1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <netinet/tcp.h>
26 #include "socket-util.h"
28 #include "random-util.h"
29 #include "hostname-util.h"
30 #include "dns-domain.h"
31 #include "resolved-llmnr.h"
32 #include "resolved-dns-scope.h"
/* Every multicast scope carries a token-bucket rate limiter initialised with
 * these two values in dns_scope_new() and consulted with ratelimit_test()
 * before every multicast send (dns_scope_emit()) and before every UDP LLMNR
 * reply (dns_scope_process_query()). It bounds how much traffic a flood of
 * incoming queries can make this host emit. */
#define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
#define MULTICAST_RATELIMIT_BURST 1000

/* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
/* Bounds for the per-scope resend timeout: it starts at the minimum, is
 * raised from observed round-trip times in dns_scope_packet_received() and
 * doubled on loss in dns_scope_packet_lost(), and is clamped to the maximum
 * in both places, so a slow or hostile peer cannot push it past one second. */
#define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
#define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
        /* Create one resolver scope for (link, protocol, family), hook it into
         * the manager's scope list, join the LLMNR multicast group if this is
         * an LLMNR scope, and arm the multicast rate limiter. l may be NULL:
         * the log line below prints "*" for a link-less scope.
         * [listing gap: original lines 42-46 not shown; presumably the local
         * declarations and asserts] */
        s = new0(DnsScope, 1);
        /* [listing gap: lines 48-52 not shown; presumably the allocation
         * failure check and the manager/link/family assignments] */
        s->protocol = protocol;
        /* Start with the most aggressive resend timeout; it is only ever
         * grown (and clamped) by dns_scope_packet_received()/_lost(). */
        s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
        LIST_PREPEND(scopes, m->dns_scopes, s);
        /* Join the LLMNR multicast group (a no-op for non-LLMNR scopes). The
         * return value is not checked here, so a failed group join does not
         * fail scope creation. */
        dns_scope_llmnr_membership(s, true);
        log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
        /* Enforce ratelimiting for the multicast protocols */
        /* MULTICAST_RATELIMIT_BURST packets per MULTICAST_RATELIMIT_INTERVAL_USEC;
         * checked with ratelimit_test() before every multicast send and every
         * UDP LLMNR reply. */
        RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
        /* [listing gap: lines 65-69 not shown] */
DnsScope* dns_scope_free(DnsScope *s) {
        /* Tear down a scope: leave the multicast group, abort in-flight
         * transactions, drop queued conflict notifications and the pending
         * conflict timer, flush cache and zone, and unlink from the manager. */
        DnsResourceRecord *rr;
        /* [listing gap: lines 73-76 not shown] */
        log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
        dns_scope_llmnr_membership(s, false);
        /* Each transaction is stolen from the hashmap before it is completed,
         * so completing it can neither free it under us nor find it in the
         * map again. */
        while ((t = hashmap_steal_first(s->transactions))) {
                /* Abort the transaction, but make sure it is not
                 * freed while we still look at it */
                /* [listing gap: lines 84-85 not shown] */
                dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
                /* [listing gap: lines 87-88 not shown] */
                dns_transaction_free(t);
        /* [listing gap: lines 90-91 not shown] */
        hashmap_free(s->transactions);
        /* Every RR in conflict_queue holds the reference taken in
         * dns_scope_notify_conflict(); release it so nothing leaks. */
        while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
                dns_resource_record_unref(rr);
        ordered_hashmap_free(s->conflict_queue);
        /* Cancel the pending conflict timer: on_conflict_dispatch() gets this
         * scope as userdata and must not fire after the scope is gone. */
        sd_event_source_unref(s->conflict_event_source);
        dns_cache_flush(&s->cache);
        dns_zone_flush(&s->zone);
        LIST_REMOVE(scopes, s->manager->dns_scopes, s);
        strv_free(s->domains);
        /* [listing gap: lines 105-109 not shown] */
DnsServer *dns_scope_get_dns_server(DnsScope *s) {
        /* The unicast DNS server this scope should currently talk to: the
         * link's server for a per-link scope, otherwise the manager's global
         * one. Only classic-DNS scopes have a server; LLMNR/mDNS scopes take
         * the early exit below. Callers must cope with a NULL result (see
         * dns_scope_socket()).
