git.ipfire.org Git - thirdparty/systemd.git/commit - src/resolve/resolved-dns-server.c

author	Martin Pitt <martin.pitt@ubuntu.com>
	Fri, 30 Sep 2016 07:30:08 +0000 (09:30 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Fri, 30 Sep 2016 07:30:08 +0000 (09:30 +0200)
commit	b9fe94cad99968a58e169592d999306fd059eb14
tree	d791e9c45716a8842338f0ec4ac3562b79dfc751	tree \| snapshot
parent	a86b76753d7868c2d05f046f601bc7dc89fc2203	commit \| diff

resolved: don't query domain-limited DNS servers for other domains (#3621)

DNS servers which have route-only domains should only be used for
the specified domains. Routing queries about other domains there is a privacy
violation, prone to fail (as that DNS server was not meant to be used for other
domains), and puts unnecessary load onto that server.

Introduce a new helper function dns_server_limited_domains() that checks if the
DNS server should only be used for some selected domains, i. e. has some
route-only domains without "~.". Use that when determining whether to query it
in the scope, and when writing resolv.conf.

Extend the test_route_only_dns() case to ensure that the DNS server limited to
~company does not appear in resolv.conf. Add test_route_only_dns_all_domains()
to ensure that a server that also has ~. does appear in resolv.conf as global
name server. These reproduce #3420.

Add a new test_resolved_domain_restricted_dns() test case that verifies that
domain-limited DNS servers are only being used for those domains. This
reproduces #3421.

Clarify what a "routing domain" is in the manpage.

Fixes #3420
Fixes #3421

man/systemd.network.xml		diff \| blob \| blame \| history
src/resolve/resolved-dns-scope.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-server.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-server.h		diff \| blob \| blame \| history
src/resolve/resolved-resolv-conf.c		diff \| blob \| blame \| history
test/networkd-test.py		diff \| blob \| blame \| history