]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-scope.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add SPDX license identifiers to source files under the LGPL
[thirdparty/systemd.git] / src / resolve / resolved-dns-scope.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2014 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <netinet/tcp.h>
22
23 #include "af-list.h"
24 #include "alloc-util.h"
25 #include "dns-domain.h"
26 #include "fd-util.h"
27 #include "hostname-util.h"
28 #include "missing.h"
29 #include "random-util.h"
30 #include "resolved-dns-scope.h"
31 #include "resolved-llmnr.h"
32 #include "resolved-mdns.h"
33 #include "socket-util.h"
34 #include "strv.h"
35
36 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
37 #define MULTICAST_RATELIMIT_BURST 1000
38
39 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
40 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
41 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
42
43 int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
44 DnsScope *s;
45
46 assert(m);
47 assert(ret);
48
49 s = new0(DnsScope, 1);
50 if (!s)
51 return -ENOMEM;
52
53 s->manager = m;
54 s->link = l;
55 s->protocol = protocol;
56 s->family = family;
57 s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
58
59 if (protocol == DNS_PROTOCOL_DNS) {
60 /* Copy DNSSEC mode from the link if it is set there,
61 * otherwise take the manager's DNSSEC mode. Note that
62 * we copy this only at scope creation time, and do
63 * not update it from the on, even if the setting
64 * changes. */
65
66 if (l)
67 s->dnssec_mode = link_get_dnssec_mode(l);
68 else
69 s->dnssec_mode = manager_get_dnssec_mode(m);
70 } else
71 s->dnssec_mode = DNSSEC_NO;
72
73 LIST_PREPEND(scopes, m->dns_scopes, s);
74
75 dns_scope_llmnr_membership(s, true);
76 dns_scope_mdns_membership(s, true);
77
78 log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
79
80 /* Enforce ratelimiting for the multicast protocols */
81 RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
82
83 *ret = s;
84 return 0;
85 }
86
87 static void dns_scope_abort_transactions(DnsScope *s) {
88 assert(s);
89
90 while (s->transactions) {
91 DnsTransaction *t = s->transactions;
92
93 /* Abort the transaction, but make sure it is not
94 * freed while we still look at it */
95
96 t->block_gc++;
97 if (DNS_TRANSACTION_IS_LIVE(t->state))
98 dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
99 t->block_gc--;
100
101 dns_transaction_free(t);
102 }
103 }
104
105 DnsScope* dns_scope_free(DnsScope *s) {
106 DnsResourceRecord *rr;
107
108 if (!s)
109 return NULL;
110
111 log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
112
113 dns_scope_llmnr_membership(s, false);
114 dns_scope_mdns_membership(s, false);
115 dns_scope_abort_transactions(s);
116
117 while (s->query_candidates)
118 dns_query_candidate_free(s->query_candidates);
119
120 hashmap_free(s->transactions_by_key);
121
122 while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
123 dns_resource_record_unref(rr);
124
125 ordered_hashmap_free(s->conflict_queue);
126 sd_event_source_unref(s->conflict_event_source);
127
128 sd_event_source_unref(s->announce_event_source);
129
130 dns_cache_flush(&s->cache);
131 dns_zone_flush(&s->zone);
132
133 LIST_REMOVE(scopes, s->manager->dns_scopes, s);
134 return mfree(s);
135 }
136
137 DnsServer *dns_scope_get_dns_server(DnsScope *s) {
138 assert(s);
139
140 if (s->protocol != DNS_PROTOCOL_DNS)
141 return NULL;
142
143 if (s->link)
144 return link_get_dns_server(s->link);
145 else
146 return manager_get_dns_server(s->manager);
147 }
148
149 void dns_scope_next_dns_server(DnsScope *s) {
150 assert(s);
151
152 if (s->protocol != DNS_PROTOCOL_DNS)
