1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #include <netinet/tcp.h>
6 #include "alloc-util.h"
7 #include "dns-domain.h"
9 #include "hostname-util.h"
11 #include "random-util.h"
12 #include "resolved-dnssd.h"
13 #include "resolved-dns-scope.h"
14 #include "resolved-dns-zone.h"
15 #include "resolved-llmnr.h"
16 #include "resolved-mdns.h"
17 #include "socket-util.h"
20 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
21 #define MULTICAST_RATELIMIT_BURST 1000
23 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
24 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
25 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
27 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
42 .resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
,
45 if (protocol
== DNS_PROTOCOL_DNS
) {
46 /* Copy DNSSEC mode from the link if it is set there,
47 * otherwise take the manager's DNSSEC mode. Note that
48 * we copy this only at scope creation time, and do
49 * not update it from the on, even if the setting
53 s
->dnssec_mode
= link_get_dnssec_mode(l
);
54 s
->dns_over_tls_mode
= link_get_dns_over_tls_mode(l
);
56 s
->dnssec_mode
= manager_get_dnssec_mode(m
);
57 s
->dns_over_tls_mode
= manager_get_dns_over_tls_mode(m
);
61 s
->dnssec_mode
= DNSSEC_NO
;
62 s
->dns_over_tls_mode
= DNS_OVER_TLS_NO
;
65 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
67 dns_scope_llmnr_membership(s
, true);
68 dns_scope_mdns_membership(s
, true);
70 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
72 /* Enforce ratelimiting for the multicast protocols */
73 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
79 static void dns_scope_abort_transactions(DnsScope
*s
) {
82 while (s
->transactions
) {
83 DnsTransaction
*t
= s
->transactions
;
85 /* Abort the transaction, but make sure it is not
86 * freed while we still look at it */
89 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
90 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
93 dns_transaction_free(t
);
97 DnsScope
* dns_scope_free(DnsScope
*s
) {
101 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
103 dns_scope_llmnr_membership(s
, false);
104 dns_scope_mdns_membership(s
, false);
105 dns_scope_abort_transactions(s
);
107 while (s
->query_candidates
)
108 dns_query_candidate_free(s
->query_candidates
);
110 hashmap_free(s
->transactions_by_key
);
112 ordered_hashmap_free_with_destructor(s
->conflict_queue
, dns_resource_record_unref
);
113 sd_event_source_unref(s
->conflict_event_source
);
115 sd_event_source_unref(s
->announce_event_source
);
117 dns_cache_flush(&s
->cache
);
118 dns_zone_flush(&s
->zone
);
120 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
124 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
127 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
131 return link_get_dns_server(s
->link
);
133 return manager_get_dns_server(s
->manager
);
136 unsigned dns_scope_get_n_dns_servers(DnsScope
*s
) {
142 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
146 i
= s
->link
->dns_servers
;
148 i
= s
->manager
->dns_servers
;
150 for (; i
; i
= i
->servers_next
)
156 void dns_scope_next_dns_server(DnsScope
*s
) {
159 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
163 link_next_dns_server(s
->link
);
165 manager_next_dns_server(s
->manager
);
168 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
171 if (rtt
<= s
->max_rtt
)
175 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
178 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
181 if (s
->resend_timeout
<= usec
)
182 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
185 static int dns_scope_emit_one(DnsScope
*s
, int fd
, DnsPacket
*p
) {
186 union in_addr_union addr
;
193 assert(p
->protocol
== s
->protocol
);
197 ifindex
= s
->link
->ifindex
;
199 mtu
= manager_find_mtu(s
->manager
);
201 switch (s
->protocol
) {
203 case DNS_PROTOCOL_DNS
:
206 if (DNS_PACKET_QDCOUNT(p
) > 1)
209 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
212 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
215 r
= manager_write(s
->manager
, fd
, p
);
221 case DNS_PROTOCOL_LLMNR
:
