]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-query.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: use ASSERT_PTR more
[thirdparty/systemd.git] / src / resolve / resolved-dns-query.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "alloc-util.h"
4 #include "dns-domain.h"
5 #include "dns-type.h"
6 #include "event-util.h"
7 #include "glyph-util.h"
8 #include "hostname-util.h"
9 #include "local-addresses.h"
10 #include "resolved-dns-query.h"
11 #include "resolved-dns-synthesize.h"
12 #include "resolved-etc-hosts.h"
13 #include "string-util.h"
14
15 #define QUERIES_MAX 2048
16 #define AUXILIARY_QUERIES_MAX 64
17 #define CNAME_REDIRECTS_MAX 16
18
19 assert_cc(AUXILIARY_QUERIES_MAX < UINT8_MAX);
20 assert_cc(CNAME_REDIRECTS_MAX < UINT8_MAX);
21
22 static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
23 DnsQueryCandidate *c;
24
25 assert(ret);
26 assert(q);
27 assert(s);
28
29 c = new(DnsQueryCandidate, 1);
30 if (!c)
31 return -ENOMEM;
32
33 *c = (DnsQueryCandidate) {
34 .n_ref = 1,
35 .query = q,
36 .scope = s,
37 };
38
39 LIST_PREPEND(candidates_by_query, q->candidates, c);
40 LIST_PREPEND(candidates_by_scope, s->query_candidates, c);
41
42 *ret = c;
43 return 0;
44 }
45
46 static void dns_query_candidate_stop(DnsQueryCandidate *c) {
47 DnsTransaction *t;
48
49 assert(c);
50
51 /* Detach all the DnsTransactions attached to this query */
52
53 while ((t = set_steal_first(c->transactions))) {
54 set_remove(t->notify_query_candidates, c);
55 set_remove(t->notify_query_candidates_done, c);
56 dns_transaction_gc(t);
57 }
58 }
59
60 static DnsQueryCandidate* dns_query_candidate_unlink(DnsQueryCandidate *c) {
61 assert(c);
62
63 /* Detach this DnsQueryCandidate from the Query and Scope objects */
64
65 if (c->query) {
66 LIST_REMOVE(candidates_by_query, c->query->candidates, c);
67 c->query = NULL;
68 }
69
70 if (c->scope) {
71 LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c);
72 c->scope = NULL;
73 }
74
75 return c;
76 }
77
78 static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
79 if (!c)
80 return NULL;
81
82 dns_query_candidate_stop(c);
83 dns_query_candidate_unlink(c);
84
85 set_free(c->transactions);
86 dns_search_domain_unref(c->search_domain);
87
88 return mfree(c);
89 }
90
91 DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate, dns_query_candidate, dns_query_candidate_free);
92
93 static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
94 DnsSearchDomain *next;
95
96 assert(c);
97
98 if (c->search_domain && c->search_domain->linked)
99 next = c->search_domain->domains_next;
100 else
101 next = dns_scope_get_search_domains(c->scope);
102
103 for (;;) {
104 if (!next) /* We hit the end of the list */
105 return 0;
106
107 if (!next->route_only)
108 break;
109
110 /* Skip over route-only domains */
111 next = next->domains_next;
112 }
113
114 dns_search_domain_unref(c->search_domain);
115 c->search_domain = dns_search_domain_ref(next);
116
117 return 1;
118 }
119
120 static int dns_query_candidate_add_transaction(
121 DnsQueryCandidate *c,
122 DnsResourceKey *key,
123 DnsPacket *bypass) {
124
125 _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL;
126 int r;
127
128 assert(c);
129 assert(c->query); /* We shan't add transactions to a candidate that has been detached already */
130
131 if (key) {
132 /* Regular lookup with a resource key */
133 assert(!bypass);
134
135 t = dns_scope_find_transaction(c->scope, key, c->query->flags);
136 if (!t) {
137 r = dns_transaction_new(&t, c->scope, key, NULL, c->query->flags);
138 if (r < 0)
139 return r;
140 } else if (set_contains(c->transactions, t))
141 return 0;
142 } else {
143 /* "Bypass" lookup with a query packet */
144 assert(bypass);
145
146 r = dns_transaction_new(&t, c->scope, NULL, bypass, c->query->flags);
147 if (r < 0)
148 return r;
149 }
150
151 r = set_ensure_allocated(&t->notify_query_candidates_done, NULL);
152 if (r < 0)
153 return r;
154
155 r = set_ensure_put(&t->notify_query_candidates, NULL, c);
156 if (r < 0)
157 return r;
158
159 r = set_ensure_put(&c->transactions, NULL, t);
160 if (r < 0) {
161 (void) set_remove(t->notify_query_candidates, c);
162 return r;
163 }
164
165 TAKE_PTR(t);
166 return 1;
167 }
168
169 static int dns_query_candidate_go(DnsQueryCandidate *c) {
170 _unused_ _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL;
171 DnsTransaction *t;
172 int r;
173 unsigned n = 0;
174
175 assert(c);
176
177 /* Let's keep a reference to the query while we're operating */
178 keep_c = dns_query_candidate_ref(c);
179
