path: root/src/resolve/resolved-manager.h
Commit message / Author / Age / Files / Lines
* resolved: flush caches on memory pressure and support SIGRTMIN+18
  Lennart Poettering, 2023-03-01, 1 file, -0/+3
* resolved: beef up monitor protocol, include full query info
  Lennart Poettering, 2022-09-30, 1 file, -1/+1
* resolved: don't make monitoring optional
  Lennart Poettering, 2022-09-30, 1 file, -1/+0

  The socket is only accessible to privileged clients anyway, no need to add another (user unfriendly) restriction via opt-in setting. Let's just allow this for privileged clients, mirroring "busctl monitor", or "tcpdump" and similar, which all just work if you have privs.

  (This does not break API, since we never did a release with the "Monitor" dbus property or config setting in place, i.e. with cb456374e096f0ebe9b70d7ddd98e16a4be24ee6)
* resolved: rename 'notification' → 'monitor'
  Lennart Poettering, 2022-09-30, 1 file, -2/+2

  We expose this externally already as "monitor", name it internally the same way. (Which is nice since it mirrors busctl monitor)
* Implement DNS notifications from resolved via varlink
  Suraj Krishnan, 2022-09-09, 1 file, -0/+6

  * The new varlink interface exposes a method to subscribe to DNS resolutions on the system. The socket permissions are open for owner and group only.
  * Notifications are sent to subscriber(s), if any, after successful resolution of A and AAAA records.

  This feature could be used by applications for auditing/logging services downstream of the resolver. It could also be used to asynchronously update the firewall. For example, a system that has a tightly configured firewall could open up connections selectively to known good hosts based on a known allow-list of hostnames. Of course, updating the firewall asynchronously will require other design considerations (such as queueing packets in the user space while a verdict is made).

  See also:
  https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html
  https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html
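A consumer of the subscription described in the commit above, added here as an example; it is not systemd code and not part of the commit. It assumes the socket path `/run/systemd/resolve/io.systemd.Resolve.Monitor` and the method name `io.systemd.Resolve.Monitor.SubscribeQueryResults` (neither is stated in the commit message), and the reply field layout read by `allowed_addresses` is likewise an assumption to be checked against `resolvectl monitor` on a real system. It shows the varlink framing (one JSON object per message, NUL-terminated, `"more": true` for a streaming call), a buffer splitter that copes with partial reads, and the allow-list firewall decision the commit mentions, rendered as nft commands rather than executed. The sample stream is constructed, not captured.

```python
import json
import socket
from ipaddress import ip_address, IPv4Address

# Assumed names (the commit message does not state them); verify on the target host.
MONITOR_SOCKET = "/run/systemd/resolve/io.systemd.Resolve.Monitor"
SUBSCRIBE_METHOD = "io.systemd.Resolve.Monitor.SubscribeQueryResults"

# Record types the commit says notifications are sent for.
A, AAAA = 1, 28


def encode_call(method, parameters=None, more=False):
    """Varlink framing: one JSON object per message, terminated by a NUL byte.
    'more' asks the service to keep streaming replies (a subscription)."""
    msg = {"method": method, "parameters": parameters or {}}
    if more:
        msg["more"] = True
    return json.dumps(msg).encode() + b"\0"


def split_messages(buf):
    """Cut a receive buffer into complete NUL-terminated JSON messages.
    Returns (decoded messages, unconsumed tail of a partial message)."""
    parts = buf.split(b"\0")
    tail = parts.pop()          # bytes after the last NUL: not yet complete
    return [json.loads(p) for p in parts if p], tail


def allowed_addresses(reply, allow_list):
    """Addresses from A/AAAA answers whose owner name is on the allow-list.
    The reply layout used here (parameters.state, parameters.answer[].rr.key,
    parameters.answer[].rr.address as a byte list) is an assumption for this
    example; compare with 'resolvectl monitor' output before relying on it."""
    params = reply.get("parameters", {})
    if params.get("state") != "success":
        return []
    out = []
    for answer in params.get("answer", []):
        rr = answer.get("rr", {})
        key = rr.get("key", {})
        name = key.get("name", "").rstrip(".").lower()
        if key.get("type") not in (A, AAAA) or "address" not in rr:
            continue
        if name in allow_list:
            out.append(ip_address(bytes(rr["address"])))
    return out


def nft_commands(addresses, chain="inet filter output"):
    """Render (but do not run) nft rules opening egress to resolved addresses."""
    cmds = []
    for addr in addresses:
        fam = "ip" if isinstance(addr, IPv4Address) else "ip6"
        cmds.append(f"nft add rule {chain} {fam} daddr {addr} accept")
    return cmds


def monitor(allow_list, path=MONITOR_SOCKET):
    """Subscribe and print an nft command for every allow-listed resolution.
    Needs the privileges the commit describes (socket owner or group)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(encode_call(SUBSCRIBE_METHOD, more=True))
        buf = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                return
            buf += chunk
            messages, buf = split_messages(buf)
            for msg in messages:
                if "error" in msg:
                    raise RuntimeError(msg["error"])
                for cmd in nft_commands(allowed_addresses(msg, allow_list)):
                    print(cmd)
                if not msg.get("continues", False):
                    return


# Constructed sample stream (not captured from a real resolved): a 'ready'
# message, one successful query result, and the start of a third message.
SAMPLE_STREAM = (
    json.dumps({"parameters": {"ready": True}, "continues": True}).encode() + b"\0"
    + json.dumps({"parameters": {
        "state": "success",
        "question": [{"class": 1, "type": A, "name": "updates.example.com"}],
        "answer": [
            {"rr": {"key": {"class": 1, "type": A, "name": "updates.example.com"},
                    "address": [192, 0, 2, 10]}},
            {"rr": {"key": {"class": 1, "type": AAAA, "name": "tracker.example.net"},
                    "address": [0x20, 0x01, 0x0d, 0xb8] + [0] * 12}},
        ]}, "continues": True}).encode() + b"\0"
    + b'{"parameters": {"state": "'
)

if __name__ == "__main__":
    monitor({"updates.example.com"})
```

Run it as root (or as a member of the socket's group) with the names to allow; every allow-listed A/AAAA answer is printed as an nft rule you can pipe into a shell once you are happy with the output. Packets sent before the rule lands are still the "other design considerations" the commit warns about.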
* Revert "resolved: filter out our own stub resolvers when parsing servers"
  Lennart Poettering, 2022-02-16, 1 file, -1/+0

  This reverts commit 0ad4efb14beea9148838a0d974821e3b98cafc47.

  See https://github.com/systemd/systemd/pull/20559#issuecomment-1028011030 for reasoning. Quoting:

  > I think it should be OK to advertise extra stub listeners to local
  > clients, but you prohibit this now. i.e. there are two different
  > concepts here, and we shouldn't mix them up:
  >
  > 1. tracking configured dns servers and advertise them to local programs
  > 2. actually using them ourselves
  >
  > I am pretty sure that our own stubs are OK for 1 but not OK for 2,
  > hence we should filter at the time of use not at the time of parse.
* resolved: filter out our own stub resolvers when parsing servers
  Zbigniew Jędrzejewski-Szmek, 2021-12-15, 1 file, -0/+1

  We get "upstream" dns server config from ~three places: /etc/resolv.conf, config files, and runtime config via dbus. With this commit, we'll filter out our own stub listeners if they are configured in either of the first two sources. For /etc/resolv.conf this is done quietly, and for our own config files, a LOG_INFO message is emitted, since this is a small inconsistency in the config.

  Setting loops like this over dbus is still allowed. The reason is that in the past we didn't treat this as an error, and if we were to start responding with an error, we could break a scenario that worked previously. E.g. NM sends us a list of servers, and one happens to be our own. We would just not use that stub server before, but it'd still be shown in the dbus properties and such. We would have to return error for the whole message, also rejecting the other valid servers. I think it's easier to just keep that part unchanged.

  Test case:

    $ ls -l /etc/resolv.conf
    -rw-r--r-- 1 root root 57 Dec 15 10:26 /etc/resolv.conf
    $ cat /etc/resolv.conf
    nameserver 192.168.150.1
    options edns0 trust-ad
    search .
    $ cat /etc/systemd/resolved.conf.d/stub.conf
    [Resolve]
    DNSStubListenerExtra=192.168.150.1
    $ resolvectl
    ...
    Global
             resolv.conf mode: foreign
                  DNS Servers: 192.168.150.1
         Fallback DNS Servers: ...

  (with the patch):

    Global
             resolv.conf mode: foreign
         Fallback DNS Servers: ...
* resolved: add "proxy-only" stub on 127.0.0.54
  Lennart Poettering, 2021-11-22, 1 file, -0/+4

  This beefs up the DNS stub logic to listen on two IP addresses: 127.0.0.53 (as before) + 127.0.0.54 (new). When the latter is contacted our stub will operate in "bypass" mode only, i.e. we'll try to pass DNS requests as unmodified upstream as we can (and not do mDNS/LLMNR and such, also no DNSSEC validation – but we'll still do DNS-over-TLS wrapping).

  This is supposed to be useful for container environments or tethering: this stub could be exposed (via NAT redirect) to clients of this system and we'll try to stay out of the way with doing too much DNS magic ourselves, but still expose whatever the current DNS server is from upstream under a stable address/port.

  How to use this:

    # iptables -t nat -I PREROUTING -p udp -i <interface> --dport 53 -j DNAT --to 127.0.0.54:53
    # echo 1 > /proc/sys/net/ipv4/conf/<interface>/route_localnet
* resolved: disable path MTU discovery for UDP traffic
  Lennart Poettering, 2021-02-18, 1 file, -0/+2

  This disables path MTU discovery both for our UDP upstream connections and our UDP stub, following the suggestions of:

  https://blog.apnic.net/2019/07/12/its-time-to-consider-avoiding-ip-fragmentation-in-the-dns/

  This more or less follows the model of other DNS servers on this.
* resolved: instead of closing DNS UDP transaction fds right-away, add them to a socket "graveyard"
  Lennart Poettering, 2021-02-15, 1 file, -0/+5

  The "socket graveyard" shall contain sockets we have sent a question out of, but not received a reply. If we'd close those sockets immediately when we are not interested anymore, we'd trigger ICMP port unreachable messages once we after all *do* get a reply. Let's avoid that, by leaving the fds open for a bit longer, until a timeout is reached or a reply datagram received.

  Fixes: #17421
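To see why the graveyard exists, here is an added example (not systemd code, not part of the commit) that reproduces the failure mode on loopback: a connected UDP peer that sends a late reply to a port we already closed gets ECONNREFUSED, which is how the kernel reports the ICMP port unreachable to it; with the socket buried instead of closed, the reply is silently consumed and the fd closed afterwards. The `SocketGraveyard` class is a simplified stand-in for the one resolved keeps, the sockets and datagrams are constructed locally, and the ECONNREFUSED behaviour is Linux-specific.

```python
import selectors
import socket
import time


def _abandoned_transaction():
    """Constructed local setup: a 'client' socket that has sent a query to an
    'upstream' socket on loopback; the upstream will answer late. The upstream
    is connected back to the client so that an ICMP error is reported to it,
    which is how a real server would notice the port unreachable."""
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    upstream.bind(("127.0.0.1", 0))
    upstream.settimeout(0.5)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))
    client.sendto(b"query", upstream.getsockname())
    upstream.recv(64)                       # upstream now holds the question
    upstream.connect(client.getsockname())
    return client, upstream


def late_reply_after_close():
    """Transaction gives up and closes its fd at once. Returns True if the
    upstream then sees a connection-refused error (ICMP port unreachable)."""
    client, upstream = _abandoned_transaction()
    client.close()
    try:
        upstream.send(b"reply")
        time.sleep(0.05)
        upstream.recv(64)      # surfaces the queued ICMP error on Linux
        return False
    except ConnectionRefusedError:
        return True
    except socket.timeout:
        return False
    finally:
        upstream.close()


class SocketGraveyard:
    """fds of abandoned UDP transactions, kept open until a reply arrives or a
    timeout passes. The port stays bound, so a late reply is swallowed instead
    of provoking ICMP port unreachable towards the server."""

    def __init__(self, timeout=1.0):
        self.sel = selectors.DefaultSelector()
        self.timeout = timeout
        self.deadline = {}

    def bury(self, sock):
        self.sel.register(sock, selectors.EVENT_READ)
        self.deadline[sock] = time.monotonic() + self.timeout

    def reap(self):
        """Close every buried socket that got its reply or timed out.
        Returns the number of sockets closed."""
        closed = 0
        for key, _ in self.sel.select(timeout=0):
            key.fileobj.recv(4096)          # late datagram: consume and drop
            self._close(key.fileobj)
            closed += 1
        now = time.monotonic()
        for sock, deadline in list(self.deadline.items()):
            if deadline <= now:
                self._close(sock)
                closed += 1
        return closed

    def _close(self, sock):
        self.sel.unregister(sock)
        del self.deadline[sock]
        sock.close()

    def __len__(self):
        return len(self.deadline)


def late_reply_with_graveyard():
    """Same scenario, but the fd is buried instead of closed.
    Returns (sockets reaped after the reply, sockets still buried)."""
    client, upstream = _abandoned_transaction()
    graveyard = SocketGraveyard(timeout=5.0)
    graveyard.bury(client)
    try:
        upstream.send(b"reply")             # no closed port, so no ICMP error
        time.sleep(0.05)
        return graveyard.reap(), len(graveyard)
    finally:
        upstream.close()
```

In a real event loop the `reap` pass runs from a timer; the timeout bounds how long an abandoned port stays bound, which is what keeps the graveyard from becoming an fd leak under a flood of unanswered queries.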
* Merge pull request #18605 from poettering/suppress-repeated-stub
  Lennart Poettering, 2021-02-15, 1 file, -0/+1

  resolved: filter repeated stub queries
* resolved: filter repeated stub queries
  Lennart Poettering, 2021-02-15, 1 file, -0/+1

  Let's suppress repeated stub queries coming in, to minimize resource usage. Many DNS clients are pretty aggressive regarding repeating DNS requests, hence let's find them and suppress the follow-ups should we need more time to fulfill the queries.
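An added example, not the systemd implementation, of the suppression logic the commit describes: a minimal wire-format query parser and a filter keyed on (client address, transaction id, question) that rejects a repeat while the original is still pending and forgets it once the answer went out or after a timeout. Keying on the id is this example's choice (a client that retries with a fresh id is treated as new); `build_query` only exists to construct test packets.

```python
import struct
import time


def build_query(qid, name, qtype=1, qclass=1):
    """Minimal wire-format DNS query (RD set, one question). Only used here
    to construct test traffic; it is not a complete encoder."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".") if label)
    return header + qname + b"\0" + struct.pack("!HH", qtype, qclass)


def parse_query(pkt):
    """Parse header + first question of a query. Returns (id, name, type, class).
    Rejects responses, multi-question packets and compressed names."""
    if len(pkt) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer or reserved label type")
        if off + n > len(pkt):
            raise ValueError("label overruns packet")
        labels.append(pkt[off:off + n].decode("ascii").lower())
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qid, ".".join(labels) or ".", qtype, qclass


class StubQueryFilter:
    """Suppress repeats of a query that is still in flight. The key is
    (client address, transaction id, question); entries expire after
    pending_ttl so a lost completion cannot block a client forever."""

    def __init__(self, pending_ttl=5.0, clock=time.monotonic):
        self.pending = {}
        self.pending_ttl = pending_ttl
        self.clock = clock          # injectable for deterministic tests

    def _key(self, client, pkt):
        qid, name, qtype, qclass = parse_query(pkt)
        return (client, qid, name, qtype, qclass)

    def admit(self, client, pkt):
        """True if the query should be processed, False if it duplicates a
        pending one. Malformed packets raise ValueError (drop them)."""
        now = self.clock()
        for key, deadline in list(self.pending.items()):
            if deadline <= now:
                del self.pending[key]     # stale: the original never completed
        key = self._key(client, pkt)
        if key in self.pending:
            return False
        self.pending[key] = now + self.pending_ttl
        return True

    def complete(self, client, pkt):
        """Call when the reply for this query went out; later repeats are new."""
        self.pending.pop(self._key(client, pkt), None)
```

The client address must include the source port: two processes behind the same IP that happen to pick the same transaction id for the same name are distinct transactions and must both be answered.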
* resolved: move mdns event sources close to the fds
  Lennart Poettering, 2021-02-15, 1 file, -3/+2
* resolved: refuse sending packets to our own stub listeners
  Lennart Poettering, 2021-02-14, 1 file, -0/+2

  A previous commit made sure that when one of our own packets is looped back to us, we ignore it. But let's go one step further, and refuse operation if we notice the server we talk to is our own. This way we won't generate unnecessary traffic and can return a cleaner error.

  Fixes: #17413
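An added example, not systemd code, of the "track versus use" distinction argued in the revert discussion above and enforced by this commit: parse `nameserver` lines and `DNSStubListenerExtra=` values, advertise everything as configured, but drop our own stub addresses (127.0.0.53, the 127.0.0.54 proxy stub, and any extras) at the moment a query would actually be sent upstream, so we never talk to ourselves. The `DNSStubListenerExtra=` forms handled (optional `udp:`/`tcp:` prefix, optional port, bracketed IPv6, empty value resets) follow the option's documented syntax as understood for this example; the input text is constructed and mirrors the test case from the filter commit above.

```python
from ipaddress import ip_address

# Stub listeners resolved itself binds; 127.0.0.54 is the proxy-only stub.
DEFAULT_STUBS = {(ip_address("127.0.0.53"), 53), (ip_address("127.0.0.54"), 53)}


def parse_resolv_conf(text):
    """nameserver entries in order, comments stripped; garbage is skipped."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def parse_stub_listener_extra(text):
    """DNSStubListenerExtra= values from resolved.conf-style text, as a set of
    (address, port). Accepted forms, as this example understands the option:
    ADDR, ADDR:PORT, [V6], [V6]:PORT, each optionally prefixed with udp: or
    tcp:. An empty assignment resets the set, like other systemd list options."""
    listeners = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("DNSStubListenerExtra="):
            continue
        value = line.split("=", 1)[1].strip()
        if not value:
            listeners.clear()
            continue
        for proto in ("udp:", "tcp:"):
            if value.startswith(proto):
                value = value[len(proto):]
        port = 53
        if value.startswith("["):
            host, _, rest = value[1:].partition("]")
            if rest.startswith(":"):
                port = int(rest[1:])
        elif value.count(":") == 1:          # IPv4 with a port
            host, port_text = value.split(":")
            port = int(port_text)
        else:                                # bare IPv4 or bare IPv6
            host = value
        listeners.add((ip_address(host), port))
    return listeners


def usable_upstreams(advertised, stubs):
    """Filter at time of use: the advertised list stays intact (local clients
    may legitimately be pointed at an extra stub), but we never send our own
    queries to a listener on port 53 that is ourselves."""
    own = {addr for addr, port in stubs if port == 53}
    return [server for server in advertised if server not in own]


# Constructed inputs, modelled on the test case in the commit message above.
RESOLV_CONF = "nameserver 192.168.150.1\noptions edns0 trust-ad\nsearch .\n"
RESOLVED_CONF = (
    "[Resolve]\n"
    "DNSStubListenerExtra=192.168.150.1\n"
    "DNSStubListenerExtra=udp:[fd00::53]:5353\n"
)
```

With these inputs `parse_resolv_conf` still reports 192.168.150.1 (it is advertised to local programs), while `usable_upstreams` comes back empty: the only configured server is our own extra stub, so a query would loop and the resolver should return an error rather than send it.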
* resolved: refuse packets looped back to us
  Lennart Poettering, 2021-02-14, 1 file, -0/+2

  Fixes: #17413
* resolved: rename manager_our_packet() → manager_packet_from_local_address()
  Lennart Poettering, 2021-02-14, 1 file, -1/+1

  Let's be more precise in naming this function, after all this doesn't actually check if the packet is really ours, but just that the source IP address is a local one. Hence name it that way.

  (This is preparation to add a helper that checks if packet belongs to local transaction later on)
* resolved: use stat_inode_unmodified() to detect /etc/hosts changes
  Lennart Poettering, 2020-12-03, 1 file, -3/+2
* resolved: automatically flush caches on clock change
  Lennart Poettering, 2020-12-03, 1 file, -1/+3

  DNSSEC validation takes the system clock into account to validate signatures. This means if we had incorrect time and the time is then changed to the correct one we should flush out everything and re-validate taking the new time into account.

  (This logic will also trigger after system suspend, which is not bad either, given that quite possibly we are connected to a different network, and thus would get different DNS data, without us noticing otherwise via link beat).
* resolved: allow cache responses from local DNS servers
  Pavel Sapezhko, 2020-11-27, 1 file, -0/+1
* license: LGPL-2.1+ -> LGPL-2.1-or-later
  Yu Watanabe, 2020-11-09, 1 file, -1/+1
* resolved: drop unused family argument from manager_routable()
  Lennart Poettering, 2020-11-03, 1 file, -1/+1
* resolved: move dns stub definitions to resolved-dns-stub.[ch]
  Lennart Poettering, 2020-09-08, 1 file, -12/+1

  Just some moving around, no logic changes.
* resolve: DNSStubListenerExtra → DnsStubListenerExtra
  Lennart Poettering, 2020-09-08, 1 file, -2/+2

  All our other struct types use the "Dns" spelling, rather than "DNS". Do the same for this struct.
* resolve: use sd_event_source_set_io_fd_own() for stub listeners
  Yu Watanabe, 2020-09-04, 1 file, -7/+1
* resolve: use in_addr_union to store addresses for extra dns stub listeners
  Yu Watanabe, 2020-09-04, 1 file, -1/+5
* resolve: set DNS_STUB_LISTENER_YES if no protocol is specified in DNSStubListenerExtra=
  Yu Watanabe, 2020-09-04, 1 file, -2/+4
* resolve: rename dns_stub_extra_event_source -> event_source
  Yu Watanabe, 2020-09-04, 1 file, -1/+1

  As the name is too redundant.
* resolve: allow configurable bind address
  Susant Sahani, 2020-09-03, 1 file, -0/+10
* resolved: add minimal varlink api for resolving hostnames/addresses
  Lennart Poettering, 2020-08-26, 1 file, -0/+3

  This allows us to later port nss-resolve to use Varlink rather than D-Bus for resolution. This has the benefit that nss-resolve based resolution works even without D-Bus being up. And it's faster too.
* resolved: optionally allow single-label A/AAAA queries
  Zbigniew Jędrzejewski-Szmek, 2020-06-18, 1 file, -0/+1
* resolved: drop bit-field annotations for fields in Manager
  Zbigniew Jędrzejewski-Szmek, 2020-06-18, 1 file, -2/+2

  Access to bit fields is less efficient, and since the Manager is a singleton, a byte or two of space in the structure doesn't matter at all. (And in this particular case, because of alignment issues, we wouldn't save anything anyway.)
* tree-wide: codespell fixes
  Frantisek Sumsal, 2020-05-25, 1 file, -1/+1

  Another batch of codespell fixes as reported by Fossies.org
* resolved: port to stat_inode_unmodified()
  Lennart Poettering, 2020-05-13, 1 file, -1/+3
* netlink: port to recvmsg_safe()
  Lennart Poettering, 2020-05-12, 1 file, -0/+1

  This also makes sure the control buffer is properly aligned. This matters, as otherwise the control buffer might not be aligned and the cmsg buffer counting might be off. The incorrect alignment is becoming visible by using recvmsg_safe() as we suddenly notice the MSG_CTRUNC bit set because of this.

  That said, apparently this isn't enough to make this work on all kernels. Since I couldn't figure this out, we now add 1K to the buffer to be sure. We do this once already, also for a pktinfo structure (though an IPv4/IPv6 one). I am puzzled by this, but this shouldn't matter much. It works locally just fine, except for those ubuntu CI kernels...

  While we are at it, make some other changes too, to simplify and modernize the function.
* resolved: Break include cycles
  Daan De Meyer, 2020-05-07, 1 file, -2/+0
* resolve: reload /etc/hosts on inode change
  Giedrius Statkevičius, 2020-04-03, 1 file, -0/+2

  On certain distributions such as NixOS the mtime of `/etc/hosts` is locked to a fixed value. In such cases, only checking the last mtime of `/etc/hosts` is not enough - we also need to check if the st_ino/st_dev match up. Thus, let's make sure that systemd-resolved also rereads `/etc/hosts` if the inode or the device containing `/etc/hosts` changes.

  Test script:

  ```bash
  hosts="/etc/hosts"
  echo "127.0.0.1 testpr" > "hosts_new"
  mv "hosts_new" "$hosts"
  resolvectl query testpr || exit 1
  mtime="$(stat -c %y "$hosts")"
  echo "127.0.0.1 newhost" > "hosts_tmp"
  touch -d "$mtime" "hosts_tmp"
  install -p "hosts_tmp" "$hosts"
  sleep 10
  resolvectl query newhost || exit 1
  rm -f "hosts_tmp"
  ```

  Closes #14456.
* resolved: switch cache option to a tri-state option (systemd#5552).
  Jorge Niedbalski, 2019-07-17, 1 file, -1/+1

  Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values. If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995), however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments) and the only workaround would be to disable cache entirely or flush it, which isn't optimal.

  This change adds the 'no-negative' option; when set, it avoids putting in cache negative answers but still works the same heuristics for positive answers.

  Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
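An added example, not systemd code, that combines the two cache behaviours from the commits above: the tri-state `Cache=` policy, with SERVFAIL results held for the 30 seconds the commit message cites, and a full flush when the wall clock jumps, since a cached DNSSEC verdict was computed against the old time. Detecting the jump by polling the realtime/monotonic offset is this example's own device, not how resolved learns of clock changes; `demo` drives the cache with fake clocks so the outcome is deterministic.

```python
import time
from enum import Enum

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
SERVFAIL_TTL = 30          # seconds, the figure from the commit message


class CacheMode(Enum):
    NO = "no"
    NO_NEGATIVE = "no-negative"
    YES = "yes"


class DnsCache:
    """Response cache with the tri-state Cache= policy, plus a flush when the
    wall clock moves (DNSSEC signature validity is judged against wall time,
    so cached verdicts are stale after a clock change)."""

    def __init__(self, mode, monotonic=time.monotonic, realtime=time.time,
                 max_skew=1.0):
        self.mode = mode
        self.monotonic = monotonic        # injectable for deterministic tests
        self.realtime = realtime
        self.max_skew = max_skew
        self.entries = {}
        self._offset = realtime() - monotonic()

    def put(self, key, rcode, rrs, ttl):
        """Store a response. Returns False when the policy forbids caching it."""
        if self.mode is CacheMode.NO:
            return False
        negative = rcode != NOERROR or not rrs
        if negative and self.mode is CacheMode.NO_NEGATIVE:
            return False
        if rcode == SERVFAIL:
            ttl = SERVFAIL_TTL            # upstream failure: short, fixed lifetime
        self.entries[key] = (rcode, tuple(rrs), self.monotonic() + ttl)
        return True

    def get(self, key):
        """(rcode, rrs) if cached and still fresh, else None."""
        self.flush_if_clock_changed()
        entry = self.entries.get(key)
        if entry is None:
            return None
        rcode, rrs, expires = entry
        if expires <= self.monotonic():
            del self.entries[key]
            return None
        return rcode, rrs

    def flush_if_clock_changed(self):
        """Compare the realtime-minus-monotonic offset with the one seen at
        start; a change beyond max_skew means the wall clock was set. This
        polling check is specific to this example."""
        offset = self.realtime() - self.monotonic()
        if abs(offset - self._offset) <= self.max_skew:
            return False
        self._offset = offset
        self.entries.clear()
        return True


def demo(mode):
    """Drive the cache with fake clocks. Returns (what was stored, what a
    lookup sees 31 s later, whether a clock jump flushed, entries left)."""
    mono, wall = [0.0], [1_700_000_000.0]
    cache = DnsCache(mode, monotonic=lambda: mono[0], realtime=lambda: wall[0])
    keys = [("example.com", 1), ("nope.example.com", 1), ("broken.example", 1)]
    stored = {
        "pos": cache.put(keys[0], NOERROR, ["192.0.2.1"], 300),
        "nx": cache.put(keys[1], NXDOMAIN, [], 3600),
        "sf": cache.put(keys[2], SERVFAIL, [], 3600),
    }
    mono[0] += 31                      # both clocks advance together:
    wall[0] += 31                      # SERVFAIL entry ages out, nothing else
    after_31s = {k: cache.get(k) for k in keys}
    wall[0] += 3600                    # only wall time moves: the clock was set
    flushed = cache.flush_if_clock_changed()
    return stored, after_31s, flushed, len(cache.entries)
```

`no-negative` is the policy for the situation the commit describes: a flaky upstream returning SERVFAIL no longer poisons lookups for 30 seconds, while positive answers keep their full TTL.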
* resolved: move TLS data shared by all servers to manager
  Iwan Timmer, 2019-06-18, 1 file, -0/+5

  Instead of having a context and/or trusted CA list per server this is now moved to the server. Ensures future TLS configuration options are global instead of per server.
* stream: track type of DnsStream object
  Lennart Poettering, 2019-02-15, 1 file, -1/+1

  We use stream objects in four different cases: let's track them. This in particular allows us to make sure the limit on outgoing streams cannot be exhausted by having incoming streams as this means we can neatly separate the counters for all four types.
* resolve: bump max of dns servers/search domains
  Lennart Poettering, 2018-12-17, 1 file, -2/+2

  Apparently people want more of these (as #11175 shows). Since this is merely a safety limit for us, let's just bump all values substantially.

  Fixes: #11175
* resolved: keep addresses mapped to ::0 in a separate set
  Zbigniew Jędrzejewski-Szmek, 2018-08-01, 1 file, -0/+1

  We'd store every 0.0.0.0 and ::0 entry as a structure without any addresses allocated. This is a somewhat common use case, let's optimize it a bit. This gives some memory savings and a bit faster response time too: 'time build/test-resolved-etc-hosts hosts' goes from 7.7s to 5.6s, and memory use as reported by valgrind for ~10000 hosts is reduced

    ==18097== total heap usage: 29,902 allocs, 29,902 frees, 2,136,437 bytes allocated
    ==18240== total heap usage: 19,955 allocs, 19,955 frees, 1,556,021 bytes allocated

  Also rename 'suppress' to 'found' (with reverse meaning). I think this makes the intent clearer.
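An added example, not systemd code, for the two /etc/hosts commits above (reload on inode change, and 0.0.0.0/:: entries kept as a separate set rather than as address-less records): a small parser in which a name mapped to a null address lands in a `nulled` set and resolves to an empty answer, plus a loader whose change check includes st_dev and st_ino. `demo` exercises it on a constructed hosts file that is replaced by rename while mtime and size are preserved, the case an mtime-only check misses.

```python
import os
import tempfile
from ipaddress import ip_address

NULL_ADDRESSES = {ip_address("0.0.0.0"), ip_address("::")}


def parse_hosts(text):
    """Returns (by_name, by_address, nulled). A name mapped to 0.0.0.0 or ::
    is recorded in `nulled` instead of getting an address, so lookups for it
    yield an empty answer rather than falling through to DNS."""
    by_name, by_address, nulled = {}, {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr_text, *names = line.split()
        try:
            addr = ip_address(addr_text)
        except ValueError:
            continue                        # malformed line: skip, do not abort
        for name in names:
            name = name.lower().rstrip(".")
            if addr in NULL_ADDRESSES:
                nulled.add(name)
                continue
            by_name.setdefault(name, []).append(addr)
            by_address.setdefault(addr, []).append(name)
    return by_name, by_address, nulled


class EtcHosts:
    """Lazily (re)loaded view of a hosts file. Change detection compares
    st_dev, st_ino, st_mtime_ns and st_size, so a replacement file with a
    preserved mtime (the NixOS case from the commit) is still noticed."""

    def __init__(self, path):
        self.path = path
        self._stamp = ()                    # distinct from None (= file absent)
        self.by_name, self.by_address, self.nulled = {}, {}, set()

    def _stamp_now(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return None
        return (st.st_dev, st.st_ino, st.st_mtime_ns, st.st_size)

    def reload_if_changed(self):
        """True if the file was (re)read."""
        stamp = self._stamp_now()
        if stamp == self._stamp:
            return False
        self._stamp = stamp
        text = ""
        if stamp is not None:
            with open(self.path, encoding="utf-8", errors="replace") as f:
                text = f.read()
        self.by_name, self.by_address, self.nulled = parse_hosts(text)
        return True

    def lookup(self, name):
        """Addresses for name; [] for a nulled name; None if not in the file."""
        self.reload_if_changed()
        name = name.lower().rstrip(".")
        if name in self.nulled:
            return []
        addrs = self.by_name.get(name)
        return None if addrs is None else list(addrs)


def demo():
    """Constructed scenario: replace the file by rename while keeping the old
    mtime and size. Returns lookups before and after as plain strings."""
    old = "127.0.0.1 localhost\n0.0.0.0 ads.example.com\n:: ads.example.com\n192.0.2.1 testpr\n"
    new = "127.0.0.1 localhost\n0.0.0.0 ads.example.com\n:: ads.example.com\n192.0.2.1 newhst\n"
    assert len(old) == len(new)             # same size, so only dev/ino differ
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts")
        with open(path, "w") as f:
            f.write(old)
        hosts = EtcHosts(path)
        before = (hosts.lookup("TESTPR."), hosts.lookup("ads.example.com"), hosts.lookup("absent"))
        st = os.stat(path)
        tmp = path + ".new"
        with open(tmp, "w") as f:
            f.write(new)
        os.utime(tmp, ns=(st.st_atime_ns, st.st_mtime_ns))   # preserve mtime
        os.rename(tmp, path)                                 # new inode, same name
        after = (hosts.lookup("testpr"), hosts.lookup("newhst"))
        return ([str(a) for a in before[0]], before[1], before[2],
                after[0], [str(a) for a in after[1]])
```

The distinction between `[]` and `None` matters downstream: a nulled name is a deliberate block and must answer with no addresses, whereas an absent name continues to DNS.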
* resolved: put /etc/hosts hashmaps in a structure and pass that around
  Zbigniew Jędrzejewski-Szmek, 2018-08-01, 1 file, -2/+6

  This hides the details of juggling the two hashmaps from the callers a bit. It also makes memory management a bit easier, because those two hashmaps share some strings, so we can only free them together. etc_hosts_parse() is made responsible to free the half-filled data structures on error, which makes the caller a bit simpler.

  No functional change. A refactoring to prepare for later changes.
* resolve: use in_addr_data type for storing address
  Yu Watanabe, 2018-07-31, 1 file, -1/+1
* resolve: add option to toggle reading /etc/hosts
  Yu Watanabe, 2018-07-28, 1 file, -0/+1

  Workaround for #9718.
* resolve: drop unused slot
  Yu Watanabe, 2018-07-19, 1 file, -3/+0
* tree-wide: drop double newline
  Yu Watanabe, 2018-06-29, 1 file, -1/+0
* tree-wide: drop copyright headers from frequent contributors
  Zbigniew Jędrzejewski-Szmek, 2018-06-20, 1 file, -3/+0

  Fixes #9320.

    for p in Shapovalov Chevalier Rozhkov Sievers Mack Herrmann Schmidt Rudenberg Sahani Landden Andersen Watanabe; do
      git grep -e 'Copyright.*'$p -l|xargs perl -i -0pe 's|/([*][*])?[*]\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\s*[*]([*][*])?/\n*|\n|gms; s|\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\n*|\n|gms'
    done
* tree-wide: beautify remaining copyright statements
  Lennart Poettering, 2018-06-14, 1 file, -1/+1

  Let's unify and beautify our remaining copyright statements, with a unicode ©. This means our copyright statements are now always formatted the same way. Yay.
* tree-wide: drop 'This file is part of systemd' blurb
  Lennart Poettering, 2018-06-14, 1 file, -2/+0

  This part of the copyright blurb stems from the GPL use recommendations:

  https://www.gnu.org/licenses/gpl-howto.en.html

  The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together.

  Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that.

  Hence, let's just get rid of this old cruft, and shorten our codebase a bit.
* resolve: rename PrivateDNS to DNSOverTLS
  Iwan Timmer, 2018-06-14, 1 file, -2/+2

  PrivateDNS is not considered a good name for this option, so rename it to DNSOverTLS