Add require_nolog and require_dnssec filters

Frank Denis 2018-01-18 13:01:16 +01:00
parent fd7838ee58
commit 41a9bf5bf3
4 changed files with 78 additions and 30 deletions


@ -13,35 +13,38 @@ import (
) )
type Config struct { type Config struct {
ServerNames []string `toml:"server_names"` ServerNames []string `toml:"server_names"`
ListenAddresses []string `toml:"listen_addresses"` ListenAddresses []string `toml:"listen_addresses"`
Daemonize bool Daemonize bool
ForceTCP bool `toml:"force_tcp"` ForceTCP bool `toml:"force_tcp"`
Timeout int `toml:"timeout_ms"` Timeout int `toml:"timeout_ms"`
CertRefreshDelay int `toml:"cert_refresh_delay"` CertRefreshDelay int `toml:"cert_refresh_delay"`
BlockIPv6 bool `toml:"block_ipv6"` BlockIPv6 bool `toml:"block_ipv6"`
Cache bool Cache bool
CacheSize int `toml:"cache_size"` CacheSize int `toml:"cache_size"`
CacheNegTTL uint32 `toml:"cache_neg_ttl"` CacheNegTTL uint32 `toml:"cache_neg_ttl"`
CacheMinTTL uint32 `toml:"cache_min_ttl"` CacheMinTTL uint32 `toml:"cache_min_ttl"`
CacheMaxTTL uint32 `toml:"cache_max_ttl"` CacheMaxTTL uint32 `toml:"cache_max_ttl"`
QueryLog QueryLogConfig `toml:"query_log"` QueryLog QueryLogConfig `toml:"query_log"`
BlockName BlockNameConfig `toml:"blacklist"` BlockName BlockNameConfig `toml:"blacklist"`
ForwardFile string `toml:"forwarding_rules"` ForwardFile string `toml:"forwarding_rules"`
ServersConfig map[string]ServerConfig `toml:"servers"` ServersConfig map[string]ServerConfig `toml:"servers"`
SourcesConfig map[string]SourceConfig `toml:"sources"` SourcesConfig map[string]SourceConfig `toml:"sources"`
SourceRequireDNSSEC bool `toml:"require_dnssec"`
SourceRequireNoLog bool `toml:"require_nolog"`
} }
func newConfig() Config { func newConfig() Config {
return Config{ return Config{
ListenAddresses: []string{"127.0.0.1:53"}, ListenAddresses: []string{"127.0.0.1:53"},
Timeout: 2500, Timeout: 2500,
CertRefreshDelay: 30, CertRefreshDelay: 30,
Cache: true, Cache: true,
CacheSize: 256, CacheSize: 256,
CacheNegTTL: 60, CacheNegTTL: 60,
CacheMinTTL: 60, CacheMinTTL: 60,
CacheMaxTTL: 8600, CacheMaxTTL: 8600,
SourceRequireNoLog: true,
} }
} }
@ -50,8 +53,8 @@ type ServerConfig struct {
ProviderName string `toml:"provider_name"` ProviderName string `toml:"provider_name"`
Address string Address string
PublicKey string `toml:"public_key"` PublicKey string `toml:"public_key"`
NoLog bool `toml:"no_log"`
DNSSEC bool `toml:"dnssec"` DNSSEC bool `toml:"dnssec"`
NoLog bool `toml:"no_log"`
} }
type SourceConfig struct { type SourceConfig struct {
@ -131,6 +134,15 @@ func ConfigLoad(proxy *Proxy, svcFlag *string, config_file string) error {
proxy.blockNameLogFile = config.BlockName.LogFile proxy.blockNameLogFile = config.BlockName.LogFile
proxy.forwardFile = config.ForwardFile proxy.forwardFile = config.ForwardFile
requiredProps := ServerInformalProperties(0)
if config.SourceRequireDNSSEC {
requiredProps |= ServerInformalPropertyDNSSEC
}
if config.SourceRequireNoLog {
requiredProps |= ServerInformalPropertyNoLog
}
for sourceName, source := range config.SourcesConfig { for sourceName, source := range config.SourcesConfig {
if source.URL == "" { if source.URL == "" {
return fmt.Errorf("Missing URL for source [%s]", sourceName) return fmt.Errorf("Missing URL for source [%s]", sourceName)
@ -158,7 +170,11 @@ func ConfigLoad(proxy *Proxy, svcFlag *string, config_file string) error {
continue continue
} }
for _, registeredServer := range registeredServers { for _, registeredServer := range registeredServers {
if len(config.ServerNames) > 0 && !includesName(config.ServerNames, registeredServer.name) { if len(config.ServerNames) > 0 {
if !includesName(config.ServerNames, registeredServer.name) {
continue
}
} else if registeredServer.stamp.props&requiredProps != requiredProps {
continue continue
} }
dlog.Infof("Adding [%s] to the set of wanted resolvers", registeredServer.name) dlog.Infof("Adding [%s] to the set of wanted resolvers", registeredServer.name)
@ -180,7 +196,14 @@ func ConfigLoad(proxy *Proxy, svcFlag *string, config_file string) error {
if len(serverConfig.Stamp) > 0 { if len(serverConfig.Stamp) > 0 {
dlog.Fatal("Stamps are not implemented yet") dlog.Fatal("Stamps are not implemented yet")
} else { } else {
stamp, err = NewServerStampFromLegacy(serverConfig.Address, serverConfig.PublicKey, serverConfig.ProviderName) props := ServerInformalProperties(0)
if serverConfig.DNSSEC {
props |= ServerInformalPropertyDNSSEC
}
if serverConfig.NoLog {
props |= ServerInformalPropertyNoLog
}
stamp, err = NewServerStampFromLegacy(serverConfig.Address, serverConfig.PublicKey, serverConfig.ProviderName, props)
if err != nil { if err != nil {
return err return err
} }
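Review bot: The property filter at `} else if registeredServer.stamp.props&requiredProps != requiredProps {` is skipped entirely whenever server_names is non-empty, so require_dnssec and require_nolog are silently ignored for an explicitly named server even when it comes from a remote source and lacks the property. If that override is intended, say so next to the new fields, e.g. `// SourceRequireDNSSEC and SourceRequireNoLog apply only when ServerNames is empty; an explicit server_names list overrides them.`; otherwise move the property test out of the `else` so it runs in both branches. The bits being tested are whatever the source list or static config declared about the server, so this filter expresses a requirement on self-reported properties, not a verified guarantee, which is worth stating in the same comment. ConfigLoad starts and ends outside the hunk.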


@ -22,6 +22,15 @@
listen_addresses = ["127.0.0.1:53", "[::1]:53"] listen_addresses = ["127.0.0.1:53", "[::1]:53"]
## Require servers defined by remote sources to satisfy specific properties
# Server must support DNS security extensions
require_dnssec = false
# Server must not log user queries
require_nolog = true
## Whether to the server as a background process (linux only) ## Whether to the server as a background process (linux only)
## Do not set to true if you are using systemd ## Do not set to true if you are using systemd


@ -19,10 +19,18 @@ const (
DefaultPort = 443 DefaultPort = 443
) )
type ServerInformalProperties uint64
const (
ServerInformalPropertyDNSSEC = ServerInformalProperties(1) << 0
ServerInformalPropertyNoLog = ServerInformalProperties(1) << 1
)
type ServerStamp struct { type ServerStamp struct {
serverAddrStr string serverAddrStr string
serverPkStr string serverPkStr string
providerName string providerName string
props ServerInformalProperties
} }
type RegisteredServer struct { type RegisteredServer struct {
@ -30,7 +38,7 @@ type RegisteredServer struct {
stamp ServerStamp stamp ServerStamp
} }
func NewServerStampFromLegacy(serverAddrStr string, serverPkStr string, providerName string) (ServerStamp, error) { func NewServerStampFromLegacy(serverAddrStr string, serverPkStr string, providerName string, props ServerInformalProperties) (ServerStamp, error) {
if net.ParseIP(serverAddrStr) != nil { if net.ParseIP(serverAddrStr) != nil {
serverAddrStr = fmt.Sprintf("%s:%d", serverAddrStr, DefaultPort) serverAddrStr = fmt.Sprintf("%s:%d", serverAddrStr, DefaultPort)
} }
@ -38,6 +46,7 @@ func NewServerStampFromLegacy(serverAddrStr string, serverPkStr string, provider
serverAddrStr: serverAddrStr, serverAddrStr: serverAddrStr,
serverPkStr: serverPkStr, serverPkStr: serverPkStr,
providerName: providerName, providerName: providerName,
props: props,
}, nil }, nil
} }
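Review bot: The new exported type `ServerInformalProperties` and the two `ServerInformalProperty*` constants at the top of the first hunk have no doc comments, and the name alone does not say what "informal" means. Suggest `// ServerInformalProperties is a bit set of properties a resolver declares about itself (DNSSEC validation, no query logging). They come from the source list or the static config; as far as this change shows nothing verifies them against the resolver's actual behaviour.` above the type, with a one-line comment on each constant. The same caveat belongs on the new `props` field of ServerStamp, and the signature change to NewServerStampFromLegacy deserves a sentence saying the parameter is stored as-is. `ServerInformalProperties(1) << iota` would keep future flags from needing manual shift counts, though the explicit form is harmless.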


@ -145,7 +145,14 @@ func (source *Source) Parse() ([]RegisteredServer, error) {
serverAddrStr := record[10] serverAddrStr := record[10]
providerName := record[11] providerName := record[11]
serverPkStr := record[12] serverPkStr := record[12]
stamp, err := NewServerStampFromLegacy(serverAddrStr, serverPkStr, providerName) props := ServerInformalProperties(0)
if strings.EqualFold(record[7], "yes") {
props |= ServerInformalPropertyDNSSEC
}
if strings.EqualFold(record[8], "yes") {
props |= ServerInformalPropertyNoLog
}
stamp, err := NewServerStampFromLegacy(serverAddrStr, serverPkStr, providerName, props)
if err != nil { if err != nil {
return registeredServers, err return registeredServers, err
} }
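Review bot: The indexes `record[7]` and `record[8]` are bare magic numbers next to the already bare 10, 11 and 12, and the hunk gives no hint which columns of the legacy CSV they are; a comment such as `// legacy list format (assumed, confirm against the source): column 7 = DNSSEC, column 8 = no logs, both "yes"/"no"; columns 10-12 = address, provider name, public key` would make the parsing readable. Only an exact case-insensitive `yes` sets a bit, so a cell with surrounding whitespace leaves the flag clear and, with require_nolog defaulting to true, that server is silently dropped; `strings.EqualFold(strings.TrimSpace(record[7]), "yes")` tolerates that if the format permits it. That the record has at least 13 fields is presumably checked earlier in Parse, which starts and ends outside the hunk; the new indexes are below the existing ones, so no new bounds risk is introduced.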