resolved: don't follow CNAMEs originating from DNS on LLMNR
authorLennart Poettering <lennart@poettering.net>
Wed, 3 Feb 2016 23:14:25 +0000 (00:14 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 3 Feb 2016 23:14:25 +0000 (00:14 +0100)
Fixes: #2514
src/resolve/resolved-dns-query.c

index 06d30d78638e75c241af148a0720ed6db7c421e2..b8bdff9dfa1c5a9d223f801b580548945c1f7782 100644 (file)
@@ -967,6 +967,17 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
         if (r == 0 && k == 0) /* No actual cname happened? */
                 return -ELOOP;
 
+        if (q->answer_protocol == DNS_PROTOCOL_DNS) {
+                /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
+                 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
+                 * ones. */
+
+                q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
+        }
+
+        /* Turn off searching for the new name */
+        q->flags |= SD_RESOLVED_NO_SEARCH;
+
         dns_question_unref(q->question_idna);
         q->question_idna = nq_idna;
         nq_idna = NULL;
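Review bot: The policy comment on the added block should also say that the restriction is sticky: `q->flags` is only masked here and, as far as this hunk shows, never has SD_RESOLVED_LLMNR or SD_RESOLVED_MDNS restored, so once a unicast DNS answer has redirected the query, every later hop in a CNAME chain stays on unicast DNS as well — the intended property, but not obvious from the text. Suggested addition to the comment: `* Note that this is sticky: once masked, later CNAME hops of this query cannot reach LLMNR/mDNS either.` The check also presumes `q->answer_protocol` reflects the protocol that produced the CNAME being followed rather than the original lookup; if it can also be set from a cache hit, the comment should say which protocol a cached answer reports. dns_query_cname_redirect begins before the hunk, and the second hunk appears to only move the SD_RESOLVED_NO_SEARCH assignment shown here, with no behavior change visible.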
@@ -977,10 +988,8 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
 
         dns_query_free_candidates(q);
         dns_query_reset_answer(q);
-        q->state = DNS_TRANSACTION_NULL;
 
-        /* Turn off searching for the new name */
-        q->flags |= SD_RESOLVED_NO_SEARCH;
+        q->state = DNS_TRANSACTION_NULL;
 
         return 0;
 }