summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2016-12-17FSDG: systemd-resolved: Default to hostname "gnu-linux" instead of "linux"Luke Shumaker
2016-10-24resolved: properly check for the root domainLennart Poettering
Fix-up for #4164
2016-10-16tree-wide: use mfree moreZbigniew Jędrzejewski-Szmek
2016-10-11resolve: remove unsed counter (#4349)Thomas H. P. Andersen
It was introduced but never used in 45ec7efb.
2016-10-10resolved: initialize variable (#4338)Thomas H. P. Andersen
r was not initialized and would be used if "tcp" was the only option used for the stub. We should initialize it to 0 to indicate that no error happened in the udp case.
2016-10-09resolved: also disable stub listener on EPERMZbigniew Jędrzejewski-Szmek
When running in a user namespace without private networking, resolved would fail to start. There isn't much difference between EADDRINUSE and EPERM, so treat them the same, except for the warning message text.
2016-10-09resolved: simplify error handling in manager_dns_stub_{udp,tcp}_fd()Zbigniew Jędrzejewski-Szmek
Make sure an error is always printed… When systemd-resolved is started in a user namespace without private network, it would fail on setsockopt, but the error wouldn't be particularly informative: "Failed to start manager: permission denied."
2016-10-08systemd-resolve: use sha256 for local-part of openpgp key (#4193)Stefan Schweter
2016-10-07Merge pull request #4061 from dm0-/coreos-1545Lennart Poettering
resolved: add an option to disable the stub resolver
2016-10-07resolved: add an option to control the DNS stub listenerDavid Michael
2016-10-06tree-wide: drop some misleading compiler warningsLennart Poettering
gcc at some optimization levels thinks thes variables were used without initialization. it's wrong, but let's make the message go anyway.
2016-10-06resolved: properly handle BADCOOKIE DNS errorLennart Poettering
Add this new error code (documented in RFC7873) to our list of known errors.
2016-09-30resolved: don't query domain-limited DNS servers for other domains (#3621)Martin Pitt
DNS servers which have route-only domains should only be used for the specified domains. Routing queries about other domains there is a privacy violation, prone to fail (as that DNS server was not meant to be used for other domains), and puts unnecessary load onto that server. Introduce a new helper function dns_server_limited_domains() that checks if the DNS server should only be used for some selected domains, i. e. has some route-only domains without "~.". Use that when determining whether to query it in the scope, and when writing resolv.conf. Extend the test_route_only_dns() case to ensure that the DNS server limited to ~company does not appear in resolv.conf. Add test_route_only_dns_all_domains() to ensure that a server that also has ~. does appear in resolv.conf as global name server. These reproduce #3420. Add a new test_resolved_domain_restricted_dns() test case that verifies that domain-limited DNS servers are only being used for those domains. This reproduces #3421. Clarify what a "routing domain" is in the manpage. Fixes #3420 Fixes #3421
2016-09-16tree-wide: rename config_parse_many to …_nulstrZbigniew Jędrzejewski-Szmek
In preparation for adding a version which takes a strv.
2016-08-31resolved: directly include some required headers instead of inheritingDavid Michael
2016-08-31resolved: remove unused prototypeDavid Michael
2016-08-31resolved: include d.f.ip6.arpa in default NTA listLennart Poettering
Fixes: #4049
2016-08-04nspawn,resolve: short --help output to fit within 80 columnsZbigniew Jędrzejewski-Szmek
make dist-check-help FTW!
2016-07-18resolved: replace bitwise and with logical andThomas Hindoe Paaboel Andersen
2016-07-17systemd-resolve: remove spurious newline with no global settingsZbigniew Jędrzejewski-Szmek
2016-07-17systemd-resolve: use plural "DNS Servers"Zbigniew Jędrzejewski-Szmek
Usually multiple DNS servers are configured, and it looks strange to have singular in the heading.
2016-07-11treewide: fix typos and remove accidental repetition of wordsTorstein Husebø
2016-06-28resolved: add test for route-only domain filtering (#3609)Martin Pitt
With commit 6f7da49d00 route-only domains do not get put into resolv.conf's "search" list any more. Add a comment about the tri-state, to clarify its semantics and why we are passing a bool parameter into an int type. Also add a test case for it.
