mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
resolved: support for DNS-over-TLS
Add support for DNS-over-TLS using GnuTLS. To reduce latency also TLS False Start and TLS session resumption is supported.
This commit is contained in:
parent
91ccab1e40
commit
5d67a7ae74
14
meson.build
14
meson.build
@ -1137,6 +1137,18 @@ conf.set('DEFAULT_DNSSEC_MODE',
|
|||||||
'DNSSEC_' + default_dnssec.underscorify().to_upper())
|
'DNSSEC_' + default_dnssec.underscorify().to_upper())
|
||||||
substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
|
substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
|
||||||
|
|
||||||
|
default_private_dns = get_option('default-private-dns')
|
||||||
|
if fuzzer_build
|
||||||
|
default_private_dns = 'no'
|
||||||
|
endif
|
||||||
|
if default_private_dns != 'no' and conf.get('HAVE_GNUTLS') == 0
|
||||||
|
message('default-private-dns cannot be set to strict or opportunistic when gnutls is disabled. Setting default-private-dns to no.')
|
||||||
|
default_private_dns = 'no'
|
||||||
|
endif
|
||||||
|
conf.set('DEFAULT_PRIVATE_DNS_MODE',
|
||||||
|
'PRIVATE_DNS_' + default_private_dns.underscorify().to_upper())
|
||||||
|
substs.set('DEFAULT_PRIVATE_DNS_MODE', default_private_dns)
|
||||||
|
|
||||||
want_importd = get_option('importd')
|
want_importd = get_option('importd')
|
||||||
if want_importd != 'false'
|
if want_importd != 'false'
|
||||||
have = (conf.get('HAVE_LIBCURL') == 1 and
|
have = (conf.get('HAVE_LIBCURL') == 1 and
|
||||||
@ -1585,6 +1597,7 @@ if conf.get('ENABLE_RESOLVE') == 1
|
|||||||
libbasic_gcrypt,
|
libbasic_gcrypt,
|
||||||
libsystemd_resolve_core],
|
libsystemd_resolve_core],
|
||||||
dependencies : [threads,
|
dependencies : [threads,
|
||||||
|
libgnutls,
|
||||||
libgpg_error,
|
libgpg_error,
|
||||||
libm,
|
libm,
|
||||||
libidn],
|
libidn],
|
||||||
@ -2857,6 +2870,7 @@ status = [
|
|||||||
'symbolic gateway hostnames: @0@'.format(', '.join(gateway_hostnames)),
|
'symbolic gateway hostnames: @0@'.format(', '.join(gateway_hostnames)),
|
||||||
|
|
||||||
'default DNSSEC mode: @0@'.format(default_dnssec),
|
'default DNSSEC mode: @0@'.format(default_dnssec),
|
||||||
|
'default private DNS mode: @0@'.format(default_private_dns),
|
||||||
'default cgroup hierarchy: @0@'.format(default_hierarchy),
|
'default cgroup hierarchy: @0@'.format(default_hierarchy),
|
||||||
'default KillUserProcesses setting: @0@'.format(kill_user_processes)]
|
'default KillUserProcesses setting: @0@'.format(kill_user_processes)]
|
||||||
|
|
||||||
|
@ -193,6 +193,10 @@ option('default-dnssec', type : 'combo',
|
|||||||
description : 'default DNSSEC mode',
|
description : 'default DNSSEC mode',
|
||||||
choices : ['yes', 'allow-downgrade', 'no'],
|
choices : ['yes', 'allow-downgrade', 'no'],
|
||||||
value : 'allow-downgrade')
|
value : 'allow-downgrade')
|
||||||
|
option('default-private-dns', type : 'combo',
|
||||||
|
description : 'default private DNS mode',
|
||||||
|
choices : ['opportunistic', 'no'],
|
||||||
|
value : 'no')
|
||||||
option('dns-servers', type : 'string',
|
option('dns-servers', type : 'string',
|
||||||
description : 'space-separated list of default DNS servers',
|
description : 'space-separated list of default DNS servers',
|
||||||
value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844')
|
value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844')
|
||||||
|
@ -396,6 +396,13 @@ int manager_parse_config_file(Manager *m) {
|
|||||||
m->dnssec_mode = DNSSEC_NO;
|
m->dnssec_mode = DNSSEC_NO;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if ! HAVE_GNUTLS
|
||||||
|
if (m->private_dns_mode != PRIVATE_DNS_NO) {
|
||||||
|
log_warning("Private DNS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off private DNS support.");
|
||||||
|
m->private_dns_mode = PRIVATE_DNS_NO;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -56,8 +56,12 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int
|
|||||||
s->dnssec_mode = link_get_dnssec_mode(l);
|
s->dnssec_mode = link_get_dnssec_mode(l);
|
||||||
else
|
else
|
||||||
s->dnssec_mode = manager_get_dnssec_mode(m);
|
s->dnssec_mode = manager_get_dnssec_mode(m);
|
||||||
} else
|
|
||||||
|
s->private_dns_mode = manager_get_private_dns_mode(m);
|
||||||
|
} else {
|
||||||
s->dnssec_mode = DNSSEC_NO;
|
s->dnssec_mode = DNSSEC_NO;
|
||||||
|
s->private_dns_mode = PRIVATE_DNS_NO;
|
||||||
|
}
|
||||||
|
|
||||||
LIST_PREPEND(scopes, m->dns_scopes, s);
|
LIST_PREPEND(scopes, m->dns_scopes, s);
|
||||||
|
|
||||||
|
@ -35,6 +35,7 @@ struct DnsScope {
|
|||||||
DnsProtocol protocol;
|
DnsProtocol protocol;
|
||||||
int family;
|
int family;
|
||||||
DnssecMode dnssec_mode;
|
DnssecMode dnssec_mode;
|
||||||
|
PrivateDnsMode private_dns_mode;
|
||||||
|
|
||||||
Link *link;
|
Link *link;
|
||||||
|
|
||||||
|
@ -89,6 +89,11 @@ int dns_server_new(
|
|||||||
|
|
||||||
s->linked = true;
|
s->linked = true;
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
/* Do not verify cerificate */
|
||||||
|
gnutls_certificate_allocate_credentials(&s->tls_cert_cred);
|
||||||
|
#endif
|
||||||
|
|
||||||
/* A new DNS server that isn't fallback is added and the one
|
/* A new DNS server that isn't fallback is added and the one
|
||||||
* we used so far was a fallback one? Then let's try to pick
|
* we used so far was a fallback one? Then let's try to pick
|
||||||
* the new one */
|
* the new one */
|
||||||
