diff options
36 files changed, 916 insertions, 118 deletions
diff --git a/man/resolvectl.xml b/man/resolvectl.xml index 7f981ac327..69c3c0f7ea 100644 --- a/man/resolvectl.xml +++ b/man/resolvectl.xml @@ -257,6 +257,7 @@ <term><option>llmnr [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> <term><option>mdns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> <term><option>dnssec [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> + <term><option>privatedns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> <term><option>nta [<replaceable>LINK</replaceable> [<replaceable>DOMAIN</replaceable>…]]</option></term> <listitem><para>Get/set per-interface DNS configuration. These commands may be used to configure various DNS @@ -268,10 +269,10 @@ through external means. The <option>dns</option> command expects IPv4 or IPv6 address specifications of DNS servers to use. The <option>domain</option> command expects valid DNS domains, possibly prefixed with <literal>~</literal>, and configures a per-interface search or route-only domain. The <option>llmnr</option>, - <option>mdns</option> and <option>dnssec</option> commands may be used to configure the per-interface LLMNR, - MulticastDNS and DNSSEC settings. Finally, <option>nta</option> command may be used to configure additional - per-interface DNSSEC NTA domains. For details about these settings, their possible values and their effect, - see the corresponding options in + <option>mdns</option>, <option>dnssec</option> and <option>privatedns</option> commands may be used to configure + the per-interface LLMNR, MulticastDNS, DNSSEC and PrivateDNS settings. Finally, <option>nta</option> command + may be used to configure additional per-interface DNSSEC NTA domains. For details about these settings, their + possible values and their effect, see the corresponding options in <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> </listitem> </varlistentry> @@ -282,8 +283,8 @@ <listitem><para>Revert the per-interface DNS configuration. If the DNS configuration is reverted all per-interface DNS setting are reset to their defaults, undoing all effects of <option>dns</option>, <option>domain</option>, <option>llmnr</option>, <option>mdns</option>, <option>dnssec</option>, - <option>nta=</option>. Note that when a network interface disappears all configuration is lost automatically, - an explicit reverting is not necessary in that case.</para></listitem> + <option>privatedns</option>, <option>nta=</option>. Note that when a network interface disappears all + configuration is lost automatically, an explicit reverting is not necessary in that case.</para></listitem> </varlistentry> </variablelist> diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index e87aa59bae..67cc409440 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -207,6 +207,38 @@ </varlistentry> <varlistentry> + <term><varname>PrivateDNS=</varname></term> + <listitem> + <para>Takes false or + <literal>opportunistic</literal>. When set to <literal>opportunistic</literal> + DNS request are attempted to send encrypted with DNS-over-TLS. + If the DNS server does not support TLS, DNS-over-TLS is disabled. + Note that this mode makes DNS-over-TLS vulnerable to "downgrade" + attacks, where an attacker might be able to trigger a downgrade + to non-encrypted mode by synthesizing a response that suggests + DNS-over-TLS was not supported. If set to false, DNS lookups + are send over UDP.</para> + + <para>Note that DNS-over-TLS requires additional data to be + send for setting up an encrypted connection, and thus results + in a small DNS look-up time penalty.</para> + + <para>Note as the resolver is not capable of authenticating + the server, it is vulnerable for "man-in-the-middle" attacks.</para> + + <para>In addition to this global PrivateDNS setting + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + also maintains per-link PrivateDNS settings. For system DNS + servers (see above), only the global PrivateDNS setting is in + effect. For per-link DNS servers the per-link + setting is in effect, unless it is unset in which case the + global setting is used instead.</para> + + <para>Defaults to off.</para> + </listitem> + </varlistentry> + + <varlistentry> <term><varname>Cache=</varname></term> <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got queried earlier will return the previous result as long as it is still valid, and thus does not result in a new diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d7bcf5a067..b43874b59c 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -385,6 +385,21 @@ </listitem> </varlistentry> <varlistentry> + <term><varname>PrivateDNS=</varname></term> + <listitem> + <para>Takes false or + <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>, enables + <ulink + url="https://tools.ietf.org/html/rfc7858">DNS-over-TLS</ulink> + support on the link. This option defines a + per-interface setting for + <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s + global <varname>PrivateDNS=</varname> option. Defaults to + false. This setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + </listitem> + </varlistentry> + <varlistentry> <term><varname>DNSSEC=</varname></term> <listitem> <para>A boolean or diff --git a/meson.build b/meson.build index 3644e8d5cb..c62d2afccd 100644 --- a/meson.build +++ b/meson.build @@ -1137,6 +1137,18 @@ conf.set('DEFAULT_DNSSEC_MODE', 'DNSSEC_' + default_dnssec.underscorify().to_upper()) substs.set('DEFAULT_DNSSEC_MODE', default_dnssec) +default_private_dns = get_option('default-private-dns') +if fuzzer_build + default_private_dns = 'no' +endif +if default_private_dns != 'no' and conf.get('HAVE_GNUTLS') == 0 + message('default-private-dns cannot be set to strict or opportunistic when gnutls is disabled. Setting default-private-dns to no.') + default_private_dns = 'no' +endif +conf.set('DEFAULT_PRIVATE_DNS_MODE', + 'PRIVATE_DNS_' + default_private_dns.underscorify().to_upper()) +substs.set('DEFAULT_PRIVATE_DNS_MODE', default_private_dns) + want_importd = get_option('importd') if want_importd != 'false' have = (conf.get('HAVE_LIBCURL') == 1 and @@ -1585,6 +1597,7 @@ if conf.get('ENABLE_RESOLVE') == 1 libbasic_gcrypt, libsystemd_resolve_core], dependencies : [threads, + libgnutls, libgpg_error, libm, libidn], @@ -2857,6 +2870,7 @@ status = [ 'symbolic gateway hostnames: @0@'.format(', '.join(gateway_hostnames)), 'default DNSSEC mode: @0@'.format(default_dnssec), + 'default private DNS mode: @0@'.format(default_private_dns), 'default cgroup hierarchy: @0@'.format(default_hierarchy), 'default KillUserProcesses setting: @0@'.format(kill_user_processes)] diff --git a/meson_options.txt b/meson_options.txt index 557d7843bc..c1d0cf6d7b 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -193,6 +193,10 @@ option('default-dnssec', type : 'combo', description : 'default DNSSEC mode', choices : ['yes', 'allow-downgrade', 'no'], value : 'allow-downgrade') +option('default-private-dns', type : 'combo', + description : 'default private DNS mode', + choices : ['opportunistic', 'no'], + value : 'no') option('dns-servers', type : 'string', description : 'space-separated list of default DNS servers', value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844') diff --git a/src/basic/ordered-set.h b/src/basic/ordered-set.h index 3920ffdbf1..1943d06b4f 100644 --- a/src/basic/ordered-set.h +++ b/src/basic/ordered-set.h @@ -48,6 +48,14 @@ static inline bool ordered_set_iterate(OrderedSet *s, Iterator *i, void **value) return ordered_hashmap_iterate((OrderedHashmap*) s, i, value, NULL); } +static inline void* ordered_set_remove(OrderedSet *s, void *p) { + return ordered_hashmap_remove((OrderedHashmap*) s, p); +} + +static inline void* ordered_set_steal_first(OrderedSet *s) { + return ordered_hashmap_steal_first((OrderedHashmap*) s); +} + int ordered_set_consume(OrderedSet *s, void *p); int ordered_set_put_strdup(OrderedSet *s, const char *p); int ordered_set_put_strdupv(OrderedSet *s, char **l); diff --git a/src/libsystemd/sd-network/sd-network.c b/src/libsystemd/sd-network/sd-network.c index 4f3f6f9e1d..412a8ae82e 100644 --- a/src/libsystemd/sd-network/sd-network.c +++ b/src/libsystemd/sd-network/sd-network.c @@ -178,6 +178,10 @@ _public_ int sd_network_link_get_mdns(int ifindex, char **mdns) { return network_link_get_string(ifindex, "MDNS", mdns); } +_public_ int sd_network_link_get_private_dns(int