]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-query.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
basic/include: replace _Static_assert() with static_assert()
[thirdparty/systemd.git] / src / resolve / resolved-dns-query.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
74b2466e 2
284d7641
DDM		 3#include "sd-bus.h"
4#include "sd-varlink.h"
5
b5efdb8a 6#include "alloc-util.h"
2a1037af 7#include "dns-domain.h"
011696f7 8#include "dns-type.h"
ecdfb9a1 9#include "event-util.h"
e2341b6b 10#include "glyph-util.h"
284d7641 11#include "log.h"
68527d30
DDM		 12#include "resolved-dns-answer.h"
13#include "resolved-dns-packet.h"
74b2466e 14#include "resolved-dns-query.h"
68527d30
DDM		 15#include "resolved-dns-question.h"
16#include "resolved-dns-rr.h"
17#include "resolved-dns-scope.h"
18#include "resolved-dns-search-domain.h"
839a4a20 19#include "resolved-dns-synthesize.h"
68527d30 20#include "resolved-dns-transaction.h"
dd0bc0f1 21#include "resolved-etc-hosts.h"
68527d30 22#include "resolved-manager.h"
0da73fab 23#include "resolved-timeouts.h"
284d7641 24#include "set.h"
23b298bc 25#include "string-util.h"
74b2466e 26
39762fdf 27#define QUERIES_MAX 2048
45ec7efb 28#define AUXILIARY_QUERIES_MAX 64
b4d12278 29#define CNAME_REDIRECTS_MAX 16
8ba9fd9c 30
e1004d0a 31assert_cc(AUXILIARY_QUERIES_MAX < UINT8_MAX);
b4d12278 32assert_cc(CNAME_REDIRECTS_MAX < UINT8_MAX);
8ba9fd9c 33
801ad6a6
LP		 34static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
35 DnsQueryCandidate *c;
74b2466e 36
801ad6a6 37 assert(ret);
faa133f3 38 assert(q);
801ad6a6 39 assert(s);
74b2466e 40
1ed31408 41 c = new(DnsQueryCandidate, 1);
801ad6a6
LP		 42 if (!c)
43 return -ENOMEM;
44
1ed31408 45 *c = (DnsQueryCandidate) {
0e0fd08f 46 .n_ref = 1,
1ed31408
LP		 47 .query = q,
48 .scope = s,
49 };
801ad6a6
LP		 50
51 LIST_PREPEND(candidates_by_query, q->candidates, c);
52 LIST_PREPEND(candidates_by_scope, s->query_candidates, c);
53
54 *ret = c;
55 return 0;
56}
57
58static void dns_query_candidate_stop(DnsQueryCandidate *c) {
59 DnsTransaction *t;
74b2466e 60
801ad6a6
LP		 61 assert(c);
62
0da73fab
MHS		 63 (void) event_source_disable(c->timeout_event_source);
64
c856ef04
ZJS		 65 /* Detach all the DnsTransactions attached to this query */
66
801ad6a6 67 while ((t = set_steal_first(c->transactions))) {
547973de 68 set_remove(t->notify_query_candidates, c);
35aa04e9 69 set_remove(t->notify_query_candidates_done, c);
ec2c5e43 70 dns_transaction_gc(t);
74b2466e 71 }
74b2466e
LP		 72}
73
ce880172
RP		 74static void dns_query_candidate_abandon(DnsQueryCandidate *c) {
75 DnsTransaction *t;
76
77 assert(c);
78
0da73fab
MHS		 79 (void) event_source_disable(c->timeout_event_source);
80
ce880172
RP		 81 /* Abandon all the DnsTransactions attached to this query */
82
83 while ((t = set_steal_first(c->transactions))) {
84 t->wait_for_answer = true;
85 set_remove(t->notify_query_candidates, c);
86 set_remove(t->notify_query_candidates_done, c);
87 dns_transaction_gc(t);
88 }
89}
90
c856ef04
ZJS		 91static DnsQueryCandidate* dns_query_candidate_unlink(DnsQueryCandidate *c) {
92 assert(c);
93
94 /* Detach this DnsQueryCandidate from the Query and Scope objects */
95
96 if (c->query) {
97 LIST_REMOVE(candidates_by_query, c->query->candidates, c);
98 c->query = NULL;
99 }
100
101 if (c->scope) {
102 LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c);
103 c->scope = NULL;
104 }
105
106 return c;
107}
108
0e0fd08f 109static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
801ad6a6
LP		 110 if (!c)
111 return NULL;
112
0da73fab
MHS		 113 c->timeout_event_source = sd_event_source_disable_unref(c->timeout_event_source);
114
801ad6a6 115 dns_query_candidate_stop(c);
c856ef04 116 dns_query_candidate_unlink(c);
801ad6a6
LP		 117
118 set_free(c->transactions);
119 dns_search_domain_unref(c->search_domain);
120
6b430fdb 121 return mfree(c);
801ad6a6
LP		 122}
123
0e0fd08f
ZJS		 124DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate, dns_query_candidate, dns_query_candidate_free);
125
801ad6a6 126static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
c805014a 127 DnsSearchDomain *next;
801ad6a6
LP		 128
129 assert(c);
130
ad44b56b 131 if (c->search_domain && c->search_domain->linked)
801ad6a6 132 next = c->search_domain->domains_next;
ad44b56b
LP		 133 else
134 next = dns_scope_get_search_domains(c->scope);
801ad6a6 135
ad44b56b 136 for (;;) {
6627b7e2
LP		 137 if (!next) /* We hit the end of the list */
138 return 0;
801ad6a6 139
ad44b56b
LP		 140 if (!next->route_only)
141 break;
801ad6a6 142
ad44b56b
LP		 143 /* Skip over route-only domains */
144 next = next->domains_next;
801ad6a6
LP		 145 }
146
147 dns_search_domain_unref(c->search_domain);
148 c->search_domain = dns_search_domain_ref(next);
6627b7e2 149
81ae2237 150 return 0;
801ad6a6
LP		 151}
152
775ae354
LP		 153static int dns_query_candidate_add_transaction(
154 DnsQueryCandidate *c,
155 DnsResourceKey *key,
156 DnsPacket *bypass) {
157
29bd6012 158 _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL;
801ad6a6
LP		 159 int r;
160
161 assert(c);
c856ef04 162 assert(c->query); /* We shan't add transactions to a candidate that has been detached already */
801ad6a6 163
775ae354
LP		 164 if (key) {
165 /* Regular lookup with a resource key */
166 assert(!bypass);
167
168 t = dns_scope_find_transaction(c->scope, key, c->query->flags);
169 if (!t) {
170 r = dns_transaction_new(&t, c->scope, key, NULL, c->query->flags);
171 if (r < 0)
172 return r;
173 } else if (set_contains(c->transactions, t))
174 return 0;
175 } else {
176 /* "Bypass" lookup with a query packet */
177 assert(bypass);
178
179 r = dns_transaction_new(&t, c->scope, NULL, bypass, c->query->flags);
801ad6a6
LP		 180 if (r < 0)
181 return r;
775ae354 182 }
801ad6a6 183
35aa04e9
LP		 184 r = set_ensure_allocated(&t->notify_query_candidates_done, NULL);
185 if (r < 0)
29bd6012 186 return r;
35aa04e9 187
de7fef4b 188 r = set_ensure_put(&t->notify_query_candidates, NULL, c);
801ad6a6 189 if (r < 0)
29bd6012 190 return r;
801ad6a6 191
de7fef4b 192 r = set_ensure_put(&c->transactions, NULL, t);
801ad6a6 193 if (r < 0) {
547973de 194 (void) set_remove(t->notify_query_candidates, c);
29bd6012 195 return r;
801ad6a6
LP		 196 }
197
29bd6012 198 TAKE_PTR(t);
547973de 199 return 1;
801ad6a6
LP		 200}
201
202static int dns_query_candidate_go(DnsQueryCandidate *c) {
d7ac0952 203 _unused_ _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL;
801ad6a6 204 DnsTransaction *t;
801ad6a6 205 int r;
011696f7 206 unsigned n = 0;
801ad6a6
LP		 207
208 assert(c);
209
0e0fd08f
ZJS		 210 /* Let's keep a reference to the query while we're operating */
211 keep_c = dns_query_candidate_ref(c);
4ea8b443 212
5814acca
YW		 213 uint64_t generation = c->generation;
214
801ad6a6 215 /* Start the transactions that are not started yet */
90e74a66 216 SET_FOREACH(t, c->transactions) {
801ad6a6
LP		 217 if (t->state != DNS_TRANSACTION_NULL)
218 continue;
219
220 r = dns_transaction_go(t);
0e0fd08f 221 if (r < 0)
801ad6a6 222 return r;
011696f7 223
5814acca
YW		 224 if (c->generation != generation)
225 /* The transaction has been completed, and dns_transaction_complete() ->
226 * dns_query_candidate_notify() has been already called. Moreover, the query
227 * candidate has been regenerated, and the query should be already restarted.
