1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #include "sd-messages.h"
5 #include "alloc-util.h"
6 #include "resolved-dns-server.h"
7 #include "resolved-dns-stub.h"
8 #include "resolved-resolv-conf.h"
10 #include "string-table.h"
11 #include "string-util.h"
13 /* The amount of time to wait before retrying with a full feature set */
14 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC (6 * USEC_PER_HOUR)
15 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC (5 * USEC_PER_MINUTE)
17 /* The number of times we will attempt a certain feature set before degrading */
18 #define DNS_SERVER_FEATURE_RETRY_ATTEMPTS 3
26 const union in_addr_union
*in_addr
,
32 assert((type
== DNS_SERVER_LINK
) == !!l
);
35 if (!IN_SET(family
, AF_INET
, AF_INET6
))
39 if (l
->n_dns_servers
>= LINK_DNS_SERVERS_MAX
)
42 if (m
->n_dns_servers
>= MANAGER_DNS_SERVERS_MAX
)
46 s
= new(DnsServer
, 1);
59 dns_server_reset_features(s
);
65 LIST_APPEND(servers
, l
->dns_servers
, s
);
69 case DNS_SERVER_SYSTEM
:
70 LIST_APPEND(servers
, m
->dns_servers
, s
);
74 case DNS_SERVER_FALLBACK
:
75 LIST_APPEND(servers
, m
->fallback_dns_servers
, s
);
80 assert_not_reached("Unknown server type");
85 #if ENABLE_DNS_OVER_TLS
86 dnstls_server_init(s
);
89 /* A new DNS server that isn't fallback is added and the one
90 * we used so far was a fallback one? Then let's try to pick
92 if (type
!= DNS_SERVER_FALLBACK
&&
93 m
->current_dns_server
&&
94 m
->current_dns_server
->type
== DNS_SERVER_FALLBACK
)
95 manager_set_dns_server(m
, NULL
);
103 static DnsServer
* dns_server_free(DnsServer
*s
) {
106 dns_server_unref_stream(s
);
108 #if ENABLE_DNS_OVER_TLS
109 dnstls_server_free(s
);
112 free(s
->server_string
);
116 DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsServer
, dns_server
, dns_server_free
);
118 void dns_server_unlink(DnsServer
*s
) {
122 /* This removes the specified server from the linked list of
123 * servers, but any server might still stay around if it has
124 * refs, for example from an ongoing transaction. */
131 case DNS_SERVER_LINK
:
133 assert(s
->link
->n_dns_servers
> 0);
134 LIST_REMOVE(servers
, s
->link
->dns_servers
, s
);
135 s
->link
->n_dns_servers
--;
138 case DNS_SERVER_SYSTEM
:
139 assert(s
->manager
->n_dns_servers
> 0);
140 LIST_REMOVE(servers
, s
->manager
->dns_servers
, s
);
141 s
->manager
->n_dns_servers
--;
144 case DNS_SERVER_FALLBACK
:
145 assert(s
->manager
->n_dns_servers
> 0);
146 LIST_REMOVE(servers
, s
->manager
->fallback_dns_servers
, s
);
147 s
->manager
->n_dns_servers
--;
150 assert_not_reached("Unknown server type");
155 if (s
->link
&& s
->link
->current_dns_server
== s
)
156 link_set_dns_server(s
->link
, NULL
);
158 if (s
->manager
->current_dns_server
== s
)
159 manager_set_dns_server(s
->manager
, NULL
);
161 /* No need to keep a default stream around anymore */
162 dns_server_unref_stream(s
);
167 void dns_server_move_back_and_unmark(DnsServer
*s
) {
177 if (!s
->linked
|| !s
->servers_next
)
180 /* Move us to the end of the list, so that the order is
181 * strictly kept, if we are not at the end anyway. */
185 case DNS_SERVER_LINK
:
187 LIST_FIND_TAIL(servers
, s
, tail
);
188 LIST_REMOVE(servers
, s
->link
->dns_servers
, s
);
189 LIST_INSERT_AFTER(servers
, s
->link
->dns_servers
, tail
, s
);
192 case DNS_SERVER_SYSTEM
:
193 LIST_FIND_TAIL(servers
, s
, tail
);
194 LIST_REMOVE(servers
, s
->manager
->dns_servers
, s
);
