1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2014 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <netinet/tcp.h>
24 #include "alloc-util.h"
25 #include "dns-domain.h"
27 #include "hostname-util.h"
29 #include "random-util.h"
30 #include "resolved-dns-scope.h"
31 #include "resolved-llmnr.h"
32 #include "resolved-mdns.h"
33 #include "socket-util.h"
36 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
37 #define MULTICAST_RATELIMIT_BURST 1000
39 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
40 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
41 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
43 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
49 s
= new0(DnsScope
, 1);
55 s
->protocol
= protocol
;
57 s
->resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
;
59 if (protocol
== DNS_PROTOCOL_DNS
) {
60 /* Copy DNSSEC mode from the link if it is set there,
61 * otherwise take the manager's DNSSEC mode. Note that
62 * we copy this only at scope creation time, and do
63 * not update it from the on, even if the setting
67 s
->dnssec_mode
= link_get_dnssec_mode(l
);
69 s
->dnssec_mode
= manager_get_dnssec_mode(m
);
71 s
->dnssec_mode
= DNSSEC_NO
;
73 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
75 dns_scope_llmnr_membership(s
, true);
76 dns_scope_mdns_membership(s
, true);
78 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
80 /* Enforce ratelimiting for the multicast protocols */
81 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
87 static void dns_scope_abort_transactions(DnsScope
*s
) {
90 while (s
->transactions
) {
91 DnsTransaction
*t
= s
->transactions
;
93 /* Abort the transaction, but make sure it is not
94 * freed while we still look at it */
97 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
98 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
101 dns_transaction_free(t
);
105 DnsScope
* dns_scope_free(DnsScope
*s
) {
109 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
111 dns_scope_llmnr_membership(s
, false);
112 dns_scope_mdns_membership(s
, false);
113 dns_scope_abort_transactions(s
);
115 while (s
->query_candidates
)
116 dns_query_candidate_free(s
->query_candidates
);
118 hashmap_free(s
->transactions_by_key
);
120 ordered_hashmap_free_with_destructor(s
->conflict_queue
, dns_resource_record_unref
);
121 sd_event_source_unref(s
->conflict_event_source
);
123 sd_event_source_unref(s
->announce_event_source
);
125 dns_cache_flush(&s
->cache
);
126 dns_zone_flush(&s
->zone
);
128 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
132 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
135 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
139 return link_get_dns_server(s
->link
);
141 return manager_get_dns_server(s
->manager
);
144 void dns_scope_next_dns_server(DnsScope
*s
) {
147 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
151 link_next_dns_server(s
->link
);
153 manager_next_dns_server(s
->manager
);
156 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
159 if (rtt
<= s
->max_rtt
)
163 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
166 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
169 if (s
->resend_timeout
<= usec
)
170 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
173 static int dns_scope_emit_one(DnsScope
*s
, int fd
, DnsPacket
*p
) {
174 union in_addr_union addr
;
181 assert(p
->protocol
== s
->protocol
);
185 ifindex
= s
->link
->ifindex
;
187 mtu
= manager_find_mtu(s
->manager
);
189 switch (s
->protocol
) {
191 case DNS_PROTOCOL_DNS
:
194 if (DNS_PACKET_QDCOUNT(p
) > 1)
197 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
200 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
203 r
= manager_write(s
->manager
, fd
, p
);
209 case DNS_PROTOCOL_LLMNR
:
212 if (DNS_PACKET_QDCOUNT(p
) > 1)
215 if (!ratelimit_test(&s
->ratelimit
))
220 if (family
== AF_INET
) {
221 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
222 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
223 } else if (family
== AF_INET6
) {
224 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
225 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
227 return -EAFNOSUPPORT
;
231 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, LLMNR_PORT
, NULL
, p
);
237 case DNS_PROTOCOL_MDNS
:
240 if (!ratelimit_test(&s
->ratelimit
))
245 if (family
== AF_INET
) {
246 addr
.in
= MDNS_MULTICAST_IPV4_ADDRESS
;
247 fd
= manager_mdns_ipv4_fd(s
->manager
);
248 } else if (family
== AF_INET6
) {
249 addr
.in6
= MDNS_MULTICAST_IPV6_ADDRESS
;
250 fd
= manager_mdns_ipv6_fd(s
->manager
);
252 return -EAFNOSUPPORT
;
256 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, MDNS_PORT
, NULL
, p
);
263 return -EAFNOSUPPORT
;
