1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <netinet/tcp.h>
26 #include "socket-util.h"
28 #include "random-util.h"
29 #include "hostname-util.h"
30 #include "dns-domain.h"
31 #include "resolved-llmnr.h"
32 #include "resolved-dns-scope.h"
34 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
35 #define MULTICAST_RATELIMIT_BURST 1000
37 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
38 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
39 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
41 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
47 s
= new0(DnsScope
, 1);
53 s
->protocol
= protocol
;
55 s
->resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
;
57 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
59 dns_scope_llmnr_membership(s
, true);
61 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
63 /* Enforce ratelimiting for the multicast protocols */
64 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
70 DnsScope
* dns_scope_free(DnsScope
*s
) {
72 DnsResourceRecord
*rr
;
77 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
79 dns_scope_llmnr_membership(s
, false);
81 while ((t
= s
->transactions
)) {
83 /* Abort the transaction, but make sure it is not
84 * freed while we still look at it */
87 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
90 dns_transaction_free(t
);
93 while ((rr
= ordered_hashmap_steal_first(s
->conflict_queue
)))
94 dns_resource_record_unref(rr
);
96 ordered_hashmap_free(s
->conflict_queue
);
97 sd_event_source_unref(s
->conflict_event_source
);
99 dns_cache_flush(&s
->cache
);
100 dns_zone_flush(&s
->zone
);
102 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
103 strv_free(s
->domains
);
109 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
112 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
116 return link_get_dns_server(s
->link
);
118 return manager_get_dns_server(s
->manager
);
121 void dns_scope_next_dns_server(DnsScope
*s
) {
124 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
128 link_next_dns_server(s
->link
);
130 manager_next_dns_server(s
->manager
);
133 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
136 if (rtt
> s
->max_rtt
) {
138 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2),
139 MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
143 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
146 if (s
->resend_timeout
<= usec
)
147 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
150 int dns_scope_emit(DnsScope
*s
, int fd
, DnsPacket
*p
) {
151 union in_addr_union addr
;
159 assert(p
->protocol
== s
->protocol
);
160 assert((s
->protocol
== DNS_PROTOCOL_DNS
) != (fd
< 0));
164 ifindex
= s
->link
->ifindex
;
166 mtu
= manager_find_mtu(s
->manager
);
168 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
169 if (DNS_PACKET_QDCOUNT(p
) > 1)
172 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
175 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
178 r
= manager_write(s
->manager
, fd
, p
);
182 } else if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
184 if (DNS_PACKET_QDCOUNT(p
) > 1)
187 if (!ratelimit_test(&s
->ratelimit
))
193 if (family
== AF_INET
) {
194 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
195 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
196 } else if (family
== AF_INET6
) {
197 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
198 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
200 return -EAFNOSUPPORT
;
204 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, port
, p
);
208 return -EAFNOSUPPORT
;
213 static int dns_scope_socket(DnsScope
*s
, int type
, int family
, const union in_addr_union
*address
, uint16_t port
, DnsServer
**server
) {
214 DnsServer
*srv
= NULL
;
215 _cleanup_close_
int fd
= -1;
216 union sockaddr_union sa
= {};
218 static const int one
= 1;
222 assert((family
== AF_UNSPEC
) == !address
);
224 if (family
== AF_UNSPEC
) {
225 srv
= dns_scope_get_dns_server(s
);
229 sa
.sa
.sa_family
= srv
->family
;
230 if (srv
->family
== AF_INET
) {
231 sa
.in
.sin_port
= htobe16(port
);
232 sa
.in
.sin_addr
= srv
->address
.in
;
233 salen
= sizeof(sa
.in
);
234 } else if (srv
->family
== AF_INET6
) {
235 sa
.in6
.sin6_port
= htobe16(port
);
236 sa
.in6
.sin6_addr
= srv
->address
.in6
;
237 sa
.in6
.sin6_scope_id
= s
->link
? s
->link
->ifindex
: 0;
238 salen
= sizeof(sa
.in6
);
240 return -EAFNOSUPPORT
;
242 sa
.sa
.sa_family
= family
;
244 if (family
== AF_INET
) {
245 sa
.in
.sin_port
= htobe16(port
);
246 sa
.in
.sin_addr
= address
->in
;
247 salen
= sizeof(sa
.in
);
248 } else if (family
== AF_INET6
) {
249 sa
.in6
.sin6_port
= htobe16(port
);
250 sa
.in6
.sin6_addr
= address
->in6
;
251 sa
.in6
.sin6_scope_id
= s
->link
? s
->link
->ifindex
: 0;
252 salen
= sizeof(sa
.in6
);
254 return -EAFNOSUPPORT
;
257 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
261 if (type
== SOCK_STREAM
) {
262 r
= setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &one
, sizeof(one
));
268 uint32_t ifindex
= htobe32(s
->link
->ifindex
);
270 if (sa
.sa
.sa_family
== AF_INET
) {
271 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
274 } else if (sa
.sa
.sa_family
== AF_INET6
) {