195 LIST_INSERT_AFTER(servers
, s
->manager
->dns_servers
, tail
, s
);
198 case DNS_SERVER_FALLBACK
:
199 LIST_FIND_TAIL(servers
, s
, tail
);
200 LIST_REMOVE(servers
, s
->manager
->fallback_dns_servers
, s
);
201 LIST_INSERT_AFTER(servers
, s
->manager
->fallback_dns_servers
, tail
, s
);
205 assert_not_reached("Unknown server type");
209 static void dns_server_verified(DnsServer
*s
, DnsServerFeatureLevel level
) {
212 if (s
->verified_feature_level
> level
)
215 if (s
->verified_feature_level
!= level
) {
216 log_debug("Verified we get a response at feature level %s from DNS server %s.",
217 dns_server_feature_level_to_string(level
),
218 dns_server_string(s
));
219 s
->verified_feature_level
= level
;
222 assert_se(sd_event_now(s
->manager
->event
, clock_boottime_or_monotonic(), &s
->verified_usec
) >= 0);
225 static void dns_server_reset_counters(DnsServer
*s
) {
231 s
->packet_truncated
= false;
232 s
->verified_usec
= 0;
234 /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
235 * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
236 * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
237 * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
240 * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
241 * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
242 * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
246 void dns_server_packet_received(DnsServer
*s
, int protocol
, DnsServerFeatureLevel level
, size_t size
) {
249 if (protocol
== IPPROTO_UDP
) {
250 if (s
->possible_feature_level
== level
)
252 } else if (protocol
== IPPROTO_TCP
) {
253 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
)) {
254 if (s
->possible_feature_level
== level
)
257 if (s
->possible_feature_level
== level
)
260 /* Successful TCP connections are only useful to verify the TCP feature level. */
261 level
= DNS_SERVER_FEATURE_LEVEL_TCP
;
265 /* If the RRSIG data is missing, then we can only validate EDNS0 at max */
266 if (s
->packet_rrsig_missing
&& level
>= DNS_SERVER_FEATURE_LEVEL_DO
)
267 level
= DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
: DNS_SERVER_FEATURE_LEVEL_EDNS0
;
269 /* If the OPT RR got lost, then we can only validate UDP at max */
270 if (s
->packet_bad_opt
&& level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
)
271 level
= DNS_SERVER_FEATURE_LEVEL_EDNS0
- 1;
273 /* Even if we successfully receive a reply to a request announcing support for large packets,
274 that does not mean we can necessarily receive large packets. */
275 if (level
== DNS_SERVER_FEATURE_LEVEL_LARGE
)
276 level
= DNS_SERVER_FEATURE_LEVEL_LARGE
- 1;
278 dns_server_verified(s
, level
);
280 /* Remember the size of the largest UDP packet we received from a server,
281 we know that we can always announce support for packets with at least
283 if (protocol
== IPPROTO_UDP
&& s
->received_udp_packet_max
< size
)
284 s
->received_udp_packet_max
= size
;
287 void dns_server_packet_lost(DnsServer
*s
, int protocol
, DnsServerFeatureLevel level
) {
291 if (s
->possible_feature_level
== level
) {
292 if (protocol
== IPPROTO_UDP
)
294 else if (protocol
== IPPROTO_TCP
) {
295 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
))
303 void dns_server_packet_truncated(DnsServer
*s
, DnsServerFeatureLevel level
) {
306 /* Invoked whenever we get a packet with TC bit set. */
308 if (s
->possible_feature_level
!= level
)
311 s
->packet_truncated
= true;
