resolved: never allow routing of "localhost" queries to DNS or LLMNR 955/head
authorLennart Poettering <lennart@poettering.net>
Fri, 14 Aug 2015 11:21:28 +0000 (13:21 +0200)
committerLennart Poettering <lennart@poettering.net>
Fri, 14 Aug 2015 11:21:28 +0000 (13:21 +0200)
We should never allow leaking of "localhost" queries onto the network,
even if there's an explicit domain route set for this.

src/resolve/resolved-dns-scope.c

index b8414da87e07f445c0c97e7dc11ce628ddd31497..57d9071dfcf49549f4806aa2abdc96fbe5ecedef 100644 (file)
@@ -325,10 +325,6 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
         if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family) & flags) == 0)
                 return DNS_SCOPE_NO;
 
-        STRV_FOREACH(i, s->domains)
-                if (dns_name_endswith(domain, *i) > 0)
-                        return DNS_SCOPE_YES;
-
         if (dns_name_root(domain) != 0)
                 return DNS_SCOPE_NO;
 
@@ -340,6 +336,10 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
             dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
                 return DNS_SCOPE_NO;
 
+        STRV_FOREACH(i, s->domains)
+                if (dns_name_endswith(domain, *i) > 0)
+                        return DNS_SCOPE_YES;
+
         if (s->protocol == DNS_PROTOCOL_DNS) {
                 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
                     dns_name_endswith(domain, "0.8.e.f.ip6.arpa") == 0 &&
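Review bot: The relocated `STRV_FOREACH(i, s->domains)` loop has no comment saying that its position is the security property, so a later reordering could silently bring back the leak the commit message describes. I would add above it something like `/* Must stay below the loopback checks: a configured routing domain must never send "localhost" or loopback reverse lookups onto the network */`. The move also puts the loop after the `dns_name_root(domain) != 0` test shown in the first hunk, so a root-name query now appears to be refused before routing domains are consulted; if that is intended, the comment should say so. Note too that `dns_name_endswith(domain, *i) > 0` treats a negative (error) return the same as "no match" and falls through to the protocol-specific rules. dns_scope_good_domain starts and ends outside the hunk, so the "localhost" test itself is not visible here.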