]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-server.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #7881 from keszybz/pcre
[thirdparty/systemd.git] / src / resolve / resolved-dns-server.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2014 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include "sd-messages.h"
22
23 #include "alloc-util.h"
24 #include "resolved-dns-server.h"
25 #include "resolved-dns-stub.h"
26 #include "resolved-resolv-conf.h"
27 #include "siphash24.h"
28 #include "string-table.h"
29 #include "string-util.h"
30
31 /* After how much time to repeat classic DNS requests */
32 #define DNS_TIMEOUT_MIN_USEC (750 * USEC_PER_MSEC)
33 #define DNS_TIMEOUT_MAX_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
34
35 /* The amount of time to wait before retrying with a full feature set */
36 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC (6 * USEC_PER_HOUR)
37 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC (5 * USEC_PER_MINUTE)
38
39 /* The number of times we will attempt a certain feature set before degrading */
40 #define DNS_SERVER_FEATURE_RETRY_ATTEMPTS 3
41
42 int dns_server_new(
43 Manager *m,
44 DnsServer **ret,
45 DnsServerType type,
46 Link *l,
47 int family,
48 const union in_addr_union *in_addr,
49 int ifindex) {
50
51 DnsServer *s;
52
53 assert(m);
54 assert((type == DNS_SERVER_LINK) == !!l);
55 assert(in_addr);
56
57 if (!IN_SET(family, AF_INET, AF_INET6))
58 return -EAFNOSUPPORT;
59
60 if (l) {
61 if (l->n_dns_servers >= LINK_DNS_SERVERS_MAX)
62 return -E2BIG;
63 } else {
64 if (m->n_dns_servers >= MANAGER_DNS_SERVERS_MAX)
65 return -E2BIG;
66 }
67
68 s = new0(DnsServer, 1);
69 if (!s)
70 return -ENOMEM;
71
72 s->n_ref = 1;
73 s->manager = m;
74 s->type = type;
75 s->family = family;
76 s->address = *in_addr;
77 s->ifindex = ifindex;
78
79 dns_server_reset_features(s);
80
81 switch (type) {
82
83 case DNS_SERVER_LINK:
84 s->link = l;
85 LIST_APPEND(servers, l->dns_servers, s);
86 l->n_dns_servers++;
87 break;
88
89 case DNS_SERVER_SYSTEM:
90 LIST_APPEND(servers, m->dns_servers, s);
91 m->n_dns_servers++;
92 break;
93
94 case DNS_SERVER_FALLBACK:
95 LIST_APPEND(servers, m->fallback_dns_servers, s);
96 m->n_dns_servers++;
97 break;
98
99 default:
100 assert_not_reached("Unknown server type");
101 }
102
103 s->linked = true;
104
105 /* A new DNS server that isn't fallback is added and the one
106 * we used so far was a fallback one? Then let's try to pick
107 * the new one */
108 if (type != DNS_SERVER_FALLBACK &&
109 m->current_dns_server &&
110 m->current_dns_server->type == DNS_SERVER_FALLBACK)
111 manager_set_dns_server(m, NULL);
112
113 if (ret)
114 *ret = s;
115
116 return 0;
117 }
118
119 DnsServer* dns_server_ref(DnsServer *s) {
120 if (!s)
121 return NULL;
122
123 assert(s->n_ref > 0);
124 s->n_ref++;
125
126 return s;
127 }
128
129 DnsServer* dns_server_unref(DnsServer *s) {
130 if (!s)
131 return NULL;
132
133 assert(s->n_ref > 0);
134 s->n_ref--;
135
136 if (s->n_ref > 0)
137 return NULL;
138
139 free(s->server_string);
140 return mfree(s);
141 }
142
143 void dns_server_unlink(DnsServer *s) {
144 assert(s);