@ -125,6 +130,14 @@ DnsServer* dns_server_unref(DnsServer *s) {
|
|||||||
|
|
||||||
dns_stream_unref(s->stream);
|
dns_stream_unref(s->stream);
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
if (s->tls_cert_cred)
|
||||||
|
gnutls_certificate_free_credentials(s->tls_cert_cred);
|
||||||
|
|
||||||
|
if (s->tls_session_data.data)
|
||||||
|
gnutls_free(s->tls_session_data.data);
|
||||||
|
#endif
|
||||||
|
|
||||||
free(s->server_string);
|
free(s->server_string);
|
||||||
return mfree(s);
|
return mfree(s);
|
||||||
}
|
}
|
||||||
@ -236,6 +249,7 @@ static void dns_server_reset_counters(DnsServer *s) {
|
|||||||
|
|
||||||
s->n_failed_udp = 0;
|
s->n_failed_udp = 0;
|
||||||
s->n_failed_tcp = 0;
|
s->n_failed_tcp = 0;
|
||||||
|
s->n_failed_tls = 0;
|
||||||
s->packet_truncated = false;
|
s->packet_truncated = false;
|
||||||
s->verified_usec = 0;
|
s->verified_usec = 0;
|
||||||
|
|
||||||
@ -257,29 +271,32 @@ void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLeve
|
|||||||
if (protocol == IPPROTO_UDP) {
|
if (protocol == IPPROTO_UDP) {
|
||||||
if (s->possible_feature_level == level)
|
if (s->possible_feature_level == level)
|
||||||
s->n_failed_udp = 0;
|
s->n_failed_udp = 0;
|
||||||
|
|
||||||
/* If the RRSIG data is missing, then we can only validate EDNS0 at max */
|
|
||||||
if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO)
|
|
||||||
level = DNS_SERVER_FEATURE_LEVEL_DO - 1;
|
|
||||||
|
|
||||||
/* If the OPT RR got lost, then we can only validate UDP at max */
|
|
||||||
if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
|
|
||||||
level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1;
|
|
||||||
|
|
||||||
/* Even if we successfully receive a reply to a request announcing support for large packets,
|
|
||||||
that does not mean we can necessarily receive large packets. */
|
|
||||||
if (level == DNS_SERVER_FEATURE_LEVEL_LARGE)
|
|
||||||
level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1;
|
|
||||||
|
|
||||||
} else if (protocol == IPPROTO_TCP) {
|
} else if (protocol == IPPROTO_TCP) {
|
||||||
|
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level)) {
|
||||||
|
if (s->possible_feature_level == level)
|
||||||
|
s->n_failed_tls = 0;
|
||||||
|
} else {
|
||||||
|
if (s->possible_feature_level == level)
|
||||||
|
s->n_failed_tcp = 0;
|
||||||
|
|
||||||
if (s->possible_feature_level == level)
|
/* Successful TCP connections are only useful to verify the TCP feature level. */
|
||||||
s->n_failed_tcp = 0;
|
level = DNS_SERVER_FEATURE_LEVEL_TCP;
|
||||||
|
}
|
||||||
/* Successful TCP connections are only useful to verify the TCP feature level. */
|
|
||||||
level = DNS_SERVER_FEATURE_LEVEL_TCP;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* If the RRSIG data is missing, then we can only validate EDNS0 at max */
|
||||||
|
if (s->packet_rrsig_missing && level >= DNS_SERVER_FEATURE_LEVEL_DO)
|
||||||
|
level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0;
|
||||||
|
|
||||||
|
/* If the OPT RR got lost, then we can only validate UDP at max */
|
||||||
|
if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
|
||||||
|
level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1;
|
||||||
|
|
||||||
|
/* Even if we successfully receive a reply to a request announcing support for large packets,
|
||||||
|
that does not mean we can necessarily receive large packets. */
|
||||||
|
if (level == DNS_SERVER_FEATURE_LEVEL_LARGE)
|
||||||
|
level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1;
|
||||||
|
|
||||||
dns_server_verified(s, level);
|
dns_server_verified(s, level);
|
||||||
|
|
||||||
/* Remember the size of the largest UDP packet we received from a server,
|
/* Remember the size of the largest UDP packet we received from a server,
|
||||||
@ -304,8 +321,12 @@ void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel le
|
|||||||
if (s->possible_feature_level == level) {
|
if (s->possible_feature_level == level) {
|
||||||
if (protocol == IPPROTO_UDP)
|
if (protocol == IPPROTO_UDP)
|
||||||
s->n_failed_udp++;
|
s->n_failed_udp++;
|
||||||
else if (protocol == IPPROTO_TCP)
|
else if (protocol == IPPROTO_TCP) {
|
||||||
s->n_failed_tcp++;
|
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(level))
|
||||||
|
s->n_failed_tls++;
|
||||||
|
else
|
||||||
|
s->n_failed_tcp++;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->resend_timeout > usec)
|
if (s->resend_timeout > usec)
|
||||||
@ -333,7 +354,7 @@ void dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level)
|
|||||||
|
|
||||||
/* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
|
/* If the RRSIG RRs are missing, we have to downgrade what we previously verified */
|
||||||
if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO)
|
if (s->verified_feature_level >= DNS_SERVER_FEATURE_LEVEL_DO)
|
||||||
s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_DO-1;
|
s->verified_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0;
|
||||||
|
|
||||||
s->packet_rrsig_missing = true;
|
s->packet_rrsig_missing = true;
|
||||||
}
|
}
|
||||||
@ -395,9 +416,14 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
|
|||||||
|
|
||||||
/* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
|
/* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
|
||||||
* better than EDNS0, hence don't even try. */
|
* better than EDNS0, hence don't even try. */
|
||||||
best = dns_server_get_dnssec_mode(s) == DNSSEC_NO ?
