1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <netinet/tcp.h>
25 #include "alloc-util.h"
26 #include "dns-domain.h"
28 #include "hostname-util.h"
30 #include "random-util.h"
31 #include "resolved-dns-scope.h"
32 #include "resolved-llmnr.h"
33 #include "resolved-mdns.h"
34 #include "socket-util.h"
37 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
38 #define MULTICAST_RATELIMIT_BURST 1000
40 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
41 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
42 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
44 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
50 s
= new0(DnsScope
, 1);
56 s
->protocol
= protocol
;
58 s
->resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
;
60 s
->dnssec_mode
= _DNSSEC_MODE_INVALID
;
62 if (protocol
== DNS_PROTOCOL_DNS
) {
63 /* Copy DNSSEC mode from the link if it is set there,
64 * otherwise take the manager's DNSSEC mode. Note that
65 * we copy this only at scope creation time, and do
66 * not update it from the on, even if the setting
70 s
->dnssec_mode
= link_get_dnssec_mode(l
);
72 s
->dnssec_mode
= manager_get_dnssec_mode(m
);
75 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
77 dns_scope_llmnr_membership(s
, true);
78 dns_scope_mdns_membership(s
, true);
80 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
82 /* Enforce ratelimiting for the multicast protocols */
83 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
89 static void dns_scope_abort_transactions(DnsScope
*s
) {
92 while (s
->transactions
) {
93 DnsTransaction
*t
= s
->transactions
;
95 /* Abort the transaction, but make sure it is not
96 * freed while we still look at it */
99 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
100 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
103 dns_transaction_free(t
);
107 DnsScope
* dns_scope_free(DnsScope
*s
) {
108 DnsResourceRecord
*rr
;
113 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
115 dns_scope_llmnr_membership(s
, false);
116 dns_scope_mdns_membership(s
, false);
117 dns_scope_abort_transactions(s
);
119 while (s
->query_candidates
)
120 dns_query_candidate_free(s
->query_candidates
);
122 hashmap_free(s
->transactions_by_key
);
124 while ((rr
= ordered_hashmap_steal_first(s
->conflict_queue
)))
125 dns_resource_record_unref(rr
);
127 ordered_hashmap_free(s
->conflict_queue
);
128 sd_event_source_unref(s
->conflict_event_source
);
130 dns_cache_flush(&s
->cache
);
131 dns_zone_flush(&s
->zone
);
133 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
139 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
142 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
146 return link_get_dns_server(s
->link
);
148 return manager_get_dns_server(s
->manager
);
151 void dns_scope_next_dns_server(DnsScope
*s
) {
154 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
158 link_next_dns_server(s
->link
);
160 manager_next_dns_server(s
->manager
);
163 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
166 if (rtt
<= s
->max_rtt
)
170 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
173 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
176 if (s
->resend_timeout
<= usec
)
177 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
180 static int dns_scope_emit_one(DnsScope
*s
, int fd
, DnsPacket
*p
) {
181 union in_addr_union addr
;
188 assert(p
->protocol
== s
->protocol
);
192 ifindex
= s
->link
->ifindex
;
194 mtu
= manager_find_mtu(s
->manager
);
196 switch (s
->protocol
) {
198 case DNS_PROTOCOL_DNS
:
201 if (DNS_PACKET_QDCOUNT(p
) > 1)
204 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
207 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
210 r
= manager_write(s
->manager
, fd
, p
);
216 case DNS_PROTOCOL_LLMNR
:
219 if (DNS_PACKET_QDCOUNT(p
) > 1)
222 if (!ratelimit_test(&s
->ratelimit
))
227 if (family
== AF_INET
) {
228 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
229 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
230 } else if (family
== AF_INET6
) {
231 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
232 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
234 return -EAFNOSUPPORT
