1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "alloc-util.h"
4 #include "dns-domain.h"
6 #include "event-util.h"
7 #include "glyph-util.h"
8 #include "hostname-util.h"
9 #include "local-addresses.h"
10 #include "resolved-dns-query.h"
11 #include "resolved-dns-synthesize.h"
12 #include "resolved-etc-hosts.h"
13 #include "string-util.h"
15 #define QUERIES_MAX 2048
16 #define AUXILIARY_QUERIES_MAX 64
17 #define CNAME_REDIRECTS_MAX 16
19 assert_cc(AUXILIARY_QUERIES_MAX
< UINT8_MAX
);
20 assert_cc(CNAME_REDIRECTS_MAX
< UINT8_MAX
);
22 static int dns_query_candidate_new(DnsQueryCandidate
**ret
, DnsQuery
*q
, DnsScope
*s
) {
29 c
= new(DnsQueryCandidate
, 1);
33 *c
= (DnsQueryCandidate
) {
39 LIST_PREPEND(candidates_by_query
, q
->candidates
, c
);
40 LIST_PREPEND(candidates_by_scope
, s
->query_candidates
, c
);
46 static void dns_query_candidate_stop(DnsQueryCandidate
*c
) {
51 /* Detach all the DnsTransactions attached to this query */
53 while ((t
= set_steal_first(c
->transactions
))) {
54 set_remove(t
->notify_query_candidates
, c
);
55 set_remove(t
->notify_query_candidates_done
, c
);
56 dns_transaction_gc(t
);
60 static DnsQueryCandidate
* dns_query_candidate_unlink(DnsQueryCandidate
*c
) {
63 /* Detach this DnsQueryCandidate from the Query and Scope objects */
66 LIST_REMOVE(candidates_by_query
, c
->query
->candidates
, c
);
71 LIST_REMOVE(candidates_by_scope
, c
->scope
->query_candidates
, c
);
78 static DnsQueryCandidate
* dns_query_candidate_free(DnsQueryCandidate
*c
) {
82 dns_query_candidate_stop(c
);
83 dns_query_candidate_unlink(c
);
85 set_free(c
->transactions
);
86 dns_search_domain_unref(c
->search_domain
);
91 DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate
, dns_query_candidate
, dns_query_candidate_free
);
93 static int dns_query_candidate_next_search_domain(DnsQueryCandidate
*c
) {
94 DnsSearchDomain
*next
;
98 if (c
->search_domain
&& c
->search_domain
->linked
)
99 next
= c
->search_domain
->domains_next
;
101 next
= dns_scope_get_search_domains(c
->scope
);
104 if (!next
) /* We hit the end of the list */
107 if (!next
->route_only
)
110 /* Skip over route-only domains */
111 next
= next
->domains_next
;
114 dns_search_domain_unref(c
->search_domain
);
115 c
->search_domain
= dns_search_domain_ref(next
);
120 static int dns_query_candidate_add_transaction(
121 DnsQueryCandidate
*c
,
125 _cleanup_(dns_transaction_gcp
) DnsTransaction
*t
= NULL
;
129 assert(c
->query
); /* We shan't add transactions to a candidate that has been detached already */
132 /* Regular lookup with a resource key */
135 t
= dns_scope_find_transaction(c
->scope
, key
, c
->query
->flags
);
137 r
= dns_transaction_new(&t
, c
->scope
, key
, NULL
, c
->query
->flags
);
140 } else if (set_contains(c
->transactions
, t
))
143 /* "Bypass" lookup with a query packet */
146 r
= dns_transaction_new(&t
, c
->scope
, NULL
, bypass
, c
->query
->flags
);
151 r
= set_ensure_allocated(&t
->notify_query_candidates_done
, NULL
);
155 r
= set_ensure_put(&t
->notify_query_candidates
, NULL
, c
);
159 r
= set_ensure_put(&c
->transactions
, NULL
, t
);
161 (void) set_remove(t
->notify_query_candidates
, c
);
169 static int dns_query_candidate_go(DnsQueryCandidate
*c
) {
170 _unused_
_cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*keep_c
= NULL
;
177 /* Let's keep a reference to the query while we're operating */
178 keep_c
= dns_query_candidate_ref(c
);
180 /* Start the transactions that are not started yet */
181 SET_FOREACH(t
, c
->transactions
) {
182 if (t
->state
!= DNS_TRANSACTION_NULL
)
185 r
= dns_transaction_go(t
);
192 /* If there was nothing to start, then let's proceed immediately */
194 dns_query_candidate_notify(c
);
199 static DnsTransactionState
dns_query_candidate_state(DnsQueryCandidate
*c
) {