314 void dns_server_packet_rrsig_missing(DnsServer
*s
, DnsServerFeatureLevel level
) {
317 if (level
< DNS_SERVER_FEATURE_LEVEL_DO
)
320 /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
321 if (s
->verified_feature_level
>= DNS_SERVER_FEATURE_LEVEL_DO
)
322 s
->verified_feature_level
= DNS_SERVER_FEATURE_LEVEL_IS_TLS(level
) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
: DNS_SERVER_FEATURE_LEVEL_EDNS0
;
324 s
->packet_rrsig_missing
= true;
327 void dns_server_packet_bad_opt(DnsServer
*s
, DnsServerFeatureLevel level
) {
330 if (level
< DNS_SERVER_FEATURE_LEVEL_EDNS0
)
333 /* If the OPT RR got lost, we have to downgrade what we previously verified */
334 if (s
->verified_feature_level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
)
335 s
->verified_feature_level
= DNS_SERVER_FEATURE_LEVEL_EDNS0
-1;
337 s
->packet_bad_opt
= true;
340 void dns_server_packet_rcode_downgrade(DnsServer
*s
, DnsServerFeatureLevel level
) {
343 /* Invoked whenever we got a FORMERR, SERVFAIL or NOTIMP rcode from a server and downgrading the feature level
344 * for the transaction made it go away. In this case we immediately downgrade to the feature level that made
347 if (s
->verified_feature_level
> level
)
348 s
->verified_feature_level
= level
;
350 if (s
->possible_feature_level
> level
) {
351 s
->possible_feature_level
= level
;
352 dns_server_reset_counters(s
);
355 log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", dns_server_string(s
));
358 static bool dns_server_grace_period_expired(DnsServer
*s
) {
364 if (s
->verified_usec
== 0)
367 assert_se(sd_event_now(s
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
369 if (s
->verified_usec
+ s
->features_grace_period_usec
> ts
)
372 s
->features_grace_period_usec
= MIN(s
->features_grace_period_usec
* 2, DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC
);
377 DnsServerFeatureLevel
dns_server_possible_feature_level(DnsServer
*s
) {
378 DnsServerFeatureLevel best
;
382 /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
383 * better than EDNS0, hence don't even try. */
384 if (dns_server_get_dnssec_mode(s
) != DNSSEC_NO
)
385 best
= dns_server_get_dns_over_tls_mode(s
) == DNS_OVER_TLS_NO
?
386 DNS_SERVER_FEATURE_LEVEL_LARGE
:
387 DNS_SERVER_FEATURE_LEVEL_TLS_DO
;
389 best
= dns_server_get_dns_over_tls_mode(s
) == DNS_OVER_TLS_NO
?
390 DNS_SERVER_FEATURE_LEVEL_EDNS0
:
391 DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
;
393 /* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last
394 * time, hence let's downgrade if we are still at a higher level. */
395 if (s
->possible_feature_level
> best
)
396 s
->possible_feature_level
= best
;
398 if (s
->possible_feature_level
< best
&& dns_server_grace_period_expired(s
)) {
400 s
->possible_feature_level
= best
;
402 dns_server_reset_counters(s
);
404 s
->packet_bad_opt
= false;
405 s
->packet_rrsig_missing
= false;
407 log_info("Grace period over, resuming full feature set (%s) for DNS server %s.",
408 dns_server_feature_level_to_string(s
->possible_feature_level
),
409 dns_server_string(s
));
411 dns_server_flush_cache(s
);
413 } else if (s
->possible_feature_level
<= s
->verified_feature_level
)
414 s
->possible_feature_level
= s
->verified_feature_level
;
416 DnsServerFeatureLevel p
= s
->possible_feature_level
;
418 if (s
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
419 s
->possible_feature_level
== DNS_SERVER_FEATURE_LEVEL_TCP
) {