269 int dns_scope_emit_udp(DnsScope
*s
, int fd
, DnsPacket
*p
) {
274 assert(p
->protocol
== s
->protocol
);
275 assert((s
->protocol
== DNS_PROTOCOL_DNS
) == (fd
>= 0));
278 /* If there are multiple linked packets, set the TC bit in all but the last of them */
280 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
281 dns_packet_set_flags(p
, true, true);
284 r
= dns_scope_emit_one(s
, fd
, p
);
294 static int dns_scope_socket(
298 const union in_addr_union
*address
,
302 _cleanup_close_
int fd
= -1;
303 union sockaddr_union sa
= {};
305 static const int one
= 1;
311 assert(family
== AF_UNSPEC
);
314 ifindex
= dns_server_ifindex(server
);
316 sa
.sa
.sa_family
= server
->family
;
317 if (server
->family
== AF_INET
) {
318 sa
.in
.sin_port
= htobe16(port
);
319 sa
.in
.sin_addr
= server
->address
.in
;
320 salen
= sizeof(sa
.in
);
321 } else if (server
->family
== AF_INET6
) {
322 sa
.in6
.sin6_port
= htobe16(port
);
323 sa
.in6
.sin6_addr
= server
->address
.in6
;
324 sa
.in6
.sin6_scope_id
= ifindex
;
325 salen
= sizeof(sa
.in6
);
327 return -EAFNOSUPPORT
;
329 assert(family
!= AF_UNSPEC
);
332 sa
.sa
.sa_family
= family
;
333 ifindex
= s
->link
? s
->link
->ifindex
: 0;
335 if (family
== AF_INET
) {
336 sa
.in
.sin_port
= htobe16(port
);
337 sa
.in
.sin_addr
= address
->in
;
338 salen
= sizeof(sa
.in
);
339 } else if (family
== AF_INET6
) {
340 sa
.in6
.sin6_port
= htobe16(port
);
341 sa
.in6
.sin6_addr
= address
->in6
;
342 sa
.in6
.sin6_scope_id
= ifindex
;
343 salen
= sizeof(sa
.in6
);
345 return -EAFNOSUPPORT
;
348 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
352 if (type
== SOCK_STREAM
) {
353 r
= setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &one
, sizeof(one
));
359 be32_t ifindex_be
= htobe32(ifindex
);
361 if (sa
.sa
.sa_family
== AF_INET
) {
362 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
365 } else if (sa
.sa
.sa_family
== AF_INET6
) {
366 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
372 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
373 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
375 if (sa
.sa
.sa_family
== AF_INET
) {
376 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &one
, sizeof(one
));
379 } else if (sa
.sa
.sa_family
== AF_INET6
) {
380 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &one
, sizeof(one
));
386 r
= connect(fd
, &sa
.sa
, salen
);
387 if (r
< 0 && errno
!= EINPROGRESS
)
396 int dns_scope_socket_udp(DnsScope
*s
, DnsServer
*server
, uint16_t port
) {
397 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, server
, port
);
400 int dns_scope_socket_tcp(DnsScope
*s
, int family
, const union in_addr_union
*address
, DnsServer
*server
, uint16_t port
) {
401 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, server
, port
);
404 DnsScopeMatch
dns_scope_good_domain(DnsScope
*s
, int ifindex
, uint64_t flags
, const char *domain
) {
410 /* Checks if the specified domain is something to look up on
411 * this scope. Note that this accepts non-qualified hostnames,
412 * i.e. those without any search path prefixed yet. */
414 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
417 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
, 0) & flags
) == 0)
420 /* Never resolve any loopback hostname or IP address via DNS,
421 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
423 if (is_localhost(domain
) ||
424 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
425 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
428 /* Never respond to some of the domains listed in RFC6303 */
429 if (dns_name_endswith(domain
, "0.in-addr.arpa") > 0 ||
430 dns_name_equal(domain
, "255.255.255.255.in-addr.arpa") > 0 ||
431 dns_name_equal(domain
, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
434 /* Never respond to some of the domains listed in RFC6761 */
435 if (dns_name_endswith(domain
, "invalid") > 0)
438 switch (s
->protocol
) {
440 case DNS_PROTOCOL_DNS
: {
441 DnsServer
*dns_server
;
443 /* Never route things to scopes that lack DNS servers */
444 dns_server
= dns_scope_get_dns_server(s
);
448 /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
449 * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
450 * won't be considered anymore. */
451 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
))
452 if (dns_name_endswith(domain
, d
->name
) > 0)
453 return DNS_SCOPE_YES
;
455 /* If the DNS server has route-only domains, don't send other requests to it. This would be a privacy
456 * violation, will most probably fail anyway, and adds unnecessary load. */
457 if (dns_server_limited_domains(dns_server
))
460 /* Exclude link-local IP ranges */
461 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
462 dns_name_endswith(domain
, "8.e.f.ip6.arpa") == 0 &&
