1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2014 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include "sd-messages.h"
23 #include "alloc-util.h"
24 #include "resolved-dns-server.h"
25 #include "resolved-dns-stub.h"
26 #include "resolved-resolv-conf.h"
27 #include "siphash24.h"
28 #include "string-table.h"
29 #include "string-util.h"
31 /* After how much time to repeat classic DNS requests */
32 #define DNS_TIMEOUT_MIN_USEC (750 * USEC_PER_MSEC)
33 #define DNS_TIMEOUT_MAX_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
35 /* The amount of time to wait before retrying with a full feature set */
36 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC (6 * USEC_PER_HOUR)
37 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC (5 * USEC_PER_MINUTE)
39 /* The number of times we will attempt a certain feature set before degrading */
40 #define DNS_SERVER_FEATURE_RETRY_ATTEMPTS 3
48 const union in_addr_union
*in_addr
,
54 assert((type
== DNS_SERVER_LINK
) == !!l
);
57 if (!IN_SET(family
, AF_INET
, AF_INET6
))
61 if (l
->n_dns_servers
>= LINK_DNS_SERVERS_MAX
)
64 if (m
->n_dns_servers
>= MANAGER_DNS_SERVERS_MAX
)
68 s
= new0(DnsServer
, 1);
76 s
->address
= *in_addr
;
79 dns_server_reset_features(s
);
85 LIST_APPEND(servers
, l
->dns_servers
, s
);
89 case DNS_SERVER_SYSTEM
:
90 LIST_APPEND(servers
, m
->dns_servers
, s
);
94 case DNS_SERVER_FALLBACK
:
95 LIST_APPEND(servers
, m
->fallback_dns_servers
, s
);
100 assert_not_reached("Unknown server type");
105 /* A new DNS server that isn't fallback is added and the one
106 * we used so far was a fallback one? Then let's try to pick
108 if (type
!= DNS_SERVER_FALLBACK
&&
109 m
->current_dns_server
&&
110 m
->current_dns_server
->type
== DNS_SERVER_FALLBACK
)
111 manager_set_dns_server(m
, NULL
);
119 DnsServer
* dns_server_ref(DnsServer
*s
) {
123 assert(s
->n_ref
> 0);
129 DnsServer
* dns_server_unref(DnsServer
*s
) {
133 assert(s
->n_ref
> 0);
139 free(s
->server_string
);
143 void dns_server_unlink(DnsServer
*s
) {
147 /* This removes the specified server from the linked list of
148 * servers, but any server might still stay around if it has
149 * refs, for example from an ongoing transaction. */
156 case DNS_SERVER_LINK
:
158 assert(s
->link
->n_dns_servers
> 0);
159 LIST_REMOVE(servers
, s
->link
->dns_servers
, s
);
160 s
->link
->n_dns_servers
--;
163 case DNS_SERVER_SYSTEM
:
164 assert(s
->manager
->n_dns_servers
> 0);
165 LIST_REMOVE(servers
, s
->manager
->dns_servers
, s
);
166 s
->manager
->n_dns_servers
--;
169 case DNS_SERVER_FALLBACK
:
170 assert(s
->manager
->n_dns_servers
> 0);
171 LIST_REMOVE(servers
, s
->manager
->fallback_dns_servers
, s
);
172 s
->manager
->n_dns_servers
--;
178 if (s
->link
&& s
->link
->current_dns_server
== s
)
179 link_set_dns_server(s
->link
, NULL
);
181 if (s
->manager
->current_dns_server
== s
)
182 manager_set_dns_server(s
->manager
, NULL
);
187 void dns_server_move_back_and_unmark(DnsServer
*s
) {
197 if (!s
->linked
|| !s
->servers_next
)
200 /* Move us to the end of the list, so that the order is
201 * strictly kept, if we are not at the end anyway. */
205 case DNS_SERVER_LINK
:
207 LIST_FIND_TAIL(servers
, s
, tail
);
208 LIST_REMOVE(servers
, s
->link
->dns_servers
, s
);
209 LIST_INSERT_AFTER(servers
, s
->link
->dns_servers
, tail
, s
);
212 case DNS_SERVER_SYSTEM
:
213 LIST_FIND_TAIL(servers
, s
, tail
);
214 LIST_REMOVE(servers
, s
->manager
->dns_servers
, s
);
215 LIST_INSERT_AFTER(servers
, s
->manager
->dns_servers
, tail
, s
);
218 case DNS_SERVER_FALLBACK
:
219 LIST_FIND_TAIL(servers
, s
, tail
);
220 LIST_REMOVE(servers
, s
->manager
->fallback_dns_servers
, s
);
221 LIST_INSERT_AFTER(servers
, s
->manager
->fallback_dns_servers
, tail
, s
);
225 assert_not_reached("Unknown server type");
229 static void dns_server_verified(DnsServer
*s
, DnsServerFeatureLevel level
) {
232 if (s
->verified_feature_level
> level
)
235 if (s
->verified_feature_level
!= level
) {
236 log_debug("Verified we get a response at feature level %s from DNS server %s.",
