1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #include "sd-messages.h"
5 #include "alloc-util.h"
6 #include "resolved-dns-server.h"
7 #include "resolved-dns-stub.h"
8 #include "resolved-resolv-conf.h"
10 #include "string-table.h"
11 #include "string-util.h"
13 /* The amount of time to wait before retrying with a full feature set */
14 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC (6 * USEC_PER_HOUR)
15 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC (5 * USEC_PER_MINUTE)
17 /* The number of times we will attempt a certain feature set before degrading */
18 #define DNS_SERVER_FEATURE_RETRY_ATTEMPTS 3
26 const union in_addr_union
*in_addr
,
32 assert((type
== DNS_SERVER_LINK
) == !!l
);
35 if (!IN_SET(family
, AF_INET
, AF_INET6
))
39 if (l
->n_dns_servers
>= LINK_DNS_SERVERS_MAX
)
42 if (m
->n_dns_servers
>= MANAGER_DNS_SERVERS_MAX
)
46 s
= new0(DnsServer
, 1);
54 s
->address
= *in_addr
;
57 dns_server_reset_features(s
);
63 LIST_APPEND(servers
, l
->dns_servers
, s
);
67 case DNS_SERVER_SYSTEM
:
68 LIST_APPEND(servers
, m
->dns_servers
, s
);
72 case DNS_SERVER_FALLBACK
:
73 LIST_APPEND(servers
, m
->fallback_dns_servers
, s
);
78 assert_not_reached("Unknown server type");
83 #if ENABLE_DNS_OVER_TLS
84 /* Do not verify cerificate */
85 gnutls_certificate_allocate_credentials(&s
->tls_cert_cred
);
88 /* A new DNS server that isn't fallback is added and the one
89 * we used so far was a fallback one? Then let's try to pick
91 if (type
!= DNS_SERVER_FALLBACK
&&
92 m
->current_dns_server
&&
93 m
->current_dns_server
->type
== DNS_SERVER_FALLBACK
)
94 manager_set_dns_server(m
, NULL
);
102 DnsServer
* dns_server_ref(DnsServer
*s
) {
106 assert(s
->n_ref
> 0);
112 DnsServer
* dns_server_unref(DnsServer
*s
) {
116 assert(s
->n_ref
> 0);
122 dns_stream_unref(s
->stream
);
124 #if ENABLE_DNS_OVER_TLS
125 if (s
->tls_cert_cred
)
126 gnutls_certificate_free_credentials(s
->tls_cert_cred
);
128 if (s
->tls_session_data
.data
)
129 gnutls_free(s
->tls_session_data
.data
);
132 free(s
->server_string
);
136 void dns_server_unlink(DnsServer
*s
) {
140 /* This removes the specified server from the linked list of
141 * servers, but any server might still stay around if it has
142 * refs, for example from an ongoing transaction. */
149 case DNS_SERVER_LINK
:
151 assert(s
->link
->n_dns_servers
> 0);
152 LIST_REMOVE(servers
, s
->link
->dns_servers
, s
);
153 s
->link
->n_dns_servers
--;
156 case DNS_SERVER_SYSTEM
:
157 assert(s
->manager
->n_dns_servers
> 0);
158 LIST_REMOVE(servers
, s
->manager
->dns_servers
, s
);
159 s
->manager
->n_dns_servers
--;
162 case DNS_SERVER_FALLBACK
:
163 assert(s
->manager
->n_dns_servers
> 0);
164 LIST_REMOVE(servers
, s
->manager
->fallback_dns_servers
, s
);
165 s
->manager
->n_dns_servers
--;
171 if (s
->link
&& s
->link
->current_dns_server
== s
)
172 link_set_dns_server(s
->link
, NULL
);
174 if (s
->manager
->current_dns_server
== s
)
175 manager_set_dns_server(s
->manager
, NULL
);
180 void dns_server_move_back_and_unmark(DnsServer
*s
) {
190 if (!s
->linked
|| !s
->servers_next