ifindex, char **private_dns) { + return network_link_get_string(ifindex, "PRIVATE_DNS", private_dns); +} + _public_ int sd_network_link_get_dnssec(int ifindex, char **dnssec) { return network_link_get_string(ifindex, "DNSSEC", dnssec); } diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c index c0496407ab..805a4a7957 100644 --- a/src/network/networkd-link.c +++ b/src/network/networkd-link.c @@ -3762,6 +3762,10 @@ int link_save(Link *link) { fprintf(f, "MDNS=%s\n", resolve_support_to_string(link->network->mdns)); + if (link->network->private_dns_mode != _PRIVATE_DNS_MODE_INVALID) + fprintf(f, "PRIVATE_DNS=%s\n", + private_dns_mode_to_string(link->network->private_dns_mode)); + if (link->network->dnssec_mode != _DNSSEC_MODE_INVALID) fprintf(f, "DNSSEC=%s\n", dnssec_mode_to_string(link->network->dnssec_mode)); diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index e6ca6631ed..38d168a596 100644 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -60,6 +60,7 @@ Network.Domains, config_parse_domains, Network.DNS, config_parse_dns, 0, 0 Network.LLMNR, config_parse_resolve_support, 0, offsetof(Network, llmnr) Network.MulticastDNS, config_parse_resolve_support, 0, offsetof(Network, mdns) +Network.PrivateDNS, config_parse_private_dns_mode, 0, offsetof(Network, private_dns_mode) Network.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Network, dnssec_mode) Network.DNSSECNegativeTrustAnchors, config_parse_dnssec_negative_trust_anchors, 0, 0 Network.NTP, config_parse_ntp, 0, offsetof(Network, ntp) diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c index b2a75c7e98..fc7d9a3474 100644 --- a/src/network/networkd-network.c +++ b/src/network/networkd-network.c @@ -236,6 +236,7 @@ static int network_load_one(Manager *manager, const char *filename) { network->llmnr = RESOLVE_SUPPORT_YES; network->mdns = RESOLVE_SUPPORT_NO; network->dnssec_mode = _DNSSEC_MODE_INVALID; + network->private_dns_mode = _PRIVATE_DNS_MODE_INVALID; network->link_local = ADDRESS_FAMILY_IPV6; diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h index 5b6b40d5da..3136835f8c 100644 --- a/src/network/networkd-network.h +++ b/src/network/networkd-network.h @@ -261,6 +261,7 @@ struct Network { ResolveSupport llmnr; ResolveSupport mdns; DnssecMode dnssec_mode; + PrivateDnsMode private_dns_mode; Set *dnssec_negative_trust_anchors; LIST_FIELDS(Network, networks); diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c index 26b3a811ad..750001d407 100644 --- a/src/resolve/resolvectl.c +++ b/src/resolve/resolvectl.c @@ -56,6 +56,7 @@ char **arg_set_dns = NULL; char **arg_set_domain = NULL; static const char *arg_set_llmnr = NULL; static const char *arg_set_mdns = NULL; +static const char *arg_set_private_dns = NULL; static const char *arg_set_dnssec = NULL; static char **arg_set_nta = NULL; @@ -65,6 +66,7 @@ typedef enum StatusMode { STATUS_DOMAIN, STATUS_LLMNR, STATUS_MDNS, + STATUS_PRIVATE, STATUS_DNSSEC, STATUS_NTA, } StatusMode; @@ -1337,6 +1339,7 @@ static int status_ifindex(sd_bus *bus, int ifindex, const char *name, StatusMode uint64_t scopes_mask; const char *llmnr; const char *mdns; + const char *private_dns; const char *dnssec; char *current_dns; char **dns; @@ -1352,6 +1355,7 @@ static int status_ifindex(sd_bus *bus, int ifindex, const char *name, StatusMode { "Domains", "a(sb)", map_link_domains, offsetof(struct link_info, domains) }, { "LLMNR", "s", NULL, offsetof(struct link_info, llmnr) }, { "MulticastDNS", "s", NULL, offsetof(struct link_info, mdns) }, + { "PrivateDNS", "s", NULL, offsetof(struct link_info, private_dns) }, { "DNSSEC", "s", NULL, offsetof(struct link_info, dnssec) }, { "DNSSECNegativeTrustAnchors", "as", NULL, offsetof(struct link_info, ntas) }, { "DNSSECSupported", "b", NULL, offsetof(struct link_info, dnssec_supported) }, @@ -1430,6 +1434,15 @@ static int status_ifindex(sd_bus *bus, int ifindex, const char *name, StatusMode goto finish; } + if (mode == STATUS_PRIVATE) { + printf("%sLink %i (%s)%s: %s\n", + ansi_highlight(), ifindex, name, ansi_normal(), + strna(link_info.private_dns)); + + r = 0; + goto finish; + } + if (mode == STATUS_DNSSEC) { printf("%sLink %i (%s)%s: %s\n", ansi_highlight(), ifindex, name, ansi_normal(), @@ -1457,10 +1470,12 @@ static int status_ifindex(sd_bus *bus, int ifindex, const char *name, StatusMode printf(" LLMNR setting: %s\n" "MulticastDNS setting: %s\n" + " PrivateDNS setting: %s\n" " DNSSEC setting: %s\n" " DNSSEC supported: %s\n", strna(link_info.llmnr), strna(link_info.mdns), + strna(link_info.private_dns), strna(link_info.dnssec), yes_no(link_info.dnssec_supported)); @@ -1602,6 +1617,7 @@ static int status_global(sd_bus *bus, StatusMode mode, bool *empty_line) { char **ntas; const char *llmnr; const char *mdns; + const char *private_dns; const char *dnssec; bool dnssec_supported; } global_info = {}; @@ -1614,6 +1630,7 @@ static int status_global(sd_bus *bus, StatusMode mode, bool *empty_line) { { "DNSSECNegativeTrustAnchors", "as", NULL, offsetof(struct global_info, ntas) }, { "LLMNR", "s", NULL, offsetof(struct global_info, llmnr) }, { "MulticastDNS", "s", NULL, offsetof(struct global_info, mdns) }, + { "PrivateDNS", "s", NULL, offsetof(struct global_info, private_dns) }, { "DNSSEC", "s", NULL, offsetof(struct global_info, dnssec) }, { "DNSSECSupported", "b", NULL, offsetof(struct global_info, dnssec_supported) }, {} @@ -1673,6 +1690,14 @@ static int status_global(sd_bus *bus, StatusMode mode, bool *empty_line) { goto finish; } + if (mode == STATUS_PRIVATE) { + printf("%sGlobal%s: %s\n", ansi_highlight(), ansi_normal(), + strna(global_info.private_dns)); + + r = 0; + goto finish; + } + if (mode == STATUS_DNSSEC) { printf("%sGlobal%s: %s\n", ansi_highlight(), ansi_normal(), strna(global_info.dnssec)); @@ -1685,10 +1710,12 @@ static int status_global(sd_bus *bus, StatusMode mode, bool *empty_line) { printf(" LLMNR setting: %s\n" "MulticastDNS setting: %s\n" + " PrivateDNS setting: %s\n" " DNSSEC setting: %s\n" " DNSSEC supported: %s\n", strna(global_info.llmnr), strna(global_info.mdns), + strna(global_info.private_dns), strna(global_info.dnssec), yes_no(global_info.dnssec_supported)); @@ -2081,6 +2108,50 @@ static int verb_mdns(int argc, char **argv, void *userdata) { return 0; } +static int verb_private_dns(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + sd_bus *bus = userdata; + int ifindex, r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_PRIVATE); + + ifindex = parse_ifindex_with_warn(argv[1]); + if (ifindex < 0) + return ifindex; + + if (ifindex == LOOPBACK_IFINDEX) { + log_error("Interface can't be the loopback interface (lo). Sorry."); + return -EINVAL; + } + + if (argc == 2) + return status_ifindex(bus, ifindex, NULL, STATUS_PRIVATE, NULL); + + r = sd_bus_call_method(bus, + "org.freedesktop.resolve1", + "/org/freedesktop/resolve1", + "org.freedesktop.resolve1.Manager", + "SetLinkPrivateDNS", + &error, + NULL, + "is", ifindex, argv[2]); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) + return log_interface_is_managed(r, ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) + return 0; + + return log_error_errno(r, "Failed to set PrivateDNS configuration: %s", bus_error_message(&error, r)); + } + + return 0; +} + static int verb_dnssec(int argc, char **argv, void *userdata) { _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; sd_bus *bus = userdata; @@ -2283,6 +2354,7 @@ static void compat_help(void) { " --set-domain=DOMAIN Set per-interface search domain\n" " --set-llmnr=MODE Set per-interface LLMNR mode\n" " --set-mdns=MODE Set per-interface MulticastDNS mode\n" + " --set-privatedns=MODE Set per-interface PrivateDNS mode\n" " --set-dnssec=MODE Set per-interface DNSSEC mode\n" " --set-nta=DOMAIN Set per-interface DNSSEC NTA\n" " --revert Revert per-interface configuration\n" @@ -2326,6 +2398,7 @@ static void native_help(void) { " domain [LINK [DOMAIN...]] Get/set per-interface search domain\n" " llmnr [LINK [MODE]] Get/set per-interface LLMNR mode\n" " mdns [LINK [MODE]] Get/set per-interface MulticastDNS mode\n" + " privatedns [LINK [MODE]] Get/set per-interface PrivateDNS mode\n" " dnssec [LINK [MODE]] Get/set per-interface DNSSEC mode\n" " nta [LINK [DOMAIN...]] Get/set per-interface DNSSEC NTA\n" " revert LINK Revert per-interface configuration\n" @@ -2359,6 +2432,7 @@ static int compat_parse_argv(int argc, char *argv[]) { ARG_SET_DOMAIN, ARG_SET_LLMNR, ARG_SET_MDNS, + ARG_SET_PRIVATE, ARG_SET_DNSSEC, ARG_SET_NTA, ARG_REVERT_LINK, @@ -2390,6 +2464,7 @@ static int compat_parse_argv(int argc, char *argv[]) { { "set-domain", required_argument, NULL, ARG_SET_DOMAIN }, { "set-llmnr", required_argument, NULL, ARG_SET_LLMNR }, { "set-mdns", required_argument, NULL, ARG_SET_MDNS }, + { "set-privatedns", required_argument, NULL, ARG_SET_PRIVATE }, { "set-dnssec", required_argument, NULL, ARG_SET_DNSSEC }, { "set-nta", required_argument, NULL, ARG_SET_NTA }, { "revert", no_argument, NULL, ARG_REVERT_LINK }, @@ -2608,6 +2683,11 @@ static int compat_parse_argv(int argc, char *argv[]) { arg_mode = MODE_SET_LINK; break; + case ARG_SET_PRIVATE: + arg_set_private_dns = optarg; + arg_mode = MODE_SET_LINK; + break; + case ARG_SET_DNSSEC: arg_set_dnssec = optarg; arg_mode = MODE_SET_LINK; @@ -2651,7 +2731,7 @@ static int compat_parse_argv(int argc, char *argv[]) { if (IN_SET(arg_mode, MODE_SET_LINK, MODE_REVERT_LINK)) { if (arg_ifindex <= 0) { - log_error("--set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=, --set-nta= and --revert require --interface=."); + log_error("--set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-privatedns=, --set-dnssec=, --set-nta= and --revert require --interface=."); return -EINVAL; } @@ -2877,6 +2957,7 @@ static int native_main(int argc, char *argv[], sd_bus *bus) { { "domain", VERB_ANY, VERB_ANY, 0, verb_domain }, { "llmnr", VERB_ANY, 3, 0, verb_llmnr }, { "mdns", VERB_ANY, 3, 0, verb_mdns }, + { "privatedns", VERB_ANY, 3, 0, verb_private_dns }, { "dnssec", VERB_ANY, 3, 0, verb_dnssec }, { "nta", VERB_ANY, VERB_ANY, 0, verb_nta }, { "revert", 2, 2, 0, verb_revert_link }, @@ -2969,6 +3050,12 @@ static int compat_main(int argc, char *argv[], sd_bus *bus) { return r; } + if (arg_set_private_dns) { + r = translate("privatedns", arg_ifname, 1, (char **) &arg_set_private_dns, bus); + if (r < 0) + return r; + } + if (arg_set_dnssec) { r = translate("dnssec", arg_ifname, 1, (char **) &arg_set_dnssec, bus); if (r < 0) diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c index e9fd148469..2825d2df18 100644 --- a/src/resolve/resolved-conf.c +++ b/src/resolve/resolved-conf.c @@ -396,6 +396,13 @@ int manager_parse_config_file(Manager *m) { m->dnssec_mode = DNSSEC_NO; } #endif + +#if ! HAVE_GNUTLS + if (m->private_dns_mode != PRIVATE_DNS_NO) { + log_warning("Private DNS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off private DNS support."); + m->private_dns_mode = PRIVATE_DNS_NO; + } +#endif return 0; } diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c index f5aeb3459c..48c799786c 100644 --- a/src/resolve/resolved-dns-packet.c +++ b/src/resolve/resolved-dns-packet.c @@ -2333,6 +2333,31 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) { return dns_resource_key_equal(p->question->keys[0], key); } +static void dns_packet_hash_func(const void *p, struct siphash *state) { + const DnsPacket *s = p; + + assert(s); + + siphash24_compress(&s->size, sizeof(s->size), state); + siphash24_compress(DNS_PACKET_DATA((DnsPacket*) s), s->size, state); +} + +static int dns_packet_compare_func(const void *a, const void *b) { + const DnsPacket *x = a, *y = b; + + if (x->size < y->size) + return -1; + if (x->size > y->size) + return 1; + + return memcmp(DNS_PACKET_DATA((DnsPacket*) x), DNS_PACKET_DATA((DnsPacket*) y), x->size); +} + +const struct hash_ops dns_packet_hash_ops = { + .hash = dns_packet_hash_func, + .compare = dns_packet_compare_func +}; + static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = { [DNS_RCODE_SUCCESS] = "SUCCESS", [DNS_RCODE_FORMERR] = "FORMERR", diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h index df4b972648..3a3a3e2fd5 100644 --- a/src/resolve/resolved-dns-packet.h +++ b/src/resolve/resolved-dns-packet.h @@ -270,6 +270,8 @@ DnsProtocol dns_protocol_from_string(const char *s) _pure_; #define MDNS_MULTICAST_IPV4_ADDRESS ((struct in_addr) { .s_addr = htobe32(224U << 24 | 251U) }) #define MDNS_MULTICAST_IPV6_ADDRESS ((struct in6_addr) { .s6_addr = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfb } }) +extern const struct hash_ops dns_packet_hash_ops; + static inline uint64_t SD_RESOLVED_FLAGS_MAKE(DnsProtocol protocol, int family, bool authenticated) { uint64_t f; diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c index 763789c450..78e03d8121 100644 --- a/src/resolve/resolved-dns-scope.c +++ b/src/resolve/resolved-dns-scope.c @@ -52,12 +52,18 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int * not update it from the on, even if the setting * changes. */ - if (l) + if (l) { s->dnssec_mode = link_get_dnssec_mode(l); - else + s->private_dns_mode = link_get_private_dns_mode(l); + } else { s->dnssec_mode = manager_get_dnssec_mode(m); - } else + s->private_dns_mode = manager_get_private_dns_mode(m); + } + + } else { s->dnssec_mode = DNSSEC_NO; + s->private_dns_mode = PRIVATE_DNS_NO; + } LIST_PREPEND(scopes, m->dns_scopes, s); @@ -306,10 +312,11 @@ static int dns_scope_socket( int family, const union in_addr_union *address, DnsServer *server, - uint16_t port) { + uint16_t port, + union sockaddr_union *ret_socket_address) { _cleanup_close_ int fd = -1; - union sockaddr_union sa = {}; + union sockaddr_union sa; socklen_t salen; static const int one = 1; int r, ifindex; @@ -392,19 +399,27 @@ static int dns_scope_socket( } } - r = connect(fd, &sa.sa, salen); - if (r < 0 && errno != EINPROGRESS) - return -errno; + if (ret_socket_address) + *ret_socket_address = sa; + else { + r = connect(fd, &sa.sa, salen); + if (r < 0 && errno != EINPROGRESS) + return -errno; + } return TAKE_FD(fd); } int dns_scope_socket_udp(DnsScope *s, DnsServer *server, uint16_t port) { - return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, server, port); + return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, server, port, NULL); } -int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port) { - return dns_scope_socket(s, SOCK_STREAM, family, address, server, port); +int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port, union sockaddr_union *ret_socket_address) { + /* If ret_socket_address is not NULL, the caller is responisble + * for calling connect() or sendmsg(). This is required by TCP + * Fast Open, to be able to send the initial SYN packet along + * with the first data packet. */ + return dns_scope_socket(s, SOCK_STREAM, family, address, server, port, ret_socket_address); } DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) { diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h index 15c58251d0..45e6d31c67 100644 --- a/src/resolve/resolved-dns-scope.h +++ b/src/resolve/resolved-dns-scope.h @@ -35,6 +35,7 @@ struct DnsScope { DnsProtocol protocol; int family; DnssecMode dnssec_mode; + PrivateDnsMode private_dns_mode; Link *link; @@ -75,7 +76,7 @@ void dns_scope_packet_received(DnsScope *s, usec_t rtt); void dns_scope_packet_lost(DnsScope *s, usec_t usec); int dns_scope_emit_udp(DnsScope *s, int fd, DnsPacket *p); -int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port); +int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port, union sockaddr_union *ret_socket_address); int dns_scope_socket_udp(DnsScope *s, DnsServer *server, uint16_t port); DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain); diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index 35860e99db..164f4602bc 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -89,6 +89,11 @@ int dns_server_new( s->linked = true; +#if HAVE_GNUTLS + /* Do not verify cerificate */ + gnutls_certificate_allocate_credentials(&s->tls_cert_cred); +#endif + /* A new DNS server that isn't fallback is added and the one * we used so far was a fallback one? Then let's try to pick * the new one */ @@ -123,6 +128,16 @@ DnsServer* dns_server_unref(DnsServer *s) { if (s->n_ref > 0) return NULL; + dns_stream_unref(s->stream); + +#if HAVE_GNUTLS + if (s->tls_cert_cred) + gnutls_certificate_free_credentials(s->tls_cert_cred); + + if (s->tls_session_data.data) + gnutls_free(s->tls_session_data.data); +#endif + free(s->server_string); return mfree(s); } @@ -234,6 +249,7 @@ static void dns_server_reset_counters(DnsServer *s) { s->n_failed_udp = 0; s->n_failed_tcp = 0; + s->n_failed_tls = 0; s->packet_truncated = false; s->verified_usec = 0; @@ -255,28 +271,31 @@ void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLeve if (protocol == IPPROTO_UDP) { if (s->possible_feature_level == level) s->n_failed_udp = 