1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "sd-messages.h"
4
5 #include "alloc-util.h"
6 #include "resolved-bus.h"
7 #include "resolved-dns-server.h"
8 #include "resolved-dns-stub.h"
9 #include "resolved-manager.h"
10 #include "resolved-resolv-conf.h"
11 #include "siphash24.h"
12 #include "string-table.h"
13 #include "string-util.h"
14
15 /* The amount of time to wait before retrying with a full feature set */
16 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC (6 * USEC_PER_HOUR)
17 #define DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC (5 * USEC_PER_MINUTE)
18
19 /* The number of times we will attempt a certain feature set before degrading */
20 #define DNS_SERVER_FEATURE_RETRY_ATTEMPTS 3
21
dns_server_new(Manager * m,DnsServer ** ret,DnsServerType type,Link * l,int family,const union in_addr_union * in_addr,uint16_t port,int ifindex,const char * server_name)22 int dns_server_new(
23 Manager *m,
24 DnsServer **ret,
25 DnsServerType type,
26 Link *l,
27 int family,
28 const union in_addr_union *in_addr,
29 uint16_t port,
30 int ifindex,
31 const char *server_name) {
32
33 _cleanup_free_ char *name = NULL;
34 DnsServer *s;
35
36 assert(m);
37 assert((type == DNS_SERVER_LINK) == !!l);
38 assert(in_addr);
39
40 if (!IN_SET(family, AF_INET, AF_INET6))
41 return -EAFNOSUPPORT;
42
43 if (l) {
44 if (l->n_dns_servers >= LINK_DNS_SERVERS_MAX)
45 return -E2BIG;
46 } else {
47 if (m->n_dns_servers >= MANAGER_DNS_SERVERS_MAX)
48 return -E2BIG;
49 }
50
51 if (!isempty(server_name)) {
52 name = strdup(server_name);
53 if (!name)
54 return -ENOMEM;
55 }
56
57 s = new(DnsServer, 1);
58 if (!s)
59 return -ENOMEM;
60
61 *s = (DnsServer) {
62 .n_ref = 1,
63 .manager = m,
64 .type = type,
65 .family = family,
66 .address = *in_addr,
67 .port = port,
68 .ifindex = ifindex,
69 .server_name = TAKE_PTR(name),
70 };
71
72 dns_server_reset_features(s);
73
74 switch (type) {
75
76 case DNS_SERVER_LINK:
77 s->link = l;
78 LIST_APPEND(servers, l->dns_servers, s);
79 l->n_dns_servers++;
80 break;
81
82 case DNS_SERVER_SYSTEM:
83 LIST_APPEND(servers, m->dns_servers, s);
84 m->n_dns_servers++;
85 break;
86
87 case DNS_SERVER_FALLBACK:
88 LIST_APPEND(servers, m->fallback_dns_servers, s);
89 m->n_dns_servers++;
90 break;
91
92 default:
93 assert_not_reached();
94 }
95
96 s->linked = true;
97
98 /* A new DNS server that isn't fallback is added and the one
99 * we used so far was a fallback one? Then let's try to pick
100 * the new one */
101 if (type != DNS_SERVER_FALLBACK &&
102 m->current_dns_server &&
103 m->current_dns_server->type == DNS_SERVER_FALLBACK)
104 manager_set_dns_server(m, NULL);
105
106 if (ret)
107 *ret = s;
108
109 return 0;
110 }
111
dns_server_free(DnsServer * s)112 static DnsServer* dns_server_free(DnsServer *s) {
113 assert(s);
114
115 dns_server_unref_stream(s);
116
117 #if ENABLE_DNS_OVER_TLS
118 dnstls_server_free(s);
119 #endif
120
121 free(s->server_string);
122 free(s->server_string_full);
123 free(s->server_name);
124 return mfree(s);
125 }
126
127 DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsServer, dns_server, dns_server_free);
128
dns_server_unlink(DnsServer * s)129 void dns_server_unlink(DnsServer *s) {
130 assert(s);
131 assert(s->manager);
132
133 /* This removes the specified server from the linked list of
134 * servers, but any server might still stay around if it has
135 * refs, for example from an ongoing transaction. */
136
137 if (!s->linked)
138 return;
139
140 switch (s->type) {
141
142 case DNS_SERVER_LINK:
143 assert(s->link);
144 assert(s->link->n_dns_servers > 0);
145 LIST_REMOVE(servers, s->link->dns_servers, s);
146 s->link->n_dns_servers--;
147 break;
148
149 case DNS_SERVER_SYSTEM:
150 assert(s->manager->n_dns_servers > 0);
151 LIST_REMOVE(servers, s->manager->dns_servers, s);
152 s->manager->n_dns_servers--;
153 break;
154
155 case DNS_SERVER_FALLBACK:
156 assert(s->manager->n_dns_servers > 0);
157 LIST_REMOVE(servers, s->manager->fallback_dns_servers, s);
158 s->manager->n_dns_servers--;
159 break;
160 default:
161 assert_not_reached();
162 }
163
164 s->linked = false;
165
166 if (s->link && s->link->current_dns_server == s)
167 link_set_dns_server(s->link, NULL);
168
169 if (s->manager->current_dns_server == s)
170 manager_set_dns_server(s->manager, NULL);
171
172 /* No need to keep a default stream around anymore */
173 dns_server_unref_stream(s);
174
