1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2014 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <netinet/tcp.h>
24 #include "alloc-util.h"
25 #include "dns-domain.h"
27 #include "hostname-util.h"
29 #include "random-util.h"
30 #include "resolved-dnssd.h"
31 #include "resolved-dns-scope.h"
32 #include "resolved-dns-zone.h"
33 #include "resolved-llmnr.h"
34 #include "resolved-mdns.h"
35 #include "socket-util.h"
38 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
39 #define MULTICAST_RATELIMIT_BURST 1000
41 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
42 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
43 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
45 int dns_scope_new(Manager
*m
, DnsScope
**ret
, Link
*l
, DnsProtocol protocol
, int family
) {
51 s
= new0(DnsScope
, 1);
57 s
->protocol
= protocol
;
59 s
->resend_timeout
= MULTICAST_RESEND_TIMEOUT_MIN_USEC
;
61 if (protocol
== DNS_PROTOCOL_DNS
) {
62 /* Copy DNSSEC mode from the link if it is set there,
63 * otherwise take the manager's DNSSEC mode. Note that
64 * we copy this only at scope creation time, and do
65 * not update it from the on, even if the setting
69 s
->dnssec_mode
= link_get_dnssec_mode(l
);
71 s
->dnssec_mode
= manager_get_dnssec_mode(m
);
73 s
->dnssec_mode
= DNSSEC_NO
;
75 LIST_PREPEND(scopes
, m
->dns_scopes
, s
);
77 dns_scope_llmnr_membership(s
, true);
78 dns_scope_mdns_membership(s
, true);
80 log_debug("New scope on link %s, protocol %s, family %s", l
? l
->name
: "*", dns_protocol_to_string(protocol
), family
== AF_UNSPEC
? "*" : af_to_name(family
));
82 /* Enforce ratelimiting for the multicast protocols */
83 RATELIMIT_INIT(s
->ratelimit
, MULTICAST_RATELIMIT_INTERVAL_USEC
, MULTICAST_RATELIMIT_BURST
);
89 static void dns_scope_abort_transactions(DnsScope
*s
) {
92 while (s
->transactions
) {
93 DnsTransaction
*t
= s
->transactions
;
95 /* Abort the transaction, but make sure it is not
96 * freed while we still look at it */
99 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
100 dns_transaction_complete(t
, DNS_TRANSACTION_ABORTED
);
103 dns_transaction_free(t
);
107 DnsScope
* dns_scope_free(DnsScope
*s
) {
111 log_debug("Removing scope on link %s, protocol %s, family %s", s
->link
? s
->link
->name
: "*", dns_protocol_to_string(s
->protocol
), s
->family
== AF_UNSPEC
? "*" : af_to_name(s
->family
));
113 dns_scope_llmnr_membership(s
, false);
114 dns_scope_mdns_membership(s
, false);
115 dns_scope_abort_transactions(s
);
117 while (s
->query_candidates
)
118 dns_query_candidate_free(s
->query_candidates
);
120 hashmap_free(s
->transactions_by_key
);
122 ordered_hashmap_free_with_destructor(s
->conflict_queue
, dns_resource_record_unref
);
123 sd_event_source_unref(s
->conflict_event_source
);
125 sd_event_source_unref(s
->announce_event_source
);
127 dns_cache_flush(&s
->cache
);
128 dns_zone_flush(&s
->zone
);
130 LIST_REMOVE(scopes
, s
->manager
->dns_scopes
, s
);
134 DnsServer
*dns_scope_get_dns_server(DnsScope
*s
) {
137 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
141 return link_get_dns_server(s
->link
);
143 return manager_get_dns_server(s
->manager
);
146 unsigned dns_scope_get_n_dns_servers(DnsScope
*s
) {
152 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
156 i
= s
->link
->dns_servers
;
158 i
= s
->manager
->dns_servers
;
160 for (; i
; i
= i
->servers_next
)
166 void dns_scope_next_dns_server(DnsScope
*s
) {
169 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
173 link_next_dns_server(s
->link
);
175 manager_next_dns_server(s
->manager
);
178 void dns_scope_packet_received(DnsScope
*s
, usec_t rtt
) {
181 if (rtt
<= s
->max_rtt
)
185 s
->resend_timeout
= MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC
, s
->max_rtt
* 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
188 void dns_scope_packet_lost(DnsScope
*s
, usec_t usec
) {
191 if (s
->resend_timeout
<= usec
)
192 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC
);
195 static int dns_scope_emit_one(DnsScope
*s
, int fd
, DnsPacket
*p
) {
196 union in_addr_union addr
;
203 assert(p
->protocol
== s
->protocol
);
207 ifindex
= s
->link
->ifindex
;
209 mtu
= manager_find_mtu(s
->manager
);
211 switch (s
->protocol
) {
213 case DNS_PROTOCOL_DNS
:
216 if (DNS_PACKET_QDCOUNT(p
) > 1)
219 if (p
->size
> DNS_PACKET_UNICAST_SIZE_MAX
)
222 if (p
->size
+ UDP_PACKET_HEADER_SIZE
> mtu
)
225 r
= manager_write(s
->manager
, fd
, p
);
231 case DNS_PROTOCOL_LLMNR
:
234 if (DNS_PACKET_QDCOUNT(p
) > 1)
237 if (!ratelimit_test(&s
->ratelimit
))
242 if (family
== AF_INET
) {
243 addr
.in
= LLMNR_MULTICAST_IPV4_ADDRESS
;
244 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
245 } else if (family
== AF_INET6
) {
246 addr
.in6
= LLMNR_MULTICAST_IPV6_ADDRESS
;
247 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
249 return -EAFNOSUPPORT
;
253 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, LLMNR_PORT
, NULL
, p
);
259 case DNS_PROTOCOL_MDNS
:
262 if (!ratelimit_test(&s
->ratelimit
))
267 if (family
== AF_INET
) {
268 addr
.in
= MDNS_MULTICAST_IPV4_ADDRESS
;
269 fd
= manager_mdns_ipv4_fd(s
->manager
);
270 } else if (family
== AF_INET6
) {
271 addr
.in6
= MDNS_MULTICAST_IPV6_ADDRESS
;
272 fd
= manager_mdns_ipv6_fd(s
->manager
);
274 return -EAFNOSUPPORT
;
278 r
= manager_send(s
->manager
, fd
, ifindex
, family
, &addr
, MDNS_PORT
, NULL
, p
);
285 return -EAFNOSUPPORT
;
291 int dns_scope_emit_udp(DnsScope
*s
, int fd
, DnsPacket
*p
) {
296 assert(p
->protocol
== s
->protocol
);
297 assert((s
->protocol
== DNS_PROTOCOL_DNS
) == (fd
>= 0));
300 /* If there are multiple linked packets, set the TC bit in all but the last of them */
302 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
303 dns_packet_set_flags(p
, true, true);
306 r
= dns_scope_emit_one(s
, fd
, p
);
316 static int dns_scope_socket(
320 const union in_addr_union
*address
,
324 _cleanup_close_
int fd
= -1;
325 union sockaddr_union sa
= {};
327 static const int one
= 1;
333 assert(family
== AF_UNSPEC
);
336 ifindex
= dns_server_ifindex(server
);
338 sa
.sa
.sa_family
= server
->family
;
339 if (server
->family
== AF_INET
) {
340 sa
.in
.sin_port
= htobe16(port
);
341 sa
.in
.sin_addr
= server
->address
.in
;
342 salen
= sizeof(sa
.in
);
343 } else if (server
->family
== AF_INET6
) {
344 sa
.in6
.sin6_port
= htobe16(port
);
345 sa
.in6
.sin6_addr
= server
->address
.in6
;
346 sa
.in6
.sin6_scope_id
= ifindex
;
347 salen
= sizeof(sa
.in6
);
349 return -EAFNOSUPPORT
;
351 assert(family
!= AF_UNSPEC
);
354 sa
.sa
.sa_family
= family
;
355 ifindex
= s
->link
? s
->link
->ifindex
: 0;
357 if (family
== AF_INET
) {
358 sa
.in
.sin_port
= htobe16(port
);
359 sa
.in
.sin_addr
= address
->in
;
360 salen
= sizeof(sa
.in
);
361 } else if (family
== AF_INET6
) {
362 sa
.in6
.sin6_port
= htobe16(port
);
363 sa
.in6
.sin6_addr
= address
->in6
;
364 sa
.in6
.sin6_scope_id
= ifindex
;
365 salen
= sizeof(sa
.in6
);
367 return -EAFNOSUPPORT
;
370 fd
= socket(sa
.sa
.sa_family
, type
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
374 if (type
== SOCK_STREAM
) {
375 r
= setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &one
, sizeof(one
));
381 be32_t ifindex_be
= htobe32(ifindex
);
383 if (sa
.sa
.sa_family
== AF_INET
) {
384 r
= setsockopt(fd
, IPPROTO_IP
, IP_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
387 } else if (sa
.sa
