Pull request 2075: 1660-refactor-dns

Updates #1660. Squashed commit of the following: commit ed4923372bad717403c6f593586580daf00a90da Merge: 85e82520a 388583cef Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Nov 17 16:00:13 2023 +0300 Merge branch 'master' into 1660-refactor-dns commit 85e82520a45c30a659af8b43879ca059e7a6755f Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Nov 17 14:55:11 2023 +0300 home: imp dns conf commit bd255a77a77d0552f0a8306a045a98200a4ffb58 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Nov 17 14:30:50 2023 +0300 all: imp dns conf
2023-11-17 16:52:41 +03:00 · 2023-11-17 16:52:41 +03:00 · 1c0bf95b5a
parent 388583cefe
commit 1c0bf95b5a
4 changed files with 127 additions and 97 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -29,9 +29,10 @@ NOTE: Add new changes BELOW THIS COMMENT.
 #### Configuration changes
- Added new properties `clients.persistent.upstreams_cache_enabled` and
+- The property `dns.bogus_nxdomain` is now validated more strictly.
-  `clients.persistent.upstreams_cache_size` which describe cache configuration
+- Added new properties `clients.persistent.*.upstreams_cache_enabled` and
-  for each client custom upstream configuration.
+  `clients.persistent.*.upstreams_cache_size` that describe cache configuration
  for each client's custom upstream configuration.
 ### Fixed
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@ -334,16 +334,9 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
 		srvConf.FastestTimeout.Duration,
 	)
-	for i, s := range srvConf.BogusNXDomain {
+	conf.BogusNXDomain, err = parseBogusNXDOMAIN(srvConf.BogusNXDomain)
-		var subnet netip.Prefix
+	if err != nil {
-		subnet, err = aghnet.ParseSubnet(s)
+		return proxy.Config{}, fmt.Errorf("bogus_nxdomain: %w", err)
 		if err != nil {
 			log.Error("subnet at index %d: %s", i, err)
 			continue
 		}
 		conf.BogusNXDomain = append(conf.BogusNXDomain, subnet)
 	}
 	err = s.prepareTLS(&conf)
@ -365,6 +358,21 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
 	return conf, nil
 }
 // parseBogusNXDOMAIN parses the bogus NXDOMAIN strings into valid subnets.
 func parseBogusNXDOMAIN(confBogusNXDOMAIN []string) (subnets []netip.Prefix, err error) {
 	for i, s := range confBogusNXDOMAIN {
 		var subnet netip.Prefix
 		subnet, err = aghnet.ParseSubnet(s)
 		if err != nil {
 			return nil, fmt.Errorf("subnet at index %d: %w", i, err)
 		}
 		subnets = append(subnets, subnet)
 	}
 	return subnets, nil
 }
 const defaultBlockedResponseTTL = 3600
 // initDefaultSettings initializes default settings if nothing
--- a/internal/home/config.go
+++ b/internal/home/config.go
@ -115,6 +115,8 @@ type configuration struct {
 	// Theme is a UI theme for current user.
 	Theme Theme `yaml:"theme"`
 	// TODO(a.garipov): Make DNS and the fields below pointers and validate
 	// and/or reset on explicit nulling.
 	DNS      dnsConfig         `yaml:"dns"`
 	TLS      tlsConfigSettings `yaml:"tls"`
 	QueryLog queryLogConfig    `yaml:"querylog"`
@ -214,13 +216,13 @@ type dnsConfig struct {
 	// DNS64Prefixes is the list of NAT64 prefixes to be used for DNS64.
 	DNS64Prefixes []netip.Prefix `yaml:"dns64_prefixes"`
-	// ServeHTTP3 defines if HTTP/3 is be allowed for incoming requests.
+	// ServeHTTP3 defines if HTTP/3 is allowed for incoming requests.
 	//
 	// TODO(a.garipov): Add to the UI when HTTP/3 support is no longer
 	// experimental.
