resolved: tweak domain routing logic a bit 7588/head
authorLennart Poettering <lennart@poettering.net>
Fri, 8 Dec 2017 16:21:42 +0000 (17:21 +0100)
committerLennart Poettering <lennart@poettering.net>
Fri, 8 Dec 2017 16:25:08 +0000 (17:25 +0100)
This makes sure that a classic DNS scope that has no DNS servers
assigned is never considered for routing requests to even if it has
matching search/routing domains associated.

This is inspired by #7544, where lookup requests are refused since a
scope with no DNS server is configured. This change does not deliver
what the reporter intended, but is generally useful, as it
makes us more robust to misconfiguration.

src/resolve/resolved-dns-scope.c

index a9071ee73e3ef581ead115f22484ad261a7b7b53..0a121cdcdf1c96295c0709f69742cf2f1128a5f5 100644 (file)
@@ -403,7 +403,6 @@ int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *add
 
 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
         DnsSearchDomain *d;
-        DnsServer *dns_server;
 
         assert(s);
         assert(domain);
@@ -436,24 +435,27 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
         if (dns_name_endswith(domain, "invalid") > 0)
                 return DNS_SCOPE_NO;
 
-        /* Always honour search domains for routing queries. Note that
-         * we return DNS_SCOPE_YES here, rather than just
-         * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
-         * considered anymore. */
-        LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
-                if (dns_name_endswith(domain, d->name) > 0)
-                        return DNS_SCOPE_YES;
-
-        /* If the DNS server has route-only domains, don't send other requests
-         * to it. This would be a privacy violation, will most probably fail
-         * anyway, and adds unnecessary load. */
-        dns_server = dns_scope_get_dns_server(s);
-        if (dns_server && dns_server_limited_domains(dns_server))
-                return DNS_SCOPE_NO;
-
         switch (s->protocol) {
 
-        case DNS_PROTOCOL_DNS:
+        case DNS_PROTOCOL_DNS: {
+                DnsServer *dns_server;
+
+                /* Never route things to scopes that lack DNS servers */
+                dns_server = dns_scope_get_dns_server(s);
+                if (!dns_server)
+                        return DNS_SCOPE_NO;
+
+                /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
+                 * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
+                 * won't be considered anymore. */
+                LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
+                        if (dns_name_endswith(domain, d->name) > 0)
+                                return DNS_SCOPE_YES;
+
+                /* If the DNS server has route-only domains, don't send other requests to it. This would be a privacy
+                 * violation, will most probably fail anyway, and adds unnecessary load. */
+                if (dns_server_limited_domains(dns_server))
+                        return DNS_SCOPE_NO;
 
                 /* Exclude link-local IP ranges */
                 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
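Review bot: Moving the search-domain loop into the `DNS_PROTOCOL_DNS` case narrows it without saying so: the removed loop ran before the `switch` for every protocol, while the added one only yields `DNS_SCOPE_YES` for classic DNS scopes, so an LLMNR or mDNS scope that happens to carry a matching search domain now falls through to its own case below instead. Whether such scopes can actually have search domains attached is not visible here, but neither the commit message nor the code records the narrowing, and a reader of the function would have to consult history to learn it; a comment at the top of the case, `/* Search/routing domains only steer classic DNS scopes; LLMNR and mDNS are matched by the per-protocol rules below. */`, would make the intent explicit. Separately, the clause "except if this scope lacks DNS servers" in the comment at line 57 now restates the early return a few lines above it and could be dropped. dns_scope_good_domain starts and ends outside this hunk.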
@@ -468,6 +470,7 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
                         return DNS_SCOPE_MAYBE;
 
                 return DNS_SCOPE_NO;
+        }
 
         case DNS_PROTOCOL_MDNS:
                 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||