authorLennart Poettering <lennart@poettering.net>2017-12-08 17:21:42 +0100
committerLennart Poettering <lennart@poettering.net>2017-12-08 17:25:08 +0100
commit613dca46d22ca7d47fcbd78bfb4bca7f6541ebaf (patch)
tree06b59823638d7177495bec59080c42710c25c2b4 /src/resolve
parentresolved: synchronize introduction blurbs in all three resolv.conf files we p... (diff)
resolved: tweak domain routing logic a bit
This makes sure that a classic DNS scope that has no DNS servers assigned is never considered for routing requests to, even if it has matching search/routing domains associated. This is inspired by #7544, where lookup requests are refused because a scope with no DNS server is configured. This change does not deliver what the reporter intended, but is generally useful, as it makes us more robust to misconfiguration.
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-dns-scope.c37
1 files changed, 20 insertions, 17 deletions
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index a9071ee73e..0a121cdcdf 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -403,7 +403,6 @@ int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *add
DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
DnsSearchDomain *d;
- DnsServer *dns_server;
assert(s);
assert(domain);
@@ -436,24 +435,27 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
if (dns_name_endswith(domain, "invalid") > 0)
return DNS_SCOPE_NO;
- /* Always honour search domains for routing queries. Note that
- * we return DNS_SCOPE_YES here, rather than just
- * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
- * considered anymore. */
- LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
- if (dns_name_endswith(domain, d->name) > 0)
- return DNS_SCOPE_YES;
-
- /* If the DNS server has route-only domains, don't send other requests
- * to it. This would be a privacy violation, will most probably fail
- * anyway, and adds unnecessary load. */
- dns_server = dns_scope_get_dns_server(s);
- if (dns_server && dns_server_limited_domains(dns_server))
- return DNS_SCOPE_NO;
-
switch (s->protocol) {
- case DNS_PROTOCOL_DNS:
+ case DNS_PROTOCOL_DNS: {
+ DnsServer *dns_server;
+
+ /* Never route things to scopes that lack DNS servers */
+ dns_server = dns_scope_get_dns_server(s);
+ if (!dns_server)
+ return DNS_SCOPE_NO;
+
+ /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
+ * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
+ * won't be considered anymore. */
+ LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
+ if (dns_name_endswith(domain, d->name) > 0)
+ return DNS_SCOPE_YES;
+
+ /* If the DNS server has route-only domains, don't send other requests to it. This would be a privacy
+ * violation, will most probably fail anyway, and adds unnecessary load. */
+ if (dns_server_limited_domains(dns_server))
+ return DNS_SCOPE_NO;
/* Exclude link-local IP ranges */
if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
@@ -468,6 +470,7 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
return DNS_SCOPE_MAYBE;
return DNS_SCOPE_NO;
+ }
case DNS_PROTOCOL_MDNS:
if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||