)
193 /* Move us to the end of the list, so that the order is
194 * strictly kept, if we are not at the end anyway. */
198 case DNS_SERVER_LINK
:
200 LIST_FIND_TAIL(servers
, s
, tail
);
201 LIST_REMOVE(servers
, s
->link
->dns_servers
, s
);
202 LIST_INSERT_AFTER(servers
, s
->link
->dns_servers
, tail
, s
);
205 case DNS_SERVER_SYSTEM
:
206 LIST_FIND_TAIL(servers
, s
, tail
);
207 LIST_REMOVE(servers
, s
->manager
->dns_servers
, s
);
208 LIST_INSERT_AFTER(servers
, s
->manager
->dns_servers
, tail
, s
);
211 case DNS_SERVER_FALLBACK
:
212 LIST_FIND_TAIL(servers
, s
, tail
);
213 LIST_REMOVE(servers
, s
->manager
->fallback_dns_servers
, s
);
214 LIST_INSERT_AFTER(servers
, s
->manager
->fallback_dns_servers
, tail
, s
);
218 assert_not_reached("Unknown server type");
222 static void dns_server_verified(DnsServer
*s
, DnsServerFeatureLevel level
) {
225 if (s
->verified_feature_level
> level
)
228 if (s
->verified_feature_level
!= level
) {
229 log_debug("Verified we get a response at feature level %s from DNS server %s.",
230 dns_server_feature_level_to_string(level
),
231 dns_server_string(s
));
232 s
->verified_feature_level
= level
;
235 assert_se(sd_event_now(s
->manager
->event
, clock_boottime_or_monotonic(), &s
->verified_usec
) >= 0);
238 static void dns_server_reset_counters(DnsServer
*s
) {
244 s
->packet_truncated
= false;
245 s
->verified_usec
= 0;
247 /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
248 * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
249 * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
250 * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
253 * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
254 * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
255 * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
259 void dns_server_packet_received(DnsServer
*s
, int protocol
, DnsServerFeatureLevel level
, size_t size
) {
262 if (protocol
== IPPROTO_UDP
) {
263 if (s
->possible_feature_level
== level
)
265 } else if (protocol
== IPPROTO_TCP
) {
266 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
)) {
267 if (s
->possible_feature_level
== level
)
270 if (s
->possible_feature_level
== level
)
273 /* Successful TCP connections are only useful to verify the TCP feature level. */
274 level
= DNS_SERVER_FEATURE_LEVEL_TCP
;
278 /* If the RRSIG data is missing, then we can only validate EDNS0 at max */
279 if (s
->packet_rrsig_missing
&& level
>= DNS_SERVER_FEATURE_LEVEL_DO
)
280 level
= DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
: DNS_SERVER_FEATURE_LEVEL_EDNS0
;
282 /* If the OPT RR got lost, then we can only validate UDP at max */
283 if (s
->packet_bad_opt
&& level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
)
284 level
= DNS_SERVER_FEATURE_LEVEL_EDNS0
- 1;
286 /* Even if we successfully receive a reply to a request announcing support for large packets,
287 that does not mean we can necessarily receive large packets. */
288 if (level
== DNS_SERVER_FEATURE_LEVEL_LARGE
)
289 level
= DNS_SERVER_FEATURE_LEVEL_LARGE
- 1;
291 dns_server_verified(s
