From 677b20b6738ee287d1b882815b3bcca67754e003 Mon Sep 17 00:00:00 2001

From: Lennart Poettering <lennart@poettering.net>

Date: Fri, 25 Nov 2022 12:15:56 +0100

Subject: [PATCH] resolved: introduce the _localdnsstub and _localdnsproxy

 special hostnames for 127.0.0.54 + 127.0.0.53

Let's give these special IP addresses names. After all name resolution

is our job here.

Fixes: #23623

(cherry picked from commit 17f244e8f9de008ea1c6e0880bdc924b95a66e2b)

Related: #2138081

---

 man/resolvectl.xml                    |  11 +--

 man/systemd-resolved.service.xml      |   6 ++

 src/basic/hostname-util.h             |   8 ++

 src/resolve/resolvectl.c              |   6 +-

 src/resolve/resolved-dns-scope.c      |   7 +-

 src/resolve/resolved-dns-synthesize.c | 110 +++++++++++++++++++++++++-

 test/units/testsuite-75.sh            |  11 +++

 7 files changed, 147 insertions(+), 12 deletions(-)

diff --git a/man/resolvectl.xml b/man/resolvectl.xml

index 2cb855c360..c966ca67bd 100644

--- a/man/resolvectl.xml

+++ b/man/resolvectl.xml

@@ -323,11 +323,12 @@

         <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true

         (the default), select domains are resolved on the local system, among them

-        <literal>localhost</literal>, <literal>_gateway</literal> and <literal>_outbound</literal>, or

-        entries from <filename>/etc/hosts</filename>. If false these domains are not resolved locally, and

-        either fail (in case of <literal>localhost</literal>, <literal>_gateway</literal> or

-        <literal>_outbound</literal> and suchlike) or go to the network via regular DNS/mDNS/LLMNR lookups

-        (in case of <filename>/etc/hosts</filename> entries).</para></listitem>

+        <literal>localhost</literal>, <literal>_gateway</literal>, <literal>_outbound</literal>,

+        <literal>_localdnsstub</literal> and <literal>_localdnsproxy</literal> or entries from

+        <filename>/etc/hosts</filename>. If false these domains are not resolved locally, and either fail (in

+        case of <literal>localhost</literal>, <literal>_gateway</literal> or <literal>_outbound</literal> and

+        suchlike) or go to the network via regular DNS/mDNS/LLMNR lookups (in case of

+        <filename>/etc/hosts</filename> entries).</para></listitem>

       </varlistentry>

       <varlistentry>

diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml

index 7f30fa6536..c006c03b53 100644

--- a/man/systemd-resolved.service.xml

+++ b/man/systemd-resolved.service.xml

@@ -118,6 +118,12 @@

       local default gateway configured. This assigns a stable hostname to the local outbound IP addresses,

       useful for referencing them independently of the current network configuration state.</para></listitem>

+      <listitem><para>The hostname <literal>_localdnsstub</literal> is resolved to the IP address 127.0.0.53,

+      i.e. the address the local DNS stub (see above) is listening on.</para></listitem>

+

+      <listitem><para>The hostname <literal>_localdnsproxy</literal> is resolved to the IP address 127.0.0.54,

+      i.e. the address the local DNS proxy (see above) is listening on.</para></listitem>

+

       <listitem><para>The mappings defined in <filename>/etc/hosts</filename> are resolved to their

       configured addresses and back, but they will not affect lookups for non-address types (like MX).

       Support for <filename>/etc/hosts</filename> may be disabled with <varname>ReadEtcHosts=no</varname>,

diff --git a/src/basic/hostname-util.h b/src/basic/hostname-util.h

index a00b852395..bcac3d9fb0 100644

--- a/src/basic/hostname-util.h

+++ b/src/basic/hostname-util.h

@@ -60,4 +60,12 @@ static inline bool is_outbound_hostname(const char *hostname) {

         return STRCASE_IN_SET(hostname, "_outbound", "_outbound.");

 }

+static inline bool is_dns_stub_hostname(const char *hostname) {

+        return STRCASE_IN_SET(hostname, "_localdnsstub", "_localdnsstub.");

+}

+

+static inline bool is_dns_proxy_stub_hostname(const char *hostname) {

+        return STRCASE_IN_SET(hostname, "_localdnsproxy", "_localdnsproxy.");

