From: Ronan Pigott <ronan@rjp.ie>
Date: Wed, 6 Mar 2024 01:05:57 +0000 (-0700)
Subject: resolved: decrease mdns/llmnr priority for the reverse mapping domains
X-Git-Tag: v256-rc1~616
X-Git-Url: http://git-history.diyao.me/?a=commitdiff_plain;h=da920fe176bd77f2ab36024ed5002a32108fc144;p=systemd%2F.git

resolved: decrease mdns/llmnr priority for the reverse mapping domains

Previously all queries to the reverse mapping domains (in-addr.arpa and
ip6.arpa) were considered to be in-scope for mdns and llmnr at the same
priority as DNS. This caused sd-resolved to ignore NXDOMAIN responses
from dns in favor of lengthy timeouts.

This narrows the scope of mdns and llmnr so they are not invariably
considered as fallbacks for these domains. Now, mdns/llmnr on a link
will only be used as a fallback when there is no suitable DNS scope, and
when that link is DefaultRoute.
---

diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index 80a1707407..351f2375df 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -608,6 +608,7 @@ DnsScopeMatch dns_scope_good_domain(
         /* This returns the following return values:
          *
          *    DNS_SCOPE_NO         → This scope is not suitable for lookups of this domain, at all
+         *    DNS_SCOPE_LAST_RESORT→ This scope is not suitable, unless we have no alternative
          *    DNS_SCOPE_MAYBE      → This scope is suitable, but only if nothing else wants it
          *    DNS_SCOPE_YES_BASE+n → This scope is suitable, and 'n' suffix labels match
          *
@@ -766,7 +767,7 @@ DnsScopeMatch dns_scope_good_domain(
 
                 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
                     (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0))
-                        return DNS_SCOPE_MAYBE;
+                        return DNS_SCOPE_LAST_RESORT;
 
                 if ((dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
                      dns_name_equal(domain, "local") == 0 &&   /* but not the single-label "local" name itself */
@@ -789,7 +790,7 @@ DnsScopeMatch dns_scope_good_domain(
 
                 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
                     (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0))
-                        return DNS_SCOPE_MAYBE;
+                        return DNS_SCOPE_LAST_RESORT;
 
                 if ((dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
                      dns_name_equal(domain, "local") == 0 && /* don't resolve "local" with LLMNR, it's the top-level domain of mDNS after all, see above */
diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h
index 76b6ed6838..23f147b8bd 100644
--- a/src/resolve/resolved-dns-scope.h
+++ b/src/resolve/resolved-dns-scope.h
@@ -18,6 +18,7 @@ typedef struct DnsScope DnsScope;
 
 typedef enum DnsScopeMatch {
         DNS_SCOPE_NO,
+        DNS_SCOPE_LAST_RESORT,
         DNS_SCOPE_MAYBE,
         DNS_SCOPE_YES_BASE, /* Add the number of matching labels to this */
         DNS_SCOPE_YES_END = DNS_SCOPE_YES_BASE + DNS_N_LABELS_MAX,