228 * Let's exit from the loop now. */
229 return 0;
230
011696f7 231 n++;
801ad6a6
LP		 232 }
233
011696f7 234 /* If there was nothing to start, then let's proceed immediately */
0e0fd08f 235 if (n == 0)
011696f7
LP		 236 dns_query_candidate_notify(c);
237
801ad6a6
LP		 238 return 0;
239}
240
241static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {
242 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
243 DnsTransaction *t;
801ad6a6
LP		 244
245 assert(c);
246
247 if (c->error_code != 0)
7cc6ed7b 248 return DNS_TRANSACTION_ERRNO;
801ad6a6 249
adf6d848 250 SET_FOREACH(t, c->transactions)
801ad6a6
LP		 251
252 switch (t->state) {
253
5264131a
LP		 254 case DNS_TRANSACTION_NULL:
255 /* If there's a NULL transaction pending, then
256 * this means not all transactions where
257 * started yet, and we were called from within
258 * the stackframe that is supposed to start
259 * remaining transactions. In this case,
260 * simply claim the candidate is pending. */
261
801ad6a6 262 case DNS_TRANSACTION_PENDING:
547973de
LP		 263 case DNS_TRANSACTION_VALIDATING:
264 /* If there's one transaction currently in
265 * VALIDATING state, then this means there's
266 * also one in PENDING state, hence we can
267 * return PENDING immediately. */
268 return DNS_TRANSACTION_PENDING;
801ad6a6
LP		 269
270 case DNS_TRANSACTION_SUCCESS:
271 state = t->state;
272 break;
273
274 default:
275 if (state != DNS_TRANSACTION_SUCCESS)
276 state = t->state;
801ad6a6 277 }
801ad6a6
LP		 278
279 return state;
280}
281
282static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) {
23b298bc 283 DnsQuestion *question;
801ad6a6
LP		 284 DnsResourceKey *key;
285 int n = 0, r;
286
287 assert(c);
c856ef04 288 assert(c->query); /* We shan't add transactions to a candidate that has been detached already */
801ad6a6
LP		 289
290 dns_query_candidate_stop(c);
291
5814acca
YW		 292 c->generation++;
293
775ae354
LP		 294 if (c->query->question_bypass) {
295 /* If this is a bypass query, then pass the original query packet along to the transaction */
296
297 assert(dns_question_size(c->query->question_bypass->question) == 1);
298
ab715ddb 299 if (!dns_scope_good_key(c->scope, dns_question_first_key(c->query->question_bypass->question)))
775ae354
LP		 300 return 0;
301
302 r = dns_query_candidate_add_transaction(c, NULL, c->query->question_bypass);
303 if (r < 0)
304 goto fail;
305
306 return 1;
307 }
308
23b298bc
LP		 309 question = dns_query_question_for_protocol(c->query, c->scope->protocol);
310
801ad6a6 311 /* Create one transaction per question key */
23b298bc 312 DNS_QUESTION_FOREACH(key, question) {
801ad6a6 313 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL;
011696f7
LP		 314 DnsResourceKey *qkey;
315
801ad6a6
LP		 316 if (c->search_domain) {
317 r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name);
318 if (r < 0)
319 goto fail;
801ad6a6 320
011696f7
LP		 321 qkey = new_key;
322 } else
323 qkey = key;
324
325 if (!dns_scope_good_key(c->scope, qkey))
326 continue;
327
775ae354 328 r = dns_query_candidate_add_transaction(c, qkey, NULL);
801ad6a6
LP		 329 if (r < 0)
330 goto fail;
331
332 n++;
333 }
334
335 return n;
336
337fail:
338 dns_query_candidate_stop(c);
339 return r;
340}
341
0da73fab
MHS		 342static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c);
343
344static int on_candidate_timeout(sd_event_source *s, usec_t usec, void *userdata) {
345 DnsQueryCandidate *c = userdata;
346
347 assert(s);
348 assert(c);
349
350 log_debug("Accepting incomplete query candidate after expedited timeout on partial success.");
351 dns_query_accept(c->query, c);
352
353 return 0;
354}
355
356static bool dns_query_candidate_has_partially_succeeded(DnsQueryCandidate *c) {
357 DnsTransaction *t;
358
359 SET_FOREACH(t, c->transactions)
360 if (t->state == DNS_TRANSACTION_SUCCESS)
361 return true;
362
363 return false;
364}
365
547973de 366void dns_query_candidate_notify(DnsQueryCandidate *c) {
801ad6a6
LP		 367 DnsTransactionState state;
368 int r;
369
370 assert(c);
371
c856ef04
ZJS		 372 if (!c->query) /* This candidate has been abandoned, do nothing. */
373 return;
374
801ad6a6
LP		 375 state = dns_query_candidate_state(c);
376
0da73fab
MHS		 377 if (DNS_TRANSACTION_IS_LIVE(state)) {
378 if (dns_query_candidate_has_partially_succeeded(c))
379 (void) event_reset_time_relative(
380 c->query->manager->event,
381 &c->timeout_event_source,
382 CLOCK_BOOTTIME,
ac3a4034 383 CANDIDATE_EXPEDITED_TIMEOUT_USEC, /* accuracy= */ 0,
0da73fab
MHS		 384 on_candidate_timeout, c,
385 /* priority= */ 0, "candidate-timeout",
386 /* force_reset= */ false);
387
801ad6a6 388 return;
0da73fab 389 }
801ad6a6
LP		 390
391 if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
392
0da73fab
MHS		 393 (void) event_source_disable(c->timeout_event_source);
394
801ad6a6
LP		 395 r = dns_query_candidate_next_search_domain(c);
396 if (r < 0)
397 goto fail;
398
399 if (r > 0) {
400 /* OK, there's another search domain to try, let's do so. */
401
402 r = dns_query_candidate_setup_transactions(c);
403 if (r < 0)
404 goto fail;
405
406 if (r > 0) {
231557fe 407 /* New transactions have been queued. Start them and wait */
801ad6a6
LP		 408
409 r = dns_query_candidate_go(c);
410 if (r < 0)
411 goto fail;
412
413 return;
414 }
415 }
416
417 }
418
419 dns_query_ready(c->query);
420 return;
421
422fail:
fed66db0 423 c->error_code = log_warning_errno(r, "Failed to follow search domains: %m");
801ad6a6
LP		 424 dns_query_ready(c->query);
425}
426
427static void dns_query_stop(DnsQuery *q) {
801ad6a6
LP		 428 assert(q);
429
ecdfb9a1 430 event_source_disable(q->timeout_event_source);
801ad6a6
LP		 431
432 LIST_FOREACH(candidates_by_query, c, q->candidates)
433 dns_query_candidate_stop(c);
434}
435
ce880172
RP		 436static void dns_query_abandon(DnsQuery *q) {
437 assert(q);
438
439 /* Thankfully transactions have their own timeouts */
440 event_source_disable(q->timeout_event_source);
441
442 LIST_FOREACH(candidates_by_query, c, q->candidates)
443 dns_query_candidate_abandon(c);
444}
445
c856ef04 446static void dns_query_unlink_candidates(DnsQuery *q) {
7820b320
LP		 447 assert(q);
448
449 while (q->candidates)
c856ef04
ZJS		 450 /* Here we drop *our* references to each of the candidates. If we had the only reference, the
451 * DnsQueryCandidate object will be freed. */
452 dns_query_candidate_unref(dns_query_candidate_unlink(q->candidates));
7820b320