0; - - /* If the RRSIG data is missing, then we can only validate EDNS0 at max */ - if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO) - level = DNS_SERVER_FEATURE_LEVEL_DO - 1; - - /* If the OPT RR got lost, then we can only validate UDP at max */ - if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) - level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1; - - /* Even if we successfully receive a reply to a request announcing support for large packets, - that does not mean we can necessarily receive large packets. */ - if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) - level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1; - } else if (protocol == IPPROTO_TCP) { + if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level)) { + if (s->possible_feature_level == level) + s->n_failed_tls = 0; + } else { + if (s->possible_feature_level == level) + s->n_failed_tcp = 0; + + /* Successful TCP connections are only useful to verify the TCP feature level. */ + level = DNS_SERVER_FEATURE_LEVEL_TCP; + } + } - if (s->possible_feature_level == level) - s->n_failed_tcp = 0; + /* If the RRSIG data is missing, then we can only validate EDNS0 at max */ + if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO) + level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0; - /* Successful TCP connections are only useful to verify the TCP feature level. */ - level = DNS_SERVER_FEATURE_LEVEL_TCP; - } + /* If the OPT RR got lost, then we can only validate UDP at max */ + if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) + level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1; + + /* Even if we successfully receive a reply to a request announcing support for large packets, + that does not mean we can necessarily receive large packets. */ + if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) + level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1; dns_server_verified(s, level); @@ -302,8 +321,12 @@ void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel le if (s->possible_feature_level == level) { if (protocol == IPPROTO_UDP) s->n_failed_udp++; - else if (protocol == IPPROTO_TCP) - s->n_failed_tcp++; + else if (protocol == IPPROTO_TCP) { + if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level)) + s->n_failed_tls++; + else + s->n_failed_tcp++; + } } if (s->resend_timeout > usec) @@ -331,7 +354,7 @@ void dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level) /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */ if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO) - s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_DO-1; + s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0; s->packet_rrsig_missing = true; } @@ -393,9 +416,14 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything * better than EDNS0, hence don't even try. */ - best = dns_server_get_dnssec_mode(s) == DNSSEC_NO ? - DNS_SERVER_FEATURE_LEVEL_EDNS0 : - DNS_SERVER_FEATURE_LEVEL_BEST; + if (dns_server_get_dnssec_mode(s) != DNSSEC_NO) + best = dns_server_get_private_dns_mode(s) == PRIVATE_DNS_NO ? + DNS_SERVER_FEATURE_LEVEL_LARGE : + DNS_SERVER_FEATURE_LEVEL_TLS_DO; + else + best = dns_server_get_private_dns_mode(s) == PRIVATE_DNS_NO ? + DNS_SERVER_FEATURE_LEVEL_EDNS0 : + DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; /* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last * time, hence let's downgrade if we are still at a higher level. */ @@ -429,7 +457,14 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { * work. Upgrade back to UDP again. */ log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again..."); s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP; + } else if (s->n_failed_tls > 0 && + DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level)) { + /* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP + * if we don't require DNS-over-TLS */ + + log_debug("Server doesn't support seem to support DNS-over-TLS, downgrading protocol..."); + s->possible_feature_level--; } else if (s->packet_bad_opt && s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) { @@ -450,7 +485,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { * not. */ log_debug("Detected server responses lack RRSIG records, downgrading feature level..."); - s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0; + s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0; } else if (s->n_failed_udp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS && s->possible_feature_level >= (dns_server_get_dnssec_mode(s) == DNSSEC_YES ? DNS_SERVER_FEATURE_LEVEL_LARGE : DNS_SERVER_FEATURE_LEVEL_UDP)) { @@ -793,6 +828,15 @@ DnssecMode dns_server_get_dnssec_mode(DnsServer *s) { return manager_get_dnssec_mode(s->manager); } +PrivateDnsMode dns_server_get_private_dns_mode(DnsServer *s) { + assert(s); + + if (s->link) + return link_get_private_dns_mode(s->link); + + return manager_get_private_dns_mode(s->manager); +} + void dns_server_flush_cache(DnsServer *s) { DnsServer *current; DnsScope *scope; @@ -902,7 +946,9 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE [DNS_SERVER_FEATURE_LEVEL_TCP] = "TCP", [DNS_SERVER_FEATURE_LEVEL_UDP] = "UDP", [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0", [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO", [DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE", + [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0", }; DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel); diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h index 36006904bf..a546eb3209 100644 --- a/src/resolve/resolved-dns-server.h +++ b/src/resolve/resolved-dns-server.h @@ -9,6 +9,10 @@ #include "in-addr-util.h" +#if HAVE_GNUTLS +#include <gnutls/gnutls.h> +#endif + typedef struct DnsServer DnsServer; typedef enum DnsServerType { @@ -25,14 +29,17 @@ typedef enum DnsServerFeatureLevel { DNS_SERVER_FEATURE_LEVEL_TCP, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, + DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_DO, DNS_SERVER_FEATURE_LEVEL_LARGE, + DNS_SERVER_FEATURE_LEVEL_TLS_DO, _DNS_SERVER_FEATURE_LEVEL_MAX, _DNS_SERVER_FEATURE_LEVEL_INVALID = -1 } DnsServerFeatureLevel; #define DNS_SERVER_FEATURE_LEVEL_WORST 0 #define DNS_SERVER_FEATURE_LEVEL_BEST (_DNS_SERVER_FEATURE_LEVEL_MAX - 1) +#define DNS_SERVER_FEATURE_LEVEL_IS_TLS(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_TLS_DO) const char* dns_server_feature_level_to_string(int i) _const_; int dns_server_feature_level_from_string(const char *s) _pure_; @@ -53,6 +60,12 @@ struct DnsServer { int ifindex; /* for IPv6 link-local DNS servers */ char *server_string; + DnsStream *stream; + +#if HAVE_GNUTLS + gnutls_certificate_credentials_t tls_cert_cred; + gnutls_datum_t tls_session_data; +#endif usec_t resend_timeout; usec_t max_rtt; @@ -64,6 +77,7 @@ struct DnsServer { unsigned n_failed_udp; unsigned n_failed_tcp; + unsigned n_failed_tls; bool packet_truncated:1; bool packet_bad_opt:1; @@ -133,6 +147,7 @@ void manager_next_dns_server(Manager *m); bool dns_server_address_valid(int family, const union in_addr_union *sa); DnssecMode dns_server_get_dnssec_mode(DnsServer *s); +PrivateDnsMode dns_server_get_private_dns_mode(DnsServer *s); DEFINE_TRIVIAL_CLEANUP_FUNC(DnsServer*, dns_server_unref); diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index 85745e74ac..bd37077d50 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -16,6 +16,8 @@ #define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC) #define DNS_STREAMS_MAX 128 +#define WRITE_TLS_DATA 1 + static void dns_stream_stop(DnsStream *s) { assert(s); @@ -31,6 +33,13 @@ static int dns_stream_update_io(DnsStream *s) { if (s->write_packet && s->n_written < sizeof(s->write_size) + s->write_packet->size) f |= EPOLLOUT; + else if (!ordered_set_isempty(s->write_queue)) { + dns_packet_unref(s->write_packet); + s->write_packet = ordered_set_steal_first(s->write_queue); + s->write_size = htobe16(s->write_packet->size); + s->n_written = 0; + f |= EPOLLOUT; + } if (!s->read_packet || s->n_read < sizeof(s->read_size) + s->read_packet->size) f |= EPOLLIN; @@ -40,7 +49,19 @@ static int dns_stream_update_io(DnsStream *s) { static int dns_stream_complete(DnsStream *s, int error) { assert(s); - dns_stream_stop(s); +#if HAVE_GNUTLS + if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) { + int r; + + r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR); + if (r == GNUTLS_E_AGAIN && !s->tls_bye) { + dns_stream_ref(s); /* keep reference for closing TLS session */ + s->tls_bye = true; + } else + dns_stream_stop(s); + } else +#endif + dns_stream_stop(s); if (s->complete) s->complete(s, error); @@ -175,6 +196,114 @@ static int dns_stream_identify(DnsStream *s) { return 0; } +static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) { + ssize_t r; + + assert(s); + assert(iov); + +#if HAVE_GNUTLS + if (s->tls_session && !