153 return;
154
155 if (s->link)
156 link_next_dns_server(s->link);
157 else
158 manager_next_dns_server(s->manager);
159 }
160
161 void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
162 assert(s);
163
164 if (rtt <= s->max_rtt)
165 return;
166
167 s->max_rtt = rtt;
168 s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
169 }
170
171 void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
172 assert(s);
173
174 if (s->resend_timeout <= usec)
175 s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
176 }
177
178 static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) {
179 union in_addr_union addr;
180 int ifindex = 0, r;
181 int family;
182 uint32_t mtu;
183
184 assert(s);
185 assert(p);
186 assert(p->protocol == s->protocol);
187
188 if (s->link) {
189 mtu = s->link->mtu;
190 ifindex = s->link->ifindex;
191 } else
192 mtu = manager_find_mtu(s->manager);
193
194 switch (s->protocol) {
195
196 case DNS_PROTOCOL_DNS:
197 assert(fd >= 0);
198
199 if (DNS_PACKET_QDCOUNT(p) > 1)
200 return -EOPNOTSUPP;
201
202 if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
203 return -EMSGSIZE;
204
205 if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
206 return -EMSGSIZE;
207
208 r = manager_write(s->manager, fd, p);
209 if (r < 0)
210 return r;
211
212 break;
213
214 case DNS_PROTOCOL_LLMNR:
215 assert(fd < 0);
216
217 if (DNS_PACKET_QDCOUNT(p) > 1)
218 return -EOPNOTSUPP;
219
220 if (!ratelimit_test(&s->ratelimit))
221 return -EBUSY;
222
223 family = s->family;
224
225 if (family == AF_INET) {
226 addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
227 fd = manager_llmnr_ipv4_udp_fd(s->manager);
228 } else if (family == AF_INET6) {
229 addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
230 fd = manager_llmnr_ipv6_udp_fd(s->manager);
231 } else
232 return -EAFNOSUPPORT;
233 if (fd < 0)
234 return fd;
235
236 r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, NULL, p);
237 if (r < 0)
238 return r;
239
240 break;
241
242 case DNS_PROTOCOL_MDNS:
243 assert(fd < 0);
244
245 if (!ratelimit_test(&s->ratelimit))
246 return -EBUSY;
247
248 family = s->family;
249
250 if (family == AF_INET) {
251 addr.in = MDNS_MULTICAST_IPV4_ADDRESS;
252 fd = manager_mdns_ipv4_fd(s->manager);
253 } else if (family == AF_INET6) {
254 addr.in6 = MDNS_MULTICAST_IPV6_ADDRESS;
255 fd = manager_mdns_ipv6_fd(s->manager);
256 } else
257 return -EAFNOSUPPORT;
258 if (fd < 0)
259 return fd;
260
261 r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, NULL, p);
262 if (r < 0)
263 return r;
264
265 break;
266
267 default:
268 return -EAFNOSUPPORT;
269 }
270
271 return 1;
272 }
273
274 int dns_scope_emit_udp(DnsScope *s, int fd, DnsPacket *p) {
275 int r;
276
277 assert(s);
278 assert(p);
279 assert(p->protocol == s->protocol);
280 assert((s->protocol == DNS_PROTOCOL_DNS) == (fd >= 0));
281
282 do {
283 /* If there are multiple linked packets, set the TC bit in all but the last of them */
284 if (p->more) {
285 assert(p->protocol == DNS_PROTOCOL_MDNS);
286 dns_packet_set_flags(p, true, true);
287 }
288
289 r = dns_scope_emit_one(s, fd, p);
290 if (r < 0)
291 return r;
292
293 p = p->more;
294 } while (p);
295
296 return 0;
297 }
298
299 static int dns_scope_socket(
300 DnsScope *s,
301 int type,
302 int family,
303 const union in_addr_union *address,
304 DnsServer *server,
305 uint16_t port) {
306
307 _cleanup_close_ int fd = -1;
308 union sockaddr_union sa = {};
309 socklen_t salen;
310 static const int one = 1;
311 int ret, r, ifindex;
312
313 assert(s);
314
315 if (server) {
316 assert(family == AF_UNSPEC);
317 assert(!address);
318
319 ifindex = dns_server_ifindex(server);
320
321 sa.sa.sa_family = server->family;