LP		 453}
454
455static void dns_query_reset_answer(DnsQuery *q) {
456 assert(q);
457
458 q->answer = dns_answer_unref(q->answer);
459 q->answer_rcode = 0;
41398e87
YW		 460 q->answer_ede_rcode = _DNS_EDE_RCODE_INVALID;
461 q->answer_ede_msg = mfree(q->answer_ede_msg);
7820b320 462 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
7cc6ed7b 463 q->answer_errno = 0;
6f055e43 464 q->answer_query_flags = 0;
7820b320
LP		 465 q->answer_protocol = _DNS_PROTOCOL_INVALID;
466 q->answer_family = AF_UNSPEC;
467 q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
775ae354 468 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
7820b320
LP		 469}
470
74b2466e 471DnsQuery *dns_query_free(DnsQuery *q) {
74b2466e
LP		 472 if (!q)
473 return NULL;
474
73bfd7be
YW		 475 q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);
476
45ec7efb
LP		 477 while (q->auxiliary_queries)
478 dns_query_free(q->auxiliary_queries);
479
480 if (q->auxiliary_for) {
481 assert(q->auxiliary_for->n_auxiliary_queries > 0);
482 q->auxiliary_for->n_auxiliary_queries--;
483 LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q);
484 }
485
c856ef04 486 dns_query_unlink_candidates(q);
322345fd 487
23b298bc
LP		 488 dns_question_unref(q->question_idna);
489 dns_question_unref(q->question_utf8);
775ae354 490 dns_packet_unref(q->question_bypass);
72c2d39e 491 dns_question_unref(q->collected_questions);
7820b320
LP		 492
493 dns_query_reset_answer(q);
322345fd 494
c9de4e0f 495 sd_bus_message_unref(q->bus_request);
82bd6ddd 496 sd_bus_track_unref(q->bus_track);
74b2466e 497
9581bb84 498 if (q->varlink_request) {
25ff515b
LP		 499 sd_varlink_set_userdata(q->varlink_request, NULL);
500 sd_varlink_unref(q->varlink_request);
9581bb84
LP		 501 }
502
bde69bbd
LP		 503 if (q->request_packet)
504 hashmap_remove_value(q->stub_listener_extra ?
505 q->stub_listener_extra->queries_by_packet :
506 q->manager->stub_queries_by_packet,
507 q->request_packet,
508 q);
509
775ae354
LP		 510 dns_packet_unref(q->request_packet);
511 dns_answer_unref(q->reply_answer);
512 dns_answer_unref(q->reply_authoritative);
513 dns_answer_unref(q->reply_additional);
b30bf55d 514
775ae354 515 if (q->request_stream) {
b30bf55d 516 /* Detach the stream from our query, in case something else keeps a reference to it. */
775ae354
LP		 517 (void) set_remove(q->request_stream->queries, q);
518 q->request_stream = dns_stream_unref(q->request_stream);
b30bf55d
LP		 519 }
520
23b298bc
LP		 521 free(q->request_address_string);
522
39762fdf 523 if (q->manager) {
74b2466e 524 LIST_REMOVE(queries, q->manager->dns_queries, q);
39762fdf
LP		 525 q->manager->n_dns_queries--;
526 }
74b2466e 527
6b430fdb 528 return mfree(q);
74b2466e
LP		 529}
530
2aacaf81
LP		 531typedef enum RefuseRecordTypeResult {
532 REFUSE_BAD,
533 REFUSE_GOOD,
534 REFUSE_PARTIAL,
535} RefuseRecordTypeResult;
536
537static RefuseRecordTypeResult test_refuse_record_types(Set *refuse_record_types, DnsQuestion *question) {
538 bool has_good = false, has_bad = false;
539 DnsResourceKey *key;
540
541 DNS_QUESTION_FOREACH(key, question)
542 if (set_contains(refuse_record_types, INT_TO_PTR(key->type)))
543 has_bad = true;
544 else
545 has_good = true;
546
547 if (has_bad && !has_good)
548 return REFUSE_BAD;
549 if (!has_bad) {
550 assert(has_good); /* The question should have at least one key. */
551 return REFUSE_GOOD;
552 }
553
554 return REFUSE_PARTIAL;
555}
556
225dbd61 557static int manager_validate_and_mangle_question(Manager *manager, DnsQuestion **question, DnsQuestion **ret_allocated) {
81ae2237
MNBKL		 558 int r;
559
225dbd61
YW		 560 assert(manager);
561 assert(question);
562 assert(ret_allocated);
563
95625f3c 564 if (dns_question_isempty(*question)) {
225dbd61
YW		 565 *ret_allocated = NULL;
566 return 0;
567 }
568
569 if (set_isempty(manager->refuse_record_types)) {
570 *ret_allocated = NULL;
81ae2237 571 return 0; /* No filtering configured. Let's shortcut. */
225dbd61 572 }
81ae2237 573
2aacaf81
LP		 574 RefuseRecordTypeResult result = test_refuse_record_types(manager->refuse_record_types, *question);
575 if (result == REFUSE_BAD)
81ae2237 576 return -ENOANO; /* All bad, refuse.*/
2aacaf81 577 if (result == REFUSE_GOOD) {
225dbd61 578 *ret_allocated = NULL;
81ae2237
MNBKL		 579 return 0; /* All good. Not necessary to filter. */
580 }
581
2aacaf81
LP		 582 assert(result == REFUSE_PARTIAL);
583
81ae2237
MNBKL		 584 /* Mangle the question suppressing bad entries, leaving good entries */
585 _cleanup_(dns_question_unrefp) DnsQuestion *new_question = dns_question_new(dns_question_size(*question));
586 if (!new_question)
587 return -ENOMEM;
588
589 DnsQuestionItem *item;
590 DNS_QUESTION_FOREACH_ITEM(item, *question) {
225dbd61 591 if (set_contains(manager->refuse_record_types, INT_TO_PTR(item->key->type)))
81ae2237
MNBKL		 592 continue;
593 r = dns_question_add_raw(new_question, item->key, item->flags);
594 if (r < 0)
595 return r;
596 }
597
225dbd61
YW		 598 *question = new_question;
599 *ret_allocated = TAKE_PTR(new_question);
600 return 0;
81ae2237
MNBKL		 601}
602
23b298bc
LP		 603int dns_query_new(
604 Manager *m,
605 DnsQuery **ret,
606 DnsQuestion *question_utf8,
607 DnsQuestion *question_idna,
775ae354 608 DnsPacket *question_bypass,
17c8de63
LP		 609 int ifindex,
610 uint64_t flags) {
23b298bc 611
74b2466e 612 _cleanup_(dns_query_freep) DnsQuery *q = NULL;
775ae354 613 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
23b298bc 614 DnsResourceKey *key;
faa133f3 615 int r;
74b2466e
LP		 616
617 assert(m);
618
81ae2237 619 /* Check for records that is refused and refuse query for the records if matched in configuration */
225dbd61
YW		 620 _unused_ _cleanup_(dns_question_unrefp) DnsQuestion *filtered_question_utf8 = NULL;
621 r = manager_validate_and_mangle_question(m, &question_utf8, &filtered_question_utf8);
81ae2237
MNBKL		 622 if (r < 0)
623 return r;
624
225dbd61
YW		 625 _unused_ _cleanup_(dns_question_unrefp) DnsQuestion *filtered_question_idna = NULL;
626 r = manager_validate_and_mangle_question(m, &question_idna, &filtered_question_idna);
81ae2237
MNBKL		 627 if (r < 0)
628 return r;
629
775ae354
LP		 630 if (question_bypass) {
631 /* It's either a "bypass" query, or a regular one, but can't be both. */
632 if (question_utf8 || question_idna)
23b298bc
LP		 633 return -EINVAL;
634
576a2bc7
LP		 635 assert(dns_question_size(question_bypass->question) == 1);
636