237 dns_server_feature_level_to_string(level
),
238 dns_server_string(s
));
239 s
->verified_feature_level
= level
;
242 assert_se(sd_event_now(s
->manager
->event
, clock_boottime_or_monotonic(), &s
->verified_usec
) >= 0);
245 static void dns_server_reset_counters(DnsServer
*s
) {
250 s
->packet_truncated
= false;
251 s
->verified_usec
= 0;
253 /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
254 * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
255 * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
256 * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
259 * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
260 * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
261 * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
265 void dns_server_packet_received(DnsServer
*s
, int protocol
, DnsServerFeatureLevel level
, usec_t rtt
, size_t size
) {
268 if (protocol
== IPPROTO_UDP
) {
269 if (s
->possible_feature_level
== level
)
272 /* If the RRSIG data is missing, then we can only validate EDNS0 at max */
273 if (s
->packet_rrsig_missing
&& level
>= DNS_SERVER_FEATURE_LEVEL_DO
)
274 level
= DNS_SERVER_FEATURE_LEVEL_DO
- 1;
276 /* If the OPT RR got lost, then we can only validate UDP at max */
277 if (s
->packet_bad_opt
&& level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
)
278 level
= DNS_SERVER_FEATURE_LEVEL_EDNS0
- 1;
280 /* Even if we successfully receive a reply to a request announcing support for large packets,
281 that does not mean we can necessarily receive large packets. */
282 if (level
== DNS_SERVER_FEATURE_LEVEL_LARGE
)
283 level
= DNS_SERVER_FEATURE_LEVEL_LARGE
- 1;
285 } else if (protocol
== IPPROTO_TCP
) {
287 if (s
->possible_feature_level
== level
)
290 /* Successful TCP connections are only useful to verify the TCP feature level. */
291 level
= DNS_SERVER_FEATURE_LEVEL_TCP
;
294 dns_server_verified(s
, level
);
296 /* Remember the size of the largest UDP packet we received from a server,
297 we know that we can always announce support for packets with at least
299 if (protocol
== IPPROTO_UDP
&& s
->received_udp_packet_max
< size
)
300 s
->received_udp_packet_max
= size
;
302 if (s
->max_rtt
< rtt
) {
304 s
->resend_timeout
= CLAMP(s
->max_rtt
* 2, DNS_TIMEOUT_MIN_USEC
, DNS_TIMEOUT_MAX_USEC
);
305 } else if (s
->resend_timeout
> rtt
)
306 /* If we received the packet faster than the resend_timeout, bias
307 * the resend_timeout back to the rtt. */
308 s
->resend_timeout
= CLAMP((2 * s
->resend_timeout
+ rtt
) / 3, DNS_TIMEOUT_MIN_USEC
, DNS_TIMEOUT_MAX_USEC
);
311 void dns_server_packet_lost(DnsServer
*s
, int protocol
, DnsServerFeatureLevel level
, usec_t usec
) {
315 if (s
->possible_feature_level
== level
) {
316 if (protocol
== IPPROTO_UDP
)
318 else if (protocol
== IPPROTO_TCP
)
322 if (s
->resend_timeout
> usec
)
325 s
->resend_timeout
= MIN(s
->resend_timeout
* 2, DNS_TIMEOUT_MAX_USEC
);
328 void dns_server_packet_truncated(DnsServer
*s
, DnsServerFeatureLevel level
) {
331 /* Invoked whenever we get a packet with TC bit set. */
333 if (s
->possible_feature_level
!= level
)
336 s
->packet_truncated
= true;
339 void dns_server_packet_rrsig_missing(DnsServer
*s
, DnsServerFeatureLevel level
) {
342 if (level
< DNS_SERVER_FEATURE_LEVEL_DO
)
345 /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
346 if (s
->verified_feature_level
>= DNS_SERVER_FEATURE_LEVEL_DO
)
347 s
->verified_feature_level
= DNS_SERVER_FEATURE_LEVEL_DO
-1;
349 s
->packet_rrsig_missing
= true;
352 void dns_server_packet_bad_opt(DnsServer
*s
, DnsServerFeatureLevel level
) {
355 if (level
< DNS_SERVER_FEATURE_LEVEL_EDNS0
)
358 /* If the OPT RR got lost, we have to downgrade what we previously verified */
359 if (s
->verified_feature_level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
)
360 s
->verified_feature_level
= DNS_SERVER_FEATURE_LEVEL_EDNS0
-1;
362 s
->packet_bad_opt
= true;
365 void dns_server_packet_rcode_downgrade(DnsServer
*s
, DnsServerFeatureLevel level
) {