322 if (server->family == AF_INET) {
323 sa.in.sin_port = htobe16(port);
324 sa.in.sin_addr = server->address.in;
325 salen = sizeof(sa.in);
326 } else if (server->family == AF_INET6) {
327 sa.in6.sin6_port = htobe16(port);
328 sa.in6.sin6_addr = server->address.in6;
329 sa.in6.sin6_scope_id = ifindex;
330 salen = sizeof(sa.in6);
331 } else
332 return -EAFNOSUPPORT;
333 } else {
334 assert(family != AF_UNSPEC);
335 assert(address);
336
337 sa.sa.sa_family = family;
338 ifindex = s->link ? s->link->ifindex : 0;
339
340 if (family == AF_INET) {
341 sa.in.sin_port = htobe16(port);
342 sa.in.sin_addr = address->in;
343 salen = sizeof(sa.in);
344 } else if (family == AF_INET6) {
345 sa.in6.sin6_port = htobe16(port);
346 sa.in6.sin6_addr = address->in6;
347 sa.in6.sin6_scope_id = ifindex;
348 salen = sizeof(sa.in6);
349 } else
350 return -EAFNOSUPPORT;
351 }
352
353 fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
354 if (fd < 0)
355 return -errno;
356
357 if (type == SOCK_STREAM) {
358 r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
359 if (r < 0)
360 return -errno;
361 }
362
363 if (s->link) {
364 be32_t ifindex_be = htobe32(ifindex);
365
366 if (sa.sa.sa_family == AF_INET) {
367 r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex_be, sizeof(ifindex_be));
368 if (r < 0)
369 return -errno;
370 } else if (sa.sa.sa_family == AF_INET6) {
371 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex_be, sizeof(ifindex_be));
372 if (r < 0)
373 return -errno;
374 }
375 }
376
377 if (s->protocol == DNS_PROTOCOL_LLMNR) {
378 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
379
380 if (sa.sa.sa_family == AF_INET) {
381 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
382 if (r < 0)
383 return -errno;
384 } else if (sa.sa.sa_family == AF_INET6) {
385 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
386 if (r < 0)
387 return -errno;
388 }
389 }
390
391 r = connect(fd, &sa.sa, salen);
392 if (r < 0 && errno != EINPROGRESS)
393 return -errno;
394
395 ret = fd;
396 fd = -1;
397
398 return ret;
399 }
400
401 int dns_scope_socket_udp(DnsScope *s, DnsServer *server, uint16_t port) {
402 return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, server, port);
403 }
404
405 int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port) {
406 return dns_scope_socket(s, SOCK_STREAM, family, address, server, port);
407 }
408
409 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
410 DnsSearchDomain *d;
411 DnsServer *dns_server;
412
413 assert(s);
414 assert(domain);
415
416 /* Checks if the specified domain is something to look up on
417 * this scope. Note that this accepts non-qualified hostnames,
418 * i.e. those without any search path prefixed yet. */
419
420 if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
421 return DNS_SCOPE_NO;
422
423 if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
424 return DNS_SCOPE_NO;
425
426 /* Never resolve any loopback hostname or IP address via DNS,
427 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
428 * these. */
429 if (is_localhost(domain) ||
430 dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
431 dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
432 return DNS_SCOPE_NO;
433
434 /* Never respond to some of the domains listed in RFC6303 */
435 if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
436 dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
437 dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
438 return DNS_SCOPE_NO;
439
440 /* Never respond to some of the domains listed in RFC6761 */
441 if (dns_name_endswith(domain, "invalid") > 0)
442 return DNS_SCOPE_NO;
443
444 /* Always honour search domains for routing queries. Note that
