Pull request: home: http dns plain

Merge in DNS/adguard-home from AG-28194-plain-dns to master

Squashed commit of the following:

commit a033982b949217d46a8ea609f63198916f779a61
Merge: 03fc28211 79d7a1ef4
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Dec 12 12:07:39 2023 +0200

    Merge remote-tracking branch 'origin/master' into AG-28194-plain-dns

commit 03fc282119a6372fcb4ce17a5d89779ad84589f5
Merge: e31a65931 34a34dc05
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Dec 12 11:07:46 2023 +0200

    Merge remote-tracking branch 'origin/master' into AG-28194-plain-dns

    # Conflicts:
    #	CHANGELOG.md

commit e31a659312fffe0cd5f57710843c8a6818515502
Merge: 0b735eb42 7b5cce517
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Dec 11 11:09:07 2023 +0200

    Merge remote-tracking branch 'origin/master' into AG-28194-plain-dns

    # Conflicts:
    #	CHANGELOG.md

commit 0b735eb4261883961058aed562c1e72ad1a20915
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Dec 8 15:22:27 2023 +0200

    Revert "safesearch: imp docs"

    This reverts commit bab6bf3467f8914a34413bbbcdc37e89ff0401a5.

commit bab6bf3467f8914a34413bbbcdc37e89ff0401a5
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Dec 8 15:21:23 2023 +0200

    safesearch: imp docs

commit aa5e6e30e01bf947d645ac4a9578eeac09c92a19
Merge: 503888447 2b62901fe
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Dec 8 14:48:13 2023 +0200

    Merge remote-tracking branch 'origin/AG-28194-plain-dns' into AG-28194-plain-dns

commit 503888447aaf30d48c3fb9a414e8a65beb1a4e23
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Dec 8 14:47:23 2023 +0200

    home: imp code

commit 2b62901feb29c9613ae648fa5e83598157207a17
Author: Ildar Kamalov <ik@adguard.com>
Date:   Fri Dec 8 11:55:25 2023 +0300

    client: add plain dns description

commit 3d51fc8ea1955e599953070a4b330dd4e2fd44bc
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Dec 8 10:15:53 2023 +0200

    all: changelog

commit 59697b5f1ab049bd2259ffe42cef7223531ef7aa
Merge: 81a15d081 b668c04ea
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Dec 8 10:11:59 2023 +0200

    Merge remote-tracking branch 'origin/master' into AG-28194-plain-dns

commit 81a15d0818b18f99e651311a8502082b4a539e4b
Author: Natalia Sokolova <n.sokolova@adguard.com>
Date:   Thu Dec 7 17:30:05 2023 +0300

    client/src/__locales/en.json edited online with Bitbucket

commit 0cf2f880fbd1592c02e6df42319cba357f0d7bc8
Author: Natalia Sokolova <n.sokolova@adguard.com>
Date:   Thu Dec 7 17:29:51 2023 +0300

    client/src/__locales/en.json edited online with Bitbucket

commit 2f32c59b8b1d764d060a69c35787566cf5210063
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Dec 7 13:14:04 2023 +0200

    home: imp code

commit 01e21a26bdd13c42c55c8ea3b5bbe84933bf0c04
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Dec 7 12:14:02 2023 +0200

    all: imp docs

commit b6beec6df7c2a9077ddce018656c701b7e875b53
Author: Ildar Kamalov <ik@adguard.com>
Date:   Thu Dec 7 12:42:21 2023 +0300

    client: fix reset settings

commit 93448500d56a4652a3a060b274936c40015ac8ec
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Dec 7 10:55:25 2023 +0200

    home: imp code

commit eb32f8268bee097a81463ba29f7ea52be6e7d88b
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Dec 7 10:42:23 2023 +0200

    home: imp code

commit 873d1412cf7c07ed985985a47325779bcfbf650a
Merge: 627659680 214175eb4
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Dec 7 10:22:25 2023 +0200

