diff options
| author | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-09-14 18:33:57 -0400 |
|---|---|---|
| committer | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-09-14 18:33:57 -0400 |
| commit | 3c72c8d3ee67388336aca58c5afa3fb93a9c24c0 (patch) | |
| tree | d072df7fee0f5906fad88c08398b2fe887cbc064 /src/grp-resolve | |
| parent | e51613a3291342c6006edda8783755fb8994fd75 (diff) | |
| parent | 6ba6ca19507add38549e07058c57489a8cd98cd1 (diff) | |
Merge branch 'notsystemd/postmove' into notsystemd/master
# Conflicts:
# src/grp-journal/systemd-journald/Makefile
# src/grp-login/systemd-logind/Makefile
# src/grp-machine/grp-import/systemd-export/Makefile
# src/grp-machine/grp-import/systemd-import/Makefile
# src/grp-machine/grp-import/systemd-pull/Makefile
# src/grp-machine/systemd-machined/Makefile
# src/grp-network/libnetworkd-core/Makefile
# src/grp-resolve/libbasic-dns/Makefile
# src/grp-resolve/systemd-resolved/Makefile
# src/grp-utils/systemd-path/Makefile
# src/libshared/src/Makefile
# src/libsystemd-network/include/systemd-network/sd-ndisc.h
# src/libsystemd/Makefile
# src/libsystemd/src/test.mk
# src/libudev/Makefile
# src/systemd-dbus1-generator/Makefile
# src/systemd-nspawn/nspawn.c
Signed-off-by: Luke Shumaker <lukeshu@sbcglobal.net>
Diffstat (limited to 'src/grp-resolve')
50 files changed, 2812 insertions, 425 deletions
diff --git a/src/grp-resolve/libbasic-dns/Makefile b/src/grp-resolve/libbasic-dns/Makefile index 1d342c5f3b..b1a760cc10 100644 --- a/src/grp-resolve/libbasic-dns/Makefile +++ b/src/grp-resolve/libbasic-dns/Makefile @@ -62,9 +62,15 @@ test_resolve_tables_SOURCES = \ $(basic_dns_sources) \ src/shared/test-tables.h +test_resolve_tables_CFLAGS = \ + $(AM_CFLAGS) \ + $(GCRYPT_CFLAGS) + test_resolve_tables_LDADD = \ libbasic-dns.la \ - libshared.la + libsystemd-shared.la \ + $(GCRYPT_LIBS) \ + -lm test_dns_packet_SOURCES = \ src/resolve/test-dns-packet.c \ @@ -74,9 +80,14 @@ test_dns_packet_CPPFLAGS = \ $(AM_CPPFLAGS) \ -DRESOLVE_TEST_DIR=\"$(abs_top_srcdir)/src/resolve/test-data\" +test_dns_packet_CFLAGS = \ + $(AM_CFLAGS) \ + $(GCRYPT_CFLAGS) + test_dns_packet_LDADD = \ libbasic-dns.la \ - libshared.la + $(GCRYPT_LIBS) \ + -lm EXTRA_DIST += \ src/resolve/test-data/_openpgpkey.fedoraproject.org.pkts \ @@ -95,9 +106,15 @@ test_dnssec_SOURCES = \ src/resolve/test-dnssec.c \ $(basic_dns_sources) +test_dnssec_CFLAGS = \ + $(AM_CFLAGS) \ + $(GCRYPT_CFLAGS) + test_dnssec_LDADD = \ libbasic-dns.la \ - libshared.la + libsystemd-shared.la \ + $(GCRYPT_LIBS) \ + -lm test_dnssec_complex_SOURCES = \ src/resolve/test-dnssec-complex.c \ @@ -105,7 +122,7 @@ test_dnssec_complex_SOURCES = \ src/resolve/dns-type.h test_dnssec_complex_LDADD = \ - libshared.la + libsystemd-shared.la noinst_LTLIBRARIES = libbasic-dns.la libbasic_dns_la_LIBADD = libshared.la diff --git a/src/grp-resolve/libbasic-dns/dns-type.c b/src/grp-resolve/libbasic-dns/dns-type.c index 6d5b9d616f..eceb72f545 100644 --- a/src/grp-resolve/libbasic-dns/dns-type.c +++ b/src/grp-resolve/libbasic-dns/dns-type.c @@ -97,6 +97,15 @@ bool dns_type_is_valid_query(uint16_t type) { DNS_TYPE_RRSIG); } +bool dns_type_is_zone_transer(uint16_t type) { + + /* Zone transfers, either normal or incremental */ + + return IN_SET(type, + DNS_TYPE_AXFR, + DNS_TYPE_IXFR); +} + bool dns_type_is_valid_rr(uint16_t type) { /* The types valid as RR in packets (but not necessarily diff --git a/src/grp-resolve/libbasic-dns/dns-type.h b/src/grp-resolve/libbasic-dns/dns-type.h index a8ee105e16..be548b6073 100644 --- a/src/grp-resolve/libbasic-dns/dns-type.h +++ b/src/grp-resolve/libbasic-dns/dns-type.h @@ -136,6 +136,7 @@ bool dns_type_is_obsolete(uint16_t type); bool dns_type_may_wildcard(uint16_t type); bool dns_type_apex_only(uint16_t type); bool dns_type_needs_authentication(uint16_t type); +bool dns_type_is_zone_transer(uint16_t type); int dns_type_to_af(uint16_t type); bool dns_class_is_pseudo(uint16_t class); diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-answer.c b/src/grp-resolve/libbasic-dns/resolved-dns-answer.c index 1ade0507db..c45505b441 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-answer.c +++ b/src/grp-resolve/libbasic-dns/resolved-dns-answer.c @@ -186,7 +186,7 @@ int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, Dns return dns_answer_add(*a, rr, ifindex, flags); } -int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl) { +int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex) { _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *soa = NULL; soa = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_SOA, name); @@ -209,7 +209,7 @@ int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl) { soa->soa.expire = 1; soa->soa.minimum = ttl; - return dns_answer_add(a, soa, 0, DNS_ANSWER_AUTHENTICATED); + return dns_answer_add(a, soa, ifindex, DNS_ANSWER_AUTHENTICATED); } int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *ret_flags) { @@ -703,7 +703,7 @@ void dns_answer_order_by_scope(DnsAnswer *a, bool prefer_link_local) { if (a->items[i].rr->key->class == DNS_CLASS_IN && ((a->items[i].rr->key->type == DNS_TYPE_A && in_addr_is_link_local(AF_INET, (union in_addr_union*) &a->items[i].rr->a.in_addr) != prefer_link_local) || (a->items[i].rr->key->type == DNS_TYPE_AAAA && in_addr_is_link_local(AF_INET6, (union in_addr_union*) &a->items[i].rr->aaaa.in6_addr) != prefer_link_local))) - /* Order address records that are are not preferred to the end of the array */ + /* Order address records that are not preferred to the end of the array */ items[end--] = a->items[i]; else /* Order all other records to the beginning of the array */ diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-answer.h b/src/grp-resolve/libbasic-dns/resolved-dns-answer.h index 92557a410a..bbb836fc7e 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-answer.h +++ b/src/grp-resolve/libbasic-dns/resolved-dns-answer.h @@ -57,7 +57,7 @@ DnsAnswer *dns_answer_unref(DnsAnswer *a); int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags); int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags); -int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl); +int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex); int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *combined_flags); int dns_answer_contains_rr(DnsAnswer *a, DnsResourceRecord *rr, DnsAnswerFlags *combined_flags); @@ -88,6 +88,10 @@ static inline unsigned dns_answer_size(DnsAnswer *a) { return a ? a->n_rrs : 0; } +static inline bool dns_answer_isempty(DnsAnswer *a) { + return dns_answer_size(a) <= 0; +} + void dns_answer_dump(DnsAnswer *answer, FILE *f); DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref); diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-dnssec.c b/src/grp-resolve/libbasic-dns/resolved-dns-dnssec.c index 7d58edcdfa..a53f2daa28 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-dnssec.c +++ b/src/grp-resolve/libbasic-dns/resolved-dns-dnssec.c @@ -1643,7 +1643,7 @@ static int dnssec_nsec_in_path(DnsResourceRecord *rr, const char *name) { if (r <= 0) return r; - /* If the name we we are interested in is not a prefix of the common suffix of the NSEC RR's owner and next domain names, then we can't say anything either. */ + /* If the name we are interested in is not a prefix of the common suffix of the NSEC RR's owner and next domain names, then we can't say anything either. */ r = dns_name_common_suffix(dns_resource_key_name(rr->key), rr->nsec.next_domain_name, &common_suffix); if (r < 0) return r; diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-packet.c b/src/grp-resolve/libbasic-dns/resolved-dns-packet.c index 37c0244b7e..e5a497e0ed 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-packet.c +++ b/src/grp-resolve/libbasic-dns/resolved-dns-packet.c @@ -265,6 +265,7 @@ int dns_packet_validate_query(DnsPacket *p) { switch (p->protocol) { case DNS_PROTOCOL_LLMNR: + case DNS_PROTOCOL_DNS: /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */ if (DNS_PACKET_QDCOUNT(p) != 1) return -EBADMSG; @@ -677,13 +678,15 @@ fail: } /* Append the OPT pseudo-RR described in RFC6891 */ -int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, size_t *start) { +int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, int rcode, size_t *start) { size_t saved_size; int r; assert(p); /* we must never advertise supported packet size smaller than the legacy max */ assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX); + assert(rcode >= 0); + assert(rcode <= _DNS_RCODE_MAX); if (p->opt_start != (size_t) -1) return -EBUSY; @@ -702,13 +705,13 @@ int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, si if (r < 0) goto fail; - /* maximum udp packet that can be received */ + /* class: maximum udp packet that can be received */ r = dns_packet_append_uint16(p, max_udp_size, NULL); if (r < 0) goto fail; /* extended RCODE and VERSION */ - r = dns_packet_append_uint16(p, 0, NULL); + r = dns_packet_append_uint16(p, ((uint16_t) rcode & 0x0FF0) << 4, NULL); if (r < 0) goto fail; @@ -718,9 +721,8 @@ int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, si goto fail; /* RDLENGTH */ - - if (edns0_do) { - /* If DO is on, also append RFC6975 Algorithm data */ + if (edns0_do && !DNS_PACKET_QR(p)) { + /* If DO is on and this is not a reply, also append RFC6975 Algorithm data */ static const uint8_t rfc6975[] = { @@ -751,7 +753,6 @@ int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, si r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL); } else r = dns_packet_append_uint16(p, 0, NULL); - if (r < 0) goto fail; @@ -792,6 +793,7 @@ int dns_packet_truncate_opt(DnsPacket *p) { } int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start) { + size_t saved_size, rdlength_offset, end, rdlength, rds; int r; @@ -1135,6 +1137,36 @@ fail: return r; } +int dns_packet_append_question(DnsPacket *p, DnsQuestion *q) { + DnsResourceKey *key; + int r; + + assert(p); + + DNS_QUESTION_FOREACH(key, q) { + r = dns_packet_append_key(p, key, NULL); + if (r < 0) + return r; + } + + return 0; +} + +int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a) { + DnsResourceRecord *rr; + int r; + + assert(p); + + DNS_ANSWER_FOREACH(rr, a) { + r = dns_packet_append_rr(p, rr, NULL, NULL); + if (r < 0) + return r; + } + + return 0; +} + int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start) { assert(p); @@ -2030,8 +2062,10 @@ static bool opt_is_good(DnsResourceRecord *rr, bool *rfc6975) { assert(rr->key->type == DNS_TYPE_OPT); /* Check that the version is 0 */ - if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0) - return false; + if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0) { + *rfc6975 = false; + return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */ + } p = rr->opt.data; l = rr->opt.data_size; @@ -2154,16 +2188,27 @@ int dns_packet_extract(DnsPacket *p) { continue; } - if (has_rfc6975) { - /* If the OPT RR contains RFC6975 algorithm data, then this is indication that - * the server just copied the OPT it got from us (which contained that data) - * back into the reply. If so, then it doesn't properly support EDNS, as - * RFC6975 makes it very clear that the algorithm data should only be contained - * in questions, never in replies. Crappy Belkin routers copy the OPT data for - * example, hence let's detect this so that we downgrade early. */ - log_debug("OPT RR contained RFC6975 data, ignoring."); - bad_opt = true; - continue; + if (DNS_PACKET_QR(p)) { + /* Additional checks for responses */ + + if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr)) { + /* If this is a reply and we don't know the EDNS version then something + * is weird... */ + log_debug("EDNS version newer that our request, bad server."); + return -EBADMSG; + } + + if (has_rfc6975) { + /* If the OPT RR contains RFC6975 algorithm data, then this is indication that + * the server just copied the OPT it got from us (which contained that data) + * back into the reply. If so, then it doesn't properly support EDNS, as + * RFC6975 makes it very clear that the algorithm data should only be contained + * in questions, never in replies. Crappy Belkin routers copy the OPT data for + * example, hence let's detect this so that we downgrade early. */ + log_debug("OPT RR contained RFC6975 data, ignoring."); + bad_opt = true; + continue; + } } p->opt = dns_resource_record_ref(rr); diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-packet.h b/src/grp-resolve/libbasic-dns/resolved-dns-packet.h index 2e0eba83b6..a9e95ebd75 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-packet.h +++ b/src/grp-resolve/libbasic-dns/resolved-dns-packet.h @@ -118,6 +118,8 @@ static inline uint8_t* DNS_PACKET_DATA(DnsPacket *p) { #define DNS_PACKET_AD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 5) & 1) #define DNS_PACKET_CD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 4) & 1) +#define DNS_PACKET_FLAG_TC (UINT16_C(1) << 9) + static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) { uint16_t rcode; @@ -126,7 +128,34 @@ static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) { else rcode = 0; - return rcode | (be16toh(DNS_PACKET_HEADER(p)->flags) & 15); + return rcode | (be16toh(DNS_PACKET_HEADER(p)->flags) & 0xF); +} + +static inline uint16_t DNS_PACKET_PAYLOAD_SIZE_MAX(DnsPacket *p) { + + /* Returns the advertised maximum datagram size for replies, or the DNS default if there's nothing defined. */ + + if (p->opt) + return MAX(DNS_PACKET_UNICAST_SIZE_MAX, p->opt->key->class); + + return DNS_PACKET_UNICAST_SIZE_MAX; +} + +static inline bool DNS_PACKET_DO(DnsPacket *p) { + if (!p->opt) + return false; + + return !!(p->opt->ttl & (1U << 15)); +} + +static inline bool DNS_PACKET_VERSION_SUPPORTED(DnsPacket *p) { + /* Returns true if this packet is in a version we support. Which means either non-EDNS or EDNS(0), but not EDNS + * of any newer versions */ + + if (!p->opt) + return true; + + return DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(p->opt); } /* LLMNR defines some bits differently */ @@ -182,7 +211,9 @@ int dns_packet_append_label(DnsPacket *p, const char *s, size_t l, bool canonica int dns_packet_append_name(DnsPacket *p, const char *name, bool allow_compression, bool canonical_candidate, size_t *start); int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *key, size_t *start); int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start); -int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, size_t *start); +int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, int rcode, size_t *start); +int dns_packet_append_question(DnsPacket *p, DnsQuestion *q); +int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a); void dns_packet_truncate(DnsPacket *p, size_t sz); int dns_packet_truncate_opt(DnsPacket *p); @@ -232,7 +263,8 @@ enum { DNS_RCODE_BADNAME = 20, DNS_RCODE_BADALG = 21, DNS_RCODE_BADTRUNC = 22, - _DNS_RCODE_MAX_DEFINED + _DNS_RCODE_MAX_DEFINED, + _DNS_RCODE_MAX = 4095 /* 4 bit rcode in the header plus 8 bit rcode in OPT, makes 12 bit */ }; const char* dns_rcode_to_string(int i) _const_; diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-question.h b/src/grp-resolve/libbasic-dns/resolved-dns-question.h index 320bf53488..fe47a6bd9e 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-question.h +++ b/src/grp-resolve/libbasic-dns/resolved-dns-question.h @@ -57,6 +57,10 @@ static inline unsigned dns_question_size(DnsQuestion *q) { return q ? q->n_keys : 0; } +static inline bool dns_question_isempty(DnsQuestion *q) { + return dns_question_size(q) <= 0; +} + DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuestion*, dns_question_unref); #define _DNS_QUESTION_FOREACH(u, key, q) \ diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-rr.c b/src/grp-resolve/libbasic-dns/resolved-dns-rr.c index c6a60b65b7..73ca3c7fb9 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-rr.c +++ b/src/grp-resolve/libbasic-dns/resolved-dns-rr.c @@ -1533,6 +1533,232 @@ const struct hash_ops dns_resource_record_hash_ops = { .compare = dns_resource_record_compare_func, }; +DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr) { + _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *copy = NULL; + DnsResourceRecord *t; + + assert(rr); + + copy = dns_resource_record_new(rr->key); + if (!copy) + return NULL; + + copy->ttl = rr->ttl; + copy->expiry = rr->expiry; + copy->n_skip_labels_signer = rr->n_skip_labels_signer; + copy->n_skip_labels_source = rr->n_skip_labels_source; + copy->unparseable = rr->unparseable; + + switch (rr->unparseable ? _DNS_TYPE_INVALID : rr->key->type) { + + case DNS_TYPE_SRV: + copy->srv.priority = rr->srv.priority; + copy->srv.weight = rr->srv.weight; + copy->srv.port = rr->srv.port; + copy->srv.name = strdup(rr->srv.name); + if (!copy->srv.name) + return NULL; + break; + + case DNS_TYPE_PTR: + case DNS_TYPE_NS: + case DNS_TYPE_CNAME: + case DNS_TYPE_DNAME: + copy->ptr.name = strdup(rr->ptr.name); + if (!copy->ptr.name) + return NULL; + break; + + case DNS_TYPE_HINFO: + copy->hinfo.cpu = strdup(rr->hinfo.cpu); + if (!copy->hinfo.cpu) + return NULL; + + copy->hinfo.os = strdup(rr->hinfo.os); + if(!copy->hinfo.os) + return NULL; + break; + + case DNS_TYPE_TXT: + case DNS_TYPE_SPF: + copy->txt.items = dns_txt_item_copy(rr->txt.items); + if (!copy->txt.items) + return NULL; + break; + + case DNS_TYPE_A: + copy->a = rr->a; + break; + + case DNS_TYPE_AAAA: + copy->aaaa = rr->aaaa; + break; + + case DNS_TYPE_SOA: + copy->soa.mname = strdup(rr->soa.mname); + if (!copy->soa.mname) + return NULL; + copy->soa.rname = strdup(rr->soa.rname); + if (!copy->soa.rname) + return NULL; + copy->soa.serial = rr->soa.serial; + copy->soa.refresh = rr->soa.refresh; + copy->soa.retry = rr->soa.retry; + copy->soa.expire = rr->soa.expire; + copy->soa.minimum = rr->soa.minimum; + break; + + case DNS_TYPE_MX: + copy->mx.priority = rr->mx.priority; + copy->mx.exchange = strdup(rr->mx.exchange); + if (!copy->mx.exchange) + return NULL; + break; + + case DNS_TYPE_LOC: + copy->loc = rr->loc; + break; + + case DNS_TYPE_SSHFP: + copy->sshfp.algorithm = rr->sshfp.algorithm; + copy->sshfp.fptype = rr->sshfp.fptype; + copy->sshfp.fingerprint = memdup(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size); + if (!copy->sshfp.fingerprint) + return NULL; + copy->sshfp.fingerprint_size = rr->sshfp.fingerprint_size; + break; + + case DNS_TYPE_DNSKEY: + copy->dnskey.flags = rr->dnskey.flags; + copy->dnskey.protocol = rr->dnskey.protocol; + copy->dnskey.algorithm = rr->dnskey.algorithm; + copy->dnskey.key = memdup(rr->dnskey.key, rr->dnskey.key_size); + if (!copy->dnskey.key) + return NULL; + copy->dnskey.key_size = rr->dnskey.key_size; + break; + + case DNS_TYPE_RRSIG: + copy->rrsig.type_covered = rr->rrsig.type_covered; + copy->rrsig.algorithm = rr->rrsig.algorithm; + copy->rrsig.labels = rr->rrsig.labels; + copy->rrsig.original_ttl = rr->rrsig.original_ttl; + copy->rrsig.expiration = rr->rrsig.expiration; + copy->rrsig.inception = rr->rrsig.inception; + copy->rrsig.key_tag = rr->rrsig.key_tag; + copy->rrsig.signer = strdup(rr->rrsig.signer); + if (!copy->rrsig.signer) + return NULL; + copy->rrsig.signature = memdup(rr->rrsig.signature, rr->rrsig.signature_size); + if (!copy->rrsig.signature) + return NULL; + copy->rrsig.signature_size = rr->rrsig.signature_size; + break; + + case DNS_TYPE_NSEC: + copy->nsec.next_domain_name = strdup(rr->nsec.next_domain_name); + if (!copy->nsec.next_domain_name) + return NULL; + copy->nsec.types = bitmap_copy(rr->nsec.types); + if (!copy->nsec.types) + return NULL; + break; + + case DNS_TYPE_DS: + copy->ds.key_tag = rr->ds.key_tag; + copy->ds.algorithm = rr->ds.algorithm; + copy->ds.digest_type = rr->ds.digest_type; + copy->ds.digest = memdup(rr->ds.digest, rr->ds.digest_size); + if (!copy->ds.digest) + return NULL; + copy->ds.digest_size = rr->ds.digest_size; + break; + + case DNS_TYPE_NSEC3: + copy->nsec3.algorithm = rr->nsec3.algorithm; + copy->nsec3.flags = rr->nsec3.flags; + copy->nsec3.iterations = rr->nsec3.iterations; + copy->nsec3.salt = memdup(rr->nsec3.salt, rr->nsec3.salt_size); + if (!copy->nsec3.salt) + return NULL; + copy->nsec3.salt_size = rr->nsec3.salt_size; + copy->nsec3.next_hashed_name = memdup(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size); + if (!copy->nsec3.next_hashed_name_size) + return NULL; + copy->nsec3.next_hashed_name_size = rr->nsec3.next_hashed_name_size; + copy->nsec3.types = bitmap_copy(rr->nsec3.types); + if (!copy->nsec3.types) + return NULL; + break; + + case DNS_TYPE_TLSA: + copy->tlsa.cert_usage = rr->tlsa.cert_usage; + copy->tlsa.selector = rr->tlsa.selector; + copy->tlsa.matching_type = rr->tlsa.matching_type; + copy->tlsa.data = memdup(rr->tlsa.data, rr->tlsa.data_size); + if (!copy->tlsa.data) + return NULL; + copy->tlsa.data_size = rr->tlsa.data_size; + break; + + case DNS_TYPE_CAA: + copy->caa.flags = rr->caa.flags; + copy->caa.tag = strdup(rr->caa.tag); + if (!copy->caa.tag) + return NULL; + copy->caa.value = memdup(rr->caa.value, rr->caa.value_size); + if (!copy->caa.value) + return NULL; + copy->caa.value_size = rr->caa.value_size; + break; + + case DNS_TYPE_OPT: + default: + copy->generic.data = memdup(rr->generic.data, rr->generic.data_size); + if (!copy->generic.data) + return NULL; + copy->generic.data_size = rr->generic.data_size; + break; + } + + t = copy; + copy = NULL; + + return t; +} + +int dns_resource_record_clamp_ttl(DnsResourceRecord **rr, uint32_t max_ttl) { + DnsResourceRecord *old_rr, *new_rr; + uint32_t new_ttl; + + assert(rr); + old_rr = *rr; + + if (old_rr->key->type == DNS_TYPE_OPT) + return -EINVAL; + + new_ttl = MIN(old_rr->ttl, max_ttl); + if (new_ttl == old_rr->ttl) + return 0; + + if (old_rr->n_ref == 1) { + /* Patch in place */ + old_rr->ttl = new_ttl; + return 1; + } + + new_rr = dns_resource_record_copy(old_rr); + if (!new_rr) + return -ENOMEM; + + new_rr->ttl = new_ttl; + + dns_resource_record_unref(*rr); + *rr = new_rr; + + return 1; +} + DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i) { DnsTxtItem *n; @@ -1565,6 +1791,25 @@ bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b) { return dns_txt_item_equal(a->items_next, b->items_next); } +DnsTxtItem *dns_txt_item_copy(DnsTxtItem *first) { + DnsTxtItem *i, *copy = NULL, *end = NULL; + + LIST_FOREACH(items, i, first) { + DnsTxtItem *j; + + j = memdup(i, offsetof(DnsTxtItem, data) + i->length + 1); + if (!j) { + dns_txt_item_free_all(copy); + return NULL; + } + + LIST_INSERT_AFTER(items, copy, end, j); + end = j; + } + + return copy; +} + static const char* const dnssec_algorithm_table[_DNSSEC_ALGORITHM_MAX_DEFINED] = { /* Mnemonics as listed on https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */ [DNSSEC_ALGORITHM_RSAMD5] = "RSAMD5", diff --git a/src/grp-resolve/libbasic-dns/resolved-dns-rr.h b/src/grp-resolve/libbasic-dns/resolved-dns-rr.h index daf9c8c210..13240e57ed 100644 --- a/src/grp-resolve/libbasic-dns/resolved-dns-rr.h +++ b/src/grp-resolve/libbasic-dns/resolved-dns-rr.h @@ -283,6 +283,13 @@ static inline size_t DNS_RESOURCE_RECORD_RDATA_SIZE(DnsResourceRecord *rr) { return rr->wire_format_size - rr->wire_format_rdata_offset; } +static inline uint8_t DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(DnsResourceRecord *rr) { + assert(rr); + assert(rr->key->type == DNS_TYPE_OPT); + + return ((rr->ttl >> 16) & 0xFF) == 0; +} + DnsResourceKey* dns_resource_key_new(uint16_t class, uint16_t type, const char *name); DnsResourceKey* dns_resource_key_new_redirect(const DnsResourceKey *key, const DnsResourceRecord *cname); int dns_resource_key_new_append_suffix(DnsResourceKey **ret, DnsResourceKey *key, char *name); @@ -319,6 +326,7 @@ int dns_resource_record_new_reverse(DnsResourceRecord **ret, int family, const u int dns_resource_record_new_address(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *name); int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecord *b); const char* dns_resource_record_to_string(DnsResourceRecord *rr); +DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr); DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceRecord*, dns_resource_record_unref); int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical); @@ -328,8 +336,11 @@ int dns_resource_record_source(DnsResourceRecord *rr, const char **ret); int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone); int dns_resource_record_is_synthetic(DnsResourceRecord *rr); +int dns_resource_record_clamp_ttl(DnsResourceRecord **rr, uint32_t max_ttl); + DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i); bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b); +DnsTxtItem *dns_txt_item_copy(DnsTxtItem *i); void dns_resource_record_hash_func(const void *i, struct siphash *state); diff --git a/src/grp-resolve/libbasic-dns/test-dns-packet.c b/src/grp-resolve/libbasic-dns/test-dns-packet.c index 18d04b930d..c9e210fa94 100644 --- a/src/grp-resolve/libbasic-dns/test-dns-packet.c +++ b/src/grp-resolve/libbasic-dns/test-dns-packet.c @@ -27,12 +27,26 @@ #include "basic/macro.h" #include "basic/string-util.h" #include "basic/strv.h" +#include "basic/unaligned.h" #include "resolved-dns-packet.h" #include "resolved-dns-rr.h" #define HASH_KEY SD_ID128_MAKE(d3,1e,48,90,4b,fa,4c,fe,af,9d,d5,a1,d7,2e,8a,b1) +static void verify_rr_copy(DnsResourceRecord *rr) { + _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *copy = NULL; + const char *a, *b; + + assert_se(copy = dns_resource_record_copy(rr)); + assert_se(dns_resource_record_equal(copy, rr) > 0); + + assert_se(a = dns_resource_record_to_string(rr)); + assert_se(b = dns_resource_record_to_string(copy)); + + assert_se(streq(a, b)); +} + static uint64_t hash(DnsResourceRecord *rr) { struct siphash state; @@ -57,7 +71,7 @@ static void test_packet_from_file(const char* filename, bool canonical) { const char *s, *s2; uint64_t hash1, hash2; - packet_size = le64toh( *(uint64_t*)(data + offset) ); + packet_size = unaligned_read_le64(data + offset); assert_se(packet_size > 0); assert_se(offset + 8 + packet_size <= data_size); @@ -66,6 +80,8 @@ static void test_packet_from_file(const char* filename, bool canonical) { assert_se(dns_packet_append_blob(p, data + offset + 8, packet_size, NULL) >= 0); assert_se(dns_packet_read_rr(p, &rr, NULL, NULL) >= 0); + verify_rr_copy(rr); + s = dns_resource_record_to_string(rr); assert_se(s); puts(s); @@ -78,6 +94,8 @@ static void test_packet_from_file(const char* filename, bool canonical) { assert_se(dns_packet_append_blob(p2, rr->wire_format, rr->wire_format_size, NULL) >= 0); assert_se(dns_packet_read_rr(p2, &rr2, NULL, NULL) >= 0); + verify_rr_copy(rr); + s2 = dns_resource_record_to_string(rr); assert_se(s2); assert_se(streq(s, s2)); diff --git a/src/grp-resolve/nss-resolve/Makefile b/src/grp-resolve/nss-resolve/Makefile index acfbe831ae..8ed87994ce 100644 --- a/src/grp-resolve/nss-resolve/Makefile +++ b/src/grp-resolve/nss-resolve/Makefile @@ -38,6 +38,7 @@ libnss_resolve_la_LDFLAGS = \ libnss_resolve_la_LIBADD = \ libsystemd-internal.la \ + libbasic.la \ -ldl lib_LTLIBRARIES += \ diff --git a/src/grp-resolve/systemd-resolve/Makefile b/src/grp-resolve/systemd-resolve/Makefile index edb2270c3e..6a21bc2559 100644 --- a/src/grp-resolve/systemd-resolve/Makefile +++ b/src/grp-resolve/systemd-resolve/Makefile @@ -33,8 +33,14 @@ nodist_systemd_resolve_SOURCES = \ src/resolve/dns_type-from-name.h \ src/resolve/dns_type-to-name.h +systemd_resolve_CFLAGS = \ + $(AM_CFLAGS) \ + $(GCRYPT_CFLAGS) + systemd_resolve_LDADD = \ - libshared.la + libsystemd-shared.la \ + $(GCRYPT_LIBS) \ + -lm bin_PROGRAMS += \ systemd-resolve diff --git a/src/grp-resolve/systemd-resolve/resolve-tool.c b/src/grp-resolve/systemd-resolve/resolve-tool.c index dee23289b3..433a103b57 100644 --- a/src/grp-resolve/systemd-resolve/resolve-tool.c +++ b/src/grp-resolve/systemd-resolve/resolve-tool.c @@ -27,12 +27,16 @@ #include "basic/escape.h" #include "basic/in-addr-util.h" #include "basic/parse-util.h" +#include "basic/strv.h" #include "basic/terminal-util.h" #include "resolved-def.h" #include "resolved-dns-packet.h" #include "sd-bus/bus-error.h" +#include "sd-netlink/netlink-util.h" +#include "sd-netlink/sd-netlink.h" #include "shared/bus-util.h" #include "shared/gcrypt-util.h" +#include "shared/pager.h" #define DNS_CALL_TIMEOUT_USEC (45*USEC_PER_SEC) @@ -42,6 +46,7 @@ static uint16_t arg_type = 0; static uint16_t arg_class = 0; static bool arg_legend = true; static uint64_t arg_flags = 0; +static bool arg_no_pager = false; typedef enum ServiceFamily { SERVICE_FAMILY_TCP, @@ -66,6 +71,8 @@ static enum { MODE_RESOLVE_TLSA, MODE_STATISTICS, MODE_RESET_STATISTICS, + MODE_FLUSH_CACHES, + MODE_STATUS, } arg_mode = MODE_RESOLVE_HOST; static ServiceFamily service_family_from_string(const char *s) { @@ -198,7 +205,7 @@ static int resolve_host(sd_bus *bus, const char *name) { if (ifindex > 0 && !if_indextoname(ifindex, ifname)) log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex); - r = in_addr_to_string(family, a, &pretty); + r = in_addr_ifindex_to_string(family, a, ifindex, &pretty); if (r < 0) return log_error_errno(r, "Failed to print address for %s: %m", name); @@ -252,7 +259,7 @@ static int resolve_address(sd_bus *bus, int family, const union in_addr_union *a if (ifindex <= 0) ifindex = arg_ifindex; - r = in_addr_to_string(family, address, &pretty); + r = in_addr_ifindex_to_string(family, address, ifindex, &pretty); if (r < 0) return log_oom(); @@ -344,31 +351,6 @@ static int resolve_address(sd_bus *bus, int family, const union in_addr_union *a return 0; } -static int parse_address(const char *s, int *family, union in_addr_union *address, int *ifindex) { - const char *percent, *a; - int ifi = 0; - int r; - - percent = strchr(s, '%'); - if (percent) { - if (parse_ifindex(percent+1, &ifi) < 0) { - ifi = if_nametoindex(percent+1); - if (ifi <= 0) - return -EINVAL; - } - - a = strndupa(s, percent - s); - } else - a = s; - - r = in_addr_from_string_auto(a, family, address); - if (r < 0) - return r; - - *ifindex = ifi; - return 0; -} - static int output_rr_packet(const void *d, size_t l, int ifindex) { _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL; _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; @@ -658,10 +640,8 @@ static int resolve_service(sd_bus *bus, const char *name, const char *type, cons assert(bus); assert(domain); - if (isempty(name)) - name = NULL; - if (isempty(type)) - type = NULL; + name = empty_to_null(name); + type = empty_to_null(type); if (arg_ifindex > 0 && !if_indextoname(arg_ifindex, ifname)) return log_error_errno(errno, "Failed to resolve interface name for index %i: %m", arg_ifindex); @@ -820,10 +800,8 @@ static int resolve_service(sd_bus *bus, const char *name, const char *type, cons if (r < 0) return bus_log_parse_error(r); - if (isempty(canonical_name)) - canonical_name = NULL; - if (isempty(canonical_type)) - canonical_type = NULL; + canonical_name = empty_to_null(canonical_name); + canonical_type = empty_to_null(canonical_type); if (!streq_ptr(name, canonical_name) || !streq_ptr(type, canonical_type) || @@ -1041,6 +1019,490 @@ static int reset_statistics(sd_bus *bus) { return 0; } +static int flush_caches(sd_bus *bus) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + int r; + + r = sd_bus_call_method(bus, + "org.freedesktop.resolve1", + "/org/freedesktop/resolve1", + "org.freedesktop.resolve1.Manager", + "FlushCaches", + &error, + NULL, + NULL); + if (r < 0) + return log_error_errno(r, "Failed to flush caches: %s", bus_error_message(&error, r)); + + return 0; +} + +static int map_link_dns_servers(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) { + char ***l = userdata; + int r; + + assert(bus); + assert(member); + assert(m); + assert(l); + + r = sd_bus_message_enter_container(m, 'a', "(iay)"); + if (r < 0) + return r; + + for (;;) { + const void *a; + char *pretty; + int family; + size_t sz; + + r = sd_bus_message_enter_container(m, 'r', "iay"); + if (r < 0) + return r; + if (r == 0) + break; + + r = sd_bus_message_read(m, "i", &family); + if (r < 0) + return r; + + r = sd_bus_message_read_array(m, 'y', &a, &sz); + if (r < 0) + return r; + + r = sd_bus_message_exit_container(m); + if (r < 0) + return r; + + if (!IN_SET(family, AF_INET, AF_INET6)) { + log_debug("Unexpected family, ignoring."); + continue; + } + + if (sz != FAMILY_ADDRESS_SIZE(family)) { + log_debug("Address size mismatch, ignoring."); + continue; + } + + r = in_addr_to_string(family, a, &pretty); + if (r < 0) + return r; + + r = strv_consume(l, pretty); + if (r < 0) + return r; + } + + r = sd_bus_message_exit_container(m); + if (r < 0) + return r; + + return 0; +} + +static int map_link_domains(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) { + char ***l = userdata; + int r; + + assert(bus); + assert(member); + assert(m); + assert(l); + + r = sd_bus_message_enter_container(m, 'a', "(sb)"); + if (r < 0) + return r; + + for (;;) { + const char *domain; + int route_only; + char *pretty; + + r = sd_bus_message_read(m, "(sb)", &domain, &route_only); + if (r < 0) + return r; + if (r == 0) + break; + + if (route_only) + pretty = strappend("~", domain); + else + pretty = strdup(domain); + if (!pretty) + return -ENOMEM; + + r = strv_consume(l, pretty); + if (r < 0) + return r; + } + + r = sd_bus_message_exit_container(m); + if (r < 0) + return r; + + return 0; +} + +static int status_ifindex(sd_bus *bus, int ifindex, const char *name, bool *empty_line) { + + struct link_info { + uint64_t scopes_mask; + char *llmnr; + char *mdns; + char *dnssec; + char **dns; + char **domains; + char **ntas; + int dnssec_supported; + } link_info = {}; + + static const struct bus_properties_map property_map[] = { + { "ScopesMask", "t", NULL, offsetof(struct link_info, scopes_mask) }, + { "DNS", "a(iay)", map_link_dns_servers, offsetof(struct link_info, dns) }, + { "Domains", "a(sb)", map_link_domains, offsetof(struct link_info, domains) }, + { "LLMNR", "s", NULL, offsetof(struct link_info, llmnr) }, + { "MulticastDNS", "s", NULL, offsetof(struct link_info, mdns) }, + { "DNSSEC", "s", NULL, offsetof(struct link_info, dnssec) }, + { "DNSSECNegativeTrustAnchors", "as", NULL, offsetof(struct link_info, ntas) }, + { "DNSSECSupported", "b", NULL, offsetof(struct link_info, dnssec_supported) }, + {} + }; + + _cleanup_free_ char *ifi = NULL, *p = NULL; + char ifname[IF_NAMESIZE] = ""; + char **i; + int r; + + assert(bus); + assert(ifindex > 0); + assert(empty_line); + + if (!name) { + if (!if_indextoname(ifindex, ifname)) + return log_error_errno(errno, "Failed to resolve interface name for %i: %m", ifindex); + + name = ifname; + } + + if (asprintf(&ifi, "%i", ifindex) < 0) + return log_oom(); + + r = sd_bus_path_encode("/org/freedesktop/resolve1/link", ifi, &p); + if (r < 0) + return log_oom(); + + r = bus_map_all_properties(bus, + "org.freedesktop.resolve1", + p, + property_map, + &link_info); + if (r < 0) { + log_error_errno(r, "Failed to get link data for %i: %m", ifindex); + goto finish; + } + + pager_open(arg_no_pager, false); + + if (*empty_line) + fputc('\n', stdout); + + printf("%sLink %i (%s)%s\n", + ansi_highlight(), ifindex, name, ansi_normal()); + + if (link_info.scopes_mask == 0) + printf(" Current Scopes: none\n"); + else + printf(" Current Scopes:%s%s%s%s%s\n", + link_info.scopes_mask & SD_RESOLVED_DNS ? " DNS" : "", + link_info.scopes_mask & SD_RESOLVED_LLMNR_IPV4 ? " LLMNR/IPv4" : "", + link_info.scopes_mask & SD_RESOLVED_LLMNR_IPV6 ? " LLMNR/IPv6" : "", + link_info.scopes_mask & SD_RESOLVED_MDNS_IPV4 ? " mDNS/IPv4" : "", + link_info.scopes_mask & SD_RESOLVED_MDNS_IPV6 ? " mDNS/IPv6" : ""); + + printf(" LLMNR setting: %s\n" + "MulticastDNS setting: %s\n" + " DNSSEC setting: %s\n" + " DNSSEC supported: %s\n", + strna(link_info.llmnr), + strna(link_info.mdns), + strna(link_info.dnssec), + yes_no(link_info.dnssec_supported)); + + STRV_FOREACH(i, link_info.dns) { + printf(" %s %s\n", + i == link_info.dns ? "DNS Servers:" : " ", + *i); + } + + STRV_FOREACH(i, link_info.domains) { + printf(" %s %s\n", + i == link_info.domains ? "DNS Domain:" : " ", + *i); + } + + STRV_FOREACH(i, link_info.ntas) { + printf(" %s %s\n", + i == link_info.ntas ? "DNSSEC NTA:" : " ", + *i); + } + + *empty_line = true; + + r = 0; + +finish: + strv_free(link_info.dns); + strv_free(link_info.domains); + free(link_info.llmnr); + free(link_info.mdns); + free(link_info.dnssec); + strv_free(link_info.ntas); + return r; +} + +static int map_global_dns_servers(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) { + char ***l = userdata; + int r; + + assert(bus); + assert(member); + assert(m); + assert(l); + + r = sd_bus_message_enter_container(m, 'a', "(iiay)"); + if (r < 0) + return r; + + for (;;) { + const void *a; + char *pretty; + int family, ifindex; + size_t sz; + + r = sd_bus_message_enter_container(m, 'r', "iiay"); + if (r < 0) + return r; + if (r == 0) + break; + + r = sd_bus_message_read(m, "ii", &ifindex, &family); + if (r < 0) + return r; + + r = sd_bus_message_read_array(m, 'y', &a, &sz); + if (r < 0) + return r; + + r = sd_bus_message_exit_container(m); + if (r < 0) + return r; + + if (ifindex != 0) /* only show the global ones here */ + continue; + + if (!IN_SET(family, AF_INET, AF_INET6)) { + log_debug("Unexpected family, ignoring."); + continue; + } + + if (sz != FAMILY_ADDRESS_SIZE(family)) { + log_debug("Address size mismatch, ignoring."); + continue; + } + + r = in_addr_to_string(family, a, &pretty); + if (r < 0) + return r; + + r = strv_consume(l, pretty); + if (r < 0) + return r; + } + + r = sd_bus_message_exit_container(m); + if (r < 0) + return r; + + return 0; +} + +static int map_global_domains(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) { + char ***l = userdata; + int r; + + assert(bus); + assert(member); + assert(m); + assert(l); + + r = sd_bus_message_enter_container(m, 'a', "(isb)"); + if (r < 0) + return r; + + for (;;) { + const char *domain; + int route_only, ifindex; + char *pretty; + + r = sd_bus_message_read(m, "(isb)", &ifindex, &domain, &route_only); + if (r < 0) + return r; + if (r == 0) + break; + + if (ifindex != 0) /* only show the global ones here */ + continue; + + if (route_only) + pretty = strappend("~", domain); + else + pretty = strdup(domain); + if (!pretty) + return -ENOMEM; + + r = strv_consume(l, pretty); + if (r < 0) + return r; + } + + r = sd_bus_message_exit_container(m); + if (r < 0) + return r; + + return 0; +} + +static int status_global(sd_bus *bus, bool *empty_line) { + + struct global_info { + char **dns; + char **domains; + char **ntas; + } global_info = {}; + + static const struct bus_properties_map property_map[] = { + { "DNS", "a(iiay)", map_global_dns_servers, offsetof(struct global_info, dns) }, + { "Domains", "a(isb)", map_global_domains, offsetof(struct global_info, domains) }, + { "DNSSECNegativeTrustAnchors", "as", NULL, offsetof(struct global_info, ntas) }, + {} + }; + + char **i; + int r; + + assert(bus); + assert(empty_line); + + r = bus_map_all_properties(bus, + "org.freedesktop.resolve1", + "/org/freedesktop/resolve1", + property_map, + &global_info); + if (r < 0) { + log_error_errno(r, "Failed to get global data: %m"); + goto finish; + } + + if (strv_isempty(global_info.dns) && strv_isempty(global_info.domains) && strv_isempty(global_info.ntas)) { + r = 0; + goto finish; + } + + pager_open(arg_no_pager, false); + + printf("%sGlobal%s\n", ansi_highlight(), ansi_normal()); + STRV_FOREACH(i, global_info.dns) { + printf(" %s %s\n", + i == global_info.dns ? "DNS Servers:" : " ", + *i); + } + + STRV_FOREACH(i, global_info.domains) { + printf(" %s %s\n", + i == global_info.domains ? "DNS Domain:" : " ", + *i); + } + + strv_sort(global_info.ntas); + STRV_FOREACH(i, global_info.ntas) { + printf(" %s %s\n", + i == global_info.ntas ? "DNSSEC NTA:" : " ", + *i); + } + + *empty_line = true; + + r = 0; + +finish: + strv_free(global_info.dns); + strv_free(global_info.domains); + strv_free(global_info.ntas); + + return r; +} + +static int status_all(sd_bus *bus) { + _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL, *reply = NULL; + _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL; + sd_netlink_message *i; + bool empty_line = false; + int r; + + assert(bus); + + r = status_global(bus, &empty_line); + if (r < 0) + return r; + + r = sd_netlink_open(&rtnl); + if (r < 0) + return log_error_errno(r, "Failed to connect to netlink: %m"); + + r = sd_rtnl_message_new_link(rtnl, &req, RTM_GETLINK, 0); + if (r < 0) + return rtnl_log_create_error(r); + + r = sd_netlink_message_request_dump(req, true); + if (r < 0) + return rtnl_log_create_error(r); + + r = sd_netlink_call(rtnl, req, 0, &reply); + if (r < 0) + return log_error_errno(r, "Failed to enumerate links: %m"); + + r = 0; + for (i = reply; i; i = sd_netlink_message_next(i)) { + const char *name; + int ifindex, q; + uint16_t type; + + q = sd_netlink_message_get_type(i, &type); + if (q < 0) + return rtnl_log_parse_error(q); + + if (type != RTM_NEWLINK) + continue; + + q = sd_rtnl_message_link_get_ifindex(i, &ifindex); + if (q < 0) + return rtnl_log_parse_error(q); + + if (ifindex == LOOPBACK_IFINDEX) + continue; + + q = sd_netlink_message_read_string(i, IFLA_IFNAME, &name); + if (q < 0) + return rtnl_log_parse_error(q); + + q = status_ifindex(bus, ifindex, name, &empty_line); + if (q < 0 && r >= 0) + r = q; + } + + return r; +} + static void help_protocol_types(void) { if (arg_legend) puts("Known protocol types:"); @@ -1048,8 +1510,8 @@ static void help_protocol_types(void) { } static void help_dns_types(void) { - int i; const char *t; + int i; if (arg_legend) puts("Known DNS RR types:"); @@ -1061,8 +1523,8 @@ static void help_dns_types(void) { } static void help_dns_classes(void) { - int i; const char *t; + int i; if (arg_legend) puts("Known DNS RR classes:"); @@ -1083,6 +1545,7 @@ static void help(void) { "Resolve domain names, IPv4 and IPv6 addresses, DNS resource records, and services.