175 dns_server_unref(s);
176 }
177
dns_server_move_back_and_unmark(DnsServer * s)178 void dns_server_move_back_and_unmark(DnsServer *s) {
179 DnsServer *tail;
180
181 assert(s);
182
183 if (!s->marked)
184 return;
185
186 s->marked = false;
187
188 if (!s->linked || !s->servers_next)
189 return;
190
191 /* Move us to the end of the list, so that the order is
192 * strictly kept, if we are not at the end anyway. */
193
194 switch (s->type) {
195
196 case DNS_SERVER_LINK:
197 assert(s->link);
198 LIST_FIND_TAIL(servers, s, tail);
199 LIST_REMOVE(servers, s->link->dns_servers, s);
200 LIST_INSERT_AFTER(servers, s->link->dns_servers, tail, s);
201 break;
202
203 case DNS_SERVER_SYSTEM:
204 LIST_FIND_TAIL(servers, s, tail);
205 LIST_REMOVE(servers, s->manager->dns_servers, s);
206 LIST_INSERT_AFTER(servers, s->manager->dns_servers, tail, s);
207 break;
208
209 case DNS_SERVER_FALLBACK:
210 LIST_FIND_TAIL(servers, s, tail);
211 LIST_REMOVE(servers, s->manager->fallback_dns_servers, s);
212 LIST_INSERT_AFTER(servers, s->manager->fallback_dns_servers, tail, s);
213 break;
214
215 default:
216 assert_not_reached();
217 }
218 }
219
dns_server_verified(DnsServer * s,DnsServerFeatureLevel level)220 static void dns_server_verified(DnsServer *s, DnsServerFeatureLevel level) {
221 assert(s);
222
223 if (s->verified_feature_level > level)
224 return;
225
226 if (s->verified_feature_level != level) {
227 log_debug("Verified we get a response at feature level %s from DNS server %s.",
228 dns_server_feature_level_to_string(level),
229 strna(dns_server_string_full(s)));
230 s->verified_feature_level = level;
231 }
232
233 assert_se(sd_event_now(s->manager->event, CLOCK_BOOTTIME, &s->verified_usec) >= 0);
234 }
235
dns_server_reset_counters(DnsServer * s)236 static void dns_server_reset_counters(DnsServer *s) {
237 assert(s);
238
239 s->n_failed_udp = 0;
240 s->n_failed_tcp = 0;
241 s->n_failed_tls = 0;
242 s->packet_truncated = false;
243 s->packet_invalid = false;
244 s->verified_usec = 0;
245
246 /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
247 * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
248 * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
249 * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
250 * either.
251 *
252 * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
253 * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
254 * re-enable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
255 * incomplete. */
256 }
257
dns_server_packet_received(DnsServer * s,int protocol,DnsServerFeatureLevel level,size_t fragsize)258 void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLevel level, size_t fragsize) {
259 assert(s);
260
261 if (protocol == IPPROTO_UDP) {
262 if (s->possible_feature_level == level)
263 s->n_failed_udp = 0;
264 } else if (protocol == IPPROTO_TCP) {
265 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level)) {
266 if (s->possible_feature_level == level)
267 s->n_failed_tls = 0;
268 } else {
269 if (s->possible_feature_level == level)
270 s->n_failed_tcp = 0;
271
272 /* Successful TCP connections are only useful to verify the TCP feature level. */
273 level = DNS_SERVER_FEATURE_LEVEL_TCP;
274 }
275 }
276
277 /* If the RRSIG data is missing, then we can only validate EDNS0 at max */
278 if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO)
279 level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0;
280
281 /* If the OPT RR got lost, then we can only validate UDP at max */
282 if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
283 level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1;
284
285 dns_server_verified(s, level);
286
287 /* Remember the size of the largest UDP packet fragment we received from a server, we know that we
288 * can always announce support for packets with at least this size. */
289 if (protocol == IPPROTO_UDP && s->received_udp_fragment_max < fragsize)
290 s->received_udp_fragment_max = fragsize;
291 }
292
dns_server_packet_lost(DnsServer * s,int protocol,DnsServerFeatureLevel level)293 void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel level) {
294 assert(s);
295 assert(s->manager);
296
297 if (s->possible_feature_level != level)
298 return;
299
300 if (protocol == IPPROTO_UDP)
301 s->n_failed_udp++;
302 else if (protocol == IPPROTO_TCP) {
303 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level))
304 s->n_failed_tls++;
