1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2014 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <netinet/tcp.h>
24 #include "alloc-util.h"
25 #include "dns-domain.h"
27 #include "hostname-util.h"
29 #include "random-util.h"
30 #include "resolved-dns-scope.h"
31 #include "resolved-llmnr.h"
32 #include "resolved-mdns.h"
33 #include "socket-util.h"
36 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
37 #define MULTICAST_RATELIMIT_BURST 1000
39 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
40 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
41 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
43 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
49 s
= new0(DnsScope
, 1);
55 s
->protocol
= protocol
;
57 s
->resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
;
59 if (protocol
== DNS_PROTOCOL_DNS
) {
60 /* Copy DNSSEC mode from the link if it is set there,
61 * otherwise take the manager's DNSSEC mode. Note that
62 * we copy this only at scope creation time, and do
63 * not update it from the on, even if the setting
67 s
->dnssec_mode
= link_get_dnssec_mode(l
);
69 s
->dnssec_mode
= manager_get_dnssec_mode(m
);
71 s
->dnssec_mode
= DNSSEC_NO
;
73 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
75 dns_scope_llmnr_membership(s
, true);
76 dns_scope_mdns_membership(s
, true);
78 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
80 /* Enforce ratelimiting for the multicast protocols */
81 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
87 static void dns_scope_abort_transactions(DnsScope
*s
) {
90 while (s
->transactions
) {
91 DnsTransaction
*t
= s
->transactions
;
93 /* Abort the transaction, but make sure it is not
94 * freed while we still look at it */
97 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
98 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
101 dns_transaction_free(t
);
105 DnsScope
* dns_scope_free(DnsScope
*s
) {
106 DnsResourceRecord
*rr
;
111 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
113 dns_scope_llmnr_membership(s
, false);
114 dns_scope_mdns_membership(s
, false);
115 dns_scope_abort_transactions(s
);
117 while (s
->query_candidates
)
118 dns_query_candidate_free(s
->query_candidates
);
120 hashmap_free(s
->transactions_by_key
);
122 while ((rr
= ordered_hashmap_steal_first(s
->conflict_queue
)))
123 dns_resource_record_unref(rr
);
125 ordered_hashmap_free(s
->conflict_queue
);
126 sd_event_source_unref(s
->conflict_event_source
);
128 sd_event_source_unref(s
->announce_event_source
);
130 dns_cache_flush(&s
->cache
);
131 dns_zone_flush(&s
->zone
);
133 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
137 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
140 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
144 return link_get_dns_server(s
->link
);
146 return manager_get_dns_server(s
->manager
);
149 void dns_scope_next_dns_server(DnsScope
*s
) {
152 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
156 link_next_dns_server(s
->link
);
158 manager_next_dns_server(s
->manager
);
161 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
164 if (rtt
<= s
->max_rtt
)
168 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
171 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
174 if (s
->resend_timeout
<= usec
)
175 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
178 static int dns_scope_emit_one(DnsScope
*s
, int fd
, DnsPacket
*p
) {
179 union in_addr_union addr
;
186 assert(p
->protocol
== s
->protocol
);
190 ifindex
= s
->link
->ifindex
;
192 mtu
= manager_find_mtu(s
->manager
);
194 switch (s
->protocol
) {
196 case DNS_PROTOCOL_DNS
:
199 if (DNS_PACKET_QDCOUNT(p
) > 1)
202 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
205 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
208 r
= manager_write(s
->manager
, fd
, p
);
214 case DNS_PROTOCOL_LLMNR
:
217 if (DNS_PACKET_QDCOUNT(p
) > 1)
220 if (!ratelimit_test(&s
->ratelimit
))
225 if (family
== AF_INET
