1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "alloc-util.h"
4 #include "dns-domain.h"
6 #include "hostname-util.h"
7 #include "local-addresses.h"
8 #include "resolved-dns-query.h"
9 #include "resolved-dns-synthesize.h"
10 #include "resolved-etc-hosts.h"
11 #include "string-util.h"
13 #define QUERIES_MAX 2048
14 #define AUXILIARY_QUERIES_MAX 64
16 static int dns_query_candidate_new(DnsQueryCandidate
**ret
, DnsQuery
*q
, DnsScope
*s
) {
23 c
= new(DnsQueryCandidate
, 1);
27 *c
= (DnsQueryCandidate
) {
33 LIST_PREPEND(candidates_by_query
, q
->candidates
, c
);
34 LIST_PREPEND(candidates_by_scope
, s
->query_candidates
, c
);
40 static void dns_query_candidate_stop(DnsQueryCandidate
*c
) {
45 while ((t
= set_steal_first(c
->transactions
))) {
46 set_remove(t
->notify_query_candidates
, c
);
47 set_remove(t
->notify_query_candidates_done
, c
);
48 dns_transaction_gc(t
);
52 static DnsQueryCandidate
* dns_query_candidate_free(DnsQueryCandidate
*c
) {
56 dns_query_candidate_stop(c
);
58 set_free(c
->transactions
);
59 dns_search_domain_unref(c
->search_domain
);
62 LIST_REMOVE(candidates_by_query
, c
->query
->candidates
, c
);
65 LIST_REMOVE(candidates_by_scope
, c
->scope
->query_candidates
, c
);
70 DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate
, dns_query_candidate
, dns_query_candidate_free
);
72 static int dns_query_candidate_next_search_domain(DnsQueryCandidate
*c
) {
73 DnsSearchDomain
*next
;
77 if (c
->search_domain
&& c
->search_domain
->linked
)
78 next
= c
->search_domain
->domains_next
;
80 next
= dns_scope_get_search_domains(c
->scope
);
83 if (!next
) /* We hit the end of the list */
86 if (!next
->route_only
)
89 /* Skip over route-only domains */
90 next
= next
->domains_next
;
93 dns_search_domain_unref(c
->search_domain
);
94 c
->search_domain
= dns_search_domain_ref(next
);
99 static int dns_query_candidate_add_transaction(
100 DnsQueryCandidate
*c
,
104 _cleanup_(dns_transaction_gcp
) DnsTransaction
*t
= NULL
;
110 /* Regular lookup with a resource key */
113 t
= dns_scope_find_transaction(c
->scope
, key
, c
->query
->flags
);
115 r
= dns_transaction_new(&t
, c
->scope
, key
, NULL
, c
->query
->flags
);
118 } else if (set_contains(c
->transactions
, t
))
121 /* "Bypass" lookup with a query packet */
124 r
= dns_transaction_new(&t
, c
->scope
, NULL
, bypass
, c
->query
->flags
);
129 r
= set_ensure_allocated(&t
->notify_query_candidates_done
, NULL
);
133 r
= set_ensure_put(&t
->notify_query_candidates
, NULL
, c
);
137 r
= set_ensure_put(&c
->transactions
, NULL
, t
);
139 (void) set_remove(t
->notify_query_candidates
, c
);
147 static int dns_query_candidate_go(DnsQueryCandidate
*c
) {
148 _cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*keep_c
= NULL
;
155 /* Let's keep a reference to the query while we're operating */
156 keep_c
= dns_query_candidate_ref(c
);
158 /* Start the transactions that are not started yet */
159 SET_FOREACH(t
, c
->transactions
) {
160 if (t
->state
!= DNS_TRANSACTION_NULL
)
163 r
= dns_transaction_go(t
);
170 /* If there was nothing to start, then let's proceed immediately */
172 dns_query_candidate_notify(c
);
177 static DnsTransactionState
dns_query_candidate_state(DnsQueryCandidate
*c
) {
178 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
183 if (c
->error_code
!= 0)
184 return DNS_TRANSACTION_ERRNO
;
186 SET_FOREACH(t
, c
->transactions
)
190 case DNS_TRANSACTION_NULL
:
191 /* If there's a NULL transaction pending, then
192 * this means not all transactions where
193 * started yet, and we were called from within
194 * the stackframe that is supposed to start
195 * remaining transactions. In this case,
196 * simply claim the candidate is pending. */
198 case DNS_TRANSACTION_PENDING