(flags & WRITE_TLS_DATA)) { + ssize_t ss; + size_t i; + + r = 0; + for (i = 0; i < iovcnt; i++) { + ss = gnutls_record_send(s->tls_session, iov[i].iov_base, iov[i].iov_len); + if (ss < 0) { + switch(ss) { + + case GNUTLS_E_INTERRUPTED: + return -EINTR; + case GNUTLS_E_AGAIN: + return -EAGAIN; + default: + log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss)); + return -EIO; + } + } + + r += ss; + if (ss != (ssize_t) iov[i].iov_len) + continue; + } + } else +#endif + if (s->tfo_salen > 0) { + struct msghdr hdr = { + .msg_iov = (struct iovec*) iov, + .msg_iovlen = iovcnt, + .msg_name = &s->tfo_address.sa, + .msg_namelen = s->tfo_salen + }; + + r = sendmsg(s->fd, &hdr, MSG_FASTOPEN); + if (r < 0) { + if (errno == EOPNOTSUPP) { + s->tfo_salen = 0; + r = connect(s->fd, &s->tfo_address.sa, s->tfo_salen); + if (r < 0) + return -errno; + + r = -EAGAIN; + } else if (errno == EINPROGRESS) + r = -EAGAIN; + } else + s->tfo_salen = 0; /* connection is made */ + } else + r = writev(s->fd, iov, iovcnt); + + return r; +} + +static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) { + ssize_t ss; + +#if HAVE_GNUTLS + if (s->tls_session) { + ss = gnutls_record_recv(s->tls_session, buf, count); + if (ss < 0) { + switch(ss) { + + case GNUTLS_E_INTERRUPTED: + return -EINTR; + case GNUTLS_E_AGAIN: + return -EAGAIN; + default: + log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss)); + return -EIO; + } + } else if (s->on_connection) { + int r; + + r = s->on_connection(s); + s->on_connection = NULL; /* only call once */ + if (r < 0) + return r; + } + } else +#endif + ss = read(s->fd, buf, count); + + return ss; +} + +#if HAVE_GNUTLS +static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) { + int r; + + assert(p); + + r = dns_stream_writev((DnsStream*) p, (struct iovec*) iov, iovcnt, WRITE_TLS_DATA); + if (r < 0) { + errno = -r; + return -1; + } + + return r; +} +#endif + static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) { DnsStream *s = userdata; @@ -189,9 +318,46 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use assert(s); - r = dns_stream_identify(s); - if (r < 0) - return dns_stream_complete(s, -r); +#if HAVE_GNUTLS + if (s->tls_bye) { + assert(s->tls_session); + + r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR); + if (r != GNUTLS_E_AGAIN) { + s->tls_bye = false; + dns_stream_unref(s); + } + + return 0; + } + + if (s->tls_handshake < 0) { + assert(s->tls_session); + + s->tls_handshake = gnutls_handshake(s->tls_session); + if (s->tls_handshake >= 0) { + if (s->on_connection && !(gnutls_session_get_flags(s->tls_session) & GNUTLS_SFLAGS_FALSE_START)) { + r = s->on_connection(s); + s->on_connection = NULL; /* only call once */ + if (r < 0) + return r; + } + } else { + if (gnutls_error_is_fatal(s->tls_handshake)) + return dns_stream_complete(s, ECONNREFUSED); + else + return 0; + } + + } +#endif + + /* only identify after connecting */ + if (s->tfo_salen == 0) { + r = dns_stream_identify(s); + if (r < 0) + return dns_stream_complete(s, -r); + } if ((revents & EPOLLOUT) && s->write_packet && @@ -207,7 +373,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use IOVEC_INCREMENT(iov, 2, s->n_written); - ss = writev(fd, iov, 2); + ss = dns_stream_writev(s, iov, 2, 0); if (ss < 0) { if (!IN_SET(errno, EINTR, EAGAIN)) return dns_stream_complete(s, errno); @@ -229,7 +395,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use if (s->n_read < sizeof(s->read_size)) { ssize_t ss; - ss = read(fd, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read); + ss = dns_stream_read(s, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read); if (ss < 0) { if (!IN_SET(errno, EINTR, EAGAIN)) return dns_stream_complete(s, errno); @@ -277,7 +443,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use } } - ss = read(fd, + ss = dns_stream_read(s, (uint8_t*) DNS_PACKET_DATA(s->read_packet) + s->n_read - sizeof(s->read_size), sizeof(s->read_size) + be16toh(s->read_size) - s->n_read); if (ss < 0) { @@ -291,15 +457,18 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use /* Are we done? If so, disable the event source for EPOLLIN */ if (s->n_read >= sizeof(s->read_size) + be16toh(s->read_size)) { - r = dns_stream_update_io(s); - if (r < 0) - return dns_stream_complete(s, -r); - /* If there's a packet handler * installed, call that. Note that * this is optional... */ - if (s->on_packet) - return s->on_packet(s); + if (s->on_packet) { + r = s->on_packet(s); + if (r < 0) + return r; + } + + r = dns_stream_update_io(s); + if (r < 0) + return dns_stream_complete(s, -r); } } } @@ -312,6 +481,9 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use } DnsStream *dns_stream_unref(DnsStream *s) { + DnsPacket *p; + Iterator i; + if (!s) return NULL; @@ -323,19 +495,31 @@ DnsStream *dns_stream_unref(DnsStream *s) { dns_stream_stop(s); + if (s->server && s->server->stream == s) + s->server->stream = NULL; + if (s->manager) { LIST_REMOVE(streams, s->manager->dns_streams, s); s->manager->n_dns_streams--; } +#if HAVE_GNUTLS + if (s->tls_session) + gnutls_deinit(s->tls_session); +#endif + + ORDERED_SET_FOREACH(p, s->write_queue, i) + dns_packet_unref(ordered_set_remove(s->write_queue, p)); + dns_packet_unref(s->write_packet); dns_packet_unref(s->read_packet); + dns_server_unref(s->server); + + ordered_set_free(s->write_queue); return mfree(s); } -DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_unref); - DnsStream *dns_stream_ref(DnsStream *s) { if (!s) return NULL; @@ -346,7 +530,7 @@ DnsStream *dns_stream_ref(DnsStream *s) { return s; } -int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) { +int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address) { _cleanup_(dns_stream_unrefp) DnsStream *s = NULL; int r; @@ -360,6 +544,10 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) { if (!s) return -ENOMEM; + r = ordered_set_ensure_allocated(&s->write_queue, &dns_packet_hash_ops); + if (r < 0) + return r; + s->n_ref = 1; s->fd = -1; s->protocol = protocol; @@ -384,6 +572,11 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) { LIST_PREPEND(streams, m->dns_streams, s); s->manager = m; s->fd = fd; + if (tfo_address) { + s->tfo_address = *tfo_address; + s->tfo_salen = tfo_address->sa.sa_family == AF_INET6 ? sizeof(tfo_address->in6) : sizeof(tfo_address->in); + } + m->n_dns_streams++; *ret = TAKE_PTR(s); @@ -391,15 +584,31 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) { return 0; } +#if HAVE_GNUTLS +int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) { + gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s); + gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev); + + s->encrypted = true; + s->tls_session = tls_session; + s->tls_handshake = gnutls_handshake(tls_session); + if (s->tls_handshake < 0 && gnutls_error_is_fatal(s->tls_handshake)) + return -ECONNREFUSED; + + return 0; +} +#endif + int dns_stream_write_packet(DnsStream *s, DnsPacket *p) { + int r; + assert(s); - if (s->write_packet) - return -EBUSY; + r = ordered_set_put(s->write_queue, p); + if (r < 0) + return r; - s->write_packet = dns_packet_ref(p); - s->write_size = htobe16(p->size); - s->n_written = 0; + dns_packet_ref(p); return dns_stream_update_io(s); } diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h index 148ef9af9d..5542e9e2ba 100644 --- a/src/resolve/resolved-dns-stream.h +++ b/src/resolve/resolved-dns-stream.h @@ -15,6 +15,10 @@ typedef struct DnsStream DnsStream; #include "resolved-dns-transaction.h" #include "resolved-manager.h" +#if HAVE_GNUTLS +#include <gnutls/gnutls.h> +#endif + /* Streams are used by three subsystems: * * 1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP @@ -37,26 +41,47 @@ struct DnsStream { uint32_t ttl; bool identified; + /* only when using TCP fast open */ + union sockaddr_union tfo_address; + socklen_t tfo_salen; + +#if HAVE_GNUTLS + gnutls_session_t tls_session; + int tls_handshake; + bool tls_bye; +#endif + sd_event_source *io_event_source; sd_event_source *timeout_event_source; be16_t