diff --git a/CHANGELOG.md b/CHANGELOG.md
index 582c4cb35a3..43ec9462750 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,14 @@ See also the [v0.107.26 GitHub milestone][ms-v0.107.26].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+### Added
+
+- The ability to set custom IP for EDNS Client Subnet by using the new
+  `dns.edns_client_subnet.use_custom` and `dns.edns_client_subnet.custom_ip`
+  fields ([#1472]). The UI changes are coming in the upcoming releases.
+- The ability to use `dnstype` rules in the disallowed domains list ([#5468]).
+  This allows dropping requests based on their question types.
+
 ### Changed
 
 #### Configuration Changes
@@ -54,14 +62,6 @@ In this release, the schema version has changed from 16 to 17.
   `dns.edns_client_subnet.custom_ip`, and change the `schema_version` back to
   `16`.
 
-### Added
-
-- The ability to set custom IP for EDNS Client Subnet by using the new
-  `dns.edns_client_subnet.use_custom` and `dns.edns_client_subnet.custom_ip`
-  fields ([#1472]). The UI changes are coming in the upcoming releases.
-- The ability to use `dnstype` rules in the disallowed domains list ([#5468]).
-  This allows dropping requests based on their question types.
-
 ### Fixed
 
 - Automatic update on MIPS64 and little-endian 32-bit MIPS architectures
diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go
index 9f38ff2f9d3..6648013ee17 100644
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -175,7 +175,7 @@ type FilteringConfig struct {
 	EnableDNSSEC bool `yaml:"enable_dnssec"`
 
 	// EDNSClientSubnet is the settings list for EDNS Client Subnet.
-	EDNSClientSubnet EDNSClientSubnet `yaml:"edns_client_subnet"`
+	EDNSClientSubnet *EDNSClientSubnet `yaml:"edns_client_subnet"`
 
 	// MaxGoroutines is the max number of parallel goroutines for processing
 	// incoming requests.
@@ -199,14 +199,14 @@ type FilteringConfig struct {
 
 // EDNSClientSubnet is the settings list for EDNS Client Subnet.
 type EDNSClientSubnet struct {
+	// CustomIP for EDNS Client Subnet.
+	CustomIP string `yaml:"custom_ip"`
+
 	// Enabled defines if EDNS Client Subnet is enabled.
 	Enabled bool `yaml:"enabled"`
 
 	// UseCustom defines if CustomIP should be used.
 	UseCustom bool `yaml:"use_custom"`
-
-	// CustomIP for EDNS Client Subnet.
-	CustomIP string `yaml:"custom_ip"`
 }
 
 // TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
@@ -340,13 +340,14 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
 	}
 
 	if srvConf.EDNSClientSubnet.UseCustom {
-		_, ipnet, nerr := net.ParseCIDR(srvConf.EDNSClientSubnet.CustomIP)
-		if nerr != nil {
-			return conf, fmt.Errorf("edns client subnet: %w", nerr)
+		// TODO(s.chzhen): Add wrapper around netip.Addr.
+		ip, perr := netutil.ParseIP(srvConf.EDNSClientSubnet.CustomIP)
+		if perr != nil {
+			return conf, fmt.Errorf("edns: %w", perr)
 		}
 
 		// TODO(s.chzhen): Use netip.Addr instead of net.IP inside dnsproxy.
-		conf.EDNSAddr = ipnet.IP
+		conf.EDNSAddr = ip
 	}
 
 	if srvConf.CacheSize != 0 {
diff --git a/internal/dnsforward/dns64_test.go b/internal/dnsforward/dns64_test.go
index f1df9500b1c..85a07fc1dc3 100644
--- a/internal/dnsforward/dns64_test.go
+++ b/internal/dnsforward/dns64_test.go
@@ -287,6 +287,9 @@ func TestServer_HandleDNSRequest_dns64(t *testing.T) {
 			UDPListenAddrs: []*net.UDPAddr{{}},
 			TCPListenAddrs: []*net.TCPAddr{{}},
 			UseDNS64:       true,
+			FilteringConfig: FilteringConfig{
+				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+			},
 		}, localUps)
 
 		t.Run(tc.name, func(t *testing.T) {
diff --git a/internal/dnsforward/dns_test.go b/internal/dnsforward/dns_test.go
index d07c30dc525..076d3c06258 100644
--- a/internal/dnsforward/dns_test.go
+++ b/internal/dnsforward/dns_test.go
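Review bot: `srvConf.EDNSClientSubnet.UseCustom` in the createProxyConfig hunk dereferences the field that the -175 hunk of config.go turned into `*EDNSClientSubnet` with no nil check, so a ServerConfig whose YAML lacks an `edns_client_subnet` section, or one built by hand, will panic here instead of returning an error unless a loader elsewhere fills in a default; every test hunk in this commit having to add `EDNSClientSubnet: &EDNSClientSubnet{Enabled: false}` looks like the symptom. Guard the block, `if ecs := srvConf.EDNSClientSubnet; ecs != nil && ecs.UseCustom {`, and read `ecs.CustomIP` inside it, or state on the field that nil is not allowed and reject it in validation before this point. Separately, replacing `net.ParseCIDR` with `netutil.ParseIP` changes what `custom_ip` accepts from a prefix to a single address, which neither the `CustomIP` comment in the -199 hunk nor the CHANGELOG entry says; the field comment could read `// CustomIP is the single IP address, not a prefix, sent as the EDNS Client Subnet when UseCustom is set.`. createProxyConfig begins and ends outside the hunk.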
@@ -467,6 +467,9 @@ func TestServer_ProcessRestrictLocal(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, ups)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{ups}
 	startDeferStop(t, s)
@@ -539,6 +542,9 @@ func TestServer_ProcessLocalPTR_usingResolvers(t *testing.T) {
 		ServerConfig{
 			UDPListenAddrs: []*net.UDPAddr{{}},
 			TCPListenAddrs: []*net.TCPAddr{{}},
+			FilteringConfig: FilteringConfig{
+				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+			},
 		},
 		aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) {
 			return aghalg.Coalesce(
diff --git a/internal/dnsforward/dnsforward_test.go b/internal/dnsforward/dnsforward_test.go
index 6d928422d7b..72bbe9396ff 100644
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -155,6 +155,9 @@ func createTestTLS(t *testing.T, tlsConf TLSConfig) (s *Server, certPem []byte)
 	s = createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 
 	tlsConf.CertificateChainData, tlsConf.PrivateKeyData = certPem, keyPem
@@ -266,6 +269,9 @@ func TestServer(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
 	startDeferStop(t, s)
@@ -304,7 +310,8 @@ func TestServer_timeout(t *testing.T) {
 	srvConf := &ServerConfig{
 		UpstreamTimeout: timeout,
 		FilteringConfig: FilteringConfig{
-			BlockingMode: BlockingModeDefault,
+			BlockingMode:     BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 		},
 	}
 
@@ -322,6 +329,9 @@ func TestServer_timeout(t *testing.T) {
 	require.NoError(t, err)
 
 	s.conf.FilteringConfig.BlockingMode = BlockingModeDefault
+	s.conf.FilteringConfig.EDNSClientSubnet = &EDNSClientSubnet{
+		Enabled: false,
+	}
 
 	err = s.Prepare(&s.conf)
 	require.NoError(t, err)
@@ -333,6 +343,9 @@ func TestServerWithProtectionDisabled(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
 	startDeferStop(t, s)
@@ -437,6 +450,9 @@ func TestSafeSearch(t *testing.T) {
 		TCPListenAddrs: []*net.TCPAddr{{}},
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, filterConf, forwardConf, nil)
@@ -492,6 +508,11 @@ func TestInvalidRequest(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
+		},
 	}, nil)
 	startDeferStop(t, s)
 
@@ -518,6 +539,9 @@ func TestBlockedRequest(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -543,6 +567,9 @@ func TestServerCustomClientUpstream(t *testing.T) {
 		TCPListenAddrs: []*net.TCPAddr{{}},
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -591,6 +618,11 @@ func TestBlockCNAMEProtectionEnabled(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
+		},
 	}, nil)
 	testUpstm := &aghtest.Upstream{
 		CName: testCNAMEs,
@@ -621,6 +653,9 @@ func TestBlockCNAME(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -690,6 +725,9 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
 			FilterHandler: func(_ net.IP, _ string, settings *filtering.Settings) {
 				settings.FilteringEnabled = false
 			},
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -731,6 +769,9 @@ func TestNullBlockedRequest(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeNullIP,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
@@ -783,6 +824,9 @@ func TestBlockedCustomIP(t *testing.T) {
 			BlockingMode: BlockingModeCustomIP,
 			BlockingIPv4: nil,
 			UpstreamDNS:  []string{"8.8.8.8:53", "8.8.4.4:53"},
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 
@@ -831,6 +875,9 @@ func TestBlockedByHosts(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 
@@ -864,6 +911,9 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			SafeBrowsingBlockHost: ans4.String(),
 			ProtectionEnabled:     true,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	s := createTestServer(t, filterConf, forwardConf, nil)
@@ -918,6 +968,9 @@ func TestRewrite(t *testing.T) {
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
 			UpstreamDNS:       []string{"8.8.8.8:53"},
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}))
 
@@ -1032,6 +1085,7 @@ func TestPTRResponseFromDHCPLeases(t *testing.T) {
 	s.conf.UpstreamDNS = []string{"127.0.0.1:53"}
 	s.conf.FilteringConfig.ProtectionEnabled = true
 	s.conf.FilteringConfig.BlockingMode = BlockingModeDefault
+	s.conf.FilteringConfig.EDNSClientSubnet = &EDNSClientSubnet{Enabled: false}
 
 	err = s.Prepare(&s.conf)
 	require.NoError(t, err)
@@ -1107,6 +1161,7 @@ func TestPTRResponseFromHosts(t *testing.T) {
 	s.conf.TCPListenAddrs = []*net.TCPAddr{{}}
 	s.conf.UpstreamDNS = []string{"127.0.0.1:53"}
 	s.conf.FilteringConfig.BlockingMode = BlockingModeDefault
+	s.conf.FilteringConfig.EDNSClientSubnet = &EDNSClientSubnet{Enabled: false}
 
 	err = s.Prepare(&s.conf)
 	require.NoError(t, err)
diff --git a/internal/dnsforward/filter_test.go b/internal/dnsforward/filter_test.go
index 7fa0985a56e..3fbe58cc338 100644
--- a/internal/dnsforward/filter_test.go
+++ b/internal/dnsforward/filter_test.go
@@ -29,6 +29,9 @@ func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
+			EDNSClientSubnet: &EDNSClientSubnet{
+				Enabled: false,
+			},
 		},
 	}
 	filters := []filtering.Filter{{
diff --git a/internal/dnsforward/http_test.go b/internal/dnsforward/http_test.go
index db3356dc90d..9d48151dd93 100644
--- a/internal/dnsforward/http_test.go
+++ b/internal/dnsforward/http_test.go
@@ -69,6 +69,7 @@ func TestDNSForwardHTTP_handleGetConfig(t *testing.T) {
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
 			UpstreamDNS:       []string{"8.8.8.8:53", "8.8.4.4:53"},
+			EDNSClientSubnet:  &EDNSClientSubnet{Enabled: false},
 		},
 		ConfigModified: func() {},
 	}
@@ -144,6 +145,7 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeDefault,
 			UpstreamDNS:       []string{"8.8.8.8:53", "8.8.4.4:53"},
+			EDNSClientSubnet:  &EDNSClientSubnet{Enabled: false},
 		},
 		ConfigModified: func() {},
 	}
@@ -227,7 +229,10 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 		require.True(t, ok)
 
 		t.Run(tc.name, func(t *testing.T) {
-			t.Cleanup(func() { s.conf = defaultConf })
+			t.Cleanup(func() {
+				s.conf = defaultConf
+				s.conf.FilteringConfig.EDNSClientSubnet.Enabled = false
+			})
 
 			rBody := io.NopCloser(bytes.NewReader(caseData.Req))
 			var r *http.Request
@@ -443,6 +448,9 @@ func TestServer_handleTestUpstreaDNS(t *testing.T) {
 		UDPListenAddrs:  []*net.UDPAddr{{}},
 		TCPListenAddrs:  []*net.TCPAddr{{}},
 		UpstreamTimeout: upsTimeout,
+		FilteringConfig: FilteringConfig{
+			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+		},
 	}, nil)
 	startDeferStop(t, srv)
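Review bot: The rewritten `t.Cleanup` in the -227 hunk resets only `Enabled` on the `*EDNSClientSubnet` that `s.conf` and `defaultConf` appear to share, since `s.conf = defaultConf` copies the pointer rather than the struct; if handleSetConfig ever writes `UseCustom` or `CustomIP`, those values leak from one subtest into the next and into `defaultConf` itself, and the field-level reset hides rather than fixes that. Reset the whole value instead, `s.conf.FilteringConfig.EDNSClientSubnet = &EDNSClientSubnet{Enabled: false}`, or give `defaultConf` a fresh copy per subtest. TestDNSForwardHTTP_handleSetConfig begins and ends outside the hunk.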