224 if (DNS_PACKET_QDCOUNT(p
) > 1)
227 if (!ratelimit_below(&s
->ratelimit
))
232 if (family
== AF_INET
) {
233 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
234 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
235 } else if (family
== AF_INET6
) {
236 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
237 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
239 return -EAFNOSUPPORT
;
243 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, LLMNR_PORT
, NULL
, p
);
249 case DNS_PROTOCOL_MDNS
:
252 if (!ratelimit_below(&s
->ratelimit
))
257 if (family
== AF_INET
) {
258 addr
.in
= MDNS_MULTICAST_IPV4_ADDRESS
;
259 fd
= manager_mdns_ipv4_fd(s
->manager
);
260 } else if (family
== AF_INET6
) {
261 addr
.in6
= MDNS_MULTICAST_IPV6_ADDRESS
;
262 fd
= manager_mdns_ipv6_fd(s
->manager
);
264 return -EAFNOSUPPORT
;
268 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, MDNS_PORT
, NULL
, p
);
275 return -EAFNOSUPPORT
;
281 int dns_scope_emit_udp(DnsScope
*s
, int fd
, DnsPacket
*p
) {
286 assert(p
->protocol
== s
->protocol
);
287 assert((s
->protocol
== DNS_PROTOCOL_DNS
) == (fd
>= 0));
290 /* If there are multiple linked packets, set the TC bit in all but the last of them */
292 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
293 dns_packet_set_flags(p
, true, true);
296 r
= dns_scope_emit_one(s
, fd
, p
);
306 static int dns_scope_socket(
310 const union in_addr_union
*address
,
313 union sockaddr_union
*ret_socket_address
) {
315 _cleanup_close_
int fd
= -1;
316 union sockaddr_union sa
;
323 assert(family
== AF_UNSPEC
);
326 ifindex
= dns_server_ifindex(server
);
328 switch (server
->family
) {
330 sa
= (union sockaddr_union
) {
331 .in
.sin_family
= server
->family
,
332 .in
.sin_port
= htobe16(port
),
333 .in
.sin_addr
= server
->address
.in
,
335 salen
= sizeof(sa
.in
);
338 sa
= (union sockaddr_union
) {
339 .in6
.sin6_family
= server
->family
,
340 .in6
.sin6_port
= htobe16(port
),
341 .in6
.sin6_addr
= server
->address
.in6
,
342 .in6
.sin6_scope_id
= ifindex
,
344 salen
= sizeof(sa
.in6
);
347 return -EAFNOSUPPORT
;
350 assert(family
!= AF_UNSPEC
);
353 ifindex
= s
->link
? s
->link
->ifindex
: 0;
357 sa
= (union sockaddr_union
) {
358 .in
.sin_family
= family
,
359 .in
.sin_port
= htobe16(port
),
360 .in
.sin_addr
= address
->in
,
362 salen
= sizeof(sa
.in
);
365 sa
= (union sockaddr_union
) {
366 .in6
.sin6_family
= family
,
367 .in6
.sin6_port
= htobe16(port
),
368 .in6
.sin6_addr
= address
->in6
,
369 .in6
.sin6_scope_id
= ifindex
,
371 salen
= sizeof(sa
.in6
);
374 return -EAFNOSUPPORT
;
378 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
382 if (type
== SOCK_STREAM
) {
383 r
= setsockopt_int(fd
, IPPROTO_TCP
, TCP_NODELAY
, true);
389 be32_t ifindex_be
= htobe32(ifindex
);
391 if (sa
.sa
.sa_family
== AF_INET
) {
392 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
395 } else if (sa
.sa
.sa_family
== AF_INET6
) {
396 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
402 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
403 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
405 if (sa
.sa
.sa_family
== AF_INET
) {
406 r
= setsockopt_int(fd
, IPPROTO_IP
, IP_TTL
, true);
409 } else if (sa
.sa
.sa_family
== AF_INET6
) {
410 r
= setsockopt_int(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, true);
416 if (type
== SOCK_DGRAM
) {
417 /* Set IP_RECVERR or IPV6_RECVERR to get ICMP error feedback. See discussion in #10345. */
419 if (sa
.sa
.sa_family
== AF_INET
) {
420 r
= setsockopt_int(fd
, IPPROTO_IP
, IP_RECVERR
, true);
424 r
= setsockopt_int(fd
, IPPROTO_IP
, IP_PKTINFO
, true);
428 } else if (sa
.sa
.sa_family
== AF_INET6
) {
429 r
= setsockopt_int(fd
, IPPROTO_IPV6
, IPV6_RECVERR
, true);
433 r
= setsockopt_int(fd
, IPPROTO_IPV6
, IPV6_RECVPKTINFO
, true);
439 if (ret_socket_address
)
440 *ret_socket_address
= sa
;
442 r
= connect(fd
, &sa
.sa
, salen
);
443 if (r
< 0 && errno
!= EINPROGRESS
)
450 int dns_scope_socket_udp(DnsScope
*s
, DnsServer
*server
, uint16_t port
) {
451 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, server
, port
, NULL
);
454 int dns_scope_socket_tcp(DnsScope
