]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-scope.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
resolved: rework what ResolveHostname() with family == AF_UNSPEC means
[thirdparty/systemd.git] / src / resolve / resolved-dns-scope.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2014 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <netinet/tcp.h>
23
24 #include "af-list.h"
25 #include "alloc-util.h"
26 #include "dns-domain.h"
27 #include "fd-util.h"
28 #include "hostname-util.h"
29 #include "missing.h"
30 #include "random-util.h"
31 #include "resolved-dns-scope.h"
32 #include "resolved-llmnr.h"
33 #include "resolved-mdns.h"
34 #include "socket-util.h"
35 #include "strv.h"
36
37 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
38 #define MULTICAST_RATELIMIT_BURST 1000
39
40 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
41 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
42 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
43
44 int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
45 DnsScope *s;
46
47 assert(m);
48 assert(ret);
49
50 s = new0(DnsScope, 1);
51 if (!s)
52 return -ENOMEM;
53
54 s->manager = m;
55 s->link = l;
56 s->protocol = protocol;
57 s->family = family;
58 s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
59
60 s->dnssec_mode = _DNSSEC_MODE_INVALID;
61
62 if (protocol == DNS_PROTOCOL_DNS) {
63 /* Copy DNSSEC mode from the link if it is set there,
64 * otherwise take the manager's DNSSEC mode. Note that
65 * we copy this only at scope creation time, and do
66 * not update it from the on, even if the setting
67 * changes. */
68
69 if (l)
70 s->dnssec_mode = link_get_dnssec_mode(l);
71 else
72 s->dnssec_mode = manager_get_dnssec_mode(m);
73 }
74
75 LIST_PREPEND(scopes, m->dns_scopes, s);
76
77 dns_scope_llmnr_membership(s, true);
78 dns_scope_mdns_membership(s, true);
79
80 log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
81
82 /* Enforce ratelimiting for the multicast protocols */
83 RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
84
85 *ret = s;
86 return 0;
87 }
88
89 static void dns_scope_abort_transactions(DnsScope *s) {
90 assert(s);
91
92 while (s->transactions) {
93 DnsTransaction *t = s->transactions;
94
95 /* Abort the transaction, but make sure it is not
96 * freed while we still look at it */
97
98 t->block_gc++;
99 if (DNS_TRANSACTION_IS_LIVE(t->state))
100 dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
101 t->block_gc--;
102
103 dns_transaction_free(t);
104 }
105 }
106
107 DnsScope* dns_scope_free(DnsScope *s) {
108 DnsResourceRecord *rr;
109
110 if (!s)
111 return NULL;
112
113 log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
114
115 dns_scope_llmnr_membership(s, false);
116 dns_scope_mdns_membership(s, false);
117 dns_scope_abort_transactions(s);
118
119 while (s->query_candidates)
120 dns_query_candidate_free(s->query_candidates);
121
122 hashmap_free(s->transactions_by_key);
123
124 while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
125 dns_resource_record_unref(rr);
126
127 ordered_hashmap_free(s->conflict_queue);
128 sd_event_source_unref(s->conflict_event_source);
129
130 dns_cache_flush(&s->cache);
131 dns_zone_flush(&s->zone);
132
133 LIST_REMOVE(scopes, s->manager->dns_scopes, s);
134 free(s);
135
136 return NULL;
137 }
138
139 DnsServer *dns_scope_get_dns_server(DnsScope *s) {
140 assert(s);
141
142 if (s->protocol != DNS_PROTOCOL_DNS)
143 return NULL;
144
145 if (s->link)
146 return link_get_dns_server(s->link);
147 else
148 return manager_get_dns_server(s->manager);
149 }
150
151 void dns_scope_next_dns_server(DnsScope *s) {
152 assert(s);
153
154 if (s->protocol != DNS_PROTOCOL_DNS)
155 return;
156
157 if (s->link)
158 link_next_dns_server(s->link);
159 else
160 manager_next_dns_server(s->manager);
161 }
162
163 void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
164 assert(s);
165
166 if (rtt <= s->max_rtt)
167 return;
168
169 s->max_rtt = rtt;
170 s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
171 }
172
173 void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
174 assert(s);
175
176 if (s->resend_timeout <= usec)
177 s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
178 }
179
180 static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) {
181 union in_addr_union addr;
182 int ifindex = 0, r;
183 int family;