463 dns_name_endswith(domain
, "9.e.f.ip6.arpa") == 0 &&
464 dns_name_endswith(domain
, "a.e.f.ip6.arpa") == 0 &&
465 dns_name_endswith(domain
, "b.e.f.ip6.arpa") == 0 &&
466 /* If networks use .local in their private setups, they are supposed to also add .local to their search
467 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
468 * send such queries ordinary DNS servers. */
469 dns_name_endswith(domain
, "local") == 0)
470 return DNS_SCOPE_MAYBE
;
475 case DNS_PROTOCOL_MDNS
:
476 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
477 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
478 (dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
479 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
480 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
481 return DNS_SCOPE_MAYBE
;
485 case DNS_PROTOCOL_LLMNR
:
486 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
487 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
488 (dns_name_is_single_label(domain
) && /* only resolve single label names via LLMNR */
489 !is_gateway_hostname(domain
) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
490 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
491 return DNS_SCOPE_MAYBE
;
496 assert_not_reached("Unknown scope protocol");
500 bool dns_scope_good_key(DnsScope
*s
, const DnsResourceKey
*key
) {
506 /* Check if it makes sense to resolve the specified key on
507 * this scope. Note that this call assumes as fully qualified
508 * name, i.e. the search suffixes already appended. */
510 if (key
->class != DNS_CLASS_IN
)
513 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
515 /* On classic DNS, looking up non-address RRs is always
516 * fine. (Specifically, we want to permit looking up
517 * DNSKEY and DS records on the root and top-level
519 if (!dns_resource_key_is_address(key
))
522 /* However, we refuse to look up A and AAAA RRs on the
523 * root and single-label domains, under the assumption
524 * that those should be resolved via LLMNR or search
525 * path only, and should not be leaked onto the
527 return !(dns_name_is_single_label(dns_resource_key_name(key
)) ||
528 dns_name_is_root(dns_resource_key_name(key
)));
531 /* On mDNS and LLMNR, send A and AAAA queries only on the
532 * respective scopes */
534 key_family
= dns_type_to_af(key
->type
);
538 return key_family
== s
->family
;
541 static int dns_scope_multicast_membership(DnsScope
*s
, bool b
, struct in_addr in
, struct in6_addr in6
) {
547 if (s
->family
== AF_INET
) {
548 struct ip_mreqn mreqn
= {
550 .imr_ifindex
= s
->link
->ifindex
,
553 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
554 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
556 fd
= manager_mdns_ipv4_fd(s
->manager
);
561 /* Always first try to drop membership before we add
562 * one. This is necessary on some devices, such as
565 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
567 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
570 } else if (s
->family
== AF_INET6
) {
571 struct ipv6_mreq mreq
= {
572 .ipv6mr_multiaddr
= in6
,
573 .ipv6mr_interface
= s
->link
->ifindex
,
576 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
577 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
579 fd
= manager_mdns_ipv6_fd(s
->manager
);
585 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
587 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
590 return -EAFNOSUPPORT
;
595 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
598 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
601 return dns_scope_multicast_membership(s
, b
, LLMNR_MULTICAST_IPV4_ADDRESS
, LLMNR_MULTICAST_IPV6_ADDRESS
);
604 int dns_scope_mdns_membership(DnsScope
*s
, bool b
) {
607 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
610 return dns_scope_multicast_membership(s
, b
, MDNS_MULTICAST_IPV4_ADDRESS
, MDNS_MULTICAST_IPV6_ADDRESS
);
613 int dns_scope_make_reply_packet(
623 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
629 if (dns_question_isempty(q
) &&
630 dns_answer_isempty(answer
) &&
631 dns_answer_isempty(soa
))
634 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
638 DNS_PACKET_HEADER(p
)->id
= id
;
639 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
650 r
= dns_packet_append_question(p
, q
);
653 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(dns_question_size(q
));
655 r
= dns_packet_append_answer(p
, answer
);
658 DNS_PACKET_HEADER(p
)->ancount
= htobe16(dns_answer_size(answer
));
660 r
= dns_packet_append_answer(p
, soa
);
663 DNS_PACKET_HEADER(p
)->arcount
= htobe16(dns_answer_size(soa
));
671 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
672 DnsResourceRecord
*rr
;
678 DNS_QUESTION_FOREACH(key
, p
->question
)