\n\n" " -h --help Show this help\n" " --version Show package version\n" + " --no-pager Do not pipe output into a pager\n" " -4 Resolve IPv4 addresses\n" " -6 Resolve IPv6 addresses\n" " -i --interface=INTERFACE Look on interface\n" @@ -1101,6 +1564,8 @@ static void help(void) { " --legend=BOOL Print headers and additional info (default: yes)\n" " --statistics Show resolver statistics\n" " --reset-statistics Reset resolver statistics\n" + " --status Show link and server status\n" + " --flush-caches Flush all local DNS caches\n" , program_invocation_short_name); } @@ -1118,6 +1583,9 @@ static int parse_argv(int argc, char *argv[]) { ARG_SEARCH, ARG_STATISTICS, ARG_RESET_STATISTICS, + ARG_STATUS, + ARG_FLUSH_CACHES, + ARG_NO_PAGER, }; static const struct option options[] = { @@ -1138,6 +1606,9 @@ static int parse_argv(int argc, char *argv[]) { { "search", required_argument, NULL, ARG_SEARCH }, { "statistics", no_argument, NULL, ARG_STATISTICS, }, { "reset-statistics", no_argument, NULL, ARG_RESET_STATISTICS }, + { "status", no_argument, NULL, ARG_STATUS }, + { "flush-caches", no_argument, NULL, ARG_FLUSH_CACHES }, + { "no-pager", no_argument, NULL, ARG_NO_PAGER }, {} }; @@ -1311,6 +1782,18 @@ static int parse_argv(int argc, char *argv[]) { arg_mode = MODE_RESET_STATISTICS; break; + case ARG_FLUSH_CACHES: + arg_mode = MODE_FLUSH_CACHES; + break; + + case ARG_STATUS: + arg_mode = MODE_STATUS; + break; + + case ARG_NO_PAGER: + arg_no_pager = true; + break; + case '?': return -EINVAL; @@ -1370,7 +1853,7 @@ int main(int argc, char **argv) { if (startswith(argv[optind], "dns:")) k = resolve_rfc4501(bus, argv[optind]); else { - k = parse_address(argv[optind], &family, &a, &ifindex); + k = in_addr_ifindex_from_string_auto(argv[optind], &family, &a, &ifindex); if (k >= 0) k = resolve_address(bus, family, &a, ifindex); else @@ -1477,8 +1960,48 @@ int main(int argc, char **argv) { r = reset_statistics(bus); break; + + case MODE_FLUSH_CACHES: + if (argc > optind) { + log_error("Too many arguments."); + r = -EINVAL; + goto finish; + } + + r = flush_caches(bus); + break; + + case MODE_STATUS: + + if (argc > optind) { + char **ifname; + bool empty_line = false; + + r = 0; + STRV_FOREACH(ifname, argv + optind) { + int ifindex, q; + + q = parse_ifindex(argv[optind], &ifindex); + if (q < 0) { + ifindex = if_nametoindex(argv[optind]); + if (ifindex <= 0) { + log_error_errno(errno, "Failed to resolve interface name: %s", argv[optind]); + continue; + } + } + + q = status_ifindex(bus, ifindex, NULL, &empty_line); + if (q < 0 && r >= 0) + r = q; + } + } else + r = status_all(bus); + + break; } finish: + pager_close(); + return r == 0 ? EXIT_SUCCESS : EXIT_FAILURE; } diff --git a/src/grp-resolve/systemd-resolve/systemd-resolve.xml b/src/grp-resolve/systemd-resolve/systemd-resolve.xml index 4b66f836a2..ca26bb4d49 100644 --- a/src/grp-resolve/systemd-resolve/systemd-resolve.xml +++ b/src/grp-resolve/systemd-resolve/systemd-resolve.xml @@ -114,6 +114,12 @@ and IPv6 addresses. If the parameters specified are formatted as IPv4 or IPv6 operation the reverse operation is done, and a hostname is retrieved for the specified addresses.</para> + <para>The program's output contains information about the protocol used for the look-up and on which network + interface the data was discovered. It also contains information on whether the information could be + authenticated. All data for which local DNSSEC validation succeeds is considered authenticated. Moreover all data + originating from local, trusted sources is also reported authenticated, including resolution of the local host + name, the <literal>localhost</literal> host name or all data from <filename>/etc/hosts</filename>.</para> + <para>The <option>--type=</option> switch may be used to specify a DNS resource record type (A, AAAA, SOA, MX, ...) in order to request a specific DNS resource record, instead of the address or reverse address lookups. The special value <literal>help</literal> may be used to list known values.</para> @@ -288,8 +294,21 @@ <listitem><para>Resets the statistics counters shown in <option>--statistics</option> to zero.</para></listitem> </varlistentry> + <varlistentry> + <term><option>--flush-caches</option></term> + + <listitem><para>Flushes all DNS resource record caches the service maintains locally.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--status</option></term> + + <listitem><para>Shows the global and per-link DNS settings in currently in effect.</para></listitem> + </varlistentry> + <xi:include href="standard-options.xml" xpointer="help" /> <xi:include href="standard-options.xml" xpointer="version" /> + <xi:include href="standard-options.xml" xpointer="no-pager" /> </variablelist> </refsect1> diff --git a/src/grp-resolve/systemd-resolved/Makefile b/src/grp-resolve/systemd-resolved/Makefile index 30173ce08c..54a8b4f28c 100644 --- a/src/grp-resolve/systemd-resolved/Makefile +++ b/src/grp-resolve/systemd-resolved/Makefile @@ -65,6 +65,8 @@ systemd_resolved_SOURCES = \ src/resolve/resolved-dns-stream.c \ src/resolve/resolved-dns-trust-anchor.h \ src/resolve/resolved-dns-trust-anchor.c \ + src/resolve/resolved-dns-stub.h \ + src/resolve/resolved-dns-stub.c \ src/resolve/resolved-etc-hosts.h \ src/resolve/resolved-etc-hosts.c @@ -73,9 +75,15 @@ nodist_systemd_resolved_SOURCES = \ src/resolve/dns_type-to-name.h \ src/resolve/resolved-gperf.c +systemd_resolved_CFLAGS = \ + $(AM_CFLAGS) \ + $(GCRYPT_CFLAGS) + systemd_resolved_LDADD = \ libsystemd-network.la \ - libshared.la + libsystemd-shared.la \ + $(GCRYPT_LIBS) \ + -lm rootlibexec_PROGRAMS += \ systemd-resolved @@ -114,6 +122,9 @@ EXTRA_DIST += \ units/systemd-resolved.service.m4.in \ src/resolve/resolved.conf.in +dist_rootlibexec_DATA += \ + src/resolve/resolv.conf + systemd_resolved_LDADD += libbasic-dns.la sd.CPPFLAGS += -DPKGSYSCONFDIR=\"$(pkgsysconfdir)\" diff --git a/src/grp-resolve/systemd-resolved/resolv.conf b/src/grp-resolve/systemd-resolved/resolv.conf new file mode 100644 index 0000000000..b8034d6829 --- /dev/null +++ b/src/grp-resolve/systemd-resolved/resolv.conf @@ -0,0 +1,11 @@ +# This is a static resolv.conf file for connecting local clients to +# systemd-resolved via its DNS stub listener on 127.0.0.53. +# +# Third party programs must not access this file directly, but only through the +# symlink at /etc/resolv.conf. To manage resolv.conf(5) in a different way, +# replace this symlink by a static file or a different symlink. +# +# See systemd-resolved.service(8) for details about the supported modes of +# operation for /etc/resolv.conf. + +nameserver 127.0.0.53 diff --git a/src/grp-resolve/systemd-resolved/resolved-bus.c b/src/grp-resolve/systemd-resolved/resolved-bus.c index 1454e1f5f4..3c2a8b0892 100644 --- a/src/grp-resolve/systemd-resolved/resolved-bus.c +++ b/src/grp-resolve/systemd-resolved/resolved-bus.c @@ -246,17 +246,22 @@ static int parse_as_address(sd_bus_message *m, int ifindex, const char *hostname _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; _cleanup_free_ char *canonical = NULL; union in_addr_union parsed; - int r, ff; + int r, ff, parsed_ifindex = 0; /* Check if the hostname is actually already an IP address formatted as string. In that case just parse it, * let's not attempt to look it up. */ - r = in_addr_from_string_auto(hostname, &ff, &parsed); + r = in_addr_ifindex_from_string_auto(hostname, &ff, &parsed, &parsed_ifindex); if (r < 0) /* not an address */ return 0; if (family != AF_UNSPEC && ff != family) return sd_bus_reply_method_errorf(m, BUS_ERROR_NO_SUCH_RR, "The specified address is not of the requested family."); + if (ifindex > 0 && parsed_ifindex > 0 && parsed_ifindex != ifindex) + return sd_bus_reply_method_errorf(m, BUS_ERROR_NO_SUCH_RR, "The specified address interface index does not match requested interface."); + + if (parsed_ifindex > 0) + ifindex = parsed_ifindex; r = sd_bus_message_new_method_return(m, &reply); if (r < 0) @@ -289,7 +294,7 @@ static int parse_as_address(sd_bus_message *m, int ifindex, const char *hostname /* When an IP address is specified we just return it as canonical name, in order to avoid a DNS * look-up. However, we reformat it to make sure it's in a truly canonical form (i.e. on IPv6 the inner * omissions are always done the same way). */ - r = in_addr_to_string(ff, &parsed, &canonical); + r = in_addr_ifindex_to_string(ff, &parsed, ifindex, &canonical); if (r < 0) return r; @@ -643,6 +648,8 @@ static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd if (!dns_type_is_valid_query(type)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Specified resource record type %" PRIu16 " may not be used in a query.", type); + if (dns_type_is_zone_transer(type)) + return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Zone transfers not permitted via this programming interface."); if (dns_type_is_obsolete(type)) return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Specified DNS resource record type %" PRIu16 " is obsolete.", type); @@ -666,6 +673,10 @@ static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd if (r < 0) return r; + /* Let's request that the TTL is fixed up for locally cached entries, after all we return it in the wire format + * blob */ + q->clamp_ttl = true; + q->request = sd_bus_message_ref(message); q->complete = bus_method_resolve_record_complete; @@ -1222,7 +1233,7 @@ int bus_dns_server_append(sd_bus_message *reply, DnsServer *s, bool with_ifindex return r; if (with_ifindex) { - r = sd_bus_message_append(reply, "i", s->link ? s->link->ifindex : 0); + r = sd_bus_message_append(reply, "i", dns_server_ifindex(s)); if (r < 0) return r; } @@ -1410,6 +1421,36 @@ static int bus_property_get_dnssec_supported( return sd_bus_message_append(reply, "b", manager_dnssec_supported(m)); } +static int bus_property_get_ntas( + sd_bus *bus, + const char *path, + const char *interface, + const char *property, + sd_bus_message *reply, + void *userdata, + sd_bus_error *error) { + + Manager *m = userdata; + const char *domain; + Iterator i; + int r; + + assert(reply); + assert(m); + + r = sd_bus_message_open_container(reply, 'a', "s"); + if (r < 0) + return r; + + SET_FOREACH(domain, m->trust_anchor.negative_by_name, i) { + r = sd_bus_message_append(reply, "s", domain); + if (r < 0) + return r; + } + + return sd_bus_message_close_container(reply); +} + static int bus_method_reset_statistics(sd_bus_message *message, void *userdata, sd_bus_error *error) { Manager *m = userdata; DnsScope *s; @@ -1443,26 +1484,6 @@ static int get_any_link(Manager *m, int ifindex, Link **ret, sd_bus_error *error return 0; } -static int get_unmanaged_link(Manager *m, int ifindex, Link **ret, sd_bus_error *error) { - Link *l; - int r; - - assert(m); - assert(ret); - - r = get_any_link(m, ifindex, &l, error); - if (r < 0) - return r; - - if (l->flags & IFF_LOOPBACK) - return sd_bus_error_setf(error, BUS_ERROR_LINK_BUSY, "Link %s is loopback device.", l->name); - if (l->is_managed) - return sd_bus_error_setf(error, BUS_ERROR_LINK_BUSY, "Link %s is managed.", l->name); - - *ret = l; - return 0; -} - static int call_link_method(Manager *m, sd_bus_message *message, sd_bus_message_handler_t handler, sd_bus_error *error) { int ifindex, r; Link *l; @@ -1476,7 +1497,7 @@ static int call_link_method(Manager *m, sd_bus_message *message, sd_bus_message_ if (r < 0) return r; - r = get_unmanaged_link(m, ifindex, &l, error); + r = get_any_link(m, ifindex, &l, error); if (r < 0) return r; @@ -1536,6 +1557,17 @@ static int bus_method_get_link(sd_bus_message *message, void *userdata, sd_bus_e return sd_bus_reply_method_return(message, "o", p); } +static int bus_method_flush_caches(sd_bus_message *message, void *userdata, sd_bus_error *error) { + Manager *m = userdata; + + assert(message); + assert(m); + + manager_flush_caches(m); + + return sd_bus_reply_method_return(message, NULL); +} + static const sd_bus_vtable resolve_vtable[] = { SD_BUS_VTABLE_START(0), SD_BUS_PROPERTY("LLMNRHostname", "s", NULL, offsetof(Manager, llmnr_hostname), 0), @@ -1545,12 +1577,14 @@ static const sd_bus_vtable resolve_vtable[] = { SD_BUS_PROPERTY("CacheStatistics", "(ttt)", bus_property_get_cache_statistics, 0, 0), SD_BUS_PROPERTY("DNSSECStatistics", "(tttt)", bus_property_get_dnssec_statistics, 0, 0), SD_BUS_PROPERTY("DNSSECSupported", "b", bus_property_get_dnssec_supported, 0, 0), + SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", bus_property_get_ntas, 0, 0), SD_BUS_METHOD("ResolveHostname", "isit", "a(iiay)st", bus_method_resolve_hostname, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("ResolveAddress", "iiayt", "a(is)t", bus_method_resolve_address, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("ResolveRecord", "isqqt", "a(iqqay)t", bus_method_resolve_record, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("ResolveService", "isssit", "a(qqqsa(iiay)s)aayssst", bus_method_resolve_service, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("ResetStatistics", NULL, NULL, bus_method_reset_statistics, 0), + SD_BUS_METHOD("FlushCaches", NULL, NULL, bus_method_flush_caches, 0), SD_BUS_METHOD("GetLink", "i", "o", bus_method_get_link, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("SetLinkDNS", "ia(iay)", NULL, bus_method_set_link_dns_servers, 0), SD_BUS_METHOD("SetLinkDomains", "ia(sb)", NULL, bus_method_set_link_domains, 0), diff --git a/src/grp-resolve/systemd-resolved/resolved-conf.c b/src/grp-resolve/systemd-resolved/resolved-conf.c index 4dc169094b..c6d70b5938 100644 --- a/src/grp-resolve/systemd-resolved/resolved-conf.c +++ b/src/grp-resolve/systemd-resolved/resolved-conf.c @@ -28,18 +28,22 @@ int manager_add_dns_server_by_string(Manager *m, DnsServerType type, const char *word) { union in_addr_union address; - int family, r; + int family, r, ifindex = 0; DnsServer *s; assert(m); assert(word); - r = in_addr_from_string_auto(word, &family, &address); + r = in_addr_ifindex_from_string_auto(word, &family, &address, &ifindex); if (r < 0) return r; + /* Silently filter out 0.0.0.0 and 127.0.0.53 (our own stub DNS listener) */ + if (!dns_server_address_valid(family, &address)) + return 0; + /* Filter out duplicates */ - s = dns_server_find(manager_get_first_dns_server(m, type), family, &address); + s = dns_server_find(manager_get_first_dns_server(m, type), family, &address, ifindex); if (s) { /* * Drop the marker. This is used to find the servers @@ -51,7 +55,7 @@ int manager_add_dns_server_by_string(Manager *m, DnsServerType type, const char return 0; } - return dns_server_new(m, NULL, type, NULL, family, &address); + return dns_server_new(m, NULL, type, NULL, family, &address, ifindex); } int manager_parse_dns_server_string_and_warn(Manager *m, DnsServerType type, const char *string) { @@ -71,7 +75,7 @@ int manager_parse_dns_server_string_and_warn(Manager *m, DnsServerType type, con r = manager_add_dns_server_by_string(m, type, word); if (r < 0) - log_warning_errno(r, "Failed to add DNS server address '%s', ignoring.", word); + log_warning_errno(r, "Failed to add DNS server address '%s', ignoring: %m", word); } return 0; @@ -126,7 +130,7 @@ int manager_parse_search_domains_and_warn(Manager *m, const char *string) { r = manager_add_search_domain_by_string(m, word); if (r < 0) - log_warning_errno(r, "Failed to add search domain '%s', ignoring.", word); + log_warning_errno(r, "Failed to add search domain '%s', ignoring: %m", word); } return 0; diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-cache.c b/src/grp-resolve/systemd-resolved/resolved-dns-cache.c index 33e0582d98..690ed6f0c1 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-cache.c +++ b/src/grp-resolve/systemd-resolved/resolved-dns-cache.c @@ -625,6 +625,12 @@ int dns_cache_put( dns_cache_remove_previous(c, key, answer); + /* We only care for positive replies and NXDOMAINs, on all + * other replies we will simply flush the respective entries, + * and that's it */ + if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) + return 0; + if (dns_answer_size(answer) <= 0) { char key_str[DNS_RESOURCE_KEY_STRING_MAX]; @@ -633,12 +639,6 @@ int dns_cache_put( return 0; } - /* We only care for positive replies and NXDOMAINs, on all - * other replies we will simply flush the respective entries, - * and that's it */ - if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) - return 0; - cache_keys = dns_answer_size(answer); if (key) cache_keys++; @@ -692,7 +692,7 @@ int dns_cache_put( return 0; /* See https://tools.ietf.org/html/rfc2308, which say that a - * matching SOA record in the packet is used to to enable + * matching SOA record in the packet is used to enable * negative caching. */ r = dns_answer_find_soa(answer, key, &soa, &flags); if (r < 0) @@ -791,7 +791,7 @@ static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, D return NULL; } -int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **ret, bool *authenticated) { +int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, bool clamp_ttl, int *rcode, DnsAnswer **ret, bool *authenticated) { _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; char key_str[DNS_RESOURCE_KEY_STRING_MAX]; unsigned n = 0; @@ -799,6 +799,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r bool nxdomain = false; DnsCacheItem *j, *first, *nsec = NULL; bool have_authenticated = false, have_non_authenticated = false; + usec_t current; assert(c); assert(key); @@ -893,11 +894,24 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r if (!answer) return -ENOMEM; + if (clamp_ttl) + current = now(clock_boottime_or_monotonic()); + LIST_FOREACH(by_key, j, first) { + _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL; + if (!j->rr) continue; - r = dns_answer_add(answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0); + if (clamp_ttl) { + rr = dns_resource_record_ref(j->rr); + + r = dns_resource_record_clamp_ttl(&rr, LESS_BY(j->until, current) / USEC_PER_SEC); + if (r < 0) + return r; + } + + r = dns_answer_add(answer, rr ?: j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0); if (r < 0) return r; } diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-cache.h b/src/grp-resolve/systemd-resolved/resolved-dns-cache.h index e7cdd2e27a..7c1581c99b 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-cache.h +++ b/src/grp-resolve/systemd-resolved/resolved-dns-cache.h @@ -40,7 +40,7 @@ void dns_cache_flush(DnsCache *c); void dns_cache_prune(DnsCache *c); int dns_cache_put(DnsCache *c, DnsResourceKey *key, int rcode, DnsAnswer *answer, bool authenticated, uint32_t nsec_ttl, usec_t timestamp, int owner_family, const union in_addr_union *owner_address); -int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **answer, bool *authenticated); +int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, bool clamp_ttl, int *rcode, DnsAnswer **answer, bool *authenticated); int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address); diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-query.c b/src/grp-resolve/systemd-resolved/resolved-dns-query.c index 7b9282a69d..3a187ee349 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-query.c +++ b/src/grp-resolve/systemd-resolved/resolved-dns-query.c @@ -155,6 +155,7 @@ static int dns_query_candidate_add_transaction(DnsQueryCandidate *c, DnsResource goto gc; } + t->clamp_ttl = c->query->clamp_ttl; return 1; gc: @@ -404,6 +405,16 @@ DnsQuery *dns_query_free(DnsQuery *q) { sd_bus_message_unref(q->request); sd_bus_track_unref(q->bus_track); + dns_packet_unref(q->request_dns_packet); + + if (q->request_dns_stream) { + /* Detach the stream from our query, in case something else keeps a reference to it. */ + q->request_dns_stream->complete = NULL; + q->request_dns_stream->on_packet = NULL; + q->request_dns_stream->query = NULL; + dns_stream_unref(q->request_dns_stream); + } + free(q->request_address_string); if (q->manager) { @@ -421,7 +432,8 @@ int dns_query_new( DnsQuery **ret, DnsQuestion *question_utf8, DnsQuestion *question_idna, - int ifindex, uint64_t flags) { + int ifindex, + uint64_t flags) { _cleanup_(dns_query_freep) DnsQuery *q = NULL; DnsResourceKey *key; @@ -509,7 +521,7 @@ int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) { assert(q); assert(auxiliary_for); - /* Ensure that that the query is not auxiliary yet, and + /* Ensure that the query is not auxiliary yet, and * nothing else is auxiliary to it either */ assert(!q->auxiliary_for); assert(!q->auxiliary_queries); diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-query.h b/src/grp-resolve/systemd-resolved/resolved-dns-query.h index 4a127930bd..a501cb1203 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-query.h +++ b/src/grp-resolve/systemd-resolved/resolved-dns-query.h @@ -71,6 +71,10 @@ struct DnsQuery { * family */ bool suppress_unroutable_family; + + /* If true, the RR TTLs of the answer will be clamped by their current left validity in the cache */ + bool clamp_ttl; + DnsTransactionState state; unsigned n_cname_redirects; @@ -95,6 +99,10 @@ struct DnsQuery { unsigned block_all_complete; char *request_address_string; + /* DNS stub information */ + DnsPacket *request_dns_packet; + DnsStream *request_dns_stream; + /* Completion callback */ void (*complete)(DnsQuery* q); unsigned block_ready; diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-scope.c b/src/grp-resolve/systemd-resolved/resolved-dns-scope.c index cf878cc783..9da091b5e9 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-scope.c +++ b/src/grp-resolve/systemd-resolved/resolved-dns-scope.c @@ -233,7 +233,7 @@ static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) { if (fd < 0) return fd; - r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p); + r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, NULL, p); if (r < 0) return r; @@ -258,7 +258,7 @@ static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) { if (fd < 0) return fd; - r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p); + r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, NULL, p); if (r < 0) return r; @@ -308,7 +308,7 @@ static int dns_scope_socket( union sockaddr_union sa = {}; socklen_t salen; static const int one = 1; - int ret, r; + int ret, r, ifindex; assert(s); @@ -316,6 +316,8 @@ static int dns_scope_socket( assert(family == AF_UNSPEC); assert(!address); + ifindex = dns_server_ifindex(server); + sa.sa.sa_family = server->family; if (server->family == AF_INET) { sa.in.sin_port = htobe16(port); @@ -324,7 +326,7 @@ static int dns_scope_socket( } else if (server->family == AF_INET6) { sa.in6.sin6_port = htobe16(port); sa.in6.sin6_addr = server->address.in6; - sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0; + sa.in6.sin6_scope_id = ifindex; salen = sizeof(sa.in6); } else return -EAFNOSUPPORT; @@ -333,6 +335,7 @@ static int dns_scope_socket( assert(address); sa.sa.sa_family = family; + ifindex = s->link ? s->link->ifindex : 0; if (family == AF_INET) { sa.in.sin_port = htobe16(port); @@ -341,7 +344,7 @@ static int dns_scope_socket( } else if (family == AF_INET6) { sa.in6.sin6_port = htobe16(port); sa.in6.sin6_addr = address->in6; - sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0; + sa.in6.sin6_scope_id = ifindex; salen = sizeof(sa.in6); } else return -EAFNOSUPPORT; @@ -358,14 +361,14 @@ static int dns_scope_socket( } if (s->link) { - uint32_t ifindex = htobe32(s->link->ifindex); + be32_t ifindex_be = htobe32(ifindex); if (sa.sa.sa_family == AF_INET) { - r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex)); + r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex_be, sizeof(ifindex_be)); if (r < 0) return -errno; } else if (sa.sa.sa_family == AF_INET6) { - r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex)); + r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex_be, sizeof(ifindex_be)); if (r < 0) return -errno; } @@ -576,6 +579,7 @@ static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in } int dns_scope_llmnr_membership(DnsScope *s, bool b) { + assert(s); if (s->protocol != DNS_PROTOCOL_LLMNR) return 0; @@ -584,6 +588,7 @@ int dns_scope_llmnr_membership(DnsScope *s, bool b) { } int dns_scope_mdns_membership(DnsScope *s, bool b) { + assert(s); if (s->protocol != DNS_PROTOCOL_MDNS) return 0; @@ -602,15 +607,14 @@ static int dns_scope_make_reply_packet( DnsPacket **ret) { _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; - unsigned i; int r; assert(s); assert(ret); - if ((!q || q->n_keys <= 0) - && (!answer || answer->n_rrs <= 0) - && (!soa || soa->n_rrs <= 0)) + if (dns_question_isempty(q) && + dns_answer_isempty(answer) && + dns_answer_isempty(soa)) return -EINVAL; r = dns_packet_new(&p, s->protocol, 0); @@ -629,35 +633,20 @@ static int dns_scope_make_reply_packet( 0 /* (cd) */, rcode)); - if (q) { - for (i = 0; i < q->n_keys; i++) { - r = dns_packet_append_key(p, q->keys[i], NULL); - if (r < 0) - return r; - } - - DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys); - } - - if (answer) { - for (i = 0; i < answer->n_rrs; i++) { - r = dns_packet_append_rr(p, answer->items[i].rr, NULL, NULL); - if (r < 0) - return r; - } - - DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs); - } + r = dns_packet_append_question(p, q); + if (r < 0) + return r; + DNS_PACKET_HEADER(p)->qdcount = htobe16(dns_question_size(q)); - if (soa) { - for (i = 0; i < soa->n_rrs; i++) { - r = dns_packet_append_rr(p, soa->items[i].rr, NULL, NULL); - if (r < 0) - return r; - } + r = dns_packet_append_answer(p, answer); + if (r < 0) + return r; + DNS_PACKET_HEADER(p)->ancount = htobe16(dns_answer_size(answer)); - DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs); - } + r = dns_packet_append_answer(p, soa); + if (r < 0) + return r; + DNS_PACKET_HEADER(p)->arcount = htobe16(dns_answer_size(soa)); *ret = p; p = NULL; @@ -666,25 +655,25 @@ static int dns_scope_make_reply_packet( } static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) { - unsigned n; + DnsResourceRecord *rr; + DnsResourceKey *key; assert(s); assert(p); - if (p->question) - for (n = 0; n < p->question->n_keys; n++) - dns_zone_verify_conflicts(&s->zone, p->question->keys[n]); - if (p->answer) - for (n = 0; n < p->answer->n_rrs; n++) - dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key); + DNS_QUESTION_FOREACH(key, p->question) + dns_zone_verify_conflicts(&s->zone, key); + + DNS_ANSWER_FOREACH(rr, p->answer) + dns_zone_verify_conflicts(&s->zone, rr->key); } void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) { - _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL; + _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; DnsResourceKey *key = NULL; bool tentative = false; - int r, fd; + int r; assert(s); assert(p); @@ -706,7 +695,7 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) { r = dns_packet_extract(p); if (r < 0) { - log_debug_errno(r, "Failed to extract resources from incoming packet: %m"); + log_debug_errno(r, "Failed to extract resource records from incoming packet: %m"); return; } @@ -716,10 +705,10 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) { return; } - assert(p->question->n_keys == 1); + assert(dns_question_size(p->question) == 1); key = p->question->keys[0]; - r = dns_zone_lookup(&s->zone, key, &answer, &soa, &tentative); + r = dns_zone_lookup(&s->zone, key, 0, &answer, &soa, &tentative); if (r < 0) { log_debug_errno(r, "Failed to lookup key: %m"); return; @@ -736,9 +725,21 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) { return; } - if (stream) + if (stream) { r = dns_stream_write_packet(stream, reply); - else { + if (r < 0) { + log_debug_errno(r, "Failed to enqueue reply packet: %m"); + return; + } + + /* Let's take an extra reference on this stream, so that it stays around after returning. The reference + * will be dangling until the stream is disconnected, and the default completion handler of the stream + * will then unref the stream and destroy it */ + if (DNS_STREAM_QUEUED(stream)) + dns_stream_ref(stream); + } else { + int fd; + if (!ratelimit_test(&s->ratelimit)) return; @@ -760,12 +761,11 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) { * verified uniqueness for all records. Also see RFC * 4795, Section 2.7 */ - r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply); - } - - if (r < 0) { - log_debug_errno(r, "Failed to send reply packet: %m"); - return; + r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, NULL, reply); + if (r < 0) { + log_debug_errno(r, "Failed to send reply packet: %m"); + return; + } } } @@ -1027,3 +1027,12 @@ bool dns_scope_network_good(DnsScope *s) { return manager_routable(s->manager, AF_UNSPEC); } + +int dns_scope_ifindex(DnsScope *s) { + assert(s); + + if (s->link) + return s->link->ifindex; + + return 0; +} diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-scope.h b/src/grp-resolve/systemd-resolved/resolved-dns-scope.h index e3c4e15ead..c4bc95da45 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-scope.h +++ b/src/grp-resolve/systemd-resolved/resolved-dns-scope.h @@ -109,3 +109,5 @@ DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s); bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name); bool dns_scope_network_good(DnsScope *s); + +int dns_scope_ifindex(DnsScope *s); diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-server.c b/src/grp-resolve/systemd-resolved/resolved-dns-server.c index be11cfa743..bc97d89219 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-server.c +++ b/src/grp-resolve/systemd-resolved/resolved-dns-server.c @@ -25,6 +25,7 @@ #include "basic/string-util.h" #include "resolved-dns-server.h" +#include "resolved-dns-stub.h" #include "resolved-resolv-conf.h" /* After how much time to repeat classic DNS requests */ @@ -44,7 +45,8 @@ int dns_server_new( DnsServerType type, Link *l, int family, - const union in_addr_union *in_addr) { + const union in_addr_union *in_addr, + int ifindex) { DnsServer *s; @@ -76,6 +78,7 @@ int dns_server_new( s->type = type; s->family = family; s->address = *in_addr; + s->ifindex = ifindex; s->resend_timeout = DNS_TIMEOUT_MIN_USEC; switch (type) { @@ -243,6 +246,26 @@ static void dns_server_verified(DnsServer *s, DnsServerFeatureLevel level) { assert_se(sd_event_now(s->manager->event, clock_boottime_or_monotonic(), &s->verified_usec) >= 0); } +static void dns_server_reset_counters(DnsServer *s) { + assert(s); + + s->n_failed_udp = 0; + s->n_failed_tcp = 0; + s->packet_truncated = false; + s->verified_usec = 0; + + /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the + * grace period ends, but not when lowering the possible feature level, as a lower level feature level should + * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's + * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that + * either. + * + * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A), + * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not + * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be + * incomplete. */ +} + void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t rtt, size_t size) { assert(s); @@ -303,17 +326,6 @@ void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel le s->resend_timeout = MIN(s->resend_timeout * 2, DNS_TIMEOUT_MAX_USEC); } -void dns_server_packet_failed(DnsServer *s, DnsServerFeatureLevel level) { - assert(s); - - /* Invoked whenever we get a FORMERR, SERVFAIL or NOTIMP rcode from a server. */ - - if (s->possible_feature_level != level) - return; - - s->packet_failed = true; -} - void dns_server_packet_truncated(DnsServer *s, DnsServerFeatureLevel level) { assert(s); @@ -351,6 +363,24 @@ void dns_server_packet_bad_opt(DnsServer *s, DnsServerFeatureLevel level) { s->packet_bad_opt = true; } +void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level) { + assert(s); + + /* Invoked whenever we got a FORMERR, SERVFAIL or NOTIMP rcode from a server and downgrading the feature level + * for the transaction made it go away. In this case we immediately downgrade to the feature level that made + * things work. */ + + if (s->verified_feature_level > level) + s->verified_feature_level = level; + + if (s->possible_feature_level > level) { + s->possible_feature_level = level; + dns_server_reset_counters(s); + } + + log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", dns_server_string(s)); +} + static bool dns_server_grace_period_expired(DnsServer *s) { usec_t ts; @@ -370,27 +400,6 @@ static bool dns_server_grace_period_expired(DnsServer *s) { return true; } -static void dns_server_reset_counters(DnsServer *s) { - assert(s); - - s->n_failed_udp = 0; - s->n_failed_tcp = 0; - s->packet_failed = false; - s->packet_truncated = false; - s->verified_usec = 0; - - /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the - * grace period ends, but not when lowering the possible feature level, as a lower level feature level should - * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's - * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that - * either. - * - * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A), - * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not - * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be - * incomplete. */ -} - DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { assert(s); @@ -453,16 +462,6 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { log_debug("Lost too many UDP packets, downgrading feature level..."); s->possible_feature_level--; - } else if (s->packet_failed && - s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) { - - /* We got a failure packet, and are at a feature level above UDP. Note that in this case we - * downgrade no further than UDP, under the assumption that a failure packet indicates an - * incompatible packet contents, but not a problem with the transport. */ - - log_debug("Got server failure, downgrading feature level..."); - s->possible_feature_level--; - } else if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS && s->packet_truncated && s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) { @@ -516,14 +515,27 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature else packet_size = server->received_udp_packet_max; - return dns_packet_append_opt(packet, packet_size, edns_do, NULL); + return dns_packet_append_opt(packet, packet_size, edns_do, 0, NULL); +} + +int dns_server_ifindex(const DnsServer *s) { + assert(s); + + /* The link ifindex always takes precedence */ + if (s->link) + return s->link->ifindex; + + if (s->ifindex > 0) + return s->ifindex; + + return 0; } const char *dns_server_string(DnsServer *server) { assert(server); if (!server->server_string) - (void) in_addr_to_string(server->family, &server->address, &server->server_string); + (void) in_addr_ifindex_to_string(server->family, &server->address, dns_server_ifindex(server), &server->server_string); return strna(server->server_string); } @@ -572,17 +584,28 @@ static void dns_server_hash_func(const void *p, struct siphash *state) { siphash24_compress(&s->family, sizeof(s->family), state); siphash24_compress(&s->address, FAMILY_ADDRESS_SIZE(s->family), state); + siphash24_compress(&s->ifindex, sizeof(s->ifindex), state); } static int dns_server_compare_func(const void *a, const void *b) { const DnsServer *x = a, *y = b; + int r; if (x->family < y->family) return -1; if (x->family > y->family) return 1; - return memcmp(&x->address, &y->address, FAMILY_ADDRESS_SIZE(x->family)); + r = memcmp(&x->address, &y->address, FAMILY_ADDRESS_SIZE(x->family)); + if (r != 0) + return r; + + if (x->ifindex < y->ifindex) + return -1; + if (x->ifindex > y->ifindex) + return 1; + + return 0; } const struct hash_ops dns_server_hash_ops = { @@ -624,11 +647,11 @@ void dns_server_mark_all(DnsServer *first) { dns_server_mark_all(first->servers_next); } -DnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr) { +DnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr, int ifindex) { DnsServer *s; LIST_FOREACH(servers, s, first) - if (s->family == family && in_addr_equal(family, &s->address, in_addr) > 0) + if (s->family == family && in_addr_equal(family, &s->address, in_addr) > 0 && s->ifindex == ifindex) return s; return NULL; @@ -725,6 +748,19 @@ void manager_next_dns_server(Manager *m) { manager_set_dns_server(m, m->dns_servers); } +bool dns_server_address_valid(int family, const union in_addr_union *sa) { + + /* Refuses the 0 IP addresses as well as 127.0.0.53 (which is our own DNS stub) */ + + if (in_addr_is_null(family, sa)) + return false; + + if (family == AF_INET && sa->in.s_addr == htobe32(INADDR_DNS_STUB)) + return false; + + return true; +} + static const char* const dns_server_type_table[_DNS_SERVER_TYPE_MAX] = { [DNS_SERVER_SYSTEM] = "system", [DNS_SERVER_FALLBACK] = "fallback", diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-server.h b/src/grp-resolve/systemd-resolved/resolved-dns-server.h index bfbf692c64..e1f0ac5fd9 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-server.h +++ b/src/grp-resolve/systemd-resolved/resolved-dns-server.h @@ -62,6 +62,7 @@ struct DnsServer { int family; union in_addr_union address; + int ifindex; /* for IPv6 link-local DNS servers */ char *server_string; @@ -76,7 +77,6 @@ struct DnsServer { unsigned n_failed_udp; unsigned n_failed_tcp; - bool packet_failed:1; bool packet_truncated:1; bool packet_bad_opt:1; bool packet_rrsig_missing:1; @@ -101,7 +101,8 @@ int dns_server_new( DnsServerType type, Link *link, int family, - const union in_addr_union *address); + const union in_addr_union *address, + int ifindex); DnsServer* dns_server_ref(DnsServer *s); DnsServer* dns_server_unref(DnsServer *s); @@ -111,22 +112,23 @@ void dns_server_move_back_and_unmark(DnsServer *s); void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t rtt, size_t size); void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t usec); -void dns_server_packet_failed(DnsServer *s, DnsServerFeatureLevel level); void dns_server_packet_truncated(DnsServer *s, DnsServerFeatureLevel level); void dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level); void dns_server_packet_bad_opt(DnsServer *s, DnsServerFeatureLevel level); +void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level); DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s); int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeatureLevel level); const char *dns_server_string(DnsServer *server); +int dns_server_ifindex(const DnsServer *s); bool dns_server_dnssec_supported(DnsServer *server); void dns_server_warn_downgrade(DnsServer *server); -DnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr); +DnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr, int ifindex); void dns_server_unlink_all(DnsServer *first); void dns_server_unlink_marked(DnsServer *first); @@ -138,6 +140,8 @@ DnsServer *manager_set_dns_server(Manager *m, DnsServer *s); DnsServer *manager_get_dns_server(Manager *m); void manager_next_dns_server(Manager *m); +bool dns_server_address_valid(int family, const union in_addr_union *sa); + DEFINE_TRIVIAL_CLEANUP_FUNC(DnsServer*, dns_server_unref); extern const struct hash_ops dns_server_hash_ops; diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-stream.c b/src/grp-resolve/systemd-resolved/resolved-dns-stream.c index 0c55f6d6c7..4ba5b797b7 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-stream.c +++ b/src/grp-resolve/systemd-resolved/resolved-dns-stream.c @@ -57,8 +57,8 @@ static int dns_stream_complete(DnsStream *s, int error) { if (s->complete) s->complete(s, error); - else - dns_stream_free(s); + else /* the default action if no completion function is set is to close the stream */ + dns_stream_unref(s); return 0; } @@ -324,10 +324,16 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use return 0; } -DnsStream *dns_stream_free(DnsStream *s) { +DnsStream *dns_stream_unref(DnsStream *s) { if (!s) return NULL; + assert(s->n_ref > 0); + s->n_ref--; + + if (s->n_ref > 0) + return NULL; + dns_stream_stop(s); if (s->manager) { @@ -340,13 +346,23 @@ DnsStream *dns_stream_free(DnsStream *s) { free(s); - return 0; + return NULL; } -DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_free); +DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_unref); + +DnsStream *dns_stream_ref(DnsStream *s) { + if (!s) + return NULL; + + assert(s->n_ref > 0); + s->n_ref++; + + return