Pull request 2075: 1660-refactor-dns

Updates #1660.

Squashed commit of the following:

commit ed4923372bad717403c6f593586580daf00a90da
Merge: 85e82520a 388583cef
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Nov 17 16:00:13 2023 +0300

    Merge branch 'master' into 1660-refactor-dns

commit 85e82520a45c30a659af8b43879ca059e7a6755f
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Nov 17 14:55:11 2023 +0300

    home: imp dns conf

commit bd255a77a77d0552f0a8306a045a98200a4ffb58
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Nov 17 14:30:50 2023 +0300

    all: imp dns conf
This commit is contained in:
Ainar Garipov 2023-11-17 16:52:41 +03:00
parent 388583cefe
commit 1c0bf95b5a
4 changed files with 127 additions and 97 deletions

View File

@ -29,9 +29,10 @@ NOTE: Add new changes BELOW THIS COMMENT.
#### Configuration changes #### Configuration changes
- Added new properties `clients.persistent.upstreams_cache_enabled` and - The property `dns.bogus_nxdomain` is now validated more strictly.
`clients.persistent.upstreams_cache_size` which describe cache configuration - Added new properties `clients.persistent.*.upstreams_cache_enabled` and
for each client custom upstream configuration. `clients.persistent.*.upstreams_cache_size` that describe cache configuration
for each client's custom upstream configuration.
### Fixed ### Fixed

View File

@ -334,16 +334,9 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
srvConf.FastestTimeout.Duration, srvConf.FastestTimeout.Duration,
) )
for i, s := range srvConf.BogusNXDomain { conf.BogusNXDomain, err = parseBogusNXDOMAIN(srvConf.BogusNXDomain)
var subnet netip.Prefix if err != nil {
subnet, err = aghnet.ParseSubnet(s) return proxy.Config{}, fmt.Errorf("bogus_nxdomain: %w", err)
if err != nil {
log.Error("subnet at index %d: %s", i, err)
continue
}
conf.BogusNXDomain = append(conf.BogusNXDomain, subnet)
} }
err = s.prepareTLS(&conf) err = s.prepareTLS(&conf)
@ -365,6 +358,21 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
return conf, nil return conf, nil
} }
// parseBogusNXDOMAIN parses the bogus NXDOMAIN strings into valid subnets.
func parseBogusNXDOMAIN(confBogusNXDOMAIN []string) (subnets []netip.Prefix, err error) {
for i, s := range confBogusNXDOMAIN {
var subnet netip.Prefix
subnet, err = aghnet.ParseSubnet(s)
if err != nil {
return nil, fmt.Errorf("subnet at index %d: %w", i, err)
}
subnets = append(subnets, subnet)
}
return subnets, nil
}
const defaultBlockedResponseTTL = 3600 const defaultBlockedResponseTTL = 3600
// initDefaultSettings initializes default settings if nothing // initDefaultSettings initializes default settings if nothing

View File

@ -115,6 +115,8 @@ type configuration struct {
// Theme is a UI theme for current user. // Theme is a UI theme for current user.
Theme Theme `yaml:"theme"` Theme Theme `yaml:"theme"`
// TODO(a.garipov): Make DNS and the fields below pointers and validate
// and/or reset on explicit nulling.
DNS dnsConfig `yaml:"dns"` DNS dnsConfig `yaml:"dns"`
TLS tlsConfigSettings `yaml:"tls"` TLS tlsConfigSettings `yaml:"tls"`
QueryLog queryLogConfig `yaml:"querylog"` QueryLog queryLogConfig `yaml:"querylog"`
@ -214,13 +216,13 @@ type dnsConfig struct {
// DNS64Prefixes is the list of NAT64 prefixes to be used for DNS64. // DNS64Prefixes is the list of NAT64 prefixes to be used for DNS64.
DNS64Prefixes []netip.Prefix `yaml:"dns64_prefixes"` DNS64Prefixes []netip.Prefix `yaml:"dns64_prefixes"`
// ServeHTTP3 defines if HTTP/3 is be allowed for incoming requests. // ServeHTTP3 defines if HTTP/3 is allowed for incoming requests.
// //
// TODO(a.garipov): Add to the UI when HTTP/3 support is no longer // TODO(a.garipov): Add to the UI when HTTP/3 support is no longer
// experimental. // experimental.
ServeHTTP3 bool `yaml:"serve_http3"` ServeHTTP3 bool `yaml:"serve_http3"`
// UseHTTP3Upstreams defines if HTTP/3 is be allowed for DNS-over-HTTPS // UseHTTP3Upstreams defines if HTTP/3 is allowed for DNS-over-HTTPS
// upstreams. // upstreams.
// //
// TODO(a.garipov): Add to the UI when HTTP/3 support is no longer // TODO(a.garipov): Add to the UI when HTTP/3 support is no longer