) {
226 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
227 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
228 } else if (family
== AF_INET6
) {
229 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
230 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
232 return -EAFNOSUPPORT
;
236 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, LLMNR_PORT
, NULL
, p
);
242 case DNS_PROTOCOL_MDNS
:
245 if (!ratelimit_test(&s
->ratelimit
))
250 if (family
== AF_INET
) {
251 addr
.in
= MDNS_MULTICAST_IPV4_ADDRESS
;
252 fd
= manager_mdns_ipv4_fd(s
->manager
);
253 } else if (family
== AF_INET6
) {
254 addr
.in6
= MDNS_MULTICAST_IPV6_ADDRESS
;
255 fd
= manager_mdns_ipv6_fd(s
->manager
);
257 return -EAFNOSUPPORT
;
261 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, MDNS_PORT
, NULL
, p
);
268 return -EAFNOSUPPORT
;
274 int dns_scope_emit_udp(DnsScope
*s
, int fd
, DnsPacket
*p
) {
279 assert(p
->protocol
== s
->protocol
);
280 assert((s
->protocol
== DNS_PROTOCOL_DNS
) == (fd
>= 0));
283 /* If there are multiple linked packets, set the TC bit in all but the last of them */
285 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
286 dns_packet_set_flags(p
, true, true);
289 r
= dns_scope_emit_one(s
, fd
, p
);
299 static int dns_scope_socket(
303 const union in_addr_union
*address
,
307 _cleanup_close_
int fd
= -1;
308 union sockaddr_union sa
= {};
310 static const int one
= 1;
316 assert(family
== AF_UNSPEC
);
319 ifindex
= dns_server_ifindex(server
);
321 sa
.sa
.sa_family
= server
->family
;
322 if (server
->family
== AF_INET
) {
323 sa
.in
.sin_port
= htobe16(port
);
324 sa
.in
.sin_addr
= server
->address
.in
;
325 salen
= sizeof(sa
.in
);
326 } else if (server
->family
== AF_INET6
) {
327 sa
.in6
.sin6_port
= htobe16(port
);
328 sa
.in6
.sin6_addr
= server
->address
.in6
;
329 sa
.in6
.sin6_scope_id
= ifindex
;
330 salen
= sizeof(sa
.in6
);
332 return -EAFNOSUPPORT
;
334 assert(family
!= AF_UNSPEC
);
337 sa
.sa
.sa_family
= family
;
338 ifindex
= s
->link
? s
->link
->ifindex
: 0;
340 if (family
== AF_INET
) {
341 sa
.in
.sin_port
= htobe16(port
);
342 sa
.in
.sin_addr
= address
->in
;
343 salen
= sizeof(sa
.in
);
344 } else if (family
== AF_INET6
) {
345 sa
.in6
.sin6_port
= htobe16(port
);
346 sa
.in6
.sin6_addr
= address
->in6
;
347 sa
.in6
.sin6_scope_id
= ifindex
;
348 salen
= sizeof(sa
.in6
);
350 return -EAFNOSUPPORT
;
353 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
357 if (type
== SOCK_STREAM
) {
358 r
= setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &one
, sizeof(one
));
364 be32_t ifindex_be
= htobe32(ifindex
);
366 if (sa
.sa
.sa_family
== AF_INET
) {
367 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
370 } else if (sa
.sa
.sa_family
== AF_INET6
) {
371 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
377 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
378 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
380 if (sa
.sa
.sa_family
== AF_INET
) {
381 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &one
, sizeof(one
));
384 } else if (sa
.sa
.sa_family
== AF_INET6
) {
385 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &one
, sizeof(one
));
391 r
= connect(fd
, &sa
.sa
, salen
);
392 if (r
< 0 && errno
!= EINPROGRESS
)
401 int dns_scope_socket_udp(DnsScope
*s
, DnsServer
*server
, uint16_t port
) {
402 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, server
, port
);
405 int dns_scope_socket_tcp(DnsScope
*s
, int family
, const union in_addr_union
*address
, DnsServer
*server
, uint16_t port
) {
406 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, server
, port
);
409 DnsScopeMatch
dns_scope_good_domain(DnsScope
*s
, int ifindex
, uint64_t flags
, const char *domain
) {
411 DnsServer
*dns_server
;
416 /* Checks if the specified domain is something to look up on
417 * this scope. Note that this accepts non-qualified hostnames,
418 * i.e. those without any search path prefixed yet. */