679 dns_zone_verify_conflicts(&s
->zone
, key
);
681 DNS_ANSWER_FOREACH(rr
, p
->answer
)
682 dns_zone_verify_conflicts(&s
->zone
, rr
->key
);
685 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
686 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
687 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
688 DnsResourceKey
*key
= NULL
;
689 bool tentative
= false;
695 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
698 if (p
->ipproto
== IPPROTO_UDP
) {
699 /* Don't accept UDP queries directed to anything but
700 * the LLMNR multicast addresses. See RFC 4795,
703 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
706 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
710 r
= dns_packet_extract(p
);
712 log_debug_errno(r
, "Failed to extract resource records from incoming packet: %m");
716 if (DNS_PACKET_LLMNR_C(p
)) {
717 /* Somebody notified us about a possible conflict */
718 dns_scope_verify_conflicts(s
, p
);
722 assert(dns_question_size(p
->question
) == 1);
723 key
= p
->question
->keys
[0];
725 r
= dns_zone_lookup(&s
->zone
, key
, 0, &answer
, &soa
, &tentative
);
727 log_debug_errno(r
, "Failed to lookup key: %m");
734 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
736 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
738 log_debug_errno(r
, "Failed to build reply packet: %m");
743 r
= dns_stream_write_packet(stream
, reply
);
745 log_debug_errno(r
, "Failed to enqueue reply packet: %m");
749 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
750 * will be dangling until the stream is disconnected, and the default completion handler of the stream
751 * will then unref the stream and destroy it */
752 if (DNS_STREAM_QUEUED(stream
))
753 dns_stream_ref(stream
);
757 if (!ratelimit_test(&s
->ratelimit
))
760 if (p
->family
== AF_INET
)
761 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
762 else if (p
->family
== AF_INET6
)
763 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
765 log_debug("Unknown protocol");
769 log_debug_errno(fd
, "Failed to get reply socket: %m");
773 /* Note that we always immediately reply to all LLMNR
774 * requests, and do not wait any time, since we
775 * verified uniqueness for all records. Also see RFC
776 * 4795, Section 2.7 */
778 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, NULL
, reply
);
780 log_debug_errno(r
, "Failed to send reply packet: %m");
786 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsResourceKey
*key
, bool cache_ok
) {
792 /* Try to find an ongoing transaction that is a equal to the
793 * specified question */
794 t
= hashmap_get(scope
->transactions_by_key
, key
);
798 /* Refuse reusing transactions that completed based on cached
799 * data instead of a real packet, if that's requested. */
801 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_RCODE_FAILURE
) &&
802 t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
808 static int dns_scope_make_conflict_packet(
810 DnsResourceRecord
*rr
,
813 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
820 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
824 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
835 /* For mDNS, the transaction ID should always be 0 */
836 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
837 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
839 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
840 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
842 r
= dns_packet_append_key(p
, rr
->key
, 0, NULL
);
846 r
= dns_packet_append_rr(p
, rr
, 0, NULL
, NULL
);
856 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
857 DnsScope
*scope
= userdata
;
863 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
866 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
867 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
869 rr
= ordered_hashmap_steal_first(scope
->conflict_queue
);
873 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
875 log_error_errno(r
, "Failed to make conflict packet: %m");
879 r
= dns_scope_emit_udp(scope
, -1, p
);
881 log_debug_errno(r
, "Failed to send conflict packet: %m");
887 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
894 /* We don't send these queries immediately. Instead, we queue
895 * them, and send them after some jitter delay. */
896 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
902 /* We only place one RR per key in the conflict
903 * messages, not all of them. That should be enough to
904 * indicate where there might be a conflict */
905 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
906 if (IN_SET(r
, 0, -EEXIST
))
909 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
911 dns_resource_record_ref(rr
);
913 if (scope
->conflict_event_source
)
916 random_bytes(&jitter