, level
);
293 /* Remember the size of the largest UDP packet we received from a server,
294 we know that we can always announce support for packets with at least
296 if (protocol
== IPPROTO_UDP
&& s
->received_udp_packet_max
< size
)
297 s
->received_udp_packet_max
= size
;
300 void dns_server_packet_lost(DnsServer
*s
, int protocol
, DnsServerFeatureLevel level
) {
304 if (s
->possible_feature_level
== level
) {
305 if (protocol
== IPPROTO_UDP
)
307 else if (protocol
== IPPROTO_TCP
) {
308 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
))
316 void dns_server_packet_truncated(DnsServer
*s
, DnsServerFeatureLevel level
) {
319 /* Invoked whenever we get a packet with TC bit set. */
321 if (s
->possible_feature_level
!= level
)
324 s
->packet_truncated
= true;
327 void dns_server_packet_rrsig_missing(DnsServer
*s
, DnsServerFeatureLevel level
) {
330 if (level
< DNS_SERVER_FEATURE_LEVEL_DO
)
333 /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
334 if (s
->verified_feature_level
>= DNS_SERVER_FEATURE_LEVEL_DO
)
335 s
->verified_feature_level
= DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
: DNS_SERVER_FEATURE_LEVEL_EDNS0
;
337 s
->packet_rrsig_missing
= true;
340 void dns_server_packet_bad_opt(DnsServer
*s
, DnsServerFeatureLevel level
) {
343 if (level
< DNS_SERVER_FEATURE_LEVEL_EDNS0
)
346 /* If the OPT RR got lost, we have to downgrade what we previously verified */
347 if (s
->verified_feature_level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
)
348 s
->verified_feature_level
= DNS_SERVER_FEATURE_LEVEL_EDNS0
-1;
350 s
->packet_bad_opt
= true;
353 void dns_server_packet_rcode_downgrade(DnsServer
*s
, DnsServerFeatureLevel level
) {
356 /* Invoked whenever we got a FORMERR, SERVFAIL or NOTIMP rcode from a server and downgrading the feature level
357 * for the transaction made it go away. In this case we immediately downgrade to the feature level that made
360 if (s
->verified_feature_level
> level
)
361 s
->verified_feature_level
= level
;
363 if (s
->possible_feature_level
> level
) {
364 s
->possible_feature_level
= level
;
365 dns_server_reset_counters(s
);
368 log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", dns_server_string(s
));
371 static bool dns_server_grace_period_expired(DnsServer
*s
) {
377 if (s
->verified_usec
== 0)
380 assert_se(sd_event_now(s
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
382 if (s
->verified_usec
+ s
->features_grace_period_usec
> ts
)
385 s
->features_grace_period_usec
= MIN(s
->features_grace_period_usec
* 2, DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC
);
390 DnsServerFeatureLevel
dns_server_possible_feature_level(DnsServer
*s
) {
391 DnsServerFeatureLevel best
;
395 /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
396 * better than EDNS0, hence don't even try. */
397 if (dns_server_get_dnssec_mode(s
) != DNSSEC_NO
)
398 best
= dns_server_get_dns_over_tls_mode(s
) == DNS_OVER_TLS_NO
?
399 DNS_SERVER_FEATURE_LEVEL_LARGE
:
400 DNS_SERVER_FEATURE_LEVEL_TLS_DO
;
402 best
= dns_server_get_dns_over_tls_mode(s
) == DNS_OVER_TLS_NO
?