         * [listing gap: lines 111-112 not shown] */
        if (s->protocol != DNS_PROTOCOL_DNS)
                /* [listing gap: lines 114-116 not shown; the non-DNS return
                 * and, presumably, an `if (s->link)` guard for the next line] */
                return link_get_dns_server(s->link);
        return manager_get_dns_server(s->manager);
void dns_scope_next_dns_server(DnsScope *s) {
        /* Rotate to the next configured unicast DNS server: the per-link list
         * when the scope has a link, otherwise the manager's global list.
         * No-op for LLMNR/mDNS scopes.
         * [listing gap: lines 123-124 not shown] */
        if (s->protocol != DNS_PROTOCOL_DNS)
                /* [listing gap: lines 126-128 not shown; the early return and,
                 * presumably, an `if (s->link)` guard for the next line] */
                link_next_dns_server(s->link);
        manager_next_dns_server(s->manager);
void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
        /* Feed an observed round-trip time into the scope's resend timer.
         * rtt is derived from when a remote peer chose to answer, so it is
         * attacker-influenced; the new timeout is clamped to
         * [MULTICAST_RESEND_TIMEOUT_MIN_USEC, MULTICAST_RESEND_TIMEOUT_MAX_USEC],
         * so the worst a slow or hostile responder can do is push our retry
         * interval up to the 1 s ceiling.
         * [listing gap: lines 135-136 not shown] */
        if (rtt > s->max_rtt) {
                /* [listing gap: line 138 not shown; presumably stores the new
                 * maximum in s->max_rtt, which the next line reads] */
                s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2),
                                        MULTICAST_RESEND_TIMEOUT_MAX_USEC);
        /* [listing gap: lines 141-143 not shown] */
void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
        /* Exponential back-off on loss: double the resend timeout, capped at
         * MULTICAST_RESEND_TIMEOUT_MAX_USEC. The doubling only happens when
         * usec (presumably the timeout the lost packet was sent with; confirm
         * against the caller) is at least the current timeout, so several
         * losses reported with an already-stale timeout do not compound.
         * [listing gap: lines 145-146 not shown] */
        if (s->resend_timeout <= usec)
                s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
        /* [listing gap: lines 149-150 not shown] */
int dns_scope_emit(DnsScope *s, int fd, DnsPacket *p) {
        /* Send packet p out of this scope. Unicast DNS goes over the
         * caller-supplied fd after size checks; LLMNR is always sent to the
         * LLMNR multicast group address through the manager's shared LLMNR
         * socket and is subject to the per-scope rate limiter. */
        union in_addr_union addr;
        /* [listing gap: lines 153-159 not shown; presumably the remaining
         * locals (ifindex, r, family, port, mtu) and the s/p asserts] */
        assert(p->protocol == s->protocol);
        /* Exactly one of the two: a DNS scope needs a real fd, a multicast
         * scope must pass -1 and let us pick the manager's socket below. */
        assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0));
        /* [listing gap: lines 162-164 not shown. Scopes can be link-less
         * (dns_scope_new() logs "*" for l == NULL), so the dereference on the
         * next line is presumably guarded by `if (s->link)`; confirm.] */
        ifindex = s->link->ifindex;
        /* [listing gap: line 166 not shown] */
        mtu = manager_find_mtu(s->manager);
        switch (s->protocol) {
        case DNS_PROTOCOL_DNS:
                /* A unicast query may carry exactly one question. */
                if (DNS_PACKET_QDCOUNT(p) > 1)
                        /* [listing gap: lines 172-173 not shown] */
                /* Refuse anything above the unicast maximum or that would not
                 * fit the path MTU together with the UDP header. */
                if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
                        /* [listing gap: lines 175-176 not shown] */
                if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
                        /* [listing gap: lines 178-179 not shown] */
                r = manager_write(s->manager, fd, p);
                /* [listing gap: lines 181-185 not shown] */
        case DNS_PROTOCOL_LLMNR:
                if (DNS_PACKET_QDCOUNT(p) > 1)
                        /* [listing gap: lines 188-189 not shown] */
                /* Token-bucket check: refuse the send once the burst is used
                 * up rather than let a query flood turn into a multicast storm. */
                if (!ratelimit_test(&s->ratelimit))
                        /* [listing gap: lines 191-195 not shown] */
                /* LLMNR is only ever sent to the well-known group address,
                 * never to a unicast destination. family and port are set in
                 * lines not shown above (presumably s->family and the LLMNR
                 * port). */
                if (family == AF_INET) {
                        addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
                        fd = manager_llmnr_ipv4_udp_fd(s->manager);
                } else if (family == AF_INET6) {
                        addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
                        fd = manager_llmnr_ipv6_udp_fd(s->manager);
                /* [listing gap: line 202 not shown; presumably `} else`] */
                        return -EAFNOSUPPORT;
                /* [listing gap: lines 204-206 not shown] */