*s
, int family
, const union in_addr_union
*address
, DnsServer
*server
, uint16_t port
, union sockaddr_union
*ret_socket_address
) {
455 /* If ret_socket_address is not NULL, the caller is responisble
456 * for calling connect() or sendmsg(). This is required by TCP
457 * Fast Open, to be able to send the initial SYN packet along
458 * with the first data packet. */
459 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, server
, port
, ret_socket_address
);
462 static DnsScopeMatch
accept_link_local_reverse_lookups(const char *domain
) {
465 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") > 0)
466 return DNS_SCOPE_YES_BASE
+ 4; /* 4 labels match */
468 if (dns_name_endswith(domain
, "8.e.f.ip6.arpa") > 0 ||
469 dns_name_endswith(domain
, "9.e.f.ip6.arpa") > 0 ||
470 dns_name_endswith(domain
, "a.e.f.ip6.arpa") > 0 ||
471 dns_name_endswith(domain
, "b.e.f.ip6.arpa") > 0)
472 return DNS_SCOPE_YES_BASE
+ 5; /* 5 labels match */
474 return _DNS_SCOPE_MATCH_INVALID
;
477 DnsScopeMatch
dns_scope_good_domain(
481 const char *domain
) {
485 /* This returns the following return values:
487 * DNS_SCOPE_NO → This scope is not suitable for lookups of this domain, at all
488 * DNS_SCOPE_MAYBE → This scope is suitable, but only if nothing else wants it
489 * DNS_SCOPE_YES_BASE+n → This scope is suitable, and 'n' suffix labels match
491 * (The idea is that the caller will only use the scopes with the longest 'n' returned. If no scopes return
492 * DNS_SCOPE_YES_BASE+n, then it should use those which returned DNS_SCOPE_MAYBE. It should never use those
493 * which returned DNS_SCOPE_NO.)
499 /* Checks if the specified domain is something to look up on
500 * this scope. Note that this accepts non-qualified hostnames,
501 * i.e. those without any search path prefixed yet. */
503 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
506 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
, 0) & flags
) == 0)
509 /* Never resolve any loopback hostname or IP address via DNS,
510 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
512 if (is_localhost(domain
) ||
513 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
514 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
517 /* Never respond to some of the domains listed in RFC6303 */
518 if (dns_name_endswith(domain
, "0.in-addr.arpa") > 0 ||
519 dns_name_equal(domain
, "255.255.255.255.in-addr.arpa") > 0 ||
520 dns_name_equal(domain
, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
523 /* Never respond to some of the domains listed in RFC6761 */
524 if (dns_name_endswith(domain
, "invalid") > 0)
527 switch (s
->protocol
) {
529 case DNS_PROTOCOL_DNS
: {
530 bool has_search_domains
= false;
533 /* Never route things to scopes that lack DNS servers */
534 if (!dns_scope_get_dns_server(s
))
537 /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
538 * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
539 * won't be considered anymore. */
540 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
)) {
542 if (!d
->route_only
&& !dns_name_is_root(d
->name
))
543 has_search_domains
= true;
545 if (dns_name_endswith(domain
, d
->name
) > 0) {
548 c
= dns_name_count_labels(d
->name
);
557 /* If there's a true search domain defined for this scope, and the query is single-label,
558 * then let's resolve things here, prefereably. Note that LLMNR considers itself
559 * authoritative for single-label names too, at the same preference, see below. */
560 if (has_search_domains
&& dns_name_is_single_label(domain
))
561 return DNS_SCOPE_YES_BASE
+ 1;
563 /* Let's return the number of labels in the best matching result */
565 assert(n_best
<= DNS_SCOPE_YES_END
- DNS_SCOPE_YES_BASE
);
566 return DNS_SCOPE_YES_BASE
+ n_best
;
569 /* See if this scope is suitable as default route. */
570 if (!dns_scope_is_default_route(s
))
573 /* Exclude link-local IP ranges */
574 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
575 dns_name_endswith(domain
, "8.e.f.ip6.arpa") == 0 &&
576 dns_name_endswith(domain
, "9.e.f.ip6.arpa") == 0 &&
577 dns_name_endswith(domain
, "a.e.f.ip6.arpa") == 0 &&