:
199 case DNS_TRANSACTION_VALIDATING
:
200 /* If there's one transaction currently in
201 * VALIDATING state, then this means there's
202 * also one in PENDING state, hence we can
203 * return PENDING immediately. */
204 return DNS_TRANSACTION_PENDING
;
206 case DNS_TRANSACTION_SUCCESS
:
211 if (state
!= DNS_TRANSACTION_SUCCESS
)
220 static int dns_query_candidate_setup_transactions(DnsQueryCandidate
*c
) {
221 DnsQuestion
*question
;
227 dns_query_candidate_stop(c
);
229 if (c
->query
->question_bypass
) {
230 /* If this is a bypass query, then pass the original query packet along to the transaction */
232 assert(dns_question_size(c
->query
->question_bypass
->question
) == 1);
234 if (!dns_scope_good_key(c
->scope
, dns_question_first_key(c
->query
->question_bypass
->question
)))
237 r
= dns_query_candidate_add_transaction(c
, NULL
, c
->query
->question_bypass
);
244 question
= dns_query_question_for_protocol(c
->query
, c
->scope
->protocol
);
246 /* Create one transaction per question key */
247 DNS_QUESTION_FOREACH(key
, question
) {
248 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*new_key
= NULL
;
249 DnsResourceKey
*qkey
;
251 if (c
->search_domain
) {
252 r
= dns_resource_key_new_append_suffix(&new_key
, key
, c
->search_domain
->name
);
260 if (!dns_scope_good_key(c
->scope
, qkey
))
263 r
= dns_query_candidate_add_transaction(c
, qkey
, NULL
);
273 dns_query_candidate_stop(c
);
277 void dns_query_candidate_notify(DnsQueryCandidate
*c
) {
278 DnsTransactionState state
;
283 state
= dns_query_candidate_state(c
);
285 if (DNS_TRANSACTION_IS_LIVE(state
))
288 if (state
!= DNS_TRANSACTION_SUCCESS
&& c
->search_domain
) {
290 r
= dns_query_candidate_next_search_domain(c
);
295 /* OK, there's another search domain to try, let's do so. */
297 r
= dns_query_candidate_setup_transactions(c
);
302 /* New transactions where queued. Start them and wait */
304 r
= dns_query_candidate_go(c
);
314 dns_query_ready(c
->query
);
318 c
->error_code
= log_warning_errno(r
, "Failed to follow search domains: %m");
319 dns_query_ready(c
->query
);
322 static void dns_query_stop(DnsQuery
*q
) {
323 DnsQueryCandidate
*c
;
327 q
->timeout_event_source
= sd_event_source_disable_unref(q
->timeout_event_source
);
329 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
)
330 dns_query_candidate_stop(c
);
333 static void dns_query_unref_candidates(DnsQuery
*q
) {
336 while (q
->candidates
)
337 dns_query_candidate_unref(q
->candidates
);
340 static void dns_query_reset_answer(DnsQuery
*q
) {
343 q
->answer
= dns_answer_unref(q
->answer
);
345 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
347 q
->answer_query_flags
= 0;
348 q
->answer_protocol
= _DNS_PROTOCOL_INVALID
;
349 q
->answer_family
= AF_UNSPEC
;
350 q
->answer_search_domain
= dns_search_domain_unref(q
->answer_search_domain
);
351 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
354 DnsQuery
*dns_query_free(DnsQuery
*q
) {
358 while (q
->auxiliary_queries
)
359 dns_query_free(q
->auxiliary_queries
);
361 if (q
->auxiliary_for
) {
362 assert(q
->auxiliary_for
->n_auxiliary_queries
> 0);
363 q
->auxiliary_for
->n_auxiliary_queries
--;
364 LIST_REMOVE(auxiliary_queries
, q
->auxiliary_for
->auxiliary_queries
, q
);
367 dns_query_unref_candidates(q
);
369 dns_question_unref(q
->question_idna
);
370 dns_question_unref(q
->question_utf8
);
371 dns_packet_unref(q
->question_bypass
);
373 dns_query_reset_answer(q
);
375 sd_bus_message_unref(q
->bus_request
);
376 sd_bus_track_unref(q
->bus_track
);
378 if (q
->varlink_request
) {
379 varlink_set_userdata(q
->varlink_request
, NULL
);
380 varlink_unref(q
->varlink_request
);
383 if (q
->request_packet
)
384 hashmap_remove_value(q
->stub_listener_extra
?