    Merge remote-tracking branch 'origin/master' into AG-28194-plain-dns

commit 627659680da8e973a3878d1722b276d30c7a27bb
Author: Ildar Kamalov <ik@adguard.com>
Date:   Wed Dec 6 17:39:14 2023 +0300

    client: handle plain dns setting

commit ffdbf05fede721d271a84482a5759284d18eb189
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Dec 1 15:12:50 2023 +0200

    home: http dns plain

... and 1 more commit

CHANGELOG.md

@@ -23,6 +23,11 @@ See also the [v0.107.44 GitHub milestone][ms-v0.107.44].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+### Added
+
+- Ability to disable plain-DNS serving via UI if an encrypted protocol is
+  already used ([#1660]).
+
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
 -->

client/src/__locales/en.json

@@ -423,6 +423,9 @@
     "encryption_hostnames": "Hostnames",
     "encryption_reset": "Are you sure you want to reset encryption settings?",
     "encryption_warning": "Warning",
+    "encryption_plain_dns_enable": "Enable plain DNS",
+    "encryption_plain_dns_desc": "Plain DNS is enabled by default. You can disable it to force all devices to use encrypted DNS. To do this, you must enable at least one encrypted DNS protocol",
+    "encryption_plain_dns_error": "To disable plain DNS, enable at least one encrypted DNS protocol",
     "topline_expiring_certificate": "Your SSL certificate is about to expire. Update <0>Encryption settings</0>.",
     "topline_expired_certificate": "Your SSL certificate is expired. Update <0>Encryption settings</0>.",
     "form_error_port_range": "Enter port number in the range of 80-65535",

client/src/components/Settings/Encryption/Form.js

@@ -12,7 +12,7 @@ import {
     toNumber,
 } from '../../../helpers/form';
 import {
-    validateServerName, validateIsSafePort, validatePort, validatePortQuic, validatePortTLS,
+    validateServerName, validateIsSafePort, validatePort, validatePortQuic, validatePortTLS, validatePlainDns,
 } from '../../../helpers/validators';
 import i18n from '../../../i18n';
 import KeyStatus from './KeyStatus';
@@ -47,6 +47,7 @@ const clearFields = (change, setTlsConfig, validateTlsConfig, t) => {
         force_https: false,
         enabled: false,
         private_key_saved: false,
+        serve_plain_dns: true,
     };
     // eslint-disable-next-line no-alert
     if (window.confirm(t('encryption_reset'))) {
@@ -83,6 +84,7 @@ let Form = (props) => {
         handleSubmit,
         handleChange,
         isEnabled,
+        servePlainDns,
         certificateChain,
         privateKey,
         certificatePath,
@@ -109,21 +111,24 @@ let Form = (props) => {
         privateKeySaved,
     } = props;
 
-    const isSavingDisabled = invalid
+    const isSavingDisabled = () => {
-        || submitting
+        const processing = submitting || processingConfig || processingValidate;
-        || processingConfig
-        || processingValidate
-        || !valid_key
-        || !valid_cert
-        || !valid_pair;
 
+        if (servePlainDns && !isEnabled) {
+            return invalid || processing;
+        }
+
+        return invalid || processing || !valid_key || !valid_cert || !valid_pair;
+    };
+
+    const isDisabled = isSavingDisabled();
     const isWarning = valid_key && valid_cert && valid_pair;
 
     return (
         <form onSubmit={handleSubmit}>
             <div className="row">
                 <div className="col-12">
-                    <div className="form__group form__group--settings">
+                    <div className="form__group form__group--settings mb-3">
                         <Field
                             name="enabled"
                             type="checkbox"
@@ -135,6 +140,19 @@ let Form = (props) => {
                     <div className="form__desc">
                         <Trans>encryption_enable_desc</Trans>
                     </div>
+                    <div className="form__group mb-3 mt-5">
+                        <Field
+                            name="serve_plain_dns"
+                            type="checkbox"
+                            component={CheckboxField}
+                            placeholder={t('encryption_plain_dns_enable')}
+                            onChange={handleChange}
+                            validate={validatePlainDns}
+                        />
+                    </div>
+                    <div className="form__desc">
+                        <Trans>encryption_plain_dns_desc</Trans>
+                    </div>
                     <hr />
                 </div>
                 <div className="col-12">
@@ -412,8 +430,8 @@ let Form = (props) => {
             <div className="btn-list mt-2">
                 <button
                     type="submit"
+                    disabled={isDisabled}
                     className="btn btn-success btn-standart"
-                    disabled={isSavingDisabled}
                 >
                     <Trans>save_config</Trans>
                 </button>
@@ -434,6 +452,7 @@ Form.propTypes = {
     handleSubmit: PropTypes.func.isRequired,
     handleChange: PropTypes.func,
     isEnabled: PropTypes.bool.isRequired,
+    servePlainDns: PropTypes.bool.isRequired,
     certificateChain: PropTypes.string.isRequired,
     privateKey: PropTypes.string.isRequired,
     certificatePath: PropTypes.string.isRequired,
@@ -467,6 +486,7 @@ const selector = formValueSelector(FORM_NAME.ENCRYPTION);
 