578 dns_name_endswith(domain
, "b.e.f.ip6.arpa") == 0 &&
579 /* If networks use .local in their private setups, they are supposed to also add .local to their search
580 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
581 * send such queries ordinary DNS servers. */
582 dns_name_endswith(domain
, "local") == 0)
583 return DNS_SCOPE_MAYBE
;
588 case DNS_PROTOCOL_MDNS
: {
591 m
= accept_link_local_reverse_lookups(domain
);
595 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
596 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0))
597 return DNS_SCOPE_MAYBE
;
599 if ((dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
600 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
601 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
602 return DNS_SCOPE_YES_BASE
+ 1; /* Return +1, as the top-level .local domain matches, i.e. one label */
607 case DNS_PROTOCOL_LLMNR
: {
610 m
= accept_link_local_reverse_lookups(domain
);
614 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
615 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0))
616 return DNS_SCOPE_MAYBE
;
618 if ((dns_name_is_single_label(domain
) && /* only resolve single label names via LLMNR */
619 !is_gateway_hostname(domain
) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
620 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
621 return DNS_SCOPE_YES_BASE
+ 1; /* Return +1, as we consider ourselves authoritative
622 * for single-label names, i.e. one label. This is
623 * particular relevant as it means a "." route on some
624 * other scope won't pull all traffic away from
625 * us. (If people actually want to pull traffic away
626 * from us they should turn off LLMNR on the
627 * link). Note that unicast DNS scopes with search
628 * domains also consider themselves authoritative for
629 * single-label domains, at the same preference (see
636 assert_not_reached("Unknown scope protocol");
640 bool dns_scope_good_key(DnsScope
*s
, const DnsResourceKey
*key
) {
646 /* Check if it makes sense to resolve the specified key on
647 * this scope. Note that this call assumes as fully qualified
648 * name, i.e. the search suffixes already appended. */
650 if (key
->class != DNS_CLASS_IN
)
653 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
655 /* On classic DNS, looking up non-address RRs is always
656 * fine. (Specifically, we want to permit looking up
657 * DNSKEY and DS records on the root and top-level
659 if (!dns_resource_key_is_address(key
))
662 /* However, we refuse to look up A and AAAA RRs on the
663 * root and single-label domains, under the assumption
664 * that those should be resolved via LLMNR or search
665 * path only, and should not be leaked onto the
667 return !(dns_name_is_single_label(dns_resource_key_name(key
)) ||
668 dns_name_is_root(dns_resource_key_name(key
)));
671 /* On mDNS and LLMNR, send A and AAAA queries only on the
672 * respective scopes */
674 key_family
= dns_type_to_af(key
->type
);
678 return key_family
== s
->family
;
681 static int dns_scope_multicast_membership(DnsScope
*s
, bool b
, struct in_addr in
, struct in6_addr in6
) {
687 if (s
->family
== AF_INET
) {
688 struct ip_mreqn mreqn
= {
690 .imr_ifindex
= s
->link
->ifindex
,
693 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
694 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
696 fd
= manager_mdns_ipv4_fd(s
->manager
);
701 /* Always first try to drop membership before we add
702 * one. This is necessary on some devices, such as
705 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
707 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
710 } else if (s
->family
== AF_INET6
) {
711 struct ipv6_mreq mreq
= {
712 .ipv6mr_multiaddr
= in6
,
713 .ipv6mr_interface
= s
->link
->ifindex
,
716 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
717 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
719 fd
= manager_mdns_ipv6_fd(s
->manager
);
725 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
727 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
730 return -EAFNOSUPPORT
;
735 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
