From 9b91a87406623815907627ecc7d81979f511a726 Mon Sep 17 00:00:00 2001 From: Eugene Burkov Date: Thu, 16 Nov 2023 14:05:10 +0300 Subject: [PATCH] Pull request 2064: AG-23599 Upd proxy Merge in DNS/adguard-home from AG-23599-upd-proxy to master Squashed commit of the following: commit 31a4da2fe425d648a94f13060e8786ffae0be3ca Merge: 2c2fb253d 94bceaa84 Author: Eugene Burkov Date: Thu Nov 16 13:37:55 2023 +0300 Merge branch 'master' into AG-23599-upd-proxy commit 2c2fb253d489baa6b97a524b7e3327676ee6aa6f Author: Eugene Burkov Date: Wed Nov 15 19:03:20 2023 +0300 dnsforward: imp code commit 7384365758f80753cc4234184e7bd7311a85435d Author: Eugene Burkov Date: Tue Nov 14 17:02:07 2023 +0300 all: imp code commit 9c0be82285eed0602f593f805cfb7d02ace17a64 Author: Eugene Burkov Date: Fri Nov 10 20:21:00 2023 +0300 all: imp code, docs commit 5a47875882b5afd0264e4d473e884843745ff3f4 Author: Eugene Burkov Date: Thu Nov 9 16:50:51 2023 +0300 all: upd proxy --- go.mod | 2 +- go.sum | 4 +- internal/aghnet/hostscontainer.go | 47 +++++- internal/aghnet/net.go | 46 ++++++ internal/aghtest/interface.go | 21 +++ internal/aghtest/interface_test.go | 4 + internal/dnsforward/config.go | 117 ++++++++----- internal/dnsforward/dnsforward.go | 129 ++++++++++----- internal/dnsforward/dnsforward_test.go | 23 +-- internal/dnsforward/http.go | 41 ++--- internal/dnsforward/http_test.go | 3 +- internal/dnsforward/process.go | 9 +- internal/dnsforward/upstreams.go | 219 +++++-------------------- internal/filtering/filtering.go | 2 + internal/home/clients.go | 40 +++-- internal/home/clients_internal_test.go | 4 +- internal/home/dns.go | 5 +- internal/home/home.go | 31 ++-- internal/next/dnssvc/dnssvc.go | 42 ++++- 19 files changed, 443 insertions(+), 346 deletions(-) diff --git a/go.mod b/go.mod index 5e62e8ef..375bed97 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome go 1.20 require ( - github.com/AdguardTeam/dnsproxy v0.57.3 + github.com/AdguardTeam/dnsproxy v0.58.0 github.com/AdguardTeam/golibs v0.17.2 github.com/AdguardTeam/urlfilter v0.17.3 github.com/NYTimes/gziphandler v1.1.1 diff --git a/go.sum b/go.sum index aa43d0dd..dcb90678 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -github.com/AdguardTeam/dnsproxy v0.57.3 h1:0v7D+LQrOL2k2fvkG3Ft3Cn3ayUsvAdlOlJR+gLxSGA= -github.com/AdguardTeam/dnsproxy v0.57.3/go.mod h1:ZvkbM71HwpilgkCnTubDiR4Ba6x5Qvnhy2iasMWaTDM= +github.com/AdguardTeam/dnsproxy v0.58.0 h1:1zPmDYWIc60D5Mn2idt3TcH+CQzKBvkWzJ5/u49wraw= +github.com/AdguardTeam/dnsproxy v0.58.0/go.mod h1:ZvkbM71HwpilgkCnTubDiR4Ba6x5Qvnhy2iasMWaTDM= github.com/AdguardTeam/golibs v0.17.2 h1:vg6wHMjUKscnyPGRvxS5kAt7Uw4YxcJiITZliZ476W8= github.com/AdguardTeam/golibs v0.17.2/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U= github.com/AdguardTeam/urlfilter v0.17.3 h1:fg/ObbnO0Cv6aw0tW6N/ETDMhhNvmcUUOZ7HlmKC3rw= diff --git a/internal/aghnet/hostscontainer.go b/internal/aghnet/hostscontainer.go index 0d9a4bcc..e27b115f 100644 --- a/internal/aghnet/hostscontainer.go +++ b/internal/aghnet/hostscontainer.go @@ -1,14 +1,17 @@ package aghnet import ( + "context" "fmt" "io" "io/fs" "net/netip" "path" + "strings" "sync/atomic" "github.com/AdguardTeam/AdGuardHome/internal/aghos" + "github.com/AdguardTeam/dnsproxy/upstream" "github.com/AdguardTeam/golibs/errors" "github.com/AdguardTeam/golibs/hostsfile" "github.com/AdguardTeam/golibs/log" @@ -141,13 +144,9 @@ func NewHostsContainer( func (hc *HostsContainer) Close() (err error) { log.Debug("%s: closing", hostsContainerPrefix) - err = hc.watcher.Close() - if err != nil { - err = fmt.Errorf("closing fs watcher: %w", err) - - // Go on and close the container either way. - } + err = errors.Annotate(hc.watcher.Close(), "closing fs watcher: %w") + // Go on and close the container either way. close(hc.done) return err @@ -319,3 +318,39 @@ func (hc *HostsContainer) refresh() (err error) { return nil } + +// type check +var _ upstream.Resolver = (*HostsContainer)(nil) + +// LookupNetIP implements the [upstream.Resolver] interface for *HostsContainer. +func (hc *HostsContainer) LookupNetIP( + ctx context.Context, + network string, + hostname string, +) (addrs []netip.Addr, err error) { + // TODO(e.burkov): Think of extracting this logic to a golibs function if + // needed anywhere else. + var isDesiredProto func(ip netip.Addr) (ok bool) + switch network { + case "ip4": + isDesiredProto = (netip.Addr).Is4 + case "ip6": + isDesiredProto = (netip.Addr).Is6 + case "ip": + isDesiredProto = func(ip netip.Addr) (ok bool) { return true } + default: + return nil, fmt.Errorf("unsupported network: %q", network) + } + + idx := hc.current.Load() + recs := idx.names[strings.ToLower(hostname)] + + addrs = make([]netip.Addr, 0, len(recs)) + for _, rec := range recs { + if isDesiredProto(rec.Addr) { + addrs = append(addrs, rec.Addr) + } + } + + return slices.Clip(addrs), nil +} diff --git a/internal/aghnet/net.go b/internal/aghnet/net.go index a0489dd8..ac9fb7bd 100644 --- a/internal/aghnet/net.go +++ b/internal/aghnet/net.go @@ -10,9 +10,11 @@ import ( "net" "net/netip" "net/url" + "strings" "syscall" "github.com/AdguardTeam/AdGuardHome/internal/aghos" + "github.com/AdguardTeam/dnsproxy/upstream" "github.com/AdguardTeam/golibs/errors" "github.com/AdguardTeam/golibs/log" ) @@ -307,6 +309,50 @@ func ParseAddrPort(s string, defaultPort uint16) (ipp netip.AddrPort, err error) return ipp, nil } +// ParseSubnet parses s either as a CIDR prefix itself, or as an IP address, +// returning the corresponding single-IP CIDR prefix. +// +// TODO(e.burkov): Taken from dnsproxy, move to golibs. +func ParseSubnet(s string) (p netip.Prefix, err error) { + if strings.Contains(s, "/") { + p, err = netip.ParsePrefix(s) + if err != nil { + return netip.Prefix{}, err + } + } else { + var ip netip.Addr + ip, err = netip.ParseAddr(s) + if err != nil { + return netip.Prefix{}, err + } + + p = netip.PrefixFrom(ip, ip.BitLen()) + } + + return p, nil +} + +// ParseBootstraps returns the slice of upstream resolvers parsed from addrs. +// It additionally returns the closers for each resolver, that should be closed +// after use. +func ParseBootstraps( + addrs []string, + opts *upstream.Options, +) (boots []*upstream.UpstreamResolver, err error) { + boots = make([]*upstream.UpstreamResolver, 0, len(boots)) + for i, b := range addrs { + var r *upstream.UpstreamResolver + r, err = upstream.NewUpstreamResolver(b, opts) + if err != nil { + return nil, fmt.Errorf("bootstrap at index %d: %w", i, err) + } + + boots = append(boots, r) + } + + return boots, nil +} + // BroadcastFromPref calculates the broadcast IP address for p. func BroadcastFromPref(p netip.Prefix) (bc netip.Addr) { bc = p.Addr().Unmap() diff --git a/internal/aghtest/interface.go b/internal/aghtest/interface.go index 10789d8e..3d88f0c1 100644 --- a/internal/aghtest/interface.go +++ b/internal/aghtest/interface.go @@ -11,6 +11,7 @@ import ( "github.com/AdguardTeam/AdGuardHome/internal/next/agh" "github.com/AdguardTeam/AdGuardHome/internal/rdns" "github.com/AdguardTeam/AdGuardHome/internal/whois" + "github.com/AdguardTeam/dnsproxy/proxy" "github.com/AdguardTeam/dnsproxy/upstream" "github.com/miekg/dns" ) @@ -116,6 +117,26 @@ func (p *AddressUpdater) UpdateAddress(ip netip.Addr, host string, info *whois.I p.OnUpdateAddress(ip, host, info) } +// Package dnsforward + +// ClientsContainer is a fake [dnsforward.ClientsContainer] implementation for +// tests. +type ClientsContainer struct { + OnUpstreamConfigByID func( + id string, + boot upstream.Resolver, + ) (conf *proxy.UpstreamConfig, err error) +} + +// UpstreamConfigByID implements the [dnsforward.ClientsContainer] interface +// for *ClientsContainer. +func (c *ClientsContainer) UpstreamConfigByID( + id string, + boot upstream.Resolver, +) (conf *proxy.UpstreamConfig, err error) { + return c.OnUpstreamConfigByID(id, boot) +} + // Package filtering // Resolver is a fake [filtering.Resolver] implementation for tests. diff --git a/internal/aghtest/interface_test.go b/internal/aghtest/interface_test.go index a17c5e67..c1a376ba 100644 --- a/internal/aghtest/interface_test.go +++ b/internal/aghtest/interface_test.go @@ -2,6 +2,7 @@ package aghtest_test import ( "github.com/AdguardTeam/AdGuardHome/internal/aghtest" + "github.com/AdguardTeam/AdGuardHome/internal/dnsforward" "github.com/AdguardTeam/AdGuardHome/internal/filtering" ) @@ -9,3 +10,6 @@ import ( // type check var _ filtering.Resolver = (*aghtest.Resolver)(nil) + +// type check +var _ dnsforward.ClientsContainer = (*aghtest.ClientsContainer)(nil) diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go index 32a0d52a..0947bf8f 100644 --- a/internal/dnsforward/config.go +++ b/internal/dnsforward/config.go @@ -27,6 +27,16 @@ import ( "golang.org/x/exp/slices" ) +// ClientsContainer provides information about preconfigured DNS clients. +type ClientsContainer interface { + // UpstreamConfigByID returns the custom upstream configuration for the + // client having id, using boot to initialize the one if necessary. It + // returns nil if there is no custom upstream configuration for the client. + // The id is expected to be either a string representation of an IP address + // or the ClientID. + UpstreamConfigByID(id string, boot upstream.Resolver) (conf *proxy.UpstreamConfig, err error) +} + // Config represents the DNS filtering configuration of AdGuard Home. The zero // Config is empty and ready for use. type Config struct { @@ -35,10 +45,9 @@ type Config struct { // FilterHandler is an optional additional filtering callback. FilterHandler func(cliAddr netip.Addr, clientID string, settings *filtering.Settings) `yaml:"-"` - // GetCustomUpstreamByClient is a callback that returns upstreams - // configuration based on the client IP address or ClientID. It returns - // nil if there are no custom upstreams for the client. - GetCustomUpstreamByClient func(id string) (conf *proxy.UpstreamConfig, err error) `yaml:"-"` + // ClientsContainer stores the information about special handling of some + // DNS clients. + ClientsContainer ClientsContainer `yaml:"-"` // Anti-DNS amplification @@ -323,8 +332,8 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) { ) for i, s := range srvConf.BogusNXDomain { - var subnet *net.IPNet - subnet, err = netutil.ParseSubnet(s) + var subnet netip.Prefix + subnet, err = aghnet.ParseSubnet(s) if err != nil { log.Error("subnet at index %d: %s", i, err) @@ -423,10 +432,7 @@ func collectListenAddr( // collectDNSAddrs returns configured set of listening addresses. It also // returns a set of ports of each unspecified listening address. -func (conf *ServerConfig) collectDNSAddrs() ( - addrs map[netip.AddrPort]unit, - unspecPorts map[uint16]unit, -) { +func (conf *ServerConfig) collectDNSAddrs() (addrs mapAddrPortSet, unspecPorts map[uint16]unit) { // TODO(e.burkov): Perhaps, we shouldn't allocate as much memory, since the // TCP and UDP listening addresses are currently the same. addrs = make(map[netip.AddrPort]unit, len(conf.TCPListenAddrs)+len(conf.UDPListenAddrs)) @@ -446,20 +452,64 @@ func (conf *ServerConfig) collectDNSAddrs() ( // defaultPlainDNSPort is the default port for plain DNS. const defaultPlainDNSPort uint16 = 53 -// addrPortMatcher is a function that matches an IP address with port. -type addrPortMatcher func(addr netip.AddrPort) (ok bool) +// addrPortSet is a set of [netip.AddrPort] values. +type addrPortSet interface { + // Has returns true if addrPort is in the set. + Has(addrPort netip.AddrPort) (ok bool) +} + +// type check +var _ addrPortSet = emptyAddrPortSet{} + +// emptyAddrPortSet is the [addrPortSet] containing no values. +type emptyAddrPortSet struct{} + +// Has implements the [addrPortSet] interface for [emptyAddrPortSet]. +func (emptyAddrPortSet) Has(_ netip.AddrPort) (ok bool) { return false } + +// mapAddrPortSet is the [addrPortSet] containing values of [netip.AddrPort] as +// keys of a map. +type mapAddrPortSet map[netip.AddrPort]unit + +// type check +var _ addrPortSet = mapAddrPortSet{} + +// Has implements the [addrPortSet] interface for [mapAddrPortSet]. +func (m mapAddrPortSet) Has(addrPort netip.AddrPort) (ok bool) { + _, ok = m[addrPort] + + return ok +} + +// combinedAddrPortSet is the [addrPortSet] defined by some IP addresses along +// with ports, any combination of which is considered being in the set. +type