                r = manager_send(s->manager, fd, ifindex, family, &addr, port, p);
                /* [listing gap: lines 208-213 not shown] */
                /* Presumably the switch default: no other protocol can be
                 * emitted through this path. */
                return -EAFNOSUPPORT;
        /* [listing gap: lines 215-219 not shown] */
static int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
        /* Create a non-blocking, close-on-exec socket of the given type and
         * connect() it to its target. With family == AF_UNSPEC the target is
         * the scope's current DNS server (handed back through *server in the
         * lines not shown at the end); otherwise it is the explicit
         * address/port. For SOCK_DGRAM, connect() also makes the kernel
         * discard datagrams that do not come from the connected peer, which
         * narrows the window for spoofed replies. No bind() is visible in
         * this listing, so the source port is the kernel's ephemeral choice. */
        DnsServer *srv = NULL;
        _cleanup_close_ int fd = -1;
        union sockaddr_union sa = {};
        /* [listing gap: line 224 not shown; presumably salen/r declarations] */
        static const int one = 1;
        /* [listing gap: lines 226-228 not shown] */
        /* An explicit address is required iff a concrete family was given. */
        assert((family == AF_UNSPEC) == !address);
        /* [listing gap: line 230 not shown] */
        if (family == AF_UNSPEC) {
                srv = dns_scope_get_dns_server(s);
                /* [listing gap: lines 233-235 not shown. dns_scope_get_dns_server()
                 * can return NULL (non-DNS scope, no server configured); verify
                 * that this gap holds the NULL check before srv is used below.] */
                sa.sa.sa_family = srv->family;
                if (srv->family == AF_INET) {
                        sa.in.sin_port = htobe16(port);
                        sa.in.sin_addr = srv->address.in;
                        salen = sizeof(sa.in);
                } else if (srv->family == AF_INET6) {
                        sa.in6.sin6_port = htobe16(port);
                        sa.in6.sin6_addr = srv->address.in6;
                        /* The scope id pins link-local server addresses to this link. */
                        sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
                        salen = sizeof(sa.in6);
                /* [listing gap: line 246 not shown; presumably `} else`] */
                        return -EAFNOSUPPORT;
        /* [listing gap: line 248 not shown; presumably `} else {`] */
                sa.sa.sa_family = family;
                /* [listing gap: line 250 not shown] */
                if (family == AF_INET) {
                        sa.in.sin_port = htobe16(port);
                        sa.in.sin_addr = address->in;
                        salen = sizeof(sa.in);
                } else if (family == AF_INET6) {
                        sa.in6.sin6_port = htobe16(port);
                        sa.in6.sin6_addr = address->in6;
                        sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
                        salen = sizeof(sa.in6);
                /* [listing gap: line 260 not shown; presumably `} else`] */
                        return -EAFNOSUPPORT;
        /* [listing gap: lines 262-263 not shown] */
        /* CLOEXEC so the fd cannot leak into spawned children; NONBLOCK so a
         * slow TCP connect() cannot stall the event loop (see the EINPROGRESS
         * handling below). */
        fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
        /* [listing gap: lines 265-267 not shown; presumably the errno check] */
        if (type == SOCK_STREAM) {
                r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
                /* [listing gap: lines 270-274 not shown; presumably the error
                 * check, the closing brace, and an `if (s->link) {` guarding
                 * the dereference on the next line; confirm] */
        /* Pin outgoing unicast traffic to the scope's link. The index is
         * passed through htobe32(), i.e. in network byte order, which is
         * apparently what IP_UNICAST_IF/IPV6_UNICAST_IF expect. */
        uint32_t ifindex = htobe32(s->link->ifindex);
        /* [listing gap: line 276 not shown] */
        if (sa.sa.sa_family == AF_INET) {
                r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
                /* [listing gap: lines 279-280 not shown] */
        } else if (sa.sa.sa_family == AF_INET6) {
                r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
        /* [listing gap: lines 283-287 not shown] */
        if (s->protocol == DNS_PROTOCOL_LLMNR) {
                /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
                /* This confines LLMNR, including its TCP variant created via
                 * dns_scope_tcp_socket(), to the local link: no router will
                 * forward a packet with TTL/hop limit 1. */
                /* [listing gap: line 290 not shown] */
                if (sa.sa.sa_family == AF_INET) {
                        r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
                        /* [listing gap: lines 293-294 not shown] */
                } else if (sa.sa.sa_family == AF_INET6) {
                        r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
        /* [listing gap: lines 297-301 not shown] */
        /* A non-blocking SOCK_STREAM connect legitimately returns EINPROGRESS;
         * any other failure is an error. */
        r = connect(fd, &sa.sa, salen);
        if (r < 0 && errno != EINPROGRESS)