305 else
306 s->n_failed_tcp++;
307 }
308 }
309
dns_server_packet_truncated(DnsServer * s,DnsServerFeatureLevel level)310 void dns_server_packet_truncated(DnsServer *s, DnsServerFeatureLevel level) {
311 assert(s);
312
313 /* Invoked whenever we get a packet with TC bit set. */
314
315 if (s->possible_feature_level != level)
316 return;
317
318 s->packet_truncated = true;
319 }
320
dns_server_packet_rrsig_missing(DnsServer * s,DnsServerFeatureLevel level)321 void dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level) {
322 assert(s);
323
324 if (level < DNS_SERVER_FEATURE_LEVEL_DO)
325 return;
326
327 /* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
328 if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO)
329 s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0;
330
331 s->packet_rrsig_missing = true;
332 }
333
dns_server_packet_bad_opt(DnsServer * s,DnsServerFeatureLevel level)334 void dns_server_packet_bad_opt(DnsServer *s, DnsServerFeatureLevel level) {
335 assert(s);
336
337 if (level < DNS_SERVER_FEATURE_LEVEL_EDNS0)
338 return;
339
340 /* If the OPT RR got lost, we have to downgrade what we previously verified */
341 if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
342 s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0-1;
343
344 s->packet_bad_opt = true;
345 }
346
dns_server_packet_rcode_downgrade(DnsServer * s,DnsServerFeatureLevel level)347 void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level) {
348 assert(s);
349
350 /* Invoked whenever we got a FORMERR, SERVFAIL or NOTIMP rcode from a server and downgrading the feature level
351 * for the transaction made it go away. In this case we immediately downgrade to the feature level that made
352 * things work. */
353
354 if (s->verified_feature_level > level)
355 s->verified_feature_level = level;
356
357 if (s->possible_feature_level > level) {
358 s->possible_feature_level = level;
359 dns_server_reset_counters(s);
360 log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", strna(dns_server_string_full(s)));
361 }
362 }
363
dns_server_packet_invalid(DnsServer * s,DnsServerFeatureLevel level)364 void dns_server_packet_invalid(DnsServer *s, DnsServerFeatureLevel level) {
365 assert(s);
366
367 /* Invoked whenever we got a packet we couldn't parse at all */
368
369 if (s->possible_feature_level != level)
370 return;
371
372 s->packet_invalid = true;
373 }
374
dns_server_packet_do_off(DnsServer * s,DnsServerFeatureLevel level)375 void dns_server_packet_do_off(DnsServer *s, DnsServerFeatureLevel level) {
376 assert(s);
377
378 /* Invoked whenever the DO flag was not copied from our request to the response. */
379
380 if (s->possible_feature_level != level)
381 return;
382
383 s->packet_do_off = true;
384 }
385
dns_server_packet_udp_fragmented(DnsServer * s,size_t fragsize)386 void dns_server_packet_udp_fragmented(DnsServer *s, size_t fragsize) {
387 assert(s);
388
389 /* Invoked whenever we got a fragmented UDP packet. Let's do two things: keep track of the largest
390 * fragment we ever received from the server, and remember this, so that we can use it to lower the
391 * advertised packet size in EDNS0 */
392
393 if (s->received_udp_fragment_max < fragsize)
394 s->received_udp_fragment_max = fragsize;
395
396 s->packet_fragmented = true;
397 }
398
dns_server_grace_period_expired(DnsServer * s)399 static bool dns_server_grace_period_expired(DnsServer *s) {
400 usec_t ts;
401
402 assert(s);
403 assert(s->manager);
404
405 if (s->verified_usec == 0)
406 return false;
407
408 assert_se(sd_event_now(s->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
409
410 if (s->verified_usec + s->features_grace_period_usec > ts)
411 return false;
412
413 s->features_grace_period_usec = MIN(s->features_grace_period_usec * 2, DNS_SERVER_FEATURE_GRACE_PERIOD_MAX_USEC);
414
415 return true;
416 }
417
dns_server_possible_feature_level(DnsServer * s)418 DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
419 DnsServerFeatureLevel best;
420
421 assert(s);
422
423 /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
424 * better than EDNS0, hence don't even try. */
425 if (dns_server_get_dnssec_mode(s) != DNSSEC_NO)
426 best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ?
427 DNS_SERVER_FEATURE_LEVEL_DO :
428 DNS_SERVER_FEATURE_LEVEL_TLS_DO;
429 else
430 best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ?