|
if (dns_server_get_dnssec_mode(s) != DNSSEC_NO)
|
||||||
DNS_SERVER_FEATURE_LEVEL_EDNS0 :
|
best = dns_server_get_private_dns_mode(s) == PRIVATE_DNS_NO ?
|
||||||
DNS_SERVER_FEATURE_LEVEL_BEST;
|
DNS_SERVER_FEATURE_LEVEL_LARGE :
|
||||||
|
DNS_SERVER_FEATURE_LEVEL_TLS_DO;
|
||||||
|
else
|
||||||
|
best = dns_server_get_private_dns_mode(s) == PRIVATE_DNS_NO ?
|
||||||
|
DNS_SERVER_FEATURE_LEVEL_EDNS0 :
|
||||||
|
DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
|
||||||
|
|
||||||
/* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last
|
/* Clamp the feature level the highest level we care about. The DNSSEC mode might have changed since the last
|
||||||
* time, hence let's downgrade if we are still at a higher level. */
|
* time, hence let's downgrade if we are still at a higher level. */
|
||||||
@ -431,7 +457,14 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
|
|||||||
* work. Upgrade back to UDP again. */
|
* work. Upgrade back to UDP again. */
|
||||||
log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
|
log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
|
||||||
s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
|
s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
|
||||||
|
} else if (s->n_failed_tls > 0 &&
|
||||||
|
DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level)) {
|
||||||
|
|
||||||
|
/* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP
|
||||||
|
* if we don't require DNS-over-TLS */
|
||||||
|
|
||||||
|
log_debug("Server doesn't support seem to support DNS-over-TLS, downgrading protocol...");
|
||||||
|
s->possible_feature_level--;
|
||||||
} else if (s->packet_bad_opt &&
|
} else if (s->packet_bad_opt &&
|
||||||
s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
|
s->possible_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
|
||||||
|
|
||||||
@ -452,7 +485,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
|
|||||||
* not. */
|
* not. */
|
||||||
|
|
||||||
log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
|
log_debug("Detected server responses lack RRSIG records, downgrading feature level...");
|
||||||
s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_EDNS0;
|
s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) ? DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN : DNS_SERVER_FEATURE_LEVEL_EDNS0;
|
||||||
|
|
||||||
} else if (s->n_failed_udp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
|
} else if (s->n_failed_udp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
|
||||||
s->possible_feature_level >= (dns_server_get_dnssec_mode(s) == DNSSEC_YES ? DNS_SERVER_FEATURE_LEVEL_LARGE : DNS_SERVER_FEATURE_LEVEL_UDP)) {
|
s->possible_feature_level >= (dns_server_get_dnssec_mode(s) == DNSSEC_YES ? DNS_SERVER_FEATURE_LEVEL_LARGE : DNS_SERVER_FEATURE_LEVEL_UDP)) {
|
||||||
@ -795,6 +828,12 @@ DnssecMode dns_server_get_dnssec_mode(DnsServer *s) {
|
|||||||
return manager_get_dnssec_mode(s->manager);
|
return manager_get_dnssec_mode(s->manager);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
PrivateDnsMode dns_server_get_private_dns_mode(DnsServer *s) {
|
||||||
|
assert(s);
|
||||||
|
|
||||||
|
return manager_get_private_dns_mode(s->manager);
|
||||||
|
}
|
||||||
|
|
||||||
void dns_server_flush_cache(DnsServer *s) {
|
void dns_server_flush_cache(DnsServer *s) {
|
||||||
DnsServer *current;
|
DnsServer *current;
|
||||||
DnsScope *scope;
|
DnsScope *scope;
|
||||||
@ -904,7 +943,9 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE
|
|||||||
[DNS_SERVER_FEATURE_LEVEL_TCP] = "TCP",
|
[DNS_SERVER_FEATURE_LEVEL_TCP] = "TCP",
|
||||||
[DNS_SERVER_FEATURE_LEVEL_UDP] = "UDP",
|
[DNS_SERVER_FEATURE_LEVEL_UDP] = "UDP",
|
||||||
[DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0",
|
[DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0",
|
||||||
|
[DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0",
|
||||||
[DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO",
|
[DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO",
|
||||||
[DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE",
|
[DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE",
|
||||||
|
[DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0",
|
||||||
};
|
};
|
||||||
DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel);
|
DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel);
|
||||||
|
@ -9,6 +9,10 @@
|
|||||||
|
|
||||||
#include "in-addr-util.h"
|
#include "in-addr-util.h"
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
#include <gnutls/gnutls.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
typedef struct DnsServer DnsServer;
|
typedef struct DnsServer DnsServer;
|
||||||
|
|
||||||
typedef enum DnsServerType {
|
typedef enum DnsServerType {
|
||||||
@ -25,14 +29,17 @@ typedef enum DnsServerFeatureLevel {
|
|||||||
DNS_SERVER_FEATURE_LEVEL_TCP,
|
DNS_SERVER_FEATURE_LEVEL_TCP,
|
||||||
DNS_SERVER_FEATURE_LEVEL_UDP,
|
DNS_SERVER_FEATURE_LEVEL_UDP,
|
||||||
DNS_SERVER_FEATURE_LEVEL_EDNS0,
|
DNS_SERVER_FEATURE_LEVEL_EDNS0,
|
||||||
|
DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN,