184 uint32_t mtu;
185
186 assert(s);
187 assert(p);
188 assert(p->protocol == s->protocol);
189
190 if (s->link) {
191 mtu = s->link->mtu;
192 ifindex = s->link->ifindex;
193 } else
194 mtu = manager_find_mtu(s->manager);
195
196 switch (s->protocol) {
197
198 case DNS_PROTOCOL_DNS:
199 assert(fd >= 0);
200
201 if (DNS_PACKET_QDCOUNT(p) > 1)
202 return -EOPNOTSUPP;
203
204 if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
205 return -EMSGSIZE;
206
207 if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
208 return -EMSGSIZE;
209
210 r = manager_write(s->manager, fd, p);
211 if (r < 0)
212 return r;
213
214 break;
215
216 case DNS_PROTOCOL_LLMNR:
217 assert(fd < 0);
218
219 if (DNS_PACKET_QDCOUNT(p) > 1)
220 return -EOPNOTSUPP;
221
222 if (!ratelimit_test(&s->ratelimit))
223 return -EBUSY;
224
225 family = s->family;
226
227 if (family == AF_INET) {
228 addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
229 fd = manager_llmnr_ipv4_udp_fd(s->manager);
230 } else if (family == AF_INET6) {
231 addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
232 fd = manager_llmnr_ipv6_udp_fd(s->manager);
233 } else
234 return -EAFNOSUPPORT;
235 if (fd < 0)
236 return fd;
237
238 r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p);
239 if (r < 0)
240 return r;
241
242 break;
243
244 case DNS_PROTOCOL_MDNS:
245 assert(fd < 0);
246
247 if (!ratelimit_test(&s->ratelimit))
248 return -EBUSY;
249
250 family = s->family;
251
252 if (family == AF_INET) {
253 addr.in = MDNS_MULTICAST_IPV4_ADDRESS;
254 fd = manager_mdns_ipv4_fd(s->manager);
255 } else if (family == AF_INET6) {
256 addr.in6 = MDNS_MULTICAST_IPV6_ADDRESS;
257 fd = manager_mdns_ipv6_fd(s->manager);
258 } else
259 return -EAFNOSUPPORT;
260 if (fd < 0)
261 return fd;
262
263 r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p);
264 if (r < 0)
265 return r;
266
267 break;
268
269 default:
270 return -EAFNOSUPPORT;
271 }
272
273 return 1;
274 }
275
276 int dns_scope_emit_udp(DnsScope *s, int fd, DnsPacket *p) {
277 int r;
278
279 assert(s);
280 assert(p);
281 assert(p->protocol == s->protocol);
282 assert((s->protocol == DNS_PROTOCOL_DNS) == (fd >= 0));
283
284 do {
285 /* If there are multiple linked packets, set the TC bit in all but the last of them */
286 if (p->more) {
287 assert(p->protocol == DNS_PROTOCOL_MDNS);
288 dns_packet_set_flags(p, true, true);
289 }
290
291 r = dns_scope_emit_one(s, fd, p);
292 if (r < 0)
293 return r;
294
295 p = p->more;
296 } while (p);
297
298 return 0;
299 }
300
301 static int dns_scope_socket(
302 DnsScope *s,
303 int type,
304 int family,
305 const union in_addr_union *address,
306 DnsServer *server,
307 uint16_t port) {
308
309 _cleanup_close_ int fd = -1;
310 union sockaddr_union sa = {};
311 socklen_t salen;
312 static const int one = 1;
313 int ret, r;
314
315 assert(s);
316
317 if (server) {
318 assert(family == AF_UNSPEC);
319 assert(!address);
320
321 sa.sa.sa_family = server->family;
322 if (server->family == AF_INET) {
323 sa.in.sin_port = htobe16(port);
324 sa.in.sin_addr = server->address.in;
325 salen = sizeof(sa.in);
326 } else if (server->family == AF_INET6) {
327 sa.in6.sin6_port = htobe16(port);
328 sa.in6.sin6_addr = server->address.in6;
329 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
330 salen = sizeof(sa.in6);
331 } else
332 return -EAFNOSUPPORT;
333 } else {
334 assert(family != AF_UNSPEC);
335 assert(address);
336
337 sa.sa.sa_family = family;
338
339 if (family == AF_INET) {
340 sa.in.sin_port = htobe16(port);
341 sa.in.sin_addr = address->in;
342 salen = sizeof(sa.in);
343 } else if (family == AF_INET6) {
344 sa.in6.sin6_port = htobe16(port);
345 sa.in6.sin6_addr = address->in6;
346 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
347 salen = sizeof(sa.in6);
348 } else
349 return -EAFNOSUPPORT;
350 }
351
352 fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
353 if (fd < 0)
354 return -errno;
355
356 if (type == SOCK_STREAM) {
357 r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
358 if (r < 0)
359 return -errno;
360 }
361
362 if (s->link) {
363 uint32_t ifindex = htobe32(s->link->ifindex);
364
365 if (sa.sa.sa_family == AF_INET) {
366 r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
367 if (r < 0)
368 return -errno;
369 } else if (sa.sa.sa_family == AF_INET6) {
370 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
