, merge their references */
454 r = dns_question_is_equal(question_idna, question_utf8);
455 if (r < 0)
456 return r;
457 if (r > 0)
458 question_idna = question_utf8;
459 else {
460 if (dns_question_size(question_idna) > 0) {
461 r = dns_question_is_valid_for_query(question_idna);
462 if (r < 0)
463 return r;
464 if (r == 0)
465 return -EINVAL;
466
467 good = true;
468 }
469 }
470
471 if (!good) /* don't allow empty queries */
472 return -EINVAL;
473 }
474
475 if (m->n_dns_queries >= QUERIES_MAX)
476 return -EBUSY;
477
478 q = new(DnsQuery, 1);
479 if (!q)
480 return -ENOMEM;
481
482 *q = (DnsQuery) {
483 .question_utf8 = dns_question_ref(question_utf8),
484 .question_idna = dns_question_ref(question_idna),
485 .question_bypass = dns_packet_ref(question_bypass),
486 .ifindex = ifindex,
487 .flags = flags,
488 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
489 .answer_protocol = _DNS_PROTOCOL_INVALID,
490 .answer_family = AF_UNSPEC,
491 };
492
493 if (question_bypass) {
494 DNS_QUESTION_FOREACH(key, question_bypass->question)
495 log_debug("Looking up bypass packet for %s.",
496 dns_resource_key_to_string(key, key_str, sizeof key_str));
497 } else {
498 /* First dump UTF8 question */
499 DNS_QUESTION_FOREACH(key, question_utf8)
500 log_debug("Looking up RR for %s.",
501 dns_resource_key_to_string(key, key_str, sizeof key_str));
502
503 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
504 DNS_QUESTION_FOREACH(key, question_idna) {
505 r = dns_question_contains_key(question_utf8, key);
506 if (r < 0)
507 return r;
508 if (r > 0)
509 continue;
510
511 log_debug("Looking up IDNA RR for %s.",
512 dns_resource_key_to_string(key, key_str, sizeof key_str));
513 }
514 }
515
516 LIST_PREPEND(queries, m->dns_queries, q);
517 m->n_dns_queries++;
518 q->manager = m;
519
520 if (ret)
521 *ret = q;
522
523 TAKE_PTR(q);
524 return 0;
525 }
526
527 int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {
528 assert(q);
529 assert(auxiliary_for);
530
531 /* Ensure that the query is not auxiliary yet, and
532 * nothing else is auxiliary to it either */
533 assert(!q->auxiliary_for);
534 assert(!q->auxiliary_queries);
535
536 /* Ensure that the unit we shall be made auxiliary for isn't
537 * auxiliary itself */
538 assert(!auxiliary_for->auxiliary_for);
539
540 if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX)
541 return -EAGAIN;
542
543 LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q);
544 q->auxiliary_for = auxiliary_for;
545
546 auxiliary_for->n_auxiliary_queries++;
547 return 0;
548 }
549
550 void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
551 assert(q);
552 assert(!DNS_TRANSACTION_IS_LIVE(state));
553 assert(DNS_TRANSACTION_IS_LIVE(q->state));
554
555 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
556 * query or transaction after calling this function. */
557
558 q->state = state;
559
560 dns_query_stop(q);
561 if (q->complete)
562 q->complete(q);
563 }
564
565 static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) {
566 DnsQuery *q = userdata;
567
568 assert(s);
569 assert(q);
570
571 dns_query_complete(q, DNS_TRANSACTION_TIMEOUT);
572 return 0;
573 }
574
575 static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
576 _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *c = NULL;
577 int r;
578
579 assert(q);
580 assert(s);
581
582 r = dns_query_candidate_new(&c, q, s);
583 if (r < 0)
584 return r;
585
586 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
587 if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) &&
588 dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) {
589 /* OK, we want a search domain now. Let's find one for this scope */
590
591 r = dns_query_candidate_next_search_domain(c);
592 if (r < 0)
593 return r;
594 }
595
596 r = dns_query_candidate_setup_transactions(c);
597 if (r < 0)
598 return r;
599
600 TAKE_PTR(c);
601 return 0;
602 }
603
604 static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
605 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
606 int r;
607
608 assert(q);
609 assert(state);
610
611 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
612 * the normal lookup finished. The data from the network hence takes precedence over the data we
613 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
614
615 if (!IN_SET(*state,
616 DNS_TRANSACTION_RCODE_FAILURE,
617 DNS_TRANSACTION_NO_SERVERS,
618 DNS_TRANSACTION_TIMEOUT,
619 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED,
620 DNS_TRANSACTION_NETWORK_DOWN,
621 DNS_TRANSACTION_NOT_FOUND))
622 return 0;
623
624 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
625 return 0;
626
627 r = dns_synthesize_answer(
628 q->manager,
629 q->question_bypass ? q->question_bypass->question : q->question_utf8,
630 q->ifindex,
631 &answer);
632 if (r == -ENXIO) {
633 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