738 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
741 return dns_scope_multicast_membership(s
, b
, LLMNR_MULTICAST_IPV4_ADDRESS
, LLMNR_MULTICAST_IPV6_ADDRESS
);
744 int dns_scope_mdns_membership(DnsScope
*s
, bool b
) {
747 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
750 return dns_scope_multicast_membership(s
, b
, MDNS_MULTICAST_IPV4_ADDRESS
, MDNS_MULTICAST_IPV6_ADDRESS
);
753 int dns_scope_make_reply_packet(
763 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
769 if (dns_question_isempty(q
) &&
770 dns_answer_isempty(answer
) &&
771 dns_answer_isempty(soa
))
774 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
778 DNS_PACKET_HEADER(p
)->id
= id
;
779 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
790 r
= dns_packet_append_question(p
, q
);
793 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(dns_question_size(q
));
795 r
= dns_packet_append_answer(p
, answer
);
798 DNS_PACKET_HEADER(p
)->ancount
= htobe16(dns_answer_size(answer
));
800 r
= dns_packet_append_answer(p
, soa
);
803 DNS_PACKET_HEADER(p
)->arcount
= htobe16(dns_answer_size(soa
));
810 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
811 DnsResourceRecord
*rr
;
817 DNS_QUESTION_FOREACH(key
, p
->question
)
818 dns_zone_verify_conflicts(&s
->zone
, key
);
820 DNS_ANSWER_FOREACH(rr
, p
->answer
)
821 dns_zone_verify_conflicts(&s
->zone
, rr
->key
);
824 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
825 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
826 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
827 DnsResourceKey
*key
= NULL
;
828 bool tentative
= false;
834 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
837 if (p
->ipproto
== IPPROTO_UDP
) {
838 /* Don't accept UDP queries directed to anything but
839 * the LLMNR multicast addresses. See RFC 4795,
842 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
845 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
849 r
= dns_packet_extract(p
);
851 log_debug_errno(r
, "Failed to extract resource records from incoming packet: %m");
855 if (DNS_PACKET_LLMNR_C(p
)) {
856 /* Somebody notified us about a possible conflict */
857 dns_scope_verify_conflicts(s
, p
);
861 assert(dns_question_size(p
->question
) == 1);
862 key
= p
->question
->keys
[0];
864 r
= dns_zone_lookup(&s
->zone
, key
, 0, &answer
, &soa
, &tentative
);
866 log_debug_errno(r
, "Failed to lookup key: %m");
873 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
875 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
877 log_debug_errno(r
, "Failed to build reply packet: %m");
882 r
= dns_stream_write_packet(stream
, reply
);
884 log_debug_errno(r
, "Failed to enqueue reply packet: %m");
888 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
889 * will be dangling until the stream is disconnected, and the default completion handler of the stream
890 * will then unref the stream and destroy it */
891 if (DNS_STREAM_QUEUED(stream
))
892 dns_stream_ref(stream
);
896 if (!ratelimit_below(&s
->ratelimit
))
899 if (p
->family
== AF_INET
)
900 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
901 else if (p
->family
== AF_INET6
)
902 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
904 log_debug("Unknown protocol");
908 log_debug_errno(fd
, "Failed to get reply socket: %m");
912 /* Note that we always immediately reply to all LLMNR
913 * requests, and do not wait any time, since we
914 * verified uniqueness for all records. Also see RFC
915 * 4795, Section 2.7 */
917 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, NULL
, reply
);
919 log_debug_errno(r
, "Failed to send reply packet: %m");
925 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsResourceKey
*key
, bool cache_ok
) {
931 /* Try to find an ongoing transaction that is a equal to the
932 * specified question */
933 t
= hashmap_get(scope
->transactions_by_key
, key
);
937 /* Refuse reusing transactions that completed based on cached
938 * data instead of a real packet, if that's requested. */
940 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_RCODE_FAILURE
) &&
941 t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