write_size, read_size; DnsPacket *write_packet, *read_packet; size_t n_written, n_read; + OrderedSet *write_queue; + int (*on_connection)(DnsStream *s); int (*on_packet)(DnsStream *s); int (*complete)(DnsStream *s, int error); - DnsTransaction *transaction; /* when used by the transaction logic */ + LIST_HEAD(DnsTransaction, transactions); /* when used by the transaction logic */ + DnsServer *server; /* when used by the transaction logic */ DnsQuery *query; /* when used by the DNS stub logic */ + /* used when DNS-over-TLS is enabled */ + bool encrypted:1; + LIST_FIELDS(DnsStream, streams); }; -int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd); +int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address); +#if HAVE_GNUTLS +int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session); +#endif DnsStream *dns_stream_unref(DnsStream *s); DnsStream *dns_stream_ref(DnsStream *s); +DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_unref); + int dns_stream_write_packet(DnsStream *s, DnsPacket *p); static inline bool DNS_STREAM_QUEUED(DnsStream *s) { diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c index 6b47a48df6..298d8132be 100644 --- a/src/resolve/resolved-dns-stub.c +++ b/src/resolve/resolved-dns-stub.c @@ -469,7 +469,7 @@ static int on_dns_stub_stream(sd_event_source *s, int fd, uint32_t revents, void return -errno; } - r = dns_stream_new(m, &stream, DNS_PROTOCOL_DNS, cfd); + r = dns_stream_new(m, &stream, DNS_PROTOCOL_DNS, cfd, NULL); if (r < 0) { safe_close(cfd); return r; diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index acfe987cbe..99c7496090 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -18,6 +18,10 @@ #include "resolved-llmnr.h" #include "string-table.h" +#if HAVE_GNUTLS +#include <gnutls/socket.h> +#endif + #define TRANSACTIONS_MAX 4096 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC) @@ -51,9 +55,11 @@ static void dns_transaction_close_connection(DnsTransaction *t) { if (t->stream) { /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */ - t->stream->complete = NULL; - t->stream->on_packet = NULL; - t->stream->transaction = NULL; + LIST_REMOVE(transactions_by_stream, t->stream->transactions, t); + + /* Remove packet in case it's still in the queue */ + dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent)); + t->stream = dns_stream_unref(t->stream); } @@ -448,42 +454,31 @@ static int dns_transaction_maybe_restart(DnsTransaction *t) { return 1; } -static int on_stream_complete(DnsStream *s, int error) { - _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; - DnsTransaction *t; - - assert(s); - assert(s->transaction); - - /* Copy the data we care about out of the stream before we - * destroy it. */ - t = s->transaction; - p = dns_packet_ref(s->read_packet); +static void on_transaction_stream_error(DnsTransaction *t, int error) { + assert(t); dns_transaction_close_connection(t); if (ERRNO_IS_DISCONNECT(error)) { - usec_t usec; - if (t->scope->protocol == DNS_PROTOCOL_LLMNR) { /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the * question on this scope. */ dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND); - return 0; } - log_debug_errno(error, "Connection failure for DNS TCP stream: %m"); - assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0); - dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level, usec - t->start_usec); - dns_transaction_retry(t, true); - return 0; } if (error != 0) { t->answer_errno = error; dns_transaction_complete(t, DNS_TRANSACTION_ERRNO); - return 0; } +} + +static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) { + assert(t); + assert(p); + + dns_transaction_close_connection(t); if (dns_packet_validate_reply(p) <= 0) { log_debug("Invalid TCP reply packet."); @@ -508,9 +503,83 @@ static int on_stream_complete(DnsStream *s, int error) { return 0; } -static int dns_transaction_open_tcp(DnsTransaction *t) { +static int on_stream_connection(DnsStream *s) { +#if HAVE_GNUTLS + /* Store TLS Ticket for faster succesive TLS handshakes */ + if (s->tls_session && s->server) { + if (s->server->tls_session_data.data) + gnutls_free(s->server->tls_session_data.data); + + gnutls_session_get_data2(s->tls_session, &s->server->tls_session_data); + } +#endif + + return 0; +} + +static int on_stream_complete(DnsStream *s, int error) { + DnsTransaction *t, *n; + int r = 0; + + /* Do not let new transactions use this stream */ + if (s->server && s->server->stream == s) + s->server->stream = dns_stream_unref(s->server->stream); + + if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) { + usec_t usec; + + log_debug_errno(error, "Connection failure for DNS TCP stream: %m"); + + if (s->transactions) { + t = s->transactions; + assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0); + dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level, usec - t->start_usec); + } + } + + LIST_FOREACH_SAFE(transactions_by_stream, t, n, s->transactions) + if (error != 0) + on_transaction_stream_error(t, error); + else if (DNS_PACKET_ID(s->read_packet) == t->id) + /* As each transaction have a unique id the return code is only set once */ + r = dns_transaction_on_stream_packet(t, s->read_packet); + + return r; +} + +static int dns_stream_on_packet(DnsStream *s) { + _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; + int r = 0; + DnsTransaction *t; + + /* Take ownership of packet to be able to receive new packets */ + p = TAKE_PTR(s->read_packet); + s->n_read = 0; + + t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p))); + + /* Ignore incorrect transaction id as transaction can have been canceled */ + if (t) + r = dns_transaction_on_stream_packet(t, p); + else { + if (dns_packet_validate_reply(p) <= 0) { + log_debug("Invalid TCP reply packet."); + on_stream_complete(s, 0); + } + return 0; + } + + return r; +} + +static int dns_transaction_emit_tcp(DnsTransaction *t) { _cleanup_close_ int fd = -1; + _cleanup_(dns_stream_unrefp) DnsStream *s = NULL; + union sockaddr_union sa; int r; +#if HAVE_GNUTLS + gnutls_session_t gs; +#endif assert(t); @@ -530,13 +599,17 @@ static int dns_transaction_open_tcp(DnsTransaction *t) { if (r < 0) return r; - fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, 53); + if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted)) + s = dns_stream_ref(t->server->stream); + else + fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53, &sa); + break; case DNS_PROTOCOL_LLMNR: /* When we already received a reply to this (but it was truncated), send to its sender address */ if (t->received) - fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port); + fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa); else { union in_addr_union address; int family = AF_UNSPEC; @@ -553,7 +626,7 @@ static int dns_transaction_open_tcp(DnsTransaction *t) { if (family != t->scope->family) return -ESRCH; - fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT); + fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa); } break; @@ -562,28 +635,67 @@ static int dns_transaction_open_tcp(DnsTransaction *t) { return -EAFNOSUPPORT; } - if (fd < 0) - return fd; + if (!s) { + if (fd < 0) + return fd; - r = dns_stream_new(t->scope->manager, &t->stream, t->scope->protocol, fd); - if (r < 0) - return r; - fd = -1; + r = dns_stream_new(t->scope->manager, &s, t->scope->protocol, fd, &sa); + if (r < 0) + return r; + + fd = -1; + + if (t->server) { + dns_stream_unref(t->server->stream); + t->server->stream = dns_stream_ref(s); + s->server = dns_server_ref(t->server); + } + +#if HAVE_GNUTLS + if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) { + r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); + if (r < 0) + return r; + + /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */ + r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL); + if (r < 0) + return r; + + r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, t->server->tls_cert_cred); + if (r < 0) + return r; + + if (t->server && t->server->tls_session_data.size > 0) + gnutls_session_set_data(gs, t->server->tls_session_data.data, t->server->tls_session_data.size); + + gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); + + r = dns_stream_connect_tls(s, gs); + if (r < 0) + return r; + } +#endif + + s->on_connection = on_stream_connection; + s->complete = on_stream_complete; + s->on_packet = dns_stream_on_packet; + + /* The interface index is difficult to