Age | Commit message (Collapse) | Author |
|
When no network enables LLMNR or mDNS, it is not necessary to create
LLMNR or mDNS related sockets. So, let's create them only when
LLMNR- or mDNS-enabled network becomes active or at least one network
enables `LLMNR=` or `MulticastDNS=` options.
|
|
This changes resolved to use the compile-time fallback hostname the
configured one is not set. Note that if the local hostname is set to
"localhost" then we'll instead default to "linux" here, as for
mDNS/LLMNR exposing "localhost" is actively dangerous.
|
|
|
|
Previously, we'd only synthesize RRs for the LLMNR and mDNS versions of
the hostnames (i.e. the first label of the kernel hostname, as well as
the first label of the kernel hostname suffixed with .local). With this
change, we also synthesize an RR for the full hostname, which is
relevant in case it has more than one label.
Fixes: #5041
|
|
We use different idioms at different places. Let's replace this is the
one true new idiom, that is even a bit faster...
|
|
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
|
|
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
|
|
|
|
|
|
With commit 6f7da49d00 route-only domains do not get put into resolv.conf's
"search" list any more. Add a comment about the tri-state, to clarify its
semantics and why we are passing a bool parameter into an int type. Also add a
test case for it.
|
|
In some cases, caching DNS results locally is not desirable, a it makes DNS
cache poisoning attacks a tad easier and also allows users on the system to
determine whether or not a particular domain got visited by another user. Thus
provide a new "Cache" resolved.conf option to disable it.
|
|
In order to improve compatibility with local clients that speak DNS directly
(and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process
any queries made that way.
Note that resolved does not implement a full DNS server on this port, but
simply enough to allow normal, local clients to resolve RRs through resolved.
Specifically it does not implement queries without the RD bit set (these are
requests where recursive lookups are explicitly disabled), and neither queries
with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with
validation turned off). It also refuses zone transfers and obsolete RR types.
All lookups done this way will be rejected with a clean error code, so that the
client side can repeat the query with a reduced feature set.
The code will set the DNSSEC AD flag however, depending on whether the data
resolved has been validated (or comes from a local, trusted source).
Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary,
but this is only partially useful as DNS packets cannot carry IP scope data
(i.e. the ifindex), and hence link-local addresses returned cannot be used
properly (and given that LLMNR/mDNS are mostly about link-local communication
this is quite a limitation). Also, given that DNS tends to use IDNA for
non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1.
In general this should improve compatibility with clients bypassing NSS but
it is highly recommended for clients to instead use NSS or our native bus API.
This patch also beefs up the DnsStream logic, as it reuses the code for local
TCP listening. DnsStream now provides proper reference counting for its
objects.
In order to avoid feedback loops resolved will no silently ignore 127.0.0.53
specified as DNS server when reading configuration.
resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave
the latter free for local, external DNS servers or forwarders.
This also changes the "etc.conf" tmpfiles snippet to create a symlink from
/etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this
stub the default mode of operation if /etc is not populated.
|
|
restarts
Let's make sure that all settings pushed in stay around when systemd-resolved
is restarted.
|
|
After all, /etc/resolv.conf doesn't know the concept of "route-only domains",
hence the domains should really not appear there.
|
|
Follow-up for #3502.
|
|
And expose it in "resolve-tool --flush-caches".
|
|
|
|
changed via bus calls
This also moves log message generation into manager_write_resolv_conf(), so
that it is shorter to invoke the function, given that we have to invoke it at a
couple of additional places now.
Fixes: #3225
|
|
Make sure we can parse DNS server addresses that use the "zone id" syntax for
local link addresses, i.e. "fe80::c256:27ff:febb:12f%wlp3s0", when reading
/etc/resolv.conf.
Also make sure we spit this out correctly again when writing /etc/resolv.conf
and via the bus.
Fixes: #3359
|
|
packet (#3323)
Fixes:
-bash-4.3# ss --udp -l -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:5355 *:* users:(("systemd-resolve",pid=601,fd=12))
UNCONN 0 0 :::5355 :::* users:(("systemd-resolve",pid=601,fd=14))
-bash-4.3# nping --udp -p 5355 --data-length 0 -c 1 localhost
-bash-4.3# journalctl -u systemd-resolved -b --no-hostname
...
May 21 14:59:22 systemd-resolved[601]: Event source llmnr-ipv4-udp (type io) returned error, disabling: Input/output error
...
-bash-4.3# nping --udp -p 5355 --data-length 1000 -c 1 localhost
-bash-4.3# ss --udp -l
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 2304 0 *:5355 *:*
UNCONN 0 0 :::5355 :::*
|
|
resolve: dumping of binary packets
|
|
When the buffer is allocated on the stack we do not have to check for
failure everywhere. This is especially useful in debug statements, because
we can put dns_resource_key_to_string() call in the debug statement, and
we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion.
dns_resource_key_to_string() is changed not to provide any whitespace
padding. Most callers were stripping the whitespace with strstrip(),
and it did not look to well anyway. systemd-resolve output is not column
aligned anymore.
The result of the conversion is not stored in DnsTransaction object
anymore. It is used only for debugging, so it seems fine to generate it
when needed.