947 static int dns_scope_make_conflict_packet(
949 DnsResourceRecord
*rr
,
952 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
959 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
963 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
974 /* For mDNS, the transaction ID should always be 0 */
975 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
976 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
978 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
979 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
981 r
= dns_packet_append_key(p
, rr
->key
, 0, NULL
);
985 r
= dns_packet_append_rr(p
, rr
, 0, NULL
, NULL
);
994 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
995 DnsScope
*scope
= userdata
;
1001 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
1004 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1005 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
1006 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1008 key
= ordered_hashmap_first_key(scope
->conflict_queue
);
1012 rr
= ordered_hashmap_remove(scope
->conflict_queue
, key
);
1015 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
1017 log_error_errno(r
, "Failed to make conflict packet: %m");
1021 r
= dns_scope_emit_udp(scope
, -1, p
);
1023 log_debug_errno(r
, "Failed to send conflict packet: %m");
1029 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
1036 /* We don't send these queries immediately. Instead, we queue
1037 * them, and send them after some jitter delay. */
1038 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
1044 /* We only place one RR per key in the conflict
1045 * messages, not all of them. That should be enough to
1046 * indicate where there might be a conflict */
1047 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
1048 if (IN_SET(r
, 0, -EEXIST
))
1051 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
1053 dns_resource_key_ref(rr
->key
);
1054 dns_resource_record_ref(rr
);
1056 if (scope
->conflict_event_source
)
1059 random_bytes(&jitter
, sizeof(jitter
));
1060 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
1062 r
= sd_event_add_time(scope
->manager
->event
,
1063 &scope
->conflict_event_source
,
1064 clock_boottime_or_monotonic(),
1065 now(clock_boottime_or_monotonic()) + jitter
,
1066 LLMNR_JITTER_INTERVAL_USEC
,
1067 on_conflict_dispatch
, scope
);
1069 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
1071 (void) sd_event_source_set_description(scope
->conflict_event_source
, "scope-conflict");
1076 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
1077 DnsResourceRecord
*rr
;
1083 if (!IN_SET(p
->protocol
, DNS_PROTOCOL_LLMNR
, DNS_PROTOCOL_MDNS
))
1086 if (DNS_PACKET_RRCOUNT(p
) <= 0)
1089 if (p
->protocol
== DNS_PROTOCOL_LLMNR
) {
1090 if (DNS_PACKET_LLMNR_C(p
) != 0)
1093 if (DNS_PACKET_LLMNR_T(p
) != 0)
1097 if (manager_our_packet(scope
->manager
, p
))
1100 r
= dns_packet_extract(p
);
1102 log_debug_errno(r
, "Failed to extract packet: %m");
1106 log_debug("Checking for conflicts...");
1108 DNS_ANSWER_FOREACH(rr
, p
->answer
) {
1109 /* No conflict if it is DNS-SD RR used for service enumeration. */
1110 if (dns_resource_key_is_dnssd_ptr(rr
->key
))
1113 /* Check for conflicts against the local zone. If we
1114 * found one, we won't check any further */
1115 r
= dns_zone_check_conflicts(&scope
->zone
, rr
);
1119 /* Check for conflicts against the local cache. If so,
1120 * send out an advisory query, to inform everybody */
1121 r
= dns_cache_check_conflicts(&scope
->cache
, rr
, p
->family
, &p
->sender
);
1125 dns_scope_notify_conflict(scope
, rr
);
1129 void dns_scope_dump(DnsScope
*s
, FILE *f
) {
1135 fputs("[Scope protocol=", f
);
1136 fputs(dns_protocol_to_string(s
->protocol
), f
);
1139 fputs(" interface=", f
);
1140 fputs(s
->link
->name
, f
);
1143 if (s
->family
!= AF_UNSPEC
) {
1144 fputs(" family=", f
);
1145 fputs(af_to_name(s
->family
), f
);
1150 if (!dns_zone_is_empty(&s
->zone
)) {
1151 fputs("ZONE:\n", f
);
1152 dns_zone_dump(&s
->zone
, f
);
1155 if (!dns_cache_is_empty(&s
->cache
)) {
1156 fputs("CACHE:\n", f