368 /* Invoked whenever we got a FORMERR, SERVFAIL or NOTIMP rcode from a server and downgrading the feature level
369 * for the transaction made it go away. In this case we immediately downgrade to the feature level that made
372 if (s
->verified_feature_level
> level
)
373 s
->verified_feature_level
= level
;
375 if (s
->possible_feature_level
> level
) {
376 s
->possible_feature_level
= level
;
377 dns_server_reset_counters(s
);
380 log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", dns_server_string(s
));
383 static bool dns_server_grace_period_expired(DnsServer
*s
) {
389 if (s
->verified_usec
== 0)
392 assert_se(sd_event_now(s
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
394 if (s
->verified_usec
+ s
->features_grace_period_usec
> ts
)
397 s
->features_grace_period_usec
= MIN(s
->features_grace_period_usec
* 2, DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC
);
402 DnsServerFeatureLevel
dns_server_possible_feature_level(DnsServer
*s
) {
403 DnsServerFeatureLevel best
;
407 /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
408 * better than EDNS0, hence don't even try. */
409 best
= dns_server_get_dnssec_mode(s
) == DNSSEC_NO
?
410 DNS_SERVER_FEATURE_LEVEL_EDNS0
:
411 DNS_SERVER_FEATURE_LEVEL_BEST
;
413 /* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last
414 * time, hence let's downgrade if we are still at a higher level. */
415 if (s
->possible_feature_level
> best
)
416 s
->possible_feature_level
= best
;
418 if (s
->possible_feature_level
< best
&& dns_server_grace_period_expired(s
)) {
420 s
->possible_feature_level
= best
;
422 dns_server_reset_counters(s
);
424 s
->packet_bad_opt
= false;
425 s
->packet_rrsig_missing
= false;
427 log_info("Grace period over, resuming full feature set (%s) for DNS server %s.",
428 dns_server_feature_level_to_string(s
->possible_feature_level
),
429 dns_server_string(s
));
431 dns_server_flush_cache(s
);
433 } else if (s
->possible_feature_level
<= s
->verified_feature_level
)
434 s
->possible_feature_level
= s
->verified_feature_level
;
436 DnsServerFeatureLevel p
= s
->possible_feature_level
;
438 if (s
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
439 s
->possible_feature_level
== DNS_SERVER_FEATURE_LEVEL_TCP
) {
441 /* We are at the TCP (lowest) level, and we tried a couple of TCP connections, and it didn't
442 * work. Upgrade back to UDP again. */
443 log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
444 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_UDP
;
446 } else if (s
->packet_bad_opt
&&
447 s
->possible_feature_level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
) {
449 /* A reply to one of our EDNS0 queries didn't carry a valid OPT RR, then downgrade to below
450 * EDNS0 levels. After all, some records generate different responses with and without OPT RR
451 * in the request. Example:
452 * https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
454 log_debug("Server doesn't support EDNS(0) properly, downgrading feature level...");
455 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_UDP
;
457 } else if (s
->packet_rrsig_missing
&&
458 s
->possible_feature_level
>= DNS_SERVER_FEATURE_LEVEL_DO
) {
460 /* RRSIG data was missing on a EDNS0 packet with DO bit set. This means the server doesn't
461 * augment responses with DNSSEC RRs. If so, let's better not ask the server for it anymore,
462 * after all some servers generate different replies depending if an OPT RR is in the query or
465 log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
466 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_EDNS0
;
468 } else if (s
->n_failed_udp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
469 s
->possible_feature_level
>= (dns_server_get_dnssec_mode(s
) == DNSSEC_YES
? DNS_SERVER_FEATURE_LEVEL_LARGE
: DNS_SERVER_FEATURE_LEVEL_UDP
)) {
471 /* We lost too many UDP packets in a row, and are on a feature level of UDP or higher. If the
472 * packets are lost, maybe the server cannot parse them, hence downgrading sounds like a good
473 * idea. We might downgrade all the way down to TCP this way.