385 q
->stub_listener_extra
->queries_by_packet
:
386 q
->manager
->stub_queries_by_packet
,
390 dns_packet_unref(q
->request_packet
);
391 dns_answer_unref(q
->reply_answer
);
392 dns_answer_unref(q
->reply_authoritative
);
393 dns_answer_unref(q
->reply_additional
);
395 if (q
->request_stream
) {
396 /* Detach the stream from our query, in case something else keeps a reference to it. */
397 (void) set_remove(q
->request_stream
->queries
, q
);
398 q
->request_stream
= dns_stream_unref(q
->request_stream
);
401 free(q
->request_address_string
);
404 LIST_REMOVE(queries
, q
->manager
->dns_queries
, q
);
405 q
->manager
->n_dns_queries
--;
414 DnsQuestion
*question_utf8
,
415 DnsQuestion
*question_idna
,
416 DnsPacket
*question_bypass
,
420 _cleanup_(dns_query_freep
) DnsQuery
*q
= NULL
;
421 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
427 if (question_bypass
) {
428 /* It's either a "bypass" query, or a regular one, but can't be both. */
429 if (question_utf8
|| question_idna
)
435 /* This (primarily) checks two things:
437 * 1. That the question is not empty
438 * 2. That all RR keys in the question objects are for the same domain
440 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
441 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
443 if (dns_question_size(question_utf8
) > 0) {
444 r
= dns_question_is_valid_for_query(question_utf8
);
453 /* If the IDNA and UTF8 questions are the same, merge their references */
454 r
= dns_question_is_equal(question_idna
, question_utf8
);
458 question_idna
= question_utf8
;
460 if (dns_question_size(question_idna
) > 0) {
461 r
= dns_question_is_valid_for_query(question_idna
);
471 if (!good
) /* don't allow empty queries */
475 if (m
->n_dns_queries
>= QUERIES_MAX
)
478 q
= new(DnsQuery
, 1);
483 .question_utf8
= dns_question_ref(question_utf8
),
484 .question_idna
= dns_question_ref(question_idna
),
485 .question_bypass
= dns_packet_ref(question_bypass
),
488 .answer_dnssec_result
= _DNSSEC_RESULT_INVALID
,
489 .answer_protocol
= _DNS_PROTOCOL_INVALID
,
490 .answer_family
= AF_UNSPEC
,
493 if (question_bypass
) {
494 DNS_QUESTION_FOREACH(key
, question_bypass
->question
)
495 log_debug("Looking up bypass packet for %s.",
496 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
498 /* First dump UTF8 question */
499 DNS_QUESTION_FOREACH(key
, question_utf8
)
500 log_debug("Looking up RR for %s.",
501 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
503 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
504 DNS_QUESTION_FOREACH(key
, question_idna
) {
505 r
= dns_question_contains_key(question_utf8
, key
);
511 log_debug("Looking up IDNA RR for %s.",
512 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
516 LIST_PREPEND(queries
, m
->dns_queries
, q
);
527 int dns_query_make_auxiliary(DnsQuery
*q
, DnsQuery
*auxiliary_for
) {
529 assert(auxiliary_for
);
531 /* Ensure that the query is not auxiliary yet, and
532 * nothing else is auxiliary to it either */
533 assert(!q
->auxiliary_for
);
534 assert(!q
->auxiliary_queries
);
536 /* Ensure that the unit we shall be made auxiliary for isn't
537 * auxiliary itself */
538 assert(!auxiliary_for
->auxiliary_for
);
540 if (auxiliary_for
->n_auxiliary_queries
>= AUXILIARY_QUERIES_MAX
)
543 LIST_PREPEND(auxiliary_queries
, auxiliary_for
->auxiliary_queries
, q
);
544 q
->auxiliary_for
= auxiliary_for
;
546 auxiliary_for
->n_auxiliary_queries
++;
550 void dns_query_complete(DnsQuery
*q
, DnsTransactionState state
) {
552 assert(!DNS_TRANSACTION_IS_LIVE(state
));
553 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
555 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
556 * query or transaction after calling this function. */
565 static int on_query_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
566 DnsQuery
*q
= userdata
;
571 dns_query_complete(q
, DNS_TRANSACTION_TIMEOUT
);
575 static int dns_query_add_candidate(DnsQuery
*q
, DnsScope
*s
) {
576 _cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*c
= NULL
;
582 r
= dns_query_candidate_new(&c
, q
, s
);
586 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
587 if (!FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SEARCH
) &&
588 dns_scope_name_wants_search_domain(s
, dns_question_first_name(q
->question_idna
))) {
589 /* OK, we want a search domain now. Let's find one for this scope */
591 r
= dns_query_candidate_next_search_domain(c
);
596 r
= dns_query_candidate_setup_transactions(c
);
604 static int dns_query_synthesize_reply(DnsQuery