                /* [listing gap: lines 304-314 not shown; presumably the error
                 * return, handing fd and srv to the caller, and the closing brace] */
int dns_scope_udp_dns_socket(DnsScope *s, DnsServer **server) {
        /* UDP socket connected to the scope's current unicast DNS server on
         * the standard port 53; *server receives the server that was picked.
         * See dns_scope_socket() for the CLOEXEC/NONBLOCK and connect()
         * properties. */
        return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, 53, server);
        /* [listing gap: lines 317-318 not shown] */
int dns_scope_tcp_socket(DnsScope *s, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
        /* TCP socket to an explicit address/port, or, with family ==
         * AF_UNSPEC and address == NULL, to the scope's current DNS server
         * (dns_scope_socket() asserts that pairing). For LLMNR scopes
         * dns_scope_socket() still applies the TTL/hop-limit of 1. The
         * connect() is non-blocking, so the caller gets the socket back while
         * the handshake may still be in progress. */
        return dns_scope_socket(s, SOCK_STREAM, family, address, port, server);
        /* [listing gap: lines 321-322 not shown] */
DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
        /* Decide whether this scope is a candidate for resolving `domain`,
         * for a query restricted to interface `ifindex` (0 = any) and to the
         * protocols/families selected in `flags`. This is the policy gate
         * that keeps names from reaching the wrong resolver: loopback names
         * never go to the network, single-label names do not go to unicast
         * DNS, and our own hostname is never asked of LLMNR/mDNS peers.
         * [listing gap: lines 324-328 not shown] */
        /* A query pinned to an interface only matches that link's scope. */
        if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
                /* [listing gap: lines 330-331 not shown] */
        /* The caller's flags must include this scope's protocol/family. */
        if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family) & flags) == 0)
                /* [listing gap: lines 333-334 not shown] */
        /* The root domain is never looked up (a lookup error from
         * dns_name_root() takes the same exit). */
        if (dns_name_root(domain) != 0)
                /* [listing gap: lines 336-337 not shown] */
        /* Never resolve any loopback hostname or IP address via DNS,
         * LLMNR or mDNS. Instead, always rely on synthesized RRs for
         * [listing gap: line 340 not shown; rest of this comment] */
        /* Covers "localhost" and friends plus the reverse zones for
         * 127.0.0.0/8 and ::1, so nobody on the network can answer for them. */
        if (is_localhost(domain) ||
            dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
            dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
                /* [listing gap: lines 344-345 not shown] */
        /* Explicit per-scope routing domains win outright. */
        STRV_FOREACH(i, s->domains)
                if (dns_name_endswith(domain, *i) > 0)
                        return DNS_SCOPE_YES;
        /* [listing gap: line 349 not shown] */
        switch (s->protocol) {
        case DNS_PROTOCOL_DNS:
                /* Unicast DNS is a candidate for everything except the
                 * link-local reverse zones (169.254/16, fe80::/16) and
                 * single-label names; those fall through to the lines not shown. */
                if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
                    dns_name_endswith(domain, "0.8.e.f.ip6.arpa") == 0 &&
                    dns_name_single_label(domain) == 0)
                        return DNS_SCOPE_MAYBE;
                /* [listing gap: lines 356-358 not shown] */
        case DNS_PROTOCOL_MDNS:
                /* mDNS: reverse lookups for the scope's own address family,
                 * and names under .local, but not "local" itself and never our
                 * own hostname. */
                if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
                    (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
                    (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
                     dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
                     manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
                        return DNS_SCOPE_MAYBE;
                /* [listing gap: lines 366-368 not shown] */
        case DNS_PROTOCOL_LLMNR:
                /* LLMNR: reverse lookups for the scope's own address family,
                 * and single-label names only, excluding "gateway" and our own
                 * hostname: both are answered locally, so a peer must never be
                 * given the chance to claim them. */
                if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
                    (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
                    (dns_name_single_label(domain) > 0 && /* only resolve single label names via LLMNR */
                     !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
                     manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
                        return DNS_SCOPE_MAYBE;
                /* [listing gap: lines 376-379 not shown] */
        /* Every protocol value is handled above; anything else is a bug. */
        assert_not_reached("Unknown scope protocol");
        /* [listing gap: lines 381-383 not shown] */
int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
        /* Whether a lookup for `key` should be issued on this scope at all.