475 * If strict DNSSEC mode is used we won't downgrade below DO level however, as packet loss
476 * might have many reasons, a broken DNSSEC implementation being only one reason. And if the
477 * user is strict on DNSSEC, then let's assume that DNSSEC is not the fault here. */
479 log_debug("Lost too many UDP packets, downgrading feature level...");
480 s
->possible_feature_level
--;
482 } else if (s
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
483 s
->packet_truncated
&&
484 s
->possible_feature_level
> (dns_server_get_dnssec_mode(s
) == DNSSEC_YES
? DNS_SERVER_FEATURE_LEVEL_LARGE
: DNS_SERVER_FEATURE_LEVEL_UDP
)) {
486 /* We got too many TCP connection failures in a row, we had at least one truncated packet, and
487 * are on a feature level above UDP. By downgrading things and getting rid of DNSSEC or EDNS0
488 * data we hope to make the packet smaller, so that it still works via UDP given that TCP
489 * appears not to be a fallback. Note that if we are already at the lowest UDP level, we don't
490 * go further down, since that's TCP, and TCP failed too often after all. */
492 log_debug("Got too many failed TCP connection failures and truncated UDP packets, downgrading feature level...");
493 s
->possible_feature_level
--;
496 if (p
!= s
->possible_feature_level
) {
498 /* We changed the feature level, reset the counting */
499 dns_server_reset_counters(s
);
501 log_warning("Using degraded feature set (%s) for DNS server %s.",
502 dns_server_feature_level_to_string(s
->possible_feature_level
),
503 dns_server_string(s
));
507 return s
->possible_feature_level
;
510 int dns_server_adjust_opt(DnsServer
*server
, DnsPacket
*packet
, DnsServerFeatureLevel level
) {
517 assert(packet
->protocol
== DNS_PROTOCOL_DNS
);
519 /* Fix the OPT field in the packet to match our current feature level. */
521 r
= dns_packet_truncate_opt(packet
);
525 if (level
< DNS_SERVER_FEATURE_LEVEL_EDNS0
)
528 edns_do
= level
>= DNS_SERVER_FEATURE_LEVEL_DO
;
530 if (level
>= DNS_SERVER_FEATURE_LEVEL_LARGE
)
531 packet_size
= DNS_PACKET_UNICAST_SIZE_LARGE_MAX
;
533 packet_size
= server
->received_udp_packet_max
;
535 return dns_packet_append_opt(packet
, packet_size
, edns_do
, 0, NULL
);
538 int dns_server_ifindex(const DnsServer
*s
) {
541 /* The link ifindex always takes precedence */
543 return s
->link
->ifindex
;
551 const char *dns_server_string(DnsServer
*server
) {
554 if (!server
->server_string
)
555 (void) in_addr_ifindex_to_string(server
->family
, &server
->address
, dns_server_ifindex(server
), &server
->server_string
);
557 return strna(server
->server_string
);
560 bool dns_server_dnssec_supported(DnsServer
*server
) {
563 /* Returns whether the server supports DNSSEC according to what we know about it */
565 if (server
->possible_feature_level
< DNS_SERVER_FEATURE_LEVEL_DO
)
568 if (server
->packet_bad_opt
)
571 if (server
->packet_rrsig_missing
)
574 /* DNSSEC servers need to support TCP properly (see RFC5966), if they don't, we assume DNSSEC is borked too */
575 if (server
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
)
581 void dns_server_warn_downgrade(DnsServer
*server
) {
584 if (server
->warned_downgrade
)
587 log_struct(LOG_NOTICE
,
588 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_DOWNGRADE_STR
,
589 LOG_MESSAGE("Server %s does not support DNSSEC, downgrading to non-DNSSEC mode.", dns_server_string(server
)),
590 "DNS_SERVER=%s", dns_server_string(server
),
591 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(server
->possible_feature_level
),
594 server
->warned_downgrade