);
1157 dns_cache_dump(&s
->cache
, f
);
1161 DnsSearchDomain
*dns_scope_get_search_domains(DnsScope
*s
) {
1164 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1168 return s
->link
->search_domains
;
1170 return s
->manager
->search_domains
;
1173 bool dns_scope_name_needs_search_domain(DnsScope
*s
, const char *name
) {
1176 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1179 return dns_name_is_single_label(name
);
1182 bool dns_scope_network_good(DnsScope
*s
) {
1183 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1184 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1185 * DNS scope we check whether there are any links that are up and have an address. */
1190 return manager_routable(s
->manager
, AF_UNSPEC
);
1193 int dns_scope_ifindex(DnsScope
*s
) {
1197 return s
->link
->ifindex
;
1202 static int on_announcement_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
1203 DnsScope
*scope
= userdata
;
1207 scope
->announce_event_source
= sd_event_source_unref(scope
->announce_event_source
);
1209 (void) dns_scope_announce(scope
, false);
1213 int dns_scope_announce(DnsScope
*scope
, bool goodbye
) {
1214 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
1215 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1216 _cleanup_set_free_ Set
*types
= NULL
;
1227 if (scope
->protocol
!= DNS_PROTOCOL_MDNS
)
1230 /* Check if we're done with probing. */
1231 LIST_FOREACH(transactions_by_scope
, t
, scope
->transactions
)
1232 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
1235 /* Check if there're services pending conflict resolution. */
1236 if (manager_next_dnssd_names(scope
->manager
))
1237 return 0; /* we reach this point only if changing hostname didn't help */
1239 /* Calculate answer's size. */
1240 HASHMAP_FOREACH(z
, scope
->zone
.by_key
, iterator
) {
1241 if (z
->state
!= DNS_ZONE_ITEM_ESTABLISHED
)
1244 if (z
->rr
->key
->type
== DNS_TYPE_PTR
&&
1245 !dns_zone_contains_name(&scope
->zone
, z
->rr
->ptr
.name
)) {
1246 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
1248 log_debug("Skip PTR RR <%s> since its counterparts seem to be withdrawn", dns_resource_key_to_string(z
->rr
->key
, key_str
, sizeof key_str
));
1249 z
->state
= DNS_ZONE_ITEM_WITHDRAWN
;
1253 /* Collect service types for _services._dns-sd._udp.local RRs in a set */
1254 if (!scope
->announced
&&
1255 dns_resource_key_is_dnssd_ptr(z
->rr
->key
)) {
1256 if (!set_contains(types
, dns_resource_key_name(z
->rr
->key
))) {
1257 r
= set_ensure_allocated(&types
, &dns_name_hash_ops
);
1259 return log_debug_errno(r
, "Failed to allocate set: %m");
1261 r
= set_put(types
, dns_resource_key_name(z
->rr
->key
));
1263 return log_debug_errno(r
, "Failed to add item to set: %m");
1267 LIST_FOREACH(by_key
, i
, z
)
1271 answer
= dns_answer_new(size
+ set_size(types
));
1275 /* Second iteration, actually add RRs to the answer. */
1276 HASHMAP_FOREACH(z
, scope
->zone
.by_key
, iterator
)
1277 LIST_FOREACH (by_key
, i
, z
) {
1278 DnsAnswerFlags flags
;
1280 if (i
->state
!= DNS_ZONE_ITEM_ESTABLISHED
)
1283 if (dns_resource_key_is_dnssd_ptr(i
->rr
->key
))
1284 flags
= goodbye
? DNS_ANSWER_GOODBYE
: 0;
1286 flags
= goodbye
? (DNS_ANSWER_GOODBYE
|DNS_ANSWER_CACHE_FLUSH
) : DNS_ANSWER_CACHE_FLUSH
;
1288 r
= dns_answer_add(answer
, i
->rr
, 0 , flags
);
1290 return log_debug_errno(r
, "Failed to add RR to announce: %m");
1293 /* Since all the active services are in the zone make them discoverable now. */
1294 SET_FOREACH(service_type
, types
, iterator
) {
1295 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
;
1297 rr
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_PTR
,
1298 "_services._dns-sd._udp.local");
1299 rr
->ptr
.name
= strdup(service_type
);
1300 rr
->ttl
= MDNS_DEFAULT_TTL
;
1302 r
= dns_zone_put(&scope
->zone
, scope
, rr
, false);
1304 log_warning_errno(r
, "Failed to add DNS-SD PTR record to MDNS zone: %m");
1306 r
= dns_answer_add(answer
, rr
, 0 , 0);
1308 return log_debug_errno(r
, "Failed to add RR to announce: %m");
1311 if (dns_answer_isempty(answer
))
1314 r
= dns_scope_make_reply_packet(scope
, 0, DNS_RCODE_SUCCESS