371 if (r < 0)
372 return -errno;
373 }
374 }
375
376 if (s->protocol == DNS_PROTOCOL_LLMNR) {
377 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
378
379 if (sa.sa.sa_family == AF_INET) {
380 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
381 if (r < 0)
382 return -errno;
383 } else if (sa.sa.sa_family == AF_INET6) {
384 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
385 if (r < 0)
386 return -errno;
387 }
388 }
389
390 r = connect(fd, &sa.sa, salen);
391 if (r < 0 && errno != EINPROGRESS)
392 return -errno;
393
394 ret = fd;
395 fd = -1;
396
397 return ret;
398 }
399
400 int dns_scope_socket_udp(DnsScope *s, DnsServer *server, uint16_t port) {
401 return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, server, port);
402 }
403
404 int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port) {
405 return dns_scope_socket(s, SOCK_STREAM, family, address, server, port);
406 }
407
408 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
409 DnsSearchDomain *d;
410
411 assert(s);
412 assert(domain);
413
414 /* Checks if the specified domain is something to look up on
415 * this scope. Note that this accepts non-qualified hostnames,
416 * i.e. those without any search path prefixed yet. */
417
418 if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
419 return DNS_SCOPE_NO;
420
421 if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
422 return DNS_SCOPE_NO;
423
424 /* Never resolve any loopback hostname or IP address via DNS,
425 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
426 * these. */
427 if (is_localhost(domain) ||
428 dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
429 dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
430 return DNS_SCOPE_NO;
431
432 /* Never respond to some of the domains listed in RFC6303 */
433 if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
434 dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
435 dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
436 return DNS_SCOPE_NO;
437
438 /* Never respond to some of the domains listed in RFC6761 */
439 if (dns_name_endswith(domain, "invalid") > 0)
440 return DNS_SCOPE_NO;
441
442 /* Always honour search domains for routing queries. Note that
443 * we return DNS_SCOPE_YES here, rather than just
444 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
445 * considered anymore. */
446 LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
447 if (dns_name_endswith(domain, d->name) > 0)
448 return DNS_SCOPE_YES;
449
450 switch (s->protocol) {
451
452 case DNS_PROTOCOL_DNS:
453
454 /* Exclude link-local IP ranges */
455 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
456 dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
457 dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
458 dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
459 dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 &&
460 /* If networks use .local in their private setups, they are supposed to also add .local to their search
461 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
462 * send such queries ordinary DNS servers. */
463 dns_name_endswith(domain, "local") == 0)
464 return DNS_SCOPE_MAYBE;
465
466 return DNS_SCOPE_NO;
467
468 case DNS_PROTOCOL_MDNS:
469 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
470 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
471 (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
472 dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
473 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
474 return DNS_SCOPE_MAYBE;
475
476 return DNS_SCOPE_NO;
477
478 case DNS_PROTOCOL_LLMNR:
479 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
480 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
481 (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
482 !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
483 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
484 return DNS_SCOPE_MAYBE;
485
486 return DNS_SCOPE_NO;
487
488 default:
489 assert_not_reached("Unknown scope protocol");
490 }
491 }
492
493 bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key) {
494 int key_family;
495
496 assert(s);
497 assert(key);
498
499 /* Check if it makes sense to resolve the specified key on
500 * this scope. Note that this call assumes as fully qualified
501 * name, i.e. the search suffixes already appended. */