445 * we return DNS_SCOPE_YES here, rather than just
446 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
447 * considered anymore. */
448 LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
449 if (dns_name_endswith(domain, d->name) > 0)
450 return DNS_SCOPE_YES;
451
452 /* If the DNS server has route-only domains, don't send other requests
453 * to it. This would be a privacy violation, will most probably fail
454 * anyway, and adds unnecessary load. */
455 dns_server = dns_scope_get_dns_server(s);
456 if (dns_server && dns_server_limited_domains(dns_server))
457 return DNS_SCOPE_NO;
458
459 switch (s->protocol) {
460
461 case DNS_PROTOCOL_DNS:
462
463 /* Exclude link-local IP ranges */
464 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
465 dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
466 dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
467 dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
468 dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 &&
469 /* If networks use .local in their private setups, they are supposed to also add .local to their search
470 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
471 * send such queries ordinary DNS servers. */
472 dns_name_endswith(domain, "local") == 0)
473 return DNS_SCOPE_MAYBE;
474
475 return DNS_SCOPE_NO;
476
477 case DNS_PROTOCOL_MDNS:
478 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
479 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
480 (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
481 dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
482 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
483 return DNS_SCOPE_MAYBE;
484
485 return DNS_SCOPE_NO;
486
487 case DNS_PROTOCOL_LLMNR:
488 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
489 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
490 (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
491 !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
492 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
493 return DNS_SCOPE_MAYBE;
494
495 return DNS_SCOPE_NO;
496
497 default:
498 assert_not_reached("Unknown scope protocol");
499 }
500 }
501
502 bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key) {
503 int key_family;
504
505 assert(s);
506 assert(key);
507
508 /* Check if it makes sense to resolve the specified key on
509 * this scope. Note that this call assumes as fully qualified
510 * name, i.e. the search suffixes already appended. */
511
512 if (key->class != DNS_CLASS_IN)
513 return false;
514
515 if (s->protocol == DNS_PROTOCOL_DNS) {
516
517 /* On classic DNS, looking up non-address RRs is always
518 * fine. (Specifically, we want to permit looking up
519 * DNSKEY and DS records on the root and top-level
520 * domains.) */
521 if (!dns_resource_key_is_address(key))
522 return true;
523
524 /* However, we refuse to look up A and AAAA RRs on the
525 * root and single-label domains, under the assumption
526 * that those should be resolved via LLMNR or search
527 * path only, and should not be leaked onto the
528 * internet. */
529 return !(dns_name_is_single_label(dns_resource_key_name(key)) ||
530 dns_name_is_root(dns_resource_key_name(key)));
531 }
532
533 /* On mDNS and LLMNR, send A and AAAA queries only on the
534 * respective scopes */
535
536 key_family = dns_type_to_af(key->type);
537 if (key_family < 0)
538 return true;
539
540 return key_family == s->family;
541 }
542
543 static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {
544 int fd;
545
546 assert(s);
547 assert(s->link);
548
549 if (s->family == AF_INET) {
550 struct ip_mreqn mreqn = {
551 .imr_multiaddr = in,
552 .imr_ifindex = s->link->ifindex,
553 };
554
