1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <netinet/tcp.h>
26 #include "socket-util.h"
28 #include "random-util.h"
29 #include "hostname-util.h"
30 #include "dns-domain.h"
31 #include "resolved-llmnr.h"
32 #include "resolved-dns-scope.h"
/* Per-scope token bucket for multicast traffic: at most MULTICAST_RATELIMIT_BURST
 * packets per MULTICAST_RATELIMIT_INTERVAL_USEC. The same bucket is consulted by
 * dns_scope_emit() before an LLMNR send and by dns_scope_process_query() before
 * a UDP reply, so outgoing queries and replies on one scope share this budget. */
#define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
#define MULTICAST_RATELIMIT_BURST 1000
/* Allocates a new DnsScope for protocol/family on link l (l may be NULL, see the
 * log line), links it into m->dns_scopes, joins the LLMNR multicast group and
 * initializes the scope's multicast rate limit.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
        /* [omitted 38-42] */

        s = new0(DnsScope, 1);
        /* [omitted 44-48] */

        s->protocol = protocol;
        /* [omitted 50-51] */

        LIST_PREPEND(scopes, m->dns_scopes, s);
        /* [omitted 53] */

        /* NOTE(review): the return value is not checked here, so a failed
         * multicast group join is only visible through whatever
         * dns_scope_llmnr_membership() itself does on error (its error path
         * is not fully shown in this excerpt). The callee returns early for
         * non-LLMNR scopes. */
        dns_scope_llmnr_membership(s, true);
        /* [omitted 55] */

        log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
        /* [omitted 57] */

        /* Enforce ratelimiting for the multicast protocols. This bucket is
         * tested by dns_scope_emit() for LLMNR sends and by
         * dns_scope_process_query() for UDP replies. */
        RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
        /* [omitted 60-64] */
/* Tears down a scope: leaves the LLMNR group, aborts and frees every pending
 * transaction, drops the queued conflict RRs and their timer, flushes cache and
 * zone, unlinks the scope from its manager and frees its domain list.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
DnsScope* dns_scope_free(DnsScope *s) {
        /* [omitted 66] */
        DnsResourceRecord *rr;
        /* [omitted 68-71] */

        log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
        /* [omitted 73] */

        dns_scope_llmnr_membership(s, false);
        /* [omitted 75] */

        while ((t = s->transactions)) {
                /* [omitted 77] */
                /* Abort the transaction, but make sure it is not
                 * freed while we still look at it */
                /* [omitted 80-81] */
                dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
                /* [omitted 83-84] */
                dns_transaction_free(t);
        /* [omitted 86-87] */

        /* Every queued RR carries the reference taken in
         * dns_scope_notify_conflict(); stealing it out of the map and
         * unref'ing it releases exactly that reference. */
        while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
                dns_resource_record_unref(rr);
        /* [omitted 90] */

        ordered_hashmap_free(s->conflict_queue);
        sd_event_source_unref(s->conflict_event_source);
        /* [omitted 93] */

        dns_cache_flush(&s->cache);
        dns_zone_flush(&s->zone);
        /* [omitted 96] */

        LIST_REMOVE(scopes, s->manager->dns_scopes, s);
        strv_free(s->domains);
        /* [omitted 99-103] */
/* Returns the upstream server currently selected for a unicast-DNS scope: the
 * link's server when the scope is bound to a link, else the manager's. For
 * LLMNR/mDNS scopes the result is produced in the omitted lines.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
DnsServer *dns_scope_get_dns_server(DnsScope *s) {
        /* [omitted 105-106] */

        if (s->protocol != DNS_PROTOCOL_DNS)
                /* [omitted 108-110] */
                /* Reached under a condition in the omitted lines (presumably on
                 * s->link - confirm against the full file). */
                return link_get_dns_server(s->link);
        /* [omitted 112] */