180 /* Start the transactions that are not started yet */
181 SET_FOREACH(t, c->transactions) {
182 if (t->state != DNS_TRANSACTION_NULL)
183 continue;
184
185 r = dns_transaction_go(t);
186 if (r < 0)
187 return r;
188
189 n++;
190 }
191
192 /* If there was nothing to start, then let's proceed immediately */
193 if (n == 0)
194 dns_query_candidate_notify(c);
195
196 return 0;
197 }
198
199 static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {
200 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
201 DnsTransaction *t;
202
203 assert(c);
204
205 if (c->error_code != 0)
206 return DNS_TRANSACTION_ERRNO;
207
208 SET_FOREACH(t, c->transactions)
209
210 switch (t->state) {
211
212 case DNS_TRANSACTION_NULL:
213 /* If there's a NULL transaction pending, then
214 * this means not all transactions where
215 * started yet, and we were called from within
216 * the stackframe that is supposed to start
217 * remaining transactions. In this case,
218 * simply claim the candidate is pending. */
219
220 case DNS_TRANSACTION_PENDING:
221 case DNS_TRANSACTION_VALIDATING:
222 /* If there's one transaction currently in
223 * VALIDATING state, then this means there's
224 * also one in PENDING state, hence we can
225 * return PENDING immediately. */
226 return DNS_TRANSACTION_PENDING;
227
228 case DNS_TRANSACTION_SUCCESS:
229 state = t->state;
230 break;
231
232 default:
233 if (state != DNS_TRANSACTION_SUCCESS)
234 state = t->state;
235
236 break;
237 }
238
239 return state;
240 }
241
242 static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) {
243 DnsQuestion *question;
244 DnsResourceKey *key;
245 int n = 0, r;
246
247 assert(c);
248 assert(c->query); /* We shan't add transactions to a candidate that has been detached already */
249
250 dns_query_candidate_stop(c);
251
252 if (c->query->question_bypass) {
253 /* If this is a bypass query, then pass the original query packet along to the transaction */
254
255 assert(dns_question_size(c->query->question_bypass->question) == 1);
256
257 if (!dns_scope_good_key(c->scope, dns_question_first_key(c->query->question_bypass->question)))
258 return 0;
259
260 r = dns_query_candidate_add_transaction(c, NULL, c->query->question_bypass);
261 if (r < 0)
262 goto fail;
263
264 return 1;
265 }
266
267 question = dns_query_question_for_protocol(c->query, c->scope->protocol);
268
269 /* Create one transaction per question key */
270 DNS_QUESTION_FOREACH(key, question) {
271 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL;
272 DnsResourceKey *qkey;
273
274 if (c->search_domain) {
275 r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name);
276 if (r < 0)
277 goto fail;
278
279 qkey = new_key;
280 } else
281 qkey = key;
282
283 if (!dns_scope_good_key(c->scope, qkey))
284 continue;
285
286 r = dns_query_candidate_add_transaction(c, qkey, NULL);
287 if (r < 0)
288 goto fail;
289
290 n++;
291 }
292
293 return n;
294
295 fail:
296 dns_query_candidate_stop(c);
297 return r;
298 }
299
300 void dns_query_candidate_notify(DnsQueryCandidate *c) {
301 DnsTransactionState state;
302 int r;
303
304 assert(c);
305
306 if (!c->query) /* This candidate has been abandoned, do nothing. */
307 return;
308
309 state = dns_query_candidate_state(c);
310
311 if (DNS_TRANSACTION_IS_LIVE(state))
312 return;
313
314 if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
315
316 r = dns_query_candidate_next_search_domain(c);
317 if (r < 0)
318 goto fail;
319
320 if (r > 0) {
321 /* OK, there's another search domain to try, let's do so. */
322
323 r = dns_query_candidate_setup_transactions(c);
324 if (r < 0)
325 goto fail;
326
327 if (r > 0) {
328 /* New transactions where queued. Start them and wait */
329
330 r = dns_query_candidate_go(c);
331 if (r < 0)
332 goto fail;
333
334 return;
335 }
336 }
337
338 }
339
340 dns_query_ready(c->query);
341 return;
342
343 fail:
344 c->error_code = log_warning_errno(r, "Failed to follow search domains: %m");
345 dns_query_ready(c->query);
346 }
347
348 static void dns_query_stop(DnsQuery *q) {
349 assert(q);
350
351 event_source_disable(q->timeout_event_source);
352
353 LIST_FOREACH(candidates_by_query, c, q->candidates)
354 dns_query_candidate_stop(c);
355 }
356
357 static void dns_query_unlink_candidates(DnsQuery *q) {
358 assert(q);
359
360 while (q->candidates)
361 /* Here we drop *our* references to each of the candidates. If we had the only reference, the
362 * DnsQueryCandidate object will be freed. */
363 dns_query_candidate_unref(dns_query_candidate_unlink(q->candidates));
364 }
365