555 if (s->protocol == DNS_PROTOCOL_LLMNR)
556 fd = manager_llmnr_ipv4_udp_fd(s->manager);
557 else
558 fd = manager_mdns_ipv4_fd(s->manager);
559
560 if (fd < 0)
561 return fd;
562
563 /* Always first try to drop membership before we add
564 * one. This is necessary on some devices, such as
565 * veth. */
566 if (b)
567 (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
568
569 if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
570 return -errno;
571
572 } else if (s->family == AF_INET6) {
573 struct ipv6_mreq mreq = {
574 .ipv6mr_multiaddr = in6,
575 .ipv6mr_interface = s->link->ifindex,
576 };
577
578 if (s->protocol == DNS_PROTOCOL_LLMNR)
579 fd = manager_llmnr_ipv6_udp_fd(s->manager);
580 else
581 fd = manager_mdns_ipv6_fd(s->manager);
582
583 if (fd < 0)
584 return fd;
585
586 if (b)
587 (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
588
589 if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
590 return -errno;
591 } else
592 return -EAFNOSUPPORT;
593
594 return 0;
595 }
596
597 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
598 assert(s);
599
600 if (s->protocol != DNS_PROTOCOL_LLMNR)
601 return 0;
602
603 return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS);
604 }
605
606 int dns_scope_mdns_membership(DnsScope *s, bool b) {
607 assert(s);
608
609 if (s->protocol != DNS_PROTOCOL_MDNS)
610 return 0;
611
612 return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS);
613 }
614
615 int dns_scope_make_reply_packet(
616 DnsScope *s,
617 uint16_t id,
618 int rcode,
619 DnsQuestion *q,
620 DnsAnswer *answer,
621 DnsAnswer *soa,
622 bool tentative,
623 DnsPacket **ret) {
624
625 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
626 int r;
627
628 assert(s);
629 assert(ret);
630
631 if (dns_question_isempty(q) &&
632 dns_answer_isempty(answer) &&
633 dns_answer_isempty(soa))
634 return -EINVAL;
635
636 r = dns_packet_new(&p, s->protocol, 0, DNS_PACKET_SIZE_MAX);
637 if (r < 0)
638 return r;
639
640 DNS_PACKET_HEADER(p)->id = id;
641 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
642 1 /* qr */,
643 0 /* opcode */,
644 0 /* c */,
645 0 /* tc */,
646 tentative,
647 0 /* (ra) */,
648 0 /* (ad) */,
649 0 /* (cd) */,
650 rcode));
651
652 r = dns_packet_append_question(p, q);
653 if (r < 0)
654 return r;
655 DNS_PACKET_HEADER(p)->qdcount = htobe16(dns_question_size(q));
656
657 r = dns_packet_append_answer(p, answer);
658 if (r < 0)
659 return r;
660 DNS_PACKET_HEADER(p)->ancount = htobe16(dns_answer_size(answer));
661
662 r = dns_packet_append_answer(p, soa);
663 if (r < 0)
664 return r;
665 DNS_PACKET_HEADER(p)->arcount = htobe16(dns_answer_size(soa));
666
667 *ret = p;
668 p = NULL;
669
670 return 0;
671 }
672
673 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
674 DnsResourceRecord *rr;
675 DnsResourceKey *key;
676
677 assert(s);
678 assert(p);
679
680 DNS_QUESTION_FOREACH(key, p->question)
681 dns_zone_verify_conflicts(&s->zone, key);
682
683 DNS_ANSWER_FOREACH(rr, p->answer)
684 dns_zone_verify_conflicts(&s->zone, rr->key);
685 }
686
687 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
688 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
689 _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
690 DnsResourceKey *key = NULL;
691 bool tentative = false;
692 int r;
693
694 assert(s);
695 assert(p);
696
697 if (p->protocol != DNS_PROTOCOL_LLMNR)
698 return;
699
700 if (p->ipproto == IPPROTO_UDP) {
701 /* Don't accept UDP queries directed to anything but
702 * the LLMNR multicast addresses. See RFC 4795,
703 * section 2.5. */
704
705 if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
706 return;
707
708 if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
709 return;