403 DNS_SERVER_FEATURE_LEVEL_EDNS0
:
404 DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
;
406 /* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last
407 * time, hence let's downgrade if we are still at a higher level. */
408 if (s
->possible_feature_level
> best
)
409 s
->possible_feature_level
= best
;
411 if (s
->possible_feature_level
< best
&& dns_server_grace_period_expired(s
)) {
413 s
->possible_feature_level
= best
;
415 dns_server_reset_counters(s
);
417 s
->packet_bad_opt
= false;
418 s
->packet_rrsig_missing
= false;
420 log_info("Grace period over, resuming full feature set (%s) for DNS server %s.",
421 dns_server_feature_level_to_string(s
->possible_feature_level
),
422 dns_server_string(s
));
424 dns_server_flush_cache(s
);
426 } else if (s
->possible_feature_level
<= s
->verified_feature_level
)
427 s
->possible_feature_level
= s
->verified_feature_level
;
429 DnsServerFeatureLevel p
= s
->possible_feature_level
;
431 if (s
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
432 s
->possible_feature_level
== DNS_SERVER_FEATURE_LEVEL_TCP
) {
434 /* We are at the TCP (lowest) level, and we tried a couple of TCP connections, and it didn't
435 * work. Upgrade back to UDP again. */
436 log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
437 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_UDP
;
438 } else if (s
->n_failed_tls
> 0 &&
439 DNS_SERVER_FEATURE_LEVEL_IS_TLS(s
->possible_feature_level
)) {
441 /* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP
442 * if we don't require DNS-over-TLS */
444 log_debug("Server doesn't support DNS-over-TLS, downgrading protocol...");
445 s
->possible_feature_level
--;
446 } else if (s
->packet_bad_opt
&&
447 s
->possible_feature_level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
) {
449 /* A reply to one of our EDNS0 queries didn't carry a valid OPT RR, then downgrade to below
450 * EDNS0 levels. After all, some records generate different responses with and without OPT RR
451 * in the request. Example:
452 * https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
454 log_debug("Server doesn't support EDNS(0) properly, downgrading feature level...");
455 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_UDP
;
457 } else if (s
->packet_rrsig_missing
&&
458 s
->possible_feature_level
>= DNS_SERVER_FEATURE_LEVEL_DO
) {
460 /* RRSIG data was missing on a EDNS0 packet with DO bit set. This means the server doesn't
461 * augment responses with DNSSEC RRs. If so, let's better not ask the server for it anymore,
462 * after all some servers generate different replies depending if an OPT RR is in the query or
465 log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
466 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_IS_TLS(s
->possible_feature_level
) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
: DNS_SERVER_FEATURE_LEVEL_EDNS0
;
468 } else if (s
->n_failed_udp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
469 s
->possible_feature_level
>= (dns_server_get_dnssec_mode(s
) == DNSSEC_YES
? DNS_SERVER_FEATURE_LEVEL_LARGE
: DNS_SERVER_FEATURE_LEVEL_UDP
)) {
471 /* We lost too many UDP packets in a row, and are on a feature level of UDP or higher. If the
472 * packets are lost, maybe the server cannot parse them, hence downgrading sounds like a good
473 * idea. We might downgrade all the way down to TCP this way.
475 * If strict DNSSEC mode is used we won't downgrade below DO level however, as packet loss
476 * might have many reasons, a broken DNSSEC implementation being only one reason. And if the