637 /* In bypass mode we'll never mangle the question, but only deny or allow. (In bypass mode
638 * there's only going to be one entry in the query, hence there's no point in mangling
639 * questions, i.e. leaving some entries in and removing others.) */
640 if (test_refuse_record_types(m->refuse_record_types, question_bypass->question) != REFUSE_GOOD)
641 return -ENOANO;
775ae354
LP		 642 } else {
643 bool good = false;
23b298bc 644
1a71fe4e
LP		 645 /* This (primarily) checks two things:
646 *
647 * 1. That the question is not empty
648 * 2. That all RR keys in the question objects are for the same domain
649 *
650 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
651 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
652
775ae354
LP		 653 if (dns_question_size(question_utf8) > 0) {
654 r = dns_question_is_valid_for_query(question_utf8);
23b298bc
LP		 655 if (r < 0)
656 return r;
657 if (r == 0)
658 return -EINVAL;
659
660 good = true;
661 }
23b298bc 662
775ae354
LP		 663 /* If the IDNA and UTF8 questions are the same, merge their references */
664 r = dns_question_is_equal(question_idna, question_utf8);
665 if (r < 0)
666 return r;
667 if (r > 0)
668 question_idna = question_utf8;
669 else {
670 if (dns_question_size(question_idna) > 0) {
671 r = dns_question_is_valid_for_query(question_idna);
672 if (r < 0)
673 return r;
674 if (r == 0)
675 return -EINVAL;
676
677 good = true;
678 }
679 }
680
681 if (!good) /* don't allow empty queries */
682 return -EINVAL;
683 }
74b2466e 684
39762fdf
LP		 685 if (m->n_dns_queries >= QUERIES_MAX)
686 return -EBUSY;
687
1ed31408 688 q = new(DnsQuery, 1);
74b2466e
LP		 689 if (!q)
690 return -ENOMEM;
691
1ed31408
LP		 692 *q = (DnsQuery) {
693 .question_utf8 = dns_question_ref(question_utf8),
694 .question_idna = dns_question_ref(question_idna),
775ae354 695 .question_bypass = dns_packet_ref(question_bypass),
1ed31408
LP		 696 .ifindex = ifindex,
697 .flags = flags,
41398e87 698 .answer_ede_rcode = _DNS_EDE_RCODE_INVALID,
1ed31408
LP		 699 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
700 .answer_protocol = _DNS_PROTOCOL_INVALID,
701 .answer_family = AF_UNSPEC,
702 };
322345fd 703
775ae354
LP		 704 if (question_bypass) {
705 DNS_QUESTION_FOREACH(key, question_bypass->question)
706 log_debug("Looking up bypass packet for %s.",
707 dns_resource_key_to_string(key, key_str, sizeof key_str));
708 } else {
160f3145 709 /* First dump UTF8 question */
775ae354
LP		 710 DNS_QUESTION_FOREACH(key, question_utf8)
711 log_debug("Looking up RR for %s.",
712 dns_resource_key_to_string(key, key_str, sizeof key_str));
713
714 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
715 DNS_QUESTION_FOREACH(key, question_idna) {
ab715ddb 716 r = dns_question_contains_key(question_utf8, key);
775ae354
LP		 717 if (r < 0)
718 return r;
719 if (r > 0)
720 continue;
23b298bc 721
775ae354
LP		 722 log_debug("Looking up IDNA RR for %s.",
723 dns_resource_key_to_string(key, key_str, sizeof key_str));
724 }
74b2466e
LP		 725 }
726
727 LIST_PREPEND(queries, m->dns_queries, q);
39762fdf 728 m->n_dns_queries++;
74b2466e
LP		 729 q->manager = m;
730
8ba9fd9c
LP		 731 if (ret)
732 *ret = q;
8ba9fd9c 733
775ae354 734 TAKE_PTR(q);
8ba9fd9c
LP		 735 return 0;
736}
737
45ec7efb
LP		 738int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {
739 assert(q);
740 assert(auxiliary_for);
741
61233823 742 /* Ensure that the query is not auxiliary yet, and
45ec7efb
LP		 743 * nothing else is auxiliary to it either */
744 assert(!q->auxiliary_for);
745 assert(!q->auxiliary_queries);
746
747 /* Ensure that the unit we shall be made auxiliary for isn't
748 * auxiliary itself */
749 assert(!auxiliary_for->auxiliary_for);
750
751 if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX)
752 return -EAGAIN;
753
754 LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q);
755 q->auxiliary_for = auxiliary_for;
756
757 auxiliary_for->n_auxiliary_queries++;
758 return 0;
759}
760
65a01e82 761void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
8ba9fd9c 762 assert(q);
547973de
LP		 763 assert(!DNS_TRANSACTION_IS_LIVE(state));
764 assert(DNS_TRANSACTION_IS_LIVE(q->state));
8ba9fd9c 765
65a01e82
LP		 766 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
767 * query or transaction after calling this function. */
8ba9fd9c 768
8ba9fd9c
LP		 769 q->state = state;
770
d9f9b8ce 771 (void) manager_monitor_send(q->manager, q);
cb456374 772
ce880172 773 dns_query_abandon(q);
322345fd
LP		 774 if (q->complete)
775 q->complete(q);
8ba9fd9c
LP		 776}
777
778static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) {
99534007 779 DnsQuery *q = ASSERT_PTR(userdata);
8ba9fd9c
LP		 780
781 assert(s);
8ba9fd9c 782
ec2c5e43 783 dns_query_complete(q, DNS_TRANSACTION_TIMEOUT);
8ba9fd9c
LP		 784 return 0;
785}
786
801ad6a6 787static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
0e0fd08f 788 _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *c = NULL;
faa133f3
LP		 789 int r;
790
791 assert(q);
ec2c5e43 792 assert(s);
faa133f3 793
801ad6a6 794 r = dns_query_candidate_new(&c, q, s);
faa133f3
LP		 795 if (r < 0)
796 return r;
797
801ad6a6 798 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
3b5bd7d6
ZJS		 799 if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) &&
800 dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) {
801 /* OK, we want a search domain now. Let's find one for this scope */
22f711bb 802
6da95857 803 r = dns_query_candidate_next_search_domain(c);
3b5bd7d6 804 if (r < 0)
7877e5ca 805 return r;
faa133f3
LP		 806 }
807
801ad6a6
LP		 808 r = dns_query_candidate_setup_transactions(c);
809 if (r < 0)
7877e5ca 810 return r;
801ad6a6 811
7877e5ca 812 TAKE_PTR(c);
faa133f3 813 return 0;
faa133f3
LP		 814}
815
78c6a153 816static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
2a1037af 817 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
dd0bc0f1 818 int r;
2a1037af
LP		 819
820 assert(q);
821 assert(state);
822
dd0bc0f1
LP		 823 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
824 * the normal lookup finished. The data from the network hence takes precedence over the data we
825 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
2a1037af
LP		 826
827 if (!IN_SET(*state,
3bbdc31d 828 DNS_TRANSACTION_RCODE_FAILURE,
2a1037af
LP		 829 DNS_TRANSACTION_NO_SERVERS,
830 DNS_TRANSACTION_TIMEOUT,
edbcc1fd 831 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED,