200 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
205 if (c
->error_code
!= 0)
206 return DNS_TRANSACTION_ERRNO
;
208 SET_FOREACH(t
, c
->transactions
)
212 case DNS_TRANSACTION_NULL
:
213 /* If there's a NULL transaction pending, then
214 * this means not all transactions where
215 * started yet, and we were called from within
216 * the stackframe that is supposed to start
217 * remaining transactions. In this case,
218 * simply claim the candidate is pending. */
220 case DNS_TRANSACTION_PENDING
:
221 case DNS_TRANSACTION_VALIDATING
:
222 /* If there's one transaction currently in
223 * VALIDATING state, then this means there's
224 * also one in PENDING state, hence we can
225 * return PENDING immediately. */
226 return DNS_TRANSACTION_PENDING
;
228 case DNS_TRANSACTION_SUCCESS
:
233 if (state
!= DNS_TRANSACTION_SUCCESS
)
242 static int dns_query_candidate_setup_transactions(DnsQueryCandidate
*c
) {
243 DnsQuestion
*question
;
248 assert(c
->query
); /* We shan't add transactions to a candidate that has been detached already */
250 dns_query_candidate_stop(c
);
252 if (c
->query
->question_bypass
) {
253 /* If this is a bypass query, then pass the original query packet along to the transaction */
255 assert(dns_question_size(c
->query
->question_bypass
->question
) == 1);
257 if (!dns_scope_good_key(c
->scope
, dns_question_first_key(c
->query
->question_bypass
->question
)))
260 r
= dns_query_candidate_add_transaction(c
, NULL
, c
->query
->question_bypass
);
267 question
= dns_query_question_for_protocol(c
->query
, c
->scope
->protocol
);
269 /* Create one transaction per question key */
270 DNS_QUESTION_FOREACH(key
, question
) {
271 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*new_key
= NULL
;
272 DnsResourceKey
*qkey
;
274 if (c
->search_domain
) {
275 r
= dns_resource_key_new_append_suffix(&new_key
, key
, c
->search_domain
->name
);
283 if (!dns_scope_good_key(c
->scope
, qkey
))
286 r
= dns_query_candidate_add_transaction(c
, qkey
, NULL
);
296 dns_query_candidate_stop(c
);
300 void dns_query_candidate_notify(DnsQueryCandidate
*c
) {
301 DnsTransactionState state
;
306 if (!c
->query
) /* This candidate has been abandoned, do nothing. */
309 state
= dns_query_candidate_state(c
);
311 if (DNS_TRANSACTION_IS_LIVE(state
))
314 if (state
!= DNS_TRANSACTION_SUCCESS
&& c
->search_domain
) {
316 r
= dns_query_candidate_next_search_domain(c
);
321 /* OK, there's another search domain to try, let's do so. */
323 r
= dns_query_candidate_setup_transactions(c
);
328 /* New transactions where queued. Start them and wait */
330 r
= dns_query_candidate_go(c
);
340 dns_query_ready(c
->query
);
344 c
->error_code
= log_warning_errno(r
, "Failed to follow search domains: %m");
345 dns_query_ready(c
->query
);
348 static void dns_query_stop(DnsQuery
*q
) {
351 event_source_disable(q
->timeout_event_source
);
353 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
)
354 dns_query_candidate_stop(c
);
357 static void dns_query_unlink_candidates(DnsQuery
*q
) {
360 while (q
->candidates
)
361 /* Here we drop *our* references to each of the candidates. If we had the only reference, the
362 * DnsQueryCandidate object will be freed. */
363 dns_query_candidate_unref(dns_query_candidate_unlink(q
->candidates
));
366 static void dns_query_reset_answer(DnsQuery
*q
) {
369 q
->answer
= dns_answer_unref(q
->answer
);
371 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
373 q
->answer_query_flags
= 0;
374 q
->answer_protocol
= _DNS_PROTOCOL_INVALID
;
375 q
->answer_family
= AF_UNSPEC
;
376 q
->answer_search_domain
= dns_search_domain_unref(q
->answer_search_domain
);
377 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
380 DnsQuery
*dns_query_free(DnsQuery
*q
) {
384 q
->timeout_event_source
= sd_event_source_disable_unref(q
