diff options
author | Luca Boccassi <bluca@debian.org> | 2024-03-06 14:55:14 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-06 14:55:14 +0100 |
commit | ba6ec879bb73f36b02c73cd1a7d40fba779f3140 (patch) | |
tree | 9eb1d677aaefac245000bf628c78cc9218d3fbcf /src/resolve/resolved-dns-scope.c | |
parent | string-util: allow taking SIZE_MAX as size to shorten to (diff) | |
parent | resolved: make resolved authoritative in resolveing our local host name (diff) | |
download | systemd-ba6ec879bb73f36b02c73cd1a7d40fba779f3140.tar.xz systemd-ba6ec879bb73f36b02c73cd1a7d40fba779f3140.zip |
Merge pull request #31621 from poettering/resolved-proxy-do
resolved: proxy upstream local requests to our stub with DO bit set
Diffstat (limited to 'src/resolve/resolved-dns-scope.c')
-rw-r--r-- | src/resolve/resolved-dns-scope.c | 80 |
1 files changed, 77 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c index f13233c8da..80a1707407 100644 --- a/src/resolve/resolved-dns-scope.c +++ b/src/resolve/resolved-dns-scope.c @@ -12,6 +12,7 @@ #include "random-util.h" #include "resolved-dnssd.h" #include "resolved-dns-scope.h" +#include "resolved-dns-synthesize.h" #include "resolved-dns-zone.h" #include "resolved-llmnr.h" #include "resolved-mdns.h" @@ -596,12 +597,13 @@ static DnsScopeMatch match_subnet_reverse_lookups( DnsScopeMatch dns_scope_good_domain( DnsScope *s, - DnsQuery *q) { + DnsQuery *q, + uint64_t query_flags) { DnsQuestion *question; const char *domain; uint64_t flags; - int ifindex; + int ifindex, r; /* This returns the following return values: * @@ -655,6 +657,15 @@ DnsScopeMatch dns_scope_good_domain( is_dns_proxy_stub_hostname(domain)) return DNS_SCOPE_NO; + /* Don't look up the local host name via the network, unless user turned of local synthesis of it */ + if (manager_is_own_hostname(s->manager, domain) && shall_synthesize_own_hostname_rrs()) + return DNS_SCOPE_NO; + + /* Never send SOA or NS or DNSSEC request to LLMNR, where they make little sense. */ + r = dns_question_types_suitable_for_protocol(question, s->protocol); + if (r <= 0) + return DNS_SCOPE_NO; + switch (s->protocol) { case DNS_PROTOCOL_DNS: { @@ -710,7 +721,8 @@ DnsScopeMatch dns_scope_good_domain( /* If ResolveUnicastSingleLabel=yes and the query is single-label, then bump match result to prevent LLMNR monopoly among candidates. */ - if (s->manager->resolve_unicast_single_label && dns_name_is_single_label(domain)) + if ((s->manager->resolve_unicast_single_label || (query_flags & SD_RESOLVED_RELAX_SINGLE_LABEL)) && + dns_name_is_single_label(domain)) return DNS_SCOPE_YES_BASE + 1; /* Let's return the number of labels in the best matching result */ @@ -1686,3 +1698,65 @@ int dns_scope_dump_cache_to_json(DnsScope *scope, JsonVariant **ret) { JSON_BUILD_PAIR_CONDITION(scope->link, "ifname", JSON_BUILD_STRING(scope->link ? scope->link->ifname : NULL)), JSON_BUILD_PAIR_VARIANT("cache", cache))); } + +int dns_type_suitable_for_protocol(uint16_t type, DnsProtocol protocol) { + + /* Tests whether it makes sense to route queries for the specified DNS RR types to the specified + * protocol. For classic DNS pretty much all RR types are suitable, but for LLMNR/mDNS let's + * allowlist only a few that make sense. We use this when routing queries so that we can more quickly + * return errors for queries that will almost certainly fail/time-out otherwise. For example, this + * ensures that SOA, NS, or DS/DNSKEY queries are never routed to mDNS/LLMNR where they simply make + * no sense. */ + + if (dns_type_is_obsolete(type)) + return false; + + if (!dns_type_is_valid_query(type)) + return false; + + switch (protocol) { + + case DNS_PROTOCOL_DNS: + return true; + + case DNS_PROTOCOL_LLMNR: + return IN_SET(type, + DNS_TYPE_ANY, + DNS_TYPE_A, + DNS_TYPE_AAAA, + DNS_TYPE_CNAME, + DNS_TYPE_PTR, + DNS_TYPE_TXT); + + case DNS_PROTOCOL_MDNS: + return IN_SET(type, + DNS_TYPE_ANY, + DNS_TYPE_A, + DNS_TYPE_AAAA, + DNS_TYPE_CNAME, + DNS_TYPE_PTR, + DNS_TYPE_TXT, + DNS_TYPE_SRV, + DNS_TYPE_NSEC, + DNS_TYPE_HINFO); + + default: + return -EPROTONOSUPPORT; + } +} + +int dns_question_types_suitable_for_protocol(DnsQuestion *q, DnsProtocol protocol) { + DnsResourceKey *key; + int r; + + /* Tests whether the types in the specified question make any sense to be routed to the specified + * protocol, i.e. if dns_type_suitable_for_protocol() is true for any of the contained RR types */ + + DNS_QUESTION_FOREACH(key, q) { + r = dns_type_suitable_for_protocol(key->type, protocol); + if (r != 0) + return r; + } + + return false; +} |