477 * user is strict on DNSSEC, then let's assume that DNSSEC is not the fault here. */
479 log_debug("Lost too many UDP packets, downgrading feature level...");
480 s
->possible_feature_level
--;
482 } else if (s
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
483 s
->packet_truncated
&&
484 s
->possible_feature_level
> (dns_server_get_dnssec_mode(s
) == DNSSEC_YES
? DNS_SERVER_FEATURE_LEVEL_LARGE
: DNS_SERVER_FEATURE_LEVEL_UDP
)) {
486 /* We got too many TCP connection failures in a row, we had at least one truncated packet, and
487 * are on a feature level above UDP. By downgrading things and getting rid of DNSSEC or EDNS0
488 * data we hope to make the packet smaller, so that it still works via UDP given that TCP
489 * appears not to be a fallback. Note that if we are already at the lowest UDP level, we don't
490 * go further down, since that's TCP, and TCP failed too often after all. */
492 log_debug("Got too many failed TCP connection failures and truncated UDP packets, downgrading feature level...");
493 s
->possible_feature_level
--;
496 if (p
!= s
->possible_feature_level
) {
498 /* We changed the feature level, reset the counting */
499 dns_server_reset_counters(s
);
501 log_warning("Using degraded feature set (%s) for DNS server %s.",
502 dns_server_feature_level_to_string(s
->possible_feature_level
),
503 dns_server_string(s
));
507 return s
->possible_feature_level
;
510 int dns_server_adjust_opt(DnsServer
*server
, DnsPacket
*packet
, DnsServerFeatureLevel level
) {
517 assert(packet
->protocol
== DNS_PROTOCOL_DNS
);
519 /* Fix the OPT field in the packet to match our current feature level. */
521 r
= dns_packet_truncate_opt(packet
);
525 if (level
< DNS_SERVER_FEATURE_LEVEL_EDNS0
)
528 edns_do
= level
>= DNS_SERVER_FEATURE_LEVEL_DO
;
530 if (level
>= DNS_SERVER_FEATURE_LEVEL_LARGE
)
531 packet_size
= DNS_PACKET_UNICAST_SIZE_LARGE_MAX
;
533 packet_size
= server
->received_udp_packet_max
;
535 return dns_packet_append_opt(packet
, packet_size
, edns_do
, 0, NULL
);
538 int dns_server_ifindex(const DnsServer
*s
) {
541 /* The link ifindex always takes precedence */
543 return s
->link
->ifindex
;
551 const char *dns_server_string(DnsServer
*server
) {
554 if (!server
->server_string
)
555 (void) in_addr_ifindex_to_string(server
->family
, &server
->address
, dns_server_ifindex(server
), &server
->server_string
);
557 return strna(server
->server_string
);
560 bool dns_server_dnssec_supported(DnsServer
*server
) {
563 /* Returns whether the server supports DNSSEC according to what we know about it */
565 if (server
->possible_feature_level
< DNS_SERVER_FEATURE_LEVEL_DO
)
568 if (server
->packet_bad_opt
)
571 if (server
->packet_rrsig_missing
)
574 /* DNSSEC servers need to support TCP properly (see RFC5966), if they don't, we assume DNSSEC is borked too */
575 if (server
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
)
581 void dns_server_warn_downgrade(DnsServer
*server
) {
584 if (server
->warned_downgrade
)
587 log_struct(LOG_NOTICE
,
588 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_DOWNGRADE_STR
,
589 LOG_MESSAGE("Server %s does not support DNSSEC, downgrading to non-DNSSEC mode.", dns_server_string(server
)),
590 "DNS_SERVER=%s", dns_server_string(server
),
591 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(server
->possible_feature_level
));
593 server
->warned_downgrade
= true;
596 bool dns_server_limited_domains(DnsServer
*server
) {
597 DnsSearchDomain
*domain
;
598 bool domain_restricted
= false;
600 /* Check if the server has route-only domains without ~., i. e. whether