|
||||||
DNS_SERVER_FEATURE_LEVEL_DO,
|
DNS_SERVER_FEATURE_LEVEL_DO,
|
||||||
DNS_SERVER_FEATURE_LEVEL_LARGE,
|
DNS_SERVER_FEATURE_LEVEL_LARGE,
|
||||||
|
DNS_SERVER_FEATURE_LEVEL_TLS_DO,
|
||||||
_DNS_SERVER_FEATURE_LEVEL_MAX,
|
_DNS_SERVER_FEATURE_LEVEL_MAX,
|
||||||
_DNS_SERVER_FEATURE_LEVEL_INVALID = -1
|
_DNS_SERVER_FEATURE_LEVEL_INVALID = -1
|
||||||
} DnsServerFeatureLevel;
|
} DnsServerFeatureLevel;
|
||||||
|
|
||||||
#define DNS_SERVER_FEATURE_LEVEL_WORST 0
|
#define DNS_SERVER_FEATURE_LEVEL_WORST 0
|
||||||
#define DNS_SERVER_FEATURE_LEVEL_BEST (_DNS_SERVER_FEATURE_LEVEL_MAX - 1)
|
#define DNS_SERVER_FEATURE_LEVEL_BEST (_DNS_SERVER_FEATURE_LEVEL_MAX - 1)
|
||||||
|
#define DNS_SERVER_FEATURE_LEVEL_IS_TLS(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_TLS_DO)
|
||||||
|
|
||||||
const char* dns_server_feature_level_to_string(int i) _const_;
|
const char* dns_server_feature_level_to_string(int i) _const_;
|
||||||
int dns_server_feature_level_from_string(const char *s) _pure_;
|
int dns_server_feature_level_from_string(const char *s) _pure_;
|
||||||
@ -55,6 +62,11 @@ struct DnsServer {
|
|||||||
char *server_string;
|
char *server_string;
|
||||||
DnsStream *stream;
|
DnsStream *stream;
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
gnutls_certificate_credentials_t tls_cert_cred;
|
||||||
|
gnutls_datum_t tls_session_data;
|
||||||
|
#endif
|
||||||
|
|
||||||
usec_t resend_timeout;
|
usec_t resend_timeout;
|
||||||
usec_t max_rtt;
|
usec_t max_rtt;
|
||||||
|
|
||||||
@ -65,6 +77,7 @@ struct DnsServer {
|
|||||||
|
|
||||||
unsigned n_failed_udp;
|
unsigned n_failed_udp;
|
||||||
unsigned n_failed_tcp;
|
unsigned n_failed_tcp;
|
||||||
|
unsigned n_failed_tls;
|
||||||
|
|
||||||
bool packet_truncated:1;
|
bool packet_truncated:1;
|
||||||
bool packet_bad_opt:1;
|
bool packet_bad_opt:1;
|
||||||
@ -134,6 +147,7 @@ void manager_next_dns_server(Manager *m);
|
|||||||
bool dns_server_address_valid(int family, const union in_addr_union *sa);
|
bool dns_server_address_valid(int family, const union in_addr_union *sa);
|
||||||
|
|
||||||
DnssecMode dns_server_get_dnssec_mode(DnsServer *s);
|
DnssecMode dns_server_get_dnssec_mode(DnsServer *s);
|
||||||
|
PrivateDnsMode dns_server_get_private_dns_mode(DnsServer *s);
|
||||||
|
|
||||||
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsServer*, dns_server_unref);
|
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsServer*, dns_server_unref);
|
||||||
|
|
||||||
|
@ -16,6 +16,8 @@
|
|||||||
#define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC)
|
#define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC)
|
||||||
#define DNS_STREAMS_MAX 128
|
#define DNS_STREAMS_MAX 128
|
||||||
|
|
||||||
|
#define WRITE_TLS_DATA 1
|
||||||
|
|
||||||
static void dns_stream_stop(DnsStream *s) {
|
static void dns_stream_stop(DnsStream *s) {
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
@ -47,7 +49,19 @@ static int dns_stream_update_io(DnsStream *s) {
|
|||||||
static int dns_stream_complete(DnsStream *s, int error) {
|
static int dns_stream_complete(DnsStream *s, int error) {
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
dns_stream_stop(s);
|
#if HAVE_GNUTLS
|
||||||
|
if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) {
|
||||||
|
int r;
|
||||||
|
|
||||||
|
r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR);
|
||||||
|
if (r == GNUTLS_E_AGAIN && !s->tls_bye) {
|
||||||
|
dns_stream_ref(s); /* keep reference for closing TLS session */
|
||||||
|
s->tls_bye = true;
|
||||||
|
} else
|
||||||
|
dns_stream_stop(s);
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
|
dns_stream_stop(s);
|
||||||
|
|
||||||
if (s->complete)
|
if (s->complete)
|
||||||
s->complete(s, error);
|
s->complete(s, error);
|
||||||
@ -182,12 +196,39 @@ static int dns_stream_identify(DnsStream *s) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt) {
|
static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) {
|
||||||
ssize_t r;
|
ssize_t r;
|
||||||
|
|
||||||
assert(s);
|
assert(s);
|
||||||
assert(iov);
|
assert(iov);
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
if (s->tls_session && !(flags & WRITE_TLS_DATA)) {
|
||||||
|
ssize_t ss;
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
r = 0;
|
||||||
|
for (i = 0; i < iovcnt; i++) {
|
||||||
|
ss = gnutls_record_send(s->tls_session, iov[i].iov_base, iov[i].iov_len);
|
||||||
|
if (ss < 0) {
|
||||||
|
switch(ss) {
|
||||||
|
|
||||||
|
case GNUTLS_E_INTERRUPTED:
|
||||||
|
return -EINTR;
|
||||||
|
case GNUTLS_E_AGAIN:
|
||||||
|
return -EAGAIN;
|
||||||
|
default:
|
||||||
|
log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss));
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
r += ss;
|
||||||
|
if (ss != (ssize_t) iov[i].iov_len)
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
if (s->tfo_salen > 0) {
|
if (s->tfo_salen > 0) {
|
||||||
struct msghdr hdr = {
|
struct msghdr hdr = {
|
||||||
.msg_iov = (struct iovec*) iov,
|
.msg_iov = (struct iovec*) iov,
|
||||||
@ -215,6 +256,54 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i