        return manager_get_dns_server(s->manager);
        /* [omitted 114-115] */
/* Advances to the next upstream server for a unicast-DNS scope, on the link or
 * on the manager depending on where the scope is bound. Non-DNS scopes return
 * in the omitted lines.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
void dns_scope_next_dns_server(DnsScope *s) {
        /* [omitted 117-118] */

        if (s->protocol != DNS_PROTOCOL_DNS)
                /* [omitted 120-122] */
                /* Reached under a condition in the omitted lines (presumably on
                 * s->link - confirm against the full file). */
                link_next_dns_server(s->link);
        /* [omitted 124] */

        manager_next_dns_server(s->manager);
        /* [omitted 126-127] */
/* Sends packet p on scope s. Unicast DNS goes out over the transaction's
 * server socket after size checks; LLMNR goes to the protocol's multicast
 * group, subject to the scope's rate limit. server (if non-NULL) is an output
 * for the server used; its assignment is in omitted lines.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
int dns_scope_emit(DnsScope *s, DnsTransaction *t, DnsPacket *p, DnsServer **server) {
        DnsServer *srv = NULL;
        union in_addr_union addr;
        /* [omitted 131-138] */

        assert(p->protocol == s->protocol);
        /* [omitted 140-142] */

        /* NOTE(review): s->link is dereferenced here; whether a NULL check sits
         * in the omitted line(s) just above cannot be seen in this excerpt.
         * dns_scope_socket() and dns_scope_good_domain() in this file do guard
         * s->link explicitly. */
        ifindex = s->link->ifindex;
        /* [omitted 144] */

        mtu = manager_find_mtu(s->manager);
        /* [omitted 146] */

        if (s->protocol == DNS_PROTOCOL_DNS) {
                /* Unicast DNS carries a single question per packet. */
                if (DNS_PACKET_QDCOUNT(p) > 1)
                        /* [omitted 149-150] */

                /* Refuse over-sized UDP payloads: the unicast maximum and the
                 * MTU reported by manager_find_mtu() (plus UDP header) are both
                 * hard limits; the rejection paths are in omitted lines. */
                if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
                        /* [omitted 152-153] */

                if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
                        /* [omitted 155-156] */

                /* The transaction supplies the socket and the server it targets
                 * (presumably created through dns_scope_udp_dns_socket(), which
                 * connect()s to that server - confirm). */
                fd = transaction_dns_fd(t, &srv);
                /* [omitted 158-160] */

                family = srv->family;
                /* [omitted 162-164] */

        } else if (s->protocol == DNS_PROTOCOL_LLMNR) {
                /* [omitted 166] */
                if (DNS_PACKET_QDCOUNT(p) > 1)
                        /* [omitted 168-169] */

                /* Multicast sends are rate limited per scope (bucket set up in
                 * dns_scope_new()). This bounds how much LLMNR traffic a burst
                 * of lookups or conflict notifications can place on the link;
                 * the behaviour when the bucket is empty is in omitted lines. */
                if (!ratelimit_test(&s->ratelimit))
                        /* [omitted 171-175] */

                /* LLMNR is always addressed to the group address of the family;
                 * the shared manager socket for that family carries it. */
                if (family == AF_INET) {
                        addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
                        fd = manager_llmnr_ipv4_udp_fd(s->manager);
                } else if (family == AF_INET6) {
                        addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
                        fd = manager_llmnr_ipv6_udp_fd(s->manager);
                /* [omitted 182] */
                        return -EAFNOSUPPORT;
                /* [omitted 184-186] */
                return -EAFNOSUPPORT;
        /* [omitted 188] */

        r = manager_send(s->manager, fd, ifindex, family, &addr, port, p);
        /* [omitted 190-198] */
/* Creates and connect()s a socket of the given type for this scope. With
 * family == AF_UNSPEC (and address == NULL) the peer is the scope's current
 * DNS server; otherwise it is address:port. On success the descriptor is
 * handed to the caller in the omitted tail of the function; on error a
 * negative errno-style value is returned.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
static int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
        DnsServer *srv = NULL;
        /* Closed automatically on every early return below; the success path
         * that transfers ownership to the caller is in the omitted tail. */
        _cleanup_close_ int fd = -1;
        union sockaddr_union sa = {};
        /* [omitted 203] */
        static const int one = 1;
        /* [omitted 205-207] */

