summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2016-06-24Merge pull request #3594 from poettering/resolved-servfailMartin Pitt
resolved fixes for handling SERVFAIL errors from servers
2016-06-24resolved: add option to disable caching (#3592)Martin Pitt
In some cases, caching DNS results locally is not desirable, a it makes DNS cache poisoning attacks a tad easier and also allows users on the system to determine whether or not a particular domain got visited by another user. Thus provide a new "Cache" resolved.conf option to disable it.
2016-06-23resolved: when processing auxiliary DNSSEC transactions, accept those with ↵Lennart Poettering
SERVFAIL Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which some forwarding DNS servers pass on to us as SERVFAIL (other though as NOERROR...). This is should not be considered a problem, as long as the domain in question didn't have DNSSEC enabled. Hence: when making use of auxiliary transactions accept those that return SERVFAIL.
2016-06-23resolved: when caching replies, check rcode earlierLennart Poettering
This way we don't log complaints about packets without SOA in case we are not caching it anyway because the rcode is not SUCCESS or NXDOMAIN...
2016-06-23resolved: rework SERVFAIL handlingLennart Poettering
There might be two reasons why we get a SERVFAIL response from our selected DNS server: because this DNS server itself is bad, or because the DNS server actually serving the zone upstream is bad. So far we immediately downgraded our server feature level when getting SERVFAIL, under the assumption that the first case is the only possible case. However, this meant we'd downgrade immediately even if we encountered the second case described above. With this commit handling of SERVFAIL is reworked. As soon as we get a SERVFAIL on a transaction we retry the transaction with a lower feature level, without changing the feature level tracked for the DNS server itself. If that fails too, we downgrade further, and so on. If during this downgrading the SERVFAIL goes away we assume that the DNS server we are talking to is bad, but the zone is fine and propagate the detected feature level to the information we track about the DNS server. Should the SERVFAIL not go away this way we let the transaction fail and accept the SERVFAIL.
2016-06-21resolved: respond to local resolver requests on 127.0.0.53:53Lennart Poettering
In order to improve compatibility with local clients that speak DNS directly (and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process any queries made that way. Note that resolved does not implement a full DNS server on this port, but simply enough to allow normal, local clients to resolve RRs through resolved. Specifically it does not implement queries without the RD bit set (these are requests where recursive lookups are explicitly disabled), and neither queries with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with validation turned off). It also refuses zone transfers and obsolete RR types. All lookups done this way will be rejected with a clean error code, so that the client side can repeat the query with a reduced feature set. The code will set the DNSSEC AD flag however, depending on whether the data resolved has been validated (or comes from a local, trusted source). Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary, but this is only partially useful as DNS packets cannot carry IP scope data (i.e. the ifindex), and hence link-local addresses returned cannot be used properly (and given that LLMNR/mDNS are mostly about link-local communication this is quite a limitation). Also, given that DNS tends to use IDNA for non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1. In general this should improve compatibility with clients bypassing NSS but it is highly recommended for clients to instead use NSS or our native bus API. This patch also beefs up the DnsStream logic, as it reuses the code for local TCP listening. DnsStream now provides proper reference counting for its objects. In order to avoid feedback loops resolved will no silently ignore 127.0.0.53 specified as DNS server when reading configuration. resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave the latter free for local, external DNS servers or forwarders. This also changes the "etc.conf" tmpfiles snippet to create a symlink from /etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this stub the default mode of operation if /etc is not populated.
2016-06-21resolved: use DNS_{QUESTION|ANSWER}_FOREACH macros at two more placesLennart Poettering
2016-06-21resolved: extend dns_packet_append_opt() so that it can set the extended rcodeLennart Poettering
We don't make use of this yet, but later work will.
2016-06-21resolved: add dns_packet_add_{question,answer}() helperLennart Poettering
And make use of it at a couple of places.
2016-06-21resolved: add dns_answer_is_empty() and dns_question_is_empty() helpersLennart Poettering
And make use of them at a few places.
2016-06-21resolved: when using the ResolveRecord() bus call, adjust TTL for caching timeLennart Poettering
When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-21resolved: explicitly refuse zone transfers using the bus APILennart Poettering
2016-06-21resolved: drop unused permit_domain_search variable from Manager objectLennart Poettering
2016-06-21resolved: make sure DNS configuration pushed in by the user stays around on ↵Lennart Poettering
restarts Let's make sure that all settings pushed in stay around when systemd-resolved is restarted.
2016-06-21resolved: fix negated boolean functionLennart Poettering
It's weird having a "negative" function link_is_unmanaged(), let's invert it and get rid of the negation this way, by renaming it to link_is_managed(). Internally we stored this as a positive boolean already, hence let's do this for the function too.