*q
, DnsTransactionState
*state
) {
605 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
611 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
612 * the normal lookup finished. The data from the network hence takes precedence over the data we
613 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
616 DNS_TRANSACTION_RCODE_FAILURE
,
617 DNS_TRANSACTION_NO_SERVERS
,
618 DNS_TRANSACTION_TIMEOUT
,
619 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
,
620 DNS_TRANSACTION_NETWORK_DOWN
,
621 DNS_TRANSACTION_NOT_FOUND
))
624 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
627 r
= dns_synthesize_answer(
629 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
633 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
635 dns_query_reset_answer(q
);
636 q
->answer_rcode
= DNS_RCODE_NXDOMAIN
;
637 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
638 q
->answer_family
= dns_synthesize_family(q
->flags
);
639 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
640 *state
= DNS_TRANSACTION_RCODE_FAILURE
;
647 dns_query_reset_answer(q
);
649 q
->answer
= TAKE_PTR(answer
);
650 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
651 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
652 q
->answer_family
= dns_synthesize_family(q
->flags
);
653 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
655 *state
= DNS_TRANSACTION_SUCCESS
;
660 static int dns_query_try_etc_hosts(DnsQuery
*q
) {
661 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
666 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
667 * done. The data from /etc/hosts hence takes precedence over the network. */
669 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
672 r
= manager_etc_hosts_lookup(
674 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
679 dns_query_reset_answer(q
);
681 q
->answer
= TAKE_PTR(answer
);
682 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
683 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
684 q
->answer_family
= dns_synthesize_family(q
->flags
);
685 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
690 int dns_query_go(DnsQuery
*q
) {
691 DnsScopeMatch found
= DNS_SCOPE_NO
;
692 DnsScope
*s
, *first
= NULL
;
693 DnsQueryCandidate
*c
;
698 if (q
->state
!= DNS_TRANSACTION_NULL
)
701 r
= dns_query_try_etc_hosts(q
);
705 dns_query_complete(q
, DNS_TRANSACTION_SUCCESS
);
709 LIST_FOREACH(scopes
, s
, q
->manager
->dns_scopes
) {
713 name
= dns_question_first_name(dns_query_question_for_protocol(q
, s
->protocol
));
717 match
= dns_scope_good_domain(s
, q
->ifindex
, q
->flags
, name
);
719 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name
);
723 if (match
> found
) { /* Does this match better? If so, remember how well it matched, and the first one
724 * that matches this well */
730 if (found
== DNS_SCOPE_NO
) {
731 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
733 r
= dns_query_synthesize_reply(q
, &state
);
737 dns_query_complete(q
, state
);
741 r
= dns_query_add_candidate(q
, first
);
745 LIST_FOREACH(scopes
, s
, first
->scopes_next
) {
749 name
= dns_question_first_name(dns_query_question_for_protocol(q
, s
->protocol
));
753 match
= dns_scope_good_domain(s
, q
->ifindex
, q
->flags
, name
);
755 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name
);
762 r
= dns_query_add_candidate(q
, s
);
767 dns_query_reset_answer(q
);
769 r
= sd_event_add_time_relative(
771 &q
->timeout_event_source
,
772 clock_boottime_or_monotonic(),
773 SD_RESOLVED_QUERY_TIMEOUT_USEC
,
774 0, on_query_timeout
, q
);
778 (void) sd_event_source_set_description(q
->timeout_event_source
, "query-timeout");
780 q
->state
= DNS_TRANSACTION_PENDING
;
783 /* Start the transactions */
784 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
785 r
= dns_query_candidate_go(c
);
802 static void dns_query_accept(DnsQuery
*q
, DnsQueryCandidate
*c
) {
803 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
804 bool has_authenticated
= false, has_non_authenticated
= false, has_confidential
= false, has_non_confidential
= false;
805 DnssecResult dnssec_result_authenticated
= _DNSSEC_RESULT_INVALID
, dnssec_result_non_authenticated
= _DNSSEC_RESULT_INVALID
;
812 r
= dns_query_synthesize_reply(q
, &state
);
816 dns_query_complete(q
, state
);
820 if (c
->error_code
!= 0) {
821 /* If the candidate had an error condition of its own, start with that. */
822 state
= DNS_TRANSACTION_ERRNO
;
823 q
->answer
= dns_answer_unref(q
->answer
);