         * [listing gap: lines 385-387 not shown] */
        if (s->protocol == DNS_PROTOCOL_DNS)
                /* [listing gap: lines 389-390 not shown; unicast DNS presumably
                 * accepts every key] */
        /* On mDNS and LLMNR, send A and AAAA queries only on the
         * respective scopes */
        /* i.e. no AAAA questions over the IPv4 multicast scope and no A
         * questions over the IPv6 one; other classes and types are unaffected. */
        if (s->family == AF_INET && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_AAAA)
                /* [listing gap: lines 395-396 not shown] */
        if (s->family == AF_INET6 && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_A)
                /* [listing gap: lines 398-402 not shown] */
int dns_scope_llmnr_membership(DnsScope *s, bool b) {
        /* Join (b == true) or leave (b == false) the LLMNR multicast group on
         * the scope's link, using the manager's shared per-family LLMNR UDP
         * socket. No-op for non-LLMNR scopes. s->link is dereferenced without
         * a visible check, so it is presumably asserted in the lines not
         * shown (LLMNR scopes are per-link); confirm.
         * [listing gap: lines 404-407 not shown] */
        if (s->protocol != DNS_PROTOCOL_LLMNR)
                /* [listing gap: lines 409-412 not shown] */
        if (s->family == AF_INET) {
                /* ip_mreqn rather than ip_mreq so the group is bound to the link
                 * by interface index instead of by a local address. */
                struct ip_mreqn mreqn = {
                        .imr_multiaddr = LLMNR_MULTICAST_IPV4_ADDRESS,
                        .imr_ifindex = s->link->ifindex,
                /* [listing gap: lines 417-418 not shown] */
                fd = manager_llmnr_ipv4_udp_fd(s->manager);
                /* [listing gap: lines 420-422 not shown; presumably the fd < 0 check] */
                /* Always first try to drop membership before we add
                 * one. This is necessary on some devices, such as
                 * [listing gap: lines 425-426 not shown; rest of this comment] */
                /* The drop is best-effort (result deliberately ignored). */
                (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
                /* [listing gap: line 428 not shown] */
                if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
                        /* [listing gap: lines 430-431 not shown] */
        } else if (s->family == AF_INET6) {
                struct ipv6_mreq mreq = {
                        .ipv6mr_multiaddr = LLMNR_MULTICAST_IPV6_ADDRESS,
                        .ipv6mr_interface = s->link->ifindex,
                /* [listing gap: lines 436-437 not shown] */
                fd = manager_llmnr_ipv6_udp_fd(s->manager);
                /* [listing gap: lines 439-442 not shown] */
                (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
                /* [listing gap: line 444 not shown] */
                if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
                        /* [listing gap: lines 446-447 not shown] */
        /* Presumably `} else`: the only error return visible in this listing. */
                return -EAFNOSUPPORT;
        /* [listing gap: lines 449-452 not shown] */
static int dns_scope_make_reply_packet(
        /* [listing gap: lines 454-462 not shown: the parameter list and local
         * declarations. From the call in dns_scope_process_query() the
         * parameters are (s, id, rcode, q, answer, soa, tentative, ret).] */
        /* Build an LLMNR response: echo the question section q, place `answer`
         * in the answer section and `soa` in the additional section, and reuse
         * the transaction id of the query so the client can match the reply. */
        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
        /* [listing gap: lines 464-469 not shown] */
        /* Nothing to say at all: no question, no answer, no SOA. */
        if ((!q || q->n_keys <= 0)
            && (!answer || answer->n_rrs <= 0)
            && (!soa || soa->n_rrs <= 0))
                /* [listing gap: lines 473-474 not shown] */
        r = dns_packet_new(&p, s->protocol, 0);
        /* [listing gap: lines 476-478 not shown] */
        /* id is the incoming query's id (DNS_PACKET_ID(p) at the call site). */
        DNS_PACKET_HEADER(p)->id = id;
        DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
        /* [listing gap: lines 481-491 not shown: the flag arguments
