resolved: make resolved authoritative in resolveing our local host name
authorLennart Poettering <lennart@poettering.net>
Tue, 5 Mar 2024 12:48:59 +0000 (13:48 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 5 Mar 2024 14:31:32 +0000 (15:31 +0100)
This is kind of a follow-up to ce266330fc3bd6767451ac3400336cd9acebe9c1: it
makes resolved authoritative on our local hostname, and never contacts
DNS anymore for it.

We effectively already were authoritative for it, except if the user
queried for other RR types than just A/AAAA. This closes the gap and
refuses routing other RR type queries to DNS.

Fixes: #23662

docs/ENVIRONMENT.md
src/resolve/resolved-dns-query.c
src/resolve/resolved-dns-scope.c
src/resolve/resolved-dns-synthesize.c
src/resolve/resolved-dns-synthesize.h

index 00492829bdc5dc565a4eeb4e2d4cce83d82758dd..4d3b7a2636226b6762e6118eb3eb8543ab7223e3 100644 (file)
@@ -357,7 +357,8 @@ All tools:
 `systemd-resolved`:
 
 * `$SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME` — if set to "0", `systemd-resolved`
-  won't synthesize system hostname on both regular and reverse lookups.
+  won't synthesize A/AAAA/PTR RRs for the system hostname on either regular nor
+  reverse lookups.
 
 `systemd-sysext`:
 
index cb2368c67a384402d1db6afa320c3bac945779b9..801bbe8007e136d18684bd459525b813f11473f7 100644 (file)
@@ -672,6 +672,8 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
                 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
                 *state = DNS_TRANSACTION_RCODE_FAILURE;
 
+                log_debug("Found synthetic NXDOMAIN response.");
+
                 return 0;
         }
         if (r <= 0)
@@ -687,6 +689,8 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
 
         *state = DNS_TRANSACTION_SUCCESS;
 
+        log_debug("Found synthetic success response.");
+
         return 1;
 }
 
index 0b5e907bcf919c6e1b2f65dc596d06247a9c39a4..7f7e8626d14bb9299ecb3ab0ebc841f545093664 100644 (file)
@@ -12,6 +12,7 @@
 #include "random-util.h"
 #include "resolved-dnssd.h"
 #include "resolved-dns-scope.h"
+#include "resolved-dns-synthesize.h"
 #include "resolved-dns-zone.h"
 #include "resolved-llmnr.h"
 #include "resolved-mdns.h"
@@ -653,6 +654,10 @@ DnsScopeMatch dns_scope_good_domain(
             is_dns_proxy_stub_hostname(domain))
                 return DNS_SCOPE_NO;
 
+        /* Don't look up the local host name via the network, unless user turned of local synthesis of it */
+        if (manager_is_own_hostname(s->manager, domain) && shall_synthesize_own_hostname_rrs())
+                return DNS_SCOPE_NO;
+
         /* Never send SOA or NS or DNSSEC request to LLMNR, where they make little sense. */
         r = dns_question_types_suitable_for_protocol(question, s->protocol);
         if (r <= 0)
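Review bot: The comment on the new guard has a typo ("turned of") and understates why the check exists; I'd write it as `/* Never look up our own host name via the network, unless the user turned off local synthesis of it: this is what keeps the local host name from reaching upstream DNS/LLMNR/mDNS for RR types the synthesizer does not answer. */` since per the description the A/AAAA case was already covered and this hunk closes the gap for the other types. `shall_synthesize_own_hostname_rrs()` is a cached boolean while `manager_is_own_hostname()` presumably does name comparison work, so testing the cheap one first, `if (shall_synthesize_own_hostname_rrs() && manager_is_own_hostname(s->manager, domain))`, skips the comparison on the common path. dns_scope_good_domain() starts before this hunk, so I cannot see which scope protocols reach this point; the check as written applies to every scope, which looks intended.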
index 5bde29c704b775e11fbac80010831420358275ee..6f483fdf0e6287a7fe747d9fe35b7d02199e3bd5 100644 (file)
@@ -439,6 +439,20 @@ static int synthesize_gateway_ptr(
         return answer_add_addresses_ptr(answer, "_gateway", addresses, n, af, address);
 }
 
+bool shall_synthesize_own_hostname_rrs(void) {
+        static int cached = -1;
+        int r;
+
+        if (cached >= 0)
+                return cached;
+
+        r = secure_getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME");
+        if (r < 0 && r != -ENXIO)
+                log_debug_errno(r, "Failed to parse $SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME: %m");
+
+        return (cached = r != 0);
+}
+
 int dns_synthesize_answer(
                 Manager *m,
                 DnsQuestion *q,
@@ -479,8 +493,9 @@ int dns_synthesize_answer(
 
                 } else if (manager_is_own_hostname(m, name)) {
 
-                        if (getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME") == 0)
+                        if (!shall_synthesize_own_hostname_rrs())
                                 continue;
+
                         r = synthesize_system_hostname_rr(m, key, ifindex, &answer);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to synthesize system hostname RRs: %m");
@@ -530,7 +545,7 @@ int dns_synthesize_answer(
                 } else if (dns_name_address(name, &af, &address) > 0) {
                         int v, w, u;
 
-                        if (getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME") == 0)
+                        if (!shall_synthesize_own_hostname_rrs())
                                 continue;
 
                         v = synthesize_system_hostname_ptr(m, af, &address, ifindex, &answer);
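Review bot: shall_synthesize_own_hostname_rrs() in the first hunk of this file has no comment explaining its fail-safe and caching semantics, which the new caller in resolved-dns-scope.c now depends on. I'd add a header comment stating that $SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME is read once and the result cached for the lifetime of the process, that only an explicit false disables synthesis while an unset or unparsable value keeps it enabled (matching the old `getenv_bool(...) == 0` test, and the safe direction since disabling means the local host name goes out to the network), and that a parse error is therefore logged only on the first call. Switching from getenv_bool() to secure_getenv_bool() also means the variable is presumably ignored when the process runs with AT_SECURE, which the docs/ENVIRONMENT.md hunk in this commit does not mention. The `static int cached` is unsynchronized, which is fine only if this is called from the single event-loop thread, as I assume it is in resolved.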
index bf271e862d54decfcdf7de57f0c3062a19d332fe..ca39e682b4dafc376360bc7812914e1c284fa871 100644 (file)
@@ -9,3 +9,5 @@ int dns_synthesize_family(uint64_t flags);
 DnsProtocol dns_synthesize_protocol(uint64_t flags);
 
 int dns_synthesize_answer(Manager *m, DnsQuestion *q, int ifindex, DnsAnswer **ret);
+
+bool shall_synthesize_own_hostname_rrs(void);