s; +} int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) { - _cleanup_(dns_stream_freep) DnsStream *s = NULL; + _cleanup_(dns_stream_unrefp) DnsStream *s = NULL; int r; assert(m); @@ -359,6 +375,7 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) { if (!s) return -ENOMEM; + s->n_ref = 1; s->fd = -1; s->protocol = protocol; diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-stream.h b/src/grp-resolve/systemd-resolved/resolved-dns-stream.h index 65be14c5ed..6538da457a 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-stream.h +++ b/src/grp-resolve/systemd-resolved/resolved-dns-stream.h @@ -27,8 +27,16 @@ typedef struct DnsStream DnsStream; #include "resolved-dns-transaction.h" #include "resolved-manager.h" +/* Streams are used by three subsystems: + * + * 1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP + * 2. The LLMNR logic when accepting a TCP-based lookup + * 3. The DNS stub logic when accepting a TCP-based lookup + */ + struct DnsStream { Manager *manager; + int n_ref; DnsProtocol protocol; @@ -51,12 +59,23 @@ struct DnsStream { int (*on_packet)(DnsStream *s); int (*complete)(DnsStream *s, int error); - DnsTransaction *transaction; + DnsTransaction *transaction; /* when used by the transaction logic */ + DnsQuery *query; /* when used by the DNS stub logic */ LIST_FIELDS(DnsStream, streams); }; int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd); -DnsStream *dns_stream_free(DnsStream *s); +DnsStream *dns_stream_unref(DnsStream *s); +DnsStream *dns_stream_ref(DnsStream *s); int dns_stream_write_packet(DnsStream *s, DnsPacket *p); + +static inline bool DNS_STREAM_QUEUED(DnsStream *s) { + assert(s); + + if (s->fd < 0) /* already stopped? */ + return false; + + return !!s->write_packet; +} diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-stub.c b/src/grp-resolve/systemd-resolved/resolved-dns-stub.c new file mode 100644 index 0000000000..520a67a7b4 --- /dev/null +++ b/src/grp-resolve/systemd-resolved/resolved-dns-stub.c @@ -0,0 +1,573 @@ +/*** + This file is part of systemd. + + Copyright 2016 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include "basic/fd-util.h" +#include "basic/socket-util.h" + +#include "resolved-dns-stub.h" + +/* The MTU of the loopback device is 64K on Linux, advertise that as maximum datagram size, but subtract the Ethernet, + * IP and UDP header sizes */ +#define ADVERTISE_DATAGRAM_SIZE_MAX (65536U-14U-20U-8U) + +static int dns_stub_make_reply_packet( + uint16_t id, + int rcode, + DnsQuestion *q, + DnsAnswer *answer, + bool add_opt, /* add an OPT RR to this packet */ + bool edns0_do, /* set the EDNS0 DNSSEC OK bit */ + bool ad, /* set the DNSSEC authenticated data bit */ + DnsPacket **ret) { + + _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; + DnsResourceRecord *rr; + unsigned c = 0; + int r; + + /* Note that we don't bother with any additional RRs, as this is stub is for local lookups only, and hence + * roundtrips aren't expensive. */ + + r = dns_packet_new(&p, DNS_PROTOCOL_DNS, 0); + if (r < 0) + return r; + + /* If the client didn't do EDNS, clamp the rcode to 4 bit */ + if (!add_opt && rcode > 0xF) + rcode = DNS_RCODE_SERVFAIL; + + DNS_PACKET_HEADER(p)->id = id; + DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS( + 1 /* qr */, + 0 /* opcode */, + 0 /* aa */, + 0 /* tc */, + 1 /* rd */, + 1 /* ra */, + ad /* ad */, + 0 /* cd */, + rcode)); + + r = dns_packet_append_question(p, q); + if (r < 0) + return r; + DNS_PACKET_HEADER(p)->qdcount = htobe16(dns_question_size(q)); + + DNS_ANSWER_FOREACH(rr, answer) { + r = dns_question_matches_rr(q, rr, NULL); + if (r < 0) + return r; + if (r > 0) + goto add; + + r = dns_question_matches_cname_or_dname(q, rr, NULL); + if (r < 0) + return r; + if (r > 0) + goto add; + + continue; + add: + r = dns_packet_append_rr(p, rr, NULL, NULL); + if (r < 0) + return r; + + c++; + } + DNS_PACKET_HEADER(p)->ancount = htobe16(c); + + if (add_opt) { + r = dns_packet_append_opt(p, ADVERTISE_DATAGRAM_SIZE_MAX, edns0_do, rcode, NULL); + if (r < 0) + return r; + } + + *ret = p; + p = NULL; + + return 0; +} + +static void dns_stub_detach_stream(DnsStream *s) { + assert(s); + + s->complete = NULL; + s->on_packet = NULL; + s->query = NULL; +} + +static int dns_stub_send(Manager *m, DnsStream *s, DnsPacket *p, DnsPacket *reply) { + int r; + + assert(m); + assert(p); + assert(reply); + + if (s) + r = dns_stream_write_packet(s, reply); + else { + int fd; + + /* Truncate the message to the right size */ + if (reply->size > DNS_PACKET_PAYLOAD_SIZE_MAX(p)) { + dns_packet_truncate(reply, DNS_PACKET_UNICAST_SIZE_MAX); + DNS_PACKET_HEADER(reply)->flags = htobe16(be16toh(DNS_PACKET_HEADER(reply)->flags) | DNS_PACKET_FLAG_TC); + } + + fd = manager_dns_stub_udp_fd(m); + if (fd < 0) + return log_debug_errno(fd, "Failed to get reply socket: %m"); + + /* Note that it is essential here that we explicitly choose the source IP address for this packet. This + * is because otherwise the kernel will choose it automatically based on the routing table and will + * thus pick 127.0.0.1 rather than 127.0.0.53. */ + + r = manager_send(m, fd, LOOPBACK_IFINDEX, p->family, &p->sender, p->sender_port, &p->destination, reply); + } + if (r < 0) + return log_debug_errno(r, "Failed to send reply packet: %m"); + + return 0; +} + +static int dns_stub_send_failure(Manager *m, DnsStream *s, DnsPacket *p, int rcode) { + _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; + int r; + + assert(m); + assert(p); + + r = dns_stub_make_reply_packet(DNS_PACKET_ID(p), rcode, p->question, NULL, !!p->opt, DNS_PACKET_DO(p), false, &reply); + if (r < 0) + return log_debug_errno(r, "Failed to build failure packet: %m"); + + return dns_stub_send(m, s, p, reply); +} + +static void dns_stub_query_complete(DnsQuery *q) { + int r; + + assert(q); + assert(q->request_dns_packet); + + switch (q->state) { + + case DNS_TRANSACTION_SUCCESS: { + _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; + + r = dns_stub_make_reply_packet( + DNS_PACKET_ID(q->request_dns_packet), + q->answer_rcode, + q->question_idna, + q->answer, + !!q->request_dns_packet->opt, + DNS_PACKET_DO(q->request_dns_packet), + DNS_PACKET_DO(q->request_dns_packet) && q->answer_authenticated, + &reply); + if (r < 0) { + log_debug_errno(r, "Failed to build reply packet: %m"); + break; + } + + (void) dns_stub_send(q->manager, q->request_dns_stream, q->request_dns_packet, reply); + break; + } + + case DNS_TRANSACTION_RCODE_FAILURE: + (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, q->answer_rcode); + break; + + case DNS_TRANSACTION_NOT_FOUND: + (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_NXDOMAIN); + break; + + case DNS_TRANSACTION_TIMEOUT: + case DNS_TRANSACTION_ATTEMPTS_MAX_REACHED: + /* Propagate a timeout as a no packet, i.e. that the client also gets a timeout */ + break; + + case DNS_TRANSACTION_NO_SERVERS: + case DNS_TRANSACTION_INVALID_REPLY: + case DNS_TRANSACTION_ERRNO: + case DNS_TRANSACTION_ABORTED: + case DNS_TRANSACTION_DNSSEC_FAILED: + case DNS_TRANSACTION_NO_TRUST_ANCHOR: + case DNS_TRANSACTION_RR_TYPE_UNSUPPORTED: + case DNS_TRANSACTION_NETWORK_DOWN: + (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_SERVFAIL); + break; + + case DNS_TRANSACTION_NULL: + case DNS_TRANSACTION_PENDING: + case DNS_TRANSACTION_VALIDATING: + default: + assert_not_reached("Impossible state"); + } + + /* If there's a packet to write set, let's leave the stream around */ + if (q->request_dns_stream && DNS_STREAM_QUEUED(q->request_dns_stream)) { + + /* Detach the stream from our query (make it an orphan), but do not drop the reference to it. The + * default completion action of the stream will drop the reference. */ + + dns_stub_detach_stream(q->request_dns_stream); + q->request_dns_stream = NULL; + } + + dns_query_free(q); +} + +static int dns_stub_stream_complete(DnsStream *s, int error) { + assert(s); + + log_debug_errno(error, "DNS TCP connection terminated, destroying query: %m"); + + assert(s->query); + dns_query_free(s->query); + + return 0; +} + +static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) { + DnsQuery *q = NULL; + int r; + + assert(m); + assert(p); + assert(p->protocol == DNS_PROTOCOL_DNS); + + /* Takes ownership of the *s stream object */ + + if (in_addr_is_localhost(p->family, &p->sender) <= 0 || + in_addr_is_localhost(p->family, &p->destination) <= 0) { + log_error("Got packet on unexpected IP range, refusing."); + dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL); + goto fail; + } + + r = dns_packet_extract(p); + if (r < 0) { + log_debug_errno(r, "Failed to extract resources from incoming packet, ignoring packet: %m"); + dns_stub_send_failure(m, s, p, DNS_RCODE_FORMERR); + goto fail; + } + + if (!DNS_PACKET_VERSION_SUPPORTED(p)) { + log_debug("Got EDNS OPT field with unsupported version number."); + dns_stub_send_failure(m, s, p, DNS_RCODE_BADVERS); + goto fail; + } + + if (dns_type_is_obsolete(p->question->keys[0]->type)) { + log_debug("Got message with obsolete key type, refusing."); + dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP); + goto fail; + } + + if (dns_type_is_zone_transer(p->question->keys[0]->type)) { + log_debug("Got request for zone transfer, refusing."); + dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP); + goto fail; + } + + if (!DNS_PACKET_RD(p)) { + /* If the "rd" bit is off (i.e. recursion was not requested), then refuse operation */ + log_debug("Got request with recursion disabled, refusing."); + dns_stub_send_failure(m, s, p, DNS_RCODE_REFUSED); + goto fail; + } + + if (DNS_PACKET_DO(p) && DNS_PACKET_CD(p)) { + log_debug("Got request with DNSSEC CD bit set, refusing."); + dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP); + goto fail; + } + + r = dns_query_new(m, &q, p->question, p->question, 0, SD_RESOLVED_PROTOCOLS_ALL|SD_RESOLVED_NO_SEARCH|SD_RESOLVED_NO_CNAME); + if (r < 0) { + log_error_errno(r, "Failed to generate query object: %m"); + dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL); + goto fail; + } + + /* Request that the TTL is corrected by the cached time for this lookup, so that we return vaguely useful TTLs */ + q->clamp_ttl = true; + + q->request_dns_packet = dns_packet_ref(p); + q->request_dns_stream = dns_stream_ref(s); /* make sure the stream stays around until we can send a reply through it */ + q->complete = dns_stub_query_complete; + + if (s) { + s->on_packet = NULL; + s->complete = dns_stub_stream_complete; + s->query = q; + } + + r = dns_query_go(q); + if (r < 0) { + log_error_errno(r, "Failed to start query: %m"); + dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL); + goto fail; + } + + log_info("Processing query..."); + return; + +fail: + if (s && DNS_STREAM_QUEUED(s)) + dns_stub_detach_stream(s); + + dns_query_free(q); +} + +static int on_dns_stub_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) { + _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; + Manager *m = userdata; + int r; + + r = manager_recv(m, fd, DNS_PROTOCOL_DNS, &p); + if (r <= 0) + return r; + + if (dns_packet_validate_query(p) > 0) { + log_debug("Got DNS stub UDP query packet for id %u", DNS_PACKET_ID(p)); + + dns_stub_process_query(m, NULL, p); + } else + log_debug("Invalid DNS stub UDP packet, ignoring."); + + return 0; +} + +int manager_dns_stub_udp_fd(Manager *m) { + static const int one = 1; + + union sockaddr_union sa = { + .in.sin_family = AF_INET, + .in.sin_port = htobe16(53), + .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB), + }; + + int r; + + if (m->dns_stub_udp_fd >= 0) + return m->dns_stub_udp_fd; + + m->dns_stub_udp_fd = socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); + if (m->dns_stub_udp_fd < 0) + return -errno; + + r = setsockopt(m->dns_stub_udp_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); + if (r < 0) { + r = -errno; + goto fail; + } + + r = setsockopt(m->dns_stub_udp_fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof(one)); + if (r < 0) { + r = -errno; + goto fail; + } + + r = setsockopt(m->dns_stub_udp_fd, IPPROTO_IP, IP_RECVTTL, &one, sizeof(one)); + if (r < 0) { + r = -errno; + goto fail; + } + + /* Make sure no traffic from outside the local host can leak to onto this socket */ + r = setsockopt(m->dns_stub_udp_fd, SOL_SOCKET, SO_BINDTODEVICE, "lo", 3); + if (r < 0) { + r = -errno; + goto fail; + } + + r = bind(m->dns_stub_udp_fd, &sa.sa, sizeof(sa.in)); + if (r < 0) { + r = -errno; + goto fail; + } + + r = sd_event_add_io(m->event, &m->dns_stub_udp_event_source, m->dns_stub_udp_fd, EPOLLIN, on_dns_stub_packet, m); + if (r < 0) + goto fail; + + (void) sd_event_source_set_description(m->dns_stub_udp_event_source, "dns-stub-udp"); + + return m->dns_stub_udp_fd; + +fail: + m->dns_stub_udp_fd = safe_close(m->dns_stub_udp_fd); + return r; +} + +static int on_dns_stub_stream_packet(DnsStream *s) { + assert(s); + assert(s->read_packet); + + if (dns_packet_validate_query(s->read_packet) > 0) { + log_debug("Got DNS stub TCP query packet for id %u", DNS_PACKET_ID(s->read_packet)); + + dns_stub_process_query(s->manager, s, s->read_packet); + } else + log_debug("Invalid DNS stub TCP packet, ignoring."); + + /* Drop the reference to the stream. Either a query was created and added its own reference to the stream now, + * or that didn't happen in which case we want to free the stream */ + dns_stream_unref(s); + + return 0; +} + +static int on_dns_stub_stream(sd_event_source *s, int fd, uint32_t revents, void *userdata) { + DnsStream *stream; + Manager *m = userdata; + int cfd, r; + + cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK|SOCK_CLOEXEC); + if (cfd < 0) { + if (errno == EAGAIN || errno == EINTR) + return 0; + + return -errno; + } + + r = dns_stream_new(m, &stream, DNS_PROTOCOL_DNS, cfd); + if (r < 0) { + safe_close(cfd); + return r; + } + + stream->on_packet = on_dns_stub_stream_packet; + + /* We let the reference to the stream dangling here, it will either be dropped by the default "complete" action + * of the stream, or by our packet callback, or when the manager is shut down. */ + + return 0; +} + +int manager_dns_stub_tcp_fd(Manager *m) { + static const int one = 1; + + union sockaddr_union sa = { + .in.sin_family = AF_INET, + .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB), + .in.sin_port = htobe16(53), + }; + + int r; + + if (m->dns_stub_tcp_fd >= 0) + return m->dns_stub_tcp_fd; + + m->dns_stub_tcp_fd = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); + if (m->dns_stub_tcp_fd < 0) + return -errno; + + r = setsockopt(m->dns_stub_tcp_fd, IPPROTO_IP, IP_TTL, &one, sizeof(one)); + if (r < 0) { + r = -errno; + goto fail; + } + + r = setsockopt(m->dns_stub_tcp_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); + if (r < 0) { + r = -errno; + goto fail; + } + + r = setsockopt(m->dns_stub_tcp_fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof(one)); + if (r < 0) { + r = -errno; + goto fail; + } + + r = setsockopt(m->dns_stub_tcp_fd, IPPROTO_IP, IP_RECVTTL, &one, sizeof(one)); + if (r < 0) { + r = -errno; + goto fail; + } + + /* Make sure no traffic from outside the local host can leak to onto this socket */ + r = setsockopt(m->dns_stub_tcp_fd, SOL_SOCKET, SO_BINDTODEVICE, "lo", 3); + if (r < 0) { + r = -errno; + goto fail; + } + + r = bind(m->dns_stub_tcp_fd, &sa.sa, sizeof(sa.in)); + if (r < 0) { + r = -errno; + goto fail; + } + + r = listen(m->dns_stub_tcp_fd, SOMAXCONN); + if (r < 0) { + r = -errno; + goto fail; + } + + r = sd_event_add_io(m->event, &m->dns_stub_tcp_event_source, m->dns_stub_tcp_fd, EPOLLIN, on_dns_stub_stream, m); + if (r < 0) + goto fail; + + (void) sd_event_source_set_description(m->dns_stub_tcp_event_source, "dns-stub-tcp"); + + return m->dns_stub_tcp_fd; + +fail: + m->dns_stub_tcp_fd = safe_close(m->dns_stub_tcp_fd); + return r; +} + +int manager_dns_stub_start(Manager *m) { + int r; + + assert(m); + + r = manager_dns_stub_udp_fd(m); + if (r == -EADDRINUSE) + goto eaddrinuse; + if (r < 0) + return r; + + r = manager_dns_stub_tcp_fd(m); + if (r == -EADDRINUSE) + goto eaddrinuse; + if (r < 0) + return r; + + return 0; + +eaddrinuse: + log_warning("Another process is already listening on 127.0.0.53:53. Turning off local DNS stub support."); + manager_dns_stub_stop(m); + + return 0; +} + +void manager_dns_stub_stop(Manager *m) { + assert(m); + + m->dns_stub_udp_event_source = sd_event_source_unref(m->dns_stub_udp_event_source); + m->dns_stub_tcp_event_source = sd_event_source_unref(m->dns_stub_tcp_event_source); + + m->dns_stub_udp_fd = safe_close(m->dns_stub_udp_fd); + m->dns_stub_tcp_fd = safe_close(m->dns_stub_tcp_fd); +} diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-stub.h b/src/grp-resolve/systemd-resolved/resolved-dns-stub.h new file mode 100644 index 0000000000..fce4d25ede --- /dev/null +++ b/src/grp-resolve/systemd-resolved/resolved-dns-stub.h @@ -0,0 +1,31 @@ +#pragma once + +/*** + This file is part of systemd. + + Copyright 2016 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include "resolved-manager.h" + +/* 127.0.0.53 in native endian */ +#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U) + +int manager_dns_stub_udp_fd(Manager *m); +int manager_dns_stub_tcp_fd(Manager *m); + +void manager_dns_stub_stop(Manager *m); +int manager_dns_stub_start(Manager *m); diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-transaction.c b/src/grp-resolve/systemd-resolved/resolved-dns-transaction.c index 3a19b12b47..3cf72e0ff8 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-transaction.c +++ b/src/grp-resolve/systemd-resolved/resolved-dns-transaction.c @@ -61,7 +61,14 @@ static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) { static void dns_transaction_close_connection(DnsTransaction *t) { assert(t); - t->stream = dns_stream_free(t->stream); + if (t->stream) { + /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */ + t->stream->complete = NULL; + t->stream->on_packet = NULL; + t->stream->transaction = NULL; + t->stream = dns_stream_unref(t->stream); + } + t->dns_udp_event_source = sd_event_source_unref(t->dns_udp_event_source); t->dns_udp_fd = safe_close(t->dns_udp_fd); } @@ -208,6 +215,7 @@ int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key) t->answer_nsec_ttl = (uint32_t) -1; t->key = dns_resource_key_ref(key); t->current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID; + t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID; t->id = pick_new_id(s->manager); @@ -372,22 +380,38 @@ static int dns_transaction_pick_server(DnsTransaction *t) { assert(t); assert(t->scope->protocol == DNS_PROTOCOL_DNS); + /* Pick a DNS server and a feature level for it. */ + server = dns_scope_get_dns_server(t->scope); if (!server) return -ESRCH; + /* If we changed the server invalidate the feature level clamping, as the new server might have completely + * different properties. */ + if (server != t->server) + t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID; + t->current_feature_level = dns_server_possible_feature_level(server); + /* Clamp the feature level if that is requested. */ + if (t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID && + t->current_feature_level > t->clamp_feature_level) + t->current_feature_level = t->clamp_feature_level; + + log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id); + if (server == t->server) return 0; dns_server_unref(t->server); t->server = dns_server_ref(server); + log_debug("Using DNS server %s for transaction %u.", dns_server_string(t->server), t->id); + return 1; } -static void dns_transaction_retry(DnsTransaction *t) { +static void dns_transaction_retry(DnsTransaction *t, bool next_server) { int r; assert(t); @@ -395,7 +419,8 @@ static void dns_transaction_retry(DnsTransaction *t) { log_debug("Retrying transaction %" PRIu16 ".", t->id); /* Before we try again, switch to a new server. */ - dns_scope_next_dns_server(t->scope); + if (next_server) + dns_scope_next_dns_server(t->scope); r = dns_transaction_go(t); if (r < 0) { @@ -405,8 +430,12 @@ static void dns_transaction_retry(DnsTransaction *t) { } static int dns_transaction_maybe_restart(DnsTransaction *t) { + int r; + assert(t); + /* Returns > 0 if the transaction was restarted, 0 if not */ + if (!t->server) return 0; @@ -421,7 +450,12 @@ static int dns_transaction_maybe_restart(DnsTransaction *t) { log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID."); dns_transaction_shuffle_id(t); - return dns_transaction_go(t); + + r = dns_transaction_go(t); + if (r < 0) + return r; + + return 1; } static int