View File

@ -150,7 +150,7 @@ func initDNSServer(
Context.clients.dnsServer = Context.dnsServer Context.clients.dnsServer = Context.dnsServer
dnsConf, err := newServerConfig(tlsConf, httpReg) dnsConf, err := newServerConfig(&config.DNS, config.Clients.Sources, tlsConf, httpReg)
if err != nil { if err != nil {
closeDNSServer() closeDNSServer()
@ -223,21 +223,36 @@ func ipsToUDPAddrs(ips []netip.Addr, port uint16) (udpAddrs []*net.UDPAddr) {
return udpAddrs return udpAddrs
} }
// newServerConfig converts values from the configuration file into the internal
// DNS server configuration. All arguments must not be nil.
func newServerConfig( func newServerConfig(
dnsConf *dnsConfig,
clientSrcConf *clientSourcesConfig,
tlsConf *tlsConfigSettings, tlsConf *tlsConfigSettings,
httpReg aghhttp.RegisterFunc, httpReg aghhttp.RegisterFunc,
) (newConf *dnsforward.ServerConfig, err error) { ) (newConf *dnsforward.ServerConfig, err error) {
dnsConf := config.DNS
hosts := aghalg.CoalesceSlice(dnsConf.BindHosts, []netip.Addr{netutil.IPv4Localhost()}) hosts := aghalg.CoalesceSlice(dnsConf.BindHosts, []netip.Addr{netutil.IPv4Localhost()})
fwdConf := dnsConf.Config
fwdConf.FilterHandler = applyAdditionalFiltering
fwdConf.ClientsContainer = &Context.clients
newConf = &dnsforward.ServerConfig{ newConf = &dnsforward.ServerConfig{
UDPListenAddrs: ipsToUDPAddrs(hosts, dnsConf.Port), UDPListenAddrs: ipsToUDPAddrs(hosts, dnsConf.Port),
TCPListenAddrs: ipsToTCPAddrs(hosts, dnsConf.Port), TCPListenAddrs: ipsToTCPAddrs(hosts, dnsConf.Port),
Config: dnsConf.Config, Config: fwdConf,
ConfigModified: onConfigModified, TLSConfig: newDNSTLSConfig(tlsConf, hosts),
HTTPRegister: httpReg, TLSAllowUnencryptedDoH: tlsConf.AllowUnencryptedDoH,
UseDNS64: config.DNS.UseDNS64, UpstreamTimeout: dnsConf.UpstreamTimeout.Duration,
DNS64Prefixes: config.DNS.DNS64Prefixes, TLSv12Roots: Context.tlsRoots,
ConfigModified: onConfigModified,
HTTPRegister: httpReg,
LocalPTRResolvers: dnsConf.LocalPTRResolvers,
UseDNS64: dnsConf.UseDNS64,
DNS64Prefixes: dnsConf.DNS64Prefixes,
UsePrivateRDNS: dnsConf.UsePrivateRDNS,
ServeHTTP3: dnsConf.ServeHTTP3,
UseHTTP3Upstreams: dnsConf.UseHTTP3Upstreams,
} }
var initialAddresses []netip.Addr var initialAddresses []netip.Addr
@ -255,79 +270,81 @@ func newServerConfig(
AddressUpdater: &Context.clients, AddressUpdater: &Context.clients,
InitialAddresses: initialAddresses, InitialAddresses: initialAddresses,
CatchPanics: true, CatchPanics: true,
UseRDNS: config.Clients.Sources.RDNS, UseRDNS: clientSrcConf.RDNS,
UseWHOIS: config.Clients.Sources.WHOIS, UseWHOIS: clientSrcConf.WHOIS,
} }
if tlsConf.Enabled { newConf.DNSCryptConfig, err = newDNSCryptConfig(tlsConf, hosts)
newConf.TLSConfig = tlsConf.TLSConfig if err != nil {
newConf.TLSConfig.ServerName = tlsConf.ServerName // Don't wrap the error, because it's already wrapped by