         * (presumably the response bit, rcode and the tentative flag) and,
         * presumably, an `if (q)` guard for the loop below] */
        for (i = 0; i < q->n_keys; i++) {
                r = dns_packet_append_key(p, q->keys[i], NULL);
                /* [listing gap: lines 494-497 not shown] */
        DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
        /* [listing gap: lines 499-501 not shown; presumably `if (answer)`] */
        for (i = 0; i < answer->n_rrs; i++) {
                r = dns_packet_append_rr(p, answer->items[i].rr, NULL);
                /* [listing gap: lines 504-507 not shown] */
        /* The section counts go through htobe16() with no explicit range
         * check in this function; the RR counts come from our own zone. */
        DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
        /* [listing gap: lines 509-511 not shown; presumably `if (soa)`] */
        for (i = 0; i < soa->n_rrs; i++) {
                r = dns_packet_append_rr(p, soa->items[i].rr, NULL);
                /* [listing gap: lines 514-517 not shown] */
        /* SOA records are reported in the additional section. */
        DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
        /* [listing gap: lines 519-526 not shown] */
static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
        /* A peer sent an LLMNR packet with the C (conflict) bit set: hand
         * every key it mentions, from both the question and the answer
         * section, to dns_zone_verify_conflicts() for our own zone. What that
         * does with the key is outside this listing.
         * [listing gap: lines 528-533 not shown; presumably asserts and an
         * `if (p->question)` guard] */
        for (n = 0; n < p->question->n_keys; n++)
                dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
        /* [listing gap: line 536 not shown; presumably `if (p->answer)`] */
        for (n = 0; n < p->answer->n_rrs; n++)
                dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key);
        /* [listing gap: lines 539-540 not shown] */
void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
        /* Handle an incoming LLMNR query received on this scope, over UDP or
         * over TCP when `stream` is set: look the question up in our local
         * zone and answer it. Everything in p is untrusted network input.
         * Properties visible in this function:
         *  - only LLMNR is answered, and UDP queries only if they were sent
         *    to the LLMNR group address, not to one of our unicast addresses;
         *  - UDP replies go through the scope's rate limiter (the TCP/stream
         *    path does not, the connection itself being per-peer);
         *  - the reply is addressed to p->sender/p->sender_port as taken from
         *    the packet, so the multicast-destination check and the TTL/hop
         *    limit of 1 on the LLMNR sockets are what bound any use of this
         *    host as a reflector. */
        _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
        bool tentative = false;
        /* [listing gap: lines 545-549 not shown] */
        if (p->protocol != DNS_PROTOCOL_LLMNR)
                /* [listing gap: lines 551-552 not shown] */
        if (p->ipproto == IPPROTO_UDP) {
                /* Don't accept UDP queries directed to anything but
                 * the LLMNR multicast addresses. See RFC 4795,
                 * [listing gap: lines 556-557 not shown; rest of this comment] */
                if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
                        /* [listing gap: lines 559-560 not shown] */
                if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
                        /* [listing gap: lines 562-564 not shown] */
        /* Parse the wire format; on failure the packet is logged and
         * presumably dropped in the lines not shown. */
        r = dns_packet_extract(p);
        /* [listing gap: line 566 not shown] */
                log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
        /* [listing gap: lines 568-570 not shown] */
        if (DNS_PACKET_LLMNR_C(p)) {
                /* Somebody notified us about a possible conflict */
                dns_scope_verify_conflicts(s, p);
                /* [listing gap: lines 574-576 not shown] */
        r = dns_zone_lookup(&s->zone, p->question, &answer, &soa, &tentative);
        /* [listing gap: line 578 not shown] */
                log_debug_errno(r, "Failed to lookup key: %m");
        /* [listing gap: lines 580-585 not shown] */
        /* Prefer link-local addresses in the answer when the querier itself