        /* Either both a family and an address are given, or neither. */
        assert((family == AF_UNSPEC) == !address);
        /* [omitted 209] */

        if (family == AF_UNSPEC) {
                srv = dns_scope_get_dns_server(s);
                /* [omitted 212-214] */

                sa.sa.sa_family = srv->family;
                if (srv->family == AF_INET) {
                        sa.in.sin_port = htobe16(port);
                        sa.in.sin_addr = srv->address.in;
                        salen = sizeof(sa.in);
                } else if (srv->family == AF_INET6) {
                        sa.in6.sin6_port = htobe16(port);
                        sa.in6.sin6_addr = srv->address.in6;
                        /* Pin (link-local) IPv6 peers to this scope's interface. */
                        sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
                        salen = sizeof(sa.in6);
                /* [omitted 225] */
                        return -EAFNOSUPPORT;
                /* [omitted 227] */
                sa.sa.sa_family = family;
                /* [omitted 229] */
                if (family == AF_INET) {
                        sa.in.sin_port = htobe16(port);
                        sa.in.sin_addr = address->in;
                        salen = sizeof(sa.in);
                } else if (family == AF_INET6) {
                        sa.in6.sin6_port = htobe16(port);
                        sa.in6.sin6_addr = address->in6;
                        sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
                        salen = sizeof(sa.in6);
                /* [omitted 239] */
                        return -EAFNOSUPPORT;
        /* [omitted 241-242] */

        /* SOCK_CLOEXEC keeps the descriptor out of any child process;
         * SOCK_NONBLOCK makes a TCP connect() return EINPROGRESS (see below). */
        fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
        /* [omitted 244-246] */

        if (type == SOCK_STREAM) {
                r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
                /* [omitted 249-253] */

        /* Declared inside a block whose opening line (253) is omitted; s->link
         * is dereferenced without a guard visible here. IP_UNICAST_IF and
         * IPV6_UNICAST_IF take the interface index in network byte order,
         * hence htobe32(). Forcing egress through the scope's link keeps a
         * per-link resolver's traffic from leaving via another interface. */
        uint32_t ifindex = htobe32(s->link->ifindex);
        /* [omitted 255] */
        if (sa.sa.sa_family == AF_INET) {
                r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
                /* [omitted 258-259] */
        } else if (sa.sa.sa_family == AF_INET6) {
                r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
                /* [omitted 262-266] */

        if (s->protocol == DNS_PROTOCOL_LLMNR) {
                /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
                /* Limiting the hop count to 1 keeps LLMNR on the local link
                 * even if a host were to unicast it; the IPv6 counterpart of
                 * IP_TTL is IPV6_UNICAST_HOPS. */
                /* [omitted 269] */
                if (sa.sa.sa_family == AF_INET) {
                        r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
                        /* [omitted 272-273] */
                } else if (sa.sa.sa_family == AF_INET6) {
                        r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
                        /* [omitted 276-280] */

        /* For SOCK_DGRAM this fixes the peer: Linux then delivers only datagrams
         * from that address/port to the socket, so off-path "answers" from any
         * other source are discarded before user space ever sees them. For
         * SOCK_STREAM a non-blocking connect() legitimately returns
         * EINPROGRESS. */
        r = connect(fd, &sa.sa, salen);
        if (r < 0 && errno != EINPROGRESS)
                /* [omitted 283-293] */
/* Opens a connected UDP socket towards the scope's currently selected DNS
 * server on the standard DNS port. Passing AF_UNSPEC with no address makes
 * dns_scope_socket() pick the server itself; *server receives the one used. */
int dns_scope_udp_dns_socket(DnsScope *s, DnsServer **server) {
        const uint16_t dns_port = 53;