->timeout_event_source
);
386 while (q
->auxiliary_queries
)
387 dns_query_free(q
->auxiliary_queries
);
389 if (q
->auxiliary_for
) {
390 assert(q
->auxiliary_for
->n_auxiliary_queries
> 0);
391 q
->auxiliary_for
->n_auxiliary_queries
--;
392 LIST_REMOVE(auxiliary_queries
, q
->auxiliary_for
->auxiliary_queries
, q
);
395 dns_query_unlink_candidates(q
);
397 dns_question_unref(q
->question_idna
);
398 dns_question_unref(q
->question_utf8
);
399 dns_packet_unref(q
->question_bypass
);
401 dns_query_reset_answer(q
);
403 sd_bus_message_unref(q
->bus_request
);
404 sd_bus_track_unref(q
->bus_track
);
406 if (q
->varlink_request
) {
407 varlink_set_userdata(q
->varlink_request
, NULL
);
408 varlink_unref(q
->varlink_request
);
411 if (q
->request_packet
)
412 hashmap_remove_value(q
->stub_listener_extra
?
413 q
->stub_listener_extra
->queries_by_packet
:
414 q
->manager
->stub_queries_by_packet
,
418 dns_packet_unref(q
->request_packet
);
419 dns_answer_unref(q
->reply_answer
);
420 dns_answer_unref(q
->reply_authoritative
);
421 dns_answer_unref(q
->reply_additional
);
423 if (q
->request_stream
) {
424 /* Detach the stream from our query, in case something else keeps a reference to it. */
425 (void) set_remove(q
->request_stream
->queries
, q
);
426 q
->request_stream
= dns_stream_unref(q
->request_stream
);
429 free(q
->request_address_string
);
430 free(q
->request_name
);
433 LIST_REMOVE(queries
, q
->manager
->dns_queries
, q
);
434 q
->manager
->n_dns_queries
--;
443 DnsQuestion
*question_utf8
,
444 DnsQuestion
*question_idna
,
445 DnsPacket
*question_bypass
,
449 _cleanup_(dns_query_freep
) DnsQuery
*q
= NULL
;
450 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
456 if (question_bypass
) {
457 /* It's either a "bypass" query, or a regular one, but can't be both. */
458 if (question_utf8
|| question_idna
)
464 /* This (primarily) checks two things:
466 * 1. That the question is not empty
467 * 2. That all RR keys in the question objects are for the same domain
469 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
470 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
472 if (dns_question_size(question_utf8
) > 0) {
473 r
= dns_question_is_valid_for_query(question_utf8
);
482 /* If the IDNA and UTF8 questions are the same, merge their references */
483 r
= dns_question_is_equal(question_idna
, question_utf8
);
487 question_idna
= question_utf8
;
489 if (dns_question_size(question_idna
) > 0) {
490 r
= dns_question_is_valid_for_query(question_idna
);
500 if (!good
) /* don't allow empty queries */
504 if (m
->n_dns_queries
>= QUERIES_MAX
)
507 q
= new(DnsQuery
, 1);
512 .question_utf8
= dns_question_ref(question_utf8
),
513 .question_idna
= dns_question_ref(question_idna
),
514 .question_bypass
= dns_packet_ref(question_bypass
),
517 .answer_dnssec_result
= _DNSSEC_RESULT_INVALID
,
518 .answer_protocol
= _DNS_PROTOCOL_INVALID
,
519 .answer_family
= AF_UNSPEC
,
522 if (question_bypass
) {
523 DNS_QUESTION_FOREACH(key
, question_bypass
->question
)
524 log_debug("Looking up bypass packet for %s.",
525 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
527 /* First dump UTF8 question */
528 DNS_QUESTION_FOREACH(key
, question_utf8
)
529 log_debug("Looking up RR for %s.",
530 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
532 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
533 DNS_QUESTION_FOREACH(key
, question_idna
) {
534 r
= dns_question_contains_key(question_utf8
, key
);
540 log_debug("Looking up IDNA RR for %s.",
541 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
545 LIST_PREPEND(queries
, m
->dns_queries
, q
);
556 int dns_query_make_auxiliary(DnsQuery
*q
, DnsQuery
*auxiliary_for
) {
558 assert(auxiliary_for
);
560 /* Ensure that the query is not auxiliary yet, and