         * used a link-local source address. */
        dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
        /* [listing gap: line 587 not shown] */
        r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
        /* [listing gap: line 589 not shown] */
                log_debug_errno(r, "Failed to build reply packet: %m");
        /* [listing gap: lines 591-594 not shown; presumably `if (stream)`] */
                r = dns_stream_write_packet(stream, reply);
        /* [listing gap: line 596 not shown; presumably `else {`] */
                /* UDP replies share the limiter with our own multicast sends. */
                if (!ratelimit_test(&s->ratelimit))
                        /* [listing gap: lines 598-599 not shown] */
                if (p->family == AF_INET)
                        fd = manager_llmnr_ipv4_udp_fd(s->manager);
                else if (p->family == AF_INET6)
                        fd = manager_llmnr_ipv6_udp_fd(s->manager);
                /* [listing gap: line 604 not shown; presumably `else {`] */
                        log_debug("Unknown protocol");
                /* [listing gap: lines 606-608 not shown] */
                        log_debug_errno(fd, "Failed to get reply socket: %m");
                /* [listing gap: lines 610-612 not shown] */
                /* Note that we always immediately reply to all LLMNR
                 * requests, and do not wait any time, since we
                 * verified uniqueness for all records. Also see RFC
                 * 4795, Section 2.7 */
                /* [listing gap: line 617 not shown] */
                r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
                /* [listing gap: lines 619-621 not shown] */
                        log_debug_errno(r, "Failed to send reply packet: %m");
        /* [listing gap: lines 623-626 not shown] */
DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
        /* Find an existing transaction for `key` on this scope so concurrent
         * queries can share one wire exchange. With cache_ok == false a
         * transaction that completed from cached data rather than a real
         * packet is not handed back (the full condition is not shown here).
         * [listing gap: lines 628-632 not shown] */
        /* Try to find an ongoing transaction that is a equal to the
         * specified question */
        t = hashmap_get(scope->transactions, key);
        /* [listing gap: lines 636-638 not shown] */
        /* Refuse reusing transactions that completed based on cached
         * data instead of a real packet, if that's requested. */
        /* [listing gap: line 641 not shown; start of this condition] */
            IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_FAILURE) &&
        /* [listing gap: lines 643-648 not shown; rest of the condition and
         * the return] */
static int dns_scope_make_conflict_packet(
        /* [listing gap: line 650 not shown; first parameter, presumably DnsScope *s] */
                DnsResourceRecord *rr,
        /* [listing gap: lines 652-653 not shown; remaining parameters] */
        /* Build the LLMNR conflict-notification packet for rr: one question
         * carrying rr's key and rr itself as the single additional-section
         * record (qdcount = 1, arcount = 1, no answer section). */
        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
        /* [listing gap: lines 655-660 not shown] */
        r = dns_packet_new(&p, s->protocol, 0);
        /* [listing gap: lines 662-664 not shown] */
        DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
        /* [listing gap: lines 666-674 not shown: the flag arguments. The C bit
         * is presumably set here, since dns_scope_process_query() routes
         * packets with DNS_PACKET_LLMNR_C() set to conflict verification.] */
        /* This packet is unsolicited, so give it a fresh random transaction
         * id instead of a predictable one. */
        random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
        DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
        DNS_PACKET_HEADER(p)->arcount = htobe16(1);
        r = dns_packet_append_key(p, rr->key, NULL);
        /* [listing gap: lines 680-682 not shown] */
        r = dns_packet_append_rr(p, rr, NULL);
        /* [listing gap: lines 684-692 not shown] */
static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
        /* Timer callback armed by dns_scope_notify_conflict(): drain the
         * scope's conflict queue, sending one conflict packet per queued RR.