145 assert(s->manager);
146
147 /* This removes the specified server from the linked list of
148 * servers, but any server might still stay around if it has
149 * refs, for example from an ongoing transaction. */
150
151 if (!s->linked)
152 return;
153
154 switch (s->type) {
155
156 case DNS_SERVER_LINK:
157 assert(s->link);
158 assert(s->link->n_dns_servers > 0);
159 LIST_REMOVE(servers, s->link->dns_servers, s);
160 s->link->n_dns_servers--;
161 break;
162
163 case DNS_SERVER_SYSTEM:
164 assert(s->manager->n_dns_servers > 0);
165 LIST_REMOVE(servers, s->manager->dns_servers, s);
166 s->manager->n_dns_servers--;
167 break;
168
169 case DNS_SERVER_FALLBACK:
170 assert(s->manager->n_dns_servers > 0);
171 LIST_REMOVE(servers, s->manager->fallback_dns_servers, s);
172 s->manager->n_dns_servers--;
173 break;
174 }
175
176 s->linked = false;
177
178 if (s->link && s->link->current_dns_server == s)
179 link_set_dns_server(s->link, NULL);
180
181 if (s->manager->current_dns_server == s)
182 manager_set_dns_server(s->manager, NULL);
183
184 dns_server_unref(s);
185 }
186
187 void dns_server_move_back_and_unmark(DnsServer *s) {
188 DnsServer *tail;
189
190 assert(s);
191
192 if (!s->marked)
193 return;
194
195 s->marked = false;
196
197 if (!s->linked || !s->servers_next)
198 return;
199
200 /* Move us to the end of the list, so that the order is
201 * strictly kept, if we are not at the end anyway. */
202
203 switch (s->type) {
204
205 case DNS_SERVER_LINK:
206 assert(s->link);
207 LIST_FIND_TAIL(servers, s, tail);
208 LIST_REMOVE(servers, s->link->dns_servers, s);
209 LIST_INSERT_AFTER(servers, s->link->dns_servers, tail, s);
210 break;
211
212 case DNS_SERVER_SYSTEM:
213 LIST_FIND_TAIL(servers, s, tail);
214 LIST_REMOVE(servers, s->manager->dns_servers, s);
215 LIST_INSERT_AFTER(servers, s->manager->dns_servers, tail, s);
216 break;
217
218 case DNS_SERVER_FALLBACK:
219 LIST_FIND_TAIL(servers, s, tail);
220 LIST_REMOVE(servers, s->manager->fallback_dns_servers, s);
221 LIST_INSERT_AFTER(servers, s->manager->fallback_dns_servers, tail, s);
222 break;
223
224 default:
225 assert_not_reached("Unknown server type");
226 }
227 }
228
229 static void dns_server_verified(DnsServer *s, DnsServerFeatureLevel level) {
230 assert(s);
231
232 if (s->verified_feature_level > level)
233 return;
234
235 if (s->verified_feature_level != level) {
236 log_debug("Verified we get a response at feature level %s from DNS server %s.",
237 dns_server_feature_level_to_string(level),
238 dns_server_string(s));
239 s->verified_feature_level = level;
240 }
241
242 assert_se(sd_event_now(s->manager->event, clock_boottime_or_monotonic(), &s->verified_usec) >= 0);
243 }
244
245 static void dns_server_reset_counters(DnsServer *s) {
246 assert(s);
247
248 s->n_failed_udp = 0;
249 s->n_failed_tcp = 0;
250 s->packet_truncated = false;
251 s->verified_usec = 0;
252
253 /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
254 * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
255 * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
256 * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
257 * either.