431 DNS_SERVER_FEATURE_LEVEL_EDNS0 :
432 DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
433
434 /* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last
435 * time, hence let's downgrade if we are still at a higher level. */
436 if (s->possible_feature_level > best)
437 s->possible_feature_level = best;
438
439 if (s->possible_feature_level < best && dns_server_grace_period_expired(s)) {
440
441 s->possible_feature_level = best;
442
443 dns_server_reset_counters(s);
444
445 s->packet_bad_opt = false;
446 s->packet_rrsig_missing = false;
447
448 log_info("Grace period over, resuming full feature set (%s) for DNS server %s.",
449 dns_server_feature_level_to_string(s->possible_feature_level),
450 strna(dns_server_string_full(s)));
451
452 dns_server_flush_cache(s);
453
454 } else if (s->possible_feature_level <= s->verified_feature_level)
455 s->possible_feature_level = s->verified_feature_level;
456 else {
457 DnsServerFeatureLevel p = s->possible_feature_level;
458 int log_level = LOG_WARNING;
459
460 if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
461 s->possible_feature_level == DNS_SERVER_FEATURE_LEVEL_TCP) {
462
463 /* We are at the TCP (lowest) level, and we tried a couple of TCP connections, and it didn't
464 * work. Upgrade back to UDP again. */
465 log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
466 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
467
468 } else if (s->n_failed_tls > 0 &&
469 DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) &&
470 dns_server_get_dns_over_tls_mode(s) != DNS_OVER_TLS_YES) {
471
472 /* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP
473 * if we don't require DNS-over-TLS */
474
475 log_debug("Server doesn't support DNS-over-TLS, downgrading protocol...");
476 s->possible_feature_level--;
477
478 } else if (s->packet_invalid &&
479 s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP &&
480 s->possible_feature_level != DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN) {
481
482 /* Downgrade from DO to EDNS0 + from EDNS0 to UDP, from TLS+DO to plain TLS. Or in
483 * other words, if we receive a packet we cannot parse jump to the next lower feature
484 * level that actually has an influence on the packet layout (and not just the
485 * transport). */
486
487 log_debug("Got invalid packet from server, downgrading protocol...");
488 s->possible_feature_level =
489 s->possible_feature_level == DNS_SERVER_FEATURE_LEVEL_TLS_DO ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN :
490 DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(s->possible_feature_level) ? DNS_SERVER_FEATURE_LEVEL_EDNS0 :
491 DNS_SERVER_FEATURE_LEVEL_UDP;
492
493 } else if (s->packet_bad_opt &&
494 DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(s->possible_feature_level) &&
495 dns_server_get_dnssec_mode(s) != DNSSEC_YES &&
496 dns_server_get_dns_over_tls_mode(s) != DNS_OVER_TLS_YES) {
497
498 /* A reply to one of our EDNS0 queries didn't carry a valid OPT RR, then downgrade to
499 * below EDNS0 levels. After all, some servers generate different responses with and
500 * without OPT RR in the request. Example:
501 *
502 * https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html
503 *
504 * If we are in strict DNSSEC or DoT mode, we don't do this kind of downgrade
505 * however, as both modes imply EDNS0 to work (DNSSEC strictly requires it, and DoT
506 * only in our implementation). */
507
508 log_debug("Server doesn't support EDNS(0) properly, downgrading feature level...");
509 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
510
511 /* Users often don't control the DNS server they use so let's not complain too loudly
512 * when we can't use EDNS because the DNS server doesn't support it. */
513 log_level = LOG_NOTICE;
514
515 } else if (s->packet_do_off &&
516 DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(s->possible_feature_level) &&
517 dns_server_get_dnssec_mode(s) != DNSSEC_YES) {
518
519 /* The server didn't copy the DO bit from request to response, thus DNSSEC is not
520 * correctly implemented, let's downgrade if that's allowed. */
521
522 log_debug("Detected server didn't copy DO flag from request to response, downgrading feature level...");
523 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN :
524 DNS_SERVER_FEATURE_LEVEL_EDNS0;
525
526 } else if (s->packet_rrsig_missing &&
527 DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(s->possible_feature_level) &&
528 dns_server_get_dnssec_mode(s) != DNSSEC_YES) {
529
530 /* RRSIG data was missing on an EDNS0 packet with DO bit set. This means the server
531 * doesn't augment responses with DNSSEC RRs. If so, let's better not ask the server
532 * for it anymore, after all some servers generate different replies depending if an
533 * OPT RR is in the query or not. If we are in strict DNSSEC mode, don't allow such
534 * downgrades however, since a DNSSEC feature level is a requirement for strict
535 * DNSSEC mode. */
536
537 log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
538 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN :
539 DNS_SERVER_FEATURE_LEVEL_EDNS0;
540
541 } else if (s->n_failed_udp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
542 DNS_SERVER_FEATURE_LEVEL_IS_UDP(s->possible_feature_level) &&
543 ((s->possible_feature_level != DNS_SERVER_FEATURE_LEVEL_DO) || dns_server_get_dnssec_mode(s) != DNSSEC_YES)) {
544
545 /* We lost too many UDP packets in a row, and are on an UDP feature level. If the
546 * packets are lost, maybe the server cannot parse them, hence downgrading sounds
547 * like a good idea. We might downgrade all the way down to TCP this way.