.sa_family
== AF_INET6
) {
388 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_IF
, &ifindex_be
, sizeof(ifindex_be
));
394 if (s
->protocol
== DNS_PROTOCOL_LLMNR
) {
395 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
397 if (sa
.sa
.sa_family
== AF_INET
) {
398 r
= setsockopt(fd
, IPPROTO_IP
, IP_TTL
, &one
, sizeof(one
));
401 } else if (sa
.sa
.sa_family
== AF_INET6
) {
402 r
= setsockopt(fd
, IPPROTO_IPV6
, IPV6_UNICAST_HOPS
, &one
, sizeof(one
));
408 r
= connect(fd
, &sa
.sa
, salen
);
409 if (r
< 0 && errno
!= EINPROGRESS
)
415 int dns_scope_socket_udp(DnsScope
*s
, DnsServer
*server
, uint16_t port
) {
416 return dns_scope_socket(s
, SOCK_DGRAM
, AF_UNSPEC
, NULL
, server
, port
);
419 int dns_scope_socket_tcp(DnsScope
*s
, int family
, const union in_addr_union
*address
, DnsServer
*server
, uint16_t port
) {
420 return dns_scope_socket(s
, SOCK_STREAM
, family
, address
, server
, port
);
423 DnsScopeMatch
dns_scope_good_domain(DnsScope
*s
, int ifindex
, uint64_t flags
, const char *domain
) {
429 /* Checks if the specified domain is something to look up on
430 * this scope. Note that this accepts non-qualified hostnames,
431 * i.e. those without any search path prefixed yet. */
433 if (ifindex
!= 0 && (!s
->link
|| s
->link
->ifindex
!= ifindex
))
436 if ((SD_RESOLVED_FLAGS_MAKE(s
->protocol
, s
->family
, 0) & flags
) == 0)
439 /* Never resolve any loopback hostname or IP address via DNS,
440 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
442 if (is_localhost(domain
) ||
443 dns_name_endswith(domain
, "127.in-addr.arpa") > 0 ||
444 dns_name_equal(domain
, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
447 /* Never respond to some of the domains listed in RFC6303 */
448 if (dns_name_endswith(domain
, "0.in-addr.arpa") > 0 ||
449 dns_name_equal(domain
, "255.255.255.255.in-addr.arpa") > 0 ||
450 dns_name_equal(domain
, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
453 /* Never respond to some of the domains listed in RFC6761 */
454 if (dns_name_endswith(domain
, "invalid") > 0)
457 switch (s
->protocol
) {
459 case DNS_PROTOCOL_DNS
: {
460 DnsServer
*dns_server
;
462 /* Never route things to scopes that lack DNS servers */
463 dns_server
= dns_scope_get_dns_server(s
);
467 /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
468 * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
469 * won't be considered anymore. */
470 LIST_FOREACH(domains
, d
, dns_scope_get_search_domains(s
))
471 if (dns_name_endswith(domain
, d
->name
) > 0)
472 return DNS_SCOPE_YES
;
474 /* If the DNS server has route-only domains, don't send other requests to it. This would be a privacy
475 * violation, will most probably fail anyway, and adds unnecessary load. */
476 if (dns_server_limited_domains(dns_server
))
479 /* Exclude link-local IP ranges */
480 if (dns_name_endswith(domain
, "254.169.in-addr.arpa") == 0 &&
481 dns_name_endswith(domain
, "8.e.f.ip6.arpa") == 0 &&
482 dns_name_endswith(domain
, "9.e.f.ip6.arpa") == 0 &&
483 dns_name_endswith(domain
, "a.e.f.ip6.arpa") == 0 &&
484 dns_name_endswith(domain
, "b.e.f.ip6.arpa") == 0 &&
485 /* If networks use .local in their private setups, they are supposed to also add .local to their search
486 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
487 * send such queries ordinary DNS servers. */
488 dns_name_endswith(domain
, "local") == 0)
489 return DNS_SCOPE_MAYBE
;
494 case DNS_PROTOCOL_MDNS
:
495 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
496 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
497 (dns_name_endswith(domain
, "local") > 0 && /* only resolve names ending in .local via mDNS */
498 dns_name_equal(domain
