2 This file is part of systemd.
4 Copyright 2014 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 #include <netinet/tcp.h>
23 #include "alloc-util.h"
24 #include "dns-domain.h"
26 #include "hostname-util.h"
28 #include "random-util.h"
29 #include "resolved-dns-scope.h"
30 #include "resolved-llmnr.h"
31 #include "resolved-mdns.h"
32 #include "socket-util.h"
35 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
36 #define MULTICAST_RATELIMIT_BURST 1000
38 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
39 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
40 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
42 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
48 s
= new0(DnsScope
, 1);
54 s
->protocol
= protocol
;
56 s
->resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
;
58 if (protocol
== DNS_PROTOCOL_DNS
) {
59 /* Copy DNSSEC mode from the link if it is set there,
60 * otherwise take the manager's DNSSEC mode. Note that
61 * we copy this only at scope creation time, and do
62 * not update it from the on, even if the setting
66 s
->dnssec_mode
= link_get_dnssec_mode(l
);
68 s
->dnssec_mode
= manager_get_dnssec_mode(m
);
70 s
->dnssec_mode
= DNSSEC_NO
;
72 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
74 dns_scope_llmnr_membership(s
, true);
75 dns_scope_mdns_membership(s
, true);
77 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
79 /* Enforce ratelimiting for the multicast protocols */
80 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
86 static void dns_scope_abort_transactions(DnsScope
*s
) {
89 while (s
->transactions
) {
90 DnsTransaction
*t
= s
->transactions
;
92 /* Abort the transaction, but make sure it is not
93 * freed while we still look at it */
96 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
97 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
100 dns_transaction_free(t
);
104 DnsScope
* dns_scope_free(DnsScope
*s
) {
105 DnsResourceRecord
*rr
;
110 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
112 dns_scope_llmnr_membership(s
, false);
113 dns_scope_mdns_membership(s
, false);
114 dns_scope_abort_transactions(s
);
116 while (s
->query_candidates
)
117 dns_query_candidate_free(s
->query_candidates
);
119 hashmap_free(s
->transactions_by_key
);
121 while ((rr
= ordered_hashmap_steal_first(s
->conflict_queue
)))
122 dns_resource_record_unref(rr
);
124 ordered_hashmap_free(s
->conflict_queue
);
125 sd_event_source_unref(s
->conflict_event_source
);
127 dns_cache_flush(&s
->cache
);
128 dns_zone_flush(&s
->zone
);
130 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
134 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
137 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
141 return link_get_dns_server(s
->link
);
143 return manager_get_dns_server(s
->manager
);
146 void dns_scope_next_dns_server(DnsScope
*s
) {
149 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
153 link_next_dns_server(s
->link
);
155 manager_next_dns_server(s
->manager
);
158 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
161 if (rtt
<= s
->max_rtt
)
165 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
168 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
171 if (s
->resend_timeout
<= usec
)
172 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
175 static int dns_scope_emit_one(DnsScope
*s
, int fd
, DnsPacket
*p
) {
176 union in_addr_union addr
;
183 assert(p
->protocol
== s
->protocol
);
187 ifindex
= s
->link
->ifindex
;
189 mtu
= manager_find_mtu(s
->manager
);
191 switch (s
->protocol
) {
193 case DNS_PROTOCOL_DNS
:
196 if (DNS_PACKET_QDCOUNT(p
) > 1)
199 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
202 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
205 r
= manager_write(s
->manager
, fd
, p
);
211 case DNS_PROTOCOL_LLMNR
:
214 if (DNS_PACKET_QDCOUNT(p
) > 1)
217 if (!ratelimit_test(&s
->ratelimit
))
222 if (family
== AF_INET
) {
223 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
224 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
225 } else if (family
== AF_INET6
) {
226 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
227 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
229 return -EAFNOSUPPORT
;
233 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, LLMNR_PORT
, NULL