710 }
711
712 r = dns_packet_extract(p);
713 if (r < 0) {
714 log_debug_errno(r, "Failed to extract resource records from incoming packet: %m");
715 return;
716 }
717
718 if (DNS_PACKET_LLMNR_C(p)) {
719 /* Somebody notified us about a possible conflict */
720 dns_scope_verify_conflicts(s, p);
721 return;
722 }
723
724 assert(dns_question_size(p->question) == 1);
725 key = p->question->keys[0];
726
727 r = dns_zone_lookup(&s->zone, key, 0, &answer, &soa, &tentative);
728 if (r < 0) {
729 log_debug_errno(r, "Failed to lookup key: %m");
730 return;
731 }
732 if (r == 0)
733 return;
734
735 if (answer)
736 dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
737
738 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
739 if (r < 0) {
740 log_debug_errno(r, "Failed to build reply packet: %m");
741 return;
742 }
743
744 if (stream) {
745 r = dns_stream_write_packet(stream, reply);
746 if (r < 0) {
747 log_debug_errno(r, "Failed to enqueue reply packet: %m");
748 return;
749 }
750
751 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
752 * will be dangling until the stream is disconnected, and the default completion handler of the stream
753 * will then unref the stream and destroy it */
754 if (DNS_STREAM_QUEUED(stream))
755 dns_stream_ref(stream);
756 } else {
757 int fd;
758
759 if (!ratelimit_test(&s->ratelimit))
760 return;
761
762 if (p->family == AF_INET)
763 fd = manager_llmnr_ipv4_udp_fd(s->manager);
764 else if (p->family == AF_INET6)
765 fd = manager_llmnr_ipv6_udp_fd(s->manager);
766 else {
767 log_debug("Unknown protocol");
768 return;
769 }
770 if (fd < 0) {
771 log_debug_errno(fd, "Failed to get reply socket: %m");
772 return;
773 }
774
775 /* Note that we always immediately reply to all LLMNR
776 * requests, and do not wait any time, since we
777 * verified uniqueness for all records. Also see RFC
778 * 4795, Section 2.7 */
779
780 r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, NULL, reply);
781 if (r < 0) {
782 log_debug_errno(r, "Failed to send reply packet: %m");
783 return;
784 }
785 }
786 }
787
788 DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
789 DnsTransaction *t;
790
791 assert(scope);
792 assert(key);
793
794 /* Try to find an ongoing transaction that is a equal to the
795 * specified question */
796 t = hashmap_get(scope->transactions_by_key, key);
797 if (!t)
798 return NULL;
799
800 /* Refuse reusing transactions that completed based on cached
801 * data instead of a real packet, if that's requested. */
802 if (!cache_ok &&
803 IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_RCODE_FAILURE) &&
804 t->answer_source != DNS_TRANSACTION_NETWORK)
805 return NULL;
806
807 return t;
808 }
809
810 static int dns_scope_make_conflict_packet(
811 DnsScope *s,
812 DnsResourceRecord *rr,
813 DnsPacket **ret) {
814
815 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
816 int r;
817
818 assert(s);
819 assert(rr);
820 assert(ret);
821
822 r = dns_packet_new(&p, s->protocol, 0, DNS_PACKET_SIZE_MAX);
823 if (r < 0)
824 return r;
825
826 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
827 0 /* qr */,
828 0 /* opcode */,
829 1 /* conflict */,
830 0 /* tc */,
831 0 /* t */,
832 0 /* (ra) */,
833 0 /* (ad) */,
834 0 /* (cd) */,
835 0));
836
837 /* For mDNS, the transaction ID should always be 0 */
838 if (s->protocol != DNS_PROTOCOL_MDNS)
839 random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
840
841 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
842 DNS_PACKET_HEADER(p)->arcount = htobe16(1);
843
844 r = dns_packet_append_key(p, rr->key, 0, NULL);
845 if (r < 0)
846 return r;
847
848 r = dns_packet_append_rr(p, rr, 0, NULL, NULL);
849 if (r < 0)
850 return r;
851