366 static void dns_query_reset_answer(DnsQuery *q) {
367 assert(q);
368
369 q->answer = dns_answer_unref(q->answer);
370 q->answer_rcode = 0;
371 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
372 q->answer_errno = 0;
373 q->answer_query_flags = 0;
374 q->answer_protocol = _DNS_PROTOCOL_INVALID;
375 q->answer_family = AF_UNSPEC;
376 q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
377 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
378 }
379
380 DnsQuery *dns_query_free(DnsQuery *q) {
381 if (!q)
382 return NULL;
383
384 q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);
385
386 while (q->auxiliary_queries)
387 dns_query_free(q->auxiliary_queries);
388
389 if (q->auxiliary_for) {
390 assert(q->auxiliary_for->n_auxiliary_queries > 0);
391 q->auxiliary_for->n_auxiliary_queries--;
392 LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q);
393 }
394
395 dns_query_unlink_candidates(q);
396
397 dns_question_unref(q->question_idna);
398 dns_question_unref(q->question_utf8);
399 dns_packet_unref(q->question_bypass);
400
401 dns_query_reset_answer(q);
402
403 sd_bus_message_unref(q->bus_request);
404 sd_bus_track_unref(q->bus_track);
405
406 if (q->varlink_request) {
407 varlink_set_userdata(q->varlink_request, NULL);
408 varlink_unref(q->varlink_request);
409 }
410
411 if (q->request_packet)
412 hashmap_remove_value(q->stub_listener_extra ?
413 q->stub_listener_extra->queries_by_packet :
414 q->manager->stub_queries_by_packet,
415 q->request_packet,
416 q);
417
418 dns_packet_unref(q->request_packet);
419 dns_answer_unref(q->reply_answer);
420 dns_answer_unref(q->reply_authoritative);
421 dns_answer_unref(q->reply_additional);
422
423 if (q->request_stream) {
424 /* Detach the stream from our query, in case something else keeps a reference to it. */
425 (void) set_remove(q->request_stream->queries, q);
426 q->request_stream = dns_stream_unref(q->request_stream);
427 }
428
429 free(q->request_address_string);
430 free(q->request_name);
431
432 if (q->manager) {
433 LIST_REMOVE(queries, q->manager->dns_queries, q);
434 q->manager->n_dns_queries--;
435 }
436
437 return mfree(q);
438 }
439
440 int dns_query_new(
441 Manager *m,
442 DnsQuery **ret,
443 DnsQuestion *question_utf8,
444 DnsQuestion *question_idna,
445 DnsPacket *question_bypass,
446 int ifindex,
447 uint64_t flags) {
448
449 _cleanup_(dns_query_freep) DnsQuery *q = NULL;
450 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
451 DnsResourceKey *key;
452 int r;
453
454 assert(m);
455
456 if (question_bypass) {
457 /* It's either a "bypass" query, or a regular one, but can't be both. */
458 if (question_utf8 || question_idna)
459 return -EINVAL;
460
461 } else {
462 bool good = false;
463
464 /* This (primarily) checks two things:
465 *
466 * 1. That the question is not empty
467 * 2. That all RR keys in the question objects are for the same domain
468 *
469 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
470 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
471
472 if (dns_question_size(question_utf8) > 0) {
473 r = dns_question_is_valid_for_query(question_utf8);
474 if (r < 0)
475 return r;
476 if (r == 0)
477 return -EINVAL;
478
479 good = true;
480 }
481
482 /* If the IDNA and UTF8 questions are the same, merge their references */
483 r = dns_question_is_equal(question_idna, question_utf8);
484 if (r < 0)
485 return r;
486 if (r > 0)
487 question_idna = question_utf8;
488 else {
489 if (dns_question_size(question_idna) > 0) {
490 r = dns_question_is_valid_for_query(question_idna);
491 if (r < 0)
492 return r;
493 if (r == 0)
494 return -EINVAL;
495
496 good = true;
497 }
498 }
499
500 if (!good) /* don't allow empty queries */
501 return -EINVAL;
502 }
503
504 if (m->n_dns_queries >= QUERIES_MAX)
505 return -EBUSY;
506
507 q = new(DnsQuery, 1);
508 if (!q)
509 return -ENOMEM;
510
511 *q = (DnsQuery) {
512 .question_utf8 = dns_question_ref(question_utf8),
513 .question_idna = dns_question_ref(question_idna),
514 .question_bypass = dns_packet_ref(question_bypass),
515 .ifindex = ifindex,
516 .flags = flags,
517 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
518 .answer_protocol = _DNS_PROTOCOL_INVALID,
519 .answer_family = AF_UNSPEC,
520 };
521
522 if (question_bypass) {
523 DNS_QUESTION_FOREACH(key, question_bypass->question)
524 log_debug("Looking up bypass packet for %s.",
525 dns_resource_key_to_string(key, key_str, sizeof key_str));
526 } else {
527 /* First dump UTF8 question */
528 DNS_QUESTION_FOREACH(key, question_utf8)
529 log_debug("Looking up RR for %s.",