, p
);
239 case DNS_PROTOCOL_MDNS
:
242 if (!ratelimit_test(&s
->ratelimit
))
247 if (family
== AF_INET
) {
248 addr
.in
= MDNS_MULTICAST_IPV4_ADDRESS
;
249 fd
= manager_mdns_ipv4_fd(s
->manager
);
250 } else if (family
== AF_INET6
) {
251 addr
.in6
= MDNS_MULTICAST_IPV6_ADDRESS
;
252 fd
= manager_mdns_ipv6_fd(s
->manager
);
254 return -EAFNOSUPPORT
;
258 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, MDNS_PORT
, NULL
, p
);
265 return -EAFNOSUPPORT
;
271 int dns_scope_emit_udp(DnsScope
*s
, int fd
, DnsPacket
*p
) {
276 assert(p
->protocol
== s
->protocol
);
277 assert((s
->protocol
== DNS_PROTOCOL_DNS
) == (fd
>= 0));
280 /* If there are multiple linked packets, set the TC bit in all but the last of them */
282 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
283 dns_packet_set_flags(p
, true, true);
286 r
= dns_scope_emit_one(s
, fd
, p
);
296 static int dns_scope_socket(
300 const union in_addr_union
*address
,
304 _cleanup_close_
int fd
= -1;
305 union sockaddr_union sa
= {};
307 static const int one
= 1;
313 assert(family
== AF_UNSPEC
);
316 ifindex
= dns_server_ifindex(server
);
318 sa
.sa
.sa_family
= server
->family
;
319 if (server
->family
== AF_INET
) {
320 sa
.in
.sin_port
= htobe16(port
);
321 sa
.in
.sin_addr
= server
->address
.in
;
322 salen
= sizeof(sa
.in
);
323 } else if (server
->family
== AF_INET6
) {
324 sa
.in6
.sin6_port
= htobe16(port
);
325 sa
.in6
.sin6_addr
= server
->address
.in6
;
326 sa
.in6
.sin6_scope_id
= ifindex
;
327 salen
= sizeof(sa
.in6
);
329 return -EAFNOSUPPORT
;
331 assert(family
!= AF_UNSPEC
);
334 sa
.sa
.sa_family
= family
;
335 ifindex
= s
->link
? s
->link
->ifindex
: 0;
337 if (family
== AF_INET
) {
338 sa
.in
.sin_port
= htobe16(port
);
339 sa
.in
.sin_addr
= address
->in
;
340 salen
= sizeof(sa
.in
);
341 } else if (family
== AF_INET6
) {
342 sa
.in6
.sin6_port
= htobe16(port
);
343 sa
.in6
.sin6_addr
= address
->in6
;
344 sa
.in6
.sin6_scope_id
= ifindex
;
345 salen
= sizeof(sa
.in6
);
347 return -EAFNOSUPPORT
;
350 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
354 if (type
== SOCK_STREAM
) {
355 r
= setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &one
, sizeof(one
));
361 be32_t ifindex_be
= htobe32(ifindex
);
363 if (sa
.sa
.sa_family
== AF_INET
) {
364 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
367 } else if (sa
.sa
.sa_family
== AF_INET6
) {
368 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
374 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
375 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
377 if (sa
.sa
.sa_family
== AF_INET
) {
378 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &one
, sizeof(one
));
381 } else if (sa
.sa
.sa_family
== AF_INET6
) {
382 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &one
, sizeof(one
));
388 r
= connect(fd
, &sa
.sa
, salen
);
389 if (r
< 0 && errno
!= EINPROGRESS
)
398 int dns_scope_socket_udp(DnsScope
*s
, DnsServer
*server
, uint16_t port
) {
399 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, server
, port
);
402 int dns_scope_socket_tcp(DnsScope
*s
, int family
, const union in_addr_union
*address
, DnsServer
*server
, uint16_t port
) {
403 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, server
, port
);
406 DnsScopeMatch
dns_scope_good_domain(DnsScope
*s
, int ifindex
, uint64_t flags
, const char *domain
) {
408 DnsServer
*dns_server
;
413 /* Checks if the specified domain is something to look up on
414 * this scope. Note that this accepts non-qualified hostnames,
415 * i.e. those without any search path prefixed yet. */
417 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
420 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
, 0) & flags
) == 0)
423 /* Never resolve any loopback hostname or IP address via DNS,
424 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
426 if (is_localhost(domain
) ||
427 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
428 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
431 /* Never respond to some of the domains listed in RFC6303 */
432 if (dns_name_endswith(domain
, "0.in-addr.arpa") > 0 ||
433 dns_name_equal(domain
, "255.255.255.255.in-addr.arpa") > 0 ||
434 dns_name_equal(domain
, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