;
238 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, LLMNR_PORT
, p
);
244 case DNS_PROTOCOL_MDNS
:
247 if (!ratelimit_test(&s
->ratelimit
))
252 if (family
== AF_INET
) {
253 addr
.in
= MDNS_MULTICAST_IPV4_ADDRESS
;
254 fd
= manager_mdns_ipv4_fd(s
->manager
);
255 } else if (family
== AF_INET6
) {
256 addr
.in6
= MDNS_MULTICAST_IPV6_ADDRESS
;
257 fd
= manager_mdns_ipv6_fd(s
->manager
);
259 return -EAFNOSUPPORT
;
263 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, MDNS_PORT
, p
);
270 return -EAFNOSUPPORT
;
276 int dns_scope_emit_udp(DnsScope
*s
, int fd
, DnsPacket
*p
) {
281 assert(p
->protocol
== s
->protocol
);
282 assert((s
->protocol
== DNS_PROTOCOL_DNS
) == (fd
>= 0));
285 /* If there are multiple linked packets, set the TC bit in all but the last of them */
287 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
288 dns_packet_set_flags(p
, true, true);
291 r
= dns_scope_emit_one(s
, fd
, p
);
301 static int dns_scope_socket(
305 const union in_addr_union
*address
,
309 _cleanup_close_
int fd
= -1;
310 union sockaddr_union sa
= {};
312 static const int one
= 1;
318 assert(family
== AF_UNSPEC
);
321 sa
.sa
.sa_family
= server
->family
;
322 if (server
->family
== AF_INET
) {
323 sa
.in
.sin_port
= htobe16(port
);
324 sa
.in
.sin_addr
= server
->address
.in
;
325 salen
= sizeof(sa
.in
);
326 } else if (server
->family
== AF_INET6
) {
327 sa
.in6
.sin6_port
= htobe16(port
);
328 sa
.in6
.sin6_addr
= server
->address
.in6
;
329 sa
.in6
.sin6_scope_id
= s
->link
? s
->link
->ifindex
: 0;
330 salen
= sizeof(sa
.in6
);
332 return -EAFNOSUPPORT
;
334 assert(family
!= AF_UNSPEC
);
337 sa
.sa
.sa_family
= family
;
339 if (family
== AF_INET
) {
340 sa
.in
.sin_port
= htobe16(port
);
341 sa
.in
.sin_addr
= address
->in
;
342 salen
= sizeof(sa
.in
);
343 } else if (family
== AF_INET6
) {
344 sa
.in6
.sin6_port
= htobe16(port
);
345 sa
.in6
.sin6_addr
= address
->in6
;
346 sa
.in6
.sin6_scope_id
= s
->link
? s
->link
->ifindex
: 0;
347 salen
= sizeof(sa
.in6
);
349 return -EAFNOSUPPORT
;
352 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
356 if (type
== SOCK_STREAM
) {
357 r
= setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &one
, sizeof(one
));
363 uint32_t ifindex
= htobe32(s
->link
->ifindex
);
365 if (sa
.sa
.sa_family
== AF_INET
) {
366 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
369 } else if (sa
.sa
.sa_family
== AF_INET6
) {
370 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
376 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
377 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
379 if (sa
.sa
.sa_family
== AF_INET
) {
380 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &one
, sizeof(one
));
383 } else if (sa
.sa
.sa_family
== AF_INET6
) {
384 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &one
, sizeof(one
));
390 r
= connect(fd
, &sa
.sa
, salen
);
391 if (r
< 0 && errno
!= EINPROGRESS
)
400 int dns_scope_socket_udp(DnsScope
*s
, DnsServer
*server
, uint16_t port
) {
401 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, server
, port
);
404 int dns_scope_socket_tcp(DnsScope
*s
, int family
, const union in_addr_union
*address
, DnsServer
*server
, uint16_t port
) {
405 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, server
, port
);
408 DnsScopeMatch
dns_scope_good_domain(DnsScope
*s
, int ifindex
, uint64_t flags
, const char *domain
) {
414 /* Checks if the specified domain is something to look up on
415 * this scope. Note that this accepts non-qualified hostnames,
416 * i.e. those without any search path prefixed yet. */
418 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
421 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
, 0) & flags
) == 0)
424 /* Never resolve any loopback hostname or IP address via DNS,
425 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
427 if (is_localhost(domain
) ||
428 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
429 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
432 /* Never respond to some of the domains listed in RFC6303 */
433 if (dns_name_endswith(domain
, "0.in-addr.arpa") > 0 ||
434 dns_name_equal(domain