502
503 if (key->class != DNS_CLASS_IN)
504 return false;
505
506 if (s->protocol == DNS_PROTOCOL_DNS) {
507
508 /* On classic DNS, looking up non-address RRs is always
509 * fine. (Specifically, we want to permit looking up
510 * DNSKEY and DS records on the root and top-level
511 * domains.) */
512 if (!dns_resource_key_is_address(key))
513 return true;
514
515 /* However, we refuse to look up A and AAAA RRs on the
516 * root and single-label domains, under the assumption
517 * that those should be resolved via LLMNR or search
518 * path only, and should not be leaked onto the
519 * internet. */
520 return !(dns_name_is_single_label(DNS_RESOURCE_KEY_NAME(key)) ||
521 dns_name_is_root(DNS_RESOURCE_KEY_NAME(key)));
522 }
523
524 /* On mDNS and LLMNR, send A and AAAA queries only on the
525 * respective scopes */
526
527 key_family = dns_type_to_af(key->type);
528 if (key_family < 0)
529 return true;
530
531 return key_family == s->family;
532 }
533
534 static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {
535 int fd;
536
537 assert(s);
538 assert(s->link);
539
540 if (s->family == AF_INET) {
541 struct ip_mreqn mreqn = {
542 .imr_multiaddr = in,
543 .imr_ifindex = s->link->ifindex,
544 };
545
546 fd = manager_llmnr_ipv4_udp_fd(s->manager);
547 if (fd < 0)
548 return fd;
549
550 /* Always first try to drop membership before we add
551 * one. This is necessary on some devices, such as
552 * veth. */
553 if (b)
554 (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
555
556 if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
557 return -errno;
558
559 } else if (s->family == AF_INET6) {
560 struct ipv6_mreq mreq = {
561 .ipv6mr_multiaddr = in6,
562 .ipv6mr_interface = s->link->ifindex,
563 };
564
565 fd = manager_llmnr_ipv6_udp_fd(s->manager);
566 if (fd < 0)
567 return fd;
568
569 if (b)
570 (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
571
572 if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
573 return -errno;
574 } else
575 return -EAFNOSUPPORT;
576
577 return 0;
578 }
579
580 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
581
582 if (s->protocol != DNS_PROTOCOL_LLMNR)
583 return 0;
584
585 return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS);
586 }
587
588 int dns_scope_mdns_membership(DnsScope *s, bool b) {
589
590 if (s->protocol != DNS_PROTOCOL_MDNS)
591 return 0;
592
593 return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS);
594 }
595
596 static int dns_scope_make_reply_packet(
597 DnsScope *s,
598 uint16_t id,
599 int rcode,
600 DnsQuestion *q,
601 DnsAnswer *answer,
602 DnsAnswer *soa,
603 bool tentative,
604 DnsPacket **ret) {
605
606 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
607 unsigned i;
608 int r;
609
610 assert(s);
611 assert(ret);
612
613 if ((!q || q->n_keys <= 0)
614 && (!answer || answer->n_rrs <= 0)
615 && (!soa || soa->n_rrs <= 0))
616 return -EINVAL;
617
618 r = dns_packet_new(&p, s->protocol, 0);
619 if (r < 0)
620 return r;
621
622 DNS_PACKET_HEADER(p)->id = id;
623 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
624 1 /* qr */,
625 0 /* opcode */,
626 0 /* c */,
627 0 /* tc */,
628 tentative,
629 0 /* (ra) */,
630 0 /* (ad) */,
631 0 /* (cd) */,
632 rcode));
633
634 if (q) {
635 for (i = 0; i < q->n_keys; i++) {
636 r = dns_packet_append_key(p, q->keys[i], NULL);
637 if (r < 0)
638 return r;
639 }
640
641 DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
642 }
643
644 if (answer) {
645 for (i = 0; i < answer->n_rrs; i++) {
646 r = dns_packet_append_rr(p, answer->items[i].rr, NULL, NULL);
647 if (r < 0)
648 return r;
649 }
650
651 DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
652 }
653
654 if (soa) {
655 for (i = 0; i < soa->n_rrs; i++) {
656 r = dns_packet_append_rr(p, soa->items[i].rr, NULL, NULL);
657 if (r < 0)
658 return r;
659 }
660
661 DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
662 }
663
664 *ret = p;
665 p = NULL;
666
667 return 0;
668 }
669
670 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
671 unsigned n;
672
673 assert(s);
674 assert(p);
675
676 if (p->question)
677 for (n = 0; n < p->question->n_keys; n++)
678 dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
679 if (p->answer)
680 for (n = 0; n < p->answer->n_rrs; n++)
681 dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key);
682 }
683