2016-06-21resolved: rework link_update_dns_servers() a bitLennart Poettering
Let's split the code from the inner loop out, into its own function link_update_dns_server_one(). This matches how things are already handled for the search domain logic. Also, this is preparation for a later commit that persists DNS server data pushed in via the bus.
2016-06-21resolved: make use of set_put_strdupv() where appropriateLennart Poettering
2016-06-21resolved: make sure that route-only domains are never added to /etc/resolv.confLennart Poettering
After all, /etc/resolv.conf doesn't know the concept of "route-only domains", hence the domains should really not appear there.
2016-06-21resolve: add "systemd-resolve --status" commandLennart Poettering
The new command shows the per-link and global DNS configuration currently in effect. This is useful to quickly see the DNS settings resolved acquired from networkd and that was pushed into it via the bus APIs.
2016-06-21resolved: export the effective per-link DNSSEC setting, not the internal oneLennart Poettering
Internally, we store the per-link DNSSEC setting as -1 (invalid) if there's no link-specific setting configured, and the global setting should be used. When exporting this one the bus we really should export the effective DNSSEC setting however, i.e. return the global one if there's non set per-link.
2016-06-21resolved: export global NTAs on the busLennart Poettering
We export them per-link, hence let's export the global NTAs too.
2016-06-16resolved: when restarting a transaction make sure to not touch it anymore ↵Lennart Poettering
(#3553) dns_transaction_maybe_restart() is supposed to return 1 if the the transaction has been restarted and 0 otherwise. dns_transaction_process_dnssec() relies on this behaviour. Before this change in case of restart we'd call dns_transaction_go() when restarting the lookup, returning its return value unmodified. This is wrong however, as that function returns 1 if the transaction is pending, and 0 if it completed immediately, which is a very different set of return values. Fix this, by always returning 1 on redirection. The wrong return value resulted in all kinds of bad memory accesses as we might continue processing a transaction that was redirected and completed immediately (and thus freed). This patch also adds comments to the two functions to clarify the return values for the future. Most likely fixes: #2942 #3475 #3484
2016-06-14resolved: in the ResolveHostname() bus call, accept IP addresses with scopeLennart Poettering
When we get a literal IP address as string that includes a zone suffix, process this properly and return the parsed ifindex back to the client, and include it in the canonical name in case of a link-local IP address.
2016-06-14resolved: make sure we initialize the ifindex of direct zone answers properlyLennart Poettering
Previously, after checking the local zone for a reply and finding one we'd not initialize the answer ifindex from that. Let's fix that.
2016-06-14resolve: port resolve tool to in_addr_ifindex_{from_string_auto|to_string}()Lennart Poettering
We can reuse some code here, so let's do it.
2016-06-13resolved: use single message for both dbus and signal calls (#3515)Zbigniew Jędrzejewski-Szmek
Follow-up for #3502.
2016-06-10resolved: move verification that link is unmanaged into the proper bus callsLennart Poettering
Previously, we checked only for the various SetLinkXYZ() calls on the Manager object exposed on the bus if the specified interface is managed/unmanaged by networkd (as we don't permit overriding DNS configuration via bus calls if networkd owns the device), but the equivalent SetXYZ() calls on the Link object did not have such a check. Fix that by moving the appropriate check into the latter, as the former just calls that anyway.
2016-06-10resolved: also add a way to flush all caches via the busLennart Poettering
And expose it in "resolve-tool --flush-caches".