420 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
423 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
, 0) & flags
) == 0)
426 /* Never resolve any loopback hostname or IP address via DNS,
427 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
429 if (is_localhost(domain
) ||
430 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
431 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
434 /* Never respond to some of the domains listed in RFC6303 */
435 if (dns_name_endswith(domain
, "0.in-addr.arpa") > 0 ||
436 dns_name_equal(domain
, "255.255.255.255.in-addr.arpa") > 0 ||
437 dns_name_equal(domain
, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
440 /* Never respond to some of the domains listed in RFC6761 */
441 if (dns_name_endswith(domain
, "invalid") > 0)
444 /* Always honour search domains for routing queries. Note that
445 * we return DNS_SCOPE_YES here, rather than just
446 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
447 * considered anymore. */
448 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
))
449 if (dns_name_endswith(domain
, d
->name
) > 0)
450 return DNS_SCOPE_YES
;
452 /* If the DNS server has route-only domains, don't send other requests
453 * to it. This would be a privacy violation, will most probably fail
454 * anyway, and adds unnecessary load. */
455 dns_server
= dns_scope_get_dns_server(s
);
456 if (dns_server
&& dns_server_limited_domains(dns_server
))
459 switch (s
->protocol
) {
461 case DNS_PROTOCOL_DNS
:
463 /* Exclude link-local IP ranges */
464 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
465 dns_name_endswith(domain
, "8.e.f.ip6.arpa") == 0 &&
466 dns_name_endswith(domain
, "9.e.f.ip6.arpa") == 0 &&
467 dns_name_endswith(domain
, "a.e.f.ip6.arpa") == 0 &&
468 dns_name_endswith(domain
, "b.e.f.ip6.arpa") == 0 &&
469 /* If networks use .local in their private setups, they are supposed to also add .local to their search
470 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
471 * send such queries ordinary DNS servers. */
472 dns_name_endswith(domain
, "local") == 0)
473 return DNS_SCOPE_MAYBE
;
477 case DNS_PROTOCOL_MDNS
:
478 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
479 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
480 (dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
481 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
482 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
483 return DNS_SCOPE_MAYBE
;
487 case DNS_PROTOCOL_LLMNR
:
488 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
489 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
490 (dns_name_is_single_label(domain
) && /* only resolve single label names via LLMNR */
491 !is_gateway_hostname(domain
) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
492 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
493 return DNS_SCOPE_MAYBE
;
498 assert_not_reached("Unknown scope protocol");
502 bool dns_scope_good_key(DnsScope
*s
, const DnsResourceKey
*key
) {
508 /* Check if it makes sense to resolve the specified key on
509 * this scope. Note that this call assumes as fully qualified
510 * name, i.e. the search suffixes already appended. */
512 if (key
->class != DNS_CLASS_IN
)
515 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
517 /* On classic DNS, looking up non-address RRs is always
518 * fine. (Specifically, we want to permit looking up
519 * DNSKEY and DS records on the root and top-level
521 if (!dns_resource_key_is_address(key
))
524 /* However, we refuse to look up A and AAAA RRs on the
525 * root and single-label domains, under the assumption
526 * that those should be resolved via LLMNR or search
527 * path only, and should not be leaked onto the
529 return !(dns_name_is_single_label(dns_resource_key_name(key
)) ||
530 dns_name_is_root(dns_resource_key_name(key
)));
533 /* On mDNS and LLMNR, send A and AAAA queries only on the
534 * respective scopes */
536 key_family
= dns_type_to_af(key
