From 613dca46d22ca7d47fcbd78bfb4bca7f6541ebaf Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 8 Dec 2017 17:21:42 +0100
Subject: [PATCH] resolved: tweak domain routing logic a bit
This makes sure that a classic DNS scope that has no DNS servers assigned is never considered for routing requests to even if it has matching search/routing domains associated. This is inspired by #7544, where lookup requests are refused since a scope with no DNS server is configured. This change does not deliver what the reporter intended, but is generally useful in general, as it makes us mor robust to misconfiguration.
---
 src/resolve/resolved-dns-scope.c | 37 +++++++++++++++++---------------
 1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index a9071ee73e3..0a121cdcdf1 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -403,7 +403,6 @@ int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *add
 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
 DnsSearchDomain *d;
- DnsServer *dns_server;
 assert(s);
 assert(domain);
@@ -436,24 +435,27 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
 if (dns_name_endswith(domain, "invalid") > 0)
 return DNS_SCOPE_NO;
- /* Always honour search domains for routing queries. Note that
- * we return DNS_SCOPE_YES here, rather than just
- * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
- * considered anymore. */
- LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
- if (dns_name_endswith(domain, d->name) > 0)
- return DNS_SCOPE_YES;
-
- /* If the DNS server has route-only domains, don't send other requests
- * to it. This would be a privacy violation, will most probably fail
- * anyway, and adds unnecessary load. */
- dns_server = dns_scope_get_dns_server(s);
- if (dns_server && dns_server_limited_domains(dns_server))
- return DNS_SCOPE_NO;
-
 switch (s->protocol) {
- case DNS_PROTOCOL_DNS:
+ case DNS_PROTOCOL_DNS: {
+ DnsServer *dns_server;
+
+ /* Never route things to scopes that lack DNS servers */
+ dns_server = dns_scope_get_dns_server(s);
+ if (!dns_server)
+ return DNS_SCOPE_NO;
+
+ /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
+ * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
+ * won't be considered anymore. */
+ LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
+ if (dns_name_endswith(domain, d->name) > 0)
+ return DNS_SCOPE_YES;
+
+ /* If the DNS server has route-only domains, don't send other requests to it. This would be a privacy
+ * violation, will most probably fail anyway, and adds unnecessary load. */
+ if (dns_server_limited_domains(dns_server))
+ return DNS_SCOPE_NO;
 /* Exclude link-local IP ranges */
 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
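Review bot: The new early return under `case DNS_PROTOCOL_DNS:` (`if (!dns_server) return DNS_SCOPE_NO;`) runs before the search-domain loop, so a scope whose routing domains match but which currently has no server no longer claims the query with DNS_SCOPE_YES. The caller is outside this hunk, but presumably another scope that answers DNS_SCOPE_MAYBE can then take lookups for those domains, turning a failed lookup into one sent to a different link's resolver; for split-DNS setups that is a privacy trade-off worth stating next to the check. I would extend the comment to something like `/* Never route things to scopes that lack DNS servers. Note that lookups in this scope's search/routing domains may then be handled by other scopes. */`. dns_scope_good_domain() starts and ends outside the hunk.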
@@ -468,6 +470,7 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
 return DNS_SCOPE_MAYBE;
 return DNS_SCOPE_NO;
+ }
 case DNS_PROTOCOL_MDNS:
 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
-- 
2.39.2