// newDNSCryptConfig.
if tlsConf.PortHTTPS != 0 { return nil, err
newConf.HTTPSListenAddrs = ipsToTCPAddrs(hosts, tlsConf.PortHTTPS)
}
if tlsConf.PortDNSOverTLS != 0 {
newConf.TLSListenAddrs = ipsToTCPAddrs(hosts, tlsConf.PortDNSOverTLS)
}
if tlsConf.PortDNSOverQUIC != 0 {
newConf.QUICListenAddrs = ipsToUDPAddrs(hosts, tlsConf.PortDNSOverQUIC)
}
if tlsConf.PortDNSCrypt != 0 {
newConf.DNSCryptConfig, err = newDNSCrypt(hosts, *tlsConf)
if err != nil {
// Don't wrap the error, because it's already wrapped by
// newDNSCrypt.
return nil, err
}
}
} }
newConf.TLSv12Roots = Context.tlsRoots
newConf.TLSAllowUnencryptedDoH = tlsConf.AllowUnencryptedDoH
newConf.FilterHandler = applyAdditionalFiltering
newConf.ClientsContainer = &Context.clients
newConf.LocalPTRResolvers = dnsConf.LocalPTRResolvers
newConf.UpstreamTimeout = dnsConf.UpstreamTimeout.Duration
newConf.UsePrivateRDNS = dnsConf.UsePrivateRDNS
newConf.ServeHTTP3 = dnsConf.ServeHTTP3
newConf.UseHTTP3Upstreams = dnsConf.UseHTTP3Upstreams
return newConf, nil return newConf, nil
} }
func newDNSCrypt(hosts []netip.Addr, tlsConf tlsConfigSettings) (dnscc dnsforward.DNSCryptConfig, err error) { // newDNSTLSConfig converts values from the configuration file into the internal
if tlsConf.DNSCryptConfigFile == "" { // TLS settings for the DNS server. tlsConf must not be nil.
return dnscc, errors.Error("no dnscrypt_config_file") func newDNSTLSConfig(conf *tlsConfigSettings, addrs []netip.Addr) (dnsConf dnsforward.TLSConfig) {
if !conf.Enabled {
return dnsforward.TLSConfig{}
} }
f, err := os.Open(tlsConf.DNSCryptConfigFile) dnsConf = conf.TLSConfig
dnsConf.ServerName = conf.ServerName
if conf.PortHTTPS != 0 {
dnsConf.HTTPSListenAddrs = ipsToTCPAddrs(addrs, conf.PortHTTPS)
}
if conf.PortDNSOverTLS != 0 {
dnsConf.TLSListenAddrs = ipsToTCPAddrs(addrs, conf.PortDNSOverTLS)
}
if conf.PortDNSOverQUIC != 0 {
dnsConf.QUICListenAddrs = ipsToUDPAddrs(addrs, conf.PortDNSOverQUIC)
}
return dnsConf
}
// newDNSCryptConfig converts values from the configuration file into the
// internal DNSCrypt settings for the DNS server. conf must not be nil.
func newDNSCryptConfig(
conf *tlsConfigSettings,
addrs []netip.Addr,
) (dnsCryptConf dnsforward.DNSCryptConfig, err error) {
if !conf.Enabled || conf.PortDNSCrypt == 0 {
return dnsforward.DNSCryptConfig{}, nil
}
if conf.DNSCryptConfigFile == "" {
return dnsforward.DNSCryptConfig{}, errors.Error("no dnscrypt_config_file")
}
f, err := os.Open(conf.DNSCryptConfigFile)
if err != nil { if err != nil {
return dnscc, fmt.Errorf("opening dnscrypt config: %w", err) return dnsforward.DNSCryptConfig{}, fmt.Errorf("opening dnscrypt config: %w", err)
} }
defer func() { err = errors.WithDeferred(err, f.Close()) }() defer func() { err = errors.WithDeferred(err, f.Close()) }()