combinedAddrPortSet struct { + // TODO(e.burkov): Use sorted slices in combination with binary search. + ports map[uint16]unit + addrs []netip.Addr +} + +// type check +var _ addrPortSet = (*combinedAddrPortSet)(nil) + +// Has implements the [addrPortSet] interface for [*combinedAddrPortSet]. +func (m *combinedAddrPortSet) Has(addrPort netip.AddrPort) (ok bool) { + _, ok = m.ports[addrPort.Port()] + + return ok && slices.Contains(m.addrs, addrPort.Addr()) +} // filterOut filters out all the upstreams that match um. It returns all the // closing errors joined. -func (m addrPortMatcher) filterOut(upsConf *proxy.UpstreamConfig) (err error) { +func filterOutAddrs(upsConf *proxy.UpstreamConfig, set addrPortSet) (err error) { var errs []error delFunc := func(u upstream.Upstream) (ok bool) { // TODO(e.burkov): We should probably consider the protocol of u to // only filter out the listening addresses of the same protocol. addr, parseErr := aghnet.ParseAddrPort(u.Address(), defaultPlainDNSPort) - if parseErr != nil || !m(addr) { + if parseErr != nil || !set.Has(addr) { // Don't filter out the upstream if it either cannot be parsed, or - // does not match um. + // does not match m. return false } @@ -479,26 +529,20 @@ func (m addrPortMatcher) filterOut(upsConf *proxy.UpstreamConfig) (err error) { return errors.Join(errs...) } -// ourAddrsMatcher returns a matcher that matches all the configured listening +// ourAddrsSet returns an addrPortSet that contains all the configured listening // addresses. -func (conf *ServerConfig) ourAddrsMatcher() (m addrPortMatcher, err error) { +func (conf *ServerConfig) ourAddrsSet() (m addrPortSet, err error) { addrs, unspecPorts := conf.collectDNSAddrs() - if len(addrs) == 0 { + switch { + case len(addrs) == 0: log.Debug("dnsforward: no listen addresses") - // Match no addresses. - return func(_ netip.AddrPort) (ok bool) { return false }, nil - } - - if len(unspecPorts) == 0 { + return emptyAddrPortSet{}, nil + case len(unspecPorts) == 0: log.Debug("dnsforward: filtering out addresses %s", addrs) - m = func(a netip.AddrPort) (ok bool) { - _, ok = addrs[a] - - return ok - } - } else { + return addrs, nil + default: var ifaceAddrs []netip.Addr ifaceAddrs, err = aghnet.CollectAllIfacesAddrs() if err != nil { @@ -508,16 +552,11 @@ func (conf *ServerConfig) ourAddrsMatcher() (m addrPortMatcher, err error) { log.Debug("dnsforward: filtering out addresses %s on ports %d", ifaceAddrs, unspecPorts) - m = func(a netip.AddrPort) (ok bool) { - if _, ok = unspecPorts[a.Port()]; ok { - return slices.Contains(ifaceAddrs, a.Addr()) - } - - return false - } + return &combinedAddrPortSet{ + ports: unspecPorts, + addrs: ifaceAddrs, + }, nil } - - return m, nil } // prepareTLS - prepares TLS configuration for the DNS proxy @@ -574,7 +613,7 @@ func (s *Server) prepareTLS(proxyConfig *proxy.Config) (err error) { // isWildcard returns true if host is a wildcard hostname. func isWildcard(host string) (ok bool) { - return len(host) >= 2 && host[0] == '*' && host[1] == '.' + return strings.HasPrefix(host, "*.") } // matchesDomainWildcard returns true if host matches the domain wildcard diff --git a/internal/dnsforward/dnsforward.go b/internal/dnsforward/dnsforward.go index d4c61205..1fa7979e 100644 --- a/internal/dnsforward/dnsforward.go +++ b/internal/dnsforward/dnsforward.go @@ -3,6 +3,7 @@ package dnsforward import ( "fmt" + "io" "net" "net/http" "net/netip" @@ -135,8 +136,21 @@ type Server struct { // PTR resolving. sysResolvers SystemResolvers - // recDetector is a cache for recursive requests. It is used to detect - // and prevent recursive requests only for private upstreams. + // etcHosts contains the data from the system's hosts files. + etcHosts upstream.Resolver + + // bootstrap is the resolver for upstreams' hostnames. + bootstrap upstream.Resolver + + // bootResolvers are the resolvers that should be used for + // bootstrapping along with [etcHosts]. + // + // TODO(e.burkov): Use [proxy.UpstreamConfig] when it will implement the + // [upstream.Resolver] interface. + bootResolvers []*upstream.UpstreamResolver + + // recDetector is a cache for recursive requests. It is used to detect and + // prevent recursive requests only for private upstreams. // // See https://github.com/adguardTeam/adGuardHome/issues/3185#issuecomment-851048135. recDetector *recursionDetector @@ -153,8 +167,8 @@ type Server struct { // during the BeforeRequestHandler stage. clientIDCache cache.Cache - // DNS proxy instance for internal usage - // We don't Start() it and so no listen port is required. + // internalProxy resolves internal requests from the application itself. It + // isn't started and so no listen ports are required. internalProxy *proxy.Proxy // isRunning is true if the DNS server is running. @@ -185,6 +199,7 @@ type DNSCreateParams struct { DHCPServer DHCP PrivateNets netutil.SubnetSet Anonymizer *aghnet.IPMut + EtcHosts *aghnet.HostsContainer LocalDomain string } @@ -224,6 +239,7 @@ func NewServer(p DNSCreateParams) (s *Server, err error) { privateNets: p.PrivateNets, // TODO(e.burkov): Use some case-insensitive string comparison. localDomainSuffix: strings.ToLower(localDomainSuffix), + etcHosts: p.EtcHosts, recDetector: newRecursionDetector(recursionTTL, cachedRecurrentReqNum), clientIDCache: cache.New(cache.Config{ EnableLRU: true, @@ -421,7 +437,7 @@ func hostFromPTR(resp *dns.Msg) (host string, ttl time.Duration, err error) { return "", 0, ErrRDNSNoData } -// Start starts the DNS server. +// Start starts the DNS server. It must only be called after [Server.Prepare]. func (s *Server) Start() error { s.serverLock.Lock() defer s.serverLock.Unlock() @@ -429,12 +445,14 @@ func (s *Server) Start() error { return s.startLocked() } -// startLocked starts the DNS server without locking. For internal use only. +// startLocked starts the DNS server without locking. s.serverLock is expected +// to be locked. func (s *Server) startLocked() error { err := s.dnsProxy.Start() if err == nil { s.isRunning = true } + return err } @@ -443,21 +461,20 @@ func (s *Server) startLocked() error { // faster than ordinary upstreams. const defaultLocalTimeout = 1 * time.Second -// setupLocalResolvers initializes the resolvers for local addresses. For -// internal use only. -func (s *Server) setupLocalResolvers() (err error) { - matcher, err := s.conf.ourAddrsMatcher() +// setupLocalResolvers initializes the resolvers for local addresses. It +// assumes s.serverLock is locked or the Server not running. +func (s *Server) setupLocalResolvers(boot upstream.Resolver) (err error) { + set, err := s.conf.ourAddrsSet() if err != nil { // Don't wrap the error because it's informative enough as is. return err } - bootstraps := s.conf.BootstrapDNS resolvers := s.conf.LocalPTRResolvers filterConfig := false if len(resolvers) == 0 { - sysResolvers := slices.DeleteFunc(s.sysResolvers.Addrs(), matcher) + sysResolvers := slices.DeleteFunc(slices.Clone(s.sysResolvers.Addrs()), set.Has) resolvers = make([]string, 0, len(sysResolvers)) for _, r := range sysResolvers { resolvers = append(resolvers, r.String()) @@ -470,7 +487,7 @@ func (s *Server) setupLocalResolvers() (err error) { log.Debug("dnsforward: upstreams to resolve ptr for local addresses: %v", resolvers) uc, err := s.prepareUpstreamConfig(resolvers, nil, &upstream.Options{ - Bootstrap: bootstraps, + Bootstrap: boot, Timeout: defaultLocalTimeout, // TODO(e.burkov): Should we verify server's certificates? PreferIPv6: s.conf.BootstrapPreferIPv6, @@ -480,7 +497,7 @@ func (s *Server) setupLocalResolvers() (err error) { } if filterConfig { - if err = matcher.filterOut(uc); err != nil { + if err = filterOutAddrs(uc, set); err != nil { return fmt.Errorf("filtering private upstreams: %w", err) } } @@ -491,6 +508,7 @@ func (s *Server) setupLocalResolvers() (err error) { }, } + // TODO(e.burkov): Should we also consider the DNS64 usage? if s.conf.UsePrivateRDNS && // Only set the upstream config if there are any upstreams. It's safe // to put nil into [proxy.Config.PrivateRDNSUpstreamConfig]. @@ -517,31 +535,19 @@ func (s *Server) Prepare(conf *ServerConfig) (err error) { s.initDefaultSettings() - err = s.prepareIpsetListSettings() - if err != nil { - // Don't wrap the error, because it's informative enough as is. - return fmt.Errorf("preparing ipset settings: %w", err) - } - - err = s.prepareUpstreamSettings() + boot, err := s.prepareInternalDNS() if err != nil { // Don't wrap the error, because it's informative enough as is. return err } - var proxyConfig proxy.Config - proxyConfig, err = s.createProxyConfig() + proxyConfig, err := s.createProxyConfig() if err != nil { return fmt.Errorf("preparing proxy: %w", err) } s.setupDNS64() - err = s.prepareInternalProxy() - if err != nil { - return fmt.Errorf("preparing internal proxy: %w", err) - } - s.access, err = newAccessCtx( s.conf.AllowedClients, s.conf.DisallowedClients, @@ -556,7 +562,7 @@ func (s *Server) Prepare(conf *ServerConfig) (err error) { // TODO(e.burkov): Remove once the local resolvers logic moved to dnsproxy. s.dnsProxy = &proxy.Proxy{Config: proxyConfig} - err = s.setupLocalResolvers() + err = s.setupLocalResolvers(boot) if err != nil { return fmt.Errorf("setting up resolvers: %w", err) } @@ -575,6 +581,38 @@ func (s *Server) Prepare(conf *ServerConfig) (err error) { return nil } +// prepareInternalDNS initializes the internal state of s before initializing +// the primary DNS proxy instance. It assumes s.serverLock is locked or the +// Server not running. +func (s *Server) prepareInternalDNS() (boot upstream.Resolver, err error) { + err = s.prepareIpsetListSettings() + if err != nil { + return nil, fmt.Errorf("preparing ipset settings: %w", err) + } + + s.bootstrap, s.bootResolvers, err = s.createBootstrap(s.conf.BootstrapDNS, &upstream.Options{ + Timeout: DefaultTimeout, + HTTPVersions: UpstreamHTTPVersions(s.conf.UseHTTP3Upstreams), + }) + if err != nil { + // Don't wrap the error, because it's informative enough as is. + return nil, err + } + + err = s.prepareUpstreamSettings(boot) + if err != nil { + // Don't wrap the error, because it's informative enough as is. + return s.bootstrap, err + } + + err = s.prepareInternalProxy() + if err != nil { + return s.bootstrap, fmt.Errorf("preparing internal proxy: %w", err) + } + + return s.bootstrap, nil +} + // setupFallbackDNS initializes the fallback DNS servers. func (s *Server) setupFallbackDNS() (err error) { fallbacks := s.conf.FallbackDNS @@ -598,7 +636,8 @@ func (s *Server) setupFallbackDNS() (err error) { return nil } -// setupAddrProc initializes the address processor. For internal use only. +// setupAddrProc initializes the address processor. It assumes s.serverLock is +// locked or the Server not running. func (s *Server) setupAddrProc() { // TODO(a.garipov): This is a crutch for tests; remove. if s.conf.AddrProcConf == nil { @@ -687,7 +726,8 @@ func (s *Server) Stop() error { return s.stopLocked() } -// stopLocked stops the DNS server without locking. For internal use only. +// stopLocked stops the DNS server without locking. s.serverLock is expected to +// be locked. func (s *Server) stopLocked() (err error) { // TODO(e.burkov, a.garipov): Return critical errors, not just log them. // This will require filtering all the non-critical errors in @@ -700,18 +740,11 @@ func (s *Server) stopLocked() (err error) { } } - if upsConf := s.internalProxy.UpstreamConfig; upsConf != nil { - err = upsConf.Close() - if err != nil { - log.Error("dnsforward: closing internal resolvers: %s", err) - } - } + logCloserErr(s.internalProxy.UpstreamConfig, "dnsforward: closing internal resolvers: %s") + logCloserErr(s.localResolvers.UpstreamConfig, "dnsforward: closing local resolvers: %s") - if upsConf := s.localResolvers.UpstreamConfig; upsConf != nil { - err = upsConf.Close() - if err != nil { - log.Error("dnsforward: closing local resolvers: %s", err) - } + for _, b := range s.bootResolvers { + logCloserErr(b, "dnsforward: closing bootstrap %s: %s", b.Address()) } s.isRunning = false @@ -719,6 +752,18 @@ func (s *Server) stopLocked() (err error) { return nil } +// logCloserErr logs the error returned by c, if any. +func logCloserErr(c io.Closer, format string, args ...any) { + if c == nil { + return + } + + err := c.Close() + if err != nil { + log.Error(format, append(args, err)...) + } +} + // IsRunning