530 dns_resource_key_to_string(key, key_str, sizeof key_str));
531
532 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
533 DNS_QUESTION_FOREACH(key, question_idna) {
534 r = dns_question_contains_key(question_utf8, key);
535 if (r < 0)
536 return r;
537 if (r > 0)
538 continue;
539
540 log_debug("Looking up IDNA RR for %s.",
541 dns_resource_key_to_string(key, key_str, sizeof key_str));
542 }
543 }
544
545 LIST_PREPEND(queries, m->dns_queries, q);
546 m->n_dns_queries++;
547 q->manager = m;
548
549 if (ret)
550 *ret = q;
551
552 TAKE_PTR(q);
553 return 0;
554 }
555
556 int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {
557 assert(q);
558 assert(auxiliary_for);
559
560 /* Ensure that the query is not auxiliary yet, and
561 * nothing else is auxiliary to it either */
562 assert(!q->auxiliary_for);
563 assert(!q->auxiliary_queries);
564
565 /* Ensure that the unit we shall be made auxiliary for isn't
566 * auxiliary itself */
567 assert(!auxiliary_for->auxiliary_for);
568
569 if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX)
570 return -EAGAIN;
571
572 LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q);
573 q->auxiliary_for = auxiliary_for;
574
575 auxiliary_for->n_auxiliary_queries++;
576 return 0;
577 }
578
579 void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
580 assert(q);
581 assert(!DNS_TRANSACTION_IS_LIVE(state));
582 assert(DNS_TRANSACTION_IS_LIVE(q->state));
583
584 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
585 * query or transaction after calling this function. */
586
587 q->state = state;
588
589 if (state == DNS_TRANSACTION_SUCCESS && set_size(q->manager->varlink_subscription) > 0) {
590 DnsQuestion *question = q->request_packet ? q->request_packet->question : NULL;
591 const char *query_name = question ? dns_question_first_name(question) : q->request_name;
592 if (query_name)
593 (void) send_dns_notification(q->manager, q->answer, query_name);
594 }
595
596 dns_query_stop(q);
597 if (q->complete)
598 q->complete(q);
599 }
600
601 static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) {
602 DnsQuery *q = ASSERT_PTR(userdata);
603
604 assert(s);
605
606 dns_query_complete(q, DNS_TRANSACTION_TIMEOUT);
607 return 0;
608 }
609
610 static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
611 _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *c = NULL;
612 int r;
613
614 assert(q);
615 assert(s);
616
617 r = dns_query_candidate_new(&c, q, s);
618 if (r < 0)
619 return r;
620
621 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
622 if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) &&
623 dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) {
624 /* OK, we want a search domain now. Let's find one for this scope */
625
626 r = dns_query_candidate_next_search_domain(c);
627 if (r < 0)
628 return r;
629 }
630
631 r = dns_query_candidate_setup_transactions(c);
632 if (r < 0)
633 return r;
634
635 TAKE_PTR(c);
636 return 0;
637 }
638
639 static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
640 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
641 int r;
642
643 assert(q);
644 assert(state);
645
646 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
647 * the normal lookup finished. The data from the network hence takes precedence over the data we
648 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
649
650 if (!IN_SET(*state,
651 DNS_TRANSACTION_RCODE_FAILURE,
652 DNS_TRANSACTION_NO_SERVERS,
653 DNS_TRANSACTION_TIMEOUT,
654 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED,
655 DNS_TRANSACTION_NETWORK_DOWN,
656 DNS_TRANSACTION_NOT_FOUND))
657 return 0;
658
659 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
660 return 0;
661
662 r = dns_synthesize_answer(
663 q->manager,
664 q->question_bypass ? q->question_bypass->question : q->question_utf8,
665 q->ifindex,
666 &answer);
667 if (r == -ENXIO) {
668 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
669
670 dns_query_reset_answer(q);
671 q->answer_rcode = DNS_RCODE_NXDOMAIN;
672 q->answer_protocol = dns_synthesize_protocol(q->flags);
673 q->answer_family = dns_synthesize_family(q->flags);
674 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
675 *state = DNS_TRANSACTION_RCODE_FAILURE;
676
677 return 0;
678 }
679 if (r <= 0)
680 return r;
681
682 dns_query_reset_answer(q);
683
684 q->answer = TAKE_PTR(answer);
685 q->answer_rcode = DNS_RCODE_SUCCESS;
686 q->answer_protocol = dns_synthesize_protocol(q->flags);
687 q->answer_family = dns_synthesize_family(q->flags);
688 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