->type
);
540 return key_family
== s
->family
;
543 static int dns_scope_multicast_membership(DnsScope
*s
, bool b
, struct in_addr in
, struct in6_addr in6
) {
549 if (s
->family
== AF_INET
) {
550 struct ip_mreqn mreqn
= {
552 .imr_ifindex
= s
->link
->ifindex
,
555 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
556 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
558 fd
= manager_mdns_ipv4_fd(s
->manager
);
563 /* Always first try to drop membership before we add
564 * one. This is necessary on some devices, such as
567 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
569 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
572 } else if (s
->family
== AF_INET6
) {
573 struct ipv6_mreq mreq
= {
574 .ipv6mr_multiaddr
= in6
,
575 .ipv6mr_interface
= s
->link
->ifindex
,
578 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
579 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
581 fd
= manager_mdns_ipv6_fd(s
->manager
);
587 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
589 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
592 return -EAFNOSUPPORT
;
597 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
600 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
603 return dns_scope_multicast_membership(s
, b
, LLMNR_MULTICAST_IPV4_ADDRESS
, LLMNR_MULTICAST_IPV6_ADDRESS
);
606 int dns_scope_mdns_membership(DnsScope
*s
, bool b
) {
609 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
612 return dns_scope_multicast_membership(s
, b
, MDNS_MULTICAST_IPV4_ADDRESS
, MDNS_MULTICAST_IPV6_ADDRESS
);
615 int dns_scope_make_reply_packet(
625 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
631 if (dns_question_isempty(q
) &&
632 dns_answer_isempty(answer
) &&
633 dns_answer_isempty(soa
))
636 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
640 DNS_PACKET_HEADER(p
)->id
= id
;
641 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
652 r
= dns_packet_append_question(p
, q
);
655 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(dns_question_size(q
));
657 r
= dns_packet_append_answer(p
, answer
);
660 DNS_PACKET_HEADER(p
)->ancount
= htobe16(dns_answer_size(answer
));
662 r
= dns_packet_append_answer(p
, soa
);
665 DNS_PACKET_HEADER(p
)->arcount
= htobe16(dns_answer_size(soa
));
673 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
674 DnsResourceRecord
*rr
;
680 DNS_QUESTION_FOREACH(key
, p
->question
)
681 dns_zone_verify_conflicts(&s
->zone
, key
);
683 DNS_ANSWER_FOREACH(rr
, p
->answer
)
684 dns_zone_verify_conflicts(&s
->zone
, rr
->key
);
687 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
688 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
689 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
690 DnsResourceKey
*key
= NULL
;
691 bool tentative
= false;
697 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
700 if (p
->ipproto
== IPPROTO_UDP
) {
701 /* Don't accept UDP queries directed to anything but
702 * the LLMNR multicast addresses. See RFC 4795,
705 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
708 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
712 r
= dns_packet_extract(p
);
714 log_debug_errno(r
, "Failed to extract resource records from incoming packet: %m");
718 if (DNS_PACKET_LLMNR_C(p
)) {
719 /* Somebody notified us about a possible conflict */
720 dns_scope_verify_conflicts(s
, p
);
724 assert(dns_question_size(p
->question
) == 1);
725 key
= p
->question
->keys
[0];
727 r
= dns_zone_lookup(&s
->zone
, key
, 0, &answer
, &soa
, &tentative
);
729 log_debug_errno(r
, "Failed to lookup key: %m");
736 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
738 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
740 log_debug_errno(r
, "Failed to build reply packet: %m");
745 r
= dns_stream_write_packet(stream
, reply
);
747 log_debug_errno(r
, "Failed to enqueue reply packet: %m");
751 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