601 * it should only be used for particular domains */
605 LIST_FOREACH(domains
, domain
, server
->link
->search_domains
)
606 if (domain
->route_only
) {
607 domain_restricted
= true;
608 /* ~. means "any domain", thus it is a global server */
609 if (dns_name_is_root(DNS_SEARCH_DOMAIN_NAME(domain
)))
613 return domain_restricted
;
616 static void dns_server_hash_func(const void *p
, struct siphash
*state
) {
617 const DnsServer
*s
= p
;
621 siphash24_compress(&s
->family
, sizeof(s
->family
), state
);
622 siphash24_compress(&s
->address
, FAMILY_ADDRESS_SIZE(s
->family
), state
);
623 siphash24_compress(&s
->ifindex
, sizeof(s
->ifindex
), state
);
626 static int dns_server_compare_func(const void *a
, const void *b
) {
627 const DnsServer
*x
= a
, *y
= b
;
630 if (x
->family
< y
->family
)
632 if (x
->family
> y
->family
)
635 r
= memcmp(&x
->address
, &y
->address
, FAMILY_ADDRESS_SIZE(x
->family
));
639 if (x
->ifindex
< y
->ifindex
)
641 if (x
->ifindex
> y
->ifindex
)
647 const struct hash_ops dns_server_hash_ops
= {
648 .hash
= dns_server_hash_func
,
649 .compare
= dns_server_compare_func
652 void dns_server_unlink_all(DnsServer
*first
) {
658 next
= first
->servers_next
;
659 dns_server_unlink(first
);
661 dns_server_unlink_all(next
);
664 void dns_server_unlink_marked(DnsServer
*first
) {
670 next
= first
->servers_next
;
673 dns_server_unlink(first
);
675 dns_server_unlink_marked(next
);
678 void dns_server_mark_all(DnsServer
*first
) {
682 first
->marked
= true;
683 dns_server_mark_all(first
->servers_next
);
686 DnsServer
*dns_server_find(DnsServer
*first
, int family
, const union in_addr_union
*in_addr
, int ifindex
) {
689 LIST_FOREACH(servers
, s
, first
)
690 if (s
->family
== family
&& in_addr_equal(family
, &s
->address
, in_addr
) > 0 && s
->ifindex
== ifindex
)
696 DnsServer
*manager_get_first_dns_server(Manager
*m
, DnsServerType t
) {
701 case DNS_SERVER_SYSTEM
:
702 return m
->dns_servers
;
704 case DNS_SERVER_FALLBACK
:
705 return m
->fallback_dns_servers
;
712 DnsServer
*manager_set_dns_server(Manager
*m
, DnsServer
*s
) {
715 if (m
->current_dns_server
== s
)
719 log_debug("Switching to %s DNS server %s.",
720 dns_server_type_to_string(s
->type
),
721 dns_server_string(s
));
723 dns_server_unref(m
->current_dns_server
);
724 m
->current_dns_server
= dns_server_ref(s
);
726 if (m
->unicast_scope
)
727 dns_cache_flush(&m
->unicast_scope
->cache
);
732 DnsServer
*manager_get_dns_server(Manager
*m
) {
736 /* Try to read updates resolv.conf */
737 manager_read_resolv_conf(m
);
739 /* If no DNS server was chosen so far, pick the first one */
740 if (!m
->current_dns_server
)
741 manager_set_dns_server(m
, m
->dns_servers
);
743 if (!m
->current_dns_server
) {
747 /* No DNS servers configured, let's see if there are
748 * any on any links. If not, we use the fallback
751 HASHMAP_FOREACH(l
, m
->links
, i
)
752 if (l
->dns_servers
) {
758 manager_set_dns_server(m
, m
->fallback_dns_servers
);
761 return m
->current_dns_server
;
764 void manager_next_dns_server(Manager
*m
) {
767 /* If there's currently no DNS server set, then the next
768 * manager_get_dns_server() will find one */
769 if (!m
->current_dns_server
)
772 /* Change to the next one, but make sure to follow the linked
773 * list only if the server is still linked. */
774 if (m
->current_dns_server
->linked
&& m
->current_dns_server
->servers_next
) {
775 manager_set_dns_server(m
, m
->current_dns_server
->servers_next
);
779 /* If there was no next one, then start from the beginning of
781 if (m
->current_dns_server
->type
== DNS_SERVER_FALLBACK
)
