From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 14 Aug 2015 11:21:28 +0000 (+0200)
Subject: resolved: never allow routing of "localhost" queries to DNS or LLMNR
X-Git-Tag: v225~63^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9b644bf921ca3b1f3967a794932c8e56636908db;p=thirdparty%2Fsystemd.git

resolved: never allow routing of "localhost" queries to DNS or LLMNR

We should never allow leaking of "localhost" queries onto the network,
even if there's an explicit domain rotue set for this.
---

diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index b8414da87e0..57d9071dfcf 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -325,10 +325,6 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
         if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family) & flags) == 0)
                 return DNS_SCOPE_NO;
 
-        STRV_FOREACH(i, s->domains)
-                if (dns_name_endswith(domain, *i) > 0)
-                        return DNS_SCOPE_YES;
-
         if (dns_name_root(domain) != 0)
                 return DNS_SCOPE_NO;
 
@@ -340,6 +336,10 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
             dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
                 return DNS_SCOPE_NO;
 
+        STRV_FOREACH(i, s->domains)
+                if (dns_name_endswith(domain, *i) > 0)
+                        return DNS_SCOPE_YES;
+
         if (s->protocol == DNS_PROTOCOL_DNS) {
                 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
                     dns_name_endswith(domain, "0.8.e.f.ip6.arpa") == 0 &&