        return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, dns_port, server);
}
/* Opens a TCP socket towards an explicitly given address and port on this
 * scope (dns_scope_socket() asserts that family and address are given
 * together). The connect() is non-blocking; *server receives the server used
 * when dns_scope_socket() resolves one. */
int dns_scope_tcp_socket(DnsScope *s, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
        const int type = SOCK_STREAM;

        return dns_scope_socket(s, type, family, address, port, server);
}
/* Decides whether domain may be looked up on scope s: DNS_SCOPE_YES for a
 * configured search domain, DNS_SCOPE_MAYBE for names the scope's protocol is
 * generally responsible for; the negative results are returned in omitted
 * lines. ifindex != 0 restricts the match to that link; flags is a
 * SD_RESOLVED_FLAGS_MAKE() mask of acceptable protocol/family combinations.
 * The dns_name_*() helpers are tri-state: >0 match, 0 no match, <0 error.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
        /* [omitted 303-307] */

        /* A caller-specified interface must be this scope's link. */
        if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
                /* [omitted 309-310] */

        /* The caller's protocol/family mask must include this scope. */
        if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family) & flags) == 0)
                /* [omitted 312-313] */

        /* Configured search/routing domains win outright; an error from
         * dns_name_endswith() (<0) does not count as a match. */
        STRV_FOREACH(i, s->domains)
                if (dns_name_endswith(domain, *i) > 0)
                        return DNS_SCOPE_YES;
        /* [omitted 317] */

        /* The root name - and, because the test is != 0, any dns_name_root()
         * error - is handled in the omitted lines. */
        if (dns_name_root(domain) != 0)
                /* [omitted 319-320] */

        if (is_localhost(domain))
                /* [omitted 322-323] */

        if (s->protocol == DNS_PROTOCOL_DNS) {
                /* Keep link-local reverse zones and single-label names away from
                 * unicast DNS; those are handled by the multicast scopes below,
                 * so a bare hostname is not leaked to the upstream resolver.
                 * Because every term is compared with == 0, a negative (error)
                 * return from any helper makes the whole condition false and a
                 * malformed name never gets DNS_SCOPE_MAYBE here (fail closed). */
                if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
                    dns_name_endswith(domain, "0.8.e.f.ip6.arpa") == 0 &&
                    dns_name_single_label(domain) == 0)
                        return DNS_SCOPE_MAYBE;
                /* [omitted 329-332] */

        if (s->protocol == DNS_PROTOCOL_MDNS) {
                /* mDNS: link-local reverse zones and names below "local" (but
                 * not "local" itself). */
                if (dns_name_endswith(domain, "254.169.in-addr.arpa") > 0 ||
                    dns_name_endswith(domain, "0.8.e.f.ip6.arpa") > 0 ||
                    (dns_name_endswith(domain, "local") > 0 && dns_name_equal(domain, "local") == 0))
                        return DNS_SCOPE_MAYBE;
                /* [omitted 338-341] */

        if (s->protocol == DNS_PROTOCOL_LLMNR) {
                /* LLMNR: any reverse zone, and single-label names other than
                 * "gateway". NOTE(review): with <= 0 an error from
                 * dns_name_equal() is treated like "not gateway". */
                if (dns_name_endswith(domain, "in-addr.arpa") > 0 ||
                    dns_name_endswith(domain, "ip6.arpa") > 0 ||
                    (dns_name_single_label(domain) > 0 &&
                     dns_name_equal(domain, "gateway") <= 0)) /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
                        return DNS_SCOPE_MAYBE;
                /* [omitted 348-351] */

        assert_not_reached("Unknown scope protocol");
        /* [omitted 353-354] */
/* Decides whether a resource key is worth querying on this scope. Unicast DNS
 * is handled in the omitted branch body; for the multicast protocols an AAAA
 * query is not sent on an IPv4 scope and an A query not on an IPv6 scope (the
 * return values themselves are in omitted lines).
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
        /* [omitted 356-358] */

