3 files changed, 13 insertions, 6 deletions

diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index ac44cf2343..61bca04b94 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -822,7 +822,11 @@ static int dns_scope_make_conflict_packet(
                                                               0 /* (ad) */,
                                                               0 /* (cd) */,
                                                               0));
-        random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
+
+        /* For mDNS, the transaction ID should always be 0 */
+        if (s->protocol != DNS_PROTOCOL_MDNS)
+                random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
+
         DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
         DNS_PACKET_HEADER(p)->arcount = htobe16(1);
 
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index efed761001..c03aa5d287 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -919,7 +919,6 @@ static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
         }
 
         DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
-        DNS_PACKET_HEADER(p)->id = t->id;
 
         /* Append known answer section if we're asking for any shared record */
         if (add_known_answers) {
diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c
index abe63d58c1..d6973a6999 100644
--- a/src/resolve/resolved-mdns.c
+++ b/src/resolve/resolved-mdns.c
@@ -86,7 +86,7 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
         }
 
         if (dns_packet_validate_reply(p) > 0) {
-                unsigned i;
+                DnsResourceRecord *rr;
 
                 log_debug("Got mDNS reply packet");
 
@@ -107,11 +107,15 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
 
                 dns_scope_check_conflicts(scope, p);
 
-                for (i = 0; i < p->answer->n_rrs; i++) {
-                        DnsResourceRecord *rr;
+                DNS_ANSWER_FOREACH(rr, p->answer) {
+                        const char *name = DNS_RESOURCE_KEY_NAME(rr->key);
                         DnsTransaction *t;
 
-                        rr = p->answer->items[i].rr;
+                        /* If the received reply packet contains ANY record that is not .local or .in-addr.arpa,
+                         * we assume someone's playing tricks on us and discard the packet completely. */
+                        if (!(dns_name_endswith(name, "in-addr.arpa") > 0 ||
+                              dns_name_endswith(name, "local") > 0))
+                                return 0;
 
                         t = dns_scope_find_transaction(scope, rr->key, false);
                         if (t)