 	ServeHTTP3 bool `yaml:"serve_http3"`
-	// UseHTTP3Upstreams defines if HTTP/3 is be allowed for DNS-over-HTTPS
+	// UseHTTP3Upstreams defines if HTTP/3 is allowed for DNS-over-HTTPS
 	// upstreams.
 	//
 	// TODO(a.garipov): Add to the UI when HTTP/3 support is no longer
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@ -150,7 +150,7 @@ func initDNSServer(
 	Context.clients.dnsServer = Context.dnsServer
-	dnsConf, err := newServerConfig(tlsConf, httpReg)
+	dnsConf, err := newServerConfig(&config.DNS, config.Clients.Sources, tlsConf, httpReg)
 	if err != nil {
 		closeDNSServer()
@ -223,21 +223,36 @@ func ipsToUDPAddrs(ips []netip.Addr, port uint16) (udpAddrs []*net.UDPAddr) {
 	return udpAddrs
 }
 // newServerConfig converts values from the configuration file into the internal
 // DNS server configuration.  All arguments must not be nil.
 func newServerConfig(
 	dnsConf *dnsConfig,
 	clientSrcConf *clientSourcesConfig,
 	tlsConf *tlsConfigSettings,
 	httpReg aghhttp.RegisterFunc,
 ) (newConf *dnsforward.ServerConfig, err error) {
 	dnsConf := config.DNS
 	hosts := aghalg.CoalesceSlice(dnsConf.BindHosts, []netip.Addr{netutil.IPv4Localhost()})
 	fwdConf := dnsConf.Config
 	fwdConf.FilterHandler = applyAdditionalFiltering
 	fwdConf.ClientsContainer = &Context.clients
 	newConf = &dnsforward.ServerConfig{
-		UDPListenAddrs: ipsToUDPAddrs(hosts, dnsConf.Port),
+		UDPListenAddrs:         ipsToUDPAddrs(hosts, dnsConf.Port),
-		TCPListenAddrs: ipsToTCPAddrs(hosts, dnsConf.Port),
+		TCPListenAddrs:         ipsToTCPAddrs(hosts, dnsConf.Port),
-		Config:         dnsConf.Config,
+		Config:                 fwdConf,
-		ConfigModified: onConfigModified,
+		TLSConfig:              newDNSTLSConfig(tlsConf, hosts),
-		HTTPRegister:   httpReg,
+		TLSAllowUnencryptedDoH: tlsConf.AllowUnencryptedDoH,
-		UseDNS64:       config.DNS.UseDNS64,
+		UpstreamTimeout:        dnsConf.UpstreamTimeout.Duration,
-		DNS64Prefixes:  config.DNS.DNS64Prefixes,
+		TLSv12Roots:            Context.tlsRoots,
 		ConfigModified:         onConfigModified,
 		HTTPRegister:           httpReg,
 		LocalPTRResolvers:      dnsConf.LocalPTRResolvers,
 		UseDNS64:               dnsConf.UseDNS64,
 		DNS64Prefixes:          dnsConf.DNS64Prefixes,
 		UsePrivateRDNS:         dnsConf.UsePrivateRDNS,
 		ServeHTTP3:             dnsConf.ServeHTTP3,
 		UseHTTP3Upstreams:      dnsConf.UseHTTP3Upstreams,
 	}
 	var initialAddresses []netip.Addr
@ -255,79 +270,81 @@ func newServerConfig(
 		AddressUpdater:   &Context.clients,
 		InitialAddresses: initialAddresses,
 		CatchPanics:      true,
-		UseRDNS:          config.Clients.Sources.RDNS,
+		UseRDNS:          clientSrcConf.RDNS,
-		UseWHOIS:         config.Clients.Sources.WHOIS,
+		UseWHOIS:         clientSrcConf.WHOIS,
 	}
-	if tlsConf.Enabled {
+	newConf.DNSCryptConfig, err = newDNSCryptConfig(tlsConf, hosts)
-		newConf.TLSConfig = tlsConf.TLSConfig
+	if err != nil {
-		newConf.TLSConfig.ServerName = tlsConf.ServerName
+		// Don't wrap the error, because it's already wrapped by
-
+		// newDNSCryptConfig.