+}

+

 int get_pretty_hostname(char **ret);

diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c

index b07761a495..2a7347ca27 100644

--- a/src/resolve/resolvectl.c

+++ b/src/resolve/resolvectl.c

@@ -478,7 +478,11 @@ static bool single_label_nonsynthetic(const char *name) {

         if (!dns_name_is_single_label(name))

                 return false;

-        if (is_localhost(name) || is_gateway_hostname(name))

+        if (is_localhost(name) ||

+            is_gateway_hostname(name) ||

+            is_outbound_hostname(name) ||

+            is_dns_stub_hostname(name) ||

+            is_dns_proxy_stub_hostname(name))

                 return false;

         r = resolve_system_hostname(NULL, &first_label);

diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c

index 4f744499aa..607109ee0f 100644

--- a/src/resolve/resolved-dns-scope.c

+++ b/src/resolve/resolved-dns-scope.c

@@ -635,8 +635,11 @@ DnsScopeMatch dns_scope_good_domain(

         if (dns_name_dont_resolve(domain))

                 return DNS_SCOPE_NO;

-        /* Never go to network for the _gateway or _outbound domain — they're something special, synthesized locally. */

-        if (is_gateway_hostname(domain) || is_outbound_hostname(domain))

+        /* Never go to network for the _gateway, _outbound, _localdnsstub, _localdnsproxy domain — they're something special, synthesized locally. */

+        if (is_gateway_hostname(domain) ||

+            is_outbound_hostname(domain) ||

+            is_dns_stub_hostname(domain) ||

+            is_dns_proxy_stub_hostname(domain))

                 return DNS_SCOPE_NO;

         switch (s->protocol) {

diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c

index b3442ad906..fa8b4a5760 100644

--- a/src/resolve/resolved-dns-synthesize.c

+++ b/src/resolve/resolved-dns-synthesize.c

@@ -356,7 +356,90 @@ static int synthesize_gateway_rr(

         return 1; /* > 0 means: we have some gateway */

 }

-static int synthesize_gateway_ptr(Manager *m, int af, const union in_addr_union *address, int ifindex, DnsAnswer **answer) {

+static int synthesize_dns_stub_rr(

+                Manager *m,

+                const DnsResourceKey *key,

+                in_addr_t addr,

+                DnsAnswer **answer) {

+

+        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;

+        int r;

+

+        assert(m);

+        assert(key);

+        assert(answer);

+

+        if (!IN_SET(key->type, DNS_TYPE_A, DNS_TYPE_ANY))

+                return 1; /* we still consider ourselves the owner of this name */

+

+        r = dns_answer_reserve(answer, 1);

+        if (r < 0)

+                return r;

+

+        rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, dns_resource_key_name(key));

+        if (!rr)

+                return -ENOMEM;

+

+        rr->a.in_addr.s_addr = htobe32(addr);

+

+        r = dns_answer_add(*answer, rr, LOOPBACK_IFINDEX, DNS_ANSWER_AUTHENTICATED, NULL);

+        if (r < 0)

+                return r;

+

+        return 1;

+}

+

+static int synthesize_dns_stub_ptr(

+                Manager *m,

+                int af,

+                const union in_addr_union *address,

+                DnsAnswer **answer) {

+

+        int r;

+

+        assert(m);

+        assert(address);

+        assert(answer);

+

+        if (af != AF_INET)

+                return 0;

+

+        if (address->in.s_addr == htobe32(INADDR_DNS_STUB)) {

+

+                r = dns_answer_reserve(answer, 1);

+                if (r < 0)

+                        return r;

+

+                r = answer_add_ptr(answer, "53.0.0.127.in-addr.arpa", "_localdnsstub", LOOPBACK_IFINDEX, DNS_ANSWER_AUTHENTICATED);

+                if (r < 0)

+                        return r;

+

+                return 1;

+        }

+

+        if (address->in.s_addr == htobe32(INADDR_DNS_PROXY_STUB)) {

+

+                r = dns_answer_reserve(answer, 1);

+                if (r < 0)

+                        return r;