returns true if the DNS server is running. func (s *Server) IsRunning() bool { s.serverLock.RLock() diff --git a/internal/dnsforward/dnsforward_test.go b/internal/dnsforward/dnsforward_test.go index f315a661..2b52aba0 100644 --- a/internal/dnsforward/dnsforward_test.go +++ b/internal/dnsforward/dnsforward_test.go @@ -656,17 +656,20 @@ func TestServerCustomClientUpstream(t *testing.T) { s := createTestServer(t, &filtering.Config{ BlockingMode: filtering.BlockingModeDefault, }, forwardConf, nil) - s.conf.GetCustomUpstreamByClient = func(_ string) (conf *proxy.UpstreamConfig, err error) { - ups := aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) { - return aghalg.Coalesce( - aghtest.MatchedResponse(req, dns.TypeA, "host", "192.168.0.1"), - new(dns.Msg).SetRcode(req, dns.RcodeNameError), - ), nil - }) - return &proxy.UpstreamConfig{ - Upstreams: []upstream.Upstream{ups}, - }, nil + ups := aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) { + return aghalg.Coalesce( + aghtest.MatchedResponse(req, dns.TypeA, "host", "192.168.0.1"), + new(dns.Msg).SetRcode(req, dns.RcodeNameError), + ), nil + }) + s.conf.ClientsContainer = &aghtest.ClientsContainer{ + OnUpstreamConfigByID: func( + _ string, + _ upstream.Resolver, + ) (conf *proxy.UpstreamConfig, err error) { + return &proxy.UpstreamConfig{Upstreams: []upstream.Upstream{ups}}, nil + }, } startDeferStop(t, s) diff --git a/internal/dnsforward/http.go b/internal/dnsforward/http.go index 816e7aff..53874578 100644 --- a/internal/dnsforward/http.go +++ b/internal/dnsforward/http.go @@ -4,6 +4,7 @@ import ( "encoding/json" "fmt" "io" + "net" "net/http" "net/netip" "strings" @@ -197,13 +198,13 @@ func (s *Server) getDNSConfig() (c *jsonDNSConfig) { // defaultLocalPTRUpstreams returns the list of default local PTR resolvers // filtered of AdGuard Home's own DNS server addresses. It may appear empty. func (s *Server) defaultLocalPTRUpstreams() (ups []string, err error) { - matcher, err := s.conf.ourAddrsMatcher() + matcher, err := s.conf.ourAddrsSet() if err != nil { // Don't wrap the error because it's informative enough as is. return nil, err } - sysResolvers := slices.DeleteFunc(s.sysResolvers.Addrs(), matcher) + sysResolvers := slices.DeleteFunc(s.sysResolvers.Addrs(), matcher.Has) ups = make([]string, 0, len(sysResolvers)) for _, r := range sysResolvers { ups = append(ups, r.String()) @@ -575,7 +576,7 @@ func newUpstreamConfig(upstreams []string) (conf *proxy.UpstreamConfig, err erro conf, err = proxy.ParseUpstreamsConfig( upstreams, &upstream.Options{ - Bootstrap: []string{}, + Bootstrap: net.DefaultResolver, Timeout: DefaultTimeout, }, ) @@ -890,22 +891,11 @@ func (s *Server) checkUpstreamAddr( } }() - opts = &upstream.Options{ + u, err := upstream.AddressToUpstream(addr, &upstream.Options{ Bootstrap: opts.Bootstrap, Timeout: opts.Timeout, PreferIPv6: opts.PreferIPv6, - } - - // dnsFilter can be nil during application update. - if s.dnsFilter != nil { - recs := s.dnsFilter.EtcHostsRecords(extractUpstreamHost(addr)) - for _, rec := range recs { - opts.ServerIPAddrs = append(opts.ServerIPAddrs, rec.Addr.AsSlice()) - } - sortNetIPAddrs(opts.ServerIPAddrs, opts.PreferIPv6) - } - - u, err := upstream.AddressToUpstream(addr, opts) + }) if err != nil { return fmt.Errorf("creating upstream for %q: %w", addr, err) } @@ -915,6 +905,13 @@ func (s *Server) checkUpstreamAddr( return check(u) } +// closeBoots closes all the provided bootstrap servers and logs errors if any. +func closeBoots(boots []*upstream.UpstreamResolver) { + for _, c := range boots { + logCloserErr(c, "dnsforward: closing bootstrap %s: %s", c.Address()) + } +} + // handleTestUpstreamDNS handles requests to the POST /control/test_upstream_dns // endpoint. func (s *Server) handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) { @@ -929,15 +926,21 @@ func (s *Server) handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) { req.Upstreams = stringutil.FilterOut(req.Upstreams, IsCommentOrEmpty) req.FallbackDNS = stringutil.FilterOut(req.FallbackDNS, IsCommentOrEmpty) req.PrivateUpstreams = stringutil.FilterOut(req.PrivateUpstreams, IsCommentOrEmpty) + req.BootstrapDNS = stringutil.FilterOut(req.BootstrapDNS, IsCommentOrEmpty) opts := &upstream.Options{ - Bootstrap: req.BootstrapDNS, Timeout: s.conf.UpstreamTimeout, PreferIPv6: s.conf.BootstrapPreferIPv6, } - if len(opts.Bootstrap) == 0 { - opts.Bootstrap = defaultBootstrap + + var boots []*upstream.UpstreamResolver + opts.Bootstrap, boots, err = s.createBootstrap(req.BootstrapDNS, opts) + if err != nil { + aghhttp.Error(r, w, http.StatusBadRequest, "Failed to parse bootstrap servers: %s", err) + + return } + defer closeBoots(boots) wg := &sync.WaitGroup{} m := &sync.Map{} diff --git a/internal/dnsforward/http_test.go b/internal/dnsforward/http_test.go index 2beed7f6..99b03786 100644 --- a/internal/dnsforward/http_test.go +++ b/internal/dnsforward/http_test.go @@ -223,7 +223,7 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) { `upstream servers: validating upstream "!!!": not an ip:port`, }, { name: "bootstraps_bad", - wantSet: `validating dns config: checking bootstrap a: invalid address: bootstrap a:53: ` + + wantSet: `validating dns config: checking bootstrap a: invalid address: not a bootstrap: ` + `ParseAddr("a"): unable to parse IP`, }, { name: "cache_bad_ttl", @@ -534,6 +534,7 @@ func TestServer_HandleTestUpstreamDNS(t *testing.T) { EDNSClientSubnet: &EDNSClientSubnet{Enabled: false}, }, }, nil) + srv.etcHosts = hc startDeferStop(t, srv) testCases := []struct { diff --git a/internal/dnsforward/process.go b/internal/dnsforward/process.go index 0b572d8b..11e7459d 100644 --- a/internal/dnsforward/process.go +++ b/internal/dnsforward/process.go @@ -831,14 +831,13 @@ func (s *Server) dhcpHostFromRequest(q *dns.Question) (reqHost string) { // setCustomUpstream sets custom upstream settings in pctx, if necessary. func (s *Server) setCustomUpstream(pctx *proxy.DNSContext, clientID string) { - customUpsByClient := s.conf.GetCustomUpstreamByClient - if pctx.Addr == nil || customUpsByClient == nil { + if pctx.Addr == nil || s.conf.ClientsContainer == nil { return } // Use the ClientID first, since it has a higher priority. id := stringutil.Coalesce(clientID, ipStringFromAddr(pctx.Addr)) - upsConf, err := customUpsByClient(id) + upsConf, err := s.conf.ClientsContainer.UpstreamConfigByID(id, s.bootstrap) if err != nil { log.Error("dnsforward: getting custom upstreams for client %s: %s", id, err) @@ -847,9 +846,9 @@ func (s *Server) setCustomUpstream(pctx *proxy.DNSContext, clientID string) { if upsConf != nil { log.Debug("dnsforward: using custom upstreams for client %s", id) - } - pctx.CustomUpstreamConfig = upsConf + pctx.CustomUpstreamConfig = upsConf + } } // Apply filtering logic after we have received response from upstream servers diff --git a/internal/dnsforward/upstreams.go b/internal/dnsforward/upstreams.go index f30dce69..e71a9672 100644 --- a/internal/dnsforward/upstreams.go +++ b/internal/dnsforward/upstreams.go @@ -1,21 +1,15 @@ package dnsforward import ( - "bytes" "fmt" - "net" - "net/url" "os" - "strings" "time" + "github.com/AdguardTeam/AdGuardHome/internal/aghnet" "github.com/AdguardTeam/dnsproxy/proxy" "github.com/AdguardTeam/dnsproxy/upstream" "github.com/AdguardTeam/golibs/log" - "github.com/AdguardTeam/golibs/netutil" "github.com/AdguardTeam/golibs/stringutil" - "golang.org/x/exp/maps" - "golang.org/x/exp/slices" ) // loadUpstreams parses upstream DNS servers from the configured file or from @@ -39,7 +33,7 @@ func (s *Server) loadUpstreams() (upstreams []string, err error) { } // prepareUpstreamSettings sets upstream DNS server settings. -func (s *Server) prepareUpstreamSettings() (err error) { +func (s *Server) prepareUpstreamSettings(boot upstream.Resolver) (err error) { // Load upstreams either from the file, or from the settings var upstreams []string upstreams, err = s.loadUpstreams() @@ -48,7 +42,7 @@ func (s *Server) prepareUpstreamSettings() (err error) { } s.conf.UpstreamConfig, err = s.prepareUpstreamConfig(upstreams, defaultDNS, &upstream.Options{ - Bootstrap: s.conf.BootstrapDNS, + Bootstrap: boot, Timeout: s.conf.UpstreamTimeout, HTTPVersions: UpstreamHTTPVersions(s.conf.UseHTTP3Upstreams), PreferIPv6: s.conf.BootstrapPreferIPv6, @@ -92,178 +86,9 @@ func (s *Server) prepareUpstreamConfig( uc.Upstreams = defaultUpstreamConfig.Upstreams } - // dnsFilter can be nil during application update. - if s.dnsFilter != nil { - err = s.replaceUpstreamsWithHosts(uc, opts) - if err != nil { - return nil, fmt.Errorf("resolving upstreams with hosts: %w", err) - } - } - return uc, nil } -// replaceUpstreamsWithHosts replaces unique upstreams with their resolved -// versions based on the system hosts file. -// -// TODO(e.burkov): This should be performed inside dnsproxy, which should -// actually consider /etc/hosts. See TODO on [aghnet.HostsContainer]. -func (s *Server) replaceUpstreamsWithHosts( - upsConf *proxy.UpstreamConfig, - opts *upstream.Options, -) (err error) { - resolved := map[string]*upstream.Options{} - - err = s.resolveUpstreamsWithHosts(resolved, upsConf.Upstreams, opts) - if err != nil { - return fmt.Errorf("resolving upstreams: %w", err) - } - - hosts := maps.Keys(upsConf.DomainReservedUpstreams) - // TODO(e.burkov): Think of extracting sorted range into an util function. - slices.Sort(hosts) - for _, host := range hosts { - err = s.resolveUpstreamsWithHosts(resolved, upsConf.DomainReservedUpstreams[host], opts) - if err != nil { - return fmt.Errorf("resolving upstreams reserved for %s: %w", host, err) - } - } - - hosts = maps.Keys(upsConf.SpecifiedDomainUpstreams) - slices.Sort(hosts) - for _, host := range hosts { - err = s.resolveUpstreamsWithHosts(resolved, upsConf.SpecifiedDomainUpstreams[host], opts) - if err != nil { - return fmt.Errorf("resolving upstreams specific for %s: %w", host, err) - } - } - - return nil -} - -// resolveUpstreamsWithHosts resolves the IP addresses of each of the upstreams -// and replaces those both in upstreams and resolved. Upstreams that failed to -// resolve are placed to resolved as-is. This function only returns error of -// upstreams closing. -func (s *Server) resolveUpstreamsWithHosts( - resolved map[string]*upstream.Options, - upstreams []upstream.Upstream, - opts *upstream.Options, -) (err error) { - for i := range upstreams { - u := upstreams[i] - addr := u.Address() - host := extractUpstreamHost(addr) - - withIPs, ok := resolved[host] - if !ok { - recs := s.dnsFilter.EtcHostsRecords(host) - if len(recs) == 0 { - resolved[host] = nil - - return nil - } - - withIPs = opts.Clone() - withIPs.ServerIPAddrs = make([]net.IP, 0, len(recs)) - for _, rec := range recs { - withIPs.ServerIPAddrs = append(withIPs.ServerIPAddrs, rec.Addr.AsSlice()) - } - - sortNetIPAddrs(withIPs.ServerIPAddrs, opts.PreferIPv6) - resolved[host] = withIPs - } else if withIPs == nil { - continue - } - - if err = u.Close(); err != nil { - return fmt.Errorf("closing upstream %s: %w", addr, err) - } - - upstreams[i], err = upstream.AddressToUpstream(addr, withIPs) - if err != nil { - return fmt.Errorf("replacing upstream %s with resolved %s: %w", addr, host, err) - } - - log.Debug("dnsforward: using %s for %s", withIPs.ServerIPAddrs, upstreams[i].Address()) - } - - return nil -} - -// extractUpstreamHost returns the hostname of addr without port with an -// assumption that any address passed here has already been successfully parsed -// by [upstream.AddressToUpstream]. This function essentially mirrors the logic -// of [upstream.AddressToUpstream], see TODO on [replaceUpstreamsWithHosts]. -func extractUpstreamHost(addr string) (host string) { - var err error - if strings.Contains(addr, "://") { - var u *url.URL - u, err = url.Parse(addr) - if err != nil { - log.Debug("dnsforward: parsing upstream %s: %s", addr, err) - - return addr - } - - return u.Hostname() - } - - // Probably, plain UDP upstream defined by address or address:port. - host, err = netutil.SplitHost(addr) - if err != nil { - return addr - } - - return host -} - -// sortNetIPAddrs sorts addrs in accordance with the protocol preferences. -// Invalid addresses are sorted near the end. -// -// TODO(e.burkov): This function taken from dnsproxy, which also already -// contains a few similar