Ensure all calls to getaddrinfo are headed by a block_dns check.

If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.

Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.

lib/krb5/krbhst.c

@@ -430,6 +430,11 @@ krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
 	snprintf (portstr, sizeof(portstr), "%d", host->port);
 	make_hints(&hints, host->proto);
 
+	if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+		NULL)) {
+	    hints.ai_flags &= ~AI_CANONNAME;
+	    hints.ai_flags |= AI_NUMERICHOST;
+	}
 	ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai);
 	if (ret) {
 	    ret = krb5_eai_to_heim_errno(ret, errno);
@@ -550,6 +555,11 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
 
     make_hints(&hints, proto);
     snprintf(portstr, sizeof(portstr), "%d", port);
+    if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+	    NULL)) {
+	hints.ai_flags &= ~AI_CANONNAME;
+	hints.ai_flags |= AI_NUMERICHOST;
+    }
     ret = getaddrinfo(host, portstr, &hints, &ai);
     if (ret) {
 	/* no more hosts, so we're done here */
@@ -718,6 +728,13 @@ plugin_get_hosts(krb5_context context,
 {
     struct plctx ctx = { type, kd, 0 };
 
+    /*
+     * XXX Need a way to pass this through -- unsure if any of this is
+     * useful without DNS, though.
+     */
+    if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", NULL))
+	return;
+
     if (_krb5_homedir_access(context))
 	ctx.flags |= KRB5_PLF_ALLOW_HOMEDIR;