summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2017-01-24resolve: fix strv memleakZbigniew Jędrzejewski-Szmek
sd_bus_message_read_strv() returns a normal strv...
2017-01-10build-sys: add check for gperf lookup function signature (#5055)Mike Gilbert
gperf-3.1 generates lookup functions that take a size_t length parameter instead of unsigned int. Test for this at configure time. Fixes: https://github.com/systemd/systemd/issues/5039
2016-12-22resolved: correctly handle non-address RR types with /etc/hosts lookups (#4808)Martin Pitt
Fix wrong condition test in manager_etc_hosts_lookup(), which caused it to return an IPv4 answer when an IPv6 question was asked, and vice versa. Also only return success if we actually found any A or AAAA record. In systemd-resolved.service(8), point out that /etc/hosts mappings only affect address-type lookups, not other types. The test case currently disables DNSSEC in resolved, as there is a bug where "-t MX" fails due to "DNSSEC validation failed" even after "downgrading to non-DNSSEC mode". This should be dropped once that bug gets fixed. Fixes #4801
2016-12-06core: introduce parse_ip_port (#4825)Susant Sahani
1. Listed in TODO. 2. Tree wide replace safe_atou16 with parse_ip_port incase it's used for ports.
2016-12-02treewide: fix typos (#4802)Torstein Husebø
2016-11-11tree-wide: make invocations of extract_first_word more uniform (#4627)Zbigniew Jędrzejewski-Szmek
extract_first_words deals fine with the string being NULL, so drop the upfront check for that.
2016-11-10resolved: unlink private resolv.conf on exitChristian Hesse
This fixes the logic with systemd-nspawn which checks for private resov.conf to decide whether or not to mount it into the container.
2016-11-10resolved: use macro for private resolve.confChristian Hesse
Use the macro from header file to have a single definition of the path.
2016-11-03Merge pull request #4510 from keszybz/tree-wide-cleanupsLennart Poettering
Tree wide cleanups
2016-10-24resolved: properly check for the root domainLennart Poettering
Fix-up for #4164
2016-10-23tree-wide: drop NULL sentinel from strjoinZbigniew Jędrzejewski-Szmek
This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-16tree-wide: use mfree moreZbigniew Jędrzejewski-Szmek
2016-10-11resolve: remove unsed counter (#4349)Thomas H. P. Andersen
It was introduced but never used in 45ec7efb.
2016-10-10resolved: initialize variable (#4338)Thomas H. P. Andersen
r was not initialized and would be used if "tcp" was the only option used for the stub. We should initialize it to 0 to indicate that no error happened in the udp case.
2016-10-09resolved: also disable stub listener on EPERMZbigniew Jędrzejewski-Szmek
When running in a user namespace without private networking, resolved would fail to start. There isn't much difference between EADDRINUSE and EPERM, so treat them the same, except for the warning message text.
2016-10-09resolved: simplify error handling in manager_dns_stub_{udp,tcp}_fd()Zbigniew Jędrzejewski-Szmek
Make sure an error is always printed… When systemd-resolved is started in a user namespace without private network, it would fail on setsockopt, but the error wouldn't be particularly informative: "Failed to start manager: permission denied."
2016-10-08systemd-resolve: use sha256 for local-part of openpgp key (#4193)Stefan Schweter
2016-10-07Merge pull request #4061 from dm0-/coreos-1545Lennart Poettering
resolved: add an option to disable the stub resolver
2016-10-07resolved: add an option to control the DNS stub listenerDavid Michael
2016-10-06tree-wide: drop some misleading compiler warningsLennart Poettering
gcc at some optimization levels thinks thes variables were used without initialization. it's wrong, but let's make the message go anyway.
2016-10-06resolved: properly handle BADCOOKIE DNS errorLennart Poettering
Add this new error code (documented in RFC7873) to our list of known errors.
2016-09-30resolved: don't query domain-limited DNS servers for other domains (#3621)Martin Pitt
DNS servers which have route-only domains should only be used for the specified domains. Routing queries about other domains there is a privacy violation, prone to fail (as that DNS server was not meant to be used for other domains), and puts unnecessary load onto that server. Introduce a new helper function dns_server_limited_domains() that checks if the DNS server should only be used for some selected domains, i. e. has some route-only domains without "~.". Use that when determining whether to query it in the scope, and when writing resolv.conf. Extend the test_route_only_dns() case to ensure that the DNS server limited to ~company does not appear in resolv.conf. Add test_route_only_dns_all_domains() to ensure that a server that also has ~. does appear in resolv.conf as global name server. These reproduce #3420. Add a new test_resolved_domain_restricted_dns() test case that verifies that domain-limited DNS servers are only being used for those domains. This reproduces #3421. Clarify what a "routing domain" is in the manpage. Fixes #3420 Fixes #3421
2016-09-16tree-wide: rename config_parse_many to …_nulstrZbigniew Jędrzejewski-Szmek
In preparation for adding a version which takes a strv.
2016-08-31resolved: directly include some required headers instead of inheritingDavid Michael
2016-08-31resolved: remove unused prototypeDavid Michael
2016-08-31resolved: include d.f.ip6.arpa in default NTA listLennart Poettering
Fixes: #4049
2016-08-04nspawn,resolve: short --help output to fit within 80 columnsZbigniew Jędrzejewski-Szmek
make dist-check-help FTW!
2016-07-18resolved: replace bitwise and with logical andThomas Hindoe Paaboel Andersen
2016-07-17systemd-resolve: remove spurious newline with no global settingsZbigniew Jędrzejewski-Szmek
2016-07-17systemd-resolve: use plural "DNS Servers"Zbigniew Jędrzejewski-Szmek
Usually multiple DNS servers are configured, and it looks strange to have singular in the heading.