        if (s->protocol == DNS_PROTOCOL_DNS)
                /* [omitted 360-361] */

        /* On mDNS and LLMNR, send A and AAAA queries only on the
         * respective scopes */
        /* [omitted 364] */
        if (s->family == AF_INET && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_AAAA)
                /* [omitted 366-367] */

        if (s->family == AF_INET6 && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_A)
                /* [omitted 369-373] */
/* Joins (b == true) or leaves (b == false) the LLMNR multicast group of this
 * scope's family on the manager's shared LLMNR UDP socket, bound to the
 * scope's interface index. Non-LLMNR scopes return early (omitted).
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
int dns_scope_llmnr_membership(DnsScope *s, bool b) {
        /* [omitted 375-378] */

        if (s->protocol != DNS_PROTOCOL_LLMNR)
                /* [omitted 380-383] */

        if (s->family == AF_INET) {
                /* NOTE(review): s->link is dereferenced in the initializer; any
                 * NULL check would be in the omitted lines 380-383. */
                struct ip_mreqn mreqn = {
                        .imr_multiaddr = LLMNR_MULTICAST_IPV4_ADDRESS,
                        .imr_ifindex = s->link->ifindex,
                /* [omitted 388-389] */

                fd = manager_llmnr_ipv4_udp_fd(s->manager);
                /* [omitted 391-393] */

                /* Always first try to drop membership before we add
                 * one. This is necessary on some devices, such as
                 * [comment continues in omitted lines 396-397] */
                /* The preliminary drop is best effort; its result is ignored on
                 * purpose. Only the add/drop requested by the caller is checked. */
                (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
                /* [omitted 399] */
                if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
                        /* [omitted 401-402] */

        } else if (s->family == AF_INET6) {
                struct ipv6_mreq mreq = {
                        .ipv6mr_multiaddr = LLMNR_MULTICAST_IPV6_ADDRESS,
                        .ipv6mr_interface = s->link->ifindex,
                /* [omitted 407-408] */

                fd = manager_llmnr_ipv6_udp_fd(s->manager);
                /* [omitted 410-413] */

                /* Same drop-then-apply sequence as for IPv4. */
                (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
                /* [omitted 415] */
                if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
                        /* [omitted 417-418] */
                return -EAFNOSUPPORT;
        /* [omitted 420-423] */
/* Builds an LLMNR response packet on scope s. The parameter list is in the
 * omitted lines 425-433; the only call in this file, in
 * dns_scope_process_query(), passes the scope, the query's packet id, a
 * response code, the question, the answer and SOA record sets, the tentative
 * flag and an output pointer - matching the names s, id, q, answer, soa used
 * below (confirm the rest against the full file).
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
static int dns_scope_make_reply_packet(
        /* [omitted 425-433] */
        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
        /* [omitted 435-440] */

        /* Nothing to reply with: no question, no answers and no SOA. What is
         * returned in that case is in the omitted lines. Note that each of q,
         * answer and soa is allowed to be NULL here, so the loops further down
         * must be guarded in the omitted lines - confirm. */
        if ((!q || q->n_keys <= 0)
            && (!answer || answer->n_rrs <= 0)
            && (!soa || soa->n_rrs <= 0))
                /* [omitted 444-445] */