421 /* We are at the TCP (lowest) level, and we tried a couple of TCP connections, and it didn't
422 * work. Upgrade back to UDP again. */
423 log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
424 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_UDP
;
425 } else if (s
->n_failed_tls
> 0 &&
426 DNS_SERVER_FEATURE_LEVEL_IS_TLS(s
->possible_feature_level
)) {
428 /* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP
429 * if we don't require DNS-over-TLS */
431 log_debug("Server doesn't support DNS-over-TLS, downgrading protocol...");
432 s
->possible_feature_level
--;
433 } else if (s
->packet_bad_opt
&&
434 s
->possible_feature_level
>= DNS_SERVER_FEATURE_LEVEL_EDNS0
) {
436 /* A reply to one of our EDNS0 queries didn't carry a valid OPT RR, then downgrade to below
437 * EDNS0 levels. After all, some records generate different responses with and without OPT RR
438 * in the request. Example:
439 * https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
441 log_debug("Server doesn't support EDNS(0) properly, downgrading feature level...");
442 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_UDP
;
444 } else if (s
->packet_rrsig_missing
&&
445 s
->possible_feature_level
>= DNS_SERVER_FEATURE_LEVEL_DO
) {
447 /* RRSIG data was missing on a EDNS0 packet with DO bit set. This means the server doesn't
448 * augment responses with DNSSEC RRs. If so, let's better not ask the server for it anymore,
449 * after all some servers generate different replies depending if an OPT RR is in the query or
452 log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
453 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_IS_TLS(s
->possible_feature_level
) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
: DNS_SERVER_FEATURE_LEVEL_EDNS0
;
455 } else if (s
->n_failed_udp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
456 s
->possible_feature_level
>= (dns_server_get_dnssec_mode(s
) == DNSSEC_YES
? DNS_SERVER_FEATURE_LEVEL_LARGE
: DNS_SERVER_FEATURE_LEVEL_UDP
)) {
458 /* We lost too many UDP packets in a row, and are on a feature level of UDP or higher. If the
459 * packets are lost, maybe the server cannot parse them, hence downgrading sounds like a good
460 * idea. We might downgrade all the way down to TCP this way.
462 * If strict DNSSEC mode is used we won't downgrade below DO level however, as packet loss
463 * might have many reasons, a broken DNSSEC implementation being only one reason. And if the
464 * user is strict on DNSSEC, then let's assume that DNSSEC is not the fault here. */
466 log_debug("Lost too many UDP packets, downgrading feature level...");
467 s
->possible_feature_level
--;
469 } else if (s
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
&&
470 s
->packet_truncated
&&
471 s
->possible_feature_level
> (dns_server_get_dnssec_mode(s
) == DNSSEC_YES
? DNS_SERVER_FEATURE_LEVEL_LARGE
: DNS_SERVER_FEATURE_LEVEL_UDP
)) {
473 /* We got too many TCP connection failures in a row, we had at least one truncated packet, and
474 * are on a feature level above UDP. By downgrading things and getting rid of DNSSEC or EDNS0
475 * data we hope to make the packet smaller, so that it still works via UDP given that TCP
476 * appears not to be a fallback. Note that if we are already at the lowest UDP level, we don't
477 * go further down, since that's TCP, and TCP failed too often after all. */
