nss-resolve: expose various source-disablement settings as variables

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2006761: > systemd-resolved always (reverse)-resolves the host's IP addresses and FQDN. > This can be harmful when an application (for instance, a DNS zone manager) is > installed on the same server instance. That application would expect > NXDOMAIN to be returned if the current server's IP does not belong in an > already managed reverse zone. This allows clients of nss-resolve to use the same config options that are available through the dbus api and as command-line options to resolvectl. The man page text is is mostly copied directly from c6f20515ab600098b5c2871bae2e9ecab3b41555.
2025-03-01 08:58:29 +03:00 · 2021-12-20 14:16:44 +01:00 · 2021-12-20 14:16:44 +01:00 · 8ef114c692
commit 8ef114c692
parent 616779c345
3 changed files with 73 additions and 11 deletions
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@ -76,6 +76,55 @@
        unreliable.</para></listitem>
      </varlistentry>
    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
+        name, will not be returned. See section SYNTHETIC RECORDS in
+        <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        for more information. This may be useful to query the "public" resource records, independent of the
+        configuration of the local machine.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
+        not be used by <filename>systemd-resolved</filename>.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, answers using locally registered public
+        LLMNR/mDNS resource records will not be returned.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
+        will not be used.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, answers will be returned without using the
+        network, i.e. either from local sources or the cache in <filename>systemd-resolved</filename>.
+        </para></listitem>
+      </varlistentry>
+    </variablelist>
  </refsect1>

  <refsect1>
--- a/src/nss-resolve/nss-resolve.c
+++ b/src/nss-resolve/nss-resolve.c
@ -198,19 +198,29 @@ static const JsonDispatch address_parameters_dispatch_table[] = {
        {}
 };

-static uint64_t query_flags(void) {
-        uint64_t f = 0;
+static uint64_t query_flag(
+                const char *name,
+                const int value,
+                uint64_t flag) {
        int r;

-        /* Allow callers to turn off validation, when we resolve via nss-resolve */
+        r = getenv_bool_secure(name);
+        if (r >= 0)
+                return r == value ? flag : 0;
+        if (r != -ENXIO)
+                log_debug_errno(r, "Failed to parse $%s, ignoring.", name);
+        return 0;
+}

-        r = getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE");
-        if (r < 0 && r != -ENXIO)
-                log_debug_errno(r, "Failed to parse $SYSTEMD_NSS_RESOLVE_VALIDATE value, ignoring.");
-        else if (r == 0)
-                f |= SD_RESOLVED_NO_VALIDATE;
-
-        return f;
+static uint64_t query_flags(void) {
+        /* Allow callers to turn off validation, synthetization, caching, etc., when we resolve via
+         * nss-resolve. */
+        return  query_flag("SYSTEMD_NSS_RESOLVE_VALIDATE", 0, SD_RESOLVED_NO_VALIDATE) |
+                query_flag("SYSTEMD_NSS_RESOLVE_SYNTHESIZE", 0, SD_RESOLVED_NO_SYNTHESIZE) |
+                query_flag("SYSTEMD_NSS_RESOLVE_CACHE", 0, SD_RESOLVED_NO_CACHE) |
+                query_flag("SYSTEMD_NSS_RESOLVE_ZONE", 0, SD_RESOLVED_NO_ZONE) |
+                query_flag("SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR", 0, SD_RESOLVED_NO_TRUST_ANCHOR) |
+                query_flag("SYSTEMD_NSS_RESOLVE_NETWORK", 0, SD_RESOLVED_NO_NETWORK);
 }

 enum nss_status _nss_resolve_gethostbyname4_r(
--- a/src/test/test-nss-hosts.c
+++ b/src/test/test-nss-hosts.c
@ -7,6 +7,7 @@
 #include "af-list.h"
 #include "alloc-util.h"
 #include "dlfcn-util.h"
+#include "env-util.h"
 #include "errno-list.h"
 #include "format-util.h"
 #include "hexdecoct.h"
@ -135,7 +136,9 @@ static void test_gethostbyname4_r(void *handle, const char *module, const char *
        if (STR_IN_SET(module, "resolve", "mymachines") && status == NSS_STATUS_UNAVAIL)
                return;

-        if (STR_IN_SET(module, "myhostname", "resolve") && streq(name, "localhost")) {
+        if (STR_IN_SET(module, "myhostname", "resolve") &&
+            streq(name, "localhost") &&
+            getenv_bool_secure("SYSTEMD_NSS_RESOLVE_SYNTHESIZE") != 0) {
                assert_se(status == NSS_STATUS_SUCCESS);
                assert_se(n == 2);
        }