0791110f
LP		 832 DNS_TRANSACTION_NETWORK_DOWN,
833 DNS_TRANSACTION_NOT_FOUND))
78c6a153 834 return 0;
2a1037af 835
775ae354
LP		 836 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
837 return 0;
838
839a4a20
LP		 839 r = dns_synthesize_answer(
840 q->manager,
775ae354 841 q->question_bypass ? q->question_bypass->question : q->question_utf8,
839a4a20 842 q->ifindex,
dd0bc0f1 843 &answer);
acf06088
LP		 844 if (r == -ENXIO) {
845 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
2a1037af 846
acf06088
LP		 847 dns_query_reset_answer(q);
848 q->answer_rcode = DNS_RCODE_NXDOMAIN;
849 q->answer_protocol = dns_synthesize_protocol(q->flags);
850 q->answer_family = dns_synthesize_family(q->flags);
5c1790d1 851 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
acf06088
LP		 852 *state = DNS_TRANSACTION_RCODE_FAILURE;
853
6399be22
LP		 854 log_debug("Found synthetic NXDOMAIN response.");
855
acf06088
LP		 856 return 0;
857 }
839a4a20
LP		 858 if (r <= 0)
859 return r;
2a1037af 860
839a4a20 861 dns_query_reset_answer(q);
2a1037af 862
1cc6c93a 863 q->answer = TAKE_PTR(answer);
2a1037af 864 q->answer_rcode = DNS_RCODE_SUCCESS;
dd0bc0f1
LP		 865 q->answer_protocol = dns_synthesize_protocol(q->flags);
866 q->answer_family = dns_synthesize_family(q->flags);
5c1790d1 867 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
2a1037af
LP		 868
869 *state = DNS_TRANSACTION_SUCCESS;
78c6a153 870
6399be22
LP		 871 log_debug("Found synthetic success response.");
872
78c6a153 873 return 1;
2a1037af
LP		 874}
875
dd0bc0f1
LP		 876static int dns_query_try_etc_hosts(DnsQuery *q) {
877 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
878 int r;
879
880 assert(q);
881
c805014a
ZJS		 882 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
883 * done. The data from /etc/hosts hence takes precedence over the network. */
dd0bc0f1 884
775ae354
LP		 885 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
886 return 0;
887
dd0bc0f1
LP		 888 r = manager_etc_hosts_lookup(
889 q->manager,
775ae354 890 q->question_bypass ? q->question_bypass->question : q->question_utf8,
dd0bc0f1
LP		 891 &answer);
892 if (r <= 0)
893 return r;
894
895 dns_query_reset_answer(q);
896
1cc6c93a 897 q->answer = TAKE_PTR(answer);
dd0bc0f1
LP		 898 q->answer_rcode = DNS_RCODE_SUCCESS;
899 q->answer_protocol = dns_synthesize_protocol(q->flags);
900 q->answer_family = dns_synthesize_family(q->flags);
5c1790d1 901 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
dd0bc0f1
LP		 902
903 return 1;
904}
905
322345fd 906int dns_query_go(DnsQuery *q) {
8ba9fd9c 907 DnsScopeMatch found = DNS_SCOPE_NO;
03677889 908 DnsScope *first = NULL;
8ba9fd9c
LP		 909 int r;
910
911 assert(q);
912
ec2c5e43 913 if (q->state != DNS_TRANSACTION_NULL)
8ba9fd9c
LP		 914 return 0;
915
dd0bc0f1
LP		 916 r = dns_query_try_etc_hosts(q);
917 if (r < 0)
918 return r;
919 if (r > 0) {
920 dns_query_complete(q, DNS_TRANSACTION_SUCCESS);
921 return 1;
922 }
923
8ba9fd9c 924 LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
74b2466e 925 DnsScopeMatch match;
23b298bc 926
d0eae64c 927 match = dns_scope_good_domain(s, q, q->flags);
830f50ab 928 assert(match >= 0);
a97a3b25
LP		 929 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
930 * that matches this well */
931 found = match;
74b2466e 932 first = s;
74b2466e
LP		 933 }
934 }
935
2a1037af
LP		 936 if (found == DNS_SCOPE_NO) {
937 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
938
7cc6ed7b
LP		 939 r = dns_query_synthesize_reply(q, &state);
940 if (r < 0)
941 return r;
942
d634711b
LP		 943 dns_query_complete(q, state);
944 return 1;
2a1037af 945 }
74b2466e 946
801ad6a6 947 r = dns_query_add_candidate(q, first);
74b2466e 948 if (r < 0)
ec2c5e43 949 goto fail;
74b2466e 950
74b2466e
LP		 951 LIST_FOREACH(scopes, s, first->scopes_next) {
952 DnsScopeMatch match;
953
d0eae64c 954 match = dns_scope_good_domain(s, q, q->flags);
830f50ab 955 assert(match >= 0);
a97a3b25 956 if (match < found)
74b2466e
LP		 957 continue;
958
801ad6a6 959 r = dns_query_add_candidate(q, s);
74b2466e 960 if (r < 0)
ec2c5e43 961 goto fail;
74b2466e
LP		 962 }
963
ab88b6d0 964 dns_query_reset_answer(q);
74b2466e 965
ecdfb9a1 966 r = event_reset_time_relative(
9a015429
LP		 967 q->manager->event,
968 &q->timeout_event_source,
ba4e0427 969 CLOCK_BOOTTIME,
39cf0351 970 SD_RESOLVED_QUERY_TIMEOUT_USEC,
ecdfb9a1
YW		 971 0, on_query_timeout, q,
972 0, "query-timeout", true);
74b2466e
LP		 973 if (r < 0)
974 goto fail;
975
ec2c5e43 976 q->state = DNS_TRANSACTION_PENDING;
faa133f3 977 q->block_ready++;
74b2466e 978
801ad6a6
LP		 979 /* Start the transactions */
980 LIST_FOREACH(candidates_by_query, c, q->candidates) {
981 r = dns_query_candidate_go(c);
982 if (r < 0) {
983 q->block_ready--;
ec2c5e43 984 goto fail;
801ad6a6 985 }
74b2466e
LP		 986 }
987
faa133f3
LP		 988 q->block_ready--;
989 dns_query_ready(q);
322345fd 990
8ba9fd9c 991 return 1;
74b2466e
LP		 992
993fail:
8ba9fd9c 994 dns_query_stop(q);
74b2466e
LP		 995 return r;
996}
997
801ad6a6 998static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
ec2c5e43 999 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
43fc4baa 1000 bool has_authenticated = false, has_non_authenticated = false, has_confidential = false, has_non_confidential = false;
019036a4 1001 DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
801ad6a6 1002 DnsTransaction *t;
547973de 1003 int r;
74b2466e
LP		 1004
1005 assert(q);
1006
801ad6a6 1007 if (!c) {
7cc6ed7b
LP		 1008 r = dns_query_synthesize_reply(q, &state);
1009 if (r < 0)
1010 goto fail;
1011
801ad6a6 1012 dns_query_complete(q, state);
74b2466e 1013 return;
801ad6a6 1014 }
74b2466e 1015
a7bf2ada
LP		 1016 if (c->error_code != 0) {
1017 /* If the candidate had an error condition of its own, start with that. */
1018 state = DNS_TRANSACTION_ERRNO;
1019 q->answer = dns_answer_unref(q->answer);
1020 q->answer_rcode = 0;
1021 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
6f055e43 1022 q->answer_query_flags = 0;
a7bf2ada 1023 q->answer_errno = c->error_code;
775ae354 1024 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
a7bf2ada
LP		 1025 }
1026
90e74a66 1027 SET_FOREACH(t, c->transactions) {
74b2466e 1028
801ad6a6 1029 switch (t->state) {
934e9b10 1030
801ad6a6 1031 case DNS_TRANSACTION_SUCCESS: {
775ae354
LP		 1032 /* We found a successful reply, merge it into the answer */
1033
1034 if (state == DNS_TRANSACTION_SUCCESS) {