689
690 *state = DNS_TRANSACTION_SUCCESS;
691
692 return 1;
693 }
694
695 static int dns_query_try_etc_hosts(DnsQuery *q) {
696 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
697 int r;
698
699 assert(q);
700
701 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
702 * done. The data from /etc/hosts hence takes precedence over the network. */
703
704 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
705 return 0;
706
707 r = manager_etc_hosts_lookup(
708 q->manager,
709 q->question_bypass ? q->question_bypass->question : q->question_utf8,
710 &answer);
711 if (r <= 0)
712 return r;
713
714 dns_query_reset_answer(q);
715
716 q->answer = TAKE_PTR(answer);
717 q->answer_rcode = DNS_RCODE_SUCCESS;
718 q->answer_protocol = dns_synthesize_protocol(q->flags);
719 q->answer_family = dns_synthesize_family(q->flags);
720 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
721
722 return 1;
723 }
724
725 int dns_query_go(DnsQuery *q) {
726 DnsScopeMatch found = DNS_SCOPE_NO;
727 DnsScope *first = NULL;
728 int r;
729
730 assert(q);
731
732 if (q->state != DNS_TRANSACTION_NULL)
733 return 0;
734
735 r = dns_query_try_etc_hosts(q);
736 if (r < 0)
737 return r;
738 if (r > 0) {
739 dns_query_complete(q, DNS_TRANSACTION_SUCCESS);
740 return 1;
741 }
742
743 LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
744 DnsScopeMatch match;
745
746 match = dns_scope_good_domain(s, q);
747 assert(match >= 0);
748 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
749 * that matches this well */
750 found = match;
751 first = s;
752 }
753 }
754
755 if (found == DNS_SCOPE_NO) {
756 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
757
758 r = dns_query_synthesize_reply(q, &state);
759 if (r < 0)
760 return r;
761
762 dns_query_complete(q, state);
763 return 1;
764 }
765
766 r = dns_query_add_candidate(q, first);
767 if (r < 0)
768 goto fail;
769
770 LIST_FOREACH(scopes, s, first->scopes_next) {
771 DnsScopeMatch match;
772
773 match = dns_scope_good_domain(s, q);
774 assert(match >= 0);
775 if (match < found)
776 continue;
777
778 r = dns_query_add_candidate(q, s);
779 if (r < 0)
780 goto fail;
781 }
782
783 dns_query_reset_answer(q);
784
785 r = event_reset_time_relative(
786 q->manager->event,
787 &q->timeout_event_source,
788 CLOCK_BOOTTIME,
789 SD_RESOLVED_QUERY_TIMEOUT_USEC,
790 0, on_query_timeout, q,
791 0, "query-timeout", true);
792 if (r < 0)
793 goto fail;
794
795 q->state = DNS_TRANSACTION_PENDING;
796 q->block_ready++;
797
798 /* Start the transactions */
799 LIST_FOREACH(candidates_by_query, c, q->candidates) {
800 r = dns_query_candidate_go(c);
801 if (r < 0) {
802 q->block_ready--;
803 goto fail;
804 }
805 }
806
807 q->block_ready--;
808 dns_query_ready(q);
809
810 return 1;
811
812 fail:
813 dns_query_stop(q);
814 return r;
815 }
816
817 static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
818 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
819 bool has_authenticated = false, has_non_authenticated = false, has_confidential = false, has_non_confidential = false;
820 DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
821 DnsTransaction *t;
822 int r;
823
824 assert(q);
825
826 if (!c) {
827 r = dns_query_synthesize_reply(q, &state);
828 if (r < 0)
829 goto fail;
830
831 dns_query_complete(q, state);
832 return;
833 }
834
835 if (c->error_code != 0) {
836 /* If the candidate had an error condition of its own, start with that. */
837 state = DNS_TRANSACTION_ERRNO;
838 q->answer = dns_answer_unref(q->answer);
839 q->answer_rcode = 0;
840 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
841 q->answer_query_flags = 0;
842 q->answer_errno = c->error_code;
843 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
844 }
845
846 SET_FOREACH(t, c->transactions) {
847
848 switch (t->state) {
849
850 case DNS_TRANSACTION_SUCCESS: {
851 /* We found a successful reply, merge it into the answer */
852
853 if (state == DNS_TRANSACTION_SUCCESS) {
854 r = dns_answer_extend(&q->answer, t->answer);
855 if (r < 0)
856 goto fail;
857
858 q->answer_query_flags |= dns_transaction_source_to_query_flags(t->answer_source);
859 } else {
860 /* Override non-successful previous answers */
861 DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer));
862 q->answer_query_flags = dns_transaction_source_to_query_flags(t->answer_source);
863 }
864
865 q->answer_rcode = t->answer_rcode;
866 q->answer_errno = 0;
867
868 DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received));
869
870 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) {