479 log_debug("Got too many failed TCP connection failures and truncated UDP packets, downgrading feature level...");
480 s
->possible_feature_level
--;
483 if (p
!= s
->possible_feature_level
) {
485 /* We changed the feature level, reset the counting */
486 dns_server_reset_counters(s
);
488 log_warning("Using degraded feature set (%s) for DNS server %s.",
489 dns_server_feature_level_to_string(s
->possible_feature_level
),
490 dns_server_string(s
));
494 return s
->possible_feature_level
;
497 int dns_server_adjust_opt(DnsServer
*server
, DnsPacket
*packet
, DnsServerFeatureLevel level
) {
504 assert(packet
->protocol
== DNS_PROTOCOL_DNS
);
506 /* Fix the OPT field in the packet to match our current feature level. */
508 r
= dns_packet_truncate_opt(packet
);
512 if (level
< DNS_SERVER_FEATURE_LEVEL_EDNS0
)
515 edns_do
= level
>= DNS_SERVER_FEATURE_LEVEL_DO
;
517 if (level
>= DNS_SERVER_FEATURE_LEVEL_LARGE
)
518 packet_size
= DNS_PACKET_UNICAST_SIZE_LARGE_MAX
;
520 packet_size
= server
->received_udp_packet_max
;
522 return dns_packet_append_opt(packet
, packet_size
, edns_do
, 0, NULL
);
525 int dns_server_ifindex(const DnsServer
*s
) {
528 /* The link ifindex always takes precedence */
530 return s
->link
->ifindex
;
538 const char *dns_server_string(DnsServer
*server
) {
541 if (!server
->server_string
)
542 (void) in_addr_ifindex_to_string(server
->family
, &server
->address
, dns_server_ifindex(server
), &server
->server_string
);
544 return strna(server
->server_string
);
547 bool dns_server_dnssec_supported(DnsServer
*server
) {
550 /* Returns whether the server supports DNSSEC according to what we know about it */
552 if (server
->possible_feature_level
< DNS_SERVER_FEATURE_LEVEL_DO
)
555 if (server
->packet_bad_opt
)
558 if (server
->packet_rrsig_missing
)
561 /* DNSSEC servers need to support TCP properly (see RFC5966), if they don't, we assume DNSSEC is borked too */
562 if (server
->n_failed_tcp
>= DNS_SERVER_FEATURE_RETRY_ATTEMPTS
)
568 void dns_server_warn_downgrade(DnsServer
*server
) {
571 if (server
->warned_downgrade
)
574 log_struct(LOG_NOTICE
,
575 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_DOWNGRADE_STR
,
576 LOG_MESSAGE("Server %s does not support DNSSEC, downgrading to non-DNSSEC mode.", dns_server_string(server
)),
577 "DNS_SERVER=%s", dns_server_string(server
),
578 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(server
->possible_feature_level
));
580 server
->warned_downgrade
= true;
583 bool dns_server_limited_domains(DnsServer
*server
) {
584 DnsSearchDomain
*domain
;
585 bool domain_restricted
= false;
587 /* Check if the server has route-only domains without ~., i. e. whether
588 * it should only be used for particular domains */
592 LIST_FOREACH(domains
, domain
, server
->link
->search_domains
)
593 if (domain
->route_only
) {
594 domain_restricted
= true;
595 /* ~. means "any domain", thus it is a global server */
596 if (dns_name_is_root(DNS_SEARCH_DOMAIN_NAME(domain
)))
600 return domain_restricted
;
603 static void dns_server_hash_func(const DnsServer
*s
, struct siphash
*state
) {
606 siphash24_compress(&s
->family
, sizeof(s
->family
), state
);
607 siphash24_compress(&s
->address
, FAMILY_ADDRESS_SIZE(s
->family
), state
);
608 siphash24_compress(&s
->ifindex
, sizeof(s
->ifindex
), state
);
611 static int dns_server_compare_func(const DnsServer
*x
, const DnsServer
*y
) {
614 r
= CMP(x
->family
, y
->family
);
618 r
= memcmp(&x
->address
, &y
->address