, "255.255.255.255.in-addr.arpa") > 0 ||
435 dns_name_equal(domain
, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
438 /* Never respond to some of the domains listed in RFC6761 */
439 if (dns_name_endswith(domain
, "invalid") > 0)
442 /* Always honour search domains for routing queries. Note that
443 * we return DNS_SCOPE_YES here, rather than just
444 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
445 * considered anymore. */
446 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
))
447 if (dns_name_endswith(domain
, d
->name
) > 0)
448 return DNS_SCOPE_YES
;
450 switch (s
->protocol
) {
452 case DNS_PROTOCOL_DNS
:
454 /* Exclude link-local IP ranges */
455 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
456 dns_name_endswith(domain
, "8.e.f.ip6.arpa") == 0 &&
457 dns_name_endswith(domain
, "9.e.f.ip6.arpa") == 0 &&
458 dns_name_endswith(domain
, "a.e.f.ip6.arpa") == 0 &&
459 dns_name_endswith(domain
, "b.e.f.ip6.arpa") == 0 &&
460 /* If networks use .local in their private setups, they are supposed to also add .local to their search
461 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
462 * send such queries ordinary DNS servers. */
463 dns_name_endswith(domain
, "local") == 0)
464 return DNS_SCOPE_MAYBE
;
468 case DNS_PROTOCOL_MDNS
:
469 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
470 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
471 (dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
472 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
473 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
474 return DNS_SCOPE_MAYBE
;
478 case DNS_PROTOCOL_LLMNR
:
479 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
480 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
481 (dns_name_is_single_label(domain
) && /* only resolve single label names via LLMNR */
482 !is_gateway_hostname(domain
) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
483 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
484 return DNS_SCOPE_MAYBE
;
489 assert_not_reached("Unknown scope protocol");
493 bool dns_scope_good_key(DnsScope
*s
, const DnsResourceKey
*key
) {
499 /* Check if it makes sense to resolve the specified key on
500 * this scope. Note that this call assumes as fully qualified
501 * name, i.e. the search suffixes already appended. */
503 if (key
->class != DNS_CLASS_IN
)
506 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
508 /* On classic DNS, looking up non-address RRs is always
509 * fine. (Specifically, we want to permit looking up
510 * DNSKEY and DS records on the root and top-level
512 if (!dns_resource_key_is_address(key
))
515 /* However, we refuse to look up A and AAAA RRs on the
516 * root and single-label domains, under the assumption
517 * that those should be resolved via LLMNR or search
518 * path only, and should not be leaked onto the
520 return !(dns_name_is_single_label(DNS_RESOURCE_KEY_NAME(key
)) ||
521 dns_name_is_root(DNS_RESOURCE_KEY_NAME(key
)));
524 /* On mDNS and LLMNR, send A and AAAA queries only on the
525 * respective scopes */
527 key_family
= dns_type_to_af(key
->type
);
531 return key_family
== s
->family
;
534 static int dns_scope_multicast_membership(DnsScope
*s
, bool b
, struct in_addr in
, struct in6_addr in6
) {
540 if (s
->family
== AF_INET
) {
541 struct ip_mreqn mreqn
= {
543 .imr_ifindex
= s
->link
->ifindex
,
546 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
550 /* Always first try to drop membership before we add
551 * one. This is necessary on some devices, such as
554 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
556 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
559 } else if (s
->family
== AF_INET6
) {
560 struct ipv6_mreq mreq
= {
561 .ipv6mr_multiaddr
= in6
,
562 .ipv6mr_interface
= s
->link
->ifindex
,
565 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
570 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
572 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
575 return -EAFNOSUPPORT
;
580 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
582 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
585 return dns_scope_multicast_membership(s