752 * will be dangling until the stream is disconnected, and the default completion handler of the stream
753 * will then unref the stream and destroy it */
754 if (DNS_STREAM_QUEUED(stream
))
755 dns_stream_ref(stream
);
759 if (!ratelimit_test(&s
->ratelimit
))
762 if (p
->family
== AF_INET
)
763 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
764 else if (p
->family
== AF_INET6
)
765 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
767 log_debug("Unknown protocol");
771 log_debug_errno(fd
, "Failed to get reply socket: %m");
775 /* Note that we always immediately reply to all LLMNR
776 * requests, and do not wait any time, since we
777 * verified uniqueness for all records. Also see RFC
778 * 4795, Section 2.7 */
780 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, NULL
, reply
);
782 log_debug_errno(r
, "Failed to send reply packet: %m");
788 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsResourceKey
*key
, bool cache_ok
) {
794 /* Try to find an ongoing transaction that is a equal to the
795 * specified question */
796 t
= hashmap_get(scope
->transactions_by_key
, key
);
800 /* Refuse reusing transactions that completed based on cached
801 * data instead of a real packet, if that's requested. */
803 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_RCODE_FAILURE
) &&
804 t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
810 static int dns_scope_make_conflict_packet(
812 DnsResourceRecord
*rr
,
815 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
822 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
826 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
837 /* For mDNS, the transaction ID should always be 0 */
838 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
839 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
841 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
842 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
844 r
= dns_packet_append_key(p
, rr
->key
, 0, NULL
);
848 r
= dns_packet_append_rr(p
, rr
, 0, NULL
, NULL
);
858 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
859 DnsScope
*scope
= userdata
;
865 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
868 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
869 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
871 rr
= ordered_hashmap_steal_first(scope
->conflict_queue
);
875 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
877 log_error_errno(r
, "Failed to make conflict packet: %m");
881 r
= dns_scope_emit_udp(scope
, -1, p
);
883 log_debug_errno(r
, "Failed to send conflict packet: %m");
889 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
896 /* We don't send these queries immediately. Instead, we queue
897 * them, and send them after some jitter delay. */
898 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
904 /* We only place one RR per key in the conflict
905 * messages, not all of them. That should be enough to
906 * indicate where there might be a conflict */
907 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
908 if (IN_SET(r
, 0, -EEXIST
))
911 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
913 dns_resource_record_ref(rr
);
915 if (scope
->conflict_event_source
)
918 random_bytes(&jitter
, sizeof(jitter
));
919 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
921 r
= sd_event_add_time(scope
->manager
->event
,
922 &scope
->conflict_event_source
,
923 clock_boottime_or_monotonic(),
924 now(clock_boottime_or_monotonic()) + jitter
,
925 LLMNR_JITTER_INTERVAL_USEC
,
926 on_conflict_dispatch
, scope
);
928 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
930 (void) sd_event_source_set_description(scope
->conflict_event_source
, "scope-conflict");
935 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
942 if (!IN_SET(p
->protocol
, DNS_PROTOCOL_LLMNR
, DNS_PROTOCOL_MDNS
))
945 if (DNS_PACKET_RRCOUNT(p
) <= 0)
948 if (p
->protocol
== DNS_PROTOCOL_LLMNR
) {
949 if (DNS_PACKET_LLMNR_C(p
) != 0)
952 if (DNS_PACKET_LLMNR_T(p
) != 0)