548 *
549 * If strict DNSSEC mode is used we won't downgrade below DO level however, as packet loss
550 * might have many reasons, a broken DNSSEC implementation being only one reason. And if the
551 * user is strict on DNSSEC, then let's assume that DNSSEC is not the fault here. */
552
553 log_debug("Lost too many UDP packets, downgrading feature level...");
554 if (s->possible_feature_level == DNS_SERVER_FEATURE_LEVEL_DO) /* skip over TLS_PLAIN */
555 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0;
556 else
557 s->possible_feature_level--;
558
559 } else if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
560 s->packet_truncated &&
561 s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP &&
562 DNS_SERVER_FEATURE_LEVEL_IS_UDP(s->possible_feature_level) &&
563 (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(s->possible_feature_level) || dns_server_get_dnssec_mode(s) != DNSSEC_YES)) {
564
565 /* We got too many TCP connection failures in a row, we had at least one truncated
566 * packet, and are on feature level above UDP. By downgrading things and getting rid
567 * of DNSSEC or EDNS0 data we hope to make the packet smaller, so that it still
568 * works via UDP given that TCP appears not to be a fallback. Note that if we are
569 * already at the lowest UDP level, we don't go further down, since that's TCP, and
570 * TCP failed too often after all. */
571
572 log_debug("Got too many failed TCP connection failures and truncated UDP packets, downgrading feature level...");
573
574 if (DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(s->possible_feature_level))
575 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0; /* Go DNSSEC → EDNS0 */
576 else
577 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP; /* Go EDNS0 → UDP */
578 }
579
580 if (p != s->possible_feature_level) {
581
582 /* We changed the feature level, reset the counting */
583 dns_server_reset_counters(s);
584
585 log_full(log_level, "Using degraded feature set %s instead of %s for DNS server %s.",
586 dns_server_feature_level_to_string(s->possible_feature_level),
587 dns_server_feature_level_to_string(p), strna(dns_server_string_full(s)));
588 }
589 }
590
591 return s->possible_feature_level;
592 }
593
dns_server_adjust_opt(DnsServer * server,DnsPacket * packet,DnsServerFeatureLevel level)594 int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeatureLevel level) {
595 size_t packet_size, udp_size;
596 bool edns_do;
597 int r;
598
599 assert(server);
600 assert(packet);
601 assert(packet->protocol == DNS_PROTOCOL_DNS);
602
603 /* Fix the OPT field in the packet to match our current feature level. */
604
605 r = dns_packet_truncate_opt(packet);
606 if (r < 0)
607 return r;
608
609 if (level < DNS_SERVER_FEATURE_LEVEL_EDNS0)
610 return 0;
611
612 edns_do = level >= DNS_SERVER_FEATURE_LEVEL_DO;
613
614 udp_size = udp_header_size(server->family);
615
616 if (in_addr_is_localhost(server->family, &server->address) > 0)
617 packet_size = 65536 - udp_size; /* force linux loopback MTU if localhost address */
618 else {
619 /* Use the MTU pointing to the server, subtract the IP/UDP header size */
620 packet_size = LESS_BY(dns_server_get_mtu(server), udp_size);
621
622 /* On the Internet we want to avoid fragmentation for security reasons. If we saw
623 * fragmented packets, the above was too large, let's clamp it to the largest
624 * fragment we saw */
625 if (server->packet_fragmented)
626 packet_size = MIN(server->received_udp_fragment_max, packet_size);
627
628 /* Let's not pick ridiculously large sizes, i.e. not more than 4K. No one appears
629 * to ever use such large sized on the Internet IRL, hence let's not either. */
630 packet_size = MIN(packet_size, 4096U);
631 }
632
633 /* Strictly speaking we quite possibly can receive larger datagrams than the MTU (since the
634 * MTU is for egress, not for ingress), but more often than not the value is symmetric, and
635 * we want something that does the right thing in the majority of cases, and not just in the
636 * theoretical edge case. */
637
638 /* Safety clamp, never advertise less than 512 or more than 65535 */
639 packet_size = CLAMP(packet_size,
640 DNS_PACKET_UNICAST_SIZE_MAX,
641 DNS_PACKET_SIZE_MAX);
642
643 log_debug("Announcing packet size %zu in egress EDNS(0) packet.", packet_size);
644
645 return dns_packet_append_opt(packet, packet_size, edns_do, /* include_rfc6975 = */ true, NULL, 0, NULL);
646 }
647
dns_server_ifindex(const DnsServer * s)648 int dns_server_ifindex(const DnsServer *s) {
649 assert(s);
650