, b
, LLMNR_MULTICAST_IPV4_ADDRESS
, LLMNR_MULTICAST_IPV6_ADDRESS
);
588 int dns_scope_mdns_membership(DnsScope
*s
, bool b
) {
590 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
593 return dns_scope_multicast_membership(s
, b
, MDNS_MULTICAST_IPV4_ADDRESS
, MDNS_MULTICAST_IPV6_ADDRESS
);
596 static int dns_scope_make_reply_packet(
606 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
613 if ((!q
|| q
->n_keys
<= 0)
614 && (!answer
|| answer
->n_rrs
<= 0)
615 && (!soa
|| soa
->n_rrs
<= 0))
618 r
= dns_packet_new(&p
, s
->protocol
, 0);
622 DNS_PACKET_HEADER(p
)->id
= id
;
623 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
635 for (i
= 0; i
< q
->n_keys
; i
++) {
636 r
= dns_packet_append_key(p
, q
->keys
[i
], NULL
);
641 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(q
->n_keys
);
645 for (i
= 0; i
< answer
->n_rrs
; i
++) {
646 r
= dns_packet_append_rr(p
, answer
->items
[i
].rr
, NULL
, NULL
);
651 DNS_PACKET_HEADER(p
)->ancount
= htobe16(answer
->n_rrs
);
655 for (i
= 0; i
< soa
->n_rrs
; i
++) {
656 r
= dns_packet_append_rr(p
, soa
->items
[i
].rr
, NULL
, NULL
);
661 DNS_PACKET_HEADER(p
)->arcount
= htobe16(soa
->n_rrs
);
670 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
677 for (n
= 0; n
< p
->question
->n_keys
; n
++)
678 dns_zone_verify_conflicts(&s
->zone
, p
->question
->keys
[n
]);
680 for (n
= 0; n
< p
->answer
->n_rrs
; n
++)
681 dns_zone_verify_conflicts(&s
->zone
, p
->answer
->items
[n
].rr
->key
);
684 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
685 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
686 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
687 DnsResourceKey
*key
= NULL
;
688 bool tentative
= false;
694 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
697 if (p
->ipproto
== IPPROTO_UDP
) {
698 /* Don't accept UDP queries directed to anything but
699 * the LLMNR multicast addresses. See RFC 4795,
702 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
705 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
709 r
= dns_packet_extract(p
);
711 log_debug_errno(r
, "Failed to extract resources from incoming packet: %m");
715 if (DNS_PACKET_LLMNR_C(p
)) {
716 /* Somebody notified us about a possible conflict */
717 dns_scope_verify_conflicts(s
, p
);
721 assert(p
->question
->n_keys
== 1);
722 key
= p
->question
->keys
[0];
724 r
= dns_zone_lookup(&s
->zone
, key
, &answer
, &soa
, &tentative
);
726 log_debug_errno(r
, "Failed to lookup key: %m");
733 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
735 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
737 log_debug_errno(r
, "Failed to build reply packet: %m");
742 r
= dns_stream_write_packet(stream
, reply
);
744 if (!ratelimit_test(&s
->ratelimit
))
747 if (p
->family
== AF_INET
)
748 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
749 else if (p
->family
== AF_INET6
)
750 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
752 log_debug("Unknown protocol");
756 log_debug_errno(fd
, "Failed to get reply socket: %m");
760 /* Note that we always immediately reply to all LLMNR
761 * requests, and do not wait any time, since we
762 * verified uniqueness for all records. Also see RFC
763 * 4795, Section 2.7 */
765 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, reply
);
769 log_debug_errno(r
, "Failed to send reply packet: %m");
774 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsResourceKey
*key
, bool cache_ok
) {
780 /* Try to find an ongoing transaction that is a equal to the
781 * specified question */
782 t
= hashmap_get(scope
->transactions_by_key
, key
);
786 /* Refuse reusing transactions that completed based on cached
787 * data instead of a real packet, if that's requested. */
789 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_RCODE_FAILURE
) &&
790 t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
796 static int dns_scope_make_conflict_packet(
798 DnsResourceRecord
*rr
,
801 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
808 r
= dns_packet_new(&p
, s
->protocol
, 0);
812 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
823 /* For mDNS, the transaction ID should always be 0 */
