diff --git a/interface-definitions/service_dns_forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in
index b52b4bda3..5667028b7 100644
--- a/interface-definitions/service_dns_forwarding.xml.in
+++ b/interface-definitions/service_dns_forwarding.xml.in
@@ -1,801 +1,802 @@
<?xml version="1.0"?>
<!-- DNS forwarder configuration -->
<interfaceDefinition>
<node name="service">
<children>
<node name="dns">
<properties>
<help>Domain Name System (DNS) related services</help>
</properties>
<children>
<node name="forwarding" owner="${vyos_conf_scripts_dir}/service_dns_forwarding.py">
<properties>
<help>DNS forwarding</help>
<priority>918</priority>
</properties>
<children>
<leafNode name="cache-size">
<properties>
<help>DNS forwarding cache size</help>
<valueHelp>
<format>u32:0-2147483647</format>
<description>DNS forwarding cache size</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-2147483647"/>
</constraint>
</properties>
<defaultValue>10000</defaultValue>
</leafNode>
<leafNode name="dhcp">
<properties>
<help>Interfaces whose DHCP client nameservers to forward requests to</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
<multi/>
</properties>
</leafNode>
<leafNode name="dns64-prefix">
<properties>
<help>Help to communicate between IPv6-only client and IPv4-only server</help>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address and /96 only prefix length</description>
</valueHelp>
<constraint>
<validator name="ipv6-prefix"/>
</constraint>
</properties>
</leafNode>
<leafNode name="dnssec">
<properties>
<help>DNSSEC mode</help>
<completionHelp>
<list>off process-no-validate process log-fail validate</list>
</completionHelp>
<valueHelp>
<format>off</format>
<description>No DNSSEC processing whatsoever!</description>
</valueHelp>
<valueHelp>
<format>process-no-validate</format>
<description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description>
</valueHelp>
<valueHelp>
<format>process</format>
<description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description>
</valueHelp>
<valueHelp>
<format>log-fail</format>
<description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description>
</valueHelp>
<valueHelp>
<format>validate</format>
<description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description>
</valueHelp>
<constraint>
<regex>(off|process-no-validate|process|log-fail|validate)</regex>
</constraint>
</properties>
<defaultValue>process-no-validate</defaultValue>
</leafNode>
<tagNode name="domain">
<properties>
<help>Domain to forward to a custom DNS server</help>
<valueHelp>
<format>txt</format>
<description>An absolute DNS domain name</description>
</valueHelp>
<constraint>
<validator name="fqdn"/>
</constraint>
</properties>
<children>
#include <include/name-server-ipv4-ipv6-port.xml.i>
<leafNode name="addnta">
<properties>
<help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="recursion-desired">
<properties>
<help>Set the "recursion desired" bit in requests to the upstream nameserver</help>
<valueless/>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="authoritative-domain">
<properties>
<help>Domain to host authoritative records for</help>
<valueHelp>
<format>txt</format>
<description>An absolute DNS domain name</description>
</valueHelp>
<constraint>
<regex>((?!-)[-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex>
</constraint>
</properties>
<children>
<node name="records">
<properties>
<help>DNS zone records</help>
</properties>
<children>
<tagNode name="a">
<properties>
<help>A record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<valueHelp>
<format>any</format>
<description>Wildcard record (any subdomain)</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="address">
<properties>
<help>IPv4 address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv4-address"/>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="aaaa">
<properties>
<help>AAAA record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<valueHelp>
<format>any</format>
<description>Wildcard record (any subdomain)</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="address">
<properties>
<help>IPv6 address</help>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv6-address"/>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="cname">
<properties>
<help>CNAME record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="target">
<properties>
<help>Target DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="mx">
<properties>
<help>MX record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<tagNode name="server">
<properties>
<help>Mail server</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="priority">
<properties>
<help>Server priority</help>
<valueHelp>
<format>u32:1-999</format>