, "local") == 0 && /* but not the single-label "local" name itself */
499 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via mDNS */
500 return DNS_SCOPE_MAYBE
;
504 case DNS_PROTOCOL_LLMNR
:
505 if ((s
->family
== AF_INET
&& dns_name_endswith(domain
, "in-addr.arpa") > 0) ||
506 (s
->family
== AF_INET6
&& dns_name_endswith(domain
, "ip6.arpa") > 0) ||
507 (dns_name_is_single_label(domain
) && /* only resolve single label names via LLMNR */
508 !is_gateway_hostname(domain
) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
509 manager_is_own_hostname(s
->manager
, domain
) <= 0)) /* never resolve the local hostname via LLMNR */
510 return DNS_SCOPE_MAYBE
;
515 assert_not_reached("Unknown scope protocol");
519 bool dns_scope_good_key(DnsScope
*s
, const DnsResourceKey
*key
) {
525 /* Check if it makes sense to resolve the specified key on
526 * this scope. Note that this call assumes as fully qualified
527 * name, i.e. the search suffixes already appended. */
529 if (key
->class != DNS_CLASS_IN
)
532 if (s
->protocol
== DNS_PROTOCOL_DNS
) {
534 /* On classic DNS, looking up non-address RRs is always
535 * fine. (Specifically, we want to permit looking up
536 * DNSKEY and DS records on the root and top-level
538 if (!dns_resource_key_is_address(key
))
541 /* However, we refuse to look up A and AAAA RRs on the
542 * root and single-label domains, under the assumption
543 * that those should be resolved via LLMNR or search
544 * path only, and should not be leaked onto the
546 return !(dns_name_is_single_label(dns_resource_key_name(key
)) ||
547 dns_name_is_root(dns_resource_key_name(key
)));
550 /* On mDNS and LLMNR, send A and AAAA queries only on the
551 * respective scopes */
553 key_family
= dns_type_to_af(key
->type
);
557 return key_family
== s
->family
;
560 static int dns_scope_multicast_membership(DnsScope
*s
, bool b
, struct in_addr in
, struct in6_addr in6
) {
566 if (s
->family
== AF_INET
) {
567 struct ip_mreqn mreqn
= {
569 .imr_ifindex
= s
->link
->ifindex
,
572 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
573 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
575 fd
= manager_mdns_ipv4_fd(s
->manager
);
580 /* Always first try to drop membership before we add
581 * one. This is necessary on some devices, such as
584 (void) setsockopt(fd
, IPPROTO_IP
, IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
));
586 if (setsockopt(fd
, IPPROTO_IP
, b
? IP_ADD_MEMBERSHIP
: IP_DROP_MEMBERSHIP
, &mreqn
, sizeof(mreqn
)) < 0)
589 } else if (s
->family
== AF_INET6
) {
590 struct ipv6_mreq mreq
= {
591 .ipv6mr_multiaddr
= in6
,
592 .ipv6mr_interface
= s
->link
->ifindex
,
595 if (s
->protocol
== DNS_PROTOCOL_LLMNR
)
596 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
598 fd
= manager_mdns_ipv6_fd(s
->manager
);
604 (void) setsockopt(fd
, IPPROTO_IPV6
, IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
));
606 if (setsockopt(fd
, IPPROTO_IPV6
, b
? IPV6_ADD_MEMBERSHIP
: IPV6_DROP_MEMBERSHIP
, &mreq
, sizeof(mreq
)) < 0)
609 return -EAFNOSUPPORT
;
614 int dns_scope_llmnr_membership(DnsScope
*s
, bool b
) {
617 if (s
->protocol
!= DNS_PROTOCOL_LLMNR
)
620 return dns_scope_multicast_membership(s
, b
, LLMNR_MULTICAST_IPV4_ADDRESS
, LLMNR_MULTICAST_IPV6_ADDRESS
);
623 int dns_scope_mdns_membership(DnsScope
*s
, bool b
) {
626 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
629 return dns_scope_multicast_membership(s
, b
, MDNS_MULTICAST_IPV4_ADDRESS
, MDNS_MULTICAST_IPV6_ADDRESS
);
632 int dns_scope_make_reply_packet(
642 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
648 if (dns_question_isempty(q
) &&
649 dns_answer_isempty(answer
) &&
650 dns_answer_isempty(soa