|
|||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
|
||||||
|
ssize_t ss;
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
if (s->tls_session) {
|
||||||
|
ss = gnutls_record_recv(s->tls_session, buf, count);
|
||||||
|
if (ss < 0) {
|
||||||
|
switch(ss) {
|
||||||
|
|
||||||
|
case GNUTLS_E_INTERRUPTED:
|
||||||
|
return -EINTR;
|
||||||
|
case GNUTLS_E_AGAIN:
|
||||||
|
return -EAGAIN;
|
||||||
|
default:
|
||||||
|
log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss));
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
} else if (s->on_connection) {
|
||||||
|
int r;
|
||||||
|
|
||||||
|
r = s->on_connection(s);
|
||||||
|
s->on_connection = NULL; /* only call once */
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
|
ss = read(s->fd, buf, count);
|
||||||
|
|
||||||
|
return ss;
|
||||||
|
}
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) {
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(p);
|
||||||
|
|
||||||
|
r = dns_stream_writev((DnsStream*) p, (struct iovec*) iov, iovcnt, WRITE_TLS_DATA);
|
||||||
|
if (r < 0) {
|
||||||
|
errno = -r;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) {
|
static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) {
|
||||||
DnsStream *s = userdata;
|
DnsStream *s = userdata;
|
||||||
|
|
||||||
@ -229,6 +318,40 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
|
|||||||
|
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
if (s->tls_bye) {
|
||||||
|
assert(s->tls_session);
|
||||||
|
|
||||||
|
r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR);
|
||||||
|
if (r != GNUTLS_E_AGAIN) {
|
||||||
|
s->tls_bye = false;
|
||||||
|
dns_stream_unref(s);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (s->tls_handshake < 0) {
|
||||||
|
assert(s->tls_session);
|
||||||
|
|
||||||
|
s->tls_handshake = gnutls_handshake(s->tls_session);
|
||||||
|
if (s->tls_handshake >= 0) {
|
||||||
|
if (s->on_connection && !(gnutls_session_get_flags(s->tls_session) & GNUTLS_SFLAGS_FALSE_START)) {
|
||||||
|
r = s->on_connection(s);
|
||||||
|
s->on_connection = NULL; /* only call once */
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (gnutls_error_is_fatal(s->tls_handshake))
|
||||||
|
return dns_stream_complete(s, ECONNREFUSED);
|
||||||
|
else
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/* only identify after connecting */
|
/* only identify after connecting */
|
||||||
if (s->tfo_salen == 0) {
|
if (s->tfo_salen == 0) {
|
||||||
r = dns_stream_identify(s);
|
r = dns_stream_identify(s);
|
||||||
@ -250,7 +373,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
|
|||||||
|
|
||||||
IOVEC_INCREMENT(iov, 2, s->n_written);
|
IOVEC_INCREMENT(iov, 2, s->n_written);
|
||||||
|
|
||||||
ss = dns_stream_writev(s, iov, 2);
|
ss = dns_stream_writev(s, iov, 2, 0);
|
||||||
if (ss < 0) {
|
if (ss < 0) {
|
||||||
if (!IN_SET(errno, EINTR, EAGAIN))
|
if (!IN_SET(errno, EINTR, EAGAIN))
|
||||||
return dns_stream_complete(s, errno);
|
return dns_stream_complete(s, errno);
|
||||||
@ -272,7 +395,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
|
|||||||
if (s->n_read < sizeof(s->read_size)) {
|
if (s->n_read < sizeof(s->read_size)) {
|
||||||
ssize_t ss;
|
ssize_t ss;
|
||||||
|
|
||||||
ss = read(fd, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read);
|
ss = dns_stream_read(s, (uint8_t*) &s->read_size + s->n_read, sizeof(s->read_size) - s->n_read);
|
||||||
if (ss < 0) {
|
if (ss < 0) {
|
||||||
if (!IN_SET(errno, EINTR, EAGAIN))
|
if (!IN_SET(errno, EINTR, EAGAIN))
|
||||||
return dns_stream_complete(s, errno);
|
return dns_stream_complete(s, errno);
|
||||||
@ -320,7 +443,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ss = read(fd,
|
ss = dns_stream_read(s,
|
||||||
(uint8_t*) DNS_PACKET_DATA(s->read_packet) + s->n_read - sizeof(s->read_size),
|
(uint8_t*) DNS_PACKET_DATA(s->read_packet) + s->n_read - sizeof(s->read_size),
|
||||||
sizeof(s->read_size) + be16toh(s->read_size) - s->n_read);
|
sizeof(s->read_size) + be16toh(s->read_size) - s->n_read);
|
||||||
if (ss < 0) {
|
if (ss < 0) {
|
||||||
@ -380,6 +503,11 @@ DnsStream *dns_stream_unref(DnsStream *s) {
|
|||||||
s->manager->n_dns_streams--;
|
s->manager->n_dns_streams--;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
if (s->tls_session)
|
||||||
|
gnutls_deinit(s->tls_session);
|
||||||
|
#endif
|
||||||
|
|
||||||
ORDERED_SET_FOREACH(p, s->write_queue, i)
|
ORDERED_SET_FOREACH(p, s->write_queue, i)
|
||||||
dns_packet_unref(ordered_set_remove(s->write_queue, p));
|
dns_packet_unref(ordered_set_remove(s->write_queue, p));
|
||||||
|
|
||||||
@ -456,6 +584,21 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, co
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) {
|
||||||
|
gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s);
|
||||||
|
gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev);
|
||||||
|
|
||||||
|
s->encrypted = true;
|
||||||
|
s->tls_session = tls_session;
|
||||||
|
s->tls_handshake = gnutls_handshake(tls_session);
|
||||||
|