rc := &dnscrypt.ResolverConfig{} rc := &dnscrypt.ResolverConfig{}
err = yaml.NewDecoder(f).Decode(rc) err = yaml.NewDecoder(f).Decode(rc)
if err != nil { if err != nil {
return dnscc, fmt.Errorf("decoding dnscrypt config: %w", err) return dnsforward.DNSCryptConfig{}, fmt.Errorf("decoding dnscrypt config: %w", err)
} }
cert, err := rc.CreateCert() cert, err := rc.CreateCert()
if err != nil { if err != nil {
return dnscc, fmt.Errorf("creating dnscrypt cert: %w", err) return dnsforward.DNSCryptConfig{}, fmt.Errorf("creating dnscrypt cert: %w", err)
} }
return dnsforward.DNSCryptConfig{ return dnsforward.DNSCryptConfig{
ResolverCert: cert, ResolverCert: cert,
ProviderName: rc.ProviderName, ProviderName: rc.ProviderName,
UDPListenAddrs: ipsToUDPAddrs(hosts, tlsConf.PortDNSCrypt), UDPListenAddrs: ipsToUDPAddrs(addrs, conf.PortDNSCrypt),
TCPListenAddrs: ipsToTCPAddrs(hosts, tlsConf.PortDNSCrypt), TCPListenAddrs: ipsToTCPAddrs(addrs, conf.PortDNSCrypt),
Enabled: true, Enabled: true,
}, nil }, nil
} }
@ -343,34 +360,36 @@ func getDNSEncryption() (de dnsEncryption) {
Context.tls.WriteDiskConfig(&tlsConf) Context.tls.WriteDiskConfig(&tlsConf)
if tlsConf.Enabled && len(tlsConf.ServerName) != 0 { if !tlsConf.Enabled || len(tlsConf.ServerName) == 0 {
hostname := tlsConf.ServerName return dnsEncryption{}
if tlsConf.PortHTTPS != 0 { }
addr := hostname
if p := tlsConf.PortHTTPS; p != defaultPortHTTPS {
addr = netutil.JoinHostPort(addr, p)
}
de.https = (&url.URL{ hostname := tlsConf.ServerName
Scheme: "https", if tlsConf.PortHTTPS != 0 {
Host: addr, addr := hostname
Path: "/dns-query", if p := tlsConf.PortHTTPS; p != defaultPortHTTPS {
}).String() addr = netutil.JoinHostPort(addr, p)
} }
if p := tlsConf.PortDNSOverTLS; p != 0 { de.https = (&url.URL{
de.tls = (&url.URL{ Scheme: "https",
Scheme: "tls", Host: addr,
Host: netutil.JoinHostPort(hostname, p), Path: "/dns-query",
}).String() }).String()
} }
if p := tlsConf.PortDNSOverQUIC; p != 0 { if p := tlsConf.PortDNSOverTLS; p != 0 {
de.quic = (&url.URL{ de.tls = (&url.URL{
Scheme: "quic", Scheme: "tls",
Host: netutil.JoinHostPort(hostname, p), Host: netutil.JoinHostPort(hostname, p),
}).String() }).String()
} }
if p := tlsConf.PortDNSOverQUIC; p != 0 {
de.quic = (&url.URL{
Scheme: "quic",
Host: netutil.JoinHostPort(hostname, p),
}).String()
} }
return de return de
@ -455,7 +474,7 @@ func reconfigureDNSServer() (err error) {
tlsConf := &tlsConfigSettings{} tlsConf := &tlsConfigSettings{}
Context.tls.WriteDiskConfig(tlsConf) Context.tls.WriteDiskConfig(tlsConf)
newConf, err := newServerConfig(tlsConf, httpRegister) newConf, err := newServerConfig(&config.DNS, config.Clients.Sources, tlsConf, httpRegister)
if err != nil { if err != nil {
return fmt.Errorf("generating forwarding dns server config: %w", err) return fmt.Errorf("generating forwarding dns server config: %w", err)
} }