275 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
281 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
282 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
284 if (sa
.sa
.sa_family
== AF_INET
) {
285 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &one
, sizeof(one
));
288 } else if (sa
.sa
.sa_family
== AF_INET6
) {
289 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &one
, sizeof(one
));
295 r
= connect(fd
, &sa
.sa
, salen
);
296 if (r
< 0 && errno
!= EINPROGRESS
)
308 int dns_scope_udp_dns_socket(DnsScope
*s
, DnsServer
**server
) {
309 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, 53, server
);
312 int dns_scope_tcp_socket(DnsScope
*s
, int family
, const union in_addr_union
*address
, uint16_t port
, DnsServer
**server
) {
313 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, port
, server
);
316 DnsScopeMatch
dns_scope_good_domain(DnsScope
*s
, int ifindex
, uint64_t flags
, const char *domain
) {
322 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
325 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
) & flags
) == 0)
328 if (dns_name_root(domain
) != 0)
331 /* Never resolve any loopback hostname or IP address via DNS,
332 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
334 if (is_localhost(domain
) ||
335 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
336 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
339 STRV_FOREACH(i
, s
->domains
)
340 if (dns_name_endswith(domain
, *i
) > 0)
341 return DNS_SCOPE_YES
;
343 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
344 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
345 dns_name_endswith(domain
, "0.8.e.f.ip6.arpa") == 0 &&
346 dns_name_single_label(domain
) == 0)
347 return DNS_SCOPE_MAYBE
;
352 if (s
->protocol
== DNS_PROTOCOL_MDNS
) {
353 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
354 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
355 (dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
356 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
357 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
358 return DNS_SCOPE_MAYBE
;
363 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
364 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
365 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
366 (dns_name_single_label(domain
) > 0 && /* only resolve single label names via LLMNR */
367 !is_gateway_hostname(domain
) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
368 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
369 return DNS_SCOPE_MAYBE
;
374 assert_not_reached("Unknown scope protocol");
377 int dns_scope_good_key(DnsScope
*s
, DnsResourceKey
*key
) {
381 if (s
->protocol
== DNS_PROTOCOL_DNS
)
384 /* On mDNS and LLMNR, send A and AAAA queries only on the
385 * respective scopes */
387 if (s
->family
== AF_INET
&& key
->class == DNS_CLASS_IN
&& key
->type
== DNS_TYPE_AAAA
)
390 if (s
->family
== AF_INET6
&& key
->class == DNS_CLASS_IN
&& key
->type
== DNS_TYPE_A
)
396 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
401 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
406 if (s
->family
== AF_INET
) {
407 struct ip_mreqn mreqn
= {
408 .imr_multiaddr
= LLMNR_MULTICAST_IPV4_ADDRESS
,
409 .imr_ifindex
= s
->link
->ifindex
,
412 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
416 /* Always first try to drop membership before we add
417 * one. This is necessary on some devices, such as
420 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
422 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
425 } else if (s
->family
== AF_INET6
) {
426 struct ipv6_mreq mreq
= {
427 .ipv6mr_multiaddr
= LLMNR_MULTICAST_IPV6_ADDRESS
,
428 .ipv6mr_interface
= s
->link
->ifindex
,
431 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
436 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
438 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
441 return -EAFNOSUPPORT
;
446 static int dns_scope_make_reply_packet(
456 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
463 if ((!q
|| q
->n_keys
<= 0)
464 && (!answer
|| answer
->n_rrs
<= 0)
465 && (!soa
|| soa
->n_rrs
<= 0))
468 r
= dns_packet_new(&p
, s
->protocol
, 0);
472 DNS_PACKET_HEADER(p
)->id
= id
;
473 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
485 for (i
= 0; i
< q
->n_keys
; i
++) {
486 r
= dns_packet_append_key(p
, q
->keys
[i
], NULL
);
491 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(q
->n_keys
);
495 for (i
= 0; i
< answer
->n_rrs
; i
++) {
496 r
= dns_packet_append_rr(p
, answer
->items
[i
].rr
, NULL
);
501 DNS_PACKET_HEADER(p
)->ancount
= htobe16(answer
->n_rrs
);
505 for (i
= 0; i
< soa
->n_rrs
; i
++) {
506 r
= dns_packet_append_rr(p
, soa
->items
[i
].rr
, NULL
);
511 DNS_PACKET_HEADER(p
)->arcount
= htobe16(soa
->n_rrs
);
520 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
527 for (n
= 0; n
< p
->question
->n_keys
; n
++)
528 dns_zone_verify_conflicts(&s
->zone
, p
->question
->keys
[n
]);
530 for (n
= 0; n
< p
->answer
->n_rrs
; n
++)
531 dns_zone_verify_conflicts(&s
->zone
, p
->answer
->items
[n
].rr
->key
);
534 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
535 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
