resolved: never attempt to resolve loopback addresses via DNS/LLMNR/mDNS

We already refuse to resolve "localhost", hence we should also refuse
resolving "127.0.0.1" and friends.

diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index 927a1ddc26d9fc8d16b48de908679ebf22719bdf..4bc415702882fdc80b345ec1b27056012636d72e 100644 (file)
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -313,6 +313,11 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
         if (is_localhost(domain))
                 return DNS_SCOPE_NO;
 
+        /* Never resolve any loopback IP address via DNS, LLMNR or mDNS */
+        if (dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
+            dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
+                return DNS_SCOPE_NO;
+
         if (s->protocol == DNS_PROTOCOL_DNS) {
                 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
                     dns_name_endswith(domain, "0.8.e.f.ip6.arpa") == 0 &&

diff --git a/src/test/test-dns-domain.c b/src/test/test-dns-domain.c
index 31e110cf0d6ee41b0c37b17c4ec6d5731afdaa43..0042722c99a0e961b4b637b7aad7f66af84df83a 100644 (file)
--- a/src/test/test-dns-domain.c
+++ b/src/test/test-dns-domain.c
@@ -247,6 +247,8 @@ static void test_dns_name_reverse_one(const char *address, const char *name) {
 static void test_dns_name_reverse(void) {
         test_dns_name_reverse_one("47.11.8.15", "15.8.11.47.in-addr.arpa");
         test_dns_name_reverse_one("fe80::47", "7.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa");
+        test_dns_name_reverse_one("127.0.0.1", "1.0.0.127.in-addr.arpa");
+        test_dns_name_reverse_one("::1", "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa");
 }
 
 int main(int argc, char *argv[]) {