determine if we are + * connecting to the local host, hence fill this in right away + * instead of determining it from the socket */ + s->ifindex = dns_scope_ifindex(t->scope); + } + + t->stream = TAKE_PTR(s); + LIST_PREPEND(transactions_by_stream, t->stream->transactions, t); r = dns_stream_write_packet(t->stream, t->sent); if (r < 0) { - t->stream = dns_stream_unref(t->stream); + dns_transaction_close_connection(t); return r; } - t->stream->complete = on_stream_complete; - t->stream->transaction = t; - - /* The interface index is difficult to determine if we are - * connecting to the local host, hence fill this in right away - * instead of determining it from the socket */ - t->stream->ifindex = dns_scope_ifindex(t->scope); - dns_transaction_reset_answer(t); t->tried_stream = true; @@ -929,7 +1041,17 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { } /* Reduce this feature level by one and try again. */ - t->clamp_feature_level = t->current_feature_level - 1; + switch (t->current_feature_level) { + case DNS_SERVER_FEATURE_LEVEL_TLS_DO: + t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; + break; + case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1: + /* Skip plain TLS when TLS is not supported */ + t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1; + break; + default: + t->clamp_feature_level = t->current_feature_level - 1; + } log_debug("Server returned error %s, retrying transaction with reduced feature level %s.", dns_rcode_to_string(DNS_PACKET_RCODE(p)), @@ -971,7 +1093,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { log_debug("Reply truncated, retrying via TCP."); /* Response was truncated, let's try again with good old TCP */ - r = dns_transaction_open_tcp(t); + r = dns_transaction_emit_tcp(t); if (r == -ESRCH) { /* No servers found? Damn! */ dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS); @@ -1145,7 +1267,7 @@ static int dns_transaction_emit_udp(DnsTransaction *t) { if (r < 0) return r; - if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP) + if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) return -EAGAIN; /* Sorry, can't do UDP, try TCP! */ if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type)) @@ -1627,7 +1749,7 @@ int dns_transaction_go(DnsTransaction *t) { /* RFC 4795, Section 2.4. says reverse lookups shall * always be made via TCP on LLMNR */ - r = dns_transaction_open_tcp(t); + r = dns_transaction_emit_tcp(t); } else { /* Try via UDP, and if that fails due to large size or lack of * support try via TCP */ @@ -1635,9 +1757,9 @@ int dns_transaction_go(DnsTransaction *t) { if (r == -EMSGSIZE) log_debug("Sending query via TCP since it is too large."); else if (r == -EAGAIN) - log_debug("Sending query via TCP since server doesn't support UDP."); + log_debug("Sending query via TCP since UDP isn't supported."); if (IN_SET(r, -EMSGSIZE, -EAGAIN)) - r = dns_transaction_open_tcp(t); + r = dns_transaction_emit_tcp(t); } if (r == -ESRCH) { diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h index ae6d402306..8b44f65f9a 100644 --- a/src/resolve/resolved-dns-transaction.h +++ b/src/resolve/resolved-dns-transaction.h @@ -136,6 +136,7 @@ struct DnsTransaction { unsigned block_gc; LIST_FIELDS(DnsTransaction, transactions_by_scope); + LIST_FIELDS(DnsTransaction, transactions_by_stream); }; int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key); diff --git a/src/resolve/resolved-gperf.gperf b/src/resolve/resolved-gperf.gperf index a5865ce6c2..e076241fb6 100644 --- a/src/resolve/resolved-gperf.gperf +++ b/src/resolve/resolved-gperf.gperf @@ -23,5 +23,6 @@ Resolve.Domains, config_parse_search_domains, 0, Resolve.LLMNR, config_parse_resolve_support, 0, offsetof(Manager, llmnr_support) Resolve.MulticastDNS, config_parse_resolve_support, 0, offsetof(Manager, mdns_support) Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode) +Resolve.PrivateDNS, config_parse_private_dns_mode, 0, offsetof(Manager, private_dns_mode) Resolve.Cache, config_parse_bool, 0, offsetof(Manager, enable_cache) Resolve.DNSStubListener, config_parse_dns_stub_listener_mode, 0, offsetof(Manager, dns_stub_listener_mode) diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c index a1fc3ad9d5..3e06f1fe4b 100644 --- a/src/resolve/resolved-link-bus.c +++ b/src/resolve/resolved-link-bus.c @@ -18,6 +18,23 @@ static BUS_DEFINE_PROPERTY_GET(property_get_dnssec_supported, "b", Link, link_dnssec_supported); static BUS_DEFINE_PROPERTY_GET2(property_get_dnssec_mode, "s", Link, link_get_dnssec_mode, dnssec_mode_to_string); +static int property_get_private_dns_mode( + sd_bus *bus, + const char *path, + const char *interface, + const char *property, + sd_bus_message *reply, + void *userdata, + sd_bus_error *error) { + + Link *l = userdata; + + assert(reply); + assert(l); + + return sd_bus_message_append(reply, "s", private_dns_mode_to_string(link_get_private_dns_mode(l))); +} + static int property_get_dns( sd_bus *bus, const char *path, @@ -402,6 +419,38 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err return sd_bus_reply_method_return(message, NULL); } +int bus_link_method_set_private_dns(sd_bus_message *message, void *userdata, sd_bus_error *error) { + Link *l = userdata; + const char *private_dns; + PrivateDnsMode mode; + int r; + + assert(message); + assert(l); + + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + + r = sd_bus_message_read(message, "s", &private_dns); + if (r < 0) + return r; + + if (isempty(private_dns)) + mode = _PRIVATE_DNS_MODE_INVALID; + else { + mode = private_dns_mode_from_string(private_dns); + if (mode < 0) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid PrivateDNS setting: %s", private_dns); + } + + link_set_private_dns_mode(l, mode); + + (void) link_save_user(l); + + return sd_bus_reply_method_return(message, NULL); +} + int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_error *error) { Link *l = userdata; const char *dnssec; @@ -508,6 +557,7 @@ const sd_bus_vtable link_vtable[] = { SD_BUS_PROPERTY("Domains", "a(sb)", property_get_domains, 0, 0), SD_BUS_PROPERTY("LLMNR", "s", bus_property_get_resolve_support, offsetof(Link, llmnr_support), 0), SD_BUS_PROPERTY("MulticastDNS", "s", bus_property_get_resolve_support, offsetof(Link, mdns_support), 0), + SD_BUS_PROPERTY("PrivateDNS", "s", property_get_private_dns_mode, 0, 0), SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, 0, 0), SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0), SD_BUS_PROPERTY("DNSSECSupported", "b", property_get_dnssec_supported, 0, 0), @@ -516,6 +566,7 @@ const sd_bus_vtable link_vtable[] = { SD_BUS_METHOD("SetDomains", "a(sb)", NULL, bus_link_method_set_domains, 0), SD_BUS_METHOD("SetLLMNR", "s", NULL, bus_link_method_set_llmnr, 0), SD_BUS_METHOD("SetMulticastDNS", "s", NULL, bus_link_method_set_mdns, 0), + SD_BUS_METHOD("SetPrivateDNS", "s", NULL, bus_link_method_set_private_dns, 0), SD_BUS_METHOD("SetDNSSEC", "s", NULL, bus_link_method_set_dnssec, 0), SD_BUS_METHOD("SetDNSSECNegativeTrustAnchors", "as", NULL, bus_link_method_set_dnssec_negative_trust_anchors, 0), SD_BUS_METHOD("Revert", NULL, NULL, bus_link_method_revert, 0), diff --git a/src/resolve/resolved-link-bus.h b/src/resolve/resolved-link-bus.h index e55c00777d..1632621230 100644 --- a/src/resolve/resolved-link-bus.h +++ b/src/resolve/resolved-link-bus.h @@ -21,6 +21,7 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_error *error); int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_error *error); int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_error *error); +int bus_link_method_set_private_dns(sd_bus_message *message, void *userdata, sd_bus_error *error); int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_error *error); int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, void *userdata, sd_bus_error *error); int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error *error); diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c index ccce2fdb43..aceea66ed6 100644 --- a/src/resolve/resolved-link.c +++ b/src/resolve/resolved-link.c @@ -41,6 +41,7 @@ int link_new(Manager *m, Link **ret, int ifindex) { l->llmnr_support = RESOLVE_SUPPORT_YES; l->mdns_support = RESOLVE_SUPPORT_NO; l->dnssec_mode = _DNSSEC_MODE_INVALID; + l->private_dns_mode = _PRIVATE_DNS_MODE_INVALID; l->operstate = IF_OPER_UNKNOWN; if (asprintf(&l->state_file, "/run/systemd/resolve/netif/%i", ifindex) < 0) @@ -65,6 +66,7 @@ void