))
653 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
657 DNS_PACKET_HEADER(p
)->id
= id
;
658 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
669 r
= dns_packet_append_question(p
, q
);
672 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(dns_question_size(q
));
674 r
= dns_packet_append_answer(p
, answer
);
677 DNS_PACKET_HEADER(p
)->ancount
= htobe16(dns_answer_size(answer
));
679 r
= dns_packet_append_answer(p
, soa
);
682 DNS_PACKET_HEADER(p
)->arcount
= htobe16(dns_answer_size(soa
));
690 static void dns_scope_verify_conflicts(DnsScope
*s
, DnsPacket
*p
) {
691 DnsResourceRecord
*rr
;
697 DNS_QUESTION_FOREACH(key
, p
->question
)
698 dns_zone_verify_conflicts(&s
->zone
, key
);
700 DNS_ANSWER_FOREACH(rr
, p
->answer
)
701 dns_zone_verify_conflicts(&s
->zone
, rr
->key
);
704 void dns_scope_process_query(DnsScope
*s
, DnsStream
*stream
, DnsPacket
*p
) {
705 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
, *soa
= NULL
;
706 _cleanup_(dns_packet_unrefp
) DnsPacket
*reply
= NULL
;
707 DnsResourceKey
*key
= NULL
;
708 bool tentative
= false;
714 if (p
->protocol
!= DNS_PROTOCOL_LLMNR
)
717 if (p
->ipproto
== IPPROTO_UDP
) {
718 /* Don't accept UDP queries directed to anything but
719 * the LLMNR multicast addresses. See RFC 4795,
722 if (p
->family
== AF_INET
&& !in_addr_equal(AF_INET
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV4_ADDRESS
))
725 if (p
->family
== AF_INET6
&& !in_addr_equal(AF_INET6
, &p
->destination
, (union in_addr_union
*) &LLMNR_MULTICAST_IPV6_ADDRESS
))
729 r
= dns_packet_extract(p
);
731 log_debug_errno(r
, "Failed to extract resource records from incoming packet: %m");
735 if (DNS_PACKET_LLMNR_C(p
)) {
736 /* Somebody notified us about a possible conflict */
737 dns_scope_verify_conflicts(s
, p
);
741 assert(dns_question_size(p
->question
) == 1);
742 key
= p
->question
->keys
[0];
744 r
= dns_zone_lookup(&s
->zone
, key
, 0, &answer
, &soa
, &tentative
);
746 log_debug_errno(r
, "Failed to lookup key: %m");
753 dns_answer_order_by_scope(answer
, in_addr_is_link_local(p
->family
, &p
->sender
) > 0);
755 r
= dns_scope_make_reply_packet(s
, DNS_PACKET_ID(p
), DNS_RCODE_SUCCESS
, p
->question
, answer
, soa
, tentative
, &reply
);
757 log_debug_errno(r
, "Failed to build reply packet: %m");
762 r
= dns_stream_write_packet(stream
, reply
);
764 log_debug_errno(r
, "Failed to enqueue reply packet: %m");
768 /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
769 * will be dangling until the stream is disconnected, and the default completion handler of the stream
770 * will then unref the stream and destroy it */
771 if (DNS_STREAM_QUEUED(stream
))
772 dns_stream_ref(stream
);
776 if (!ratelimit_test(&s
->ratelimit
))
779 if (p
->family
== AF_INET
)
780 fd
= manager_llmnr_ipv4_udp_fd(s
->manager
);
781 else if (p
->family
== AF_INET6
)
782 fd
= manager_llmnr_ipv6_udp_fd(s
->manager
);
784 log_debug("Unknown protocol");
788 log_debug_errno(fd
, "Failed to get reply socket: %m");
792 /* Note that we always immediately reply to all LLMNR
793 * requests, and do not wait any time, since we
794 * verified uniqueness for all records. Also see RFC
795 * 4795, Section 2.7 */
797 r
= manager_send(s
->manager
, fd
, p
->ifindex
, p
->family
, &p
->sender
, p
->sender_port
, NULL
, reply
);
799 log_debug_errno(r
, "Failed to send reply packet: %m");
805 DnsTransaction
*dns_scope_find_transaction(DnsScope
*scope
, DnsResourceKey
*key
, bool cache_ok
) {
811 /* Try to find an ongoing transaction that is a equal to the
812 * specified question */
813 t
= hashmap_get(scope
->transactions_by_key
, key
);
817 /* Refuse reusing transactions that completed based on cached