258 *
259 * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
260 * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
261 * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
262 * incomplete. */
263 }
264
265 void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t rtt, size_t size) {
266 assert(s);
267
268 if (protocol == IPPROTO_UDP) {
269 if (s->possible_feature_level == level)
270 s->n_failed_udp = 0;
271
272 /* If the RRSIG data is missing, then we can only validate EDNS0 at max */
273 if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO)
274 level = DNS_SERVER_FEATURE_LEVEL_DO - 1;
275
276 /* If the OPT RR got lost, then we can only validate UDP at max */
277 if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
278 level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1;
279
280 /* Even if we successfully receive a reply to a request announcing support for large packets,
281 that does not mean we can necessarily receive large packets. */
282 if (level == DNS_SERVER_FEATURE_LEVEL_LARGE)
283 level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1;
284
285 } else if (protocol == IPPROTO_TCP) {
286
287 if (s->possible_feature_level == level)
288 s->n_failed_tcp = 0;
289
290 /* Successful TCP connections are only useful to verify the TCP feature level. */
291 level = DNS_SERVER_FEATURE_LEVEL_TCP;
292 }
293
294 dns_server_verified(s, level);
295
296 /* Remember the size of the largest UDP packet we received from a server,
297 we know that we can always announce support for packets with at least
298 this size. */
299 if (protocol == IPPROTO_UDP && s->received_udp_packet_max < size)
300 s->received_udp_packet_max = size;
301
302 if (s->max_rtt < rtt) {
303 s->max_rtt = rtt;
304 s->resend_timeout = CLAMP(s->max_rtt * 2, DNS_TIMEOUT_MIN_USEC, DNS_TIMEOUT_MAX_USEC);
305 } else if (s->resend_timeout > rtt)
306 /* If we received the packet faster than the resend_timeout, bias
307 * the resend_timeout back to the rtt. */
308 s->resend_timeout = CLAMP((2 * s->resend_timeout + rtt) / 3, DNS_TIMEOUT_MIN_USEC, DNS_TIMEOUT_MAX_USEC);
309 }
310
311 void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t usec) {
312 assert(s);
313 assert(s->manager);
314
315 if (s->possible_feature_level == level) {
316 if (protocol == IPPROTO_UDP)
317 s->n_failed_udp++;
318 else if (protocol == IPPROTO_TCP)
319 s->n_failed_tcp++;
320 }
321
322 if (s->resend_timeout > usec)
323 return;
324
325 s->resend_timeout = MIN(s->resend_timeout * 2, DNS_TIMEOUT_MAX_USEC);
326 }
327
328 void dns_server_packet_truncated(DnsServer *s, DnsServerFeatureLevel level) {
329 assert(s);
330
331 /* Invoked whenever we get a packet with TC bit set. */
332
333 if (s->possible_feature_level != level)
334 return;
335
336 s->packet_truncated = true;
337 }
338
339 void dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level) {
340 assert(s);
341
342 if (level < DNS_SERVER_FEATURE_LEVEL_DO)
343 return;
344
345 /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
346 if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO)
347 s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_DO-1;
348
349 s->packet_rrsig_missing = true;
350 }
351
352 void dns_server_packet_bad_opt(DnsServer *s, DnsServerFeatureLevel level) {
353 assert(s);
354
355 if (level < DNS_SERVER_FEATURE_LEVEL_EDNS0)
356 return;
357
358 /* If the OPT RR got lost, we have to downgrade what we previously verified */
359 if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
360 s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0-1;
361
362 s->packet_bad_opt = true;
363 }
364
365 void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level) {
366 assert(s);
367
368 /* Invoked whenever we got a FORMERR, SERVFAIL or NOTIMP rcode from a server and downgrading the feature level
369 * for the transaction made it go away. In this case we immediately downgrade to the feature level that made
370 * things work. */
371
372 if (s->verified_feature_level > level)
373 s->verified_feature_level = level;
374
375 if (s->possible_feature_level > level) {
376 s->possible_feature_level = level;
377 dns_server_reset_counters(s);
378 }
379
380 log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", dns_server_string(s));
381 }
382
383 static bool dns_server_grace_period_expired(DnsServer *s) {
384 usec_t ts;
385
386 assert(s);
387 assert(s->manager);
388
389 if (s->verified_usec == 0)
390 return false;
391
392 assert_se(sd_event_now(s->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
393
394 if (s->verified_usec + s->features_grace_period_usec > ts)
395 return false;
396
397 s->features_grace_period_usec = MIN(s->features_grace_period_usec * 2, DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC);
398
399 return true;
400 }
401
402 DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
403 DnsServerFeatureLevel best;
404
405 assert(s);
406
407 /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
408 * better than EDNS0, hence don't even try. */
409 best = dns_server_get_dnssec_mode(s) == DNSSEC_NO ?