871 has_authenticated = true;
872 dnssec_result_authenticated = t->answer_dnssec_result;
873 } else {
874 has_non_authenticated = true;
875 dnssec_result_non_authenticated = t->answer_dnssec_result;
876 }
877
878 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
879 has_confidential = true;
880 else
881 has_non_confidential = true;
882
883 state = DNS_TRANSACTION_SUCCESS;
884 break;
885 }
886
887 case DNS_TRANSACTION_NULL:
888 case DNS_TRANSACTION_PENDING:
889 case DNS_TRANSACTION_VALIDATING:
890 case DNS_TRANSACTION_ABORTED:
891 /* Ignore transactions that didn't complete */
892 continue;
893
894 default:
895 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
896 if (state == DNS_TRANSACTION_SUCCESS)
897 continue;
898
899 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
900 if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) &&
901 !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
902 continue;
903
904 DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer));
905 q->answer_rcode = t->answer_rcode;
906 q->answer_dnssec_result = t->answer_dnssec_result;
907 q->answer_query_flags = t->answer_query_flags | dns_transaction_source_to_query_flags(t->answer_source);
908 q->answer_errno = t->answer_errno;
909 DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received));
910
911 state = t->state;
912 break;
913 }
914 }
915
916 if (state == DNS_TRANSACTION_SUCCESS) {
917 SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated);
918 SET_FLAG(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, has_confidential && !has_non_confidential);
919 q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated;
920 }
921
922 q->answer_protocol = c->scope->protocol;
923 q->answer_family = c->scope->family;
924
925 dns_search_domain_unref(q->answer_search_domain);
926 q->answer_search_domain = dns_search_domain_ref(c->search_domain);
927
928 r = dns_query_synthesize_reply(q, &state);
929 if (r < 0)
930 goto fail;
931
932 dns_query_complete(q, state);
933 return;
934
935 fail:
936 q->answer_errno = -r;
937 dns_query_complete(q, DNS_TRANSACTION_ERRNO);
938 }
939
940 void dns_query_ready(DnsQuery *q) {
941 DnsQueryCandidate *bad = NULL;
942 bool pending = false;
943
944 assert(q);
945 assert(DNS_TRANSACTION_IS_LIVE(q->state));
946
947 /* Note that this call might invalidate the query. Callers
948 * should hence not attempt to access the query or transaction
949 * after calling this function, unless the block_ready
950 * counter was explicitly bumped before doing so. */
951
952 if (q->block_ready > 0)
953 return;
954
955 LIST_FOREACH(candidates_by_query, c, q->candidates) {
956 DnsTransactionState state;
957
958 state = dns_query_candidate_state(c);
959 switch (state) {
960
961 case DNS_TRANSACTION_SUCCESS:
962 /* One of the candidates is successful,
963 * let's use it, and copy its data out */
964 dns_query_accept(q, c);
965 return;
966
967 case DNS_TRANSACTION_NULL:
968 case DNS_TRANSACTION_PENDING:
969 case DNS_TRANSACTION_VALIDATING:
970 /* One of the candidates is still going on,
971 * let's maybe wait for it */
972 pending = true;
973 break;
974
975 default:
976 /* Any kind of failure */
977 bad = c;
978 break;
979 }
980 }
981
982 if (pending)
983 return;
984
985 dns_query_accept(q, bad);
986 }
987
988 static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) {
989 _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL;
990 int r, k;
991
992 assert(q);
993
994 if (q->n_cname_redirects >= CNAME_REDIRECTS_MAX)
995 return -ELOOP;
996 q->n_cname_redirects++;
997
998 r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
999 if (r < 0)
1000 return r;
1001 if (r > 0)
1002 log_debug("Following CNAME/DNAME %s %s %s.",
1003 dns_question_first_name(q->question_idna),
1004 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
1005 dns_question_first_name(nq_idna));
1006
1007 k = dns_question_is_equal(q->question_idna, q->question_utf8);
1008 if (k < 0)
1009 return k;
1010 if (k > 0) {
1011 /* Same question? Shortcut new question generation */
1012 nq_utf8 = dns_question_ref(nq_idna);
1013 k = r;
1014 } else {
1015 k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8);
1016 if (k < 0)
1017 return k;
1018 if (k > 0)
1019 log_debug("Following UTF8 CNAME/DNAME %s %s %s.",
1020 dns_question_first_name(q->question_utf8),
1021 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
1022 dns_question_first_name(nq_utf8));
1023 }
1024
1025 if (r == 0 && k == 0) /* No actual cname happened? */
1026 return -ELOOP;
1027
