diff options
| author |   Lennart Poettering <lennart@poettering.net> | 2024-03-05 13:48:59 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2024-03-05 15:31:32 +0100 |
| commit | 6399be223b73ce520654242ad08de387b08b738a (patch) | |
| tree | b300217662581af1826129d4a9a789471f3716a8 | |
| parent | resolved: make outselves authoritative for /etc/hosts entries in full (diff) | |
| download | systemd-6399be223b73ce520654242ad08de387b08b738a.tar.xz systemd-6399be223b73ce520654242ad08de387b08b738a.zip | |
resolved: make resolved authoritative in resolveing our local host name
This is a kinda a follow-up for ce266330fc3bd6767451ac3400336cd9acebe9c1: it
makes resolved authoritative on our local hostname, and never contacts
DNS anymore for it.
We effectively already were authoritative for it, except if the user
queried for other RR types than just A/AAAA. This closes the gap and
refuses routing other RR type queries to DNS.
Fixes: #23662
| -rw-r--r-- | docs/ENVIRONMENT.md | 3 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-query.c | 4 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-scope.c | 5 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-synthesize.c | 19 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-synthesize.h | 2 |
5 files changed, 30 insertions, 3 deletions
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md index 00492829bdc..4d3b7a26362 100644 --- a/docs/ENVIRONMENT.md +++ b/docs/ENVIRONMENT.md @@ -357,7 +357,8 @@ All tools: `systemd-resolved`: * `$SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME` — if set to "0", `systemd-resolved` - won't synthesize system hostname on both regular and reverse lookups. + won't synthesize A/AAAA/PTR RRs for the system hostname on either regular nor + reverse lookups. `systemd-sysext`: diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c index cb2368c67a3..801bbe8007e 100644 --- a/src/resolve/resolved-dns-query.c +++ b/src/resolve/resolved-dns-query.c @@ -672,6 +672,8 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) { q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC; *state = DNS_TRANSACTION_RCODE_FAILURE; + log_debug("Found synthetic NXDOMAIN response."); + return 0; } if (r <= 0) @@ -687,6 +689,8 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) { *state = DNS_TRANSACTION_SUCCESS; + log_debug("Found synthetic success response."); + return 1; } diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c index 0b5e907bcf9..7f7e8626d14 100644 --- a/src/resolve/resolved-dns-scope.c +++ b/src/resolve/resolved-dns-scope.c @@ -12,6 +12,7 @@ #include "random-util.h" #include "resolved-dnssd.h" #include "resolved-dns-scope.h" +#include "resolved-dns-synthesize.h" #include "resolved-dns-zone.h" #include "resolved-llmnr.h" #include "resolved-mdns.h" @@ -653,6 +654,10 @@ DnsScopeMatch dns_scope_good_domain( is_dns_proxy_stub_hostname(domain)) return DNS_SCOPE_NO; + /* Don't look up the local host name via the network, unless user turned of local synthesis of it */ + if (manager_is_own_hostname(s->manager, domain) && shall_synthesize_own_hostname_rrs()) + return DNS_SCOPE_NO; + /* Never send SOA or NS or DNSSEC request to LLMNR, where they make little sense. */ r = dns_question_types_suitable_for_protocol(question, s->protocol); if (r <= 0) diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c index 5bde29c704b..6f483fdf0e6 100644 --- a/src/resolve/resolved-dns-synthesize.c +++ b/src/resolve/resolved-dns-synthesize.c @@ -439,6 +439,20 @@ static int synthesize_gateway_ptr( return answer_add_addresses_ptr(answer, "_gateway", addresses, n, af, address); } +bool shall_synthesize_own_hostname_rrs(void) { + static int cached = -1; + int r; + + if (cached >= 0) + return cached; + + r = secure_getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME"); + if (r < 0 && r != -ENXIO) + log_debug_errno(r, "Failed to parse $SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME: %m"); + + return (cached = r != 0); +} + int dns_synthesize_answer( Manager *m, DnsQuestion *q, @@ -479,8 +493,9 @@ int dns_synthesize_answer( } else if (manager_is_own_hostname(m, name)) { - if (getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME") == 0) + if (!shall_synthesize_own_hostname_rrs()) continue; + r = synthesize_system_hostname_rr(m, key, ifindex, &answer); if (r < 0) return log_error_errno(r, "Failed to synthesize system hostname RRs: %m"); @@ -530,7 +545,7 @@ int dns_synthesize_answer( } else if (dns_name_address(name, &af, &address) > 0) { int v, w, u; - if (getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME") == 0) + if (!shall_synthesize_own_hostname_rrs()) continue; v = synthesize_system_hostname_ptr(m, af, &address, ifindex, &answer); diff --git a/src/resolve/resolved-dns-synthesize.h b/src/resolve/resolved-dns-synthesize.h index bf271e862d5..ca39e682b4d 100644 --- a/src/resolve/resolved-dns-synthesize.h +++ b/src/resolve/resolved-dns-synthesize.h @@ -9,3 +9,5 @@ int dns_synthesize_family(uint64_t flags); DnsProtocol dns_synthesize_protocol(uint64_t flags); int dns_synthesize_answer(Manager *m, DnsQuestion *q, int ifindex, DnsAnswer **ret); + +bool shall_synthesize_own_hostname_rrs(void); |