852 *ret = p;
853 p = NULL;
854
855 return 0;
856 }
857
858 static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
859 DnsScope *scope = userdata;
860 int r;
861
862 assert(es);
863 assert(scope);
864
865 scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
866
867 for (;;) {
868 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
869 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
870
871 rr = ordered_hashmap_steal_first(scope->conflict_queue);
872 if (!rr)
873 break;
874
875 r = dns_scope_make_conflict_packet(scope, rr, &p);
876 if (r < 0) {
877 log_error_errno(r, "Failed to make conflict packet: %m");
878 return 0;
879 }
880
881 r = dns_scope_emit_udp(scope, -1, p);
882 if (r < 0)
883 log_debug_errno(r, "Failed to send conflict packet: %m");
884 }
885
886 return 0;
887 }
888
889 int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
890 usec_t jitter;
891 int r;
892
893 assert(scope);
894 assert(rr);
895
896 /* We don't send these queries immediately. Instead, we queue
897 * them, and send them after some jitter delay. */
898 r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
899 if (r < 0) {
900 log_oom();
901 return r;
902 }
903
904 /* We only place one RR per key in the conflict
905 * messages, not all of them. That should be enough to
906 * indicate where there might be a conflict */
907 r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
908 if (IN_SET(r, 0, -EEXIST))
909 return 0;
910 if (r < 0)
911 return log_debug_errno(r, "Failed to queue conflicting RR: %m");
912
913 dns_resource_record_ref(rr);
914
915 if (scope->conflict_event_source)
916 return 0;
917
918 random_bytes(&jitter, sizeof(jitter));
919 jitter %= LLMNR_JITTER_INTERVAL_USEC;
920
921 r = sd_event_add_time(scope->manager->event,
922 &scope->conflict_event_source,
923 clock_boottime_or_monotonic(),
924 now(clock_boottime_or_monotonic()) + jitter,
925 LLMNR_JITTER_INTERVAL_USEC,
926 on_conflict_dispatch, scope);
927 if (r < 0)
928 return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
929
930 (void) sd_event_source_set_description(scope->conflict_event_source, "scope-conflict");
931
932 return 0;
933 }
934
935 void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
936 unsigned i;
937 int r;
938
939 assert(scope);
940 assert(p);
941
942 if (!IN_SET(p->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS))
943 return;
944
945 if (DNS_PACKET_RRCOUNT(p) <= 0)
946 return;
947
948 if (p->protocol == DNS_PROTOCOL_LLMNR) {
949 if (DNS_PACKET_LLMNR_C(p) != 0)
950 return;
951
952 if (DNS_PACKET_LLMNR_T(p) != 0)
953 return;
954 }
955
956 if (manager_our_packet(scope->manager, p))
957 return;
958
959 r = dns_packet_extract(p);
960 if (r < 0) {
961 log_debug_errno(r, "Failed to extract packet: %m");
962 return;
963 }
964
965 log_debug("Checking for conflicts...");
966
967 for (i = 0; i < p->answer->n_rrs; i++) {
968
969 /* Check for conflicts against the local zone. If we
970 * found one, we won't check any further */
971 r = dns_zone_check_conflicts(&scope->zone, p->answer->items[i].rr);
972 if (r != 0)
973 continue;
974
975 /* Check for conflicts against the local cache. If so,
976 * send out an advisory query, to inform everybody */
977 r = dns_cache_check_conflicts(&scope->cache, p->answer->items[i].rr, p->family, &p->sender);
978 if (r <= 0)
979 continue;
980
981 dns_scope_notify_conflict(scope, p->answer->items[i].rr);
982 }
983 }
984
985 void dns_scope_dump(DnsScope *s, FILE *f) {
986 assert(s);
987
988 if (!f)
989 f = stdout;
990
991 fputs("[Scope protocol=", f);
992 fputs(dns_protocol_to_string(s->protocol), f);
993
994 if (s->link) {
995 fputs(" interface=", f);
996 fputs(s->link->name, f);
997 }
998
999 if (s->family != AF_UNSPEC) {