818 * data instead of a real packet, if that's requested. */
820 IN_SET(t
->state
, DNS_TRANSACTION_SUCCESS
, DNS_TRANSACTION_RCODE_FAILURE
) &&
821 t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
827 static int dns_scope_make_conflict_packet(
829 DnsResourceRecord
*rr
,
832 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
839 r
= dns_packet_new(&p
, s
->protocol
, 0, DNS_PACKET_SIZE_MAX
);
843 DNS_PACKET_HEADER(p
)->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(
854 /* For mDNS, the transaction ID should always be 0 */
855 if (s
->protocol
!= DNS_PROTOCOL_MDNS
)
856 random_bytes(&DNS_PACKET_HEADER(p
)->id
, sizeof(uint16_t));
858 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
859 DNS_PACKET_HEADER(p
)->arcount
= htobe16(1);
861 r
= dns_packet_append_key(p
, rr
->key
, 0, NULL
);
865 r
= dns_packet_append_rr(p
, rr
, 0, NULL
, NULL
);
875 static int on_conflict_dispatch(sd_event_source
*es
, usec_t usec
, void *userdata
) {
876 DnsScope
*scope
= userdata
;
882 scope
->conflict_event_source
= sd_event_source_unref(scope
->conflict_event_source
);
885 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
886 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
887 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
889 key
= ordered_hashmap_first_key(scope
->conflict_queue
);
893 rr
= ordered_hashmap_remove(scope
->conflict_queue
, key
);
896 r
= dns_scope_make_conflict_packet(scope
, rr
, &p
);
898 log_error_errno(r
, "Failed to make conflict packet: %m");
902 r
= dns_scope_emit_udp(scope
, -1, p
);
904 log_debug_errno(r
, "Failed to send conflict packet: %m");
910 int dns_scope_notify_conflict(DnsScope
*scope
, DnsResourceRecord
*rr
) {
917 /* We don't send these queries immediately. Instead, we queue
918 * them, and send them after some jitter delay. */
919 r
= ordered_hashmap_ensure_allocated(&scope
->conflict_queue
, &dns_resource_key_hash_ops
);
925 /* We only place one RR per key in the conflict
926 * messages, not all of them. That should be enough to
927 * indicate where there might be a conflict */
928 r
= ordered_hashmap_put(scope
->conflict_queue
, rr
->key
, rr
);
929 if (IN_SET(r
, 0, -EEXIST
))
932 return log_debug_errno(r
, "Failed to queue conflicting RR: %m");
934 dns_resource_key_ref(rr
->key
);
935 dns_resource_record_ref(rr
);
937 if (scope
->conflict_event_source
)
940 random_bytes(&jitter
, sizeof(jitter
));
941 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
943 r
= sd_event_add_time(scope
->manager
->event
,
944 &scope
->conflict_event_source
,
945 clock_boottime_or_monotonic(),
946 now(clock_boottime_or_monotonic()) + jitter
,
947 LLMNR_JITTER_INTERVAL_USEC
,
948 on_conflict_dispatch
, scope
);
950 return log_debug_errno(r
, "Failed to add conflict dispatch event: %m");
952 (void) sd_event_source_set_description(scope
->conflict_event_source
, "scope-conflict");
957 void dns_scope_check_conflicts(DnsScope
*scope
, DnsPacket
*p
) {
958 DnsResourceRecord
*rr
;
964 if (!IN_SET(p
->protocol
, DNS_PROTOCOL_LLMNR
, DNS_PROTOCOL_MDNS
))
967 if (DNS_PACKET_RRCOUNT(p
) <= 0)
970 if (p
->protocol
== DNS_PROTOCOL_LLMNR
) {
971 if (DNS_PACKET_LLMNR_C(p
) != 0)
974 if (DNS_PACKET_LLMNR_T(p
) != 0)
978 if (manager_our_packet(scope
->manager
, p
))
981 r
= dns_packet_extract(p
);
983 log_debug_errno(r
, "Failed to extract packet: %m");
987 log_debug("Checking for conflicts...");
989 DNS_ANSWER_FOREACH(rr
, p
->answer
) {
990 /* No conflict if it is DNS-SD RR used for service enumeration. */
991 if (dns_resource_key_is_dnssd_ptr(rr
->key
))
994 /* Check for conflicts against the local zone. If we
995 * found one, we won't check any further */
996 r
