| -rw-r--r-- | src/resolve/resolved-dns-query.c | 15 | 
1 files changed, 12 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 06d30d7863..b8bdff9dfa 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -967,6 +967,17 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
         if (r == 0 && k == 0) /* No actual cname happened? */
                 return -ELOOP;
+        if (q->answer_protocol == DNS_PROTOCOL_DNS) {
+                /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
+                 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
+                 * ones. */
+
+                q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
+        }
+
+        /* Turn off searching for the new name */
+        q->flags |= SD_RESOLVED_NO_SEARCH;
+
         dns_question_unref(q->question_idna);
         q->question_idna = nq_idna;
         nq_idna = NULL;
@@ -977,10 +988,8 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
         dns_query_free_candidates(q);
         dns_query_reset_answer(q);
-        q->state = DNS_TRANSACTION_NULL;
-        /* Turn off searching for the new name */
-        q->flags |= SD_RESOLVED_NO_SEARCH;
+        q->state = DNS_TRANSACTION_NULL;
         return 0;
 }
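Review bot: The protocol-masking and `SD_RESOLVED_NO_SEARCH` writes to `q->flags` now happen in the first hunk, before the question is swapped in and the candidates and answer are reset, whereas the lines removed in the second hunk applied NO_SEARCH only at the very end of dns_query_cname_redirect, after everything else had succeeded. The old lines between the two hunks (973–976) are not visible here; if any of them can fail and return early, a failed redirect now leaves the query with its protocol flags already narrowed and search disabled, which the previous ordering avoided. If nothing in that stretch can fail, a short comment above the new block, `/* Flags are adjusted before the question swap; nothing below this point can fail. */`, would make that invariant explicit for the next reader. The function begins before the first hunk, so its earlier error paths are not in view either.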