410 DNS_SERVER_FEATURE_LEVEL_EDNS0 :
411 DNS_SERVER_FEATURE_LEVEL_BEST;
412
413 /* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last
414 * time, hence let's downgrade if we are still at a higher level. */
415 if (s->possible_feature_level > best)
416 s->possible_feature_level = best;
417
418 if (s->possible_feature_level < best && dns_server_grace_period_expired(s)) {
419
420 s->possible_feature_level = best;
421
422 dns_server_reset_counters(s);
423
424 s->packet_bad_opt = false;
425 s->packet_rrsig_missing = false;
426
427 log_info("Grace period over, resuming full feature set (%s) for DNS server %s.",
428 dns_server_feature_level_to_string(s->possible_feature_level),
429 dns_server_string(s));
430
431 dns_server_flush_cache(s);
432
433 } else if (s->possible_feature_level <= s->verified_feature_level)
434 s->possible_feature_level = s->verified_feature_level;
435 else {
436 DnsServerFeatureLevel p = s->possible_feature_level;
437
438 if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
439 s->possible_feature_level == DNS_SERVER_FEATURE_LEVEL_TCP) {
440
441 /* We are at the TCP (lowest) level, and we tried a couple of TCP connections, and it didn't
442 * work. Upgrade back to UDP again. */
443 log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
444 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
445
446 } else if (s->packet_bad_opt &&
447 s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
448
449 /* A reply to one of our EDNS0 queries didn't carry a valid OPT RR, then downgrade to below
450 * EDNS0 levels. After all, some records generate different responses with and without OPT RR
451 * in the request. Example:
452 * https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
453
454 log_debug("Server doesn't support EDNS(0) properly, downgrading feature level...");
455 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
456
457 } else if (s->packet_rrsig_missing &&
458 s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO) {
459
460 /* RRSIG data was missing on a EDNS0 packet with DO bit set. This means the server doesn't
461 * augment responses with DNSSEC RRs. If so, let's better not ask the server for it anymore,
462 * after all some servers generate different replies depending if an OPT RR is in the query or
463 * not. */
464
465 log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
466 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0;
467
468 } else if (s->n_failed_udp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
469 s->possible_feature_level >= (dns_server_get_dnssec_mode(s) == DNSSEC_YES ? DNS_SERVER_FEATURE_LEVEL_LARGE : DNS_SERVER_FEATURE_LEVEL_UDP)) {
470
471 /* We lost too many UDP packets in a row, and are on a feature level of UDP or higher. If the
472 * packets are lost, maybe the server cannot parse them, hence downgrading sounds like a good
473 * idea. We might downgrade all the way down to TCP this way.
474 *
475 * If strict DNSSEC mode is used we won't downgrade below DO level however, as packet loss
476 * might have many reasons, a broken DNSSEC implementation being only one reason. And if the
477 * user is strict on DNSSEC, then let's assume that DNSSEC is not the fault here. */
478
479 log_debug("Lost too many UDP packets, downgrading feature level...");
480 s->possible_feature_level--;
481
482 } else if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
483 s->packet_truncated &&
484 s->possible_feature_level > (dns_server_get_dnssec_mode(s) == DNSSEC_YES ? DNS_SERVER_FEATURE_LEVEL_LARGE : DNS_SERVER_FEATURE_LEVEL_UDP)) {
485
486 /* We got too many TCP connection failures in a row, we had at least one truncated packet, and
487 * are on a feature level above UDP. By downgrading things and getting rid of DNSSEC or EDNS0
488 * data we hope to make the packet smaller, so that it still works via UDP given that TCP
489 * appears not to be a fallback. Note that if we are already at the lowest UDP level, we don't