561 * nothing else is auxiliary to it either */
562 assert(!q
->auxiliary_for
);
563 assert(!q
->auxiliary_queries
);
565 /* Ensure that the unit we shall be made auxiliary for isn't
566 * auxiliary itself */
567 assert(!auxiliary_for
->auxiliary_for
);
569 if (auxiliary_for
->n_auxiliary_queries
>= AUXILIARY_QUERIES_MAX
)
572 LIST_PREPEND(auxiliary_queries
, auxiliary_for
->auxiliary_queries
, q
);
573 q
->auxiliary_for
= auxiliary_for
;
575 auxiliary_for
->n_auxiliary_queries
++;
579 void dns_query_complete(DnsQuery
*q
, DnsTransactionState state
) {
581 assert(!DNS_TRANSACTION_IS_LIVE(state
));
582 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
584 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
585 * query or transaction after calling this function. */
589 if (state
== DNS_TRANSACTION_SUCCESS
&& set_size(q
->manager
->varlink_subscription
) > 0) {
590 DnsQuestion
*question
= q
->request_packet
? q
->request_packet
->question
: NULL
;
591 const char *query_name
= question
? dns_question_first_name(question
) : q
->request_name
;
593 (void) send_dns_notification(q
->manager
, q
->answer
, query_name
);
601 static int on_query_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
602 DnsQuery
*q
= ASSERT_PTR(userdata
);
606 dns_query_complete(q
, DNS_TRANSACTION_TIMEOUT
);
610 static int dns_query_add_candidate(DnsQuery
*q
, DnsScope
*s
) {
611 _cleanup_(dns_query_candidate_unrefp
) DnsQueryCandidate
*c
= NULL
;
617 r
= dns_query_candidate_new(&c
, q
, s
);
621 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
622 if (!FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SEARCH
) &&
623 dns_scope_name_wants_search_domain(s
, dns_question_first_name(q
->question_idna
))) {
624 /* OK, we want a search domain now. Let's find one for this scope */
626 r
= dns_query_candidate_next_search_domain(c
);
631 r
= dns_query_candidate_setup_transactions(c
);
639 static int dns_query_synthesize_reply(DnsQuery
*q
, DnsTransactionState
*state
) {
640 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
646 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
647 * the normal lookup finished. The data from the network hence takes precedence over the data we
648 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
651 DNS_TRANSACTION_RCODE_FAILURE
,
652 DNS_TRANSACTION_NO_SERVERS
,
653 DNS_TRANSACTION_TIMEOUT
,
654 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
,
655 DNS_TRANSACTION_NETWORK_DOWN
,
656 DNS_TRANSACTION_NOT_FOUND
))
659 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
662 r
= dns_synthesize_answer(
664 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
668 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
670 dns_query_reset_answer(q
);
671 q
->answer_rcode
= DNS_RCODE_NXDOMAIN
;
672 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
673 q
->answer_family
= dns_synthesize_family(q
->flags
);
674 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
675 *state
= DNS_TRANSACTION_RCODE_FAILURE
;
682 dns_query_reset_answer(q
);
684 q
->answer
= TAKE_PTR(answer
);
685 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
686 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
687 q
->answer_family
= dns_synthesize_family(q
->flags
);
688 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
690 *state
= DNS_TRANSACTION_SUCCESS
;
695 static int dns_query_try_etc_hosts(DnsQuery
*q
) {
696 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
701 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
702 * done. The data from /etc/hosts hence takes precedence over the network. */
704 if (FLAGS_SET(q
->flags
, SD_RESOLVED_NO_SYNTHESIZE
))
707 r
= manager_etc_hosts_lookup(
709 q
->question_bypass
? q
->question_bypass
->question
: q
->question_utf8
,
714 dns_query_reset_answer(q