2016-07-11treewide: fix typos and remove accidental repetition of wordsTorstein Husebø
2016-06-28resolved: add test for route-only domain filtering (#3609)Martin Pitt
With commit 6f7da49d00 route-only domains do not get put into resolv.conf's "search" list any more. Add a comment about the tri-state, to clarify its semantics and why we are passing a bool parameter into an int type. Also add a test case for it.
2016-06-24Merge pull request #3594 from poettering/resolved-servfailMartin Pitt
resolved fixes for handling SERVFAIL errors from servers
2016-06-24resolved: add option to disable caching (#3592)Martin Pitt
In some cases, caching DNS results locally is not desirable, a it makes DNS cache poisoning attacks a tad easier and also allows users on the system to determine whether or not a particular domain got visited by another user. Thus provide a new "Cache" resolved.conf option to disable it.
2016-06-23resolved: when processing auxiliary DNSSEC transactions, accept those with ↵Lennart Poettering
SERVFAIL Some upstream DNS servers return SERVFAIL if we ask them for DNSSEC RRs, which some forwarding DNS servers pass on to us as SERVFAIL (other though as NOERROR...). This is should not be considered a problem, as long as the domain in question didn't have DNSSEC enabled. Hence: when making use of auxiliary transactions accept those that return SERVFAIL.
2016-06-23resolved: when caching replies, check rcode earlierLennart Poettering
This way we don't log complaints about packets without SOA in case we are not caching it anyway because the rcode is not SUCCESS or NXDOMAIN...
2016-06-23resolved: rework SERVFAIL handlingLennart Poettering
There might be two reasons why we get a SERVFAIL response from our selected DNS server: because this DNS server itself is bad, or because the DNS server actually serving the zone upstream is bad. So far we immediately downgraded our server feature level when getting SERVFAIL, under the assumption that the first case is the only possible case. However, this meant we'd downgrade immediately even if we encountered the second case described above. With this commit handling of SERVFAIL is reworked. As soon as we get a SERVFAIL on a transaction we retry the transaction with a lower feature level, without changing the feature level tracked for the DNS server itself. If that fails too, we downgrade further, and so on. If during this downgrading the SERVFAIL goes away we assume that the DNS server we are talking to is bad, but the zone is fine and propagate the detected feature level to the information we track about the DNS server. Should the SERVFAIL not go away this way we let the transaction fail and accept the SERVFAIL.
2016-06-21resolved: respond to local resolver requests on 127.0.0.53:53Lennart Poettering
In order to improve compatibility with local clients that speak DNS directly (and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process any queries made that way. Note that resolved does not implement a full DNS server on this port, but simply enough to allow normal, local clients to resolve RRs through resolved. Specifically it does not implement queries without the RD bit set (these are requests where recursive lookups are explicitly disabled), and neither queries with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with validation turned off). It also refuses zone transfers and obsolete RR types. All lookups done this way will be rejected with a clean error code, so that the client side can repeat the query with a reduced feature set. The code will set the DNSSEC AD flag however, depending on whether the data resolved has been validated (or comes from a local, trusted source). Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary, but this is only partially useful as DNS packets cannot carry IP scope data (i.e. the ifindex), and hence link-local addresses returned cannot be used properly (and given that LLMNR/mDNS are mostly about link-local communication this is quite a limitation). Also, given that DNS tends to use IDNA for non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1. In general this should improve compatibility with clients bypassing NSS but it is highly recommended for clients to instead use NSS or our native bus API. This patch also beefs up the DnsStream logic, as it reuses the code for local TCP listening. DnsStream now provides proper reference counting for its objects. In order to avoid feedback loops resolved will no silently ignore 127.0.0.53 specified as DNS server when reading configuration. resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave the latter free for local, external DNS servers or forwarders. This also changes the "etc.conf" tmpfiles snippet to create a symlink from /etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this stub the default mode of operation if /etc is not populated.
2016-06-21resolved: use DNS_{QUESTION|ANSWER}_FOREACH macros at two more placesLennart Poettering
2016-06-21resolved: extend dns_packet_append_opt() so that it can set the extended rcodeLennart Poettering
We don't make use of this yet, but later work will.
2016-06-21resolved: add dns_packet_add_{question,answer}() helperLennart Poettering
And make use of it at a couple of places.
2016-06-21resolved: add dns_answer_is_empty() and dns_question_is_empty() helpersLennart Poettering
And make use of them at a few places.
2016-06-21resolved: when using the ResolveRecord() bus call, adjust TTL for caching timeLennart Poettering
When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-21resolved: explicitly refuse zone transfers using the bus APILennart Poettering
2016-06-21resolved: drop unused permit_domain_search variable from Manager objectLennart Poettering
2016-06-21resolved: make sure DNS configuration pushed in by the user stays around on ↵Lennart Poettering
restarts Let's make sure that all settings pushed in stay around when systemd-resolved is restarted.
2016-06-21resolved: fix negated boolean functionLennart Poettering
It's weird having a "negative" function link_is_unmanaged(), let's invert it and get rid of the negation this way, by renaming it to link_is_managed(). Internally we stored this as a positive boolean already, hence let's do this for the function too.
2016-06-21resolved: rework link_update_dns_servers() a bitLennart Poettering
Let's split the code from the inner loop out, into its own function link_update_dns_server_one(). This matches how things are already handled for the search domain logic. Also, this is preparation for a later commit that persists DNS server data pushed in via the bus.
2016-06-21resolved: make use of set_put_strdupv() where appropriateLennart Poettering
2016-06-21resolved: make sure that route-only domains are never added to /etc/resolv.confLennart Poettering
After all, /etc/resolv.conf doesn't know the concept of "route-only domains", hence the domains should really not appear there.