= true;
597 bool dns_server_limited_domains(DnsServer
*server
) {
598 DnsSearchDomain
*domain
;
599 bool domain_restricted
= false;
601 /* Check if the server has route-only domains without ~., i. e. whether
602 * it should only be used for particular domains */
606 LIST_FOREACH(domains
, domain
, server
->link
->search_domains
)
607 if (domain
->route_only
) {
608 domain_restricted
= true;
609 /* ~. means "any domain", thus it is a global server */
610 if (dns_name_is_root(DNS_SEARCH_DOMAIN_NAME(domain
)))
614 return domain_restricted
;
617 static void dns_server_hash_func(const void *p
, struct siphash
*state
) {
618 const DnsServer
*s
= p
;
622 siphash24_compress(&s
->family
, sizeof(s
->family
), state
);
623 siphash24_compress(&s
->address
, FAMILY_ADDRESS_SIZE(s
->family
), state
);
624 siphash24_compress(&s
->ifindex
, sizeof(s
->ifindex
), state
);
627 static int dns_server_compare_func(const void *a
, const void *b
) {
628 const DnsServer
*x
= a
, *y
= b
;
631 if (x
->family
< y
->family
)
633 if (x
->family
> y
->family
)
636 r
= memcmp(&x
->address
, &y
->address
, FAMILY_ADDRESS_SIZE(x
->family
));
640 if (x
->ifindex
< y
->ifindex
)
642 if (x
->ifindex
> y
->ifindex
)
648 const struct hash_ops dns_server_hash_ops
= {
649 .hash
= dns_server_hash_func
,
650 .compare
= dns_server_compare_func
653 void dns_server_unlink_all(DnsServer
*first
) {
659 next
= first
->servers_next
;
660 dns_server_unlink(first
);
662 dns_server_unlink_all(next
);
665 void dns_server_unlink_marked(DnsServer
*first
) {
671 next
= first
->servers_next
;
674 dns_server_unlink(first
);
676 dns_server_unlink_marked(next
);
679 void dns_server_mark_all(DnsServer
*first
) {
683 first
->marked
= true;
684 dns_server_mark_all(first
->servers_next
);
687 DnsServer
*dns_server_find(DnsServer
*first
, int family
, const union in_addr_union
*in_addr
, int ifindex
) {
690 LIST_FOREACH(servers
, s
, first
)
691 if (s
->family
== family
&& in_addr_equal(family
, &s
->address
, in_addr
) > 0 && s
->ifindex
== ifindex
)
697 DnsServer
*manager_get_first_dns_server(Manager
*m
, DnsServerType t
) {
702 case DNS_SERVER_SYSTEM
:
703 return m
->dns_servers
;
705 case DNS_SERVER_FALLBACK
:
706 return m
->fallback_dns_servers
;
713 DnsServer
*manager_set_dns_server(Manager
*m
, DnsServer
*s
) {
716 if (m
->current_dns_server
== s
)
720 log_debug("Switching to %s DNS server %s.",
721 dns_server_type_to_string(s
->type
),
722 dns_server_string(s
));
724 dns_server_unref(m
->current_dns_server
);
725 m
->current_dns_server
= dns_server_ref(s
);
727 if (m
->unicast_scope
)
728 dns_cache_flush(&m
->unicast_scope
->cache
);
733 DnsServer
*manager_get_dns_server(Manager
*m
) {
737 /* Try to read updates resolv.conf */
738 manager_read_resolv_conf(m
);
740 /* If no DNS server was chosen so far, pick the first one */
741 if (!m
->current_dns_server
)
742 manager_set_dns_server(m
, m
->dns_servers
);
744 if (!m
->current_dns_server
) {
748 /* No DNS servers configured, let's see if there are
749 * any on any links. If not, we use the fallback
752 HASHMAP_FOREACH(l
, m
->links
, i
)
753 if (l
->dns_servers
) {
759 manager_set_dns_server(m
, m
->fallback_dns_servers
);
762 return m
->current_dns_server
;
765 void manager_next_dns_server(Manager
*m
) {
768 /* If there's currently no DNS server set, then the next
769 * manager_get_dns_server() will find one */
770 if (!m
->current_dns_server
)
773 /* Change to the next one, but make sure to follow the linked
774 * list only if the server is still linked. */
775 if (m
->current_dns_server
->linked
&& m