<description>Server priority (lower numbers are higher priority)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999"/>
</constraint>
</properties>
<defaultValue>10</defaultValue>
</leafNode>
</children>
</tagNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="ns">
<properties>
<help>NS record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="target">
<properties>
<help>Target DNS server authoritative for subdomain</help>
<valueHelp>
<format>nsXX.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
+ <multi/>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="ptr">
<properties>
<help>PTR record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="target">
<properties>
<help>Target DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="txt">
<properties>
<help>TXT record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="value">
<properties>
<help>Record contents</help>
<valueHelp>
<format>txt</format>
<description>Record contents</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="spf">
<properties>
<help>SPF record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="value">
<properties>
<help>Record contents</help>
<valueHelp>
<format>txt</format>
<description>Record contents</description>
</valueHelp>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="srv">
<properties>
<help>SRV record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<tagNode name="entry">
<properties>
<help>Service entry</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Entry number</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<children>
<leafNode name="hostname">
<properties>
<help>Server hostname</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="port">
<properties>
<help>Port number</help>
<valueHelp>
<format>u32:0-65535</format>
<description>TCP/UDP port number</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65536"/>
</constraint>
</properties>
</leafNode>
<leafNode name="priority">
<properties>
<help>Entry priority</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Entry priority (lower numbers are higher priority)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>10</defaultValue>
</leafNode>
<leafNode name="weight">
<properties>
<help>Entry weight</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Entry weight</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
</children>
</tagNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="naptr">
<properties>
<help>NAPTR record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>NAPTR rule</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Rule number</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<children>
<leafNode name="order">
<properties>
<help>Rule order</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Rule order (lower order is evaluated first)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
</leafNode>
<leafNode name="preference">
<properties>
<help>Rule preference</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Rule preference</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="lookup-srv">
<properties>
<help>S flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="lookup-a">
<properties>
<help>A flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="resolve-uri">
<properties>
<help>U flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="protocol-specific">
<properties>
<help>P flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="service">
<properties>
<help>Service type</help>
<constraint>
<regex>[a-zA-Z][a-zA-Z0-9]{0,31}(\+[a-zA-Z][a-zA-Z0-9]{0,31})?</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="regexp">
<properties>
<help>Regular expression</help>
</properties>
</leafNode>
<leafNode name="replacement">
<properties>
<help>Replacement DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
</children>
</tagNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
</children>
</node>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<leafNode name="ignore-hosts-file">
<properties>
<help>Do not use local /etc/hosts file in name resolution</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="no-serve-rfc1918">
<properties>
<help>Makes the server authoritatively not aware of RFC1918 addresses</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="allow-from">
<properties>
<help>Networks allowed to query this server</help>
<valueHelp>
<format>ipv4net</format>
<description>IP address and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address and prefix length</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ip-prefix"/>
</constraint>
</properties>
</leafNode>
#include <include/listen-address.xml.i>
#include <include/port-number.xml.i>
<leafNode name="port">
<defaultValue>53</defaultValue>
</leafNode>
<leafNode name="negative-ttl">
<properties>