437 /* Never respond to some of the domains listed in RFC6761 */
438 if (dns_name_endswith(domain
, "invalid") > 0)
441 /* Always honour search domains for routing queries. Note that
442 * we return DNS_SCOPE_YES here, rather than just
443 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
444 * considered anymore. */
445 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
))
446 if (dns_name_endswith(domain
, d
->name
) > 0)
447 return DNS_SCOPE_YES
;
449 /* If the DNS server has route-only domains, don't send other requests
450 * to it. This would be a privacy violation, will most probably fail
451 * anyway, and adds unnecessary load. */
452 dns_server
= dns_scope_get_dns_server(s
);
453 if (dns_server
&& dns_server_limited_domains(dns_server
))
456 switch (s
->protocol
) {
458 case DNS_PROTOCOL_DNS
:
460 /* Exclude link-local IP ranges */
461 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
462 dns_name_endswith(domain
, "8.e.f.ip6.arpa") == 0 &&
463 dns_name_endswith(domain
, "9.e.f.ip6.arpa") == 0 &&
464 dns_name_endswith(domain
, "a.e.f.ip6.arpa") == 0 &&
465 dns_name_endswith(domain
, "b.e.f.ip6.arpa") == 0 &&
466 /* If networks use .local in their private setups, they are supposed to also add .local to their search
467 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
468 * send such queries ordinary DNS servers. */
469 dns_name_endswith(domain
, "local") == 0)
470 return DNS_SCOPE_MAYBE
;
474 case DNS_PROTOCOL_MDNS
:
475 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
476 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
477 (dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
478 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
479 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
480 return DNS_SCOPE_MAYBE
;
484 case DNS_PROTOCOL_LLMNR
:
485 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
486 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
487 (dns_name_is_single_label(domain
) && /* only resolve single label names via LLMNR */
488 !is_gateway_hostname(domain
) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
489 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
490 return DNS_SCOPE_MAYBE
;
495 assert_not_reached("Unknown scope protocol");
499 bool dns_scope_good_key(DnsScope
*s
, const DnsResourceKey
*key
) {
505 /* Check if it makes sense to resolve the specified key on
506 * this scope. Note that this call assumes as fully qualified
507 * name, i.e. the search suffixes already appended. */
509 if (key
->class != DNS_CLASS_IN
)
512 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
514 /* On classic DNS, looking up non-address RRs is always
515 * fine. (Specifically, we want to permit looking up
516 * DNSKEY and DS records on the root and top-level
518 if (!dns_resource_key_is_address(key
))
521 /* However, we refuse to look up A and AAAA RRs on the
522 * root and single-label domains, under the assumption
523 * that those should be resolved via LLMNR or search
524 * path only, and should not be leaked onto the
526 return !(dns_name_is_single_label(dns_resource_key_name(key
)) ||
527 dns_name_is_root(dns_resource_key_name(key
)));
530 /* On mDNS and LLMNR, send A and AAAA queries only on the
531 * respective scopes */
533 key_family
= dns_type_to_af(key
->type
);
537 return key_family
== s
->family
;
540 static int dns_scope_multicast_membership(DnsScope
*s
, bool b
, struct in_addr in
, struct in6_addr in6
) {
546 if (s
->family
== AF_INET
) {
547 struct ip_mreqn mreqn
= {
549 .imr_ifindex
= s
->link
->ifindex
,
552 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
556 /* Always first try to drop membership before we add
557 * one. This is necessary on some devices, such as
560 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
562 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
565 } else if (s
->family
== AF_INET6
) {
566 struct ipv6_mreq mreq
= {
567 .ipv6mr_multiaddr
= in6
,
568 .ipv6mr_interface
= s
->link
->ifindex
,
571 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
576 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
578 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
581 return -EAFNOSUPPORT
;
586 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
589 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