956 if (manager_our_packet(scope
->manager
, p
))
959 r
= dns_packet_extract(p
);
961 log_debug_errno(r
, "Failed to extract packet: %m");
965 log_debug("Checking for conflicts...");
967 for (i
= 0; i
< p
->answer
->n_rrs
; i
++) {
969 /* Check for conflicts against the local zone. If we
970 * found one, we won't check any further */
971 r
= dns_zone_check_conflicts(&scope
->zone
, p
->answer
->items
[i
].rr
);
975 /* Check for conflicts against the local cache. If so,
976 * send out an advisory query, to inform everybody */
977 r
= dns_cache_check_conflicts(&scope
->cache
, p
->answer
->items
[i
].rr
, p
->family
, &p
->sender
);
981 dns_scope_notify_conflict(scope
, p
->answer
->items
[i
].rr
);
985 void dns_scope_dump(DnsScope
*s
, FILE *f
) {
991 fputs("[Scope protocol=", f
);
992 fputs(dns_protocol_to_string(s
->protocol
), f
);
995 fputs(" interface=", f
);
996 fputs(s
->link
->name
, f
);
999 if (s
->family
!= AF_UNSPEC
) {
1000 fputs(" family=", f
);
1001 fputs(af_to_name(s
->family
), f
);
1006 if (!dns_zone_is_empty(&s
->zone
)) {
1007 fputs("ZONE:\n", f
);
1008 dns_zone_dump(&s
->zone
, f
);
1011 if (!dns_cache_is_empty(&s
->cache
)) {
1012 fputs("CACHE:\n", f
);
1013 dns_cache_dump(&s
->cache
, f
);
1017 DnsSearchDomain
*dns_scope_get_search_domains(DnsScope
*s
) {
1020 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1024 return s
->link
->search_domains
;
1026 return s
->manager
->search_domains
;
1029 bool dns_scope_name_needs_search_domain(DnsScope
*s
, const char *name
) {
1032 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1035 return dns_name_is_single_label(name
);
1038 bool dns_scope_network_good(DnsScope
*s
) {
1039 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1040 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1041 * DNS scope we check whether there are any links that are up and have an address. */
1046 return manager_routable(s
->manager
, AF_UNSPEC
);
1049 int dns_scope_ifindex(DnsScope
*s
) {
1053 return s
->link
->ifindex
;
1058 static int on_announcement_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
1059 DnsScope
*scope
= userdata
;
1063 scope
->announce_event_source
= sd_event_source_unref(scope
->announce_event_source
);
1065 (void) dns_scope_announce(scope
, false);
1069 int dns_scope_announce(DnsScope
*scope
, bool goodbye
) {
1070 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
1071 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1078 if (scope
->protocol
!= DNS_PROTOCOL_MDNS
)
1081 answer
= dns_answer_new(scope
->link
->n_addresses
* 2);
1085 LIST_FOREACH(addresses
, a
, scope
->link
->addresses
) {
1086 r
= dns_answer_add(answer
, a
->mdns_address_rr
, 0, goodbye
? DNS_ANSWER_GOODBYE
: DNS_ANSWER_CACHE_FLUSH
);
1088 return log_debug_errno(r
, "Failed to add address RR to answer: %m");
1090 r
= dns_answer_add(answer
, a
->mdns_ptr_rr
, 0, goodbye
? DNS_ANSWER_GOODBYE
: DNS_ANSWER_CACHE_FLUSH
);
1092 return log_debug_errno(r
, "Failed to add PTR RR to answer: %m");
1095 if (dns_answer_isempty(answer
))
1098 r
= dns_scope_make_reply_packet(scope
, 0, DNS_RCODE_SUCCESS
, NULL
, answer
, NULL
, false, &p
);
1100 return log_debug_errno(r
, "Failed to build reply packet: %m");
1102 r
= dns_scope_emit_udp(scope
, -1, p
);
1104 return log_debug_errno(r
, "Failed to send reply packet: %m");
1106 /* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
1107 * responses, one second apart." */
1108 if (!scope
->announced
) {
1111 scope
->announced
= true;
1113 assert_se(sd_event_now(scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1114 ts
+= MDNS_ANNOUNCE_DELAY
;
1116 r
= sd_event_add_time(
1117 scope
->manager
->event
,
1118 &scope
->announce_event_source
,
1119 clock_boottime_or_monotonic(),
1121 MDNS_JITTER_RANGE_USEC
,
1122 on_announcement_timeout
, scope
);
1124 return log_debug_errno(r
, "Failed to schedule second announcement: %m");
1126 (void) sd_event_source_set_description(scope
->announce_event_source
, "mdns-announce");