summaryrefslogtreecommitdiffstats
path: root/src/resolve/resolved-dns-scope.c
diff options
context:
space:
mode:
authorLuca Boccassi <bluca@debian.org>2024-03-06 14:55:14 +0100
committerGitHub <noreply@github.com>2024-03-06 14:55:14 +0100
commitba6ec879bb73f36b02c73cd1a7d40fba779f3140 (patch)
tree9eb1d677aaefac245000bf628c78cc9218d3fbcf /src/resolve/resolved-dns-scope.c
parentstring-util: allow taking SIZE_MAX as size to shorten to (diff)
parentresolved: make resolved authoritative in resolveing our local host name (diff)
downloadsystemd-ba6ec879bb73f36b02c73cd1a7d40fba779f3140.tar.xz
systemd-ba6ec879bb73f36b02c73cd1a7d40fba779f3140.zip
Merge pull request #31621 from poettering/resolved-proxy-do
resolved: proxy upstream local requests to our stub with DO bit set
Diffstat (limited to 'src/resolve/resolved-dns-scope.c')
-rw-r--r--src/resolve/resolved-dns-scope.c80
1 files changed, 77 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index f13233c8da..80a1707407 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -12,6 +12,7 @@
#include "random-util.h"
#include "resolved-dnssd.h"
#include "resolved-dns-scope.h"
+#include "resolved-dns-synthesize.h"
#include "resolved-dns-zone.h"
#include "resolved-llmnr.h"
#include "resolved-mdns.h"
@@ -596,12 +597,13 @@ static DnsScopeMatch match_subnet_reverse_lookups(
DnsScopeMatch dns_scope_good_domain(
DnsScope *s,
- DnsQuery *q) {
+ DnsQuery *q,
+ uint64_t query_flags) {
DnsQuestion *question;
const char *domain;
uint64_t flags;
- int ifindex;
+ int ifindex, r;
/* This returns the following return values:
*
@@ -655,6 +657,15 @@ DnsScopeMatch dns_scope_good_domain(
is_dns_proxy_stub_hostname(domain))
return DNS_SCOPE_NO;
+ /* Don't look up the local host name via the network, unless user turned of local synthesis of it */
+ if (manager_is_own_hostname(s->manager, domain) && shall_synthesize_own_hostname_rrs())
+ return DNS_SCOPE_NO;
+
+ /* Never send SOA or NS or DNSSEC request to LLMNR, where they make little sense. */
+ r = dns_question_types_suitable_for_protocol(question, s->protocol);
+ if (r <= 0)
+ return DNS_SCOPE_NO;
+
switch (s->protocol) {
case DNS_PROTOCOL_DNS: {
@@ -710,7 +721,8 @@ DnsScopeMatch dns_scope_good_domain(
/* If ResolveUnicastSingleLabel=yes and the query is single-label, then bump match result
to prevent LLMNR monopoly among candidates. */
- if (s->manager->resolve_unicast_single_label && dns_name_is_single_label(domain))
+ if ((s->manager->resolve_unicast_single_label || (query_flags & SD_RESOLVED_RELAX_SINGLE_LABEL)) &&
+ dns_name_is_single_label(domain))
return DNS_SCOPE_YES_BASE + 1;
/* Let's return the number of labels in the best matching result */
@@ -1686,3 +1698,65 @@ int dns_scope_dump_cache_to_json(DnsScope *scope, JsonVariant **ret) {
JSON_BUILD_PAIR_CONDITION(scope->link, "ifname", JSON_BUILD_STRING(scope->link ? scope->link->ifname : NULL)),
JSON_BUILD_PAIR_VARIANT("cache", cache)));
}
+
+int dns_type_suitable_for_protocol(uint16_t type, DnsProtocol protocol) {
+
+ /* Tests whether it makes sense to route queries for the specified DNS RR types to the specified
+ * protocol. For classic DNS pretty much all RR types are suitable, but for LLMNR/mDNS let's
+ * allowlist only a few that make sense. We use this when routing queries so that we can more quickly
+ * return errors for queries that will almost certainly fail/time-out otherwise. For example, this
+ * ensures that SOA, NS, or DS/DNSKEY queries are never routed to mDNS/LLMNR where they simply make
+ * no sense. */
+
+ if (dns_type_is_obsolete(type))
+ return false;
+
+ if (!dns_type_is_valid_query(type))
+ return false;
+
+ switch (protocol) {
+
+ case DNS_PROTOCOL_DNS:
+ return true;
+
+ case DNS_PROTOCOL_LLMNR:
+ return IN_SET(type,
+ DNS_TYPE_ANY,
+ DNS_TYPE_A,
+ DNS_TYPE_AAAA,
+ DNS_TYPE_CNAME,
+ DNS_TYPE_PTR,
+ DNS_TYPE_TXT);
+
+ case DNS_PROTOCOL_MDNS:
+ return IN_SET(type,
+ DNS_TYPE_ANY,
+ DNS_TYPE_A,
+ DNS_TYPE_AAAA,
+ DNS_TYPE_CNAME,
+ DNS_TYPE_PTR,
+ DNS_TYPE_TXT,
+ DNS_TYPE_SRV,
+ DNS_TYPE_NSEC,
+ DNS_TYPE_HINFO);
+
+ default:
+ return -EPROTONOSUPPORT;
+ }
+}
+
+int dns_question_types_suitable_for_protocol(DnsQuestion *q, DnsProtocol protocol) {
+ DnsResourceKey *key;
+ int r;
+
+ /* Tests whether the types in the specified question make any sense to be routed to the specified
+ * protocol, i.e. if dns_type_suitable_for_protocol() is true for any of the contained RR types */
+
+ DNS_QUESTION_FOREACH(key, q) {
+ r = dns_type_suitable_for_protocol(key->type, protocol);
+ if (r != 0)
+ return r;
+ }
+
+ return false;
+}