1028 if (q->answer_protocol == DNS_PROTOCOL_DNS)
1029 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1030 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1031 * ones. */
1032 q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
1033
1034 /* Turn off searching for the new name */
1035 q->flags |= SD_RESOLVED_NO_SEARCH;
1036
1037 dns_question_unref(q->question_idna);
1038 q->question_idna = TAKE_PTR(nq_idna);
1039
1040 dns_question_unref(q->question_utf8);
1041 q->question_utf8 = TAKE_PTR(nq_utf8);
1042
1043 dns_query_unlink_candidates(q);
1044
1045 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1046 * include everything we need, let's check that first */
1047
1048 q->state = DNS_TRANSACTION_NULL;
1049
1050 return 0;
1051 }
1052
1053 int dns_query_process_cname_one(DnsQuery *q) {
1054 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL;
1055 DnsQuestion *question;
1056 DnsResourceRecord *rr;
1057 bool full_match = true;
1058 DnsResourceKey *k;
1059 int r;
1060
1061 assert(q);
1062
1063 /* Processes a CNAME redirect if there's one. Returns one of three values:
1064 *
1065 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1066 * bother with any CNAME/DNAME stuff)
1067 *
1068 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1069 * restart query or take things as NODATA reply.
1070 *
1071 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1072 *
1073 * The function might also return a failure, in particular -ELOOP if we encountered too many
1074 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1075 *
1076 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1077 * case of CNAME_QUERY_CNAME, though. */
1078
1079 if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL))
1080 return DNS_QUERY_NOMATCH;
1081
1082 question = dns_query_question_for_protocol(q, q->answer_protocol);
1083
1084 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1085 * record type. Specifically, when we do an address lookup the question will typically consist of one
1086 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1087 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1088 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1089 * type.
1090 *
1091 * Hence we first check of the answers we collected are sufficient to answer all our questions
1092 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1093 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
1094 * the AAAA query. */
1095
1096 DNS_QUESTION_FOREACH(k, question) {
1097 bool match = false;
1098
1099 DNS_ANSWER_FOREACH(rr, q->answer) {
1100 r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
1101 if (r < 0)
1102 return r;
1103 if (r > 0) {
1104 match = true; /* Yay, we found an RR that matches the key we are looking for */
1105 break;
1106 }
1107 }
1108
1109 if (!match) {
1110 /* Hmm. :-( there's no response for this key. This doesn't match. */
1111 full_match = false;
1112 break;
1113 }
1114 }
1115
1116 if (full_match)
1117 return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1118
1119 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1120 * matches any of our questions. */
1121 DNS_ANSWER_FOREACH(rr, q->answer) {
1122 r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
1123 if (r < 0)
1124 return r;
1125 if (r > 0 && !cname)
1126 cname = dns_resource_record_ref(rr);
1127 }
1128
1129 if (!cname)
1130 return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */
1131
1132 if (q->flags & SD_RESOLVED_NO_CNAME)
1133 return -ELOOP;
1134
1135 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
1136 q->previous_redirect_unauthenticated = true;
1137 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
1138 q->previous_redirect_non_confidential = true;
1139 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_SYNTHETIC))
1140 q->previous_redirect_non_synthetic = true;
1141
1142 /* OK, let's actually follow the CNAME */
1143 r = dns_query_cname_redirect(q, cname);
1144 if (r < 0)
1145 return r;
1146
1147 return DNS_QUERY_CNAME; /* Tell caller that we did a single CNAME/DNAME redirection step */
1148 }
1149
1150 int dns_query_process_cname_many(DnsQuery *q) {
1151 int r;
1152
1153 assert(q);
1154
1155 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1156 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1157 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1158 * but with extended semantics. Specifically:
1159 *
1160 * DNS_QUERY_MATCH → as above
1161 *
1162 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1163 * message, and thus restarted the query to resolve it.