= dns_zone_check_conflicts(&scope
->zone
, rr
);
1000 /* Check for conflicts against the local cache. If so,
1001 * send out an advisory query, to inform everybody */
1002 r
= dns_cache_check_conflicts(&scope
->cache
, rr
, p
->family
, &p
->sender
);
1006 dns_scope_notify_conflict(scope
, rr
);
1010 void dns_scope_dump(DnsScope
*s
, FILE *f
) {
1016 fputs("[Scope protocol=", f
);
1017 fputs(dns_protocol_to_string(s
->protocol
), f
);
1020 fputs(" interface=", f
);
1021 fputs(s
->link
->name
, f
);
1024 if (s
->family
!= AF_UNSPEC
) {
1025 fputs(" family=", f
);
1026 fputs(af_to_name(s
->family
), f
);
1031 if (!dns_zone_is_empty(&s
->zone
)) {
1032 fputs("ZONE:\n", f
);
1033 dns_zone_dump(&s
->zone
, f
);
1036 if (!dns_cache_is_empty(&s
->cache
)) {
1037 fputs("CACHE:\n", f
);
1038 dns_cache_dump(&s
->cache
, f
);
1042 DnsSearchDomain
*dns_scope_get_search_domains(DnsScope
*s
) {
1045 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1049 return s
->link
->search_domains
;
1051 return s
->manager
->search_domains
;
1054 bool dns_scope_name_needs_search_domain(DnsScope
*s
, const char *name
) {
1057 if (s
->protocol
!= DNS_PROTOCOL_DNS
)
1060 return dns_name_is_single_label(name
);
1063 bool dns_scope_network_good(DnsScope
*s
) {
1064 /* Checks whether the network is in good state for lookups on this scope. For mDNS/LLMNR/Classic DNS scopes
1065 * bound to links this is easy, as they don't even exist if the link isn't in a suitable state. For the global
1066 * DNS scope we check whether there are any links that are up and have an address. */
1071 return manager_routable(s
->manager
, AF_UNSPEC
);
1074 int dns_scope_ifindex(DnsScope
*s
) {
1078 return s
->link
->ifindex
;
1083 static int on_announcement_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
1084 DnsScope
*scope
= userdata
;
1088 scope
->announce_event_source
= sd_event_source_unref(scope
->announce_event_source
);
1090 (void) dns_scope_announce(scope
, false);
1094 int dns_scope_announce(DnsScope
*scope
, bool goodbye
) {
1095 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
1096 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1097 _cleanup_set_free_ Set
*types
= NULL
;
1108 if (scope
->protocol
!= DNS_PROTOCOL_MDNS
)
1111 /* Check if we're done with probing. */
1112 LIST_FOREACH(transactions_by_scope
, t
, scope
->transactions
)
1113 if (DNS_TRANSACTION_IS_LIVE(t
->state
))
1116 /* Check if there're services pending conflict resolution. */
1117 if (manager_next_dnssd_names(scope
->manager
))
1118 return 0; /* we reach this point only if changing hostname didn't help */
1120 /* Calculate answer's size. */
1121 HASHMAP_FOREACH(z
, scope
->zone
.by_key
, iterator
) {
1122 if (z
->state
!= DNS_ZONE_ITEM_ESTABLISHED
)
1125 if (z
->rr
->key
->type
== DNS_TYPE_PTR
&&
1126 !dns_zone_contains_name(&scope
->zone
, z
->rr
->ptr
.name
)) {
1127 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
1129 log_debug("Skip PTR RR <%s> since its counterparts seem to be withdrawn", dns_resource_key_to_string(z
->rr
->key
, key_str
, sizeof key_str
));
1130 z
->state
= DNS_ZONE_ITEM_WITHDRAWN
;
1134 /* Collect service types for _services._dns-sd._udp.local RRs in a set */
1135 if (!scope
->announced
&&
1136 dns_resource_key_is_dnssd_ptr(z
->rr
->key
)) {
1137 if (!set_contains(types
, dns_resource_key_name(z
->rr
->key
))) {
1138 r
= set_ensure_allocated(&types
, &dns_name_hash_ops
);
1140 return log_debug_errno(r
, "Failed to allocate set: %m");
1142 r
= set_put(types
, dns_resource_key_name(z
->rr
->key
));
1144 return log_debug_errno(r
, "Failed to add item to set: %m");
1148 LIST_FOREACH(by_key
, i
, z
)
1152 answer
= dns_answer_new(size
+ set_size(types
));