Various debug statements are extended to provide more information.
|
|
Networkd, resolved, build-sys fixes
|
|
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to
"allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled
by default add a configure switch to disable this again.
DNSSEC in "allow-downgrade" mode should mostly work without affecting user
experience. There's one exception: some captive portal systems rewrite DNS in
order to redirect HTTP traffic to the captive portal. If these systems
implement DNS servers that are otherwise DNSSEC-capable (which in fact is
pretty unlikely, but still...), then this will result in the captive portal
being inaccessible. To fix this support in NetworkManager (or any other network
management solution that does captive portal detection) is required, which
simply turns off DNSSEC during the captive portal detection, and resets it back
to the default (i.e. on) after captive portal authentication is complete.
|
|
Fixes: #2457
|
|
This should be handled fine now by .dir-locals.el, so need to carry that
stuff in every file.
|
|
Previously, if a hostanem is resolved with AF_UNSPEC specified, this would be used as indication to resolve both an
AF_INET and an AF_INET6 address. With this change this logic is altered: an AF_INET address is only resolved if there's
actually a routable IPv4 address on the specific interface, and similar an AF_INET6 address is only resolved if there's
a routable IPv6 address. With this in place, it's ensured that the returned data is actually connectable by
applications. This logic mimics glibc's resolver behaviour.
Note that if the client asks explicitly for AF_INET or AF_INET6 it will get what it asked for.
This also simplifies the logic how it is determined whether a specific lookup shall take place on a scope.
Specifically, the checks with dns_scope_good_key() are now moved out of the transaction code and into the query code,
so that we don't even create a transaction object on a specific scope if we cannot execute the resolution on it anyway.
|
|
Otherwise it's unclear if it's /etc/resolv.conf or some
other file that is meant.
|
|
Lets make sure we always take notice of network changes before answering client requests.
This way, calls like SetLinkDNS() become race-free as the specified interface index is guarantee to have been processed
if it exists before we make changes to it.
|
|
This way the difference between lookups via NSS and our native bus API should become minimal.
|
|
Also, don't consider RRs that aren't primary to the lookups we do as relevant to the lookups.
|
|
Not only report whether the server actually supports DNSSEC, but also first check whether DNSSEC is actually enabled
for it in our local configuration.
Also, export a per-link DNSSECSupported property in addition to the existing manager-wide property.
|
|
|
|
This adds a DNSSEC= setting to .network files, and makes resolved honour
them.
|
|
networkd previously knew an enum "ResolveSupport" for configuring
per-interface LLMNR support, resolved had a similar enum just called
"Support", with the same value and similar pasers.
Unify this, call the enum ResolveSupport, and port both daemons to it.
|
|
In a couple of cases we maintain configuration settings that know an on
and off state, like a boolean, plus some additional states. We generally
parse them as booleans first, and if that fails check for specific
additional values.
This adds a generalized set of macros for parsing such settings, and
ports one use in resolved and another in networkd over to it.
|
|
|
|
Follow what LLMNR does, and create per-link DnsScope objects.
|
|
Just hook up mDNS listeners with an empty packet dispather function,
introduce a config directive, man page updates etc.
|
|
When doing DNSSEC lookups we need to know one or more DS or DNSKEY RRs
as trust anchors to validate lookups. With this change we add a
compiled-in trust anchor database, serving the root DS key as of today,
retrieved from:
https://data.iana.org/root-anchors/root-anchors.xml
The interface is kept generic, so that additional DS or DNSKEY RRs may
be served via the same interface, for example by provisioning them
locally in external files to support "islands" of security.
The trust anchor database becomes the fourth source of RRs we maintain,
besides, the network, the local cache, and the local zone.
|
|
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
|
|
The new dns_label_escape() call now operates on a buffer passed in,
similar to dns_label_unescape(). This should make decoding a bit faster,
and nicer.
|
|
Let's split this out from the resolv.conf parser, so that this becomes
generically useful.
|
|
This copies concepts we introduced for the DnsSearchDomain stuff, and
reworks the operations on lists of dns servers to be reusable and
generic for use both with the Link and the Manager object.
|
|
With this change, we add a new object to resolved, "DnsSearchDomain="
which wraps a search domain. This is then used to introduce a global
search domain list, in addition to the existing per-link search domain
list which is reword to make use of this new object too.
This is preparation for implement proper unicast DNS search domain
support.
|
|
Closes #342.
|
|
Previously, there was a chance of memory corruption, because when
switching to the next DNS server we didn't care whether they linked list
of DNS servers was still valid.
Clean up lifecycle of the dns server logic:
- When a DnsServer object is still in the linked list of DnsServers for
a link or the manager, indicate so with a "linked" boolean field, and
never follow the linked list if that boolean is not set.
- When picking a DnsServer to use for a link ot manager, always
explicitly take a reference.
This also rearranges some logic, to make the tracking of dns servers by
link and globally more alike.
|
|
resolved-dns-server.c
|
|
No functional changes.
|
|
Let's use the same parser when parsing dns server information from
/etc/resolv.conf and our native configuration file.
Also, move all code that manages lists of dns servers to a single place.
resolved-dns-server.c
|