490 * go further down, since that's TCP, and TCP failed too often after all. */
491
492 log_debug("Got too many failed TCP connection failures and truncated UDP packets, downgrading feature level...");
493 s->possible_feature_level--;
494 }
495
496 if (p != s->possible_feature_level) {
497
498 /* We changed the feature level, reset the counting */
499 dns_server_reset_counters(s);
500
501 log_warning("Using degraded feature set (%s) for DNS server %s.",
502 dns_server_feature_level_to_string(s->possible_feature_level),
503 dns_server_string(s));
504 }
505 }
506
507 return s->possible_feature_level;
508 }
509
510 int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeatureLevel level) {
511 size_t packet_size;
512 bool edns_do;
513 int r;
514
515 assert(server);
516 assert(packet);
517 assert(packet->protocol == DNS_PROTOCOL_DNS);
518
519 /* Fix the OPT field in the packet to match our current feature level. */
520
521 r = dns_packet_truncate_opt(packet);
522 if (r < 0)
523 return r;
524
525 if (level < DNS_SERVER_FEATURE_LEVEL_EDNS0)
526 return 0;
527
528 edns_do = level >= DNS_SERVER_FEATURE_LEVEL_DO;
529
530 if (level >= DNS_SERVER_FEATURE_LEVEL_LARGE)
531 packet_size = DNS_PACKET_UNICAST_SIZE_LARGE_MAX;
532 else
533 packet_size = server->received_udp_packet_max;
534
535 return dns_packet_append_opt(packet, packet_size, edns_do, 0, NULL);
536 }
537
538 int dns_server_ifindex(const DnsServer *s) {
539 assert(s);
540
541 /* The link ifindex always takes precedence */
542 if (s->link)
543 return s->link->ifindex;
544
545 if (s->ifindex > 0)
546 return s->ifindex;
547
548 return 0;
549 }
550
551 const char *dns_server_string(DnsServer *server) {
552 assert(server);
553
554 if (!server->server_string)
555 (void) in_addr_ifindex_to_string(server->family, &server->address, dns_server_ifindex(server), &server->server_string);
556
557 return strna(server->server_string);
558 }
559
560 bool dns_server_dnssec_supported(DnsServer *server) {
561 assert(server);
562
563 /* Returns whether the server supports DNSSEC according to what we know about it */
564
565 if (server->possible_feature_level < DNS_SERVER_FEATURE_LEVEL_DO)
566 return false;
567
568 if (server->packet_bad_opt)
569 return false;
570
571 if (server->packet_rrsig_missing)
572 return false;
573
574 /* DNSSEC servers need to support TCP properly (see RFC5966), if they don't, we assume DNSSEC is borked too */
575 if (server->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS)
576 return false;
577
578 return true;
579 }
580
581 void dns_server_warn_downgrade(DnsServer *server) {
582 assert(server);
583
584 if (server->warned_downgrade)
585 return;
586
587 log_struct(LOG_NOTICE,
588 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_DOWNGRADE_STR,
589 LOG_MESSAGE("Server %s does not support DNSSEC, downgrading to non-DNSSEC mode.", dns_server_string(server)),
590 "DNS_SERVER=%s", dns_server_string(server),
591 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(server->possible_feature_level),
592 NULL);
593
594 server->warned_downgrade = true;
595 }
596
597 bool dns_server_limited_domains(DnsServer *server) {
598 DnsSearchDomain *domain;
599 bool domain_restricted = false;
600
601 /* Check if the server has route-only domains without ~., i. e. whether
602 * it should only be used for particular domains */
603 if (!server->link)
604 return false;
605
606 LIST_FOREACH(domains, domain, server->link->search_domains)
607 if (domain->route_only) {
608 domain_restricted = true;
609 /* ~. means "any domain", thus it is a global server */
610 if (dns_name_is_root(DNS_SEARCH_DOMAIN_NAME(domain)))
611 return false;
612 }
613
614 return domain_restricted;
615 }
616
617 static void dns_server_hash_func(const void *p, struct siphash *state) {
618 const DnsServer *s = p;
619
620 assert(s);
621
622 siphash24_compress(&s->family, sizeof(s->family), state);