1035 r = dns_answer_extend(&q->answer, t->answer);
1036 if (r < 0)
1037 goto fail;
5c1790d1
LP		 1038
1039 q->answer_query_flags |= dns_transaction_source_to_query_flags(t->answer_source);
775ae354
LP		 1040 } else {
1041 /* Override non-successful previous answers */
1117a960 1042 DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer));
5c1790d1 1043 q->answer_query_flags = dns_transaction_source_to_query_flags(t->answer_source);
775ae354 1044 }
019036a4 1045
ae6a4bbf 1046 q->answer_rcode = t->answer_rcode;
7cc6ed7b 1047 q->answer_errno = 0;
801ad6a6 1048
899e3cda 1049 DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received));
775ae354 1050
6f055e43 1051 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) {
931851e8 1052 has_authenticated = true;
019036a4
LP		 1053 dnssec_result_authenticated = t->answer_dnssec_result;
1054 } else {
931851e8 1055 has_non_authenticated = true;
019036a4
LP		 1056 dnssec_result_non_authenticated = t->answer_dnssec_result;
1057 }
931851e8 1058
43fc4baa
LP		 1059 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
1060 has_confidential = true;
1061 else
1062 has_non_confidential = true;
1063
801ad6a6
LP		 1064 state = DNS_TRANSACTION_SUCCESS;
1065 break;
1066 }
1067
801ad6a6 1068 case DNS_TRANSACTION_NULL:
547973de
LP		 1069 case DNS_TRANSACTION_PENDING:
1070 case DNS_TRANSACTION_VALIDATING:
801ad6a6
LP		 1071 case DNS_TRANSACTION_ABORTED:
1072 /* Ignore transactions that didn't complete */
1073 continue;
1074
1075 default:
cbb1aabb 1076 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
019036a4
LP		 1077 if (state == DNS_TRANSACTION_SUCCESS)
1078 continue;
934e9b10 1079
cbb1aabb 1080 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
6f055e43
LP		 1081 if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) &&
1082 !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
cbb1aabb
LP		 1083 continue;
1084
1117a960 1085 DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer));
019036a4 1086 q->answer_rcode = t->answer_rcode;
9ca133e9 1087 q->answer_ede_rcode = t->answer_ede_rcode;
41398e87
YW		 1088 r = free_and_strdup_warn(&q->answer_ede_msg, t->answer_ede_msg);
1089 if (r < 0)
1090 goto fail;
1091 q->answer_dnssec_result = t->answer_dnssec_result;
5c1790d1 1092 q->answer_query_flags = t->answer_query_flags | dns_transaction_source_to_query_flags(t->answer_source);
7cc6ed7b 1093 q->answer_errno = t->answer_errno;
899e3cda 1094 DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received));
934e9b10 1095
019036a4 1096 state = t->state;
74b2466e 1097 }
801ad6a6 1098 }
74b2466e 1099
019036a4 1100 if (state == DNS_TRANSACTION_SUCCESS) {
6f055e43 1101 SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated);
43fc4baa 1102 SET_FLAG(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, has_confidential && !has_non_confidential);
6f055e43 1103 q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated;
019036a4
LP		 1104 }
1105
801ad6a6
LP		 1106 q->answer_protocol = c->scope->protocol;
1107 q->answer_family = c->scope->family;
934e9b10 1108
801ad6a6
LP		 1109 dns_search_domain_unref(q->answer_search_domain);
1110 q->answer_search_domain = dns_search_domain_ref(c->search_domain);
7e8e0422 1111
7cc6ed7b
LP		 1112 r = dns_query_synthesize_reply(q, &state);
1113 if (r < 0)
1114 goto fail;
1115
801ad6a6 1116 dns_query_complete(q, state);
7cc6ed7b
LP		 1117 return;
1118
1119fail:
1120 q->answer_errno = -r;
1121 dns_query_complete(q, DNS_TRANSACTION_ERRNO);
801ad6a6 1122}
934e9b10 1123
801ad6a6 1124void dns_query_ready(DnsQuery *q) {
03677889 1125 DnsQueryCandidate *bad = NULL;
801ad6a6 1126 bool pending = false;
74b2466e 1127
801ad6a6 1128 assert(q);
547973de 1129 assert(DNS_TRANSACTION_IS_LIVE(q->state));
e4501ed4 1130
801ad6a6
LP		 1131 /* Note that this call might invalidate the query. Callers
1132 * should hence not attempt to access the query or transaction
1133 * after calling this function, unless the block_ready
1134 * counter was explicitly bumped before doing so. */
1135
1136 if (q->block_ready > 0)
1137 return;
1138
1139 LIST_FOREACH(candidates_by_query, c, q->candidates) {
1140 DnsTransactionState state;
1141
1142 state = dns_query_candidate_state(c);
1143 switch (state) {
1144
1145 case DNS_TRANSACTION_SUCCESS:
547973de 1146 /* One of the candidates is successful,
801ad6a6
LP		 1147 * let's use it, and copy its data out */
1148 dns_query_accept(q, c);
e4501ed4
LP		 1149 return;
1150
801ad6a6 1151 case DNS_TRANSACTION_NULL:
547973de
LP		 1152 case DNS_TRANSACTION_PENDING:
1153 case DNS_TRANSACTION_VALIDATING:
1154 /* One of the candidates is still going on,
1155 * let's maybe wait for it */
801ad6a6
LP		 1156 pending = true;
1157 break;
e4501ed4 1158
801ad6a6 1159 default:
635b42ed
LP		 1160 /* Any kind of failure: save the most recent error, as long as we never saved one
1161 * before or our current one is "conclusive" in the sense that we definitely did a
1162 * lookup, and thus have a real answer (which might be a failure, but is still *some*
1163 * answer). */
1164
1165 if (!bad || !IN_SET(state, DNS_TRANSACTION_NO_SERVERS, DNS_TRANSACTION_NETWORK_DOWN, DNS_TRANSACTION_NO_SOURCE))
1166 bad = c;
1167 break;
801ad6a6 1168 }
faa133f3 1169 }
74b2466e 1170
801ad6a6
LP		 1171 if (pending)
1172 return;
2a1037af 1173
801ad6a6 1174 dns_query_accept(q, bad);
74b2466e 1175}
8ba9fd9c 1176
72c2d39e
LP		 1177static int dns_query_collect_question(DnsQuery *q, DnsQuestion *question) {
1178 _cleanup_(dns_question_unrefp) DnsQuestion *merged = NULL;
1179 int r;
1180
1181 assert(q);
1182
1183 if (dns_question_size(question) == 0)
1184 return 0;
1185
1186 /* When redirecting, save the first element in the chain, for informational purposes when monitoring */
1187 r = dns_question_merge(q->collected_questions, question, &merged);
1188 if (r < 0)
1189 return r;
1190
1191 dns_question_unref(q->collected_questions);
1192 q->collected_questions = TAKE_PTR(merged);
1193
1194 return 0;
1195}
1196
45ec7efb 1197static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) {
23b298bc
LP		 1198 _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL;
1199 int r, k;
8ba9fd9c
LP		 1200
1201 assert(q);
1202
b4d12278 1203 if (q->n_cname_redirects >= CNAME_REDIRECTS_MAX)
8ba9fd9c 1204 return -ELOOP;
b4d12278 1205 q->n_cname_redirects++;
8ba9fd9c 1206
23b298bc 1207 r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
faa133f3
LP		 1208 if (r < 0)
1209 return r;