if (s->tls_handshake < 0 && gnutls_error_is_fatal(s->tls_handshake))
|
||||||
|
return -ECONNREFUSED;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
int dns_stream_write_packet(DnsStream *s, DnsPacket *p) {
|
int dns_stream_write_packet(DnsStream *s, DnsPacket *p) {
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
@ -15,6 +15,10 @@ typedef struct DnsStream DnsStream;
|
|||||||
#include "resolved-dns-transaction.h"
|
#include "resolved-dns-transaction.h"
|
||||||
#include "resolved-manager.h"
|
#include "resolved-manager.h"
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
#include <gnutls/gnutls.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Streams are used by three subsystems:
|
/* Streams are used by three subsystems:
|
||||||
*
|
*
|
||||||
* 1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP
|
* 1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP
|
||||||
@ -41,6 +45,12 @@ struct DnsStream {
|
|||||||
union sockaddr_union tfo_address;
|
union sockaddr_union tfo_address;
|
||||||
socklen_t tfo_salen;
|
socklen_t tfo_salen;
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
gnutls_session_t tls_session;
|
||||||
|
int tls_handshake;
|
||||||
|
bool tls_bye;
|
||||||
|
#endif
|
||||||
|
|
||||||
sd_event_source *io_event_source;
|
sd_event_source *io_event_source;
|
||||||
sd_event_source *timeout_event_source;
|
sd_event_source *timeout_event_source;
|
||||||
|
|
||||||
@ -49,6 +59,7 @@ struct DnsStream {
|
|||||||
size_t n_written, n_read;
|
size_t n_written, n_read;
|
||||||
OrderedSet *write_queue;
|
OrderedSet *write_queue;
|
||||||
|
|
||||||
|
int (*on_connection)(DnsStream *s);
|
||||||
int (*on_packet)(DnsStream *s);
|
int (*on_packet)(DnsStream *s);
|
||||||
int (*complete)(DnsStream *s, int error);
|
int (*complete)(DnsStream *s, int error);
|
||||||
|
|
||||||
@ -56,10 +67,16 @@ struct DnsStream {
|
|||||||
DnsServer *server; /* when used by the transaction logic */
|
DnsServer *server; /* when used by the transaction logic */
|
||||||
DnsQuery *query; /* when used by the DNS stub logic */
|
DnsQuery *query; /* when used by the DNS stub logic */
|
||||||
|
|
||||||
|
/* used when DNS-over-TLS is enabled */
|
||||||
|
bool encrypted:1;
|
||||||
|
|
||||||
LIST_FIELDS(DnsStream, streams);
|
LIST_FIELDS(DnsStream, streams);
|
||||||
};
|
};
|
||||||
|
|
||||||
int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
|
int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session);
|
||||||
|
#endif
|
||||||
DnsStream *dns_stream_unref(DnsStream *s);
|
DnsStream *dns_stream_unref(DnsStream *s);
|
||||||
DnsStream *dns_stream_ref(DnsStream *s);
|
DnsStream *dns_stream_ref(DnsStream *s);
|
||||||
|
|
||||||
|
@ -18,6 +18,10 @@
|
|||||||
#include "resolved-llmnr.h"
|
#include "resolved-llmnr.h"
|
||||||
#include "string-table.h"
|
#include "string-table.h"
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
#include <gnutls/socket.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#define TRANSACTIONS_MAX 4096
|
#define TRANSACTIONS_MAX 4096
|
||||||
#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
|
#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
|
||||||
|
|
||||||
@ -499,6 +503,20 @@ static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int on_stream_connection(DnsStream *s) {
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
/* Store TLS Ticket for faster succesive TLS handshakes */
|
||||||
|
if (s->tls_session && s->server) {
|
||||||
|
if (s->server->tls_session_data.data)
|
||||||
|
gnutls_free(s->server->tls_session_data.data);
|
||||||
|
|
||||||
|
gnutls_session_get_data2(s->tls_session, &s->server->tls_session_data);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int on_stream_complete(DnsStream *s, int error) {
|
static int on_stream_complete(DnsStream *s, int error) {
|
||||||
DnsTransaction *t, *n;
|
DnsTransaction *t, *n;
|
||||||
int r = 0;
|
int r = 0;
|
||||||
@ -559,6 +577,9 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
|
|||||||
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
|
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
|
||||||
union sockaddr_union sa;
|
union sockaddr_union sa;
|
||||||
int r;
|
int r;
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
gnutls_session_t gs;
|
||||||
|
#endif
|
||||||
|
|
||||||
assert(t);
|
assert(t);
|
||||||
|
|
||||||
@ -578,10 +599,10 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
if (t->server->stream)
|
if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
|
||||||
s = dns_stream_ref(t->server->stream);
|
s = dns_stream_ref(t->server->stream);
|
||||||
else
|
else
|
||||||
fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, 53, &sa);
|
fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53, &sa);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -630,6 +651,33 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
|
|||||||
s->server = dns_server_ref(t->server);
|
s->server = dns_server_ref(t->server);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if HAVE_GNUTLS
|
||||||
|
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
|
||||||
|