 Form = connect((state) => {
     const isEnabled = selector(state, 'enabled');
+    const servePlainDns = selector(state, 'serve_plain_dns');
     const certificateChain = selector(state, 'certificate_chain');
     const privateKey = selector(state, 'private_key');
     const certificatePath = selector(state, 'certificate_path');
@@ -476,6 +496,7 @@ Form = connect((state) => {
     const privateKeySaved = selector(state, 'private_key_saved');
     return {
         isEnabled,
+        servePlainDns,
         certificateChain,
         privateKey,
         certificatePath,

client/src/components/Settings/Encryption/index.js

@@ -25,7 +25,8 @@ class Encryption extends Component {
 
     handleFormChange = debounce((values) => {
         const submitValues = this.getSubmitValues(values);
-        if (submitValues.enabled) {
+
+        if (submitValues.enabled || submitValues.serve_plain_dns) {
             this.props.validateTlsConfig(submitValues);
         }
     }, DEBOUNCE_TIMEOUT);
@@ -85,6 +86,7 @@ class Encryption extends Component {
             certificate_path,
             private_key_path,
             private_key_saved,
+            serve_plain_dns,
         } = encryption;
 
         const initialValues = this.getInitialValues({
@@ -99,6 +101,7 @@ class Encryption extends Component {
             certificate_path,
             private_key_path,
             private_key_saved,
+            serve_plain_dns,
         });
 
         return (

client/src/helpers/form.js

@@ -180,7 +180,7 @@ export const CheckboxField = ({
     {!disabled
     && touched
     && error
-    && <span className="form__message form__message--error"><Trans>{error}</Trans></span>}
+    && <div className="form__message form__message--error mt-1"><Trans>{error}</Trans></div>}
 </>;
 
 CheckboxField.propTypes = {

client/src/helpers/validators.js

@@ -389,3 +389,18 @@ export const validateIPv6Subnet = (value) => {
     }
     return undefined;
 };
+
+/**
+ * @returns {undefined|string}
+ * @param value
+ * @param allValues
+ */
+export const validatePlainDns = (value, allValues) => {
+    const { enabled } = allValues;
+
+    if (!enabled && !value) {
+        return 'encryption_plain_dns_error';
+    }
+
+    return undefined;
+};

client/src/reducers/encryption.js

@@ -62,6 +62,7 @@ const encryption = handleActions({
     processingConfig: false,
     processingValidate: false,
     enabled: false,
+    serve_plain_dns: false,
     dns_names: null,
     force_https: false,
     issuer: '',

internal/home/home.go

@@ -608,7 +608,7 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
 	Context.auth, err = initUsers()
 	fatalOnError(err)
 
-	Context.tls, err = newTLSManager(config.TLS)
+	Context.tls, err = newTLSManager(config.TLS, config.DNS.ServePlainDNS)
 	if err != nil {
 		log.Error("initializing tls: %s", err)
 		onConfigModified()

internal/home/tls.go

@@ -38,15 +38,19 @@ type tlsManager struct {
 
 	confLock sync.Mutex
 	conf     tlsConfigSettings
+
+	// servePlainDNS defines if plain DNS is allowed for incoming requests.
+	servePlainDNS bool
 }
 