         * fd -1 makes dns_scope_emit() use the manager's LLMNR multicast
         * socket and apply the scope's rate limiter. */
        DnsScope *scope = userdata;
        /* [listing gap: lines 695-699 not shown] */
        /* Drop the source first, so a notify arriving while we send can arm
         * a fresh timer. */
        scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
        /* [listing gap: lines 701-702 not shown; presumably the loop head] */
                _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
                _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
                /* Stealing moves the reference taken in dns_scope_notify_conflict()
                 * into rr; the cleanup attribute releases it each iteration. */
                rr = ordered_hashmap_steal_first(scope->conflict_queue);
                /* [listing gap: lines 707-709 not shown; presumably the
                 * empty-queue exit] */
                r = dns_scope_make_conflict_packet(scope, rr, &p);
                /* [listing gap: line 711 not shown] */
                        log_error_errno(r, "Failed to make conflict packet: %m");
                /* [listing gap: lines 713-715 not shown] */
                r = dns_scope_emit(scope, -1, p);
                /* [listing gap: line 717 not shown] */
                        log_debug_errno(r, "Failed to send conflict packet: %m");
        /* [listing gap: lines 719-723 not shown] */
int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
        /* Queue an LLMNR conflict notification for rr. Sending is deferred by
         * a random jitter below LLMNR_JITTER_INTERVAL_USEC and batched: only
         * one RR per key is queued and a single timer serves the whole queue,
         * which helps keep a burst of conflicting packets from a peer from
         * turning into a burst of conflict packets from us.
         * [listing gap: lines 725-730 not shown] */
        /* We don't send these queries immediately. Instead, we queue
         * them, and send them after some jitter delay. */
        r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
        /* [listing gap: lines 734-738 not shown] */
        /* We only place one RR per key in the conflict
         * messages, not all of them. That should be enough to
         * indicate where there might be a conflict */
        r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
        /* An entry for this key already exists (-EEXIST, or presumably 0 for
         * the identical RR): nothing new to queue and no extra reference taken. */
        if (r == -EEXIST || r == 0)
                /* [listing gap: lines 744-745 not shown] */
                return log_debug_errno(r, "Failed to queue conflicting RR: %m");
        /* [listing gap: line 747 not shown] */
        /* The queue now owns a reference; it is released by
         * on_conflict_dispatch() or, on teardown, by dns_scope_free(). */
        dns_resource_record_ref(rr);
        /* [listing gap: line 749 not shown] */
        /* A timer is already pending and will pick this RR up as well. */
        if (scope->conflict_event_source)
                /* [listing gap: lines 751-752 not shown] */
        /* Random delay so several hosts noticing the same conflict do not all
         * transmit at once. jitter itself is declared in lines not shown. */
        random_bytes(&jitter, sizeof(jitter));
        jitter %= LLMNR_JITTER_INTERVAL_USEC;
        /* [listing gap: line 755 not shown] */
        r = sd_event_add_time(scope->manager->event,
                              &scope->conflict_event_source,
                              clock_boottime_or_monotonic(),
                              now(clock_boottime_or_monotonic()) + jitter,
                              LLMNR_JITTER_INTERVAL_USEC,
                              on_conflict_dispatch, scope);
        /* [listing gap: line 762 not shown] */
                return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
        /* [listing gap: lines 764-767 not shown] */
768 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
775 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
778 if (DNS_PACKET_RRCOUNT(p
) <= 0)
781 if (DNS_PACKET_LLMNR_C(p
) != 0)
784 if (DNS_PACKET_LLMNR_T(p
) != 0)
787 if (manager_our_packet(scope
->manager
, p
))
790 r
= dns_packet_extract(p
);
792 log_debug_errno(r
, "Failed to extract packet: %m");
796 log_debug("Checking for conflicts...");
798 for (i
= 0; i
< p
->answer
->n_rrs
; i
++) {
800 /* Check for conflicts against the local zone. If we
801 * found one, we won't check any further */
802 r
= dns_zone_check_conflicts(&scope
->zone
, p
->answer
->items
[i
].rr
);
806 /* Check for conflicts against the local cache. If so,
807 * send out an advisory query, to inform everybody */
808 r
= dns_cache_check_conflicts(&scope
->cache
, p
->answer
->items
[i
].rr
, p
->family
, &p
->sender
);
812 dns_scope_notify_conflict(scope
, p
->answer
->items
[i
].rr
);