634
635 dns_query_reset_answer(q);
636 q->answer_rcode = DNS_RCODE_NXDOMAIN;
637 q->answer_protocol = dns_synthesize_protocol(q->flags);
638 q->answer_family = dns_synthesize_family(q->flags);
639 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
640 *state = DNS_TRANSACTION_RCODE_FAILURE;
641
642 return 0;
643 }
644 if (r <= 0)
645 return r;
646
647 dns_query_reset_answer(q);
648
649 q->answer = TAKE_PTR(answer);
650 q->answer_rcode = DNS_RCODE_SUCCESS;
651 q->answer_protocol = dns_synthesize_protocol(q->flags);
652 q->answer_family = dns_synthesize_family(q->flags);
653 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
654
655 *state = DNS_TRANSACTION_SUCCESS;
656
657 return 1;
658 }
659
660 static int dns_query_try_etc_hosts(DnsQuery *q) {
661 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
662 int r;
663
664 assert(q);
665
666 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
667 * done. The data from /etc/hosts hence takes precedence over the network. */
668
669 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
670 return 0;
671
672 r = manager_etc_hosts_lookup(
673 q->manager,
674 q->question_bypass ? q->question_bypass->question : q->question_utf8,
675 &answer);
676 if (r <= 0)
677 return r;
678
679 dns_query_reset_answer(q);
680
681 q->answer = TAKE_PTR(answer);
682 q->answer_rcode = DNS_RCODE_SUCCESS;
683 q->answer_protocol = dns_synthesize_protocol(q->flags);
684 q->answer_family = dns_synthesize_family(q->flags);
685 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
686
687 return 1;
688 }
689
690 int dns_query_go(DnsQuery *q) {
691 DnsScopeMatch found = DNS_SCOPE_NO;
692 DnsScope *s, *first = NULL;
693 DnsQueryCandidate *c;
694 int r;
695
696 assert(q);
697
698 if (q->state != DNS_TRANSACTION_NULL)
699 return 0;
700
701 r = dns_query_try_etc_hosts(q);
702 if (r < 0)
703 return r;
704 if (r > 0) {
705 dns_query_complete(q, DNS_TRANSACTION_SUCCESS);
706 return 1;
707 }
708
709 LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
710 DnsScopeMatch match;
711 const char *name;
712
713 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
714 if (!name)
715 continue;
716
717 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
718 if (match < 0) {
719 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
720 continue;
721 }
722
723 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
724 * that matches this well */
725 found = match;
726 first = s;
727 }
728 }
729
730 if (found == DNS_SCOPE_NO) {
731 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
732
733 r = dns_query_synthesize_reply(q, &state);
734 if (r < 0)
735 return r;
736
737 dns_query_complete(q, state);
738 return 1;
739 }
740
741 r = dns_query_add_candidate(q, first);
742 if (r < 0)
743 goto fail;
744
745 LIST_FOREACH(scopes, s, first->scopes_next) {
746 DnsScopeMatch match;
747 const char *name;
748
749 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
750 if (!name)
751 continue;
752
753 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
754 if (match < 0) {
755 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
756 continue;
757 }
758
759 if (match < found)
760 continue;
761
762 r = dns_query_add_candidate(q, s);
763 if (r < 0)
764 goto fail;
765 }
766
767 dns_query_reset_answer(q);
768
769 r = sd_event_add_time_relative(
770 q->manager->event,
771 &q->timeout_event_source,
772 clock_boottime_or_monotonic(),
773 SD_RESOLVED_QUERY_TIMEOUT_USEC,
774 0, on_query_timeout, q);
775 if (r < 0)
776 goto fail;
777
778 (void) sd_event_source_set_description(q->timeout_event_source, "query-timeout");
779
780 q->state = DNS_TRANSACTION_PENDING;
781 q->block_ready++;
782
783 /* Start the transactions */
784 LIST_FOREACH(candidates_by_query, c, q->candidates) {
785 r = dns_query_candidate_go(c);
786 if (r < 0) {
787 q->block_ready--;
788 goto fail;
789 }
790 }
791
792 q->block_ready--;
793 dns_query_ready(q);
794
795 return 1;
796
797 fail:
798 dns_query_stop(q);
799 return r;
800 }
801
802 static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
803 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
804 bool has_authenticated = false, has_non_authenticated = false, has_confidential = false, has_non_confidential = false;
805 DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
806 DnsTransaction *t;
807 int r;
808
809 assert(q);
810
811 if (!c) {
812 r = dns_query_synthesize_reply(q, &state);
813 if (r < 0)
814 goto fail;
815
816 dns_query_complete(q, state);
817 return;
818 }
819
820 if (c->error_code != 0) {
821 /* If the candidate had an error condition of its own, start with that. */
822 state = DNS_TRANSACTION_ERRNO;
823 q->answer = dns_answer_unref(q->answer);
824 q->answer_rcode = 0;
825 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
826 q->answer_query_flags = 0;
827 q->answer_errno = c->error_code;
828 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