825 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
826 q
->answer_query_flags
= 0;
827 q
->answer_errno
= c
->error_code
;
828 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
831 SET_FOREACH(t
, c
->transactions
) {
835 case DNS_TRANSACTION_SUCCESS
: {
836 /* We found a successful reply, merge it into the answer */
838 if (state
== DNS_TRANSACTION_SUCCESS
) {
839 r
= dns_answer_extend(&q
->answer
, t
->answer
);
843 q
->answer_query_flags
|= dns_transaction_source_to_query_flags(t
->answer_source
);
845 /* Override non-successful previous answers */
846 dns_answer_unref(q
->answer
);
847 q
->answer
= dns_answer_ref(t
->answer
);
849 q
->answer_query_flags
= dns_transaction_source_to_query_flags(t
->answer_source
);
852 q
->answer_rcode
= t
->answer_rcode
;
855 dns_packet_unref(q
->answer_full_packet
);
856 q
->answer_full_packet
= dns_packet_ref(t
->received
);
858 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
)) {
859 has_authenticated
= true;
860 dnssec_result_authenticated
= t
->answer_dnssec_result
;
862 has_non_authenticated
= true;
863 dnssec_result_non_authenticated
= t
->answer_dnssec_result
;
866 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
867 has_confidential
= true;
869 has_non_confidential
= true;
871 state
= DNS_TRANSACTION_SUCCESS
;
875 case DNS_TRANSACTION_NULL
:
876 case DNS_TRANSACTION_PENDING
:
877 case DNS_TRANSACTION_VALIDATING
:
878 case DNS_TRANSACTION_ABORTED
:
879 /* Ignore transactions that didn't complete */
883 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
884 if (state
== DNS_TRANSACTION_SUCCESS
)
887 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
888 if (FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) &&
889 !FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
892 dns_answer_unref(q
->answer
);
893 q
->answer
= dns_answer_ref(t
->answer
);
894 q
->answer_rcode
= t
->answer_rcode
;
895 q
->answer_dnssec_result
= t
->answer_dnssec_result
;
896 q
->answer_query_flags
= t
->answer_query_flags
| dns_transaction_source_to_query_flags(t
->answer_source
);
897 q
->answer_errno
= t
->answer_errno
;
898 dns_packet_unref(q
->answer_full_packet
);
899 q
->answer_full_packet
= dns_packet_ref(t
->received
);
906 if (state
== DNS_TRANSACTION_SUCCESS
) {
907 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
, has_authenticated
&& !has_non_authenticated
);
908 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
, has_confidential
&& !has_non_confidential
);
909 q
->answer_dnssec_result
= FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) ? dnssec_result_authenticated
: dnssec_result_non_authenticated
;
912 q
->answer_protocol
= c
->scope
->protocol
;
913 q
->answer_family
= c
->scope
->family
;
915 dns_search_domain_unref(q
->answer_search_domain
);
916 q
->answer_search_domain
= dns_search_domain_ref(c
->search_domain
);
918 r
= dns_query_synthesize_reply(q
, &state
);
922 dns_query_complete(q
, state
);
926 q
->answer_errno
= -r
;
927 dns_query_complete(q
, DNS_TRANSACTION_ERRNO
);
930 void dns_query_ready(DnsQuery
*q
) {
932 DnsQueryCandidate
*bad
= NULL
, *c
;
933 bool pending
= false;
936 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
938 /* Note that this call might invalidate the query. Callers
939 * should hence not attempt to access the query or transaction
940 * after calling this function, unless the block_ready
941 * counter was explicitly bumped before doing so. */
943 if (q
->block_ready
> 0)
946 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
947 DnsTransactionState state
;
949 state
= dns_query_candidate_state(c
);
952 case DNS_TRANSACTION_SUCCESS
:
953 /* One of the candidates is successful,
954 * let's use it, and copy its data out */
955 dns_query_accept(q
, c
);
958 case DNS_TRANSACTION_NULL
:
959 case DNS_TRANSACTION_PENDING
:
960 case DNS_TRANSACTION_VALIDATING
:
961 /* One of the candidates is still going on,
962 * let's maybe wait for it */
967 /* Any kind of failure */
976 dns_query_accept(q
, bad
);
979 static int dns_query_cname_redirect(DnsQuery
*q
, const DnsResourceRecord
*cname
) {
980 _cleanup_(dns_question_unrefp
) DnsQuestion
*nq_idna
= NULL
, *nq_utf8
= NULL
;
985 q
->n_cname_redirects
++;
986 if (q
->n_cname_redirects
> CNAME_REDIRECT_MAX
)
989 r
= dns_question_cname_redirect(q
->question_idna
, cname
, &nq_idna
);
993 log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q
->question_idna
), dns_question_first_name(nq_idna
));
995 k
= dns_question_is_equal(q
->question_idna
, q
->question_utf8
);
