1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <netinet/tcp.h>
26 #include "socket-util.h"
28 #include "random-util.h"
29 #include "hostname-util.h"
30 #include "dns-domain.h"
31 #include "resolved-llmnr.h"
32 #include "resolved-dns-scope.h"
34 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
35 #define MULTICAST_RATELIMIT_BURST 1000
37 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
43 s
= new0(DnsScope
, 1);
49 s
->protocol
= protocol
;
52 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
54 dns_scope_llmnr_membership(s
, true);
56 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
58 /* Enforce ratelimiting for the multicast protocols */
59 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
65 DnsScope
* dns_scope_free(DnsScope
*s
) {
67 DnsResourceRecord
*rr
;
72 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
74 dns_scope_llmnr_membership(s
, false);
76 while ((t
= s
->transactions
)) {
78 /* Abort the transaction, but make sure it is not
79 * freed while we still look at it */
82 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
85 dns_transaction_free(t
);
88 while ((rr
= ordered_hashmap_steal_first(s
->conflict_queue
)))
89 dns_resource_record_unref(rr
);
91 ordered_hashmap_free(s
->conflict_queue
);
92 sd_event_source_unref(s
->conflict_event_source
);
94 dns_cache_flush(&s
->cache
);
95 dns_zone_flush(&s
->zone
);
97 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
98 strv_free(s
->domains
);
104 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
107 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
111 return link_get_dns_server(s
->link
);
113 return manager_get_dns_server(s
->manager
);
116 void dns_scope_next_dns_server(DnsScope
*s
) {
119 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
123 link_next_dns_server(s
->link
);
125 manager_next_dns_server(s
->manager
);
128 int dns_scope_emit(DnsScope
*s
, DnsTransaction
*t
, DnsPacket
*p
, DnsServer
**server
) {
129 DnsServer
*srv
= NULL
;
130 union in_addr_union addr
;
139 assert(p
->protocol
== s
->protocol
);
143 ifindex
= s
->link
->ifindex
;
145 mtu
= manager_find_mtu(s
->manager
);
147 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
148 if (DNS_PACKET_QDCOUNT(p
) > 1)
151 srv
= dns_scope_get_dns_server(s
);
155 family
= srv
->family
;
159 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
162 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
165 if (family
== AF_INET
)
166 fd
= transaction_dns_ipv4_fd(t
);
167 else if (family
== AF_INET6
)
168 fd
= transaction_dns_ipv6_fd(t
);
170 return -EAFNOSUPPORT
;
174 } else if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
176 if (DNS_PACKET_QDCOUNT(p
) > 1)
179 if (!ratelimit_test(&s
->ratelimit
))
185 if (family
== AF_INET
) {
186 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
187 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
188 } else if (family
== AF_INET6
) {
189 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
190 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
192 return -EAFNOSUPPORT
;
196 return -EAFNOSUPPORT
;
198 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, port
, p
);
208 int dns_scope_tcp_socket(DnsScope
*s
, int family
, const union in_addr_union
*address
, uint16_t port
, DnsServer
**server
) {
209 DnsServer
*srv
= NULL
;
210 _cleanup_close_
int fd
= -1;
211 union sockaddr_union sa
= {};
213 static const int one
= 1;
217 assert((family
== AF_UNSPEC
) == !address
);
219 if (family
== AF_UNSPEC
) {
220 srv
= dns_scope_get_dns_server(s
);
224 sa
.sa
.sa_family
= srv
->family
;
225 if (srv
->family
== AF_INET
) {
226 sa
.in
.sin_port
= htobe16(port
);
227 sa
.in
.sin_addr
= srv
->address
.in
;
228 salen
= sizeof(sa
.in
);
229 } else if (srv
->family
== AF_INET6
) {
230 sa
.in6
.sin6_port
= htobe16(port
);
231 sa
.in6
.sin6_addr
= srv
->address
.in6
;
232 sa
.in6
.sin6_scope_id
= s
->link
? s
->link
->ifindex
: 0;
233 salen
= sizeof(sa
.in6
);
235 return -EAFNOSUPPORT
;
237 sa
.sa
.sa_family
= family
;
239 if (family
== AF_INET
) {
240 sa
.in
.sin_port
= htobe16(port
);
241 sa
.in
.sin_addr
= address
->in
;
242 salen
= sizeof(sa
.in
);
243 } else if (family
== AF_INET6
) {
244 sa
.in6
.sin6_port
= htobe16(port
);
245 sa
.in6
.sin6_addr
= address
->in6
;
246 sa
.in6
.sin6_scope_id
= s
->link
? s
->link
->ifindex
: 0;
247 salen
= sizeof(sa
.in6
);
249 return -EAFNOSUPPORT
;
252 fd
= socket(sa
.sa
.sa_family
, SOCK_STREAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
256 r
= setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &one
, sizeof(one
));
261 uint32_t ifindex
= htobe32(s
->link
->ifindex
);
263 if (sa
.sa
.sa_family
== AF_INET
) {
264 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
267 } else if (sa
.sa
.sa_family
== AF_INET6
) {
268 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex
, sizeof(ifindex
));
274 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
275 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
277 if (sa
.sa
.sa_family
== AF_INET
) {
278 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &one
, sizeof(one
));
281 } else if (sa
.sa
.sa_family
== AF_INET6
) {
282 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &one
, sizeof(one
));
288 r
= connect(fd
, &sa
.sa
, salen
);
289 if (r
< 0 && errno
!= EINPROGRESS
)
301 DnsScopeMatch
dns_scope_good_domain(DnsScope
*s
, int ifindex
, uint64_t flags
, const char *domain
) {
307 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
310 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
) & flags
) == 0)
313 STRV_FOREACH(i
, s
->domains
)
314 if (dns_name_endswith(domain
, *i
) > 0)
315 return DNS_SCOPE_YES
;
317 if (dns_name_root(domain
) != 0)
320 if (is_localhost(domain
))
323 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
324 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
325 dns_name_endswith(domain
, "0.8.e.f.ip6.arpa") == 0 &&
326 dns_name_single_label(domain
) == 0)
327 return DNS_SCOPE_MAYBE
;
332 if (s
->protocol
== DNS_PROTOCOL_MDNS
) {
333 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") > 0 ||
334 dns_name_endswith(domain
, "0.8.e.f.ip6.arpa") > 0 ||
335 (dns_name_endswith(domain
, "local") > 0 && dns_name_equal(domain
, "local") == 0))
336 return DNS_SCOPE_MAYBE
;
341 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
342 if (dns_name_endswith(domain
, "in-addr.arpa") > 0 ||
343 dns_name_endswith(domain
, "ip6.arpa") > 0 ||
344 (dns_name_single_label(domain
) > 0 &&
345 dns_name_equal(domain
, "gateway") <= 0)) /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
346 return DNS_SCOPE_MAYBE
;
351 assert_not_reached("Unknown scope protocol");
354 int dns_scope_good_key(DnsScope
*s
, DnsResourceKey
*key
) {
358 if (s
->protocol
== DNS_PROTOCOL_DNS
)
361 /* On mDNS and LLMNR, send A and AAAA queries only on the
362 * respective scopes */
364 if (s
->family
== AF_INET
&& key
->class == DNS_CLASS_IN
&& key
->type
== DNS_TYPE_AAAA
)
367 if (s
->family
== AF_INET6
&& key
->class == DNS_CLASS_IN
&& key
->type
== DNS_TYPE_A
)
373 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
378 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
383 if (s
->family
== AF_INET
) {
384 struct ip_mreqn mreqn
= {
385 .imr_multiaddr
= LLMNR_MULTICAST_IPV4_ADDRESS
,
386 .imr_ifindex
= s
->link
->ifindex
,
389 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
393 /* Always first try to drop membership before we add
394 * one. This is necessary on some devices, such as
397 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
399 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
402 } else if (s
->family
== AF_INET6
) {
403 struct ipv6_mreq mreq
= {
404 .ipv6mr_multiaddr
= LLMNR_MULTICAST_IPV6_ADDRESS
,
405 .ipv6mr_interface
= s
->link
->ifindex
,
408 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
413 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
415 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
418 return -EAFNOSUPPORT
;
423 static int dns_scope_make_reply_packet(
433 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
440 if ((!q
|| q
->n_keys
<= 0)
441 && (!answer
|| answer
->n_rrs
<= 0)
442 && (!soa
|| soa
->n_rrs
<= 0))
445 r
= dns_packet_new(&p
, s
->protocol
, 0);
449 DNS_PACKET_HEADER(p
)->id
= id
;
450 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
462 for (i
= 0; i
< q
->n_keys
; i
++) {
463 r
= dns_packet_append_key(p
, q
->keys
[i
], NULL
);
468 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(q
->n_keys
);
472 for (i
= 0; i
< answer
->n_rrs
; i
++) {
473 r
= dns_packet_append_rr(p
, answer
->rrs
[i
], NULL
);
478 DNS_PACKET_HEADER(p
)->ancount
= htobe16(answer
->n_rrs
);
482 for (i
= 0; i
< soa
->n_rrs
; i
++) {
483 r
= dns_packet_append_rr(p
, soa
->rrs
[i
], NULL
);
488 DNS_PACKET_HEADER(p
)->arcount
= htobe16(soa
->n_rrs
);
497 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
504 for (n
= 0; n
< p
->question
->n_keys
; n
++)
505 dns_zone_verify_conflicts(&s
->zone
, p
->question
->keys
[n
]);
507 for (n
= 0; n
< p
->answer
->n_rrs
; n
++)
508 dns_zone_verify_conflicts(&s
->zone
, p
->answer
->rrs
[n
]->key
);
511 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
512 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
513 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
514 bool tentative
= false;
520 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
523 if (p
->ipproto
== IPPROTO_UDP
) {
524 /* Don't accept UDP queries directed to anything but
525 * the LLMNR multicast addresses. See RFC 4795,
528 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
531 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