782 manager_set_dns_server(m
, m
->fallback_dns_servers
);
784 manager_set_dns_server(m
, m
->dns_servers
);
787 bool dns_server_address_valid(int family
, const union in_addr_union
*sa
) {
789 /* Refuses the 0 IP addresses as well as 127.0.0.53 (which is our own DNS stub) */
791 if (in_addr_is_null(family
, sa
))
794 if (family
== AF_INET
&& sa
->in
.s_addr
== htobe32(INADDR_DNS_STUB
))
800 DnssecMode
dns_server_get_dnssec_mode(DnsServer
*s
) {
804 return link_get_dnssec_mode(s
->link
);
806 return manager_get_dnssec_mode(s
->manager
);
809 DnsOverTlsMode
dns_server_get_dns_over_tls_mode(DnsServer
*s
) {
813 return link_get_dns_over_tls_mode(s
->link
);
815 return manager_get_dns_over_tls_mode(s
->manager
);
818 void dns_server_flush_cache(DnsServer
*s
) {
824 /* Flush the cache of the scope this server belongs to */
826 current
= s
->link
? s
->link
->current_dns_server
: s
->manager
->current_dns_server
;
830 scope
= s
->link
? s
->link
->unicast_scope
: s
->manager
->unicast_scope
;
834 dns_cache_flush(&scope
->cache
);
837 void dns_server_reset_features(DnsServer
*s
) {
840 s
->verified_feature_level
= _DNS_SERVER_FEATURE_LEVEL_INVALID
;
841 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_BEST
;
843 s
->received_udp_packet_max
= DNS_PACKET_UNICAST_SIZE_MAX
;
845 s
->packet_bad_opt
= false;
846 s
->packet_rrsig_missing
= false;
848 s
->features_grace_period_usec
= DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC
;
850 s
->warned_downgrade
= false;
852 dns_server_reset_counters(s
);
855 void dns_server_reset_features_all(DnsServer
*s
) {
858 LIST_FOREACH(servers
, i
, s
)
859 dns_server_reset_features(i
);
862 void dns_server_dump(DnsServer
*s
, FILE *f
) {
868 fputs("[Server ", f
);
869 fputs(dns_server_string(s
), f
);
871 fputs(dns_server_type_to_string(s
->type
), f
);
873 if (s
->type
== DNS_SERVER_LINK
) {
876 fputs(" interface=", f
);
877 fputs(s
->link
->name
, f
);
882 fputs("\tVerified feature level: ", f
);
883 fputs(strna(dns_server_feature_level_to_string(s
->verified_feature_level
)), f
);
886 fputs("\tPossible feature level: ", f
);
887 fputs(strna(dns_server_feature_level_to_string(s
->possible_feature_level
)), f
);
890 fputs("\tDNSSEC Mode: ", f
);
891 fputs(strna(dnssec_mode_to_string(dns_server_get_dnssec_mode(s
))), f
);
894 fputs("\tCan do DNSSEC: ", f
);
895 fputs(yes_no(dns_server_dnssec_supported(s
)), f
);
899 "\tMaximum UDP packet size received: %zu\n"
900 "\tFailed UDP attempts: %u\n"
901 "\tFailed TCP attempts: %u\n"
902 "\tSeen truncated packet: %s\n"
903 "\tSeen OPT RR getting lost: %s\n"
904 "\tSeen RRSIG RR missing: %s\n",
905 s
->received_udp_packet_max
,
908 yes_no(s
->packet_truncated
),
909 yes_no(s
->packet_bad_opt
),
910 yes_no(s
->packet_rrsig_missing
));
913 static const char* const dns_server_type_table
[_DNS_SERVER_TYPE_MAX
] = {
914 [DNS_SERVER_SYSTEM
] = "system",
915 [DNS_SERVER_FALLBACK
] = "fallback",
916 [DNS_SERVER_LINK
] = "link",
918 DEFINE_STRING_TABLE_LOOKUP(dns_server_type
, DnsServerType
);
920 static const char* const dns_server_feature_level_table
[_DNS_SERVER_FEATURE_LEVEL_MAX
] = {
921 [DNS_SERVER_FEATURE_LEVEL_TCP
] = "TCP",
922 [DNS_SERVER_FEATURE_LEVEL_UDP
] = "UDP",
923 [DNS_SERVER_FEATURE_LEVEL_EDNS0
] = "UDP+EDNS0",
924 [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
] = "TLS+EDNS0",
925 [DNS_SERVER_FEATURE_LEVEL_DO
] = "UDP+EDNS0+DO",
926 [DNS_SERVER_FEATURE_LEVEL_LARGE
] = "UDP+EDNS0+DO+LARGE",
927 [DNS_SERVER_FEATURE_LEVEL_TLS_DO
] = "TLS+EDNS0+D0",
929 DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level
, DnsServerFeatureLevel
);