        r = dns_packet_new(&p, s->protocol, 0);
        /* [omitted 447-449] */

        /* Echo the querier's transaction id so it can match the reply;
         * the flag arguments follow in omitted lines. */
        DNS_PACKET_HEADER(p)->id = id;
        DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
        /* [omitted 452-462] */
                for (i = 0; i < q->n_keys; i++) {
                        r = dns_packet_append_key(p, q->keys[i], NULL);
                        /* [omitted 465-468] */
                DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
                /* [omitted 470-472] */
                for (i = 0; i < answer->n_rrs; i++) {
                        r = dns_packet_append_rr(p, answer->rrs[i], NULL);
                        /* [omitted 475-478] */
                DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
                /* [omitted 480-482] */
                /* NOTE(review): the SOA records are appended after the answers
                 * and counted in arcount (additional section) rather than
                 * nscount (authority) - confirm this is the intended layout. */
                for (i = 0; i < soa->n_rrs; i++) {
                        r = dns_packet_append_rr(p, soa->rrs[i], NULL);
                        /* [omitted 485-488] */
                DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
                /* [omitted 490-497] */
/* Handles a received LLMNR packet carrying the C (conflict) bit: every key in
 * its question and answer sections is passed to dns_zone_verify_conflicts()
 * against our local zone. Called from dns_scope_process_query(), i.e. once per
 * such packet a peer sends; any guards on p->question / p->answer being
 * non-NULL would be in the omitted lines.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
        /* [omitted 499-504] */
        for (n = 0; n < p->question->n_keys; n++)
                dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
        /* [omitted 507] */
        for (n = 0; n < p->answer->n_rrs; n++)
                dns_zone_verify_conflicts(&s->zone, p->answer->rrs[n]->key);
        /* [omitted 510-511] */
/* Answers an incoming LLMNR query p on scope s. When a stream is given the
 * reply is apparently written back on it (TCP); otherwise the reply is sent
 * over UDP to the packet's recorded sender via the manager's LLMNR socket.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
        _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
        bool tentative = false;
        /* [omitted 516-520] */

        /* Only LLMNR queries are served here. */
        if (p->protocol != DNS_PROTOCOL_LLMNR)
                /* [omitted 522-523] */

        if (p->ipproto == IPPROTO_UDP) {
                /* Don't accept UDP queries directed to anything but
                 * the LLMNR multicast addresses. See RFC 4795,
                 * [comment continues in omitted lines 527-528] */
                /* Security: the reply below goes to p->sender, so refusing
                 * unicast-addressed UDP queries (and the rate limit further
                 * down) is what keeps this host from being used to answer
                 * arbitrary directed queries. */
                if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
                        /* [omitted 530-531] */

                if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
                        /* [omitted 533-535] */

        /* Parse the untrusted wire data into p->question / p->answer; the
         * surrounding control flow of the error path is omitted. */
        r = dns_packet_extract(p);
        /* [omitted 537] */
                log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
        /* [omitted 539-541] */

        if (DNS_PACKET_LLMNR_C(p)) {
                /* Somebody notified us about a possible conflict */
                dns_scope_verify_conflicts(s, p);
        /* [omitted 545-547] */

        r = dns_zone_lookup(&s->zone, p->question, &answer, &soa, &tentative);
        /* [omitted 549] */
                log_debug_errno(r, "Failed to lookup key: %m");
        /* [omitted 551-556] */

        /* Put link-local addresses first when the querier itself used a
         * link-local source address. */
        dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
        /* [omitted 558] */

        r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
        /* [omitted 560] */
                log_debug_errno(r, "Failed to build reply packet: %m");
        /* [omitted 562-565] */

        /* Stream case: answer on the connection the query arrived on. */
                r = dns_stream_write_packet(stream, reply);
        /* [omitted 567] */

                /* UDP case: replies draw from the scope's multicast rate limit
                 * (set up in dns_scope_new()); what happens when it is
                 * exhausted is in omitted lines. */
                if (!ratelimit_test(&s->ratelimit))
                        /* [omitted 569-570] */

                if (p->family == AF_INET)
                        fd = manager_llmnr_ipv4_udp_fd(s->manager);
                else if (p->family == AF_INET6)
                        fd = manager_llmnr_ipv6_udp_fd(s->manager);
                /* [omitted 575] */
                        /* NOTE(review): this branch is reached on an unexpected
                         * address family, not an unknown protocol; "Unknown
                         * address family" would describe it. */
                        log_debug("Unknown protocol");
                /* [omitted 577-579] */
                        log_debug_errno(fd, "Failed to get reply socket: %m");
                /* [omitted 581-583] */