4cba52cc 1210 if (r > 0)
e2341b6b
DT		 1211 log_debug("Following CNAME/DNAME %s %s %s.",
1212 dns_question_first_name(q->question_idna),
1ae9b0cf 1213 glyph(GLYPH_ARROW_RIGHT),
e2341b6b 1214 dns_question_first_name(nq_idna));
23b298bc
LP		 1215
1216 k = dns_question_is_equal(q->question_idna, q->question_utf8);
1217 if (k < 0)
4cba52cc 1218 return k;
23b298bc
LP		 1219 if (k > 0) {
1220 /* Same question? Shortcut new question generation */
1221 nq_utf8 = dns_question_ref(nq_idna);
1222 k = r;
1223 } else {
1224 k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8);
1225 if (k < 0)
1226 return k;
4cba52cc 1227 if (k > 0)
e2341b6b
DT		 1228 log_debug("Following UTF8 CNAME/DNAME %s %s %s.",
1229 dns_question_first_name(q->question_utf8),
1ae9b0cf 1230 glyph(GLYPH_ARROW_RIGHT),
e2341b6b 1231 dns_question_first_name(nq_utf8));
23b298bc 1232 }
8ba9fd9c 1233
23b298bc
LP		 1234 if (r == 0 && k == 0) /* No actual cname happened? */
1235 return -ELOOP;
1236
d46b79bb 1237 if (q->answer_protocol == DNS_PROTOCOL_DNS)
8e5de09f
LP		 1238 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1239 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1240 * ones. */
8e5de09f 1241 q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
8e5de09f
LP		 1242
1243 /* Turn off searching for the new name */
1244 q->flags |= SD_RESOLVED_NO_SEARCH;
1245
72c2d39e
LP		 1246 r = dns_query_collect_question(q, q->question_idna);
1247 if (r < 0)
1248 return r;
1249 r = dns_query_collect_question(q, q->question_utf8);
1250 if (r < 0)
1251 return r;
1252
1253 /* Install the redirected question */
23b298bc 1254 dns_question_unref(q->question_idna);
1cc6c93a 1255 q->question_idna = TAKE_PTR(nq_idna);
bc7669cf 1256
23b298bc 1257 dns_question_unref(q->question_utf8);
1cc6c93a 1258 q->question_utf8 = TAKE_PTR(nq_utf8);
8ba9fd9c 1259
c856ef04 1260 dns_query_unlink_candidates(q);
b1eea703
LP		 1261
1262 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1263 * include everything we need, let's check that first */
322345fd 1264
8e5de09f 1265 q->state = DNS_TRANSACTION_NULL;
59a89990 1266
8ba9fd9c
LP		 1267 return 0;
1268}
82bd6ddd 1269
1db8e6d1 1270int dns_query_process_cname_one(DnsQuery *q) {
45ec7efb 1271 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL;
23b298bc 1272 DnsQuestion *question;
45ec7efb 1273 DnsResourceRecord *rr;
1a71fe4e
LP		 1274 bool full_match = true;
1275 DnsResourceKey *k;
45ec7efb
LP		 1276 int r;
1277
1278 assert(q);
1279
1db8e6d1
LP		 1280 /* Processes a CNAME redirect if there's one. Returns one of three values:
1281 *
1282 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1283 * bother with any CNAME/DNAME stuff)
1284 *
1285 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1286 * restart query or take things as NODATA reply.
1287 *
1288 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1289 *
1290 * The function might also return a failure, in particular -ELOOP if we encountered too many
1291 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1292 *
1293 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1294 * case of CNAME_QUERY_CNAME, though. */
1295
7588460a
TG		 1296 if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL))
1297 return DNS_QUERY_NOMATCH;
45ec7efb 1298
23b298bc 1299 question = dns_query_question_for_protocol(q, q->answer_protocol);
45ec7efb 1300
1a71fe4e
LP		 1301 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1302 * record type. Specifically, when we do an address lookup the question will typically consist of one
1303 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1304 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1305 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1306 * type.
1307 *
1308 * Hence we first check of the answers we collected are sufficient to answer all our questions
1309 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1310 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
7802194a 1311 * the AAAA query. */
1a71fe4e
LP		 1312
1313 DNS_QUESTION_FOREACH(k, question) {
1314 bool match = false;
1315
1316 DNS_ANSWER_FOREACH(rr, q->answer) {
1317 r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
1318 if (r < 0)
1319 return r;
1320 if (r > 0) {
1321 match = true; /* Yay, we found an RR that matches the key we are looking for */
1322 break;
1323 }
1324 }
1325
1326 if (!match) {
1327 /* Hmm. :-( there's no response for this key. This doesn't match. */
1328 full_match = false;
1329 break;
1330 }
1331 }
45ec7efb 1332
1a71fe4e
LP		 1333 if (full_match)
1334 return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1335
1336 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1337 * matches any of our questions. */
1338 DNS_ANSWER_FOREACH(rr, q->answer) {
542e0c84 1339 r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
45ec7efb
LP		 1340 if (r < 0)
1341 return r;
1342 if (r > 0 && !cname)
1343 cname = dns_resource_record_ref(rr);
1344 }
1345
1346 if (!cname)
1a71fe4e 1347 return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */
45ec7efb
LP		 1348
1349 if (q->flags & SD_RESOLVED_NO_CNAME)
1350 return -ELOOP;
1351
6f055e43 1352 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
28830a64 1353 q->previous_redirect_unauthenticated = true;
43fc4baa
LP		 1354 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
1355 q->previous_redirect_non_confidential = true;
9ddf099f
LP		 1356 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_SYNTHETIC))
1357 q->previous_redirect_non_synthetic = true;
28830a64 1358
45ec7efb
LP		 1359 /* OK, let's actually follow the CNAME */
1360 r = dns_query_cname_redirect(q, cname);
1361 if (r < 0)
1362 return r;
1363
1db8e6d1
LP		 1364 return DNS_QUERY_CNAME; /* Tell caller that we did a single CNAME/DNAME redirection step */
1365}
45ec7efb 1366
1db8e6d1
LP		 1367int dns_query_process_cname_many(DnsQuery *q) {
1368 int r;
45ec7efb 1369
1db8e6d1
LP		 1370 assert(q);
1371
1372 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1373 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1374 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1375 * but with extended semantics. Specifically:
1376 *
1377 * DNS_QUERY_MATCH → as above
1378 *
1379 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1380 * message, and thus restarted the query to resolve it.
1381 *
1382 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1383 * CNAME/DNAME match. i.e. this is a NODATA case.