 // newTLSManager initializes the manager of TLS configuration.  m is always
 // non-nil while any returned error indicates that the TLS configuration isn't
 // valid.  Thus TLS may be initialized later, e.g. via the web UI.
-func newTLSManager(conf tlsConfigSettings) (m *tlsManager, err error) {
+func newTLSManager(conf tlsConfigSettings, servePlainDNS bool) (m *tlsManager, err error) {
 	m = &tlsManager{
 		status:        &tlsConfigStatus{},
 		conf:          conf,
+		servePlainDNS: servePlainDNS,
 	}
 
 	if m.conf.Enabled {
@@ -283,21 +287,29 @@ type tlsConfig struct {
 	tlsConfigSettingsExt `json:",inline"`
 }
 
-// tlsConfigSettingsExt is used to (un)marshal the PrivateKeySaved field to
+// tlsConfigSettingsExt is used to (un)marshal PrivateKeySaved field and
-// ensure that clients don't send and receive previously saved private keys.
+// ServePlainDNS field.
 type tlsConfigSettingsExt struct {
 	tlsConfigSettings `json:",inline"`
 
 	// PrivateKeySaved is true if the private key is saved as a string and omit
-	// key from answer.
+	// key from answer.  It is used to ensure that clients don't send and
-	PrivateKeySaved bool `yaml:"-" json:"private_key_saved,inline"`
+	// receive previously saved private keys.
+	PrivateKeySaved bool `yaml:"-" json:"private_key_saved"`
+
+	// ServePlainDNS defines if plain DNS is allowed for incoming requests.  It
+	// is an [aghalg.NullBool] to be able to tell when it's set without using
+	// pointers.
+	ServePlainDNS aghalg.NullBool `yaml:"-" json:"serve_plain_dns"`
 }
 
+// handleTLSStatus is the handler for the GET /control/tls/status HTTP API.
 func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
 	m.confLock.Lock()
 	data := tlsConfig{
 		tlsConfigSettingsExt: tlsConfigSettingsExt{
 			tlsConfigSettings: m.conf,
+			ServePlainDNS:     aghalg.BoolToNullBool(m.servePlainDNS),
 		},
 		tlsConfigStatus: m.status,
 	}
@@ -306,6 +318,7 @@ func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
 	marshalTLS(w, r, data)
 }
 
+// handleTLSValidate is the handler for the POST /control/tls/validate HTTP API.
 func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	setts, err := unmarshalTLS(r)
 	if err != nil {
@@ -318,33 +331,11 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 		setts.PrivateKey = m.conf.PrivateKey
 	}
 
-	if setts.Enabled {
+	if err = validateTLSSettings(setts); err != nil {
-		err = validatePorts(
-			tcpPort(config.HTTPConfig.Address.Port()),
-			tcpPort(setts.PortHTTPS),
-			tcpPort(setts.PortDNSOverTLS),
-			tcpPort(setts.PortDNSCrypt),
-			udpPort(config.DNS.Port),
-			udpPort(setts.PortDNSOverQUIC),
-		)
-		if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 
 		return
 	}
-	}
-
-	if !webCheckPortAvailable(setts.PortHTTPS) {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusBadRequest,
-			"port %d is not available, cannot enable HTTPS on it",
-			setts.PortHTTPS,
-		)
-
-		return
-	}
 
 	// Skip the error check, since we are only interested in the value of
 	// status.WarningValidation.
@@ -358,7 +349,12 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	marshalTLS(w, r, resp)
 }
 
-func (m *tlsManager) setConfig(newConf tlsConfigSettings, status *tlsConfigStatus) (restartHTTPS bool) {
+// setConfig updates manager conf with the given one.
+func (m *tlsManager) setConfig(
+	newConf tlsConfigSettings,
+	status *tlsConfigStatus,
+	servePlain aghalg.NullBool,
+) (restartHTTPS bool) {
 	m.confLock.Lock()
 	defer m.confLock.Unlock()
 
@@ -390,9 +386,15 @@ func (m *tlsManager) setConfig(newConf tlsConfigSettings, status *tlsConfigStatu
 	m.conf.PrivateKeyData = newConf.PrivateKeyData
 	m.status = status
 