651 /* The link ifindex always takes precedence */
652 if (s->link)
653 return s->link->ifindex;
654
655 if (s->ifindex > 0)
656 return s->ifindex;
657
658 return 0;
659 }
660
dns_server_port(const DnsServer * s)661 uint16_t dns_server_port(const DnsServer *s) {
662 assert(s);
663
664 if (s->port > 0)
665 return s->port;
666
667 return 53;
668 }
669
dns_server_string(DnsServer * server)670 const char *dns_server_string(DnsServer *server) {
671 assert(server);
672
673 if (!server->server_string)
674 (void) in_addr_ifindex_to_string(server->family, &server->address, dns_server_ifindex(server), &server->server_string);
675
676 return server->server_string;
677 }
678
dns_server_string_full(DnsServer * server)679 const char *dns_server_string_full(DnsServer *server) {
680 assert(server);
681
682 if (!server->server_string_full)
683 (void) in_addr_port_ifindex_name_to_string(
684 server->family,
685 &server->address,
686 server->port,
687 dns_server_ifindex(server),
688 server->server_name,
689 &server->server_string_full);
690
691 return server->server_string_full;
692 }
693
dns_server_dnssec_supported(DnsServer * server)694 bool dns_server_dnssec_supported(DnsServer *server) {
695 assert(server);
696
697 /* Returns whether the server supports DNSSEC according to what we know about it */
698
699 if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
700 return true;
701
702 if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
703 return false;
704
705 if (server->packet_bad_opt)
706 return false;
707
708 if (server->packet_rrsig_missing)
709 return false;
710
711 if (server->packet_do_off)
712 return false;
713
714 /* DNSSEC servers need to support TCP properly (see RFC5966), if they don't, we assume DNSSEC is borked too */
715 if (server->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS)
716 return false;
717
718 return true;
719 }
720
dns_server_warn_downgrade(DnsServer * server)721 void dns_server_warn_downgrade(DnsServer *server) {
722 assert(server);
723
724 if (server->warned_downgrade)
725 return;
726
727 log_struct(LOG_NOTICE,
728 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_DOWNGRADE_STR,
729 LOG_MESSAGE("Server %s does not support DNSSEC, downgrading to non-DNSSEC mode.",
730 strna(dns_server_string_full(server))),
731 "DNS_SERVER=%s", strna(dns_server_string_full(server)),
732 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(server->possible_feature_level));
733
734 server->warned_downgrade = true;
735 }
736
dns_server_get_mtu(DnsServer * s)737 size_t dns_server_get_mtu(DnsServer *s) {
738 assert(s);
739
740 if (s->link && s->link->mtu != 0)
741 return s->link->mtu;
742
743 return manager_find_mtu(s->manager);
744 }
745
dns_server_hash_func(const DnsServer * s,struct siphash * state)746 static void dns_server_hash_func(const DnsServer *s, struct siphash *state) {
747 assert(s);
748
749 siphash24_compress(&s->family, sizeof(s->family), state);
750 siphash24_compress(&s->address, FAMILY_ADDRESS_SIZE(s->family), state);
751 siphash24_compress(&s->port, sizeof(s->port), state);
752 siphash24_compress(&s->ifindex, sizeof(s->ifindex), state);
753 siphash24_compress_string(s->server_name, state);
754 }
755
dns_server_compare_func(const DnsServer * x,const DnsServer * y)756 static int dns_server_compare_func(const DnsServer *x, const DnsServer *y) {
757 int r;
758
759 r = CMP(x->family, y->family);
760 if (r != 0)
761 return r;
762
763 r = memcmp(&x->address, &y->address, FAMILY_ADDRESS_SIZE(x->family));
764 if (r != 0)
765 return r;
766
767 r = CMP(x->port, y->port);
768 if (r != 0)
769 return r;
770
771 r = CMP(x->ifindex, y->ifindex);
772 if (r != 0)
773 return r;
774
775 return streq_ptr(x->server_name, y->server_name);
776 }
777
778 DEFINE_HASH_OPS(dns_server_hash_ops, DnsServer, dns_server_hash_func, dns_server_compare_func);
779
dns_server_unlink_all(DnsServer * first)780 void dns_server_unlink_all(DnsServer *first) {
781 DnsServer *next;
782
783 if (!first)
784 return;
785
786 next = first->servers_next;
787 dns_server_unlink(first);
788
789 dns_server_unlink_all(next);
790 }
791
dns_server_unlink_marked(DnsServer * server)792 bool dns_server_unlink_marked(DnsServer *server) {
793 bool changed = false;
794
795 while (server) {
796 DnsServer *next;
797
798 next = server->servers_next;
799
800 if (server->marked) {
801 dns_server_unlink(server);
802 changed = true;
803 }
804
805 server = next;
806 }
807
808 return changed;
809 }
810
dns_server_mark_all(DnsServer * server)811 void dns_server_mark_all(DnsServer *server) {
