all: fix chlog; fix field alignment

CHANGELOG.md

@@ -23,6 +23,14 @@ See also the [v0.107.26 GitHub milestone][ms-v0.107.26].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+### Added
+
+- The ability to set custom IP for EDNS Client Subnet by using the new
+  `dns.edns_client_subnet.use_custom` and `dns.edns_client_subnet.custom_ip`
+  fields ([#1472]).  The UI changes are coming in the upcoming releases.
+- The ability to use `dnstype` rules in the disallowed domains list ([#5468]).
+  This allows dropping requests based on their question types.
+
 ### Changed
 
 #### Configuration Changes
@@ -54,14 +62,6 @@ In this release, the schema version has changed from 16 to 17.
   `dns.edns_client_subnet.custom_ip`, and change the `schema_version` back to
   `16`.
 
-### Added
-
-- The ability to set custom IP for EDNS Client Subnet by using the new
-  `dns.edns_client_subnet.use_custom` and `dns.edns_client_subnet.custom_ip`
-  fields ([#1472]).  The UI changes are coming in the upcoming releases.
-- The ability to use `dnstype` rules in the disallowed domains list ([#5468]).
-  This allows dropping requests based on their question types.
-
 ### Fixed
 
 - Automatic update on MIPS64 and little-endian 32-bit MIPS architectures

internal/dnsforward/config.go

@@ -175,7 +175,7 @@ type FilteringConfig struct {
 	EnableDNSSEC bool `yaml:"enable_dnssec"`
 
 	// EDNSClientSubnet is the settings list for EDNS Client Subnet.
-	EDNSClientSubnet EDNSClientSubnet `yaml:"edns_client_subnet"`
+	EDNSClientSubnet *EDNSClientSubnet `yaml:"edns_client_subnet"`
 
 	// MaxGoroutines is the max number of parallel goroutines for processing
 	// incoming requests.
@@ -199,14 +199,14 @@ type FilteringConfig struct {
 
 // EDNSClientSubnet is the settings list for EDNS Client Subnet.
 type EDNSClientSubnet struct {
+	// CustomIP for EDNS Client Subnet.
+	CustomIP string `yaml:"custom_ip"`
+
 	// Enabled defines if EDNS Client Subnet is enabled.
 	Enabled bool `yaml:"enabled"`
 
 	// UseCustom defines if CustomIP should be used.
 	UseCustom bool `yaml:"use_custom"`
-
-	// CustomIP for EDNS Client Subnet.
-	CustomIP string `yaml:"custom_ip"`
 }
 
 // TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
@@ -340,13 +340,14 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
 	}
 
 	if srvConf.EDNSClientSubnet.UseCustom {
-		_, ipnet, nerr := net.ParseCIDR(srvConf.EDNSClientSubnet.CustomIP)
-		if nerr != nil {
-			return conf, fmt.Errorf("edns client subnet: %w", nerr)
+		// TODO(s.chzhen):  Add wrapper around netip.Addr.
+		ip, perr := netutil.ParseIP(srvConf.EDNSClientSubnet.CustomIP)
+		if perr != nil {
+			return conf, fmt.Errorf("edns: %w", perr)
 		}
 
 		// TODO(s.chzhen):  Use netip.Addr instead of net.IP inside dnsproxy.
-		conf.EDNSAddr = ipnet.IP
+		conf.EDNSAddr = ip
 	}
 
 	if srvConf.CacheSize != 0 {

internal/dnsforward/dns64_test.go

@@ -287,6 +287,9 @@ func TestServer_HandleDNSRequest_dns64(t *testing.T) {
 			UDPListenAddrs: []*net.UDPAddr{{}},
 			TCPListenAddrs: []*net.TCPAddr{{}},
 			UseDNS64:       true,
+			FilteringConfig: FilteringConfig{
+				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+			},
 		}, localUps)
 
 		t.Run(tc.name, func(t *testing.T) {

internal/dnsforward/dns_test.go

@@ -467,6 +467,9 @@ func TestServer_ProcessRestrictLocal(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, ups)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{ups}
 	startDeferStop(t, s)
@@ -539,6 +542,9 @@ func TestServer_ProcessLocalPTR_usingResolvers(t *testing.T) {
 		ServerConfig{
 			UDPListenAddrs: []*net.UDPAddr{{}},
 			TCPListenAddrs: []*net.TCPAddr{{}},
+			FilteringConfig: FilteringConfig{
+				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+			},
 		},
 		aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) {
 			return aghalg.Coalesce(

internal/dnsforward/dnsforward_test.go

@@ -155,6 +155,9 @@ func createTestTLS(t *testing.T, tlsConf TLSConfig) (s *Server, certPem []byte)
 	s = createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 
 	tlsConf.CertificateChainData, tlsConf.PrivateKeyData = certPem, keyPem
@@ -266,6 +269,9 @@ func TestServer(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
 	startDeferStop(t, s)
@@ -304,7 +310,8 @@ func TestServer_timeout(t *testing.T) {
 		srvConf := &ServerConfig{
 			UpstreamTimeout: timeout,
 			FilteringConfig: FilteringConfig{
-				BlockingMode: BlockingModeDefault,
+				BlockingMode:     BlockingModeDefault,
+				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 			},
 		}
 