+	if servePlain != aghalg.NBNull {
+		m.servePlainDNS = servePlain == aghalg.NBTrue
+	}
+
 	return restartHTTPS
 }
 
+// handleTLSConfigure is the handler for the POST /control/tls/configure HTTP
+// API.
 func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 	req, err := unmarshalTLS(r)
 	if err != nil {
@@ -405,34 +407,11 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		req.PrivateKey = m.conf.PrivateKey
 	}
 
-	if req.Enabled {
+	if err = validateTLSSettings(req); err != nil {
-		err = validatePorts(
-			tcpPort(config.HTTPConfig.Address.Port()),
-			tcpPort(req.PortHTTPS),
-			tcpPort(req.PortDNSOverTLS),
-			tcpPort(req.PortDNSCrypt),
-			udpPort(config.DNS.Port),
-			udpPort(req.PortDNSOverQUIC),
-		)
-		if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 
 		return
 	}
-	}
-
-	// TODO(e.burkov):  Investigate and perhaps check other ports.
-	if !webCheckPortAvailable(req.PortHTTPS) {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusBadRequest,
-			"port %d is not available, cannot enable https on it",
-			req.PortHTTPS,
-		)
-
-		return
-	}
 
 	status := &tlsConfigStatus{}
 	err = loadTLSConf(&req.tlsConfigSettings, status)
@@ -447,8 +426,18 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	restartHTTPS := m.setConfig(req.tlsConfigSettings, status)
+	restartHTTPS := m.setConfig(req.tlsConfigSettings, status, req.ServePlainDNS)
 	m.setCertFileTime()
+
+	if req.ServePlainDNS != aghalg.NBNull {
+		func() {
+			m.confLock.Lock()
+			defer m.confLock.Unlock()
+
+			config.DNS.ServePlainDNS = req.ServePlainDNS == aghalg.NBTrue
+		}()
+	}
+
 	onConfigModified()
 
 	err = reconfigureDNSServer()
@@ -479,6 +468,33 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 	}
 }
 
+// validateTLSSettings returns error if the setts are not valid.
+func validateTLSSettings(setts tlsConfigSettingsExt) (err error) {
+	if setts.Enabled {
+		err = validatePorts(
+			tcpPort(config.HTTPConfig.Address.Port()),
+			tcpPort(setts.PortHTTPS),
+			tcpPort(setts.PortDNSOverTLS),
+			tcpPort(setts.PortDNSCrypt),
+			udpPort(config.DNS.Port),
+			udpPort(setts.PortDNSOverQUIC),
+		)
+		if err != nil {
+			// Don't wrap the error since it's informative enough as is.
+			return err
+		}
+	} else if setts.ServePlainDNS == aghalg.NBFalse {
+		// TODO(a.garipov): Support full disabling of all DNS.
+		return errors.Error("plain DNS is required in case encryption protocols are disabled")
+	}
+
+	if !webCheckPortAvailable(setts.PortHTTPS) {
+		return fmt.Errorf("port %d is not available, cannot enable HTTPS on it", setts.PortHTTPS)
+	}
+
+	return nil
+}
+
 // validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
 // DNS protocols.
 func validatePorts(

openapi/CHANGELOG.md

@@ -6,6 +6,12 @@
 
 ## v0.107.42: API changes
 
+### The new field `"serve_plain_dns"` in `TlsConfig`
+
+* The new field `"serve_plain_dns"` in `POST /control/tls/configure`,
+  `POST /control/tls/validate` and `GET /control/tls/status` is true if plain
+  DNS is allowed for incoming requests.
+
 ### The new fields `"upstreams_cache_enabled"` and `"upstreams_cache_size"` in `Client` object
 
 * The new field `"upstreams_cache_enabled"` in `GET /control/clients`,

openapi/openapi.yaml

@@ -2463,6 +2463,11 @@
           'example': true
           'description': >
             Set to true if both certificate and private key are correct.
+        'serve_plain_dns':
+          'type': 'boolean'
+          'example': true
+          'description': >
+            Set to true if plain DNS is allowed for incoming requests.
     'NetInterface':
       'type': 'object'
       'description': 'Network interface info'