2016-06-24Merge pull request #3594 from poettering/resolved-servfailMartin Pitt
resolved fixes for handling SERVFAIL errors from servers
2016-06-24resolved: add option to disable caching (#3592)Martin Pitt
In some cases, caching DNS results locally is not desirable, a it makes DNS cache poisoning attacks a tad easier and also allows users on the system to determine whether or not a particular domain got visited by another user. Thus provide a new "Cache" resolved.conf option to disable it.
2016-06-23resolved: when processing auxiliary DNSSEC transactions, accept those with ↵Lennart Poettering
SERVFAIL Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which some forwarding DNS servers pass on to us as SERVFAIL (other though as NOERROR...). This is should not be considered a problem, as long as the domain in question didn't have DNSSEC enabled. Hence: when making use of auxiliary transactions accept those that return SERVFAIL.
2016-06-23resolved: when caching replies, check rcode earlierLennart Poettering
This way we don't log complaints about packets without SOA in case we are not caching it anyway because the rcode is not SUCCESS or NXDOMAIN...
2016-06-23resolved: rework SERVFAIL handlingLennart Poettering
There might be two reasons why we get a SERVFAIL response from our selected DNS server: because this DNS server itself is bad, or because the DNS server actually serving the zone upstream is bad. So far we immediately downgraded our server feature level when getting SERVFAIL, under the assumption that the first case is the only possible case. However, this meant we'd downgrade immediately even if we encountered the second case described above. With this commit handling of SERVFAIL is reworked. As soon as we get a SERVFAIL on a transaction we retry the transaction with a lower feature level, without changing the feature level tracked for the DNS server itself. If that fails too, we downgrade further, and so on. If during this downgrading the SERVFAIL goes away we assume that the DNS server we are talking to is bad, but the zone is fine and propagate the detected feature level to the information we track about the DNS server. Should the SERVFAIL not go away this way we let the transaction fail and accept the SERVFAIL.
2016-06-21resolved: respond to local resolver requests on 127.0.0.53:53Lennart Poettering
In order to improve compatibility with local clients that speak DNS directly (and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process any queries made that way. Note that resolved does not implement a full DNS server on this port, but simply enough to allow normal, local clients to resolve RRs through resolved. Specifically it does not implement queries without the RD bit set (these are requests where recursive lookups are explicitly disabled), and neither queries with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with validation turned off). It also refuses zone transfers and obsolete RR types. All lookups done this way will be rejected with a clean error code, so that the client side can repeat the query with a reduced feature set. The code will set the DNSSEC AD flag however, depending on whether the data resolved has been validated (or comes from a local, trusted source). Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary, but this is only partially useful as DNS packets cannot carry IP scope data (i.e. the ifindex), and hence link-local addresses returned cannot be used properly (and given that LLMNR/mDNS are mostly about link-local communication this is quite a limitation). Also, given that DNS tends to use IDNA for non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1. In general this should improve compatibility with clients bypassing NSS but it is highly recommended for clients to instead use NSS or our native bus API. This patch also beefs up the DnsStream logic, as it reuses the code for local TCP listening. DnsStream now provides proper reference counting for its objects. In order to avoid feedback loops resolved will no silently ignore 127.0.0.53 specified as DNS server when reading configuration. resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave the latter free for local, external DNS servers or forwarders. This also changes the "etc.conf" tmpfiles snippet to create a symlink from /etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this stub the default mode of operation if /etc is not populated.
2016-06-21resolved: use DNS_{QUESTION|ANSWER}_FOREACH macros at two more placesLennart Poettering
2016-06-21resolved: extend dns_packet_append_opt() so that it can set the extended rcodeLennart Poettering
We don't make use of this yet, but later work will.
2016-06-21resolved: add dns_packet_add_{question,answer}() helperLennart Poettering
And make use of it at a couple of places.
2016-06-21resolved: add dns_answer_is_empty() and dns_question_is_empty() helpersLennart Poettering
And make use of them at a few places.