592 return dns_scope_multicast_membership(s
, b
, LLMNR_MULTICAST_IPV4_ADDRESS
, LLMNR_MULTICAST_IPV6_ADDRESS
);
595 int dns_scope_mdns_membership(DnsScope
*s
, bool b
) {
598 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
601 return dns_scope_multicast_membership(s
, b
, MDNS_MULTICAST_IPV4_ADDRESS
, MDNS_MULTICAST_IPV6_ADDRESS
);
604 static int dns_scope_make_reply_packet(
614 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
620 if (dns_question_isempty(q
) &&
621 dns_answer_isempty(answer
) &&
622 dns_answer_isempty(soa
))
625 r
= dns_packet_new(&p
, s
->protocol
, 0);
629 DNS_PACKET_HEADER(p
)->id
= id
;
630 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
641 r
= dns_packet_append_question(p
, q
);
644 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(dns_question_size(q
));
646 r
= dns_packet_append_answer(p
, answer
);
649 DNS_PACKET_HEADER(p
)->ancount
= htobe16(dns_answer_size(answer
));
651 r
= dns_packet_append_answer(p
, soa
);
654 DNS_PACKET_HEADER(p
)->arcount
= htobe16(dns_answer_size(soa
));
662 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
663 DnsResourceRecord
*rr
;
669 DNS_QUESTION_FOREACH(key
, p
->question
)
670 dns_zone_verify_conflicts(&s
->zone
, key
);
672 DNS_ANSWER_FOREACH(rr
, p
->answer
)
673 dns_zone_verify_conflicts(&s
->zone
, rr
->key
);
676 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
677 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
678 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
679 DnsResourceKey
*key
= NULL
;
680 bool tentative
= false;
686 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
689 if (p
->ipproto
== IPPROTO_UDP
) {
690 /* Don't accept UDP queries directed to anything but
691 * the LLMNR multicast addresses. See RFC 4795,
694 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
697 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
701 r
= dns_packet_extract(p
);
703 log_debug_errno(r
, "Failed to extract resource records from incoming packet: %m");
707 if (DNS_PACKET_LLMNR_C(p
)) {
708 /* Somebody notified us about a possible conflict */
709 dns_scope_verify_conflicts(s
, p
);
713 assert(dns_question_size(p
->question
) == 1);
714 key
= p
->question
->keys
[0];
716 r
= dns_zone_lookup(&s
->zone
, key
, 0, &answer
, &soa
, &tentative
);
718 log_debug_errno(r
, "Failed to lookup key: %m");
725 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
727 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
729 log_debug_errno(r
, "Failed to build reply packet: %m");
734 r
= dns_stream_write_packet(stream
, reply
);
736 log_debug_errno(r
, "Failed to enqueue reply packet: %m");
740 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
741 * will be dangling until the stream is disconnected, and the default completion handler of the stream
742 * will then unref the stream and destroy it */
743 if (DNS_STREAM_QUEUED(stream
))
744 dns_stream_ref(stream
);
748 if (!ratelimit_test(&s
->ratelimit
))
751 if (p
->family
== AF_INET
)
752 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
753 else if (p
->family
== AF_INET6
)
754 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
756 log_debug("Unknown protocol");
760 log_debug_errno(fd
, "Failed to get reply socket: %m");
764 /* Note that we always immediately reply to all LLMNR
765 * requests, and do not wait any time, since we
766 * verified uniqueness for all records. Also see RFC
767 * 4795, Section 2.7 */
769 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, NULL
, reply
);
771 log_debug_errno(r
, "Failed to send reply packet: %m");
777 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsResourceKey
*key
, bool cache_ok
) {
783 /* Try to find an ongoing transaction that is a equal to the
784 * specified question */
785 t
= hashmap_get(scope
->transactions_by_key
, key
);
789 /* Refuse reusing transactions that completed based on cached
790 * data instead of a real packet, if that's requested. */
792 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_RCODE_FAILURE
) &&
793 t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
799 static int dns_scope_make_conflict_packet(
801 DnsResourceRecord
*rr
,
804 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
811 r
= dns_packet_new(&p
, s
->protocol
, 0);
815 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