+

+                r = answer_add_ptr(answer, "54.0.0.127.in-addr.arpa", "_localdnsproxy", LOOPBACK_IFINDEX, DNS_ANSWER_AUTHENTICATED);

+                if (r < 0)

+                        return r;

+

+                return 1;

+        }

+

+        return 0;

+}

+

+static int synthesize_gateway_ptr(

+                Manager *m,

+                int af,

+                const union in_addr_union *address,

+                int ifindex,

+                DnsAnswer **answer) {

+

         _cleanup_free_ struct local_address *addresses = NULL;

         int n;

@@ -437,7 +520,22 @@ int dns_synthesize_answer(

                                 continue;

                         }

-                } else if ((dns_name_endswith(name, "127.in-addr.arpa") > 0 && dns_name_equal(name, "2.0.0.127.in-addr.arpa") == 0) ||

+                } else if (is_dns_stub_hostname(name)) {

+

+                        r = synthesize_dns_stub_rr(m, key, INADDR_DNS_STUB, &answer);

+                        if (r < 0)

+                                return log_error_errno(r, "Failed to synthesize local DNS stub RRs: %m");

+

+                } else if (is_dns_proxy_stub_hostname(name)) {

+

+                        r = synthesize_dns_stub_rr(m, key, INADDR_DNS_PROXY_STUB, &answer);

+                        if (r < 0)

+                                return log_error_errno(r, "Failed to synthesize local DNS stub RRs: %m");

+

+                } else if ((dns_name_endswith(name, "127.in-addr.arpa") > 0 &&

+                            dns_name_equal(name, "2.0.0.127.in-addr.arpa") == 0 &&

+                            dns_name_equal(name, "53.0.0.127.in-addr.arpa") == 0 &&

+                            dns_name_equal(name, "54.0.0.127.in-addr.arpa") == 0) ||

                            dns_name_equal(name, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0) {

                         r = synthesize_localhost_ptr(m, key, ifindex, &answer);

@@ -445,7 +543,7 @@ int dns_synthesize_answer(

                                 return log_error_errno(r, "Failed to synthesize localhost PTR RRs: %m");

                 } else if (dns_name_address(name, &af, &address) > 0) {

-                        int v, w;

+                        int v, w, u;

                         if (getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME") == 0)

                                 continue;

@@ -458,7 +556,11 @@ int dns_synthesize_answer(

                         if (w < 0)

                                 return log_error_errno(w, "Failed to synthesize gateway hostname PTR RR: %m");

-                        if (v == 0 && w == 0) /* This IP address is neither a local one nor a gateway */

+                        u = synthesize_dns_stub_ptr(m, af, &address, &answer);

+                        if (u < 0)

+                                return log_error_errno(u, "Failed to synthesize local stub hostname PTR PR: %m");

+

+                        if (v == 0 && w == 0 && u == 0) /* This IP address is neither a local one, nor a gateway, nor a stub address */

                                 continue;

                         /* Note that we never synthesize reverse PTR for _outbound, since those are local

diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh

index 1a656fcdc1..0c68e0636f 100755

--- a/test/units/testsuite-75.sh

+++ b/test/units/testsuite-75.sh

@@ -56,6 +56,17 @@ echo nameserver 10.0.3.3 10.0.3.4 | "$RESOLVCONF" -a hoge.foo.dhcp

 assert_in '10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)"

 assert_in '10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)"

+# Tests for _localdnsstub and _localdnsproxy

+assert_in '127.0.0.53' "$(resolvectl query _localdnsstub)"

+assert_in '_localdnsstub' "$(resolvectl query 127.0.0.53)"

+assert_in '127.0.0.54' "$(resolvectl query _localdnsproxy)"

+assert_in '_localdnsproxy' "$(resolvectl query 127.0.0.54)"

+

+assert_in '127.0.0.53' "$(dig @127.0.0.53 _localdnsstub)"

+assert_in '_localdnsstub' "$(dig @127.0.0.53 -x 127.0.0.53)"

+assert_in '127.0.0.54' "$(dig @127.0.0.53 _localdnsproxy)"

+assert_in '_localdnsproxy' "$(dig @127.0.0.53 -x 127.0.0.54)"

+

 # Tests for mDNS and LLMNR settings

 mkdir -p /run/systemd/resolved.conf.d

 {