on_stream_complete(DnsStream *s, int error) { @@ -436,7 +470,7 @@ static int on_stream_complete(DnsStream *s, int error) { t = s->transaction; p = dns_packet_ref(s->read_packet); - t->stream = dns_stream_free(t->stream); + dns_transaction_close_connection(t); if (ERRNO_IS_DISCONNECT(error)) { usec_t usec; @@ -452,7 +486,7 @@ static int on_stream_complete(DnsStream *s, int error) { assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0); dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level, usec - t->start_usec); - dns_transaction_retry(t); + dns_transaction_retry(t, true); return 0; } if (error != 0) { @@ -548,7 +582,7 @@ static int dns_transaction_open_tcp(DnsTransaction *t) { r = dns_stream_write_packet(t->stream, t->sent); if (r < 0) { - t->stream = dns_stream_free(t->stream); + t->stream = dns_stream_unref(t->stream); return r; } @@ -558,8 +592,7 @@ static int dns_transaction_open_tcp(DnsTransaction *t) { /* The interface index is difficult to determine if we are * connecting to the local host, hence fill this in right away * instead of determining it from the socket */ - if (t->scope->link) - t->stream->ifindex = t->scope->link->ifindex; + t->stream->ifindex = dns_scope_ifindex(t->scope); dns_transaction_reset_answer(t); @@ -576,6 +609,10 @@ static void dns_transaction_cache_answer(DnsTransaction *t) { if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR)) return; + /* Caching disabled? */ + if (!t->scope->manager->enable_cache) + return; + /* We never cache if this packet is from the local host, under * the assumption that a locally running DNS server would * cache this anyway, and probably knows better when to flush @@ -627,14 +664,15 @@ static int dns_transaction_dnssec_ready(DnsTransaction *t) { return 0; case DNS_TRANSACTION_RCODE_FAILURE: - if (dt->answer_rcode != DNS_RCODE_NXDOMAIN) { + if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) { log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode)); goto fail; } - /* Fall-through: NXDOMAIN is good enough for us. This is because some DNS servers erronously - * return NXDOMAIN for empty non-terminals (Akamai...), and we need to handle that nicely, when - * asking for parent SOA or similar RRs to make unsigned proofs. */ + /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers + * erronously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS + * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar + * RRs to make unsigned proofs. */ case DNS_TRANSACTION_SUCCESS: /* All good. */ @@ -799,12 +837,9 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { switch (t->scope->protocol) { case DNS_PROTOCOL_LLMNR: - assert(t->scope->link); + /* For LLMNR we will not accept any packets from other interfaces */ - /* For LLMNR we will not accept any packets from other - * interfaces */ - - if (p->ifindex != t->scope->link->ifindex) + if (p->ifindex != dns_scope_ifindex(t->scope)) return; if (p->family != t->scope->family) @@ -821,10 +856,9 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { break; case DNS_PROTOCOL_MDNS: - assert(t->scope->link); - /* For mDNS we will not accept any packets from other interfaces */ - if (p->ifindex != t->scope->link->ifindex) + + if (p->ifindex != dns_scope_ifindex(t->scope)) return; if (p->family != t->scope->family) @@ -875,10 +909,22 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) { /* Request failed, immediately try again with reduced features */ - log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p))); - dns_server_packet_failed(t->server, t->current_feature_level); - dns_transaction_retry(t); + if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_WORST) { + /* This was already at the lowest possible feature level? If so, we can't downgrade + * this transaction anymore, hence let's process the response, and accept the rcode. */ + log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p))); + break; + } + + /* Reduce this feature level by one and try again. */ + t->clamp_feature_level = t->current_feature_level - 1; + + log_debug("Server returned error %s, retrying transaction with reduced feature level %s.", + dns_rcode_to_string(DNS_PACKET_RCODE(p)), + dns_server_feature_level_to_string(t->clamp_feature_level)); + + dns_transaction_retry(t, false /* use the same server */); return; } else if (DNS_PACKET_TC(p)) dns_server_packet_truncated(t->server, t->current_feature_level); @@ -923,7 +969,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { goto fail; /* On DNS, couldn't send? Try immediately again, with a new server */ - dns_transaction_retry(t); + dns_transaction_retry(t, true); } return; @@ -936,11 +982,19 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { return; } - /* Report that the OPT RR was missing */ if (t->server) { + /* Report that we successfully received a valid packet with a good rcode after we initially got a bad + * rcode and subsequently downgraded the protocol */ + + if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) && + t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID) + dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level); + + /* Report that the OPT RR was missing */ if (!p->opt) dns_server_packet_bad_opt(t->server, t->current_feature_level); + /* Report that we successfully received a packet */ dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, ts - t->start_usec, p->size); } @@ -1027,7 +1081,7 @@ static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *use assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0); dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level, usec - t->start_usec); - dns_transaction_retry(t); + dns_transaction_retry(t, true); return 0; } if (r < 0) { @@ -1136,7 +1190,7 @@ static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdat log_debug("Timeout reached on transaction %" PRIu16 ".", t->id); - dns_transaction_retry(t); + dns_transaction_retry(t, true); return 0; } @@ -1247,7 +1301,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) { * for probing or verifying a zone item. */ if (set_isempty(t->notify_zone_items)) { - r = dns_zone_lookup(&t->scope->zone, t->key, &t->answer, NULL, NULL); + r = dns_zone_lookup(&t->scope->zone, t->key, dns_scope_ifindex(t->scope), &t->answer, NULL, NULL); if (r < 0) return r; if (r > 0) { @@ -1271,7 +1325,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) { /* Let's then prune all outdated entries */ dns_cache_prune(&t->scope->cache); - r = dns_cache_lookup(&t->scope->cache, t->key, &t->answer_rcode, &t->answer, &t->answer_authenticated); + r = dns_cache_lookup(&t->scope->cache, t->key, t->clamp_ttl, &t->answer_rcode, &t->answer, &t->answer_authenticated); if (r < 0) return r; if (r > 0) { @@ -1427,6 +1481,9 @@ int dns_transaction_go(DnsTransaction *t) { assert(t); + /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has finished + * now. */ + assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0); r = dns_transaction_prepare(t, ts); @@ -1764,8 +1821,10 @@ static bool dns_transaction_dnssec_supported(DnsTransaction *t) { if (!t->server) return true; - if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_DO) - return false; + /* Note that we do not check the feature level actually used for the transaction but instead the feature level + * the server is known to support currently, as the transaction feature level might be lower than what the + * server actually supports, since we might have downgraded this transaction's feature level because we got a + * SERVFAIL earlier and wanted to check whether downgrading fixes it. */ return dns_server_dnssec_supported(t->server); } @@ -2857,7 +2916,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { if (!dns_transaction_dnssec_supported_full(t)) { /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */ t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER; - log_debug("Not validating response for %" PRIu16 ", server lacks DNSSEC support.", t->id); + log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id); return 0; } diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-transaction.h b/src/grp-resolve/systemd-resolved/resolved-dns-transaction.h index 96cedd7bc8..5837e982d4 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-transaction.h +++ b/src/grp-resolve/systemd-resolved/resolved-dns-transaction.h @@ -77,6 +77,8 @@ struct DnsTransaction { bool initial_jitter_scheduled:1; bool initial_jitter_elapsed:1; + bool clamp_ttl:1; + DnsPacket *sent, *received; DnsAnswer *answer; @@ -118,6 +120,9 @@ struct DnsTransaction { /* The features of the DNS server at time of transaction start */ DnsServerFeatureLevel current_feature_level; + /* If we got SERVFAIL back, we retry the lookup, using a lower feature level than we used before. */ + DnsServerFeatureLevel clamp_feature_level; + /* Query candidates this transaction is referenced by and that * shall be notified about this specific transaction * completing. */ diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-zone.c b/src/grp-resolve/systemd-resolved/resolved-dns-zone.c index 3d5bc9ea82..d3ef27fefd 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-zone.c +++ b/src/grp-resolve/systemd-resolved/resolved-dns-zone.c @@ -288,13 +288,16 @@ int dns_zone_put(DnsZone *z, DnsScope *s, DnsResourceRecord *rr, bool probe) { return 0; } -int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **ret_answer, DnsAnswer **ret_soa, bool *ret_tentative) { +int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, int ifindex, DnsAnswer **ret_answer, DnsAnswer **ret_soa, bool *ret_tentative) { _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL; unsigned n_answer = 0; DnsZoneItem *j, *first; bool tentative = true, need_soa = false; int r; + /* Note that we don't actually need the ifindex for anything. However when it is passed we'll initialize the + * ifindex field in the answer with it */ + assert(z); assert(key); assert(ret_answer); @@ -390,7 +393,7 @@ int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **ret_answer, Dns if (k < 0) return k; if (k > 0) { - r = dns_answer_add(answer, j->rr, 0, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(answer, j->rr, ifindex, DNS_ANSWER_AUTHENTICATED); if (r < 0) return r; @@ -399,7 +402,7 @@ int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **ret_answer, Dns } if (found && !added) { - r = dns_answer_add_soa(soa, dns_resource_key_name(key), LLMNR_DEFAULT_TTL); + r = dns_answer_add_soa(soa, dns_resource_key_name(key), LLMNR_DEFAULT_TTL, ifindex); if (r < 0) return r; } @@ -416,7 +419,7 @@ int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **ret_answer, Dns if (j->state != DNS_ZONE_ITEM_PROBING) tentative = false; - r = dns_answer_add(answer, j->rr, 0, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(answer, j->rr, ifindex, DNS_ANSWER_AUTHENTICATED); if (r < 0) return r; } @@ -436,7 +439,7 @@ int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **ret_answer, Dns } if (add_soa) { - r = dns_answer_add_soa(soa, dns_resource_key_name(key), LLMNR_DEFAULT_TTL); + r = dns_answer_add_soa(soa, dns_resource_key_name(key), LLMNR_DEFAULT_TTL, ifindex); if (r < 0) return r; } diff --git a/src/grp-resolve/systemd-resolved/resolved-dns-zone.h b/src/grp-resolve/systemd-resolved/resolved-dns-zone.h index 0c43bf2b96..789fe24cde 100644 --- a/src/grp-resolve/systemd-resolved/resolved-dns-zone.h +++ b/src/grp-resolve/systemd-resolved/resolved-dns-zone.h @@ -66,7 +66,7 @@ void dns_zone_flush(DnsZone *z); int dns_zone_put(DnsZone *z, DnsScope *s, DnsResourceRecord *rr, bool probe); void dns_zone_remove_rr(DnsZone *z, DnsResourceRecord *rr); -int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, DnsAnswer **answer, DnsAnswer **soa, bool *tentative); +int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, int ifindex, DnsAnswer **answer, DnsAnswer **soa, bool *tentative); void dns_zone_item_conflict(DnsZoneItem *i); void dns_zone_item_notify(DnsZoneItem *i); diff --git a/src/grp-resolve/systemd-resolved/resolved-gperf.gperf b/src/grp-resolve/systemd-resolved/resolved-gperf.gperf index 7a0a3e3a3d..f3a7c48abc 100644 --- a/src/grp-resolve/systemd-resolved/resolved-gperf.gperf +++ b/src/grp-resolve/systemd-resolved/resolved-gperf.gperf @@ -21,3 +21,4 @@ Resolve.FallbackDNS, config_parse_dns_servers, DNS_SERVER_FALLBACK, 0 Resolve.Domains, config_parse_search_domains, 0, 0 Resolve.LLMNR, config_parse_resolve_support, 0, offsetof(Manager, llmnr_support) Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode) +Resolve.Cache, config_parse_bool, 0, offsetof(Manager, enable_cache) diff --git a/src/grp-resolve/systemd-resolved/resolved-link-bus.c b/src/grp-resolve/systemd-resolved/resolved-link-bus.c index 122c4dd45d..9cbadece42 100644 --- a/src/grp-resolve/systemd-resolved/resolved-link-bus.c +++ b/src/grp-resolve/systemd-resolved/resolved-link-bus.c @@ -20,14 +20,32 @@ #include "basic/alloc-util.h" #include "basic/parse-util.h" #include "basic/strv.h" +#include "sd-bus/bus-common-errors.h" #include "shared/bus-util.h" #include "shared/resolve-util.h" #include "resolved-bus.h" #include "resolved-link-bus.h" +#include "resolved-resolv-conf.h" static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_resolve_support, resolve_support, ResolveSupport); -static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_dnssec_mode, dnssec_mode, DnssecMode); + +static int property_get_dnssec_mode( + sd_bus *bus, + const char *path, + const char *interface, + const char *property, + sd_bus_message *reply, + void *userdata, + sd_bus_error *error) { + + Link *l = userdata; + + assert(reply); + assert(l); + + return sd_bus_message_append(reply, "s", dnssec_mode_to_string(link_get_dnssec_mode(l))); +} static int property_get_dns( sd_bus *bus, @@ -158,6 +176,17 @@ static int property_get_dnssec_supported( return sd_bus_message_append(reply, "b", link_dnssec_supported(l)); } +static int verify_unmanaged_link(Link *l, sd_bus_error *error) { + assert(l); + + if (l->flags & IFF_LOOPBACK) + return sd_bus_error_setf(error, BUS_ERROR_LINK_BUSY, "Link %s is loopback device.", l->name); + if (l->is_managed) + return sd_bus_error_setf(error, BUS_ERROR_LINK_BUSY, "Link %s is managed.", l->name); + + return 0; +} + int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_bus_error *error) { _cleanup_free_ struct in_addr_data *dns = NULL; size_t allocated = 0, n = 0; @@ -168,6 +197,10 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_ assert(message); assert(l); + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + r = sd_bus_message_enter_container(message, 'a', "(iay)"); if (r < 0) return r; @@ -198,6 +231,9 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_ if (sz != FAMILY_ADDRESS_SIZE(family)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid address size"); + if (!dns_server_address_valid(family, d)) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNS server address"); + r = sd_bus_message_exit_container(message); if (r < 0) return r; @@ -219,11 +255,11 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_ for (i = 0; i < n; i++) { DnsServer *s; - s = dns_server_find(l->dns_servers, dns[i].family, &dns[i].address); + s = dns_server_find(l->dns_servers, dns[i].family, &dns[i].address, 0); if (s) dns_server_move_back_and_unmark(s); else { - r = dns_server_new(l->manager, NULL, DNS_SERVER_LINK, l, dns[i].family, &dns[i].address); + r = dns_server_new(l->manager, NULL, DNS_SERVER_LINK, l, dns[i].family, &dns[i].address, 0); if (r < 0) goto clear; } @@ -233,6 +269,9 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_ dns_server_unlink_marked(l->dns_servers); link_allocate_scopes(l); + (void) link_save_user(l); + (void) manager_write_resolv_conf(l->manager); + return sd_bus_reply_method_return(message, NULL); clear: @@ -247,6 +286,10 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_ assert(message); assert(l); + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + r = sd_bus_message_enter_container(message, 'a', "(sb)"); if (r < 0) return r; @@ -307,6 +350,10 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_ goto clear; dns_search_domain_unlink_marked(l->search_domains); + + (void) link_save_user(l); + (void) manager_write_resolv_conf(l->manager); + return sd_bus_reply_method_return(message, NULL); clear: @@ -323,6 +370,10 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er assert(message); assert(l); + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + r = sd_bus_message_read(message, "s", &llmnr); if (r < 0) return r; @@ -339,6 +390,8 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er link_allocate_scopes(l); link_add_rrs(l, false); + (void) link_save_user(l); + return sd_bus_reply_method_return(message, NULL); } @@ -351,6 +404,10 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err assert(message); assert(l); + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + r = sd_bus_message_read(message, "s", &mdns); if (r < 0) return r; @@ -367,6 +424,8 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err link_allocate_scopes(l); link_add_rrs(l, false); + (void) link_save_user(l); + return sd_bus_reply_method_return(message, NULL); } @@ -379,6 +438,10 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e assert(message); assert(l); + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + r = sd_bus_message_read(message, "s", &dnssec); if (r < 0) return r; @@ -393,6 +456,8 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e link_set_dnssec_mode(l, mode); + (void) link_save_user(l); + return sd_bus_reply_method_return(message, NULL); } @@ -406,6 +471,10 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v assert(message); assert(l); + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + r = sd_bus_message_read_strv(message, &ntas); if (r < 0) return r; @@ -432,19 +501,29 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v l->dnssec_negative_trust_anchors = ns; ns = NULL; + (void) link_save_user(l); + return sd_bus_reply_method_return(message, NULL); } int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error *error) { Link *l = userdata; + int r; assert(message); assert(l); + r = verify_unmanaged_link(l, error); + if (r < 0) + return r; + link_flush_settings(l); link_allocate_scopes(l); link_add_rrs(l, false); + (void) link_save_user(l); + (void) manager_write_resolv_conf(l->manager); + return sd_bus_reply_method_return(message, NULL); } @@ -456,7 +535,7 @@ const sd_bus_vtable link_vtable[] = { SD_BUS_PROPERTY("Domains", "a(sb)", property_get_domains, 0, 0), SD_BUS_PROPERTY("LLMNR", "s", property_get_resolve_support, offsetof(Link, llmnr_support), 0), SD_BUS_PROPERTY("MulticastDNS", "s", property_get_resolve_support, offsetof(Link, mdns_support), 0), - SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, offsetof(Link, dnssec_mode), 0), + SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, 0, 0), SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0), SD_BUS_PROPERTY("DNSSECSupported", "b", property_get_dnssec_supported, 0, 0), diff --git a/src/grp-resolve/systemd-resolved/resolved-link.c b/src/grp-resolve/systemd-resolved/resolved-link.c index 1d23e49172..d37ebbc419 100644 --- a/src/grp-resolve/systemd-resolved/resolved-link.c +++ b/src/grp-resolve/systemd-resolved/resolved-link.c @@ -20,7 +20,10 @@ #include <net/if.h> #include "basic/alloc-util.h" +#include "basic/fd-util.h" +#include "basic/fileio.h" #include "basic/missing.h" +#include "basic/mkdir.h" #include "basic/parse-util.h" #include "basic/string-util.h" #include "basic/strv.h" @@ -49,6 +52,9 @@ int link_new(Manager *m, Link **ret, int ifindex) { l->dnssec_mode = _DNSSEC_MODE_INVALID; l->operstate = IF_OPER_UNKNOWN; + if (asprintf(&l->state_file, "/run/systemd/resolve/netif/%i", ifindex) < 0) + return -ENOMEM; + r = hashmap_put(m->links, INT_TO_PTR(ifindex), l); if (r < 0) return r; @@ -93,6 +99,8 @@ Link *link_free(Link *l) { dns_scope_free(l->mdns_ipv4_scope); dns_scope_free(l->mdns_ipv6_scope); + free(l->state_file); + free(l); return NULL; } @@ -165,7 +173,7 @@ void link_add_rrs(Link *l, bool force_remove) { link_address_add_rrs(a, force_remove); } -int link_update_rtnl(Link *l, sd_netlink_message *m) { +int link_process_rtnl(Link *l, sd_netlink_message *m) { const char *n = NULL; int r; @@ -190,6 +198,27 @@ int link_update_rtnl(Link *l, sd_netlink_message *m) { return 0; } +static int link_update_dns_server_one(Link *l, const char *name) { + union in_addr_union a; + DnsServer *s; + int family, r; + + assert(l); + assert(name); + + r = in_addr_from_string_auto(name, &family, &a); + if (r < 0) + return r; + + s = dns_server_find(l->dns_servers, family, &a, 0); + if (s) { + dns_server_move_back_and_unmark(s); + return 0; + } + + return dns_server_new(l->manager, NULL, DNS_SERVER_LINK, l, family, &a, 0); +} + static int link_update_dns_servers(Link *l) { _cleanup_strv_free_ char **nameservers = NULL; char **nameserver; @@ -208,22 +237,9 @@ static int link_update_dns_servers(Link *l) { dns_server_mark_all(l->dns_servers); STRV_FOREACH(nameserver, nameservers) { - union in_addr_union a; - DnsServer *s; - int family; - - r = in_addr_from_string_auto(*nameserver, &family, &a); + r = link_update_dns_server_one(l, *nameserver); if (r < 0) goto clear; - - s = dns_server_find(l->dns_servers, family, &a); - if (s) - dns_server_move_back_and_unmark(s); - else { - r = dns_server_new(l->manager, NULL, DNS_SERVER_LINK, l, family, &a); - if (r < 0) - goto clear; - } } dns_server_unlink_marked(l->dns_servers); @@ -341,7 +357,6 @@ clear: static int link_update_dnssec_negative_trust_anchors(Link *l) { _cleanup_strv_free_ char **ntas = NULL; _cleanup_set_free_free_ Set *ns = NULL; - char **i; int r; assert(l); @@ -358,11 +373,9 @@ static int link_update_dnssec_negative_trust_anchors(Link *l) { if (!ns) return -ENOMEM; - STRV_FOREACH(i, ntas) { - r = set_put_strdup(ns, *i); - if (r < 0) - return r; - } + r = set_put_strdupv(ns, ntas); + if (r < 0) + return r; set_free_free(l->dnssec_negative_trust_anchors); l->dnssec_negative_trust_anchors = ns; @@ -379,6 +392,9 @@ static int link_update_search_domain_one(Link *l, const char *name, bool route_o DnsSearchDomain *d; int r; + assert(l); + assert(name); + r = dns_search_domain_find(l->search_domains, name, &d); if (r < 0) return r; @@ -439,7 +455,7 @@ clear: return r; } -static int link_is_unmanaged(Link *l) { +static int link_is_managed(Link *l) { _cleanup_free_ char *state = NULL; int r; @@ -447,11 +463,11 @@ static int link_is_unmanaged(Link *l) { r = sd_network_link_get_setup_state(l->ifindex, &state); if (r == -ENODATA) - return 1; + return 0; if (r < 0) return r; - return STR_IN_SET(state, "pending", "unmanaged"); + return !STR_IN_SET(state, "pending", "unmanaged"); } static void link_read_settings(Link *l) { @@ -461,12 +477,12 @@ static void link_read_settings(Link *l) { /* Read settings from networkd, except when networkd is not managing this interface. */ - r = link_is_unmanaged(l); + r = link_is_managed(l); if (r < 0) { log_warning_errno(r, "Failed to determine whether interface %s is managed: %m", l->name); return; } - if (r > 0) { + if (r == 0) { /* If this link used to be managed, but is now unmanaged, flush all our settings — but only once. */ if (l->is_managed) @@ -503,10 +519,11 @@ static void link_read_settings(Link *l) { log_warning_errno(r, "Failed to read search domains for interface %s, ignoring: %m", l->name); } -int link_update_monitor(Link *l) { +int link_update(Link *l) { assert(l); link_read_settings(l); + link_load_user(l); link_allocate_scopes(l); link_add_rrs(l, false); @@ -838,3 +855,261 @@ bool link_address_relevant(LinkAddress *a, bool local_multicast) { return true; } + +static bool link_needs_save(Link *l) { + assert(l); + + /* Returns true if any of the settings where set different from the default */ + + if (l->is_managed) + return false; + + if (l->llmnr_support != RESOLVE_SUPPORT_YES || + l->mdns_support != RESOLVE_SUPPORT_NO || + l->dnssec_mode != _DNSSEC_MODE_INVALID) + return true; + + if (l->dns_servers || + l->search_domains) + return true; + + if (!set_isempty(l->dnssec_negative_trust_anchors)) + return true; + + return false; +} + +int link_save_user(Link *l) { + _cleanup_free_ char *temp_path = NULL; + _cleanup_fclose_ FILE *f = NULL; + const char *v; + int r; + + assert(l); + assert(l->state_file); + + if (!link_needs_save(l)) { + (void) unlink(l->state_file); + return 0; + } + + r = mkdir_parents(l->state_file, 0700); + if (r < 0) + goto fail; + + r = fopen_temporary(l->state_file, &f, &temp_path); + if (r < 0) + goto fail; + + fputs("# This is private data. Do not parse.\n", f); + + v = resolve_support_to_string(l->llmnr_support); + if (v) + fprintf(f, "LLMNR=%s\n", v); + + v = resolve_support_to_string(l->mdns_support); + if (v) + fprintf(f, "MDNS=%s\n", v); + + v = dnssec_mode_to_string(l->dnssec_mode); + if (v) + fprintf(f, "DNSSEC=%s\n", v); + + if (l->dns_servers) { + DnsServer *server; + + fputs("SERVERS=", f); + LIST_FOREACH(servers, server, l->dns_servers) { + + if (server != l->dns_servers) + fputc(' ', f); + + v = dns_server_string(server); + if (!v) { + r = -ENOMEM; + goto fail; + } + + fputs(v, f); + } + fputc('\n', f); + } + + if (l->search_domains) { + DnsSearchDomain *domain; + + fputs("DOMAINS=", f); + LIST_FOREACH(domains, domain, l->search_domains) { + + if (domain != l->search_domains) + fputc(' ', f); + + if (domain->route_only) + fputc('~', f); + + fputs(DNS_SEARCH_DOMAIN_NAME(domain), f); + } + fputc('\n', f); + } + + if (!set_isempty(l->dnssec_negative_trust_anchors)) { + bool space = false; + Iterator i; + char *nta; + + fputs("NTAS=", f); + SET_FOREACH(nta, l->dnssec_negative_trust_anchors, i) { + + if (space) + fputc(' ', f); + + fputs(nta, f); + space = true; + } + fputc('\n', f); + } + + r = fflush_and_check(f); + if (r < 0) + goto fail; + + if (rename(temp_path, l->state_file) < 0) { + r = -errno; + goto fail; + } + + return 0; + +fail: + (void) unlink(l->state_file); + + if (temp_path) + (void) unlink(temp_path); + + return log_error_errno(r, "Failed to save link data %s: %m", l->state_file); +} + +int link_load_user(Link *l) { + _cleanup_free_ char + *llmnr = NULL, + *mdns = NULL, + *dnssec = NULL, + *servers = NULL, + *domains = NULL, + *ntas = NULL; + + ResolveSupport s; + int r; + + assert(l); + assert(l->state_file); + + /* Try to load only a single time */ + if (l->loaded) + return 0; + l->loaded = true; + + if (l->is_managed) + return 0; /* if the device is managed, then networkd is our configuration source, not the bus API */ + + r = parse_env_file(l->state_file, NEWLINE, + "LLMNR", &llmnr, + "MDNS", &mdns, + "DNSSEC", &dnssec, + "SERVERS", &servers, + "DOMAINS", &domains, + "NTAS", &ntas, + NULL); + if (r == -ENOENT) + return 0; + if (r < 0) + goto fail; + + link_flush_settings(l); + + /* If we can't recognize the LLMNR or MDNS setting we don't override the default */ + s = resolve_support_from_string(llmnr); + if (s >= 0) + l->llmnr_support = s; + + s = resolve_support_from_string(mdns); + if (s >= 0) + l->mdns_support = s; + + /* If we can't recognize the DNSSEC setting, then set it to invalid, so that the daemon default is used. */ + l->dnssec_mode = dnssec_mode_from_string(dnssec); + + if (servers) { + const char *p = servers; + + for (;;) { + _cleanup_free_ char *word = NULL; + + r = extract_first_word(&p, &word, NULL, 0); + if (r < 0) + goto fail; + if (r == 0) + break; + + r = link_update_dns_server_one(l, word); + if (r < 0) { + log_debug_errno(r, "Failed to load DNS server '%s', ignoring: %m", word); + continue; + } + } + } + + if (domains) { + const char *p = domains; + + for (;;) { + _cleanup_free_ char *word = NULL; + const char *n; + bool is_route; + + r = extract_first_word(&p, &word, NULL, 0); + if (r < 0) + goto fail; + if (r == 0) + break; + + is_route = word[0] == '~'; + n = is_route ? word + 1 : word; + + r = link_update_search_domain_one(l, n, is_route); + if (r < 0) { + log_debug_errno(r, "Failed to load search domain '%s', ignoring: %m", word); + continue; + } + } + } + + if (ntas) { + _cleanup_set_free_free_ Set *ns = NULL; + + ns = set_new(&dns_name_hash_ops); + if (!ns) { + r = -ENOMEM; + goto fail; + } + + r = set_put_strsplit(ns, ntas, NULL, 0); + if (r < 0) + goto fail; + + l->dnssec_negative_trust_anchors = ns; + ns = NULL; + } + + return 0; + +fail: + return log_error_errno(r, "Failed to load link data %s: %m", l->state_file); +} + +void link_remove_user(Link *l) { + assert(l); + assert(l->state_file); + + (void) unlink(l->state_file); +} diff --git a/src/grp-resolve/systemd-resolved/resolved-link.h b/src/grp-resolve/systemd-resolved/resolved-link.h index 98b440b563..def8b097e4 100644 --- a/src/grp-resolve/systemd-resolved/resolved-link.h +++ b/src/grp-resolve/systemd-resolved/resolved-link.h @@ -82,12 +82,15 @@ struct Link { char name[IF_NAMESIZE]; uint32_t mtu; uint8_t operstate; + + bool loaded; + char *state_file; }; int link_new(Manager *m, Link **ret, int ifindex); Link *link_free(Link *l); -int link_update_rtnl(Link *l, sd_netlink_message *m); -int link_update_monitor(Link *l); +int link_process_rtnl(Link *l, sd_netlink_message *m); +int link_update(Link *l); bool link_relevant(Link *l, int family, bool local_multicast); LinkAddress* link_find_address(Link *l, int family, const union in_addr_union *in_addr); void link_add_rrs(Link *l, bool force_remove); @@ -103,6 +106,10 @@ void link_next_dns_server(Link *l); DnssecMode link_get_dnssec_mode(Link *l); bool link_dnssec_supported(Link *l); +int link_save_user(Link *l); +int link_load_user(Link *l); +void link_remove_user(Link *l); + int link_address_new(Link *l, LinkAddress **ret, int family, const union in_addr_union *in_addr); LinkAddress *link_address_free(LinkAddress *a); int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m); diff --git a/src/grp-resolve/systemd-resolved/resolved-llmnr.c b/src/grp-resolve/systemd-resolved/resolved-llmnr.c index 24b7a4784f..1092b8b659 100644 --- a/src/grp-resolve/systemd-resolved/resolved-llmnr.c +++ b/src/grp-resolve/systemd-resolved/resolved-llmnr.c @@ -92,18 +92,19 @@ static int on_llmnr_packet(sd_event_source *s, int fd, uint32_t revents, void *u DnsScope *scope; int r; + assert(s); + assert(fd >= 0); + assert(m); + r = manager_recv(m, fd, DNS_PROTOCOL_LLMNR, &p); if (r <= 0) return r; scope = manager_find_scope(m, p); - if (!scope) { + if (!scope) log_warning("Got LLMNR UDP packet on unknown scope. Ignoring."); - return 0; - } - - if (dns_packet_validate_reply(p) > 0) { - log_debug("Got LLMNR reply packet for id %u", DNS_PACKET_ID(p)); + else if (dns_packet_validate_reply(p) > 0) { + log_debug("Got LLMNR UDP reply packet for id %u", DNS_PACKET_ID(p)); dns_scope_check_conflicts(scope, p); @@ -112,7 +113,7 @@ static int on_llmnr_packet(sd_event_source *s, int fd, uint32_t revents, void *u dns_transaction_process_reply(t, p); } else if (dns_packet_validate_query(p) > 0) { - log_debug("Got LLMNR query packet for id %u", DNS_PACKET_ID(p)); + log_debug("Got LLMNR UDP query packet for id %u", DNS_PACKET_ID(p)); dns_scope_process_query(scope, NULL, p); } else @@ -284,25 +285,19 @@ static int on_llmnr_stream_packet(DnsStream *s) { DnsScope *scope; assert(s); + assert(s->read_packet); scope = manager_find_scope(s->manager, s->read_packet); - if (!scope) { + if (!scope) log_warning("Got LLMNR TCP packet on unknown scope. Ignoring."); - return 0; - } - - if (dns_packet_validate_query(s->read_packet) > 0) { - log_debug("Got query packet for id %u", DNS_PACKET_ID(s->read_packet)); + else if (dns_packet_validate_query(s->read_packet) > 0) { + log_debug("Got LLMNR TCP query packet for id %u", DNS_PACKET_ID(s->read_packet)); dns_scope_process_query(scope, s, s->read_packet); - - /* If no reply packet was set, we free the stream */ - if (s->write_packet) - return 0; } else - log_debug("Invalid LLMNR TCP packet."); + log_debug("Invalid LLMNR TCP packet, ignoring."); - dns_stream_free(s); + dns_stream_unref(s); return 0; } diff --git a/src/grp-resolve/systemd-resolved/resolved-manager.c b/src/grp-resolve/systemd-resolved/resolved-manager.c index a326823c3a..0fff82bd98 100644 --- a/src/grp-resolve/systemd-resolved/resolved-manager.c +++ b/src/grp-resolve/systemd-resolved/resolved-manager.c @@ -23,6 +23,7 @@ #include "basic/af-list.h" #include "basic/alloc-util.h" +#include "basic/dirent-util.h" #include "basic/fd-util.h" #include "basic/fileio-label.h" #include "basic/hostname-util.h" @@ -39,6 +40,7 @@ #include "resolved-bus.h" #include "resolved-conf.h" +#include "resolved-dns-stub.h" #include "resolved-etc-hosts.h" #include "resolved-llmnr.h" #include "resolved-manager.h" @@ -78,11 +80,11 @@ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void * goto fail; } - r = link_update_rtnl(l, mm); + r = link_process_rtnl(l, mm); if (r < 0) goto fail; - r = link_update_monitor(l); + r = link_update(l); if (r < 0) goto fail; @@ -95,6 +97,7 @@ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void * case RTM_DELLINK: if (l) { log_debug("Removing link %i/%s", l->ifindex, l->name); + link_remove_user(l); link_free(l); } @@ -279,14 +282,12 @@ static int on_network_event(sd_event_source *s, int fd, uint32_t revents, void * sd_network_monitor_flush(m->network_monitor); HASHMAP_FOREACH(l, m->links, i) { - r = link_update_monitor(l); + r = link_update(l); if (r < 0) log_warning_errno(r, "Failed to update monitor information for %i: %m", l->ifindex); } - r = manager_write_resolv_conf(m); - if (r < 0) - log_warning_errno(r, "Could not update "PRIVATE_RESOLV_CONF": %m"); + (void) manager_write_resolv_conf(m); return 0; } @@ -468,6 +469,18 @@ static int manager_sigusr1(sd_event_source *s, const struct signalfd_siginfo *si return 0; } +static int manager_sigusr2(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) { + Manager *m = userdata; + + assert(s); + assert(si); + assert(m); + + manager_flush_caches(m); + + return 0; +} + int manager_new(Manager **ret) { _cleanup_(manager_freep) Manager *m = NULL; int r; @@ -481,11 +494,13 @@ int manager_new(Manager **ret) { m->llmnr_ipv4_udp_fd = m->llmnr_ipv6_udp_fd = -1; m->llmnr_ipv4_tcp_fd = m->llmnr_ipv6_tcp_fd = -1; m->mdns_ipv4_fd = m->mdns_ipv6_fd = -1; + m->dns_stub_udp_fd = m->dns_stub_tcp_fd = -1; m->hostname_fd = -1; m->llmnr_support = RESOLVE_SUPPORT_YES; m->mdns_support = RESOLVE_SUPPORT_NO; m->dnssec_mode = DEFAULT_DNSSEC_MODE; + m->enable_cache = true; m->read_resolv_conf = true; m->need_builtin_fallbacks = true; m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY; @@ -528,6 +543,9 @@ int manager_new(Manager **ret) { return r; (void) sd_event_add_signal(m->event, &m->sigusr1_event_source, SIGUSR1, manager_sigusr1, m); + (void) sd_event_add_signal(m->event, &m->sigusr2_event_source, SIGUSR2, manager_sigusr2, m); + + manager_cleanup_saved_user(m); *ret = m; m = NULL; @@ -540,6 +558,10 @@ int manager_start(Manager *m) { assert(m); + r = manager_dns_stub_start(m); + if (r < 0) + return r; + r = manager_llmnr_start(m); if (r < 0) return r; @@ -569,6 +591,11 @@ Manager *manager_free(Manager *m) { dns_scope_free(m->unicast_scope); + /* At this point only orphaned streams should remain. All others should have been freed already by their + * owners */ + while (m->dns_streams) + dns_stream_unref(m->dns_streams); + hashmap_free(m->links); hashmap_free(m->dns_transactions); @@ -580,12 +607,14 @@ Manager *manager_free(Manager *m) { manager_llmnr_stop(m); manager_mdns_stop(m); + manager_dns_stub_stop(m); sd_bus_slot_unref(m->prepare_for_sleep_slot); sd_event_source_unref(m->bus_retry_event_source); sd_bus_unref(m->bus); sd_event_source_unref(m->sigusr1_event_source); + sd_event_source_unref(m->sigusr2_event_source); sd_event_unref(m->event); @@ -643,6 +672,8 @@ int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret) { mh.msg_controllen = sizeof(control); l = recvmsg(fd, &mh, 0); + if (l == 0) + return 0; if (l < 0) { if (errno == EAGAIN || errno == EINTR) return 0; @@ -650,9 +681,6 @@ int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret) { return -errno; } - if (l <= 0) - return -EIO; - assert(!(mh.msg_flags & MSG_CTRUNC)); assert(!(mh.msg_flags & MSG_TRUNC)); @@ -794,7 +822,14 @@ int manager_write(Manager *m, int fd, DnsPacket *p) { return 0; } -static int manager_ipv4_send(Manager *m, int fd, int ifindex, const struct in_addr *addr, uint16_t port, DnsPacket *p) { +static int manager_ipv4_send( + Manager *m, + int fd, + int ifindex, + const struct in_addr *destination, + uint16_t port, + const struct in_addr *source, + DnsPacket *p) { union sockaddr_union sa = { .in.sin_family = AF_INET, }; @@ -807,14 +842,14 @@ static int manager_ipv4_send(Manager *m, int fd, int ifindex, const struct in_ad assert(m); assert(fd >= 0); - assert(addr); + assert(destination); assert(port > 0); assert(p); iov.iov_base = DNS_PACKET_DATA(p); iov.iov_len = p->size; - sa.in.sin_addr = *addr; + sa.in.sin_addr = *destination; sa.in.sin_port = htobe16(port), mh.msg_iov = &iov; @@ -838,12 +873,23 @@ static int manager_ipv4_send(Manager *m, int fd, int ifindex, const struct in_ad pi = (struct in_pktinfo*) CMSG_DATA(cmsg); pi->ipi_ifindex = ifindex; + + if (source) + pi->ipi_spec_dst = *source; } return sendmsg_loop(fd, &mh, 0); } -static int manager_ipv6_send(Manager *m, int fd, int ifindex, const struct in6_addr *addr, uint16_t port, DnsPacket *p) { +static int manager_ipv6_send( + Manager *m, + int fd, + int ifindex, + const struct in6_addr *destination, + uint16_t port, + const struct in6_addr *source, + DnsPacket *p) { + union sockaddr_union sa = { .in6.sin6_family = AF_INET6, }; @@ -856,14 +902,14 @@ static int manager_ipv6_send(Manager *m, int fd, int ifindex, const struct in6_a assert(m); assert(fd >= 0); - assert(addr); + assert(destination); assert(port > 0); assert(p); iov.iov_base = DNS_PACKET_DATA(p); iov.iov_len = p->size; - sa.in6.sin6_addr = *addr; + sa.in6.sin6_addr = *destination; sa.in6.sin6_port = htobe16(port), sa.in6.sin6_scope_id = ifindex; @@ -888,24 +934,36 @@ static int manager_ipv6_send(Manager *m, int fd, int ifindex, const struct in6_a pi = (struct in6_pktinfo*) CMSG_DATA(cmsg); pi->ipi6_ifindex = ifindex; + + if (source) + pi->ipi6_addr = *source; } return sendmsg_loop(fd, &mh, 0); } -int manager_send(Manager *m, int fd, int ifindex, int family, const union in_addr_union *addr, uint16_t port, DnsPacket *p) { +int manager_send( + Manager *m, + int fd, + int ifindex, + int family, + const union in_addr_union *destination, + uint16_t port, + const union in_addr_union *source, + DnsPacket *p) { + assert(m); assert(fd >= 0); - assert(addr); + assert(destination); assert(port > 0); assert(p); log_debug("Sending %s packet with id %" PRIu16 " on interface %i/%s.", DNS_PACKET_QR(p) ? "response" : "query", DNS_PACKET_ID(p), ifindex, af_to_name(family)); if (family == AF_INET) - return manager_ipv4_send(m, fd, ifindex, &addr->in, port, p); - else if (family == AF_INET6) - return manager_ipv6_send(m, fd, ifindex, &addr->in6, port, p); + return manager_ipv4_send(m, fd, ifindex, &destination->in, port, &source->in, p); + if (family == AF_INET6) + return manager_ipv6_send(m, fd, ifindex, &destination->in6, port, &source->in6, p); return -EAFNOSUPPORT; } @@ -1142,7 +1200,12 @@ int manager_compile_dns_servers(Manager *m, OrderedSet **dns) { return 0; } -int manager_compile_search_domains(Manager *m, OrderedSet **domains) { +/* filter_route is a tri-state: + * < 0: no filtering + * = 0 or false: return only domains which should be used for searching + * > 0 or true: return only domains which are for routing only + */ +int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_route) { DnsSearchDomain *d; Iterator i; Link *l; @@ -1156,6 +1219,11 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains) { return r; LIST_FOREACH(domains, d, m->search_domains) { + + if (filter_route >= 0 && + d->route_only != !!filter_route) + continue; + r = ordered_set_put(*domains, d->name); if (r == -EEXIST) continue; @@ -1166,6 +1234,11 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains) { HASHMAP_FOREACH(l, m->links, i) { LIST_FOREACH(domains, d, l->search_domains) { + + if (filter_route >= 0 && + d->route_only != !!filter_route) + continue; + r = ordered_set_put(*domains, d->name); if (r == -EEXIST) continue; @@ -1237,3 +1310,69 @@ bool manager_routable(Manager *m, int family) { return false; } + +void manager_flush_caches(Manager *m) { + DnsScope *scope; + + assert(m); + + LIST_FOREACH(scopes, scope, m->dns_scopes) + dns_cache_flush(&scope->cache); + + log_info("Flushed all caches."); +} + +void manager_cleanup_saved_user(Manager *m) { + _cleanup_closedir_ DIR *d = NULL; + struct dirent *de; + int r; + + assert(m); + + /* Clean up all saved per-link files in /run/systemd/resolve/netif/ that don't have a matching interface + * anymore. These files are created to persist settings pushed in by the user via the bus, so that resolved can + * be restarted without losing this data. */ + + d = opendir("/run/systemd/resolve/netif/"); + if (!d) { + if (errno == ENOENT) + return; + + log_warning_errno(errno, "Failed to open interface directory: %m"); + return; + } + + FOREACH_DIRENT_ALL(de, d, log_error_errno(errno, "Failed to read interface directory: %m")) { + _cleanup_free_ char *p = NULL; + int ifindex; + Link *l; + + if (!IN_SET(de->d_type, DT_UNKNOWN, DT_REG)) + continue; + + if (STR_IN_SET(de->d_name, ".", "..")) + continue; + + r = parse_ifindex(de->d_name, &ifindex); + if (r < 0) /* Probably some temporary file from a previous run. Delete it */ + goto rm; + + l = hashmap_get(m->links, INT_TO_PTR(ifindex)); + if (!l) /* link vanished */ + goto rm; + + if (l->is_managed) /* now managed by networkd, hence the bus settings are useless */ + goto rm; + + continue; + + rm: + p = strappend("/run/systemd/resolve/netif/", de->d_name); + if (!p) { + log_oom(); + return; + } + + (void) unlink(p); + } +} diff --git a/src/grp-resolve/systemd-resolved/resolved-manager.h b/src/grp-resolve/systemd-resolved/resolved-manager.h index dd2a534213..6c5274ce56 100644 --- a/src/grp-resolve/systemd-resolved/resolved-manager.h +++ b/src/grp-resolve/systemd-resolved/resolved-manager.h @@ -46,6 +46,7 @@ struct Manager { ResolveSupport llmnr_support; ResolveSupport mdns_support; DnssecMode dnssec_mode; + bool enable_cache; /* Network */ Hashmap *links; @@ -72,7 +73,6 @@ struct Manager { LIST_HEAD(DnsSearchDomain, search_domains); unsigned n_search_domains; - bool permit_domain_search; bool need_builtin_fallbacks:1; @@ -120,6 +120,7 @@ struct Manager { sd_bus_slot *prepare_for_sleep_slot; sd_event_source *sigusr1_event_source; + sd_event_source *sigusr2_event_source; unsigned n_transactions_total; unsigned n_dnssec_verdict[_DNSSEC_VERDICT_MAX]; @@ -128,6 +129,13 @@ struct Manager { Set* etc_hosts_by_address; Hashmap* etc_hosts_by_name; usec_t etc_hosts_last, etc_hosts_mtime; + + /* Local DNS stub on 127.0.0.53:53 */ + int dns_stub_udp_fd; + int dns_stub_tcp_fd; + + sd_event_source *dns_stub_udp_event_source; + sd_event_source *dns_stub_tcp_event_source; }; /* Manager */ @@ -140,7 +148,7 @@ int manager_start(Manager *m); uint32_t manager_find_mtu(Manager *m); int manager_write(Manager *m, int fd, DnsPacket *p); -int manager_send(Manager *m, int fd, int ifindex, int family, const union in_addr_union *addr, uint16_t port, DnsPacket *p); +int manager_send(Manager *m, int fd, int ifindex, int family, const union in_addr_union *destination, uint16_t port, const union in_addr_union *source, DnsPacket *p); int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret); int manager_find_ifindex(Manager *m, int family, const union in_addr_union *in_addr); @@ -161,7 +169,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free); int manager_is_own_hostname(Manager *m, const char *name); int manager_compile_dns_servers(Manager *m, OrderedSet **servers); -int manager_compile_search_domains(Manager *m, OrderedSet **domains); +int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_route); DnssecMode manager_get_dnssec_mode(Manager *m); bool manager_dnssec_supported(Manager *m); @@ -169,3 +177,7 @@ bool manager_dnssec_supported(Manager *m); void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key); bool manager_routable(Manager *m, int family); + +void manager_flush_caches(Manager *m); + +void manager_cleanup_saved_user(Manager *m); diff --git a/src/grp-resolve/systemd-resolved/resolved-resolv-conf.c b/src/grp-resolve/systemd-resolved/resolved-resolv-conf.c index c50796de2e..5d6b4203bc 100644 --- a/src/grp-resolve/systemd-resolved/resolved-resolv-conf.c +++ b/src/grp-resolve/systemd-resolved/resolved-resolv-conf.c @@ -93,7 +93,7 @@ int manager_read_resolv_conf(Manager *m) { a = first_word(l, "nameserver"); if (a) { - r = manager_add_dns_server_by_string(m, DNS_SERVER_SYSTEM, a); + r = manager_parse_dns_server_string_and_warn(m, DNS_SERVER_SYSTEM, a); if (r < 0) log_warning_errno(r, "Failed to parse DNS server address '%s', ignoring.", a); @@ -150,9 +150,7 @@ static void write_resolv_conf_server(DnsServer *s, FILE *f, unsigned *count) { assert(f); assert(count); - (void) dns_server_string(s); - - if (!s->server_string) { + if (!dns_server_string(s)) { log_warning("Our of memory, or invalid DNS address. Ignoring server."); return; } @@ -161,44 +159,49 @@ static void write_resolv_conf_server(DnsServer *s, FILE *f, unsigned *count) { fputs("# Too many DNS servers configured, the following entries may be ignored.\n", f); (*count)++; - fprintf(f, "nameserver %s\n", s->server_string); + fprintf(f, "nameserver %s\n", dns_server_string(s)); } static void write_resolv_conf_search( - const char *domain, - FILE *f, - unsigned *count, - unsigned *length) { + OrderedSet *domains, + FILE *f) { + unsigned length = 0, count = 0; + Iterator i; + char *domain; - assert(domain); + assert(domains); assert(f); - assert(length); - if (*count >= MAXDNSRCH || - *length + strlen(domain) > 256) { - if (*count == MAXDNSRCH) - fputs(" # Too many search domains configured, remaining ones ignored.", f); - if (*length <= 256) - fputs(" # Total length of all search domains is too long, remaining ones ignored.", f); + fputs("search", f); - return; + ORDERED_SET_FOREACH(domain, domains, i) { + if (++count > MAXDNSRCH) { + fputs("\n# Too many search domains configured, remaining ones ignored.", f); + break; + } + length += strlen(domain) + 1; + if (length > 256) { + fputs("\n# Total length of all search domains is too long, remaining ones ignored.", f); + break; + } + fputc(' ', f); + fputs(domain, f); } - (*length) += strlen(domain); - (*count)++; - - fputc(' ', f); - fputs(domain, f); + fputs("\n", f); } static int write_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *domains) { Iterator i; fputs("# This file is managed by systemd-resolved(8). Do not edit.\n#\n" - "# Third party programs must not access this file directly, but\n" - "# only through the symlink at /etc/resolv.conf. To manage\n" - "# resolv.conf(5) in a different way, replace the symlink by a\n" - "# static file or a different symlink.\n\n", f); + "# This is a dynamic resolv.conf file for connecting local clients directly to\n" + "# all known DNS servers.\n#\n" + "# Third party programs must not access this file directly, but only through the\n" + "# symlink at /etc/resolv.conf. To manage resolv.conf(5) in a different way,\n" + "# replace this symlink by a static file or a different symlink.\n#\n" + "# See systemd-resolved.service(8) for details about the supported modes of\n" + "# operation for /etc/resolv.conf.\n\n", f); if (ordered_set_isempty(dns)) fputs("# No DNS servers known.\n", f); @@ -210,15 +213,8 @@ static int write_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *doma write_resolv_conf_server(s, f, &count); } - if (!ordered_set_isempty(domains)) { - unsigned length = 0, count = 0; - char *domain; - - fputs("search", f); - ORDERED_SET_FOREACH(domain, domains, i) - write_resolv_conf_search(domain, f, &count, &length); - fputs("\n", f); - } + if (!ordered_set_isempty(domains)) + write_resolv_conf_search(domains, f); return fflush_and_check(f); } @@ -233,29 +229,31 @@ int manager_write_resolv_conf(Manager *m) { assert(m); /* Read the system /etc/resolv.conf first */ - manager_read_resolv_conf(m); + (void) manager_read_resolv_conf(m); /* Add the full list to a set, to filter out duplicates */ r = manager_compile_dns_servers(m, &dns); if (r < 0) - return r; + return log_warning_errno(r, "Failed to compile list of DNS servers: %m"); - r = manager_compile_search_domains(m, &domains); + r = manager_compile_search_domains(m, &domains, false); if (r < 0) - return r; + return log_warning_errno(r, "Failed to compile list of search domains: %m"); r = fopen_temporary_label(PRIVATE_RESOLV_CONF, PRIVATE_RESOLV_CONF, &f, &temp_path); if (r < 0) - return r; + return log_warning_errno(r, "Failed to open private resolv.conf file for writing: %m"); - fchmod(fileno(f), 0644); + (void) fchmod(fileno(f), 0644); r = write_resolv_conf_contents(f, dns, domains); - if (r < 0) + if (r < 0) { + log_error_errno(r, "Failed to write private resolv.conf contents: %m"); goto fail; + } if (rename(temp_path, PRIVATE_RESOLV_CONF) < 0) { - r = -errno; + r = log_error_errno(errno, "Failed to move private resolv.conf file into place: %m"); goto fail; } @@ -264,5 +262,6 @@ int manager_write_resolv_conf(Manager *m) { fail: (void) unlink(PRIVATE_RESOLV_CONF); (void) unlink(temp_path); + return r; } diff --git a/src/grp-resolve/systemd-resolved/resolved.c b/src/grp-resolve/systemd-resolved/resolved.c index 07952227ce..39fa423eeb 100644 --- a/src/grp-resolve/systemd-resolved/resolved.c +++ b/src/grp-resolve/systemd-resolved/resolved.c @@ -68,11 +68,15 @@ int main(int argc, char *argv[]) { goto finish; } - r = drop_privileges(uid, gid, 0); + /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */ + r = drop_privileges(uid, gid, + (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */ + (UINT64_C(1) << CAP_NET_BIND_SERVICE)| /* needed to bind on port 53 */ + (UINT64_C(1) << CAP_SETPCAP) /* needed in order to drop the caps later */); if (r < 0) goto finish; - assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, SIGUSR1, -1) >= 0); + assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, SIGUSR1, SIGUSR2, -1) >= 0); r = manager_new(&m); if (r < 0) { @@ -86,11 +90,15 @@ int main(int argc, char *argv[]) { goto finish; } - /* Write finish default resolv.conf to avoid a dangling - * symlink */ - r = manager_write_resolv_conf(m); - if (r < 0) - log_warning_errno(r, "Could not create "PRIVATE_RESOLV_CONF": %m"); + /* Write finish default resolv.conf to avoid a dangling symlink */ + (void) manager_write_resolv_conf(m); + + /* Let's drop the remaining caps now */ + r = capability_bounding_set_drop(0, true); + if (r < 0) { + log_error_errno(r, "Failed to drop remaining caps: %m"); + goto finish; + } sd_notify(false, "READY=1\n" diff --git a/src/grp-resolve/systemd-resolved/resolved.conf.in b/src/grp-resolve/systemd-resolved/resolved.conf.in index a288588924..3bd8389c88 100644 --- a/src/grp-resolve/systemd-resolved/resolved.conf.in +++ b/src/grp-resolve/systemd-resolved/resolved.conf.in @@ -17,3 +17,4 @@ #Domains= #LLMNR=yes #DNSSEC=@DEFAULT_DNSSEC_MODE@ +#Cache=yes diff --git a/src/grp-resolve/systemd-resolved/resolved.conf.xml b/src/grp-resolve/systemd-resolved/resolved.conf.xml index 920ce9e89b..7556c6ff31 100644 --- a/src/grp-resolve/systemd-resolved/resolved.conf.xml +++ b/src/grp-resolve/systemd-resolved/resolved.conf.xml @@ -202,6 +202,17 @@ </listitem> </varlistentry> + <varlistentry> + <term><varname>Cache=</varname></term> + <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got + queried earlier will return the previous result as long as it is still valid, and thus does not result in a new + network request. Be aware that that turning off caching comes at a performance penalty, which is particularly + high when DNSSEC is used.</para> + + <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address + (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem> + </varlistentry> + </variablelist> </refsect1> diff --git a/src/grp-resolve/systemd-resolved/systemd-resolved.service.m4.in b/src/grp-resolve/systemd-resolved/systemd-resolved.service.m4.in index 8e1c1dea79..15ab56a066 100644 --- a/src/grp-resolve/systemd-resolved/systemd-resolved.service.m4.in +++ b/src/grp-resolve/systemd-resolved/systemd-resolved.service.m4.in @@ -23,10 +23,12 @@ Type=notify Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-resolved -CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER +CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE ProtectSystem=full ProtectHome=yes WatchdogSec=3min +MemoryDenyWriteExecute=yes +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io [Install] WantedBy=multi-user.target diff --git a/src/grp-resolve/systemd-resolved/systemd-resolved.service.xml b/src/grp-resolve/systemd-resolved/systemd-resolved.service.xml index 829729ca09..aa1c2365e5 100644 --- a/src/grp-resolve/systemd-resolved/systemd-resolved.service.xml +++ b/src/grp-resolve/systemd-resolved/systemd-resolved.service.xml @@ -58,27 +58,45 @@ <para><command>systemd-resolved</command> is a system service that provides network name resolution to local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR resolver and - responder. In addition it maintains the <filename>/run/systemd/resolve/resolv.conf</filename> file for - compatibility with traditional Linux programs. This file may be symlinked from - <filename>/etc/resolv.conf</filename>.</para> - - <para>The glibc NSS module - <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry> is required to - permit glibc's NSS resolver functions to resolve host names via <command>systemd-resolved</command>.</para> - - <para>The DNS servers contacted are determined from the global - settings in <filename>/etc/systemd/resolved.conf</filename>, the - per-link static settings in <filename>/etc/systemd/network/*.network</filename> files, - and the per-link dynamic settings received over DHCP. See - <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> - and - <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details. To improve compatibility, - <filename>/etc/resolv.conf</filename> is read in order to discover - configured system DNS servers, but only if it is not a symlink - to <filename>/run/systemd/resolve/resolv.conf</filename> (see above).</para> + responder. Local applications may submit network name resolution requests via three interfaces:</para> + + <itemizedlist> + <listitem><para>The native, fully-featured API <command>systemd-resolved</command> exposes on the bus. See the + <ulink url="http://www.freedesktop.org/wiki/Software/systemd/resolved">API Documentation</ulink> for + details. Usage of this API is generally recommended to clients as it is asynchronous and fully featured (for + example, properly returns DNSSEC validation status and interface scope for addresses as necessary for supporting + link-local networking).</para></listitem> + + <listitem><para>The glibc + <citerefentry><refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum></citerefentry> API as defined + by <ulink url="https://tools.ietf.org/html/rfc3493">RFC3493</ulink> and its related resolver functions, + including <citerefentry><refentrytitle>gethostbyname</refentrytitle><manvolnum>3</manvolnum></citerefentry>. This + API is widely supported, including beyond the Linux platform. In its current form it does not expose DNSSEC + validation status information however, and is synchronous only. This API is backed by the glibc Name Service + Switch (<citerefentry><refentrytitle>nss</refentrytitle><manvolnum>5</manvolnum></citerefentry>). Usage of the + glibc NSS module <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry> + is required in order to allow glibc's NSS resolver functions to resolve host names via + <command>systemd-resolved</command>.</para></listitem> + + <listitem><para>Additionally, <command>systemd-resolved</command> provides a local DNS stub listener on IP + address 127.0.0.53 on the local loopback interface. Programs issuing DNS requests directly, bypassing any local + API may be directed to this stub, in order to connect them to <command>systemd-resolved</command>. Note however + that it is strongly recommended that local programs use the glibc NSS or bus APIs instead (as described above), + as various network resolution concepts (such as link-local addressing, or LLMNR Unicode domains) cannot be mapped + to the unicast DNS protocol.</para></listitem> + </itemizedlist> + + <para>The DNS servers contacted are determined from the global settings in + <filename>/etc/systemd/resolved.conf</filename>, the per-link static settings in + <filename>/etc/systemd/network/*.network</filename> files, the per-link dynamic settings received over DHCP and any + DNS server information made available by other system services. See + <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and + <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details + about systemd's own configuration files for DNS servers. To improve compatibility, + <filename>/etc/resolv.conf</filename> is read in order to discover configured system DNS servers, but only if it is + not a symlink to <filename>/run/systemd/resolve/resolv.conf</filename> (see below).</para> - <para><command>systemd-resolved</command> synthesizes DNS RRs for the following cases:</para> + <para><command>systemd-resolved</command> synthesizes DNS resource records (RRs) for the following cases:</para> <itemizedlist> <listitem><para>The local, configured hostname is resolved to @@ -137,15 +155,68 @@ per-interface domains are exclusively routed to the matching interfaces.</para> - <para>Note that <filename>/run/systemd/resolve/resolv.conf</filename> should not be used directly by applications, - but only through a symlink from <filename>/etc/resolv.conf</filename>.</para> - <para>See the <ulink url="http://www.freedesktop.org/wiki/Software/systemd/resolved"> resolved D-Bus API Documentation</ulink> for information about the APIs <filename>systemd-resolved</filename> provides.</para> </refsect1> <refsect1> + <title><filename>/etc/resolv.conf</filename></title> + + <para>Three modes of handling <filename>/etc/resolv.conf</filename> (see + <citerefentry><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) are + supported:</para> + + <itemizedlist> + <listitem><para>A static file <filename>/usr/lib/systemd/resolv.conf</filename> is provided that lists + the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from + <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs to + <command>systemd-resolved</command>. This mode of operation is recommended.</para></listitem> + + <listitem><para><command>systemd-resolved</command> maintains the + <filename>/run/systemd/resolve/resolv.conf</filename> file for compatibility with traditional Linux + programs. This file may be symlinked from <filename>/etc/resolv.conf</filename> and is always kept up-to-date, + containing information about all known DNS servers. Note the file format's limitations: it does not know a + concept of per-interface DNS servers and hence only contains system-wide DNS server definitions. Note that + <filename>/run/systemd/resolve/resolv.conf</filename> should not be used directly by applications, but only + through a symlink from <filename>/etc/resolv.conf</filename>. If this mode of operation is used local clients + that bypass any local DNS API will also bypass <command>systemd-resolved</command> and will talk directly to the + known DNS servers.</para> </listitem> + + <listitem><para>Alternatively, <filename>/etc/resolv.conf</filename> may be managed by other packages, in which + case <command>systemd-resolved</command> will read it for DNS configuration data. In this mode of operation + <command>systemd-resolved</command> is consumer rather than provider of this configuration + file. </para></listitem> + </itemizedlist> + + <para>Note that the selected mode of operation for this file is detected fully automatically, depending on whether + <filename>/etc/resolv.conf</filename> is a symlink to <filename>/run/systemd/resolve/resolv.conf</filename> or + lists 127.0.0.53 as DNS server.</para> + </refsect1> + + <refsect1> + <title>Signals</title> + + <variablelist> + <varlistentry> + <term><constant>SIGUSR1</constant></term> + + <listitem><para>Upon reception of the SIGUSR1 process signal <command>systemd-resolved</command> will dump the + contents of all DNS resource record caches it maintains into the system logs.</para></listitem> + </varlistentry> + + <varlistentry> + <term><constant>SIGUSR2</constant></term> + + <listitem><para>Upon reception of the SIGUSR2 process signal <command>systemd-resolved</command> will flush all + caches it maintains. Note that it should normally not be necessary to request this explicitly – except for + debugging purposes – as <command>systemd-resolved</command> flushes the caches automatically anyway any time + the host's network configuration changes.</para></listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> <title>See Also</title> <para> <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, diff --git a/src/grp-resolve/systemd-resolved/systemd-resolved.tmpfiles b/src/grp-resolve/systemd-resolved/systemd-resolved.tmpfiles index 3160f5cf7e..760fe11412 100644 --- a/src/grp-resolve/systemd-resolved/systemd-resolved.tmpfiles +++ b/src/grp-resolve/systemd-resolved/systemd-resolved.tmpfiles @@ -7,4 +7,4 @@ # See tmpfiles.d(5) for details -L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf +L! /etc/resolv.conf - - - - ../usr/lib/systemd/resolv.conf |