link_flush_settings(Link *l) { l->llmnr_support = RESOLVE_SUPPORT_YES; l->mdns_support = RESOLVE_SUPPORT_NO; l->dnssec_mode = _DNSSEC_MODE_INVALID; + l->private_dns_mode = _PRIVATE_DNS_MODE_INVALID; dns_server_unlink_all(l->dns_servers); dns_search_domain_unlink_all(l->search_domains); @@ -352,6 +354,46 @@ clear: return r; } +void link_set_private_dns_mode(Link *l, PrivateDnsMode mode) { + + assert(l); + +#if ! HAVE_GNUTLS + if (mode != PRIVATE_DNS_NO) + log_warning("Private DNS option for the link cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off Private DNS support."); + return; +#endif + + l->private_dns_mode = mode; +} + +static int link_update_private_dns_mode(Link *l) { + _cleanup_free_ char *b = NULL; + int r; + + assert(l); + + r = sd_network_link_get_private_dns(l->ifindex, &b); + if (r == -ENODATA) { + r = 0; + goto clear; + } + if (r < 0) + goto clear; + + l->private_dns_mode = private_dns_mode_from_string(b); + if (l->private_dns_mode < 0) { + r = -EINVAL; + goto clear; + } + + return 0; + +clear: + l->private_dns_mode = _PRIVATE_DNS_MODE_INVALID; + return r; +} + void link_set_dnssec_mode(Link *l, DnssecMode mode) { assert(l); @@ -559,6 +601,10 @@ static void link_read_settings(Link *l) { if (r < 0) log_warning_errno(r, "Failed to read mDNS support for interface %s, ignoring: %m", l->name); + r = link_update_private_dns_mode(l); + if (r < 0) + log_warning_errno(r, "Failed to read Private DNS mode for interface %s, ignoring: %m", l->name); + r = link_update_dnssec_mode(l); if (r < 0) log_warning_errno(r, "Failed to read DNSSEC mode for interface %s, ignoring: %m", l->name); @@ -692,6 +738,15 @@ void link_next_dns_server(Link *l) { link_set_dns_server(l, l->dns_servers); } +PrivateDnsMode link_get_private_dns_mode(Link *l) { + assert(l); + + if (l->private_dns_mode != _PRIVATE_DNS_MODE_INVALID) + return l->private_dns_mode; + + return manager_get_private_dns_mode(l->manager); +} + DnssecMode link_get_dnssec_mode(Link *l) { assert(l); diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h index d8e65cd472..cedcdd6753 100644 --- a/src/resolve/resolved-link.h +++ b/src/resolve/resolved-link.h @@ -59,6 +59,7 @@ struct Link { ResolveSupport llmnr_support; ResolveSupport mdns_support; + PrivateDnsMode private_dns_mode; DnssecMode dnssec_mode; Set *dnssec_negative_trust_anchors; @@ -90,6 +91,7 @@ void link_add_rrs(Link *l, bool force_remove); void link_flush_settings(Link *l); void link_set_dnssec_mode(Link *l, DnssecMode mode); +void link_set_private_dns_mode(Link *l, PrivateDnsMode mode); void link_allocate_scopes(Link *l); DnsServer* link_set_dns_server(Link *l, DnsServer *s); @@ -99,6 +101,8 @@ void link_next_dns_server(Link *l); DnssecMode link_get_dnssec_mode(Link *l); bool link_dnssec_supported(Link *l); +PrivateDnsMode link_get_private_dns_mode(Link *l); + int link_save_user(Link *l); int link_load_user(Link *l); void link_remove_user(Link *l); diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c index ca49df8090..9eef59be0d 100644 --- a/src/resolve/resolved-llmnr.c +++ b/src/resolve/resolved-llmnr.c @@ -345,7 +345,7 @@ static int on_llmnr_stream(sd_event_source *s, int fd, uint32_t revents, void *u return -errno; } - r = dns_stream_new(m, &stream, DNS_PROTOCOL_LLMNR, cfd); + r = dns_stream_new(m, &stream, DNS_PROTOCOL_LLMNR, cfd, NULL); if (r < 0) { safe_close(cfd); return r; diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c index c17622a074..7532b39be5 100644 --- a/src/resolve/resolved-manager.c +++ b/src/resolve/resolved-manager.c @@ -580,6 +580,7 @@ int manager_new(Manager **ret) { m->llmnr_support = RESOLVE_SUPPORT_YES; m->mdns_support = RESOLVE_SUPPORT_YES; m->dnssec_mode = DEFAULT_DNSSEC_MODE; + m->private_dns_mode = DEFAULT_PRIVATE_DNS_MODE; m->enable_cache = true; m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP; m->read_resolv_conf = true; @@ -1384,6 +1385,15 @@ bool manager_dnssec_supported(Manager *m) { return true; } +PrivateDnsMode manager_get_private_dns_mode(Manager *m) { + assert(m); + + if (m->private_dns_mode != _PRIVATE_DNS_MODE_INVALID) + return m->private_dns_mode; + + return _PRIVATE_DNS_MODE_INVALID; +} + void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key) { assert(verdict >= 0); diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h index 372d43c1a5..4bba8b897d 100644 --- a/src/resolve/resolved-manager.h +++ b/src/resolve/resolved-manager.h @@ -35,6 +35,7 @@ struct Manager { ResolveSupport llmnr_support; ResolveSupport mdns_support; DnssecMode dnssec_mode; + PrivateDnsMode private_dns_mode; bool enable_cache; DnsStubListenerMode dns_stub_listener_mode; @@ -172,6 +173,8 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_ DnssecMode manager_get_dnssec_mode(Manager *m); bool manager_dnssec_supported(Manager *m); +PrivateDnsMode manager_get_private_dns_mode(Manager *m); + void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key); bool manager_routable(Manager *m, int family); diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in index e6b20620e2..60c48087a6 100644 --- a/src/resolve/resolved.conf.in +++ b/src/resolve/resolved.conf.in @@ -18,5 +18,6 @@ #LLMNR=yes #MulticastDNS=yes #DNSSEC=@DEFAULT_DNSSEC_MODE@ +#PrivateDNS=@DEFAULT_PRIVATE_DNS_MODE@ #Cache=yes #DNSStubListener=udp diff --git a/src/shared/resolve-util.c b/src/shared/resolve-util.c index 37a0e4e350..c626da5ed4 100644 --- a/src/shared/resolve-util.c +++ b/src/shared/resolve-util.c @@ -11,6 +11,7 @@ DEFINE_CONFIG_PARSE_ENUM(config_parse_resolve_support, resolve_support, ResolveSupport, "Failed to parse resolve support setting"); DEFINE_CONFIG_PARSE_ENUM(config_parse_dnssec_mode, dnssec_mode, DnssecMode, "Failed to parse DNSSEC mode setting"); +DEFINE_CONFIG_PARSE_ENUM(config_parse_private_dns_mode, private_dns_mode, PrivateDnsMode, "Failed to parse private DNS mode setting"); static const char* const resolve_support_table[_RESOLVE_SUPPORT_MAX] = { [RESOLVE_SUPPORT_NO] = "no", @@ -25,3 +26,9 @@ static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = { [DNSSEC_YES] = "yes", }; DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dnssec_mode, DnssecMode, DNSSEC_YES); + +static const char* const private_dns_mode_table[_PRIVATE_DNS_MODE_MAX] = { + [PRIVATE_DNS_NO] = "no", + [PRIVATE_DNS_OPPORTUNISTIC] = "opportunistic", +}; +DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(private_dns_mode, PrivateDnsMode, PRIVATE_DNS_OPPORTUNISTIC); diff --git a/src/shared/resolve-util.h b/src/shared/resolve-util.h index 069e32963e..784bb2d6bd 100644 --- a/src/shared/resolve-util.h +++ b/src/shared/resolve-util.h @@ -12,6 +12,7 @@ typedef enum ResolveSupport ResolveSupport; typedef enum DnssecMode DnssecMode; +typedef enum PrivateDnsMode PrivateDnsMode; enum ResolveSupport { RESOLVE_SUPPORT_NO, @@ -39,11 +40,27 @@ enum DnssecMode { _DNSSEC_MODE_INVALID = -1 }; +enum PrivateDnsMode { + /* No connection is made for DNS-over-TLS */ + PRIVATE_DNS_NO, + + /* Try to connect using DNS-over-TLS, but if connection fails, + * fallback to using an unencrypted connection */ + PRIVATE_DNS_OPPORTUNISTIC, + + _PRIVATE_DNS_MODE_MAX, + _PRIVATE_DNS_MODE_INVALID = -1 +}; + CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support); CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode); +CONFIG_PARSER_PROTOTYPE(config_parse_private_dns_mode); const char* resolve_support_to_string(ResolveSupport p) _const_; ResolveSupport resolve_support_from_string(const char *s) _pure_; const char* dnssec_mode_to_string(DnssecMode p) _const_; DnssecMode dnssec_mode_from_string(const char *s) _pure_; + +const char* private_dns_mode_to_string(PrivateDnsMode p) _const_; +PrivateDnsMode private_dns_mode_from_string(const char *s) _pure_; diff --git a/src/systemd/sd-network.h b/src/systemd/sd-network.h index 2d48946d2a..64bfb4fc09 100644 --- a/src/systemd/sd-network.h +++ b/src/systemd/sd-network.h @@ -129,6 +129,14 @@ int sd_network_link_get_llmnr(int ifindex, char **llmnr); */ int sd_network_link_get_mdns(int ifindex, char **mdns); +/* Indicates whether or not Private DNS should be enabled for the + * link. + * Possible levels of support: strict, no, opportunistic + * Possible return codes: + * -ENODATA: networkd is not aware of the link + */ +int sd_network_link_get_private_dns(int ifindex, char **private_dns); + /* Indicates whether or not DNSSEC should be enabled for the link * Possible levels of support: yes, no, allow-downgrade * Possible return codes: |