1000 fputs(" family=", f);
1001 fputs(af_to_name(s->family), f);
1002 }
1003
1004 fputs("]\n", f);
1005
1006 if (!dns_zone_is_empty(&s->zone)) {
1007 fputs("ZONE:\n", f);
1008 dns_zone_dump(&s->zone, f);
1009 }
1010
1011 if (!dns_cache_is_empty(&s->cache)) {
1012 fputs("CACHE:\n", f);
1013 dns_cache_dump(&s->cache, f);
1014 }
1015 }
1016
1017 DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
1018 assert(s);
1019
1020 if (s->protocol != DNS_PROTOCOL_DNS)
1021 return NULL;
1022
1023 if (s->link)
1024 return s->link->search_domains;
1025
1026 return s->manager->search_domains;
1027 }
1028
1029 bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
1030 assert(s);
1031
1032 if (s->protocol != DNS_PROTOCOL_DNS)
1033 return false;
1034
1035 return dns_name_is_single_label(name);
1036 }
1037
1038 bool dns_scope_network_good(DnsScope *s) {
1039 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1040 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1041 * DNS scope we check whether there are any links that are up and have an address. */
1042
1043 if (s->link)
1044 return true;
1045
1046 return manager_routable(s->manager, AF_UNSPEC);
1047 }
1048
1049 int dns_scope_ifindex(DnsScope *s) {
1050 assert(s);
1051
1052 if (s->link)
1053 return s->link->ifindex;
1054
1055 return 0;
1056 }
1057
1058 static int on_announcement_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1059 DnsScope *scope = userdata;
1060
1061 assert(s);
1062
1063 scope->announce_event_source = sd_event_source_unref(scope->announce_event_source);
1064
1065 (void) dns_scope_announce(scope, false);
1066 return 0;
1067 }
1068
1069 int dns_scope_announce(DnsScope *scope, bool goodbye) {
1070 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1071 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1072 LinkAddress *a;
1073 int r;
1074
1075 if (!scope)
1076 return 0;
1077
1078 if (scope->protocol != DNS_PROTOCOL_MDNS)
1079 return 0;
1080
1081 answer = dns_answer_new(scope->link->n_addresses * 2);
1082 if (!answer)
1083 return log_oom();
1084
1085 LIST_FOREACH(addresses, a, scope->link->addresses) {
1086 r = dns_answer_add(answer, a->mdns_address_rr, 0, goodbye ? DNS_ANSWER_GOODBYE : DNS_ANSWER_CACHE_FLUSH);
1087 if (r < 0)
1088 return log_debug_errno(r, "Failed to add address RR to answer: %m");
1089
1090 r = dns_answer_add(answer, a->mdns_ptr_rr, 0, goodbye ? DNS_ANSWER_GOODBYE : DNS_ANSWER_CACHE_FLUSH);
1091 if (r < 0)
1092 return log_debug_errno(r, "Failed to add PTR RR to answer: %m");
1093 }
1094
1095 if (dns_answer_isempty(answer))
1096 return 0;
1097
1098 r = dns_scope_make_reply_packet(scope, 0, DNS_RCODE_SUCCESS, NULL, answer, NULL, false, &p);
1099 if (r < 0)
1100 return log_debug_errno(r, "Failed to build reply packet: %m");
1101
1102 r = dns_scope_emit_udp(scope, -1, p);
1103 if (r < 0)
1104 return log_debug_errno(r, "Failed to send reply packet: %m");
1105
1106 /* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
1107 * responses, one second apart." */
1108 if (!scope->announced) {
1109 usec_t ts;
1110
1111 scope->announced = true;
1112
1113 assert_se(sd_event_now(scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1114 ts += MDNS_ANNOUNCE_DELAY;
1115
1116 r = sd_event_add_time(
1117 scope->manager->event,
1118 &scope->announce_event_source,
1119 clock_boottime_or_monotonic(),
1120 ts,
1121 MDNS_JITTER_RANGE_USEC,
1122 on_announcement_timeout, scope);
1123 if (r < 0)
1124 return log_debug_errno(r, "Failed to schedule second announcement: %m");
1125
1126 (void) sd_event_source_set_description(scope->announce_event_source, "mdns-announce");
1127 }
1128
1129 return 0;
1130 }
Unnamed repository; edit this file 'description' to name the repository.