826 /* For mDNS, the transaction ID should always be 0 */
827 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
828 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
830 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
831 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
833 r
= dns_packet_append_key(p
, rr
->key
, NULL
);
837 r
= dns_packet_append_rr(p
, rr
, NULL
, NULL
);
847 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
848 DnsScope
*scope
= userdata
;
854 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
857 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
858 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
860 rr
= ordered_hashmap_steal_first(scope
->conflict_queue
);
864 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
866 log_error_errno(r
, "Failed to make conflict packet: %m");
870 r
= dns_scope_emit_udp(scope
, -1, p
);
872 log_debug_errno(r
, "Failed to send conflict packet: %m");
878 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
885 /* We don't send these queries immediately. Instead, we queue
886 * them, and send them after some jitter delay. */
887 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
893 /* We only place one RR per key in the conflict
894 * messages, not all of them. That should be enough to
895 * indicate where there might be a conflict */
896 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
897 if (r
== -EEXIST
|| r
== 0)
900 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
902 dns_resource_record_ref(rr
);
904 if (scope
->conflict_event_source
)
907 random_bytes(&jitter
, sizeof(jitter
));
908 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
910 r
= sd_event_add_time(scope
->manager
->event
,
911 &scope
->conflict_event_source
,
912 clock_boottime_or_monotonic(),
913 now(clock_boottime_or_monotonic()) + jitter
,
914 LLMNR_JITTER_INTERVAL_USEC
,
915 on_conflict_dispatch
, scope
);
917 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
919 (void) sd_event_source_set_description(scope
->conflict_event_source
, "scope-conflict");
924 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
931 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
934 if (DNS_PACKET_RRCOUNT(p
) <= 0)
937 if (DNS_PACKET_LLMNR_C(p
) != 0)
940 if (DNS_PACKET_LLMNR_T(p
) != 0)
943 if (manager_our_packet(scope
->manager
, p
))
946 r
= dns_packet_extract(p
);
948 log_debug_errno(r
, "Failed to extract packet: %m");
952 log_debug("Checking for conflicts...");
954 for (i
= 0; i
< p
->answer
->n_rrs
; i
++) {
956 /* Check for conflicts against the local zone. If we
957 * found one, we won't check any further */
958 r
= dns_zone_check_conflicts(&scope
->zone
, p
->answer
->items
[i
].rr
);
962 /* Check for conflicts against the local cache. If so,
963 * send out an advisory query, to inform everybody */
964 r
= dns_cache_check_conflicts(&scope
->cache
, p
->answer
->items
[i
].rr
, p
->family
, &p
->sender
);
968 dns_scope_notify_conflict(scope
, p
->answer
->items
[i
].rr
);
972 void dns_scope_dump(DnsScope
*s
, FILE *f
) {
978 fputs("[Scope protocol=", f
);
979 fputs(dns_protocol_to_string(s
->protocol
), f
);
982 fputs(" interface=", f
);
983 fputs(s
->link
->name
, f
);
986 if (s
->family
!= AF_UNSPEC
) {
987 fputs(" family=", f
);
988 fputs(af_to_name(s
->family
), f
);
993 if (!dns_zone_is_empty(&s
->zone
)) {
995 dns_zone_dump(&s
->zone
, f
);
998 if (!dns_cache_is_empty(&s
->cache
)) {
999 fputs("CACHE:\n", f
);
1000 dns_cache_dump(&s
->cache
, f
);
1004 DnsSearchDomain
*dns_scope_get_search_domains(DnsScope
*s
) {
1007 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1011 return s
->link
->search_domains
;
1013 return s
->manager
->search_domains
;
1016 bool dns_scope_name_needs_search_domain(DnsScope
*s
, const char *name
) {
1019 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1022 return dns_name_is_single_label(name
);
1025 bool dns_scope_network_good(DnsScope
*s
) {
1026 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1027 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1028 * DNS scope we check whether there are any links that are up and have an address. */
1033 return manager_routable(s
->manager
, AF_UNSPEC
);
1036 int dns_scope_ifindex(DnsScope
*s
) {
1040 return s
->link
->ifindex
;