, FAMILY_ADDRESS_SIZE(x
->family
));
622 r
= CMP(x
->ifindex
, y
->ifindex
);
629 DEFINE_HASH_OPS(dns_server_hash_ops
, DnsServer
, dns_server_hash_func
, dns_server_compare_func
);
631 void dns_server_unlink_all(DnsServer
*first
) {
637 next
= first
->servers_next
;
638 dns_server_unlink(first
);
640 dns_server_unlink_all(next
);
643 void dns_server_unlink_marked(DnsServer
*first
) {
649 next
= first
->servers_next
;
652 dns_server_unlink(first
);
654 dns_server_unlink_marked(next
);
657 void dns_server_mark_all(DnsServer
*first
) {
661 first
->marked
= true;
662 dns_server_mark_all(first
->servers_next
);
665 DnsServer
*dns_server_find(DnsServer
*first
, int family
, const union in_addr_union
*in_addr
, int ifindex
) {
668 LIST_FOREACH(servers
, s
, first
)
669 if (s
->family
== family
&& in_addr_equal(family
, &s
->address
, in_addr
) > 0 && s
->ifindex
== ifindex
)
675 DnsServer
*manager_get_first_dns_server(Manager
*m
, DnsServerType t
) {
680 case DNS_SERVER_SYSTEM
:
681 return m
->dns_servers
;
683 case DNS_SERVER_FALLBACK
:
684 return m
->fallback_dns_servers
;
691 DnsServer
*manager_set_dns_server(Manager
*m
, DnsServer
*s
) {
694 if (m
->current_dns_server
== s
)
698 log_debug("Switching to %s DNS server %s.",
699 dns_server_type_to_string(s
->type
),
700 dns_server_string(s
));
702 dns_server_unref(m
->current_dns_server
);
703 m
->current_dns_server
= dns_server_ref(s
);
705 if (m
->unicast_scope
)
706 dns_cache_flush(&m
->unicast_scope
->cache
);
711 DnsServer
*manager_get_dns_server(Manager
*m
) {
715 /* Try to read updates resolv.conf */
716 manager_read_resolv_conf(m
);
718 /* If no DNS server was chosen so far, pick the first one */
719 if (!m
->current_dns_server
)
720 manager_set_dns_server(m
, m
->dns_servers
);
722 if (!m
->current_dns_server
) {
726 /* No DNS servers configured, let's see if there are
727 * any on any links. If not, we use the fallback
730 HASHMAP_FOREACH(l
, m
->links
, i
)
731 if (l
->dns_servers
) {
737 manager_set_dns_server(m
, m
->fallback_dns_servers
);
740 return m
->current_dns_server
;
743 void manager_next_dns_server(Manager
*m
) {
746 /* If there's currently no DNS server set, then the next
747 * manager_get_dns_server() will find one */
748 if (!m
->current_dns_server
)
751 /* Change to the next one, but make sure to follow the linked
752 * list only if the server is still linked. */
753 if (m
->current_dns_server
->linked
&& m
->current_dns_server
->servers_next
) {
754 manager_set_dns_server(m
, m
->current_dns_server
->servers_next
);
758 /* If there was no next one, then start from the beginning of
760 if (m
->current_dns_server
->type
== DNS_SERVER_FALLBACK
)
761 manager_set_dns_server(m
, m
->fallback_dns_servers
);
763 manager_set_dns_server(m
, m
->dns_servers
);
766 bool dns_server_address_valid(int family
, const union in_addr_union
*sa
) {
768 /* Refuses the 0 IP addresses as well as 127.0.0.53 (which is our own DNS stub) */
770 if (in_addr_is_null(family
, sa
))
773 if (family
== AF_INET
&& sa
->in
.s_addr
== htobe32(INADDR_DNS_STUB
))
779 DnssecMode
dns_server_get_dnssec_mode(DnsServer
*s
) {
783 return link_get_dnssec_mode(s
->link
);
785 return manager_get_dnssec_mode(s
->manager
);
788 DnsOverTlsMode
dns_server_get_dns_over_tls_mode(DnsServer
*s
) {
792 return link_get_dns_over_tls_mode(s
->link
);
794 return manager_get_dns_over_tls_mode(s
->manager
);
797 void dns_server_flush_cache(DnsServer
*s