812 while (server) {
813 server->marked = true;
814 server = server->servers_next;
815 }
816 }
817
dns_server_find(DnsServer * first,int family,const union in_addr_union * in_addr,uint16_t port,int ifindex,const char * name)818 DnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr, uint16_t port, int ifindex, const char *name) {
819 LIST_FOREACH(servers, s, first)
820 if (s->family == family &&
821 in_addr_equal(family, &s->address, in_addr) > 0 &&
822 s->port == port &&
823 s->ifindex == ifindex &&
824 streq_ptr(s->server_name, name))
825 return s;
826
827 return NULL;
828 }
829
manager_get_first_dns_server(Manager * m,DnsServerType t)830 DnsServer *manager_get_first_dns_server(Manager *m, DnsServerType t) {
831 assert(m);
832
833 switch (t) {
834
835 case DNS_SERVER_SYSTEM:
836 return m->dns_servers;
837
838 case DNS_SERVER_FALLBACK:
839 return m->fallback_dns_servers;
840
841 default:
842 return NULL;
843 }
844 }
845
manager_set_dns_server(Manager * m,DnsServer * s)846 DnsServer *manager_set_dns_server(Manager *m, DnsServer *s) {
847 assert(m);
848
849 if (m->current_dns_server == s)
850 return s;
851
852 /* Let's log about the server switch, at debug level. Except if we switch from a non-fallback server
853 * to a fallback server or back, since that is noteworthy and possibly a configuration issue */
854 if (s)
855 log_full((s->type == DNS_SERVER_FALLBACK) != (m->current_dns_server && m->current_dns_server->type == DNS_SERVER_FALLBACK) ? LOG_NOTICE : LOG_DEBUG,
856 "Switching to %s DNS server %s.", dns_server_type_to_string(s->type), strna(dns_server_string_full(s)));
857
858 dns_server_unref(m->current_dns_server);
859 m->current_dns_server = dns_server_ref(s);
860
861 if (m->unicast_scope)
862 dns_cache_flush(&m->unicast_scope->cache);
863
864 (void) manager_send_changed(m, "CurrentDNSServer");
865
866 return s;
867 }
868
manager_get_dns_server(Manager * m)869 DnsServer *manager_get_dns_server(Manager *m) {
870 Link *l;
871 assert(m);
872
873 /* Try to read updates resolv.conf */
874 manager_read_resolv_conf(m);
875
876 /* If no DNS server was chosen so far, pick the first one */
877 if (!m->current_dns_server ||
878 /* In case m->current_dns_server != m->dns_servers */
879 manager_server_is_stub(m, m->current_dns_server))
880 manager_set_dns_server(m, m->dns_servers);
881
882 while (m->current_dns_server &&
883 manager_server_is_stub(m, m->current_dns_server)) {
884 manager_next_dns_server(m, NULL);
885 if (m->current_dns_server == m->dns_servers)
886 manager_set_dns_server(m, NULL);
887 }
888
889 if (!m->current_dns_server) {
890 bool found = false;
891
892 /* No DNS servers configured, let's see if there are
893 * any on any links. If not, we use the fallback
894 * servers */
895
896 HASHMAP_FOREACH(l, m->links)
897 if (l->dns_servers) {
898 found = true;
899 break;
900 }
901
902 if (!found)
903 manager_set_dns_server(m, m->fallback_dns_servers);
904 }
905
906 return m->current_dns_server;
907 }
908
manager_next_dns_server(Manager * m,DnsServer * if_current)909 void manager_next_dns_server(Manager *m, DnsServer *if_current) {
910 assert(m);
911
912 /* If the DNS server is already a different one than the one specified in 'if_current' don't do anything */
913 if (if_current && m->current_dns_server != if_current)
914 return;
915
916 /* If there's currently no DNS server set, then the next manager_get_dns_server() will find one */
917 if (!m->current_dns_server)
918 return;
919
920 /* Change to the next one, but make sure to follow the linked list only if the server is still
921 * linked. */
922 if (m->current_dns_server->linked && m->current_dns_server->servers_next) {
923 manager_set_dns_server(m, m->current_dns_server->servers_next);
924 return;
925 }
926
927 /* If there was no next one, then start from the beginning of the list */
928 if (m->current_dns_server->type == DNS_SERVER_FALLBACK)
929 manager_set_dns_server(m, m->fallback_dns_servers);
930 else
931 manager_set_dns_server(m, m->dns_servers);
932 }
933
dns_server_get_dnssec_mode(DnsServer * s)934 DnssecMode dns_server_get_dnssec_mode(DnsServer *s) {
935 assert(s);
936
937 if (s->link)
938 return link_get_dnssec_mode(s->link);
939
940 return manager_get_dnssec_mode(s->manager);
941 }
942
dns_server_get_dns_over_tls_mode(DnsServer * s)943 DnsOverTlsMode dns_server_get_dns_over_tls_mode(DnsServer *s) {
944 assert(s);
945
946 if (s->link)
947 return link_get_dns_over_tls_mode(s->link);
948
949 return manager_get_dns_over_tls_mode(s->manager);
950 }
951
dns_server_flush_cache(DnsServer * s)952 void dns_server_flush_cache(DnsServer *s) {