2016-06-21resolved: when using the ResolveRecord() bus call, adjust TTL for caching timeLennart Poettering
When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-21resolved: explicitly refuse zone transfers using the bus APILennart Poettering
2016-06-21resolved: drop unused permit_domain_search variable from Manager objectLennart Poettering
2016-06-21resolved: make sure DNS configuration pushed in by the user stays around on ↵Lennart Poettering
restarts Let's make sure that all settings pushed in stay around when systemd-resolved is restarted.
2016-06-21resolved: fix negated boolean functionLennart Poettering
It's weird having a "negative" function link_is_unmanaged(), let's invert it and get rid of the negation this way, by renaming it to link_is_managed(). Internally we stored this as a positive boolean already, hence let's do this for the function too.
2016-06-21resolved: rework link_update_dns_servers() a bitLennart Poettering
Let's split the code from the inner loop out, into its own function link_update_dns_server_one(). This matches how things are already handled for the search domain logic. Also, this is preparation for a later commit that persists DNS server data pushed in via the bus.
2016-06-21resolved: make use of set_put_strdupv() where appropriateLennart Poettering
2016-06-21resolved: make sure that route-only domains are never added to /etc/resolv.confLennart Poettering
After all, /etc/resolv.conf doesn't know the concept of "route-only domains", hence the domains should really not appear there.
2016-06-21resolve: add "systemd-resolve --status" commandLennart Poettering
The new command shows the per-link and global DNS configuration currently in effect. This is useful to quickly see the DNS settings resolved acquired from networkd and that was pushed into it via the bus APIs.
2016-06-21resolved: export the effective per-link DNSSEC setting, not the internal oneLennart Poettering
Internally, we store the per-link DNSSEC setting as -1 (invalid) if there's no link-specific setting configured, and the global setting should be used. When exporting this one the bus we really should export the effective DNSSEC setting however, i.e. return the global one if there's non set per-link.
2016-06-21resolved: export global NTAs on the busLennart Poettering
We export them per-link, hence let's export the global NTAs too.
2016-06-16resolved: when restarting a transaction make sure to not touch it anymore ↵Lennart Poettering
(#3553) dns_transaction_maybe_restart() is supposed to return 1 if the the transaction has been restarted and 0 otherwise. dns_transaction_process_dnssec() relies on this behaviour. Before this change in case of restart we'd call dns_transaction_go() when restarting the lookup, returning its return value unmodified. This is wrong however, as that function returns 1 if the transaction is pending, and 0 if it completed immediately, which is a very different set of return values. Fix this, by always returning 1 on redirection. The wrong return value resulted in all kinds of bad memory accesses as we might continue processing a transaction that was redirected and completed immediately (and thus freed). This patch also adds comments to the two functions to clarify the return values for the future. Most likely fixes: #2942 #3475 #3484
2016-06-14resolved: in the ResolveHostname() bus call, accept IP addresses with scopeLennart Poettering
When we get a literal IP address as string that includes a zone suffix, process this properly and return the parsed ifindex back to the client, and include it in the canonical name in case of a link-local IP address.
2016-06-14resolved: make sure we initialize the ifindex of direct zone answers properlyLennart Poettering
Previously, after checking the local zone for a reply and finding one we'd not initialize the answer ifindex from that. Let's fix that.
2016-06-14resolve: port resolve tool to in_addr_ifindex_{from_string_auto|to_string}()Lennart Poettering
We can reuse some code here, so let's do it.
2016-06-13resolved: use single message for both dbus and signal calls (#3515)Zbigniew Jędrzejewski-Szmek
Follow-up for #3502.
2016-06-10resolved: move verification that link is unmanaged into the proper bus callsLennart Poettering
Previously, we checked only for the various SetLinkXYZ() calls on the Manager object exposed on the bus if the specified interface is managed/unmanaged by networkd (as we don't permit overriding DNS configuration via bus calls if networkd owns the device), but the equivalent SetXYZ() calls on the Link object did not have such a check. Fix that by moving the appropriate check into the latter, as the former just calls that anyway.