Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-dns-scope.c | 5 | ||||
-rw-r--r-- | src/resolve/resolved-dns-synthesize.c | 30 |
2 files changed, 28 insertions, 7 deletions
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index e155df0efa..178482727c 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -630,8 +630,8 @@ DnsScopeMatch dns_scope_good_domain(
 if (dns_name_endswith(domain, "invalid") > 0)
 return DNS_SCOPE_NO;
- /* Never go to network for the _gateway domain, it's something special, synthesized locally. */
- if (is_gateway_hostname(domain))
+ /* Never go to network for the _gateway or _outbound domain — they're something special, synthesized locally. */
+ if (is_gateway_hostname(domain) || is_outbound_hostname(domain))
 return DNS_SCOPE_NO;
 switch (s->protocol) {
@@ -739,6 +739,7 @@ DnsScopeMatch dns_scope_good_domain(
 if ((dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
 !is_gateway_hostname(domain) && /* don't resolve "_gateway" with LLMNR, let local synthesizing logic handle that */
+ !is_outbound_hostname(domain) && /* similar for "_outbound" */
 dns_name_equal(domain, "local") == 0 && /* don't resolve "local" with LLMNR, it's the top-level domain of mDNS after all, see above */
 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
 return DNS_SCOPE_YES_BASE + 1; /* Return +1, as we consider ourselves authoritative
diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c
index d4a4be71b0..ef1423f441 100644
--- a/src/resolve/resolved-dns-synthesize.c
+++ b/src/resolve/resolved-dns-synthesize.c
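Review bot: The early return at @@ -630 is what keeps `_outbound` queries off the network, and it rests entirely on is_outbound_hostname(), which is defined outside this diff. It is worth confirming that the helper accepts the same spellings as is_gateway_hostname() (case variants, trailing dot), because any form it misses would be forwarded to an upstream or link-local resolver and answered remotely instead of being synthesized locally. The LLMNR condition added at @@ -739 appears to be reachable only after that early return has already rejected the name, so its comment could say so: `/* similar for "_outbound"; already rejected above, kept as a second guard */`. Both hunks sit inside dns_scope_good_domain(), whose body starts and ends outside the diff.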
@@ -311,27 +311,33 @@ static int synthesize_system_hostname_ptr(Manager *m, int af, const union in_add
 return added;
 }
-static int synthesize_gateway_rr(Manager *m, const DnsResourceKey *key, int ifindex, DnsAnswer **answer) {
+static int synthesize_gateway_rr(
+ Manager *m,
+ const DnsResourceKey *key,
+ int ifindex,
+ int (*lookup)(sd_netlink *context, int ifindex, int af, struct local_address **ret), /* either local_gateways() or local_outbound() */
+ DnsAnswer **answer) {
 _cleanup_free_ struct local_address *addresses = NULL;
 int n = 0, af, r;
 assert(m);
 assert(key);
+ assert(lookup);
 assert(answer);
 af = dns_type_to_af(key->type);
 if (af >= 0) {
- n = local_gateways(m->rtnl, ifindex, af, &addresses);
+ n = lookup(m->rtnl, ifindex, af, &addresses);
 if (n < 0) /* < 0 means: error */
 return n;
 if (n == 0) { /* == 0 means we have no gateway */
 /* See if there's a gateway on the other protocol */
 if (af == AF_INET)
- n = local_gateways(m->rtnl, ifindex, AF_INET6, NULL);
+ n = lookup(m->rtnl, ifindex, AF_INET6, NULL);
 else {
 assert(af == AF_INET6);
- n = local_gateways(m->rtnl, ifindex, AF_INET, NULL);
+ n = lookup(m->rtnl, ifindex, AF_INET, NULL);
 }
 if (n <= 0) /* error (if < 0) or really no gateway at all (if == 0) */
 return n;
@@ -402,7 +408,7 @@ int dns_synthesize_answer(
 } else if (is_gateway_hostname(name)) {
- r = synthesize_gateway_rr(m, key, ifindex, &answer);
+ r = synthesize_gateway_rr(m, key, ifindex, local_gateways, &answer);
 if (r < 0)
 return log_error_errno(r, "Failed to synthesize gateway RRs: %m");
 if (r == 0) { /* if we have no gateway return NXDOMAIN */
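Review bot: The parameter comment in the new signature names `local_outbound()`, but the `_outbound` branch added at @@ -410 passes `local_outbounds`; the comment should read `/* either local_gateways() or local_outbounds() */`. Since synthesize_gateway_rr() now serves both lookups, the unchanged comments `/* == 0 means we have no gateway */` and `/* See if there's a gateway on the other protocol */` describe only one of its two callers. The same stale wording was copied into the new branch at @@ -410 as `/* if we have no gateway return NXDOMAIN */`, where `/* if we have no outbound address return NXDOMAIN */` would fit. The function body continues past the end of this hunk.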
@@ -410,6 +416,16 @@ int dns_synthesize_answer(
 continue;
 }
+ } else if (is_outbound_hostname(name)) {
+
+ r = synthesize_gateway_rr(m, key, ifindex, local_outbounds, &answer);
+ if (r < 0)
+ return log_error_errno(r, "Failed to synthesize outbound RRs: %m");
+ if (r == 0) { /* if we have no gateway return NXDOMAIN */
+ nxdomain = true;
+ continue;
+ }
+
 } else if ((dns_name_endswith(name, "127.in-addr.arpa") > 0 && dns_name_equal(name, "2.0.0.127.in-addr.arpa") == 0) ||
 dns_name_equal(name, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0) {
@@ -431,6 +447,10 @@ int dns_synthesize_answer(
 if (v == 0 && w == 0) /* This IP address is neither a local one nor a gateway */
 continue;
+ /* Note that we never synthesize reverse PTR for _outbound, since those are local
+ * addresses and thus mapped to the local hostname anyway, hence they already have a
+ * mapping. */
+
 } else
 continue; |