);
716 q
->answer
= TAKE_PTR(answer
);
717 q
->answer_rcode
= DNS_RCODE_SUCCESS
;
718 q
->answer_protocol
= dns_synthesize_protocol(q
->flags
);
719 q
->answer_family
= dns_synthesize_family(q
->flags
);
720 q
->answer_query_flags
= SD_RESOLVED_AUTHENTICATED
|SD_RESOLVED_CONFIDENTIAL
|SD_RESOLVED_SYNTHETIC
;
725 int dns_query_go(DnsQuery
*q
) {
726 DnsScopeMatch found
= DNS_SCOPE_NO
;
727 DnsScope
*first
= NULL
;
732 if (q
->state
!= DNS_TRANSACTION_NULL
)
735 r
= dns_query_try_etc_hosts(q
);
739 dns_query_complete(q
, DNS_TRANSACTION_SUCCESS
);
743 LIST_FOREACH(scopes
, s
, q
->manager
->dns_scopes
) {
746 match
= dns_scope_good_domain(s
, q
);
748 if (match
> found
) { /* Does this match better? If so, remember how well it matched, and the first one
749 * that matches this well */
755 if (found
== DNS_SCOPE_NO
) {
756 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
758 r
= dns_query_synthesize_reply(q
, &state
);
762 dns_query_complete(q
, state
);
766 r
= dns_query_add_candidate(q
, first
);
770 LIST_FOREACH(scopes
, s
, first
->scopes_next
) {
773 match
= dns_scope_good_domain(s
, q
);
778 r
= dns_query_add_candidate(q
, s
);
783 dns_query_reset_answer(q
);
785 r
= event_reset_time_relative(
787 &q
->timeout_event_source
,
789 SD_RESOLVED_QUERY_TIMEOUT_USEC
,
790 0, on_query_timeout
, q
,
791 0, "query-timeout", true);
795 q
->state
= DNS_TRANSACTION_PENDING
;
798 /* Start the transactions */
799 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
800 r
= dns_query_candidate_go(c
);
817 static void dns_query_accept(DnsQuery
*q
, DnsQueryCandidate
*c
) {
818 DnsTransactionState state
= DNS_TRANSACTION_NO_SERVERS
;
819 bool has_authenticated
= false, has_non_authenticated
= false, has_confidential
= false, has_non_confidential
= false;
820 DnssecResult dnssec_result_authenticated
= _DNSSEC_RESULT_INVALID
, dnssec_result_non_authenticated
= _DNSSEC_RESULT_INVALID
;
827 r
= dns_query_synthesize_reply(q
, &state
);
831 dns_query_complete(q
, state
);
835 if (c
->error_code
!= 0) {
836 /* If the candidate had an error condition of its own, start with that. */
837 state
= DNS_TRANSACTION_ERRNO
;
838 q
->answer
= dns_answer_unref(q
->answer
);
840 q
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
841 q
->answer_query_flags
= 0;
842 q
->answer_errno
= c
->error_code
;
843 q
->answer_full_packet
= dns_packet_unref(q
->answer_full_packet
);
846 SET_FOREACH(t
, c
->transactions
) {
850 case DNS_TRANSACTION_SUCCESS
: {
851 /* We found a successful reply, merge it into the answer */
853 if (state
== DNS_TRANSACTION_SUCCESS
) {
854 r
= dns_answer_extend(&q
->answer
, t
->answer
);
858 q
->answer_query_flags
|= dns_transaction_source_to_query_flags(t
->answer_source
);
860 /* Override non-successful previous answers */
861 DNS_ANSWER_REPLACE(q
->answer
, dns_answer_ref(t
->answer
));
862 q
->answer_query_flags
= dns_transaction_source_to_query_flags(t
->answer_source
);
865 q
->answer_rcode
= t
->answer_rcode
;
868 DNS_PACKET_REPLACE(q
->answer_full_packet
, dns_packet_ref(t
->received
));
870 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
)) {
871 has_authenticated
= true;
872 dnssec_result_authenticated
= t
->answer_dnssec_result
;
874 has_non_authenticated
= true;
875 dnssec_result_non_authenticated
= t
->answer_dnssec_result
;
878 if (FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
879 has_confidential
= true;
881 has_non_confidential
= true;
883 state
= DNS_TRANSACTION_SUCCESS
;
887 case DNS_TRANSACTION_NULL
:
888 case DNS_TRANSACTION_PENDING
:
889 case DNS_TRANSACTION_VALIDATING
:
890 case DNS_TRANSACTION_ABORTED
:
891 /* Ignore transactions that didn't complete */
895 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
896 if (state
== DNS_TRANSACTION_SUCCESS
)