, sizeof(jitter
));
917 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
919 r
= sd_event_add_time(scope
->manager
->event
,
920 &scope
->conflict_event_source
,
921 clock_boottime_or_monotonic(),
922 now(clock_boottime_or_monotonic()) + jitter
,
923 LLMNR_JITTER_INTERVAL_USEC
,
924 on_conflict_dispatch
, scope
);
926 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
928 (void) sd_event_source_set_description(scope
->conflict_event_source
, "scope-conflict");
933 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
940 if (!IN_SET(p
->protocol
, DNS_PROTOCOL_LLMNR
, DNS_PROTOCOL_MDNS
))
943 if (DNS_PACKET_RRCOUNT(p
) <= 0)
946 if (p
->protocol
== DNS_PROTOCOL_LLMNR
) {
947 if (DNS_PACKET_LLMNR_C(p
) != 0)
950 if (DNS_PACKET_LLMNR_T(p
) != 0)
954 if (manager_our_packet(scope
->manager
, p
))
957 r
= dns_packet_extract(p
);
959 log_debug_errno(r
, "Failed to extract packet: %m");
963 log_debug("Checking for conflicts...");
965 for (i
= 0; i
< p
->answer
->n_rrs
; i
++) {
967 /* Check for conflicts against the local zone. If we
968 * found one, we won't check any further */
969 r
= dns_zone_check_conflicts(&scope
->zone
, p
->answer
->items
[i
].rr
);
973 /* Check for conflicts against the local cache. If so,
974 * send out an advisory query, to inform everybody */
975 r
= dns_cache_check_conflicts(&scope
->cache
, p
->answer
->items
[i
].rr
, p
->family
, &p
->sender
);
979 dns_scope_notify_conflict(scope
, p
->answer
->items
[i
].rr
);
983 void dns_scope_dump(DnsScope
*s
, FILE *f
) {
989 fputs("[Scope protocol=", f
);
990 fputs(dns_protocol_to_string(s
->protocol
), f
);
993 fputs(" interface=", f
);
994 fputs(s
->link
->name
, f
);
997 if (s
->family
!= AF_UNSPEC
) {
998 fputs(" family=", f
);
999 fputs(af_to_name(s
->family
), f
);
1004 if (!dns_zone_is_empty(&s
->zone
)) {
1005 fputs("ZONE:\n", f
);
1006 dns_zone_dump(&s
->zone
, f
);
1009 if (!dns_cache_is_empty(&s
->cache
)) {
1010 fputs("CACHE:\n", f
);
1011 dns_cache_dump(&s
->cache
, f
);
1015 DnsSearchDomain
*dns_scope_get_search_domains(DnsScope
*s
) {
1018 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1022 return s
->link
->search_domains
;
1024 return s
->manager
->search_domains
;
1027 bool dns_scope_name_needs_search_domain(DnsScope
*s
, const char *name
) {
1030 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1033 return dns_name_is_single_label(name
);
1036 bool dns_scope_network_good(DnsScope
*s
) {
1037 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1038 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1039 * DNS scope we check whether there are any links that are up and have an address. */
1044 return manager_routable(s
->manager
, AF_UNSPEC
);
1047 int dns_scope_ifindex(DnsScope
*s
) {
1051 return s
->link
->ifindex
;
1056 static int on_announcement_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
1057 DnsScope
*scope
= userdata
;
1061 scope
->announce_event_source
= sd_event_source_unref(scope
->announce_event_source
);
1063 (void) dns_scope_announce(scope
, false);
1067 int dns_scope_announce(DnsScope
*scope
, bool goodbye
) {
1068 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
1069 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1076 if (scope
->protocol
!= DNS_PROTOCOL_MDNS
)
1079 answer
= dns_answer_new(scope
->link
->n_addresses
* 2);
1083 LIST_FOREACH(addresses
, a
, scope
->link
->addresses
) {
1084 r
= dns_answer_add(answer
, a
->mdns_address_rr
, 0, goodbye
? DNS_ANSWER_GOODBYE
: DNS_ANSWER_CACHE_FLUSH
);
1086 return log_debug_errno(r
, "Failed to add address RR to answer: %m");
1088 r
= dns_answer_add(answer
, a
->mdns_ptr_rr
, 0, goodbye
? DNS_ANSWER_GOODBYE
: DNS_ANSWER_CACHE_FLUSH
);
1090 return log_debug_errno(r
, "Failed to add PTR RR to answer: %m");
1093 if (dns_answer_isempty(answer
))
1096 r
= dns_scope_make_reply_packet(scope
, 0, DNS_RCODE_SUCCESS
, NULL
, answer
, NULL
, false, &p
);
1098 return log_debug_errno(r
, "Failed to build reply packet: %m");
1100 r
= dns_scope_emit_udp(scope
, -1, p
);
1102 return log_debug_errno(r
, "Failed to send reply packet: %m");
1104 /* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
1105 * responses, one second apart." */
1106 if (!scope
->announced
) {
1109 scope
->announced
= true;
1111 assert_se(sd_event_now(scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1112 ts
+= MDNS_ANNOUNCE_DELAY
;
1114 r
= sd_event_add_time(
1115 scope
->manager
->event
,
1116 &scope
->announce_event_source
,
1117 clock_boottime_or_monotonic(),
1119 MDNS_JITTER_RANGE_USEC
,
1120 on_announcement_timeout
, scope
);
1122 return log_debug_errno(r
, "Failed to schedule second announcement: %m");
1124 (void) sd_event_source_set_description(scope
->announce_event_source
, "mdns-announce");