                /* Note that we always immediately reply to all LLMNR
                 * requests, and do not wait any time, since we
                 * verified uniqueness for all records. Also see RFC
                 * 4795, Section 2.7 */
                /* [omitted 588] */
                /* Reply to the recorded sender address/port on the interface
                 * the query arrived on. NOTE(review): nothing visible here
                 * checks that the sender is on-link; if such a check exists it
                 * lives in the receive path outside this excerpt - confirm. */
                r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
                /* [omitted 590-592] */
                        log_debug_errno(r, "Failed to send reply packet: %m");
        /* [omitted 594-597] */
/* Looks for an existing transaction on scope whose question equals or is a
 * superset of question, so a new lookup can reuse it. The role of cache_ok
 * is only partly visible: the comment and the IN_SET() fragment below show
 * that completed transactions may be refused depending on whether their
 * result came from a real packet.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsQuestion *question, bool cache_ok) {
        /* [omitted 599-603] */

        /* Try to find an ongoing transaction that is a equal or a
         * superset of the specified question */
        /* [omitted 606] */
        LIST_FOREACH(transactions_by_scope, t, scope->transactions) {
                /* [omitted 608] */
                /* Refuse reusing transactions that completed based on
                 * cached data instead of a real packet, if that's
                 * [comment continues in omitted lines 611-612] */
                    IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_FAILURE) &&
                /* [omitted 614-616] */

                /* Superset test is tri-state; only a positive result matches. */
                if (dns_question_is_superset(t->question, question) > 0)
                /* [omitted 618-623] */
/* Builds an LLMNR conflict notification for rr: a packet with one question
 * (rr->key) and the conflicting record itself as the single additional
 * record. The remaining parameters and the flag arguments are in omitted
 * lines; the caller in this file is on_conflict_dispatch(scope, rr, &p).
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
static int dns_scope_make_conflict_packet(
        /* [omitted 625] */
                DnsResourceRecord *rr,
        /* [omitted 627-628] */
        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
        /* [omitted 630-635] */

        r = dns_packet_new(&p, s->protocol, 0);
        /* [omitted 637-639] */

        DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
        /* [omitted 641-649] */

        /* Fresh random transaction id from random_bytes() (random-util.h)
         * rather than a counter, so ids are not predictable across packets. */
        random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
        DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
        DNS_PACKET_HEADER(p)->arcount = htobe16(1);
        /* [omitted 653] */

        r = dns_packet_append_key(p, rr->key, NULL);
        /* [omitted 655-657] */

        r = dns_packet_append_rr(p, rr, NULL);
        /* [omitted 659-667] */
/* Timer callback armed by dns_scope_notify_conflict(). Releases its event
 * source, then (apparently inside a loop whose opening is omitted) takes queued
 * RRs out of the conflict queue one at a time and multicasts a conflict packet
 * for each.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
        DnsScope *scope = userdata;
        /* [omitted 670-674] */

        /* Clearing the pointer lets the next dns_scope_notify_conflict() arm
         * a new timer. */
        scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
        /* [omitted 676-677] */
                _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
                _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
                /* [omitted 680] */
                /* Takes over the reference dns_scope_notify_conflict() stored
                 * in the queue; the cleanup attribute releases it. */
                rr = ordered_hashmap_steal_first(scope->conflict_queue);
                /* [omitted 682-684] */

                r = dns_scope_make_conflict_packet(scope, rr, &p);
                /* [omitted 686] */
                        log_error_errno(r, "Failed to make conflict packet: %m");
                /* [omitted 688-690] */

                /* No transaction and no server output: dns_scope_emit() uses
                 * those only on its unicast-DNS path; the LLMNR path sends to
                 * the multicast group under the scope's rate limit. */
                r = dns_scope_emit(scope, NULL, p, NULL);
                /* [omitted 692] */
                        log_debug_errno(r, "Failed to send conflict packet: %m");
        /* [omitted 694-698] */
/* Queues rr for a conflict notification on scope and, if no timer is pending,
 * arms on_conflict_dispatch() after a random jitter. The visible error paths
 * return a negative errno-style value via log_debug_errno(); the result for an
 * already-queued key is in omitted lines.
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
        /* [omitted 700-705] */