899 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
900 if (FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) &&
901 !FLAGS_SET(t
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
904 DNS_ANSWER_REPLACE(q
->answer
, dns_answer_ref(t
->answer
));
905 q
->answer_rcode
= t
->answer_rcode
;
906 q
->answer_dnssec_result
= t
->answer_dnssec_result
;
907 q
->answer_query_flags
= t
->answer_query_flags
| dns_transaction_source_to_query_flags(t
->answer_source
);
908 q
->answer_errno
= t
->answer_errno
;
909 DNS_PACKET_REPLACE(q
->answer_full_packet
, dns_packet_ref(t
->received
));
916 if (state
== DNS_TRANSACTION_SUCCESS
) {
917 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
, has_authenticated
&& !has_non_authenticated
);
918 SET_FLAG(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
, has_confidential
&& !has_non_confidential
);
919 q
->answer_dnssec_result
= FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) ? dnssec_result_authenticated
: dnssec_result_non_authenticated
;
922 q
->answer_protocol
= c
->scope
->protocol
;
923 q
->answer_family
= c
->scope
->family
;
925 dns_search_domain_unref(q
->answer_search_domain
);
926 q
->answer_search_domain
= dns_search_domain_ref(c
->search_domain
);
928 r
= dns_query_synthesize_reply(q
, &state
);
932 dns_query_complete(q
, state
);
936 q
->answer_errno
= -r
;
937 dns_query_complete(q
, DNS_TRANSACTION_ERRNO
);
940 void dns_query_ready(DnsQuery
*q
) {
941 DnsQueryCandidate
*bad
= NULL
;
942 bool pending
= false;
945 assert(DNS_TRANSACTION_IS_LIVE(q
->state
));
947 /* Note that this call might invalidate the query. Callers
948 * should hence not attempt to access the query or transaction
949 * after calling this function, unless the block_ready
950 * counter was explicitly bumped before doing so. */
952 if (q
->block_ready
> 0)
955 LIST_FOREACH(candidates_by_query
, c
, q
->candidates
) {
956 DnsTransactionState state
;
958 state
= dns_query_candidate_state(c
);
961 case DNS_TRANSACTION_SUCCESS
:
962 /* One of the candidates is successful,
963 * let's use it, and copy its data out */
964 dns_query_accept(q
, c
);
967 case DNS_TRANSACTION_NULL
:
968 case DNS_TRANSACTION_PENDING
:
969 case DNS_TRANSACTION_VALIDATING
:
970 /* One of the candidates is still going on,
971 * let's maybe wait for it */
976 /* Any kind of failure */
985 dns_query_accept(q
, bad
);
988 static int dns_query_cname_redirect(DnsQuery
*q
, const DnsResourceRecord
*cname
) {
989 _cleanup_(dns_question_unrefp
) DnsQuestion
*nq_idna
= NULL
, *nq_utf8
= NULL
;
994 if (q
->n_cname_redirects
>= CNAME_REDIRECTS_MAX
)
996 q
->n_cname_redirects
++;
998 r
= dns_question_cname_redirect(q
->question_idna
, cname
, &nq_idna
);
1002 log_debug("Following CNAME/DNAME %s %s %s.",
1003 dns_question_first_name(q
->question_idna
),
1004 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT
),
1005 dns_question_first_name(nq_idna
));
1007 k
= dns_question_is_equal(q
->question_idna
, q
->question_utf8
);
1011 /* Same question? Shortcut new question generation */
1012 nq_utf8
= dns_question_ref(nq_idna
);
1015 k
= dns_question_cname_redirect(q
->question_utf8
, cname
, &nq_utf8
);
1019 log_debug("Following UTF8 CNAME/DNAME %s %s %s.",
1020 dns_question_first_name(q
->question_utf8
),
1021 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT
),
1022 dns_question_first_name(nq_utf8
));
1025 if (r
== 0 && k
== 0) /* No actual cname happened? */
1028 if (q
->answer_protocol
== DNS_PROTOCOL_DNS
)
1029 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1030 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1032 q
->flags
&= ~(SD_RESOLVED_LLMNR
|SD_RESOLVED_MDNS
); /* mask away the local protocols */
1034 /* Turn off searching for the new name */
1035 q
->flags
|= SD_RESOLVED_NO_SEARCH
;
1037 dns_question_unref(q
->question_idna