535 r
= dns_packet_extract(p
);
537 log_debug_errno(r
, "Failed to extract resources from incoming packet: %m");
541 if (DNS_PACKET_LLMNR_C(p
)) {
542 /* Somebody notified us about a possible conflict */
543 dns_scope_verify_conflicts(s
, p
);
547 r
= dns_zone_lookup(&s
->zone
, p
->question
, &answer
, &soa
, &tentative
);
549 log_debug_errno(r
, "Failed to lookup key: %m");
556 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
558 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
560 log_debug_errno(r
, "Failed to build reply packet: %m");
565 r
= dns_stream_write_packet(stream
, reply
);
567 if (!ratelimit_test(&s
->ratelimit
))
570 if (p
->family
== AF_INET
)
571 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
572 else if (p
->family
== AF_INET6
)
573 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
575 log_debug("Unknown protocol");
579 log_debug_errno(fd
, "Failed to get reply socket: %m");
583 /* Note that we always immediately reply to all LLMNR
584 * requests, and do not wait any time, since we
585 * verified uniqueness for all records. Also see RFC
586 * 4795, Section 2.7 */
588 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, reply
);
592 log_debug_errno(r
, "Failed to send reply packet: %m");
597 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsQuestion
*question
, bool cache_ok
) {
603 /* Try to find an ongoing transaction that is a equal or a
604 * superset of the specified question */
606 LIST_FOREACH(transactions_by_scope
, t
, scope
->transactions
) {
608 /* Refuse reusing transactions that completed based on
609 * cached data instead of a real packet, if that's
612 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_FAILURE
) &&
616 if (dns_question_is_superset(t
->question
, question
) > 0)
623 static int dns_scope_make_conflict_packet(
625 DnsResourceRecord
*rr
,
628 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
635 r
= dns_packet_new(&p
, s
->protocol
, 0);
639 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
649 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
650 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
651 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
653 r
= dns_packet_append_key(p
, rr
->key
, NULL
);
657 r
= dns_packet_append_rr(p
, rr
, NULL
);
667 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
668 DnsScope
*scope
= userdata
;
674 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
677 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
678 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
680 rr
= ordered_hashmap_steal_first(scope
->conflict_queue
);
684 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
686 log_error_errno(r
, "Failed to make conflict packet: %m");
690 r
= dns_scope_emit(scope
, NULL
, p
, NULL
);
692 log_debug_errno(r
, "Failed to send conflict packet: %m");
698 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
705 /* We don't send these queries immediately. Instead, we queue
706 * them, and send them after some jitter delay. */
707 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
713 /* We only place one RR per key in the conflict
714 * messages, not all of them. That should be enough to
715 * indicate where there might be a conflict */
716 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
717 if (r
== -EEXIST
|| r
== 0)
720 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
722 dns_resource_record_ref(rr
);
724 if (scope
->conflict_event_source
)
727 random_bytes(&jitter
, sizeof(jitter
));
728 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
730 r
= sd_event_add_time(scope
->manager
->event
,
731 &scope
->conflict_event_source
,
732 clock_boottime_or_monotonic(),
733 now(clock_boottime_or_monotonic()) + jitter
,
734 LLMNR_JITTER_INTERVAL_USEC
,
735 on_conflict_dispatch
, scope
);
737 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
742 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
749 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
752 if (DNS_PACKET_RRCOUNT(p
) <= 0)
755 if (DNS_PACKET_LLMNR_C(p
) != 0)
758 if (DNS_PACKET_LLMNR_T(p
) != 0)
761 if (manager_our_packet(scope
->manager
, p
))
764 r
= dns_packet_extract(p
);
766 log_debug_errno(r
, "Failed to extract packet: %m");
770 log_debug("Checking for conflicts...");
772 for (i
= 0; i
< p
->answer
->n_rrs
; i
++) {
774 /* Check for conflicts against the local zone. If we
775 * found one, we won't check any further */
776 r
= dns_zone_check_conflicts(&scope
->zone
, p
->answer
->rrs
[i
]);
780 /* Check for conflicts against the local cache. If so,
781 * send out an advisory query, to inform everybody */
782 r
= dns_cache_check_conflicts(&scope
->cache
, p
->answer
->rrs
[i
], p
->family
, &p
->sender
);
786 dns_scope_notify_conflict(scope
, p
->answer
->rrs
[i
]);