999 /* Same question? Shortcut new question generation */
1000 nq_utf8
= dns_question_ref(nq_idna
);
1003 k
= dns_question_cname_redirect(q
->question_utf8
, cname
, &nq_utf8
);
1007 log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q
->question_utf8
), dns_question_first_name(nq_utf8
));
1010 if (r
== 0 && k
== 0) /* No actual cname happened? */
1013 if (q
->answer_protocol
== DNS_PROTOCOL_DNS
)
1014 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1015 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1017 q
->flags
&= ~(SD_RESOLVED_LLMNR
|SD_RESOLVED_MDNS
); /* mask away the local protocols */
1019 /* Turn off searching for the new name */
1020 q
->flags
|= SD_RESOLVED_NO_SEARCH
;
1022 dns_question_unref(q
->question_idna
);
1023 q
->question_idna
= TAKE_PTR(nq_idna
);
1025 dns_question_unref(q
->question_utf8
);
1026 q
->question_utf8
= TAKE_PTR(nq_utf8
);
1028 dns_query_unref_candidates(q
);
1030 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1031 * include everything we need, let's check that first */
1033 q
->state
= DNS_TRANSACTION_NULL
;
1038 int dns_query_process_cname_one(DnsQuery
*q
) {
1039 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*cname
= NULL
;
1040 DnsQuestion
*question
;
1041 DnsResourceRecord
*rr
;
1042 bool full_match
= true;
1048 /* Processes a CNAME redirect if there's one. Returns one of three values:
1050 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1051 * bother with any CNAME/DNAME stuff)
1053 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1054 * restart query or take things as NODATA reply.
1056 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1058 * The function might also return a failure, in particular -ELOOP if we encountered too many
1059 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1061 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1062 * case of CNAME_QUERY_CNAME, though. */
1064 if (!IN_SET(q
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_NULL
))
1065 return DNS_QUERY_NOMATCH
;
1067 question
= dns_query_question_for_protocol(q
, q
->answer_protocol
);
1069 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1070 * record type. Specifically, when we do an address lookup the question will typically consist of one
1071 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1072 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1073 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1076 * Hence we first check of the answers we collected are sufficient to answer all our questions
1077 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1078 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
1081 DNS_QUESTION_FOREACH(k
, question
) {
1084 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1085 r
= dns_resource_key_match_rr(k
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1089 match
= true; /* Yay, we found an RR that matches the key we are looking for */
1095 /* Hmm. :-( there's no response for this key. This doesn't match. */
1102 return DNS_QUERY_MATCH
; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1104 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1105 * matches any of our questions. */
1106 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1107 r
= dns_question_matches_cname_or_dname(question
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1110 if (r
> 0 && !cname
)
1111 cname
= dns_resource_record_ref(rr
);
1115 return DNS_QUERY_NOMATCH
; /* No match and no CNAME/DNAME to follow */
1117 if (q
->flags
& SD_RESOLVED_NO_CNAME
)
1120 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
1121 q
->previous_redirect_unauthenticated
= true;
1122 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
1123 q
->previous_redirect_non_confidential
= true;
1124 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_SYNTHETIC
))
1125 q
->previous_redirect_non_synthetic
= true;
1127 /* OK, let's actually follow the CNAME */
1128 r
= dns_query_cname_redirect(q
, cname
);
1132 return DNS_QUERY_CNAME
; /* Tell caller that we did a single CNAME/DNAME redirection step */
1135 int dns_query_process_cname_many(DnsQuery
*q
) {
1140 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1141 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1142 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1143 * but with extended semantics. Specifically:
1145 * DNS_QUERY_MATCH → as above
1147 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1148 * message, and thus restarted the query to resolve it.