1384 *
1385 * Note that this function will restart the query for the caller if needed, and that's the case
1386 * DNS_QUERY_CNAME is returned.
1387 */
1388
1389 r = dns_query_process_cname_one(q);
1390 if (r != DNS_QUERY_CNAME)
1391 return r; /* The first redirect is special: if it doesn't answer the question that's no
1392 * reason to restart the query, we just accept this as a NODATA answer. */
1393
1394 for (;;) {
1395 r = dns_query_process_cname_one(q);
1396 if (r < 0 || r == DNS_QUERY_MATCH)
1397 return r;
1398 if (r == DNS_QUERY_NOMATCH) {
1399 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1400 * this. Let's restart the query hence, with the new question. Why the different
1401 * handling than the first chain element? Because if the server answers a direct
1402 * question with an empty answer then this is a NODATA response. But if it responds
1403 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1404 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1405 * chain. This is particular relevant since our cache will store CNAME/DNAME
1406 * redirects that we learnt about for lookups of certain DNS types, but later on we
1407 * can reuse this data even for other DNS types, but in that case need to follow up
1408 * with the final lookup of the chain ourselves with the RR type we ourselves are
1409 * interested in. */
1410 r = dns_query_go(q);
1411 if (r < 0)
1412 return r;
1413
1414 return DNS_QUERY_CNAME;
1415 }
1416
1417 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1418 * continue going then. */
1419 assert(r == DNS_QUERY_CNAME);
1420 }
45ec7efb
LP		 1421}
1422
23b298bc
LP		 1423DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) {
1424 assert(q);
1425
775ae354
LP		 1426 if (q->question_bypass)
1427 return q->question_bypass->question;
1428
23b298bc
LP		 1429 switch (protocol) {
1430
1431 case DNS_PROTOCOL_DNS:
1432 return q->question_idna;
1433
1434 case DNS_PROTOCOL_MDNS:
1435 case DNS_PROTOCOL_LLMNR:
1436 return q->question_utf8;
1437
1438 default:
1439 return NULL;
1440 }
1441}
1442
bfd5a068 1443const char* dns_query_string(DnsQuery *q) {
23b298bc
LP		 1444 const char *name;
1445 int r;
1446
1447 /* Returns a somewhat useful human-readable lookup key string for this query */
1448
775ae354
LP		 1449 if (q->question_bypass)
1450 return dns_question_first_name(q->question_bypass->question);
1451
23b298bc
LP		 1452 if (q->request_address_string)
1453 return q->request_address_string;
1454
1455 if (q->request_address_valid) {
1456 r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string);
1457 if (r >= 0)
1458 return q->request_address_string;
1459 }
1460
1461 name = dns_question_first_name(q->question_utf8);
1462 if (name)
1463 return name;
1464
1465 return dns_question_first_name(q->question_idna);
1466}
28830a64
LP		 1467
1468bool dns_query_fully_authenticated(DnsQuery *q) {
1469 assert(q);
1470
6f055e43 1471 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated;
28830a64 1472}
43fc4baa
LP		 1473
1474bool dns_query_fully_confidential(DnsQuery *q) {
1475 assert(q);
1476
1477 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
1478}
4ad017cd 1479
9ddf099f 1480bool dns_query_fully_authoritative(DnsQuery *q) {
4ad017cd
SB		 1481 assert(q);
1482
9ddf099f
LP		 1483 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1484 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
7802194a 1485 * previous synthetic DNAME/CNAME redirections.) */
9ddf099f
LP		 1486 if ((q->answer_query_flags & SD_RESOLVED_SYNTHETIC) && !q->previous_redirect_non_synthetic)
1487 return true;
1488
1489 /* We are also authoritative for everything coming only from the trust anchor and the local
1490 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
7802194a 1491 * explicitly check previous redirects here.) */
9ddf099f 1492 return (q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~(SD_RESOLVED_FROM_TRUST_ANCHOR | SD_RESOLVED_FROM_ZONE)) == 0;
4ad017cd 1493}
7cf95470
YW		 1494
1495int validate_and_mangle_query_flags(
1496 Manager *manager,
1497 uint64_t *flags,
1498 const char *name,
1499 uint64_t ok) {
1500
1501 assert(manager);
1502 assert(flags);
1503
1504 /* Checks that the client supplied interface index and flags parameter actually are valid and make
1505 * sense in our method call context. Specifically:
1506 *
1507 * 1. Checks that the interface index is either 0 (meaning *all* interfaces) or positive
1508 *
1509 * 2. Only the protocols flags and a bunch of NO_XYZ flags are set, at most. Plus additional flags
1510 * specific to our method, passed in the "ok" parameter.
1511 *
1512 * 3. If zero protocol flags are specified it is automatically turned into *all* protocols. This way
1513 * clients can simply pass 0 as flags and all will work as it should. They can also use this so
1514 * that clients don't have to know all the protocols resolved implements, but can just specify 0
1515 * to mean "all supported protocols".
1516 */
1517
1518 if (*flags & ~(SD_RESOLVED_PROTOCOLS_ALL|
1519 SD_RESOLVED_NO_CNAME|
1520 SD_RESOLVED_NO_VALIDATE|
1521 SD_RESOLVED_NO_SYNTHESIZE|
1522 SD_RESOLVED_NO_CACHE|
1523 SD_RESOLVED_NO_ZONE|
1524 SD_RESOLVED_NO_TRUST_ANCHOR|
1525 SD_RESOLVED_NO_NETWORK|
1526 SD_RESOLVED_NO_STALE|
1527 SD_RESOLVED_RELAX_SINGLE_LABEL|
1528 ok))
1529 return -EINVAL;
1530
1531 if ((*flags & SD_RESOLVED_PROTOCOLS_ALL) == 0) /* If no protocol is enabled, enable all */
1532 *flags |= SD_RESOLVED_PROTOCOLS_ALL;
1533
1534 /* Imply SD_RESOLVED_NO_SEARCH if permitted and name is dot suffixed. */
1535 if (name && FLAGS_SET(ok, SD_RESOLVED_NO_SEARCH) && dns_name_dot_suffixed(name) > 0)
1536 *flags |= SD_RESOLVED_NO_SEARCH;
1537
9ec25fba
YW		 1538 /* If both A and AAAA are refused, set SD_RESOLVED_NO_ADDRESS flag if it is allowed. */
1539 if (set_contains(manager->refuse_record_types, INT_TO_PTR(DNS_TYPE_A)) &&
1540 set_contains(manager->refuse_record_types, INT_TO_PTR(DNS_TYPE_AAAA)) &&
1541 FLAGS_SET(ok, SD_RESOLVED_NO_ADDRESS))
1542 *flags |= SD_RESOLVED_NO_ADDRESS;
1543
1544 /* Similarly, if TXT is refused, set SD_RESOLVED_NO_TXT flag if it is allowed. */
1545 if (set_contains(manager->refuse_record_types, INT_TO_PTR(DNS_TYPE_TXT)) &&
1546 FLAGS_SET(ok, SD_RESOLVED_NO_TXT))
1547 *flags |= SD_RESOLVED_NO_TXT;
1548
7cf95470
YW		 1549 return 0;
1550}
68527d30
DDM		 1551
1552uint64_t dns_query_reply_flags_make(DnsQuery *q) {
1553 assert(q);
1554
1555 return SD_RESOLVED_FLAGS_MAKE(q->answer_protocol,
1556 q->answer_family,
1557 dns_query_fully_authenticated(q),
1558 dns_query_fully_confidential(q)) |
1559 (q->answer_query_flags & (SD_RESOLVED_FROM_MASK|SD_RESOLVED_SYNTHETIC));
1560}
Unnamed repository; edit this file 'description' to name the repository.