<help>Maximum amount of time negative entries are cached</help>
<valueHelp>
<format>u32:0-7200</format>
<description>Seconds to cache NXDOMAIN entries</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-7200"/>
</constraint>
</properties>
<defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="serve-stale-extension">
<properties>
<help>Number of times the expired TTL of a record is extended by 30 seconds when serving stale</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Number of times to extend the TTL</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="timeout">
<properties>
<help>Number of milliseconds to wait for a remote authoritative server to respond</help>
<valueHelp>
<format>u32:10-60000</format>
<description>Network timeout in milliseconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 10-60000"/>
</constraint>
</properties>
<defaultValue>1500</defaultValue>
</leafNode>
#include <include/name-server-ipv4-ipv6-port.xml.i>
#include <include/source-address-ipv4-ipv6-multi.xml.i>
<leafNode name="source-address">
<defaultValue>0.0.0.0 ::</defaultValue>
</leafNode>
<leafNode name="system">
<properties>
<help>Use system name servers</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="exclude-throttle-address">
<properties>
<help>IP address or subnet</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address to match</description>
</valueHelp>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 prefix to match</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv4-address"/>
<validator name="ipv4-prefix"/>
<validator name="ipv6-address"/>
<validator name="ipv6-prefix"/>
</constraint>
</properties>
</leafNode>
<node name="options">
<properties>
<help>DNS server options</help>
</properties>
<children>
<leafNode name="ecs-add-for">
<properties>
<help>Client netmask for which EDNS Client Subnet will be added</help>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 prefix to match</description>
</valueHelp>
<valueHelp>
<format>!ipv4net</format>
<description>Match everything except the specified IPv4 prefix</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 prefix to match</description>
</valueHelp>
<valueHelp>
<format>!ipv6net</format>
<description>Match everything except the specified IPv6 prefix</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ipv4-prefix-exclude"/>
<validator name="ipv6-prefix"/>
<validator name="ipv6-prefix-exclude"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="ecs-ipv4-bits">
<properties>
<help>Number of bits of IPv4 address to pass for EDNS Client Subnet</help>
<valueHelp>
<format>u32:0-32</format>
<description>Number of bits of IPv4 address</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-32"/>
</constraint>
</properties>
</leafNode>
<leafNode name="edns-subnet-allow-list">
<properties>
<help>Netmask or domain that we should enable EDNS subnet for</help>
<valueHelp>
<format>txt</format>
<description>Netmask or domain</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
</children>
</node>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/src/conf_mode/service_dns_forwarding.py b/src/conf_mode/service_dns_forwarding.py
index 7e863073a..e8318a83e 100755
--- a/src/conf_mode/service_dns_forwarding.py
+++ b/src/conf_mode/service_dns_forwarding.py
@@ -1,369 +1,382 @@
#!/usr/bin/env python3
#
# Copyright (C) 2018-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from sys import exit
from glob import glob
from vyos.config import Config
from vyos.hostsd_client import Client as hostsd_client
from vyos.template import render
from vyos.template import bracketize_ipv6
from vyos.utils.network import interface_exists
from vyos.utils.process import call
from vyos.utils.permission import chown
from vyos import ConfigError
from vyos import airbag
airbag.enable()
pdns_rec_user_group = 'pdns'
pdns_rec_run_dir = '/run/pdns-recursor'
pdns_rec_lua_conf_file = f'{pdns_rec_run_dir}/recursor.conf.lua'
pdns_rec_hostsd_lua_conf_file = f'{pdns_rec_run_dir}/recursor.vyos-hostsd.conf.lua'
pdns_rec_hostsd_zones_file = f'{pdns_rec_run_dir}/recursor.forward-zones.conf'
pdns_rec_config_file = f'{pdns_rec_run_dir}/recursor.conf'
pdns_rec_systemd_override = '/run/systemd/system/pdns-recursor.service.d/override.conf'
hostsd_tag = 'static'
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['service', 'dns', 'forwarding']
if not conf.exists(base):
return None
dns = conf.get_config_dict(base, key_mangling=('-', '_'),
no_tag_node_value_mangle=True,
get_first_key=True,
with_recursive_defaults=True)
dns['config_file'] = pdns_rec_config_file
dns['config_dir'] = os.path.dirname(pdns_rec_config_file)
# some additions to the default dictionary
if 'system' in dns:
base_nameservers = ['system', 'name-server']
if conf.exists(base_nameservers):