);
1038 q
->question_idna
= TAKE_PTR(nq_idna
);
1040 dns_question_unref(q
->question_utf8
);
1041 q
->question_utf8
= TAKE_PTR(nq_utf8
);
1043 dns_query_unlink_candidates(q
);
1045 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1046 * include everything we need, let's check that first */
1048 q
->state
= DNS_TRANSACTION_NULL
;
1053 int dns_query_process_cname_one(DnsQuery
*q
) {
1054 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*cname
= NULL
;
1055 DnsQuestion
*question
;
1056 DnsResourceRecord
*rr
;
1057 bool full_match
= true;
1063 /* Processes a CNAME redirect if there's one. Returns one of three values:
1065 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1066 * bother with any CNAME/DNAME stuff)
1068 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1069 * restart query or take things as NODATA reply.
1071 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1073 * The function might also return a failure, in particular -ELOOP if we encountered too many
1074 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1076 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1077 * case of CNAME_QUERY_CNAME, though. */
1079 if (!IN_SET(q
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_NULL
))
1080 return DNS_QUERY_NOMATCH
;
1082 question
= dns_query_question_for_protocol(q
, q
->answer_protocol
);
1084 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1085 * record type. Specifically, when we do an address lookup the question will typically consist of one
1086 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1087 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1088 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1091 * Hence we first check of the answers we collected are sufficient to answer all our questions
1092 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1093 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
1094 * the AAAA query. */
1096 DNS_QUESTION_FOREACH(k
, question
) {
1099 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1100 r
= dns_resource_key_match_rr(k
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1104 match
= true; /* Yay, we found an RR that matches the key we are looking for */
1110 /* Hmm. :-( there's no response for this key. This doesn't match. */
1117 return DNS_QUERY_MATCH
; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1119 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1120 * matches any of our questions. */
1121 DNS_ANSWER_FOREACH(rr
, q
->answer
) {
1122 r
= dns_question_matches_cname_or_dname(question
, rr
, DNS_SEARCH_DOMAIN_NAME(q
->answer_search_domain
));
1125 if (r
> 0 && !cname
)
1126 cname
= dns_resource_record_ref(rr
);
1130 return DNS_QUERY_NOMATCH
; /* No match and no CNAME/DNAME to follow */
1132 if (q
->flags
& SD_RESOLVED_NO_CNAME
)
1135 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
))
1136 q
->previous_redirect_unauthenticated
= true;
1137 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
))
1138 q
->previous_redirect_non_confidential
= true;
1139 if (!FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_SYNTHETIC
))
1140 q
->previous_redirect_non_synthetic
= true;
1142 /* OK, let's actually follow the CNAME */
1143 r
= dns_query_cname_redirect(q
, cname
);
1147 return DNS_QUERY_CNAME
; /* Tell caller that we did a single CNAME/DNAME redirection step */
1150 int dns_query_process_cname_many(DnsQuery
*q
) {
1155 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1156 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1157 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1158 * but with extended semantics. Specifically:
1160 * DNS_QUERY_MATCH → as above
1162 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1163 * message, and thus restarted the query to resolve it.