@@ -322,6 +329,9 @@ func TestServer_timeout(t *testing.T) {
 		require.NoError(t, err)
 
 		s.conf.FilteringConfig.BlockingMode = BlockingModeDefault
+		s.conf.FilteringConfig.EDNSClientSubnet = &EDNSClientSubnet{
+			Enabled: false,
+		}
 		err = s.Prepare(&s.conf)
 		require.NoError(t, err)
 
@@ -333,6 +343,9 @@ func TestServerWithProtectionDisabled(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
 	startDeferStop(t, s)
@@ -437,6 +450,9 @@ func TestSafeSearch(t *testing.T) {
 		TCPListenAddrs: []*net.TCPAddr{{}},
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, filterConf, forwardConf, nil)
@@ -492,6 +508,11 @@ func TestInvalidRequest(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
+		},
 	}, nil)
 	startDeferStop(t, s)
 
@@ -518,6 +539,9 @@ func TestBlockedRequest(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -543,6 +567,9 @@ func TestServerCustomClientUpstream(t *testing.T) {
 		TCPListenAddrs: []*net.TCPAddr{{}},
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -591,6 +618,11 @@ func TestBlockCNAMEProtectionEnabled(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
+		},
 	}, nil)
 	testUpstm := &aghtest.Upstream{
 		CName: testCNAMEs,
@@ -621,6 +653,9 @@ func TestBlockCNAME(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -690,6 +725,9 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
 			FilterHandler: func(_ net.IP, _ string, settings *filtering.Settings) {
 				settings.FilteringEnabled = false
 			},
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -731,6 +769,9 @@ func TestNullBlockedRequest(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeNullIP,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -783,6 +824,9 @@ func TestBlockedCustomIP(t *testing.T) {
 			BlockingMode:      BlockingModeCustomIP,
 			BlockingIPv4:      nil,
 			UpstreamDNS:       []string{"8.8.8.8:53", "8.8.4.4:53"},
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 
@@ -831,6 +875,9 @@ func TestBlockedByHosts(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 
@@ -864,6 +911,9 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			SafeBrowsingBlockHost: ans4.String(),
 			ProtectionEnabled:     true,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, filterConf, forwardConf, nil)
@@ -918,6 +968,9 @@ func TestRewrite(t *testing.T) {
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
 			UpstreamDNS:       []string{"8.8.8.8:53"},
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}))
 
@@ -1032,6 +1085,7 @@ func TestPTRResponseFromDHCPLeases(t *testing.T) {
 	s.conf.UpstreamDNS = []string{"127.0.0.1:53"}
 	s.conf.FilteringConfig.ProtectionEnabled = true
 	s.conf.FilteringConfig.BlockingMode = BlockingModeDefault
+	s.conf.FilteringConfig.EDNSClientSubnet = &EDNSClientSubnet{Enabled: false}
 
 	err = s.Prepare(&s.conf)
 	require.NoError(t, err)
@@ -1107,6 +1161,7 @@ func TestPTRResponseFromHosts(t *testing.T) {
 	s.conf.TCPListenAddrs = []*net.TCPAddr{{}}
 	s.conf.UpstreamDNS = []string{"127.0.0.1:53"}
 	s.conf.FilteringConfig.BlockingMode = BlockingModeDefault
+	s.conf.FilteringConfig.EDNSClientSubnet = &EDNSClientSubnet{Enabled: false}
 
 	err = s.Prepare(&s.conf)
 	require.NoError(t, err)

internal/dnsforward/filter_test.go

@@ -29,6 +29,9 @@ func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	filters := []filtering.Filter{{

internal/dnsforward/http_test.go

@@ -69,6 +69,7 @@ func TestDNSForwardHTTP_handleGetConfig(t *testing.T) {
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
 			UpstreamDNS:       []string{"8.8.8.8:53", "8.8.4.4:53"},
+			EDNSClientSubnet:  &EDNSClientSubnet{Enabled: false},
 		},
 		ConfigModified: func() {},
 	}
@@ -144,6 +145,7 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
 			UpstreamDNS:       []string{"8.8.8.8:53", "8.8.4.4:53"},
+			EDNSClientSubnet:  &EDNSClientSubnet{Enabled: false},
 		},
 		ConfigModified: func() {},
 	}
@@ -227,7 +229,10 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 		require.True(t, ok)
 
 		t.Run(tc.name, func(t *testing.T) {
-			t.Cleanup(func() { s.conf = defaultConf })
+			t.Cleanup(func() {
+				s.conf = defaultConf
+				s.conf.FilteringConfig.EDNSClientSubnet.Enabled = false
+			})
 
 			rBody := io.NopCloser(bytes.NewReader(caseData.Req))
 			var r *http.Request
@@ -443,6 +448,9 @@ func TestServer_handleTestUpstreaDNS(t *testing.T) {
 		UDPListenAddrs:  []*net.UDPAddr{{}},
 		TCPListenAddrs:  []*net.TCPAddr{{}},
 		UpstreamTimeout: upsTimeout,
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 	startDeferStop(t, srv)