829 }
830
831 SET_FOREACH(t, c->transactions) {
832
833 switch (t->state) {
834
835 case DNS_TRANSACTION_SUCCESS: {
836 /* We found a successful reply, merge it into the answer */
837
838 if (state == DNS_TRANSACTION_SUCCESS) {
839 r = dns_answer_extend(&q->answer, t->answer);
840 if (r < 0)
841 goto fail;
842
843 q->answer_query_flags |= dns_transaction_source_to_query_flags(t->answer_source);
844 } else {
845 /* Override non-successful previous answers */
846 dns_answer_unref(q->answer);
847 q->answer = dns_answer_ref(t->answer);
848
849 q->answer_query_flags = dns_transaction_source_to_query_flags(t->answer_source);
850 }
851
852 q->answer_rcode = t->answer_rcode;
853 q->answer_errno = 0;
854
855 dns_packet_unref(q->answer_full_packet);
856 q->answer_full_packet = dns_packet_ref(t->received);
857
858 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) {
859 has_authenticated = true;
860 dnssec_result_authenticated = t->answer_dnssec_result;
861 } else {
862 has_non_authenticated = true;
863 dnssec_result_non_authenticated = t->answer_dnssec_result;
864 }
865
866 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
867 has_confidential = true;
868 else
869 has_non_confidential = true;
870
871 state = DNS_TRANSACTION_SUCCESS;
872 break;
873 }
874
875 case DNS_TRANSACTION_NULL:
876 case DNS_TRANSACTION_PENDING:
877 case DNS_TRANSACTION_VALIDATING:
878 case DNS_TRANSACTION_ABORTED:
879 /* Ignore transactions that didn't complete */
880 continue;
881
882 default:
883 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
884 if (state == DNS_TRANSACTION_SUCCESS)
885 continue;
886
887 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
888 if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) &&
889 !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
890 continue;
891
892 dns_answer_unref(q->answer);
893 q->answer = dns_answer_ref(t->answer);
894 q->answer_rcode = t->answer_rcode;
895 q->answer_dnssec_result = t->answer_dnssec_result;
896 q->answer_query_flags = t->answer_query_flags | dns_transaction_source_to_query_flags(t->answer_source);
897 q->answer_errno = t->answer_errno;
898 dns_packet_unref(q->answer_full_packet);
899 q->answer_full_packet = dns_packet_ref(t->received);
900
901 state = t->state;
902 break;
903 }
904 }
905
906 if (state == DNS_TRANSACTION_SUCCESS) {
907 SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated);
908 SET_FLAG(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, has_confidential && !has_non_confidential);
909 q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated;
910 }
911
912 q->answer_protocol = c->scope->protocol;
913 q->answer_family = c->scope->family;
914
915 dns_search_domain_unref(q->answer_search_domain);
916 q->answer_search_domain = dns_search_domain_ref(c->search_domain);
917
918 r = dns_query_synthesize_reply(q, &state);
919 if (r < 0)
920 goto fail;
921
922 dns_query_complete(q, state);
923 return;
924
925 fail:
926 q->answer_errno = -r;
927 dns_query_complete(q, DNS_TRANSACTION_ERRNO);
928 }
929
930 void dns_query_ready(DnsQuery *q) {
931
932 DnsQueryCandidate *bad = NULL, *c;
933 bool pending = false;
934
935 assert(q);
936 assert(DNS_TRANSACTION_IS_LIVE(q->state));
937
938 /* Note that this call might invalidate the query. Callers
939 * should hence not attempt to access the query or transaction
940 * after calling this function, unless the block_ready
941 * counter was explicitly bumped before doing so. */
942
943 if (q->block_ready > 0)
944 return;
945
946 LIST_FOREACH(candidates_by_query, c, q->candidates) {
947 DnsTransactionState state;
948
949 state = dns_query_candidate_state(c);
950 switch (state) {
951
952 case DNS_TRANSACTION_SUCCESS:
953 /* One of the candidates is successful,
954 * let's use it, and copy its data out */
955 dns_query_accept(q, c);
956 return;
957
958 case DNS_TRANSACTION_NULL:
959 case DNS_TRANSACTION_PENDING:
960 case DNS_TRANSACTION_VALIDATING:
961 /* One of the candidates is still going on,
962 * let's maybe wait for it */
963 pending = true;
964 break;
965
966 default:
967 /* Any kind of failure */
968 bad = c;
969 break;
970 }
971 }
972
973 if (pending)
974 return;
975
976 dns_query_accept(q, bad);
977 }
978
979 static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) {
980 _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL;
981 int r, k;
982
983 assert(q);
984
985 q->n_cname_redirects++;
986 if (q->n_cname_redirects > CNAME_REDIRECT_MAX)
987 return -ELOOP;
988
989 r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
990 if (r < 0)
991 return r;
992 if (r > 0)
993 log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna));
994
995 k = dns_question_is_equal(q->question_idna, q->question_utf8);
996 if (k < 0)
997 return k;
998 if (k > 0) {
999 /* Same question? Shortcut new question generation */
1000 nq_utf8 = dns_question_ref(nq_idna);