623 siphash24_compress(&s->address, FAMILY_ADDRESS_SIZE(s->family), state);
624 siphash24_compress(&s->ifindex, sizeof(s->ifindex), state);
625 }
626
627 static int dns_server_compare_func(const void *a, const void *b) {
628 const DnsServer *x = a, *y = b;
629 int r;
630
631 if (x->family < y->family)
632 return -1;
633 if (x->family > y->family)
634 return 1;
635
636 r = memcmp(&x->address, &y->address, FAMILY_ADDRESS_SIZE(x->family));
637 if (r != 0)
638 return r;
639
640 if (x->ifindex < y->ifindex)
641 return -1;
642 if (x->ifindex > y->ifindex)
643 return 1;
644
645 return 0;
646 }
647
648 const struct hash_ops dns_server_hash_ops = {
649 .hash = dns_server_hash_func,
650 .compare = dns_server_compare_func
651 };
652
653 void dns_server_unlink_all(DnsServer *first) {
654 DnsServer *next;
655
656 if (!first)
657 return;
658
659 next = first->servers_next;
660 dns_server_unlink(first);
661
662 dns_server_unlink_all(next);
663 }
664
665 void dns_server_unlink_marked(DnsServer *first) {
666 DnsServer *next;
667
668 if (!first)
669 return;
670
671 next = first->servers_next;
672
673 if (first->marked)
674 dns_server_unlink(first);
675
676 dns_server_unlink_marked(next);
677 }
678
679 void dns_server_mark_all(DnsServer *first) {
680 if (!first)
681 return;
682
683 first->marked = true;
684 dns_server_mark_all(first->servers_next);
685 }
686
687 DnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr, int ifindex) {
688 DnsServer *s;
689
690 LIST_FOREACH(servers, s, first)
691 if (s->family == family && in_addr_equal(family, &s->address, in_addr) > 0 && s->ifindex == ifindex)
692 return s;
693
694 return NULL;
695 }
696
697 DnsServer *manager_get_first_dns_server(Manager *m, DnsServerType t) {
698 assert(m);
699
700 switch (t) {
701
702 case DNS_SERVER_SYSTEM:
703 return m->dns_servers;
704
705 case DNS_SERVER_FALLBACK:
706 return m->fallback_dns_servers;
707
708 default:
709 return NULL;
710 }
711 }
712
713 DnsServer *manager_set_dns_server(Manager *m, DnsServer *s) {
714 assert(m);
715
716 if (m->current_dns_server == s)
717 return s;
718
719 if (s)
720 log_debug("Switching to %s DNS server %s.",
721 dns_server_type_to_string(s->type),
722 dns_server_string(s));
723
724 dns_server_unref(m->current_dns_server);
725 m->current_dns_server = dns_server_ref(s);
726
727 if (m->unicast_scope)
728 dns_cache_flush(&m->unicast_scope->cache);
729
730 return s;
731 }
732
733 DnsServer *manager_get_dns_server(Manager *m) {
734 Link *l;
735 assert(m);
736
737 /* Try to read updates resolv.conf */
738 manager_read_resolv_conf(m);
739
740 /* If no DNS server was chosen so far, pick the first one */
741 if (!m->current_dns_server)
742 manager_set_dns_server(m, m->dns_servers);
743
744 if (!m->current_dns_server) {
745 bool found = false;
746 Iterator i;
747
748 /* No DNS servers configured, let's see if there are
749 * any on any links. If not, we use the fallback
750 * servers */
751
752 HASHMAP_FOREACH(l, m->links, i)
753 if (l->dns_servers) {
754 found = true;
755 break;
756 }
757
758 if (!found)
759 manager_set_dns_server(m, m->fallback_dns_servers);
760 }
761
762 return m->current_dns_server;
763 }
764
765 void manager_next_dns_server(Manager *m) {
766 assert(m);
767
768 /* If there's currently no DNS server set, then the next
769 * manager_get_dns_server() will find one */
770 if (!m->current_dns_server)
771 return;
772
773 /* Change to the next one, but make sure to follow the linked
774 * list only if the server is still linked. */
775 if (m->current_dns_server->linked && m->current_dns_server->servers_next) {
776 manager_set_dns_server(m, m->current_dns_server->servers_next);
777 return;
778 }
779
780 /* If there was no next one, then start from the beginning of
781 * the list */
782 if (m->current_dns_server->type == DNS_SERVER_FALLBACK)
783 manager_set_dns_server(m, m->fallback_dns_servers);
784 else
785 manager_set_dns_server(m, m->dns_servers);