        /* We don't send these queries immediately. Instead, we queue
         * them, and send them after some jitter delay. */
        r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
        /* [omitted 709-713] */

        /* We only place one RR per key in the conflict
         * messages, not all of them. That should be enough to
         * indicate where there might be a conflict */
        r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
        /* Same key already queued (-EEXIST, or 0 for the identical entry):
         * handled in the omitted line. This also caps the queue at one entry
         * per key, so a flood of conflicting answers for one name cannot grow
         * it without bound. */
        if (r == -EEXIST || r == 0)
                /* [omitted 719-720] */
                return log_debug_errno(r, "Failed to queue conflicting RR: %m");
        /* [omitted 722] */

        /* The queue now owns a reference; it is released by
         * on_conflict_dispatch() or dns_scope_free(). */
        dns_resource_record_ref(rr);
        /* [omitted 724] */

        /* One pending timer per scope coalesces all queued conflicts. */
        if (scope->conflict_event_source)
                /* [omitted 726-727] */

        /* Random delay in [0, LLMNR_JITTER_INTERVAL_USEC); the modulo bias is
         * irrelevant for a jitter. */
        random_bytes(&jitter, sizeof(jitter));
        jitter %= LLMNR_JITTER_INTERVAL_USEC;
        /* [omitted 730] */

        /* Boottime-or-monotonic clock: unaffected by wall-clock changes. */
        r = sd_event_add_time(scope->manager->event,
                              &scope->conflict_event_source,
                              clock_boottime_or_monotonic(),
                              now(clock_boottime_or_monotonic()) + jitter,
                              LLMNR_JITTER_INTERVAL_USEC,
                              on_conflict_dispatch, scope);
        /* [omitted 737] */
                return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
        /* [omitted 739-742] */
/* Inspects the answer records of a received LLMNR packet for conflicts with
 * our own zone and with the cache; a cache conflict is announced on the link
 * through dns_scope_notify_conflict().
 * Excerpt: [omitted N-M] markers stand for original source lines this listing
 * does not show; nothing is claimed about them. */
void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
        /* [omitted 744-749] */

        if (p->protocol != DNS_PROTOCOL_LLMNR)
                /* [omitted 751-752] */

        /* Nothing to check without resource records. */
        if (DNS_PACKET_RRCOUNT(p) <= 0)
                /* [omitted 754-755] */

        /* Packets with the conflict (C) or tentative (T) bit set are not
         * authoritative claims; their handling is in the omitted lines. */
        if (DNS_PACKET_LLMNR_C(p) != 0)
                /* [omitted 757-758] */

        if (DNS_PACKET_LLMNR_T(p) != 0)
                /* [omitted 760-761] */

        /* Our own multicast echo must not be read as a conflict with ourselves. */
        if (manager_our_packet(scope->manager, p))
                /* [omitted 763-764] */

        /* Untrusted wire data is parsed here; the error path's control flow is
         * omitted. */
        r = dns_packet_extract(p);
        /* [omitted 766] */
                log_debug_errno(r, "Failed to extract packet: %m");
        /* [omitted 768-770] */

        log_debug("Checking for conflicts...");
        /* [omitted 772] */
        for (i = 0; i < p->answer->n_rrs; i++) {
                /* [omitted 774] */
                /* Check for conflicts against the local zone. If we
                 * found one, we won't check any further */
                r = dns_zone_check_conflicts(&scope->zone, p->answer->rrs[i]);
                /* [omitted 778-780] */

                /* Check for conflicts against the local cache. If so,
                 * send out an advisory query, to inform everybody */
                r = dns_cache_check_conflicts(&scope->cache, p->answer->rrs[i], p->family, &p->sender);
                /* [omitted 784-786] */
                        /* A remote packet can trigger this multicast; it is
                         * bounded by the one-entry-per-key queue and the jitter
                         * in dns_scope_notify_conflict() and by the scope rate
                         * limit in dns_scope_emit(). */
                        dns_scope_notify_conflict(scope, p->answer->rrs[i]);