1001 k = r;
1002 } else {
1003 k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8);
1004 if (k < 0)
1005 return k;
1006 if (k > 0)
1007 log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8));
1008 }
1009
1010 if (r == 0 && k == 0) /* No actual cname happened? */
1011 return -ELOOP;
1012
1013 if (q->answer_protocol == DNS_PROTOCOL_DNS)
1014 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1015 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1016 * ones. */
1017 q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
1018
1019 /* Turn off searching for the new name */
1020 q->flags |= SD_RESOLVED_NO_SEARCH;
1021
1022 dns_question_unref(q->question_idna);
1023 q->question_idna = TAKE_PTR(nq_idna);
1024
1025 dns_question_unref(q->question_utf8);
1026 q->question_utf8 = TAKE_PTR(nq_utf8);
1027
1028 dns_query_unref_candidates(q);
1029
1030 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1031 * include everything we need, let's check that first */
1032
1033 q->state = DNS_TRANSACTION_NULL;
1034
1035 return 0;
1036 }
1037
1038 int dns_query_process_cname_one(DnsQuery *q) {
1039 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL;
1040 DnsQuestion *question;
1041 DnsResourceRecord *rr;
1042 bool full_match = true;
1043 DnsResourceKey *k;
1044 int r;
1045
1046 assert(q);
1047
1048 /* Processes a CNAME redirect if there's one. Returns one of three values:
1049 *
1050 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1051 * bother with any CNAME/DNAME stuff)
1052 *
1053 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1054 * restart query or take things as NODATA reply.
1055 *
1056 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1057 *
1058 * The function might also return a failure, in particular -ELOOP if we encountered too many
1059 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1060 *
1061 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1062 * case of CNAME_QUERY_CNAME, though. */
1063
1064 if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL))
1065 return DNS_QUERY_NOMATCH;
1066
1067 question = dns_query_question_for_protocol(q, q->answer_protocol);
1068
1069 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1070 * record type. Specifically, when we do an address lookup the question will typically consist of one
1071 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1072 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1073 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1074 * type.
1075 *
1076 * Hence we first check of the answers we collected are sufficient to answer all our questions
1077 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1078 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
1079 * the AAAA query.*/
1080
1081 DNS_QUESTION_FOREACH(k, question) {
1082 bool match = false;
1083
1084 DNS_ANSWER_FOREACH(rr, q->answer) {
1085 r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
1086 if (r < 0)
1087 return r;
1088 if (r > 0) {
1089 match = true; /* Yay, we found an RR that matches the key we are looking for */
1090 break;
1091 }
1092 }
1093
1094 if (!match) {
1095 /* Hmm. :-( there's no response for this key. This doesn't match. */
1096 full_match = false;
1097 break;
1098 }
1099 }
1100
1101 if (full_match)
1102 return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1103
1104 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1105 * matches any of our questions. */
1106 DNS_ANSWER_FOREACH(rr, q->answer) {
1107 r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
1108 if (r < 0)
1109 return r;
1110 if (r > 0 && !cname)
1111 cname = dns_resource_record_ref(rr);
1112 }
1113
1114 if (!cname)
1115 return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */
1116
1117 if (q->flags & SD_RESOLVED_NO_CNAME)
1118 return -ELOOP;
1119
1120 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
1121 q->previous_redirect_unauthenticated = true;
1122 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
1123 q->previous_redirect_non_confidential = true;
1124 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_SYNTHETIC))
1125 q->previous_redirect_non_synthetic = true;
1126
1127 /* OK, let's actually follow the CNAME */
1128 r = dns_query_cname_redirect(q, cname);
1129 if (r < 0)
1130 return r;
1131
1132 return DNS_QUERY_CNAME; /* Tell caller that we did a single CNAME/DNAME redirection step */
1133 }
1134
1135 int dns_query_process_cname_many(DnsQuery *q) {
1136 int r;
1137
1138 assert(q);
1139
1140 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1141 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1142 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1143 * but with extended semantics. Specifically:
1144 *
1145 * DNS_QUERY_MATCH → as above
1146 *
1147 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1148 * message, and thus restarted the query to resolve it.