r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
/* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
|
||||||
|
r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, t->server->tls_cert_cred);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (t->server && t->server->tls_session_data.size > 0)
|
||||||
|
gnutls_session_set_data(gs, t->server->tls_session_data.data, t->server->tls_session_data.size);
|
||||||
|
|
||||||
|
gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
|
||||||
|
|
||||||
|
r = dns_stream_connect_tls(s, gs);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
s->on_connection = on_stream_connection;
|
||||||
s->complete = on_stream_complete;
|
s->complete = on_stream_complete;
|
||||||
s->on_packet = dns_stream_on_packet;
|
s->on_packet = dns_stream_on_packet;
|
||||||
|
|
||||||
@ -993,7 +1041,17 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Reduce this feature level by one and try again. */
|
/* Reduce this feature level by one and try again. */
|
||||||
t->clamp_feature_level = t->current_feature_level - 1;
|
switch (t->current_feature_level) {
|
||||||
|
case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
|
||||||
|
t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
|
||||||
|
break;
|
||||||
|
case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
|
||||||
|
/* Skip plain TLS when TLS is not supported */
|
||||||
|
t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
t->clamp_feature_level = t->current_feature_level - 1;
|
||||||
|
}
|
||||||
|
|
||||||
log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
|
log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
|
||||||
dns_rcode_to_string(DNS_PACKET_RCODE(p)),
|
dns_rcode_to_string(DNS_PACKET_RCODE(p)),
|
||||||
@ -1209,7 +1267,7 @@ static int dns_transaction_emit_udp(DnsTransaction *t) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP)
|
if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
|
||||||
return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
|
return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
|
||||||
|
|
||||||
if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type))
|
if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type))
|
||||||
@ -1699,7 +1757,7 @@ int dns_transaction_go(DnsTransaction *t) {
|
|||||||
if (r == -EMSGSIZE)
|
if (r == -EMSGSIZE)
|
||||||
log_debug("Sending query via TCP since it is too large.");
|
log_debug("Sending query via TCP since it is too large.");
|
||||||
else if (r == -EAGAIN)
|
else if (r == -EAGAIN)
|
||||||
log_debug("Sending query via TCP since server doesn't support UDP.");
|
log_debug("Sending query via TCP since UDP isn't supported.");
|
||||||
if (IN_SET(r, -EMSGSIZE, -EAGAIN))
|
if (IN_SET(r, -EMSGSIZE, -EAGAIN))
|
||||||
r = dns_transaction_emit_tcp(t);
|
r = dns_transaction_emit_tcp(t);
|
||||||
}
|
}
|
||||||
|
@ -23,5 +23,6 @@ Resolve.Domains, config_parse_search_domains, 0,
|
|||||||
Resolve.LLMNR, config_parse_resolve_support, 0, offsetof(Manager, llmnr_support)
|
Resolve.LLMNR, config_parse_resolve_support, 0, offsetof(Manager, llmnr_support)
|
||||||
Resolve.MulticastDNS, config_parse_resolve_support, 0, offsetof(Manager, mdns_support)
|
Resolve.MulticastDNS, config_parse_resolve_support, 0, offsetof(Manager, mdns_support)
|
||||||
Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode)
|
Resolve.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Manager, dnssec_mode)
|
||||||
|
Resolve.PrivateDNS, config_parse_private_dns_mode, 0, offsetof(Manager, private_dns_mode)
|
||||||
Resolve.Cache, config_parse_bool, 0, offsetof(Manager, enable_cache)
|
Resolve.Cache, config_parse_bool, 0, offsetof(Manager, enable_cache)
|
||||||
Resolve.DNSStubListener, config_parse_dns_stub_listener_mode, 0, offsetof(Manager, dns_stub_listener_mode)
|
Resolve.DNSStubListener, config_parse_dns_stub_listener_mode, 0, offsetof(Manager, dns_stub_listener_mode)
|
||||||
|
@ -580,6 +580,7 @@ int manager_new(Manager **ret) {
|
|||||||
m->llmnr_support = RESOLVE_SUPPORT_YES;
|
m->llmnr_support = RESOLVE_SUPPORT_YES;
|
||||||
m->mdns_support = RESOLVE_SUPPORT_YES;
|
m->mdns_support = RESOLVE_SUPPORT_YES;
|
||||||
m->dnssec_mode = DEFAULT_DNSSEC_MODE;
|
m->dnssec_mode = DEFAULT_DNSSEC_MODE;
|
||||||
|
m->private_dns_mode = DEFAULT_PRIVATE_DNS_MODE;
|
||||||
m->enable_cache = true;
|
m->enable_cache = true;
|
||||||
m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP;
|
m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP;
|
||||||
m->read_resolv_conf = true;
|
m->read_resolv_conf = true;
|
||||||
@ -1384,6 +1385,15 @@ bool manager_dnssec_supported(Manager *m) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
PrivateDnsMode manager_get_private_dns_mode(Manager *m) {
|
||||||
|
assert(m);
|
||||||
|
|
||||||
|
if (m->private_dns_mode != _PRIVATE_DNS_MODE_INVALID)
|
||||||
|
return m->private_dns_mode;
|
||||||
|
|
||||||
|
return _PRIVATE_DNS_MODE_INVALID;
|
||||||
|
}
|
||||||
|
|
||||||
void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key) {
|
void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key) {