functions. Think of moving to golibs. -func sortNetIPAddrs(addrs []net.IP, preferIPv6 bool) { - l := len(addrs) - if l <= 1 { - return - } - - slices.SortStableFunc(addrs, func(addrA, addrB net.IP) (res int) { - switch len(addrA) { - case net.IPv4len, net.IPv6len: - switch len(addrB) { - case net.IPv4len, net.IPv6len: - // Go on. - default: - return -1 - } - default: - return 1 - } - - // Treat IPv6-mapped IPv4 addresses as IPv6 addresses. - aIs4, bIs4 := addrA.To4() != nil, addrB.To4() != nil - if aIs4 == bIs4 { - return bytes.Compare(addrA, addrB) - } - - if aIs4 { - if preferIPv6 { - return 1 - } - - return -1 - } - - if preferIPv6 { - return -1 - } - - return 1 - }) -} - // UpstreamHTTPVersions returns the HTTP versions for upstream configuration // depending on configuration. func UpstreamHTTPVersions(http3 bool) (v []upstream.HTTPVersion) { @@ -295,3 +120,41 @@ func setProxyUpstreamMode( conf.UpstreamMode = proxy.UModeLoadBalance } } + +// createBootstrap returns a bootstrap resolver based on the configuration of s. +// boots are the upstream resolvers that should be closed after use. r is the +// actual bootstrap resolver, which may include the system hosts. +// +// TODO(e.burkov): This function currently returns a resolver and a slice of +// the upstream resolvers, which are essentially the same. boots are returned +// for being able to close them afterwards, but it introduces an implicit +// contract that r could only be used before that. Anyway, this code should +// improve when the [proxy.UpstreamConfig] will become an [upstream.Resolver] +// and be used here. +func (s *Server) createBootstrap( + addrs []string, + opts *upstream.Options, +) (r upstream.Resolver, boots []*upstream.UpstreamResolver, err error) { + if len(addrs) == 0 { + addrs = defaultBootstrap + } + + boots, err = aghnet.ParseBootstraps(addrs, opts) + if err != nil { + // Don't wrap the error, since it's informative enough as is. + return nil, nil, err + } + + var parallel upstream.ParallelResolver + for _, b := range boots { + parallel = append(parallel, b) + } + + if s.etcHosts != nil { + r = upstream.ConsequentResolver{s.etcHosts, parallel} + } else { + r = parallel + } + + return r, boots, nil +} diff --git a/internal/filtering/filtering.go b/internal/filtering/filtering.go index 6fae9c60..703f6c71 100644 --- a/internal/filtering/filtering.go +++ b/internal/filtering/filtering.go @@ -98,6 +98,8 @@ type Config struct { // EtcHosts is a container of IP-hostname pairs taken from the operating // system configuration files (e.g. /etc/hosts). + // + // TODO(e.burkov): Move it to dnsforward entirely. EtcHosts *aghnet.HostsContainer `yaml:"-"` // Called when the configuration is changed by HTTP request diff --git a/internal/home/clients.go b/internal/home/clients.go index 68e0b7d1..d9f5dcd4 100644 --- a/internal/home/clients.go +++ b/internal/home/clients.go @@ -126,7 +126,13 @@ func (clients *clientsContainer) Init( return nil } - if clients.etcHosts != nil { + // The clients.etcHosts may be nil even if config.Clients.Sources.HostsFile + // is true, because of the deprecated option --no-etc-hosts. + // + // TODO(e.burkov): The option should probably be returned, since hosts file + // currently used not only for clients' information enrichment, but also in + // the filtering module and upstream addresses resolution. + if config.Clients.Sources.HostsFile && clients.etcHosts != nil { go clients.handleHostsUpdates() } @@ -419,11 +425,14 @@ func (clients *clientsContainer) shouldCountClient(ids []string) (y bool) { return true } -// findUpstreams returns upstreams configured for the client, identified either -// by its IP address or its ClientID. upsConf is nil if the client isn't found -// or if the client has no custom upstreams. -func (clients *clientsContainer) findUpstreams( +// type check +var _ dnsforward.ClientsContainer = (*clientsContainer)(nil) + +// UpstreamConfigByID implements the [dnsforward.ClientsContainer] interface for +// *clientsContainer. +func (clients *clientsContainer) UpstreamConfigByID( id string, + bootstrap upstream.Resolver, ) (upsConf *proxy.UpstreamConfig, err error) { clients.lock.Lock() defer clients.lock.Unlock() @@ -431,6 +440,8 @@ func (clients *clientsContainer) findUpstreams( c, ok := clients.findLocked(id) if !ok { return nil, nil + } else if c.upstreamConfig != nil { + return c.upstreamConfig, nil } upstreams := stringutil.FilterOut(c.Upstreams, dnsforward.IsCommentOrEmpty) @@ -438,21 +449,18 @@ func (clients *clientsContainer) findUpstreams( return nil, nil } - if c.upstreamConfig != nil { - return c.upstreamConfig, nil - } - var conf *proxy.UpstreamConfig conf, err = proxy.ParseUpstreamsConfig( upstreams, &upstream.Options{ - Bootstrap: config.DNS.BootstrapDNS, + Bootstrap: bootstrap, Timeout: config.DNS.UpstreamTimeout.Duration, HTTPVersions: dnsforward.UpstreamHTTPVersions(config.DNS.UseHTTP3Upstreams), PreferIPv6: config.DNS.BootstrapPreferIPv6, }, ) if err != nil { + // Don't wrap the error since it's informative enough as is. return nil, err } @@ -672,10 +680,6 @@ func (clients *clientsContainer) Del(name string) (ok bool) { return false } - if err := c.closeUpstreams(); err != nil { - log.Error("client container: removing client %s: %s", name, err) - } - clients.del(c) return true @@ -683,10 +687,14 @@ func (clients *clientsContainer) Del(name string) (ok bool) { // del removes c from the indexes. clients.lock is expected to be locked. func (clients *clientsContainer) del(c *Client) { - // update Name index + if err := c.closeUpstreams(); err != nil { + log.Error("client container: removing client %s: %s", c.Name, err) + } + + // Update the name index. delete(clients.list, c.Name) - // update ID index + // Update the ID index. for _, id := range c.IDs { delete(clients.idIndex, id) } diff --git a/internal/home/clients_internal_test.go b/internal/home/clients_internal_test.go index b8ef598f..2efd2d4a 100644 --- a/internal/home/clients_internal_test.go +++ b/internal/home/clients_internal_test.go @@ -355,11 +355,11 @@ func TestClientsCustomUpstream(t *testing.T) { require.NoError(t, err) assert.True(t, ok) - config, err := clients.findUpstreams("1.2.3.4") + config, err := clients.UpstreamConfigByID("1.2.3.4", net.DefaultResolver) assert.Nil(t, config) assert.NoError(t, err) - config, err = clients.findUpstreams("1.1.1.1") + config, err = clients.UpstreamConfigByID("1.1.1.1", net.DefaultResolver) require.NotNil(t, config) assert.NoError(t, err) assert.Len(t, config.Upstreams, 1) diff --git a/internal/home/dns.go b/internal/home/dns.go index d26dd0d8..fa822eeb 100644 --- a/internal/home/dns.go +++ b/internal/home/dns.go @@ -138,8 +138,9 @@ func initDNSServer( QueryLog: qlog, PrivateNets: privateNets, Anonymizer: anonymizer, - LocalDomain: config.DHCP.LocalDomainName, DHCPServer: dhcpSrv, + EtcHosts: Context.etcHosts, + LocalDomain: config.DHCP.LocalDomainName, }) if err != nil { closeDNSServer() @@ -288,7 +289,7 @@ func newServerConfig( newConf.TLSAllowUnencryptedDoH = tlsConf.AllowUnencryptedDoH newConf.FilterHandler = applyAdditionalFiltering - newConf.GetCustomUpstreamByClient = Context.clients.findUpstreams + newConf.ClientsContainer = &Context.clients newConf.LocalPTRResolvers = dnsConf.LocalPTRResolvers newConf.UpstreamTimeout = dnsConf.UpstreamTimeout.Duration diff --git a/internal/home/home.go b/internal/home/home.go index 7e57652e..ab2d83a2 100644 --- a/internal/home/home.go +++ b/internal/home/home.go @@ -6,7 +6,6 @@ import ( "crypto/x509" "fmt" "io/fs" - "net" "net/http" "net/netip" "net/url" @@ -160,7 +159,7 @@ func setupContext(opts options) (err error) { os.Exit(0) } - if !opts.noEtcHosts && config.Clients.Sources.HostsFile { + if !opts.noEtcHosts { err = setupHostsContainer() if err != nil { // Don't wrap the error, because it's informative enough as is. @@ -239,13 +238,13 @@ func setupHostsContainer() (err error) { ) if err != nil { closeErr := hostsWatcher.Close() - if errors.Is(err, aghnet.ErrNoHostsPaths) && closeErr == nil { + if errors.Is(err, aghnet.ErrNoHostsPaths) { log.Info("warning: initing hosts container: %s", err) - return nil + return closeErr } - return errors.WithDeferred(fmt.Errorf("initing hosts container: %w", err), closeErr) + return errors.Join(fmt.Errorf("initializing hosts container: %w", err), closeErr) } return nil @@ -294,19 +293,13 @@ func initContextClients() (err error) { arpDB = arpdb.New() } - err = Context.clients.Init( + return Context.clients.Init( config.Clients.Persistent, Context.dhcpServer, Context.etcHosts, arpDB, config.Filtering, ) - if err != nil { - // Don't wrap the error, because it's informative enough as is. - return err - } - - return nil } // setupBindOpts overrides bind host/port from the opts. @@ -376,11 +369,15 @@ func setupDNSFilteringConf(conf *filtering.Config) (err error) { upsOpts := &upstream.Options{ Timeout: dnsTimeout, - ServerIPAddrs: []net.IP{ - {94, 140, 14, 15}, - {94, 140, 15, 16}, - net.ParseIP("2a10:50c0::bad1:ff"), - net.ParseIP("2a10:50c0::bad2:ff"), + Bootstrap: upstream.StaticResolver{ + // 94.140.14.15. + netip.AddrFrom4([4]byte{94, 140, 14, 15}), + // 94.140.14.16. + netip.AddrFrom4([4]byte{94, 140, 14, 16}), + // 2a10:50c0::bad1:ff. + netip.AddrFrom16([16]byte{42, 16, 80, 192, 12: 186, 209, 0, 255}), + // 2a10:50c0::bad2:ff. + netip.AddrFrom16([16]byte{42, 16, 80, 192, 12: 186, 210, 0, 255}), }, } diff --git a/internal/next/dnssvc/dnssvc.go b/internal/next/dnssvc/dnssvc.go index 07ce4096..e0056dcb 100644 --- a/internal/next/dnssvc/dnssvc.go +++ b/internal/next/dnssvc/dnssvc.go @@ -12,11 +12,14 @@ import ( "sync/atomic" "time" + "github.com/AdguardTeam/AdGuardHome/internal/aghnet" "github.com/AdguardTeam/AdGuardHome/internal/next/agh" + // TODO(a.garipov): Add a “dnsproxy proxy” package to shield us from changes // and replacement of module dnsproxy. "github.com/AdguardTeam/dnsproxy/proxy" "github.com/AdguardTeam/dnsproxy/upstream" + "github.com/AdguardTeam/golibs/errors" ) // Service is the AdGuard Home DNS service. A nil *Service is a valid @@ -27,6 +30,7 @@ import ( type Service struct { proxy *proxy.Proxy bootstraps []string + bootstrapResolvers []*upstream.UpstreamResolver upstreams []string dns64Prefixes []netip.Prefix upsTimeout time.Duration @@ -52,7 +56,7 @@ func New(c *Config) (svc *Service, err error) { useDNS64: c.UseDNS64, } - upstreams, err := addressesToUpstreams( + upstreams, resolvers, err := addressesToUpstreams( c.UpstreamServers, c.BootstrapServers, c.UpstreamTimeout, @@ -62,6 +66,7 @@ func New(c *Config) (svc *Service, err error) { return nil, fmt.Errorf("converting upstreams: %w", err) } + svc.bootstrapResolvers = resolvers svc.proxy = &proxy.Proxy{ Config: proxy.Config{ UDPListenAddr: udpAddrs(c.Addresses), @@ -90,20 +95,37 @@ func addressesToUpstreams( bootstraps []string, timeout time.Duration, preferIPv6 bool, -) (upstreams []upstream.Upstream, err error) { +) (upstreams []upstream.Upstream, boots []*upstream.UpstreamResolver, err error) { + opts := &upstream.Options{ + Timeout: timeout, + PreferIPv6: preferIPv6, + } + + boots, err = aghnet.ParseBootstraps(bootstraps, opts) + if err != nil { + // Don't wrap the error, since it's informative enough as is. + return nil, nil, err + } + + // TODO(e.burkov): Add system hosts resolver here. + var bootstrap upstream.ParallelResolver + for _, r := range boots { + bootstrap = append(bootstrap, r) + } + upstreams = make([]upstream.Upstream, len(upsStrs)) for i, upsStr := range upsStrs { upstreams[i], err = upstream.AddressToUpstream(upsStr, &upstream.Options{ - Bootstrap: bootstraps, + Bootstrap: bootstrap, Timeout: timeout, PreferIPv6: preferIPv6, }) if err != nil { - return nil, fmt.Errorf("upstream at index %d: %w", i, err) + return nil, boots, fmt.Errorf("upstream at index %d: %w", i, err) } } - return upstreams, nil + return upstreams, boots, nil } // tcpAddrs converts []netip.AddrPort into []*net.TCPAddr. @@ -162,7 +184,15 @@ func (svc *Service) Shutdown(ctx context.Context) (err error) { return nil } - return svc.proxy.Stop() + errs := []error{ + svc.proxy.Stop(), + } + + for _, b := range svc.bootstrapResolvers { + errs = append(errs, errors.Annotate(b.Close(), "closing bootstrap %s: %w", b.Address())) + } + + return errors.Join(errs...) } // Config returns the current configuration of the web service. Config must not