-		if tlsConf.PortHTTPS != 0 {
+		return nil, err
 			newConf.HTTPSListenAddrs = ipsToTCPAddrs(hosts, tlsConf.PortHTTPS)
 		}
 		if tlsConf.PortDNSOverTLS != 0 {
 			newConf.TLSListenAddrs = ipsToTCPAddrs(hosts, tlsConf.PortDNSOverTLS)
 		}
 		if tlsConf.PortDNSOverQUIC != 0 {
 			newConf.QUICListenAddrs = ipsToUDPAddrs(hosts, tlsConf.PortDNSOverQUIC)
 		}
 		if tlsConf.PortDNSCrypt != 0 {
 			newConf.DNSCryptConfig, err = newDNSCrypt(hosts, *tlsConf)
 			if err != nil {
 				// Don't wrap the error, because it's already wrapped by
 				// newDNSCrypt.
 				return nil, err
 			}
 		}
 	}
 	newConf.TLSv12Roots = Context.tlsRoots
 	newConf.TLSAllowUnencryptedDoH = tlsConf.AllowUnencryptedDoH
 	newConf.FilterHandler = applyAdditionalFiltering
 	newConf.ClientsContainer = &Context.clients
 	newConf.LocalPTRResolvers = dnsConf.LocalPTRResolvers
 	newConf.UpstreamTimeout = dnsConf.UpstreamTimeout.Duration
 	newConf.UsePrivateRDNS = dnsConf.UsePrivateRDNS
 	newConf.ServeHTTP3 = dnsConf.ServeHTTP3
 	newConf.UseHTTP3Upstreams = dnsConf.UseHTTP3Upstreams
 	return newConf, nil
 }
-func newDNSCrypt(hosts []netip.Addr, tlsConf tlsConfigSettings) (dnscc dnsforward.DNSCryptConfig, err error) {
+// newDNSTLSConfig converts values from the configuration file into the internal
-	if tlsConf.DNSCryptConfigFile == "" {
+// TLS settings for the DNS server.  tlsConf must not be nil.
-		return dnscc, errors.Error("no dnscrypt_config_file")
+func newDNSTLSConfig(conf *tlsConfigSettings, addrs []netip.Addr) (dnsConf dnsforward.TLSConfig) {
 	if !conf.Enabled {
 		return dnsforward.TLSConfig{}
 	}
-	f, err := os.Open(tlsConf.DNSCryptConfigFile)
+	dnsConf = conf.TLSConfig
 	dnsConf.ServerName = conf.ServerName
 	if conf.PortHTTPS != 0 {
 		dnsConf.HTTPSListenAddrs = ipsToTCPAddrs(addrs, conf.PortHTTPS)
 	}
 	if conf.PortDNSOverTLS != 0 {
 		dnsConf.TLSListenAddrs = ipsToTCPAddrs(addrs, conf.PortDNSOverTLS)
 	}
 	if conf.PortDNSOverQUIC != 0 {
 		dnsConf.QUICListenAddrs = ipsToUDPAddrs(addrs, conf.PortDNSOverQUIC)
 	}
 	return dnsConf
 }
 // newDNSCryptConfig converts values from the configuration file into the
 // internal DNSCrypt settings for the DNS server.  conf must not be nil.