1156 /* Second iteration, actually add RRs to the answer. */
1157 HASHMAP_FOREACH(z
, scope
->zone
.by_key
, iterator
)
1158 LIST_FOREACH (by_key
, i
, z
) {
1159 DnsAnswerFlags flags
;
1161 if (i
->state
!= DNS_ZONE_ITEM_ESTABLISHED
)
1164 if (dns_resource_key_is_dnssd_ptr(i
->rr
->key
))
1165 flags
= goodbye
? DNS_ANSWER_GOODBYE
: 0;
1167 flags
= goodbye
? (DNS_ANSWER_GOODBYE
|DNS_ANSWER_CACHE_FLUSH
) : DNS_ANSWER_CACHE_FLUSH
;
1169 r
= dns_answer_add(answer
, i
->rr
, 0 , flags
);
1171 return log_debug_errno(r
, "Failed to add RR to announce: %m");
1174 /* Since all the active services are in the zone make them discoverable now. */
1175 SET_FOREACH(service_type
, types
, iterator
) {
1176 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
;
1178 rr
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_PTR
,
1179 "_services._dns-sd._udp.local");
1180 rr
->ptr
.name
= strdup(service_type
);
1181 rr
->ttl
= MDNS_DEFAULT_TTL
;
1183 r
= dns_zone_put(&scope
->zone
, scope
, rr
, false);
1185 log_warning_errno(r
, "Failed to add DNS-SD PTR record to MDNS zone: %m");
1187 r
= dns_answer_add(answer
, rr
, 0 , 0);
1189 return log_debug_errno(r
, "Failed to add RR to announce: %m");
1192 if (dns_answer_isempty(answer
))
1195 r
= dns_scope_make_reply_packet(scope
, 0, DNS_RCODE_SUCCESS
, NULL
, answer
, NULL
, false, &p
);
1197 return log_debug_errno(r
, "Failed to build reply packet: %m");
1199 r
= dns_scope_emit_udp(scope
, -1, p
);
1201 return log_debug_errno(r
, "Failed to send reply packet: %m");
1203 /* In section 8.3 of RFC6762: "The Multicast DNS responder MUST send at least two unsolicited
1204 * responses, one second apart." */
1205 if (!scope
->announced
) {
1208 scope
->announced
= true;
1210 assert_se(sd_event_now(scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1211 ts
+= MDNS_ANNOUNCE_DELAY
;
1213 r
= sd_event_add_time(
1214 scope
->manager
->event
,
1215 &scope
->announce_event_source
,
1216 clock_boottime_or_monotonic(),
1218 MDNS_JITTER_RANGE_USEC
,
1219 on_announcement_timeout
, scope
);
1221 return log_debug_errno(r
, "Failed to schedule second announcement: %m");
1223 (void) sd_event_source_set_description(scope
->announce_event_source
, "mdns-announce");
1229 int dns_scope_add_dnssd_services(DnsScope
*scope
) {
1231 DnssdService
*service
;
1232 DnssdTxtData
*txt_data
;
1237 if (hashmap_size(scope
->manager
->dnssd_services
) == 0)
1240 scope
->announced
= false;
1242 HASHMAP_FOREACH(service
, scope
->manager
->dnssd_services
, i
) {
1243 service
->withdrawn
= false;
1245 r
= dns_zone_put(&scope
->zone
, scope
, service
->ptr_rr
, false);
1247 log_warning_errno(r
, "Failed to add PTR record to MDNS zone: %m");
1249 r
= dns_zone_put(&scope
->zone
, scope
, service
->srv_rr
, true);
1251 log_warning_errno(r
, "Failed to add SRV record to MDNS zone: %m");
1253 LIST_FOREACH(items
, txt_data
, service
->txt_data_items
) {
1254 r
= dns_zone_put(&scope
->zone
, scope
, txt_data
->rr
, true);
1256 log_warning_errno(r
, "Failed to add TXT record to MDNS zone: %m");
1263 int dns_scope_remove_dnssd_services(DnsScope
*scope
) {
1264 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1266 DnssdService
*service
;
1267 DnssdTxtData
*txt_data
;
1272 key
= dns_resource_key_new(DNS_CLASS_IN
, DNS_TYPE_PTR
,
1273 "_services._dns-sd._udp.local");
1277 r
= dns_zone_remove_rrs_by_key(&scope
->zone
, key
);
1281 HASHMAP_FOREACH(service
, scope
->manager
->dnssd_services
, i
) {
1282 dns_zone_remove_rr(&scope
->zone
, service
->ptr_rr
);
1283 dns_zone_remove_rr(&scope
->zone
, service
->srv_rr
);
1284 LIST_FOREACH(items
, txt_data
, service
->txt_data_items
)
1285 dns_zone_remove_rr(&scope
->zone
, txt_data
->rr
);