1164 *
1165 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1166 * CNAME/DNAME match. i.e. this is a NODATA case.
1167 *
1168 * Note that this function will restart the query for the caller if needed, and that's the case
1169 * DNS_QUERY_CNAME is returned.
1170 */
1171
1172 r = dns_query_process_cname_one(q);
1173 if (r != DNS_QUERY_CNAME)
1174 return r; /* The first redirect is special: if it doesn't answer the question that's no
1175 * reason to restart the query, we just accept this as a NODATA answer. */
1176
1177 for (;;) {
1178 r = dns_query_process_cname_one(q);
1179 if (r < 0 || r == DNS_QUERY_MATCH)
1180 return r;
1181 if (r == DNS_QUERY_NOMATCH) {
1182 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1183 * this. Let's restart the query hence, with the new question. Why the different
1184 * handling than the first chain element? Because if the server answers a direct
1185 * question with an empty answer then this is a NODATA response. But if it responds
1186 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1187 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1188 * chain. This is particular relevant since our cache will store CNAME/DNAME
1189 * redirects that we learnt about for lookups of certain DNS types, but later on we
1190 * can reuse this data even for other DNS types, but in that case need to follow up
1191 * with the final lookup of the chain ourselves with the RR type we ourselves are
1192 * interested in. */
1193 r = dns_query_go(q);
1194 if (r < 0)
1195 return r;
1196
1197 return DNS_QUERY_CNAME;
1198 }
1199
1200 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1201 * continue going then. */
1202 assert(r == DNS_QUERY_CNAME);
1203 }
1204 }
1205
1206 DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) {
1207 assert(q);
1208
1209 if (q->question_bypass)
1210 return q->question_bypass->question;
1211
1212 switch (protocol) {
1213
1214 case DNS_PROTOCOL_DNS:
1215 return q->question_idna;
1216
1217 case DNS_PROTOCOL_MDNS:
1218 case DNS_PROTOCOL_LLMNR:
1219 return q->question_utf8;
1220
1221 default:
1222 return NULL;
1223 }
1224 }
1225
1226 const char *dns_query_string(DnsQuery *q) {
1227 const char *name;
1228 int r;
1229
1230 /* Returns a somewhat useful human-readable lookup key string for this query */
1231
1232 if (q->question_bypass)
1233 return dns_question_first_name(q->question_bypass->question);
1234
1235 if (q->request_address_string)
1236 return q->request_address_string;
1237
1238 if (q->request_address_valid) {
1239 r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string);
1240 if (r >= 0)
1241 return q->request_address_string;
1242 }
1243
1244 name = dns_question_first_name(q->question_utf8);
1245 if (name)
1246 return name;
1247
1248 return dns_question_first_name(q->question_idna);
1249 }
1250
1251 bool dns_query_fully_authenticated(DnsQuery *q) {
1252 assert(q);
1253
1254 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated;
1255 }
1256
1257 bool dns_query_fully_confidential(DnsQuery *q) {
1258 assert(q);
1259
1260 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
1261 }
1262
1263 bool dns_query_fully_authoritative(DnsQuery *q) {
1264 assert(q);
1265
1266 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1267 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
1268 * previous synthetic DNAME/CNAME redirections.) */
1269 if ((q->answer_query_flags & SD_RESOLVED_SYNTHETIC) && !q->previous_redirect_non_synthetic)
1270 return true;
1271
1272 /* We are also authoritative for everything coming only from the trust anchor and the local
1273 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
1274 * explicitly check previous redirects here.) */
1275 return (q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~(SD_RESOLVED_FROM_TRUST_ANCHOR | SD_RESOLVED_FROM_ZONE)) == 0;
1276 }
Unnamed repository; edit this file 'description' to name the repository.