536 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
537 bool tentative
= false;
543 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
546 if (p
->ipproto
== IPPROTO_UDP
) {
547 /* Don't accept UDP queries directed to anything but
548 * the LLMNR multicast addresses. See RFC 4795,
551 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
554 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
558 r
= dns_packet_extract(p
);
560 log_debug_errno(r
, "Failed to extract resources from incoming packet: %m");
564 if (DNS_PACKET_LLMNR_C(p
)) {
565 /* Somebody notified us about a possible conflict */
566 dns_scope_verify_conflicts(s
, p
);
570 r
= dns_zone_lookup(&s
->zone
, p
->question
, &answer
, &soa
, &tentative
);
572 log_debug_errno(r
, "Failed to lookup key: %m");
579 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
581 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
583 log_debug_errno(r
, "Failed to build reply packet: %m");
588 r
= dns_stream_write_packet(stream
, reply
);
590 if (!ratelimit_test(&s
->ratelimit
))
593 if (p
->family
== AF_INET
)
594 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
595 else if (p
->family
== AF_INET6
)
596 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
598 log_debug("Unknown protocol");
602 log_debug_errno(fd
, "Failed to get reply socket: %m");
606 /* Note that we always immediately reply to all LLMNR
607 * requests, and do not wait any time, since we
608 * verified uniqueness for all records. Also see RFC
609 * 4795, Section 2.7 */
611 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, reply
);
615 log_debug_errno(r
, "Failed to send reply packet: %m");
620 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsQuestion
*question
, bool cache_ok
) {
626 /* Try to find an ongoing transaction that is a equal or a
627 * superset of the specified question */
629 LIST_FOREACH(transactions_by_scope
, t
, scope
->transactions
) {
631 /* Refuse reusing transactions that completed based on
632 * cached data instead of a real packet, if that's
635 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_FAILURE
) &&
639 if (dns_question_is_superset(t
->question
, question
) > 0)
646 static int dns_scope_make_conflict_packet(
648 DnsResourceRecord
*rr
,
651 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
658 r
= dns_packet_new(&p
, s
->protocol
, 0);
662 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
672 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
673 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
674 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
676 r
= dns_packet_append_key(p
, rr
->key
, NULL
);
680 r
= dns_packet_append_rr(p
, rr
, NULL
);
690 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
691 DnsScope
*scope
= userdata
;
697 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
700 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
701 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
703 rr
= ordered_hashmap_steal_first(scope
->conflict_queue
);
707 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
709 log_error_errno(r
, "Failed to make conflict packet: %m");
713 r
= dns_scope_emit(scope
, -1, p
);
715 log_debug_errno(r
, "Failed to send conflict packet: %m");
721 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
728 /* We don't send these queries immediately. Instead, we queue
729 * them, and send them after some jitter delay. */
730 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
736 /* We only place one RR per key in the conflict
737 * messages, not all of them. That should be enough to
738 * indicate where there might be a conflict */
739 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
740 if (r
== -EEXIST
|| r
== 0)
743 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
745 dns_resource_record_ref(rr
);
747 if (scope
->conflict_event_source
)
750 random_bytes(&jitter
, sizeof(jitter
));
751 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
753 r
= sd_event_add_time(scope
->manager
->event
,
754 &scope
->conflict_event_source
,
755 clock_boottime_or_monotonic(),
756 now(clock_boottime_or_monotonic()) + jitter
,
757 LLMNR_JITTER_INTERVAL_USEC
,
758 on_conflict_dispatch
, scope
);
760 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
765 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
772 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
775 if (DNS_PACKET_RRCOUNT(p
) <= 0)
778 if (DNS_PACKET_LLMNR_C(p
) != 0)
781 if (DNS_PACKET_LLMNR_T(p
) != 0)
784 if (manager_our_packet(scope
->manager
, p
))
787 r
= dns_packet_extract(p
);
789 log_debug_errno(r
, "Failed to extract packet: %m");
793 log_debug("Checking for conflicts...");
795 for (i
= 0; i
< p
->answer
->n_rrs
; i
++) {
797 /* Check for conflicts against the local zone. If we
798 * found one, we won't check any further */
799 r
= dns_zone_check_conflicts(&scope
->zone
, p
->answer
->items
[i
].rr
);
803 /* Check for conflicts against the local cache. If so,
804 * send out an advisory query, to inform everybody */
805 r
= dns_cache_check_conflicts(&scope
->cache
, p
->answer
->items
[i
].rr
, p
->family
, &p
->sender
);
809 dns_scope_notify_conflict(scope
, p
->answer
->items
[i
].rr
);