resolved: don't query domain-limited DNS servers for other domains (#3621)

System Internals / systemd - Martin Pitt [ubuntu.com] - 30 September 2016 02:30 UTC

DNS servers which have route-only domains should only be used for the specified domains. Routing queries about other domains there is a privacy violation, prone to fail (as that DNS server was not meant to be used for other domains), and puts unnecessary load onto that server.

Introduce a new helper function dns_server_limited_domains() that checks if the DNS server should only be used for some selected domains, i.e. has some route-only domains without "~.". Use that when determining whether to query it in the scope, and when writing resolv.conf.

Extend the test_route_only_dns() case to ensure that the DNS server limited to ~company does not appear in resolv.conf. Add test_route_only_dns_all_domains() to ensure that a server that also has ~. does appear in resolv.conf as global name server. These reproduce #3420.

Add a new test_resolved_domain_restricted_dns() test case that verifies that domain-limited DNS servers are only being used for those domains. This reproduces #3421.

Clarify what a "routing domain" is in the manpage.

Fixes #3420
Fixes #3421

b9fe94c resolved: don't query domain-limited DNS servers for other domains (#3621)
man/systemd.network.xml | 4 +-
src/resolve/resolved-dns-scope.c | 8 +++
src/resolve/resolved-dns-server.c | 21 +++++++
src/resolve/resolved-dns-server.h | 2 +
src/resolve/resolved-resolv-conf.c | 10 ++++
test/networkd-test.py | 110 +++++++++++++++++++++++++++++++++++-
6 files changed, 152 insertions(+), 3 deletions(-)

Upstream: github.com
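The routing rule the commit message describes, as an added stand-alone model (example code written for this page, not systemd's own implementation; the type and function names, the sample server addresses and the query names are all made up): a server is "limited" when it has at least one routing domain ("~suffix") and none of them is the catch-all "~."; a limited server is only asked about names under its own domains and is left out of resolv.conf, while a server with "~." or only plain search domains stays a global nameserver. The example matches query names against all of the server's domains, search and routing alike, which is an assumption of this model.

```c
/* Added example (not systemd code): models the domain-limited DNS server rule
 * from the commit message. All names and addresses below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_DOMAINS 4

/* One configured DNS server together with the domains of its link.
 * A domain written with a leading "~" (as in Domains= of systemd.network) is a
 * routing domain: queries under that suffix are directed to this server, but the
 * suffix is not added to the search list. "~." is the catch-all routing domain. */
typedef struct {
    const char *address;
    const char *domains[MAX_DOMAINS];  /* e.g. "~company", "lan", "~." */
    size_t n_domains;
} dns_server_t;

static bool is_routing_domain(const char *d) { return d[0] == '~'; }

/* Strip the "~" marker; "~." becomes ".". */
static const char *domain_name(const char *d) {
    return is_routing_domain(d) ? d + 1 : d;
}

/* True if the server has at least one routing domain and none of them is "~.",
 * i.e. it must only be consulted for the domains it was configured for.
 * Re-implements the idea of the commit's dns_server_limited_domains() check. */
bool server_limited_to_domains(const dns_server_t *s) {
    bool has_route_only = false;
    for (size_t i = 0; i < s->n_domains; i++) {
        if (!is_routing_domain(s->domains[i]))
            continue;
        if (strcmp(s->domains[i], "~.") == 0)
            return false;            /* catch-all: global server after all */
        has_route_only = true;
    }
    return has_route_only;
}

/* Case-insensitive suffix match on label boundaries:
 * "host.company" matches "company", "notcompany" does not; "." matches all. */
static bool name_in_domain(const char *name, const char *domain) {
    if (strcmp(domain, ".") == 0)
        return true;
    size_t ln = strlen(name), ld = strlen(domain);
    if (ld > ln)
        return false;
    if (strcasecmp(name + ln - ld, domain) != 0)
        return false;
    return ln == ld || name[ln - ld - 1] == '.';
}

/* May a query for `name` be sent to this server at all?  A limited server is
 * skipped for names outside its domains (the scope check in the commit). */
bool server_may_answer(const dns_server_t *s, const char *name) {
    if (!server_limited_to_domains(s))
        return true;
    for (size_t i = 0; i < s->n_domains; i++)   /* assumption: search domains route too */
        if (name_in_domain(name, domain_name(s->domains[i])))
            return true;
    return false;
}

/* Only non-limited servers are written to resolv.conf as global nameservers. */
bool server_in_resolv_conf(const dns_server_t *s) {
    return !server_limited_to_domains(s);
}

int main(void) {
    /* Constructed sample: a VPN link limited to ~company and a home link with ~. */
    const dns_server_t vpn  = { "10.241.3.1",  { "~company" },   1 };
    const dns_server_t home = { "192.168.1.1", { "~.", "lan" },  2 };
    const dns_server_t *servers[] = { &vpn, &home };
    const char *queries[] = { "intranet.company", "printer.lan", "www.example.org" };

    for (size_t q = 0; q < 3; q++)
        for (size_t i = 0; i < 2; i++)
            printf("%-18s -> %-12s %s\n", queries[q], servers[i]->address,
                   server_may_answer(servers[i], queries[q]) ? "query" : "skip");
    for (size_t i = 0; i < 2; i++)
        if (server_in_resolv_conf(servers[i]))
            printf("resolv.conf: nameserver %s\n", servers[i]->address);
    return 0;
}
```

With this model, "www.example.org" is never sent to 10.241.3.1, which is the privacy and load point the commit makes; the catch-all "~." is what turns a server with routing domains back into a global one, so it is the one setting to check when a server unexpectedly shows up in resolv.conf.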