|
||||||
|
|
||||||
assert(verdict >= 0);
|
assert(verdict >= 0);
|
||||||
|
@ -35,6 +35,7 @@ struct Manager {
|
|||||||
ResolveSupport llmnr_support;
|
ResolveSupport llmnr_support;
|
||||||
ResolveSupport mdns_support;
|
ResolveSupport mdns_support;
|
||||||
DnssecMode dnssec_mode;
|
DnssecMode dnssec_mode;
|
||||||
|
PrivateDnsMode private_dns_mode;
|
||||||
bool enable_cache;
|
bool enable_cache;
|
||||||
DnsStubListenerMode dns_stub_listener_mode;
|
DnsStubListenerMode dns_stub_listener_mode;
|
||||||
|
|
||||||
@ -172,6 +173,8 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_
|
|||||||
DnssecMode manager_get_dnssec_mode(Manager *m);
|
DnssecMode manager_get_dnssec_mode(Manager *m);
|
||||||
bool manager_dnssec_supported(Manager *m);
|
bool manager_dnssec_supported(Manager *m);
|
||||||
|
|
||||||
|
PrivateDnsMode manager_get_private_dns_mode(Manager *m);
|
||||||
|
|
||||||
void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key);
|
void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key);
|
||||||
|
|
||||||
bool manager_routable(Manager *m, int family);
|
bool manager_routable(Manager *m, int family);
|
||||||
|
@ -18,5 +18,6 @@
|
|||||||
#LLMNR=yes
|
#LLMNR=yes
|
||||||
#MulticastDNS=yes
|
#MulticastDNS=yes
|
||||||
#DNSSEC=@DEFAULT_DNSSEC_MODE@
|
#DNSSEC=@DEFAULT_DNSSEC_MODE@
|
||||||
|
#PrivateDNS=@DEFAULT_PRIVATE_DNS@
|
||||||
#Cache=yes
|
#Cache=yes
|
||||||
#DNSStubListener=udp
|
#DNSStubListener=udp
|
||||||
|
@ -11,6 +11,7 @@
|
|||||||
|
|
||||||
DEFINE_CONFIG_PARSE_ENUM(config_parse_resolve_support, resolve_support, ResolveSupport, "Failed to parse resolve support setting");
|
DEFINE_CONFIG_PARSE_ENUM(config_parse_resolve_support, resolve_support, ResolveSupport, "Failed to parse resolve support setting");
|
||||||
DEFINE_CONFIG_PARSE_ENUM(config_parse_dnssec_mode, dnssec_mode, DnssecMode, "Failed to parse DNSSEC mode setting");
|
DEFINE_CONFIG_PARSE_ENUM(config_parse_dnssec_mode, dnssec_mode, DnssecMode, "Failed to parse DNSSEC mode setting");
|
||||||
|
DEFINE_CONFIG_PARSE_ENUM(config_parse_private_dns_mode, private_dns_mode, PrivateDnsMode, "Failed to parse private DNS mode setting");
|
||||||
|
|
||||||
static const char* const resolve_support_table[_RESOLVE_SUPPORT_MAX] = {
|
static const char* const resolve_support_table[_RESOLVE_SUPPORT_MAX] = {
|
||||||
[RESOLVE_SUPPORT_NO] = "no",
|
[RESOLVE_SUPPORT_NO] = "no",
|
||||||
@ -25,3 +26,9 @@ static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = {
|
|||||||
[DNSSEC_YES] = "yes",
|
[DNSSEC_YES] = "yes",
|
||||||
};
|
};
|
||||||
DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dnssec_mode, DnssecMode, DNSSEC_YES);
|
DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dnssec_mode, DnssecMode, DNSSEC_YES);
|
||||||
|
|
||||||
|
static const char* const private_dns_mode_table[_PRIVATE_DNS_MODE_MAX] = {
|
||||||
|
[PRIVATE_DNS_NO] = "no",
|
||||||
|
[PRIVATE_DNS_OPPORTUNISTIC] = "opportunistic",
|
||||||
|
};
|
||||||
|
DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(private_dns_mode, PrivateDnsMode, PRIVATE_DNS_OPPORTUNISTIC);
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
|
|
||||||
typedef enum ResolveSupport ResolveSupport;
|
typedef enum ResolveSupport ResolveSupport;
|
||||||
typedef enum DnssecMode DnssecMode;
|
typedef enum DnssecMode DnssecMode;
|
||||||
|
typedef enum PrivateDnsMode PrivateDnsMode;
|
||||||
|
|
||||||
enum ResolveSupport {
|
enum ResolveSupport {
|
||||||
RESOLVE_SUPPORT_NO,
|
RESOLVE_SUPPORT_NO,
|
||||||
@ -39,11 +40,27 @@ enum DnssecMode {
|
|||||||
_DNSSEC_MODE_INVALID = -1
|
_DNSSEC_MODE_INVALID = -1
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enum PrivateDnsMode {
|
||||||
|
/* No connection is made for DNS-over-TLS */
|
||||||
|
PRIVATE_DNS_NO,
|
||||||
|
|
||||||
|
/* Try to connect using DNS-over-TLS, but if connection fails,
|
||||||
|
* fallback to using an unencrypted connection */
|
||||||
|
PRIVATE_DNS_OPPORTUNISTIC,
|
||||||
|
|
||||||
|
_PRIVATE_DNS_MODE_MAX,
|
||||||
|
_PRIVATE_DNS_MODE_INVALID = -1
|
||||||
|
};
|
||||||
|
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
|
CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
|
CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
|
||||||
|
CONFIG_PARSER_PROTOTYPE(config_parse_private_dns_mode);
|
||||||
|
|
||||||
const char* resolve_support_to_string(ResolveSupport p) _const_;
|
const char* resolve_support_to_string(ResolveSupport p) _const_;
|
||||||
ResolveSupport resolve_support_from_string(const char *s) _pure_;
|
ResolveSupport resolve_support_from_string(const char *s) _pure_;
|
||||||
|
|
||||||
const char* dnssec_mode_to_string(DnssecMode p) _const_;
|
const char* dnssec_mode_to_string(DnssecMode p) _const_;
|
||||||
DnssecMode dnssec_mode_from_string(const char *s) _pure_;
|
DnssecMode dnssec_mode_from_string(const char *s) _pure_;
|
||||||
|
|
||||||
|
const char* private_dns_mode_to_string(PrivateDnsMode p) _const_;
|
||||||
|
PrivateDnsMode private_dns_mode_from_string(const char *s) _pure_;
|
||||||
|
Loading…
Reference in New Issue
Block a user