, NULL
, answer
, NULL
, false, &p
);
1316 return log_debug_errno(r
, "Failed to build reply packet: %m");
1318 r
= dns_scope_emit_udp(scope
, -1, p
);
1320 return log_debug_errno(r
, "Failed to send reply packet: %m");
1322 /* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
1323 * responses, one second apart." */
1324 if (!scope
->announced
) {
1327 scope
->announced
= true;
1329 assert_se(sd_event_now(scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1330 ts
+= MDNS_ANNOUNCE_DELAY
;
1332 r
= sd_event_add_time(
1333 scope
->manager
->event
,
1334 &scope
->announce_event_source
,
1335 clock_boottime_or_monotonic(),
1337 MDNS_JITTER_RANGE_USEC
,
1338 on_announcement_timeout
, scope
);
1340 return log_debug_errno(r
, "Failed to schedule second announcement: %m");
1342 (void) sd_event_source_set_description(scope
->announce_event_source
, "mdns-announce");
1348 int dns_scope_add_dnssd_services(DnsScope
*scope
) {
1350 DnssdService
*service
;
1351 DnssdTxtData
*txt_data
;
1356 if (hashmap_size(scope
->manager
->dnssd_services
) == 0)
1359 scope
->announced
= false;
1361 HASHMAP_FOREACH(service
, scope
->manager
->dnssd_services
, i
) {
1362 service
->withdrawn
= false;
1364 r
= dns_zone_put(&scope
->zone
, scope
, service
->ptr_rr
, false);
1366 log_warning_errno(r
, "Failed to add PTR record to MDNS zone: %m");
1368 r
= dns_zone_put(&scope
->zone
, scope
, service
->srv_rr
, true);
1370 log_warning_errno(r
, "Failed to add SRV record to MDNS zone: %m");
1372 LIST_FOREACH(items
, txt_data
, service
->txt_data_items
) {
1373 r
= dns_zone_put(&scope
->zone
, scope
, txt_data
->rr
, true);
1375 log_warning_errno(r
, "Failed to add TXT record to MDNS zone: %m");
1382 int dns_scope_remove_dnssd_services(DnsScope
*scope
) {
1383 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1385 DnssdService
*service
;
1386 DnssdTxtData
*txt_data
;
1391 key
= dns_resource_key_new(DNS_CLASS_IN
, DNS_TYPE_PTR
,
1392 "_services._dns-sd._udp.local");
1396 r
= dns_zone_remove_rrs_by_key(&scope
->zone
, key
);
1400 HASHMAP_FOREACH(service
, scope
->manager
->dnssd_services
, i
) {
1401 dns_zone_remove_rr(&scope
->zone
, service
->ptr_rr
);
1402 dns_zone_remove_rr(&scope
->zone
, service
->srv_rr
);
1403 LIST_FOREACH(items
, txt_data
, service
->txt_data_items
)
1404 dns_zone_remove_rr(&scope
->zone
, txt_data
->rr
);
1410 static bool dns_scope_has_route_only_domains(DnsScope
*scope
) {
1411 DnsSearchDomain
*domain
, *first
;
1412 bool route_only
= false;
1415 assert(scope
->protocol
== DNS_PROTOCOL_DNS
);
1417 /* Returns 'true' if this scope is suitable for queries to specific domains only. For that we check
1418 * if there are any route-only domains on this interface, as a heuristic to discern VPN-style links
1419 * from non-VPN-style links. Returns 'false' for all other cases, i.e. if the scope is intended to
1420 * take queries to arbitrary domains, i.e. has no routing domains set. */
1423 first
= scope
->link
->search_domains
;
1425 first
= scope
->manager
->search_domains
;
1427 LIST_FOREACH(domains
, domain
, first
) {
1428 /* "." means "any domain", thus the interface takes any kind of traffic. Thus, we exit early
1429 * here, as it doesn't really matter whether this link has any route-only domains or not,
1430 * "~." really trumps everything and clearly indicates that this interface shall receive all
1431 * traffic it can get. */
1432 if (dns_name_is_root(DNS_SEARCH_DOMAIN_NAME(domain
)))
1435 if (domain
->route_only
)
1442 bool dns_scope_is_default_route(DnsScope
*scope
) {
1445 /* Only use DNS scopes as default routes */
1446 if (scope
->protocol
!= DNS_PROTOCOL_DNS
)
1449 /* The global DNS scope is always suitable as default route */
1453 /* Honour whatever is explicitly configured. This is really the best approach, and trumps any
1454 * automatic logic. */
1455 if (scope
->link
->default_route
>= 0)
1456 return scope
->link
->default_route
;
1458 /* Otherwise check if we have any route-only domains, as a sensible heuristic: if so, let's not
1459 * volunteer as default route. */
1460 return !dns_scope_has_route_only_domains(scope
);