->current_dns_server
->servers_next
) {
776 manager_set_dns_server(m
, m
->current_dns_server
->servers_next
);
780 /* If there was no next one, then start from the beginning of
782 if (m
->current_dns_server
->type
== DNS_SERVER_FALLBACK
)
783 manager_set_dns_server(m
, m
->fallback_dns_servers
);
785 manager_set_dns_server(m
, m
->dns_servers
);
788 bool dns_server_address_valid(int family
, const union in_addr_union
*sa
) {
790 /* Refuses the 0 IP addresses as well as 127.0.0.53 (which is our own DNS stub) */
792 if (in_addr_is_null(family
, sa
))
795 if (family
== AF_INET
&& sa
->in
.s_addr
== htobe32(INADDR_DNS_STUB
))
801 DnssecMode
dns_server_get_dnssec_mode(DnsServer
*s
) {
805 return link_get_dnssec_mode(s
->link
);
807 return manager_get_dnssec_mode(s
->manager
);
810 void dns_server_flush_cache(DnsServer
*s
) {
816 /* Flush the cache of the scope this server belongs to */
818 current
= s
->link
? s
->link
->current_dns_server
: s
->manager
->current_dns_server
;
822 scope
= s
->link
? s
->link
->unicast_scope
: s
->manager
->unicast_scope
;
826 dns_cache_flush(&scope
->cache
);
829 void dns_server_reset_features(DnsServer
*s
) {
833 s
->resend_timeout
= DNS_TIMEOUT_MIN_USEC
;
835 s
->verified_feature_level
= _DNS_SERVER_FEATURE_LEVEL_INVALID
;
836 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_BEST
;
838 s
->received_udp_packet_max
= DNS_PACKET_UNICAST_SIZE_MAX
;
840 s
->packet_bad_opt
= false;
841 s
->packet_rrsig_missing
= false;
843 s
->features_grace_period_usec
= DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC
;
845 s
->warned_downgrade
= false;
847 dns_server_reset_counters(s
);
850 void dns_server_reset_features_all(DnsServer
*s
) {
853 LIST_FOREACH(servers
, i
, s
)
854 dns_server_reset_features(i
);
857 void dns_server_dump(DnsServer
*s
, FILE *f
) {
863 fputs("[Server ", f
);
864 fputs(dns_server_string(s
), f
);
866 fputs(dns_server_type_to_string(s
->type
), f
);
868 if (s
->type
== DNS_SERVER_LINK
) {
871 fputs(" interface=", f
);
872 fputs(s
->link
->name
, f
);
877 fputs("\tVerified feature level: ", f
);
878 fputs(strna(dns_server_feature_level_to_string(s
->verified_feature_level
)), f
);
881 fputs("\tPossible feature level: ", f
);
882 fputs(strna(dns_server_feature_level_to_string(s
->possible_feature_level
)), f
);
885 fputs("\tDNSSEC Mode: ", f
);
886 fputs(strna(dnssec_mode_to_string(dns_server_get_dnssec_mode(s
))), f
);
889 fputs("\tCan do DNSSEC: ", f
);
890 fputs(yes_no(dns_server_dnssec_supported(s
)), f
);
894 "\tMaximum UDP packet size received: %zu\n"
895 "\tFailed UDP attempts: %u\n"
896 "\tFailed TCP attempts: %u\n"
897 "\tSeen truncated packet: %s\n"
898 "\tSeen OPT RR getting lost: %s\n"
899 "\tSeen RRSIG RR missing: %s\n",
900 s
->received_udp_packet_max
,
903 yes_no(s
->packet_truncated
),
904 yes_no(s
->packet_bad_opt
),
905 yes_no(s
->packet_rrsig_missing
));
908 static const char* const dns_server_type_table
[_DNS_SERVER_TYPE_MAX
] = {
909 [DNS_SERVER_SYSTEM
] = "system",
910 [DNS_SERVER_FALLBACK
] = "fallback",
911 [DNS_SERVER_LINK
] = "link",
913 DEFINE_STRING_TABLE_LOOKUP(dns_server_type
, DnsServerType
);
915 static const char* const dns_server_feature_level_table
[_DNS_SERVER_FEATURE_LEVEL_MAX
] = {
916 [DNS_SERVER_FEATURE_LEVEL_TCP
] = "TCP",
917 [DNS_SERVER_FEATURE_LEVEL_UDP
] = "UDP",
918 [DNS_SERVER_FEATURE_LEVEL_EDNS0
] = "UDP+EDNS0",
919 [DNS_SERVER_FEATURE_LEVEL_DO
] = "UDP+EDNS0+DO",
920 [DNS_SERVER_FEATURE_LEVEL_LARGE
] = "UDP+EDNS0+DO+LARGE",
922 DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level
, DnsServerFeatureLevel
);