1149 *
1150 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1151 * CNAME/DNAME match. i.e. this is a NODATA case.
1152 *
1153 * Note that this function will restart the query for the caller if needed, and that's the case
1154 * DNS_QUERY_CNAME is returned.
1155 */
1156
1157 r = dns_query_process_cname_one(q);
1158 if (r != DNS_QUERY_CNAME)
1159 return r; /* The first redirect is special: if it doesn't answer the question that's no
1160 * reason to restart the query, we just accept this as a NODATA answer. */
1161
1162 for (;;) {
1163 r = dns_query_process_cname_one(q);
1164 if (r < 0 || r == DNS_QUERY_MATCH)
1165 return r;
1166 if (r == DNS_QUERY_NOMATCH) {
1167 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1168 * this. Let's restart the query hence, with the new question. Why the different
1169 * handling than the first chain element? Because if the server answers a direct
1170 * question with an empty answer then this is a NODATA response. But if it responds
1171 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1172 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1173 * chain. This is particular relevant since our cache will store CNAME/DNAME
1174 * redirects that we learnt about for lookups of certain DNS types, but later on we
1175 * can reuse this data even for other DNS types, but in that case need to follow up
1176 * with the final lookup of the chain ourselves with the RR type we ourselves are
1177 * interested in. */
1178 r = dns_query_go(q);
1179 if (r < 0)
1180 return r;
1181
1182 return DNS_QUERY_CNAME;
1183 }
1184
1185 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1186 * continue going then. */
1187 assert(r == DNS_QUERY_CNAME);
1188 }
1189 }
1190
1191 DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) {
1192 assert(q);
1193
1194 if (q->question_bypass)
1195 return q->question_bypass->question;
1196
1197 switch (protocol) {
1198
1199 case DNS_PROTOCOL_DNS:
1200 return q->question_idna;
1201
1202 case DNS_PROTOCOL_MDNS:
1203 case DNS_PROTOCOL_LLMNR:
1204 return q->question_utf8;
1205
1206 default:
1207 return NULL;
1208 }
1209 }
1210
1211 const char *dns_query_string(DnsQuery *q) {
1212 const char *name;
1213 int r;
1214
1215 /* Returns a somewhat useful human-readable lookup key string for this query */
1216
1217 if (q->question_bypass)
1218 return dns_question_first_name(q->question_bypass->question);
1219
1220 if (q->request_address_string)
1221 return q->request_address_string;
1222
1223 if (q->request_address_valid) {
1224 r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string);
1225 if (r >= 0)
1226 return q->request_address_string;
1227 }
1228
1229 name = dns_question_first_name(q->question_utf8);
1230 if (name)
1231 return name;
1232
1233 return dns_question_first_name(q->question_idna);
1234 }
1235
1236 bool dns_query_fully_authenticated(DnsQuery *q) {
1237 assert(q);
1238
1239 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated;
1240 }
1241
1242 bool dns_query_fully_confidential(DnsQuery *q) {
1243 assert(q);
1244
1245 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
1246 }
1247
1248 bool dns_query_fully_authoritative(DnsQuery *q) {
1249 assert(q);
1250
1251 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1252 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
1253 * previous synthetic DNAME/CNAME redirections.)*/
1254 if ((q->answer_query_flags & SD_RESOLVED_SYNTHETIC) && !q->previous_redirect_non_synthetic)
1255 return true;
1256
1257 /* We are also authoritative for everything coming only from the trust anchor and the local
1258 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
1259 * explicitly check previous redirects here.)*/
1260 return (q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~(SD_RESOLVED_FROM_TRUST_ANCHOR | SD_RESOLVED_FROM_ZONE)) == 0;
1261 }
Unnamed repository; edit this file 'description' to name the repository.