1150 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1151 * CNAME/DNAME match. i.e. this is a NODATA case.
1153 * Note that this function will restart the query for the caller if needed, and that's the case
1154 * DNS_QUERY_CNAME is returned.
1157 r
= dns_query_process_cname_one(q
);
1158 if (r
!= DNS_QUERY_CNAME
)
1159 return r
; /* The first redirect is special: if it doesn't answer the question that's no
1160 * reason to restart the query, we just accept this as a NODATA answer. */
1163 r
= dns_query_process_cname_one(q
);
1164 if (r
< 0 || r
== DNS_QUERY_MATCH
)
1166 if (r
== DNS_QUERY_NOMATCH
) {
1167 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1168 * this. Let's restart the query hence, with the new question. Why the different
1169 * handling than the first chain element? Because if the server answers a direct
1170 * question with an empty answer then this is a NODATA response. But if it responds
1171 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1172 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1173 * chain. This is particular relevant since our cache will store CNAME/DNAME
1174 * redirects that we learnt about for lookups of certain DNS types, but later on we
1175 * can reuse this data even for other DNS types, but in that case need to follow up
1176 * with the final lookup of the chain ourselves with the RR type we ourselves are
1178 r
= dns_query_go(q
);
1182 return DNS_QUERY_CNAME
;
1185 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1186 * continue going then. */
1187 assert(r
== DNS_QUERY_CNAME
);
1191 DnsQuestion
* dns_query_question_for_protocol(DnsQuery
*q
, DnsProtocol protocol
) {
1194 if (q
->question_bypass
)
1195 return q
->question_bypass
->question
;
1199 case DNS_PROTOCOL_DNS
:
1200 return q
->question_idna
;
1202 case DNS_PROTOCOL_MDNS
:
1203 case DNS_PROTOCOL_LLMNR
:
1204 return q
->question_utf8
;
1211 const char *dns_query_string(DnsQuery
*q
) {
1215 /* Returns a somewhat useful human-readable lookup key string for this query */
1217 if (q
->question_bypass
)
1218 return dns_question_first_name(q
->question_bypass
->question
);
1220 if (q
->request_address_string
)
1221 return q
->request_address_string
;
1223 if (q
->request_address_valid
) {
1224 r
= in_addr_to_string(q
->request_family
, &q
->request_address
, &q
->request_address_string
);
1226 return q
->request_address_string
;
1229 name
= dns_question_first_name(q
->question_utf8
);
1233 return dns_question_first_name(q
->question_idna
);
1236 bool dns_query_fully_authenticated(DnsQuery
*q
) {
1239 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) && !q
->previous_redirect_unauthenticated
;
1242 bool dns_query_fully_confidential(DnsQuery
*q
) {
1245 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
) && !q
->previous_redirect_non_confidential
;
1248 bool dns_query_fully_authoritative(DnsQuery
*q
) {
1251 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1252 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
1253 * previous synthetic DNAME/CNAME redirections.)*/
1254 if ((q
->answer_query_flags
& SD_RESOLVED_SYNTHETIC
) && !q
->previous_redirect_non_synthetic
)
1257 /* We are also authoritative for everything coming only from the trust anchor and the local
1258 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
1259 * explicitly check previous redirects here.)*/
1260 return (q
->answer_query_flags
& SD_RESOLVED_FROM_MASK
& ~(SD_RESOLVED_FROM_TRUST_ANCHOR
| SD_RESOLVED_FROM_ZONE
)) == 0;