786 }
787
788 bool dns_server_address_valid(int family, const union in_addr_union *sa) {
789
790 /* Refuses the 0 IP addresses as well as 127.0.0.53 (which is our own DNS stub) */
791
792 if (in_addr_is_null(family, sa))
793 return false;
794
795 if (family == AF_INET && sa->in.s_addr == htobe32(INADDR_DNS_STUB))
796 return false;
797
798 return true;
799 }
800
801 DnssecMode dns_server_get_dnssec_mode(DnsServer *s) {
802 assert(s);
803
804 if (s->link)
805 return link_get_dnssec_mode(s->link);
806
807 return manager_get_dnssec_mode(s->manager);
808 }
809
810 void dns_server_flush_cache(DnsServer *s) {
811 DnsServer *current;
812 DnsScope *scope;
813
814 assert(s);
815
816 /* Flush the cache of the scope this server belongs to */
817
818 current = s->link ? s->link->current_dns_server : s->manager->current_dns_server;
819 if (current != s)
820 return;
821
822 scope = s->link ? s->link->unicast_scope : s->manager->unicast_scope;
823 if (!scope)
824 return;
825
826 dns_cache_flush(&scope->cache);
827 }
828
829 void dns_server_reset_features(DnsServer *s) {
830 assert(s);
831
832 s->max_rtt = 0;
833 s->resend_timeout = DNS_TIMEOUT_MIN_USEC;
834
835 s->verified_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
836 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_BEST;
837
838 s->received_udp_packet_max = DNS_PACKET_UNICAST_SIZE_MAX;
839
840 s->packet_bad_opt = false;
841 s->packet_rrsig_missing = false;
842
843 s->features_grace_period_usec = DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC;
844
845 s->warned_downgrade = false;
846
847 dns_server_reset_counters(s);
848 }
849
850 void dns_server_reset_features_all(DnsServer *s) {
851 DnsServer *i;
852
853 LIST_FOREACH(servers, i, s)
854 dns_server_reset_features(i);
855 }
856
857 void dns_server_dump(DnsServer *s, FILE *f) {
858 assert(s);
859
860 if (!f)
861 f = stdout;
862
863 fputs("[Server ", f);
864 fputs(dns_server_string(s), f);
865 fputs(" type=", f);
866 fputs(dns_server_type_to_string(s->type), f);
867
868 if (s->type == DNS_SERVER_LINK) {
869 assert(s->link);
870
871 fputs(" interface=", f);
872 fputs(s->link->name, f);
873 }
874
875 fputs("]\n", f);
876
877 fputs("\tVerified feature level: ", f);
878 fputs(strna(dns_server_feature_level_to_string(s->verified_feature_level)), f);
879 fputc('\n', f);
880
881 fputs("\tPossible feature level: ", f);
882 fputs(strna(dns_server_feature_level_to_string(s->possible_feature_level)), f);
883 fputc('\n', f);
884
885 fputs("\tDNSSEC Mode: ", f);
886 fputs(strna(dnssec_mode_to_string(dns_server_get_dnssec_mode(s))), f);
887 fputc('\n', f);
888
889 fputs("\tCan do DNSSEC: ", f);
890 fputs(yes_no(dns_server_dnssec_supported(s)), f);
891 fputc('\n', f);
892
893 fprintf(f,
894 "\tMaximum UDP packet size received: %zu\n"
895 "\tFailed UDP attempts: %u\n"
896 "\tFailed TCP attempts: %u\n"
897 "\tSeen truncated packet: %s\n"
898 "\tSeen OPT RR getting lost: %s\n"
899 "\tSeen RRSIG RR missing: %s\n",
900 s->received_udp_packet_max,
901 s->n_failed_udp,
902 s->n_failed_tcp,
903 yes_no(s->packet_truncated),
904 yes_no(s->packet_bad_opt),
905 yes_no(s->packet_rrsig_missing));
906 }
907
908 static const char* const dns_server_type_table[_DNS_SERVER_TYPE_MAX] = {
909 [DNS_SERVER_SYSTEM] = "system",
910 [DNS_SERVER_FALLBACK] = "fallback",
911 [DNS_SERVER_LINK] = "link",
912 };
913 DEFINE_STRING_TABLE_LOOKUP(dns_server_type, DnsServerType);
914
915 static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVEL_MAX] = {
916 [DNS_SERVER_FEATURE_LEVEL_TCP] = "TCP",
917 [DNS_SERVER_FEATURE_LEVEL_UDP] = "UDP",
918 [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0",
919 [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO",
920 [DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE",
921 };
922 DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel);
Unnamed repository; edit this file 'description' to name the repository.