824 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
825 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
827 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
828 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
830 r
= dns_packet_append_key(p
, rr
->key
, NULL
);
834 r
= dns_packet_append_rr(p
, rr
, NULL
, NULL
);
844 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
845 DnsScope
*scope
= userdata
;
851 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
854 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
855 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
857 rr
= ordered_hashmap_steal_first(scope
->conflict_queue
);
861 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
863 log_error_errno(r
, "Failed to make conflict packet: %m");
867 r
= dns_scope_emit_udp(scope
, -1, p
);
869 log_debug_errno(r
, "Failed to send conflict packet: %m");
875 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
882 /* We don't send these queries immediately. Instead, we queue
883 * them, and send them after some jitter delay. */
884 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
890 /* We only place one RR per key in the conflict
891 * messages, not all of them. That should be enough to
892 * indicate where there might be a conflict */
893 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
894 if (r
== -EEXIST
|| r
== 0)
897 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
899 dns_resource_record_ref(rr
);
901 if (scope
->conflict_event_source
)
904 random_bytes(&jitter
, sizeof(jitter
));
905 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
907 r
= sd_event_add_time(scope
->manager
->event
,
908 &scope
->conflict_event_source
,
909 clock_boottime_or_monotonic(),
910 now(clock_boottime_or_monotonic()) + jitter
,
911 LLMNR_JITTER_INTERVAL_USEC
,
912 on_conflict_dispatch
, scope
);
914 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
916 (void) sd_event_source_set_description(scope
->conflict_event_source
, "scope-conflict");
921 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
928 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
931 if (DNS_PACKET_RRCOUNT(p
) <= 0)
934 if (DNS_PACKET_LLMNR_C(p
) != 0)
937 if (DNS_PACKET_LLMNR_T(p
) != 0)
940 if (manager_our_packet(scope
->manager
, p
))
943 r
= dns_packet_extract(p
);
945 log_debug_errno(r
, "Failed to extract packet: %m");
949 log_debug("Checking for conflicts...");
951 for (i
= 0; i
< p
->answer
->n_rrs
; i
++) {
953 /* Check for conflicts against the local zone. If we
954 * found one, we won't check any further */
955 r
= dns_zone_check_conflicts(&scope
->zone
, p
->answer
->items
[i
].rr
);
959 /* Check for conflicts against the local cache. If so,
960 * send out an advisory query, to inform everybody */
961 r
= dns_cache_check_conflicts(&scope
->cache
, p
->answer
->items
[i
].rr
, p
->family
, &p
->sender
);
965 dns_scope_notify_conflict(scope
, p
->answer
->items
[i
].rr
);
969 void dns_scope_dump(DnsScope
*s
, FILE *f
) {
975 fputs("[Scope protocol=", f
);
976 fputs(dns_protocol_to_string(s
->protocol
), f
);
979 fputs(" interface=", f
);
980 fputs(s
->link
->name
, f
);
983 if (s
->family
!= AF_UNSPEC
) {
984 fputs(" family=", f
);
985 fputs(af_to_name(s
->family
), f
);
990 if (!dns_zone_is_empty(&s
->zone
)) {
992 dns_zone_dump(&s
->zone
, f
);
995 if (!dns_cache_is_empty(&s
->cache
)) {
996 fputs("CACHE:\n", f
);
997 dns_cache_dump(&s
->cache
, f
);
1001 DnsSearchDomain
*dns_scope_get_search_domains(DnsScope
*s
) {
1004 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1008 return s
->link
->search_domains
;
1010 return s
->manager
->search_domains
;
1013 bool dns_scope_name_needs_search_domain(DnsScope
*s
, const char *name
) {
1016 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1019 return dns_name_is_single_label(name
);
1022 bool dns_scope_network_good(DnsScope
*s
) {
1023 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1024 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1025 * DNS scope we check whether there are any links that are up and have an address. */
1030 return manager_routable(s
->manager
, AF_UNSPEC
);