dns.update({'system_name_server': conf.return_values(base_nameservers)})
if 'authoritative_domain' in dns:
dns['authoritative_zones'] = []
dns['authoritative_zone_errors'] = []
for node in dns['authoritative_domain']:
zonedata = dns['authoritative_domain'][node]
if ('disable' in zonedata) or (not 'records' in zonedata):
continue
zone = {
'name': node,
'file': "{}/zone.{}.conf".format(pdns_rec_run_dir, node),
'records': [],
}
recorddata = zonedata['records']
for rtype in [ 'a', 'aaaa', 'cname', 'mx', 'ns', 'ptr', 'txt', 'spf', 'srv', 'naptr' ]:
if rtype not in recorddata:
continue
for subnode in recorddata[rtype]:
if 'disable' in recorddata[rtype][subnode]:
continue
rdata = recorddata[rtype][subnode]
if rtype in [ 'a', 'aaaa' ]:
if not 'address' in rdata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one address is required')
continue
if subnode == 'any':
subnode = '*'
for address in rdata['address']:
zone['records'].append({
'name': subnode,
'type': rtype.upper(),
'ttl': rdata['ttl'],
'value': address
})
- elif rtype in ['cname', 'ptr', 'ns']:
+ elif rtype in ['cname', 'ptr']:
if not 'target' in rdata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: target is required')
continue
zone['records'].append({
'name': subnode,
'type': rtype.upper(),
'ttl': rdata['ttl'],
'value': '{}.'.format(rdata['target'])
})
+ elif rtype == 'ns':
+ if not 'target' in rdata:
+ dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at leaast one target is required')
+ continue
+
+ for target in rdata['target']:
+ zone['records'].append({
+ 'name': subnode,
+ 'type': rtype.upper(),
+ 'ttl': rdata['ttl'],
+ 'value': '{}.'.format(target)
+ })
+
elif rtype == 'mx':
if not 'server' in rdata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one server is required')
continue
for servername in rdata['server']:
serverdata = rdata['server'][servername]
zone['records'].append({
'name': subnode,
'type': rtype.upper(),
'ttl': rdata['ttl'],
'value': '{} {}.'.format(serverdata['priority'], servername)
})
elif rtype == 'txt':
if not 'value' in rdata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one value is required')
continue
for value in rdata['value']:
zone['records'].append({
'name': subnode,
'type': rtype.upper(),
'ttl': rdata['ttl'],
'value': "\"{}\"".format(value.replace("\"", "\\\""))
})
elif rtype == 'spf':
if not 'value' in rdata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: value is required')
continue
zone['records'].append({
'name': subnode,
'type': rtype.upper(),
'ttl': rdata['ttl'],
'value': '"{}"'.format(rdata['value'].replace("\"", "\\\""))
})
elif rtype == 'srv':
if not 'entry' in rdata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one entry is required')
continue
for entryno in rdata['entry']:
entrydata = rdata['entry'][entryno]
if not 'hostname' in entrydata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: hostname is required for entry {entryno}')
continue
if not 'port' in entrydata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: port is required for entry {entryno}')
continue
zone['records'].append({
'name': subnode,
'type': rtype.upper(),
'ttl': rdata['ttl'],
'value': '{} {} {} {}.'.format(entrydata['priority'], entrydata['weight'], entrydata['port'], entrydata['hostname'])
})
elif rtype == 'naptr':
if not 'rule' in rdata:
dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one rule is required')
continue
for ruleno in rdata['rule']:
ruledata = rdata['rule'][ruleno]
flags = ""
if 'lookup-srv' in ruledata:
flags += "S"
if 'lookup-a' in ruledata:
flags += "A"
if 'resolve-uri' in ruledata:
flags += "U"
if 'protocol-specific' in ruledata:
flags += "P"
if 'order' in ruledata:
order = ruledata['order']
else:
order = ruleno
if 'regexp' in ruledata:
regexp= ruledata['regexp'].replace("\"", "\\\"")
else:
regexp = ''
if ruledata['replacement']:
replacement = '{}.'.format(ruledata['replacement'])
else:
replacement = ''
zone['records'].append({
'name': subnode,
'type': rtype.upper(),
'ttl': rdata['ttl'],
'value': '{} {} "{}" "{}" "{}" {}'.format(order, ruledata['preference'], flags, ruledata['service'], regexp, replacement)
})
dns['authoritative_zones'].append(zone)
return dns
def verify(dns):
# bail out early - looks like removal from running config
if not dns:
return None
if 'listen_address' not in dns:
raise ConfigError('DNS forwarding requires a listen-address')
if 'allow_from' not in dns:
raise ConfigError('DNS forwarding requires an allow-from network')
# we can not use dict_search() when testing for domain servers
# as a domain will contains dot's which is out dictionary delimiter.
if 'domain' in dns:
for domain in dns['domain']:
if 'name_server' not in dns['domain'][domain]:
raise ConfigError(f'No server configured for domain {domain}!')