684 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
685 _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
686 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
687 DnsResourceKey *key = NULL;
688 bool tentative = false;
689 int r, fd;
690
691 assert(s);
692 assert(p);
693
694 if (p->protocol != DNS_PROTOCOL_LLMNR)
695 return;
696
697 if (p->ipproto == IPPROTO_UDP) {
698 /* Don't accept UDP queries directed to anything but
699 * the LLMNR multicast addresses. See RFC 4795,
700 * section 2.5. */
701
702 if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
703 return;
704
705 if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
706 return;
707 }
708
709 r = dns_packet_extract(p);
710 if (r < 0) {
711 log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
712 return;
713 }
714
715 if (DNS_PACKET_LLMNR_C(p)) {
716 /* Somebody notified us about a possible conflict */
717 dns_scope_verify_conflicts(s, p);
718 return;
719 }
720
721 assert(p->question->n_keys == 1);
722 key = p->question->keys[0];
723
724 r = dns_zone_lookup(&s->zone, key, &answer, &soa, &tentative);
725 if (r < 0) {
726 log_debug_errno(r, "Failed to lookup key: %m");
727 return;
728 }
729 if (r == 0)
730 return;
731
732 if (answer)
733 dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
734
735 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
736 if (r < 0) {
737 log_debug_errno(r, "Failed to build reply packet: %m");
738 return;
739 }
740
741 if (stream)
742 r = dns_stream_write_packet(stream, reply);
743 else {
744 if (!ratelimit_test(&s->ratelimit))
745 return;
746
747 if (p->family == AF_INET)
748 fd = manager_llmnr_ipv4_udp_fd(s->manager);
749 else if (p->family == AF_INET6)
750 fd = manager_llmnr_ipv6_udp_fd(s->manager);
751 else {
752 log_debug("Unknown protocol");
753 return;
754 }
755 if (fd < 0) {
756 log_debug_errno(fd, "Failed to get reply socket: %m");
757 return;
758 }
759
760 /* Note that we always immediately reply to all LLMNR
761 * requests, and do not wait any time, since we
762 * verified uniqueness for all records. Also see RFC
763 * 4795, Section 2.7 */
764
765 r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
766 }
767
768 if (r < 0) {
769 log_debug_errno(r, "Failed to send reply packet: %m");
770 return;
771 }
772 }
773
774 DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
775 DnsTransaction *t;
776
777 assert(scope);
778 assert(key);
779
780 /* Try to find an ongoing transaction that is a equal to the
781 * specified question */
782 t = hashmap_get(scope->transactions_by_key, key);
783 if (!t)
784 return NULL;
785
786 /* Refuse reusing transactions that completed based on cached
787 * data instead of a real packet, if that's requested. */
788 if (!cache_ok &&
789 IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_RCODE_FAILURE) &&
790 t->answer_source != DNS_TRANSACTION_NETWORK)
791 return NULL;
792
793 return t;
794 }
795
796 static int dns_scope_make_conflict_packet(
797 DnsScope *s,
798 DnsResourceRecord *rr,
799 DnsPacket **ret) {
800
801 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
802 int r;
803
804 assert(s);
805 assert(rr);
806 assert(ret);
807
808 r = dns_packet_new(&p, s->protocol, 0);
809 if (r < 0)
810 return r;
811
812 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
813 0 /* qr */,
814 0 /* opcode */,
815 1 /* conflict */,
816 0 /* tc */,
817 0 /* t */,
818 0 /* (ra) */,
819 0 /* (ad) */,
820 0 /* (cd) */,
821 0));
822
823 /* For mDNS, the transaction ID should always be 0 */
824 if (s->protocol != DNS_PROTOCOL_MDNS)
825 random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
826
827 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
828 DNS_PACKET_HEADER(p)->arcount = htobe16(1);
829
830 r = dns_packet_append_key(p, rr->key, NULL);
831 if (r < 0)
832 return r;
833
834 r = dns_packet_append_rr(p, rr, NULL, NULL);
835 if (r < 0)
836 return r;
837
838 *ret = p;
839 p = NULL;
840
841 return 0;
842 }
843
844 static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
845 DnsScope *scope = userdata;
846 int r;
847
848 assert(es);
849 assert(scope);
850
851 scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
852
853 for (;;) {
854 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
855 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
856
857 rr = ordered_hashmap_steal_first(scope->conflict_queue);
858 if (!rr)
859 break;