 func newDNSCryptConfig(
 	conf *tlsConfigSettings,
 	addrs []netip.Addr,
 ) (dnsCryptConf dnsforward.DNSCryptConfig, err error) {
 	if !conf.Enabled || conf.PortDNSCrypt == 0 {
 		return dnsforward.DNSCryptConfig{}, nil
 	}
 	if conf.DNSCryptConfigFile == "" {
 		return dnsforward.DNSCryptConfig{}, errors.Error("no dnscrypt_config_file")
 	}
 	f, err := os.Open(conf.DNSCryptConfigFile)
 	if err != nil {
-		return dnscc, fmt.Errorf("opening dnscrypt config: %w", err)
+		return dnsforward.DNSCryptConfig{}, fmt.Errorf("opening dnscrypt config: %w", err)
 	}
 	defer func() { err = errors.WithDeferred(err, f.Close()) }()
 	rc := &dnscrypt.ResolverConfig{}
 	err = yaml.NewDecoder(f).Decode(rc)
 	if err != nil {
-		return dnscc, fmt.Errorf("decoding dnscrypt config: %w", err)
+		return dnsforward.DNSCryptConfig{}, fmt.Errorf("decoding dnscrypt config: %w", err)
 	}
 	cert, err := rc.CreateCert()
 	if err != nil {
-		return dnscc, fmt.Errorf("creating dnscrypt cert: %w", err)
+		return dnsforward.DNSCryptConfig{}, fmt.Errorf("creating dnscrypt cert: %w", err)
 	}
 	return dnsforward.DNSCryptConfig{
 		ResolverCert:   cert,
 		ProviderName:   rc.ProviderName,
-		UDPListenAddrs: ipsToUDPAddrs(hosts, tlsConf.PortDNSCrypt),
+		UDPListenAddrs: ipsToUDPAddrs(addrs, conf.PortDNSCrypt),
-		TCPListenAddrs: ipsToTCPAddrs(hosts, tlsConf.PortDNSCrypt),
+		TCPListenAddrs: ipsToTCPAddrs(addrs, conf.PortDNSCrypt),
 		Enabled:        true,
 	}, nil
 }
@ -343,34 +360,36 @@ func getDNSEncryption() (de dnsEncryption) {
 	Context.tls.WriteDiskConfig(&tlsConf)
-	if tlsConf.Enabled && len(tlsConf.ServerName) != 0 {
+	if !tlsConf.Enabled || len(tlsConf.ServerName) == 0 {
-		hostname := tlsConf.ServerName
+		return dnsEncryption{}
-		if tlsConf.PortHTTPS != 0 {
+	}
 			addr := hostname
 			if p := tlsConf.PortHTTPS; p != defaultPortHTTPS {
 				addr = netutil.JoinHostPort(addr, p)
 			}
-			de.https = (&url.URL{
+	hostname := tlsConf.ServerName
-				Scheme: "https",
+	if tlsConf.PortHTTPS != 0 {
-				Host:   addr,
+		addr := hostname
-				Path:   "/dns-query",
+		if p := tlsConf.PortHTTPS; p != defaultPortHTTPS {
-			}).String()
+			addr = netutil.JoinHostPort(addr, p)
 		}
-		if p := tlsConf.PortDNSOverTLS; p != 0 {
+		de.https = (&url.URL{
-			de.tls = (&url.URL{
+			Scheme: "https",
-				Scheme: "tls",
+			Host:   addr,
-				Host:   netutil.JoinHostPort(hostname, p),
+			Path:   "/dns-query",
-			}).String()
+		}).String()
-		}
+	}
-		if p := tlsConf.PortDNSOverQUIC; p != 0 {
+	if p := tlsConf.PortDNSOverTLS; p != 0 {
-			de.quic = (&url.URL{
+		de.tls = (&url.URL{
-				Scheme: "quic",
+			Scheme: "tls",
-				Host:   netutil.JoinHostPort(hostname, p),
+			Host:   netutil.JoinHostPort(hostname, p),
-			}).String()
+		}).String()
-		}
+	}
 	if p := tlsConf.PortDNSOverQUIC; p != 0 {
 		de.quic = (&url.URL{
 			Scheme: "quic",
 			Host:   netutil.JoinHostPort(hostname, p),
 		}).String()
 	}
 	return de
@ -455,7 +474,7 @@ func reconfigureDNSServer() (err error) {
 	tlsConf := &tlsConfigSettings{}
 	Context.tls.WriteDiskConfig(tlsConf)
-	newConf, err := newServerConfig(tlsConf, httpRegister)
+	newConf, err := newServerConfig(&config.DNS, config.Clients.Sources, tlsConf, httpRegister)
 	if err != nil {
 		return fmt.Errorf("generating forwarding dns server config: %w", err)
 	}