953 DnsServer *current;
954 DnsScope *scope;
955
956 assert(s);
957
958 /* Flush the cache of the scope this server belongs to */
959
960 current = s->link ? s->link->current_dns_server : s->manager->current_dns_server;
961 if (current != s)
962 return;
963
964 scope = s->link ? s->link->unicast_scope : s->manager->unicast_scope;
965 if (!scope)
966 return;
967
968 dns_cache_flush(&scope->cache);
969 }
970
dns_server_reset_features(DnsServer * s)971 void dns_server_reset_features(DnsServer *s) {
972 assert(s);
973
974 s->verified_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
975 s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_BEST;
976
977 s->received_udp_fragment_max = DNS_PACKET_UNICAST_SIZE_MAX;
978
979 s->packet_bad_opt = false;
980 s->packet_rrsig_missing = false;
981 s->packet_do_off = false;
982
983 s->features_grace_period_usec = DNS_SERVER_FEATURE_GRACE_PERIOD_MIN_USEC;
984
985 s->warned_downgrade = false;
986
987 dns_server_reset_counters(s);
988
989 /* Let's close the default stream, so that we reprobe with the new features */
990 dns_server_unref_stream(s);
991 }
992
dns_server_reset_features_all(DnsServer * s)993 void dns_server_reset_features_all(DnsServer *s) {
994 LIST_FOREACH(servers, i, s)
995 dns_server_reset_features(i);
996 }
997
dns_server_dump(DnsServer * s,FILE * f)998 void dns_server_dump(DnsServer *s, FILE *f) {
999 assert(s);
1000
1001 if (!f)
1002 f = stdout;
1003
1004 fputs("[Server ", f);
1005 fputs(strna(dns_server_string_full(s)), f);
1006 fputs(" type=", f);
1007 fputs(dns_server_type_to_string(s->type), f);
1008
1009 if (s->type == DNS_SERVER_LINK) {
1010 assert(s->link);
1011
1012 fputs(" interface=", f);
1013 fputs(s->link->ifname, f);
1014 }
1015
1016 fputs("]\n", f);
1017
1018 fputs("\tVerified feature level: ", f);
1019 fputs(strna(dns_server_feature_level_to_string(s->verified_feature_level)), f);
1020 fputc('\n', f);
1021
1022 fputs("\tPossible feature level: ", f);
1023 fputs(strna(dns_server_feature_level_to_string(s->possible_feature_level)), f);
1024 fputc('\n', f);
1025
1026 fputs("\tDNSSEC Mode: ", f);
1027 fputs(strna(dnssec_mode_to_string(dns_server_get_dnssec_mode(s))), f);
1028 fputc('\n', f);
1029
1030 fputs("\tCan do DNSSEC: ", f);
1031 fputs(yes_no(dns_server_dnssec_supported(s)), f);
1032 fputc('\n', f);
1033
1034 fprintf(f,
1035 "\tMaximum UDP fragment size received: %zu\n"
1036 "\tFailed UDP attempts: %u\n"
1037 "\tFailed TCP attempts: %u\n"
1038 "\tSeen truncated packet: %s\n"
1039 "\tSeen OPT RR getting lost: %s\n"
1040 "\tSeen RRSIG RR missing: %s\n"
1041 "\tSeen invalid packet: %s\n"
1042 "\tServer dropped DO flag: %s\n",
1043 s->received_udp_fragment_max,
1044 s->n_failed_udp,
1045 s->n_failed_tcp,
1046 yes_no(s->packet_truncated),
1047 yes_no(s->packet_bad_opt),
1048 yes_no(s->packet_rrsig_missing),
1049 yes_no(s->packet_invalid),
1050 yes_no(s->packet_do_off));
1051 }
1052
dns_server_unref_stream(DnsServer * s)1053 void dns_server_unref_stream(DnsServer *s) {
1054 DnsStream *ref;
1055
1056 assert(s);
1057
1058 /* Detaches the default stream of this server. Some special care needs to be taken here, as that stream and
1059 * this server reference each other. First, take the stream out of the server. It's destructor will check if it
1060 * is registered with us, hence let's invalidate this separately, so that it is already unregistered. */
1061 ref = TAKE_PTR(s->stream);
1062
1063 /* And then, unref it */
1064 dns_stream_unref(ref);
1065 }
1066
dns_server_scope(DnsServer * s)1067 DnsScope *dns_server_scope(DnsServer *s) {
1068 assert(s);
1069 assert((s->type == DNS_SERVER_LINK) == !!s->link);
1070
1071 if (s->link)
1072 return s->link->unicast_scope;
1073
1074 return s->manager->unicast_scope;
1075 }
1076
1077 static const char* const dns_server_type_table[_DNS_SERVER_TYPE_MAX] = {
1078 [DNS_SERVER_SYSTEM] = "system",
1079 [DNS_SERVER_FALLBACK] = "fallback",
1080 [DNS_SERVER_LINK] = "link",
1081 };
1082 DEFINE_STRING_TABLE_LOOKUP(dns_server_type, DnsServerType);
1083
1084 static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVEL_MAX] = {
1085 [DNS_SERVER_FEATURE_LEVEL_TCP] = "TCP",
1086 [DNS_SERVER_FEATURE_LEVEL_UDP] = "UDP",
1087 [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0",
1088 [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0",
1089 [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO",
1090 [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0",
1091 };
1092 DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel);
1093