860
861 r = dns_scope_make_conflict_packet(scope, rr, &p);
862 if (r < 0) {
863 log_error_errno(r, "Failed to make conflict packet: %m");
864 return 0;
865 }
866
867 r = dns_scope_emit_udp(scope, -1, p);
868 if (r < 0)
869 log_debug_errno(r, "Failed to send conflict packet: %m");
870 }
871
872 return 0;
873 }
874
875 int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
876 usec_t jitter;
877 int r;
878
879 assert(scope);
880 assert(rr);
881
882 /* We don't send these queries immediately. Instead, we queue
883 * them, and send them after some jitter delay. */
884 r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
885 if (r < 0) {
886 log_oom();
887 return r;
888 }
889
890 /* We only place one RR per key in the conflict
891 * messages, not all of them. That should be enough to
892 * indicate where there might be a conflict */
893 r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
894 if (r == -EEXIST || r == 0)
895 return 0;
896 if (r < 0)
897 return log_debug_errno(r, "Failed to queue conflicting RR: %m");
898
899 dns_resource_record_ref(rr);
900
901 if (scope->conflict_event_source)
902 return 0;
903
904 random_bytes(&jitter, sizeof(jitter));
905 jitter %= LLMNR_JITTER_INTERVAL_USEC;
906
907 r = sd_event_add_time(scope->manager->event,
908 &scope->conflict_event_source,
909 clock_boottime_or_monotonic(),
910 now(clock_boottime_or_monotonic()) + jitter,
911 LLMNR_JITTER_INTERVAL_USEC,
912 on_conflict_dispatch, scope);
913 if (r < 0)
914 return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
915
916 (void) sd_event_source_set_description(scope->conflict_event_source, "scope-conflict");
917
918 return 0;
919 }
920
921 void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
922 unsigned i;
923 int r;
924
925 assert(scope);
926 assert(p);
927
928 if (p->protocol != DNS_PROTOCOL_LLMNR)
929 return;
930
931 if (DNS_PACKET_RRCOUNT(p) <= 0)
932 return;
933
934 if (DNS_PACKET_LLMNR_C(p) != 0)
935 return;
936
937 if (DNS_PACKET_LLMNR_T(p) != 0)
938 return;
939
940 if (manager_our_packet(scope->manager, p))
941 return;
942
943 r = dns_packet_extract(p);
944 if (r < 0) {
945 log_debug_errno(r, "Failed to extract packet: %m");
946 return;
947 }
948
949 log_debug("Checking for conflicts...");
950
951 for (i = 0; i < p->answer->n_rrs; i++) {
952
953 /* Check for conflicts against the local zone. If we
954 * found one, we won't check any further */
955 r = dns_zone_check_conflicts(&scope->zone, p->answer->items[i].rr);
956 if (r != 0)
957 continue;
958
959 /* Check for conflicts against the local cache. If so,
960 * send out an advisory query, to inform everybody */
961 r = dns_cache_check_conflicts(&scope->cache, p->answer->items[i].rr, p->family, &p->sender);
962 if (r <= 0)
963 continue;
964
965 dns_scope_notify_conflict(scope, p->answer->items[i].rr);
966 }
967 }
968
969 void dns_scope_dump(DnsScope *s, FILE *f) {
970 assert(s);
971
972 if (!f)
973 f = stdout;
974
975 fputs("[Scope protocol=", f);
976 fputs(dns_protocol_to_string(s->protocol), f);
977
978 if (s->link) {
979 fputs(" interface=", f);
980 fputs(s->link->name, f);
981 }
982
983 if (s->family != AF_UNSPEC) {
984 fputs(" family=", f);
985 fputs(af_to_name(s->family), f);
986 }
987
988 fputs("]\n", f);
989
990 if (!dns_zone_is_empty(&s->zone)) {
991 fputs("ZONE:\n", f);
992 dns_zone_dump(&s->zone, f);
993 }
994
995 if (!dns_cache_is_empty(&s->cache)) {
996 fputs("CACHE:\n", f);
997 dns_cache_dump(&s->cache, f);
998 }
999 }
1000
1001 DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
1002 assert(s);
1003
1004 if (s->protocol != DNS_PROTOCOL_DNS)
1005 return NULL;
1006
1007 if (s->link)
1008 return s->link->search_domains;
1009
1010 return s->manager->search_domains;
1011 }
1012
1013 bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
1014 assert(s);
1015
1016 if (s->protocol != DNS_PROTOCOL_DNS)
1017 return false;
1018
1019 return dns_name_is_single_label(name);
1020 }
1021
1022 bool dns_scope_network_good(DnsScope *s) {
1023 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1024 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1025 * DNS scope we check whether there are any links that are up and have an address. */
1026
1027 if (s->link)
1028 return true;
1029
1030 return manager_routable(s->manager, AF_UNSPEC);
1031 }
Unnamed repository; edit this file 'description' to name the repository.