) {
803 /* Flush the cache of the scope this server belongs to */
805 current
= s
->link
? s
->link
->current_dns_server
: s
->manager
->current_dns_server
;
809 scope
= s
->link
? s
->link
->unicast_scope
: s
->manager
->unicast_scope
;
813 dns_cache_flush(&scope
->cache
);
816 void dns_server_reset_features(DnsServer
*s
) {
819 s
->verified_feature_level
= _DNS_SERVER_FEATURE_LEVEL_INVALID
;
820 s
->possible_feature_level
= DNS_SERVER_FEATURE_LEVEL_BEST
;
822 s
->received_udp_packet_max
= DNS_PACKET_UNICAST_SIZE_MAX
;
824 s
->packet_bad_opt
= false;
825 s
->packet_rrsig_missing
= false;
827 s
->features_grace_period_usec
= DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC
;
829 s
->warned_downgrade
= false;
831 dns_server_reset_counters(s
);
833 /* Let's close the default stream, so that we reprobe with the new features */
834 dns_server_unref_stream(s
);
837 void dns_server_reset_features_all(DnsServer
*s
) {
840 LIST_FOREACH(servers
, i
, s
)
841 dns_server_reset_features(i
);
844 void dns_server_dump(DnsServer
*s
, FILE *f
) {
850 fputs("[Server ", f
);
851 fputs(dns_server_string(s
), f
);
853 fputs(dns_server_type_to_string(s
->type
), f
);
855 if (s
->type
== DNS_SERVER_LINK
) {
858 fputs(" interface=", f
);
859 fputs(s
->link
->name
, f
);
864 fputs("\tVerified feature level: ", f
);
865 fputs(strna(dns_server_feature_level_to_string(s
->verified_feature_level
)), f
);
868 fputs("\tPossible feature level: ", f
);
869 fputs(strna(dns_server_feature_level_to_string(s
->possible_feature_level
)), f
);
872 fputs("\tDNSSEC Mode: ", f
);
873 fputs(strna(dnssec_mode_to_string(dns_server_get_dnssec_mode(s
))), f
);
876 fputs("\tCan do DNSSEC: ", f
);
877 fputs(yes_no(dns_server_dnssec_supported(s
)), f
);
881 "\tMaximum UDP packet size received: %zu\n"
882 "\tFailed UDP attempts: %u\n"
883 "\tFailed TCP attempts: %u\n"
884 "\tSeen truncated packet: %s\n"
885 "\tSeen OPT RR getting lost: %s\n"
886 "\tSeen RRSIG RR missing: %s\n",
887 s
->received_udp_packet_max
,
890 yes_no(s
->packet_truncated
),
891 yes_no(s
->packet_bad_opt
),
892 yes_no(s
->packet_rrsig_missing
));
895 void dns_server_unref_stream(DnsServer
*s
) {
900 /* Detaches the default stream of this server. Some special care needs to be taken here, as that stream and
901 * this server reference each other. First, take the stream out of the server. It's destructor will check if it
902 * is registered with us, hence let's invalidate this separatly, so that it is already unregistered. */
903 ref
= TAKE_PTR(s
->stream
);
905 /* And then, unref it */
906 dns_stream_unref(ref
);
909 static const char* const dns_server_type_table
[_DNS_SERVER_TYPE_MAX
] = {
910 [DNS_SERVER_SYSTEM
] = "system",
911 [DNS_SERVER_FALLBACK
] = "fallback",
912 [DNS_SERVER_LINK
] = "link",
914 DEFINE_STRING_TABLE_LOOKUP(dns_server_type
, DnsServerType
);
916 static const char* const dns_server_feature_level_table
[_DNS_SERVER_FEATURE_LEVEL_MAX
] = {
917 [DNS_SERVER_FEATURE_LEVEL_TCP
] = "TCP",
918 [DNS_SERVER_FEATURE_LEVEL_UDP
] = "UDP",
919 [DNS_SERVER_FEATURE_LEVEL_EDNS0
] = "UDP+EDNS0",
920 [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN
] = "TLS+EDNS0",
921 [DNS_SERVER_FEATURE_LEVEL_DO
] = "UDP+EDNS0+DO",
922 [DNS_SERVER_FEATURE_LEVEL_LARGE
] = "UDP+EDNS0+DO+LARGE",
923 [DNS_SERVER_FEATURE_LEVEL_TLS_DO
] = "TLS+EDNS0+D0",
925 DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level
, DnsServerFeatureLevel
);