1165 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1166 * CNAME/DNAME match. i.e. this is a NODATA case.
1168 * Note that this function will restart the query for the caller if needed, and that's the case
1169 * DNS_QUERY_CNAME is returned.
1172 r
= dns_query_process_cname_one(q
);
1173 if (r
!= DNS_QUERY_CNAME
)
1174 return r
; /* The first redirect is special: if it doesn't answer the question that's no
1175 * reason to restart the query, we just accept this as a NODATA answer. */
1178 r
= dns_query_process_cname_one(q
);
1179 if (r
< 0 || r
== DNS_QUERY_MATCH
)
1181 if (r
== DNS_QUERY_NOMATCH
) {
1182 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1183 * this. Let's restart the query hence, with the new question. Why the different
1184 * handling than the first chain element? Because if the server answers a direct
1185 * question with an empty answer then this is a NODATA response. But if it responds
1186 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1187 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1188 * chain. This is particular relevant since our cache will store CNAME/DNAME
1189 * redirects that we learnt about for lookups of certain DNS types, but later on we
1190 * can reuse this data even for other DNS types, but in that case need to follow up
1191 * with the final lookup of the chain ourselves with the RR type we ourselves are
1193 r
= dns_query_go(q
);
1197 return DNS_QUERY_CNAME
;
1200 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1201 * continue going then. */
1202 assert(r
== DNS_QUERY_CNAME
);
1206 DnsQuestion
* dns_query_question_for_protocol(DnsQuery
*q
, DnsProtocol protocol
) {
1209 if (q
->question_bypass
)
1210 return q
->question_bypass
->question
;
1214 case DNS_PROTOCOL_DNS
:
1215 return q
->question_idna
;
1217 case DNS_PROTOCOL_MDNS
:
1218 case DNS_PROTOCOL_LLMNR
:
1219 return q
->question_utf8
;
1226 const char *dns_query_string(DnsQuery
*q
) {
1230 /* Returns a somewhat useful human-readable lookup key string for this query */
1232 if (q
->question_bypass
)
1233 return dns_question_first_name(q
->question_bypass
->question
);
1235 if (q
->request_address_string
)
1236 return q
->request_address_string
;
1238 if (q
->request_address_valid
) {
1239 r
= in_addr_to_string(q
->request_family
, &q
->request_address
, &q
->request_address_string
);
1241 return q
->request_address_string
;
1244 name
= dns_question_first_name(q
->question_utf8
);
1248 return dns_question_first_name(q
->question_idna
);
1251 bool dns_query_fully_authenticated(DnsQuery
*q
) {
1254 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_AUTHENTICATED
) && !q
->previous_redirect_unauthenticated
;
1257 bool dns_query_fully_confidential(DnsQuery
*q
) {
1260 return FLAGS_SET(q
->answer_query_flags
, SD_RESOLVED_CONFIDENTIAL
) && !q
->previous_redirect_non_confidential
;
1263 bool dns_query_fully_authoritative(DnsQuery
*q
) {
1266 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1267 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
1268 * previous synthetic DNAME/CNAME redirections.) */
1269 if ((q
->answer_query_flags
& SD_RESOLVED_SYNTHETIC
) && !q
->previous_redirect_non_synthetic
)
1272 /* We are also authoritative for everything coming only from the trust anchor and the local
1273 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
1274 * explicitly check previous redirects here.) */
1275 return (q
->answer_query_flags
& SD_RESOLVED_FROM_MASK
& ~(SD_RESOLVED_FROM_TRUST_ANCHOR
| SD_RESOLVED_FROM_ZONE
)) == 0;