2016-06-10resolved: flush all caches if SIGUSR2 is receivedLennart Poettering
2016-06-06resolved: also rewrite private /etc/resolv.conf when configuration is ↵Lennart Poettering
changed via bus calls This also moves log message generation into manager_write_resolv_conf(), so that it is shorter to invoke the function, given that we have to invoke it at a couple of additional places now. Fixes: #3225
2016-06-06resolved: support IPv6 DNS servers on the local linkLennart Poettering
Make sure we can parse DNS server addresses that use the "zone id" syntax for local link addresses, i.e. "fe80::c256:27ff:febb:12f%wlp3s0", when reading /etc/resolv.conf. Also make sure we spit this out correctly again when writing /etc/resolv.conf and via the bus. Fixes: #3359
2016-06-04Merge pull request #3392 from poettering/assorted-stuffZbigniew Jędrzejewski-Szmek
Assorted stuff
2016-06-03resolved: fix comments in resolve.conf for search domain overflows (#3422)Martin Pitt
Write comments about "too many search domains" and "Total length of all search domains is too long" just once. Also put it on a separate line, as resolv.conf(5) only specifies comments in a line by themselves. This is ugly to do if write_resolv_conf_search() gets called once for every search domain. So change it to receive the complete OrderedSet instead and do the iteration by itself. Add test cases to networkd-test.py. https://launchpad.net/bugs/1588229
2016-05-30util-lib: make localed's nonempty() generic, rename it to empty_to_null() ↵Lennart Poettering
and make use of it everywhere
2016-05-26resolve/test-dns-packet: Fix unaligned access in test_packet_from_file().John Paul Adrian Glaubitz
2016-05-23resolved: don't stop handle messages after receiving a zero length UDP ↵Evgeny Vereshchagin
packet (#3323) Fixes: -bash-4.3# ss --udp -l -p State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 0 0 *:5355 *:* users:(("systemd-resolve",pid=601,fd=12)) UNCONN 0 0 :::5355 :::* users:(("systemd-resolve",pid=601,fd=14)) -bash-4.3# nping --udp -p 5355 --data-length 0 -c 1 localhost -bash-4.3# journalctl -u systemd-resolved -b --no-hostname ... May 21 14:59:22 systemd-resolved[601]: Event source llmnr-ipv4-udp (type io) returned error, disabling: Input/output error ... -bash-4.3# nping --udp -p 5355 --data-length 1000 -c 1 localhost -bash-4.3# ss --udp -l State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 2304 0 *:5355 *:* UNCONN 0 0 :::5355 :::*
2016-05-20resolved: fix accounting of dns serves on a link (#3291)Zbigniew Jędrzejewski-Szmek
After a few link up/down events I got this warning: May 17 22:05:10 laptop systemd-resolved[2983]: Failed to read DNS servers for interface wlp3s0, ignoring: Argument list too long
2016-05-04treewide: fix typos (#3187)Torstein Husebø
2016-05-02resolved: work around broken DNS zones set up by incapdns.netLennart Poettering
incapdns.net returns NXDOMAIN for the SOA of the zone itself but is not a terminal. This is against the specs, but we really should be able to deal with this. Previously, when verifying whether an NXDOMAIN response for a SOA/NS lookup is rightfully unsigned we'd issue a SOA lookup for the parent's domain, to derive the state from that. If the parent SOA would get an NXDOMAIN, we'd continue upwards, until we hit a signed top-level domain, which suggests that the domain actually exists. With this change whenver we need to authenticate an NXDOMAIN SOA reply, we'll request the DS RR for the zone first, and use for validation, since that this must be from the parent's zone, not the incorrect lower zone. Fixes: #2894
2016-04-21tree-wide: use mdash instead of a two minusesZbigniew Jędrzejewski-Szmek
2016-04-13tree-wide: remove useless NULLs from strjoinaZbigniew Jędrzejewski-Szmek
The coccinelle patch didn't work in some places, I have no idea why.
2016-04-12test-dnssec: drop unused variableLennart Poettering
2016-04-12Do not report masked units as changed (#2921)Zbigniew Jędrzejewski-Szmek
* core/unit: extract checking of stat paths into helper function The same code was repeated three times. * core: treat masked files as "unchanged" systemctl prints the "unit file changed on disk" warning for a masked unit. I think it's better to print nothing in that case. When a masked unit is loaded, set mtime as 0. When checking if a unit with mtime of 0 needs reload, check that the mask is still in place. * test-dnssec: fix build without gcrypt Also reorder the test functions to follow the way they are called from main().
2016-04-08resolved: handle oom properlyZbigniew Jędrzejewski-Szmek
CID #1349699-1349700.
2016-03-27build-sys: fix build with libgrcypt disabledZbigniew Jędrzejewski-Szmek
- Move gcrypt.h include inside grcrypt-util.h. - Allow gcrypt-util.[ch] to be compiled even without gcrypt. This allows the logic in files using gcrypt to be simplified. - Fix compilation of systemd-resolve without gcrypt. systemd-resolved already supported that. Fixes #2711.
2016-03-05tree-wide: use SET_FLAG() macro to make code more clearAlexander Kuleshov
2016-03-01selinux: always try to load the full selinux dbZbigniew Jędrzejewski-Szmek
https://github.com/systemd/systemd/pull/2508#issuecomment-190901170 Maybe fixes https://bugzilla.redhat.com/show_bug.cgi?id=1308771.
2016-02-29Merge pull request #2702 from poettering/resolved-iterate-fixZbigniew Jędrzejewski-Szmek
resolved iteration fix
2016-02-24treewide: fix typos and then/that useTorstein Husebø
2016-02-23dnssec: only run tests that require gcrypt if we have itSteven Siloti