if 'dns64_prefix' in dns:
dns_prefix = dns['dns64_prefix'].split('/')[1]
# RFC 6147 requires prefix /96
if int(dns_prefix) != 96:
raise ConfigError('DNS 6to4 prefix must be of length /96')
if ('authoritative_zone_errors' in dns) and dns['authoritative_zone_errors']:
for error in dns['authoritative_zone_errors']:
print(error)
raise ConfigError('Invalid authoritative records have been defined')
if 'system' in dns:
if not 'system_name_server' in dns:
print('Warning: No "system name-server" configured')
return None
def generate(dns):
# bail out early - looks like removal from running config
if not dns:
return None
render(pdns_rec_systemd_override, 'dns-forwarding/override.conf.j2', dns)
render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns,
user=pdns_rec_user_group, group=pdns_rec_user_group)
render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns,
user=pdns_rec_user_group, group=pdns_rec_user_group)
render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.j2', dns,
user=pdns_rec_user_group, group=pdns_rec_user_group)
for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'):
os.unlink(zone_filename)
if 'authoritative_zones' in dns:
for zone in dns['authoritative_zones']:
render(zone['file'], 'dns-forwarding/recursor.zone.conf.j2',
zone, user=pdns_rec_user_group, group=pdns_rec_user_group)
# if vyos-hostsd didn't create its files yet, create them (empty)
for file in [pdns_rec_hostsd_lua_conf_file, pdns_rec_hostsd_zones_file]:
with open(file, 'a'):
pass
chown(file, user=pdns_rec_user_group, group=pdns_rec_user_group)
return None
def apply(dns):
systemd_service = 'pdns-recursor.service'
# Reload systemd manager configuration
call('systemctl daemon-reload')
if not dns:
# DNS forwarding is removed in the commit
call(f'systemctl stop {systemd_service}')
if os.path.isfile(pdns_rec_config_file):
os.unlink(pdns_rec_config_file)
for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'):
os.unlink(zone_filename)
else:
### first apply vyos-hostsd config
hc = hostsd_client()
# add static nameservers to hostsd so they can be joined with other
# sources
hc.delete_name_servers([hostsd_tag])
if 'name_server' in dns:
# 'name_server' is of the form
# {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...}
# canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...]
nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p)
for (h, p) in dns['name_server'].items()]
hc.add_name_servers({hostsd_tag: nslist})
# delete all nameserver tags
hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor())
## add nameserver tags - the order determines the nameserver order!
# our own tag (static)
hc.add_name_server_tags_recursor([hostsd_tag])
if 'system' in dns:
hc.add_name_server_tags_recursor(['system'])
else:
hc.delete_name_server_tags_recursor(['system'])
# add dhcp nameserver tags for configured interfaces
if 'system_name_server' in dns:
for interface in dns['system_name_server']:
# system_name_server key contains both IP addresses and interface
# names (DHCP) to use DNS servers. We need to check if the
# value is an interface name - only if this is the case, add the
# interface based DNS forwarder.
if interface_exists(interface):
hc.add_name_server_tags_recursor(['dhcp-' + interface,
'dhcpv6-' + interface ])
# hostsd will generate the forward-zones file
# the list and keys() are required as get returns a dict, not list
hc.delete_forward_zones(list(hc.get_forward_zones().keys()))
if 'domain' in dns:
zones = dns['domain']
for domain in zones.keys():
# 'name_server' is of the form
# {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...}
# canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...]
zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p)
for (h, p) in zones[domain]['name_server'].items()]
hc.add_forward_zones(zones)
# hostsd generates NTAs for the authoritative zones
# the list and keys() are required as get returns a dict, not list
hc.delete_authoritative_zones(list(hc.get_authoritative_zones()))
if 'authoritative_zones' in dns:
hc.add_authoritative_zones(list(map(lambda zone: zone['name'], dns['authoritative_zones'])))
# call hostsd to generate forward-zones and its lua-config-file
hc.apply()
### finally (re)start pdns-recursor
call(f'systemctl reload-or-restart {systemd_service}')
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)