diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e4e8e7044..5ac872f19 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -1,59 +1,73 @@
{# j2lint: disable=single-statement-per-line #}
### Autogenerated by service_dns_forwarding.py ###
# XXX: pdns recursor doesn't like whitespace near entry separators,
# especially in the semicolon-separated lists of name servers.
# Please be careful if you edit the template.
# Non-configurable defaults
daemon=yes
threads=1
allow-from={{ allow_from | join(',') }}
log-common-errors=yes
non-local-bind=yes
query-local-address={{ source_address | join(',') }}
lua-config-file={{ config_dir }}/recursor.conf.lua
# cache-size
max-cache-entries={{ cache_size }}
# negative TTL for NXDOMAIN
max-negative-ttl={{ negative_ttl }}
# timeout
network-timeout={{ timeout }}
# ignore-hosts-file
export-etc-hosts={{ 'no' if ignore_hosts_file is vyos_defined else 'yes' }}
# listen-address
local-address={{ listen_address | join(',') }}
# listen-port
local-port={{ port }}
# dnssec
dnssec={{ dnssec }}
{% if dns64_prefix is vyos_defined %}
# dns64-prefix
dns64-prefix={{ dns64_prefix }}
{% endif %}
{% if exclude_throttle_address is vyos_defined %}
# dont-throttle-netmasks
dont-throttle-netmasks={{ exclude_throttle_address | join(',') }}
{% endif %}
{% if serve_stale_extension is vyos_defined %}
# serve-stale-extensions
serve-stale-extensions={{ serve_stale_extension }}
{% endif %}
# serve rfc1918 records
serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
# zones
auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
forward-zones-file={{ config_dir }}/recursor.forward-zones.conf
+
+#ecs
+{% if options.ecs_add_for is vyos_defined %}
+ecs-add-for={{ options.ecs_add_for | join(',') }}
+{% endif %}
+
+{% if options.ecs_ipv4_bits is vyos_defined %}
+ecs-ipv4-bits={{ options.ecs_ipv4_bits }}
+{% endif %}
+
+{% if options.edns_subnet_allow_list is vyos_defined %}
+edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }}
+{% endif %}
+
diff --git a/interface-definitions/service_dns_forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in
index 0f8863438..a54618e82 100644
--- a/interface-definitions/service_dns_forwarding.xml.in
+++ b/interface-definitions/service_dns_forwarding.xml.in
@@ -1,744 +1,801 @@
<?xml version="1.0"?>
<!-- DNS forwarder configuration -->
<interfaceDefinition>
<node name="service">
<children>
<node name="dns">
<properties>
<help>Domain Name System (DNS) related services</help>
</properties>
<children>
<node name="forwarding" owner="${vyos_conf_scripts_dir}/service_dns_forwarding.py">
<properties>
<help>DNS forwarding</help>
<priority>918</priority>
</properties>
<children>
<leafNode name="cache-size">
<properties>
<help>DNS forwarding cache size</help>
<valueHelp>
<format>u32:0-2147483647</format>
<description>DNS forwarding cache size</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-2147483647"/>
</constraint>
</properties>
<defaultValue>10000</defaultValue>
</leafNode>
<leafNode name="dhcp">
<properties>
<help>Interfaces whose DHCP client nameservers to forward requests to</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
<multi/>
</properties>
</leafNode>
<leafNode name="dns64-prefix">
<properties>
<help>Help to communicate between IPv6-only client and IPv4-only server</help>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address and /96 only prefix length</description>
</valueHelp>
<constraint>
<validator name="ipv6-prefix"/>
</constraint>
</properties>
</leafNode>
<leafNode name="dnssec">
<properties>
<help>DNSSEC mode</help>
<completionHelp>
<list>off process-no-validate process log-fail validate</list>
</completionHelp>
<valueHelp>
<format>off</format>
<description>No DNSSEC processing whatsoever!</description>
</valueHelp>
<valueHelp>
<format>process-no-validate</format>
<description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description>
</valueHelp>
<valueHelp>
<format>process</format>
<description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description>
</valueHelp>
<valueHelp>
<format>log-fail</format>
<description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description>
</valueHelp>
<valueHelp>
<format>validate</format>
<description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description>
</valueHelp>
<constraint>
<regex>(off|process-no-validate|process|log-fail|validate)</regex>
</constraint>
</properties>
<defaultValue>process-no-validate</defaultValue>
</leafNode>
<tagNode name="domain">
<properties>
<help>Domain to forward to a custom DNS server</help>
<valueHelp>
<format>txt</format>
<description>An absolute DNS domain name</description>
</valueHelp>
<constraint>
<validator name="fqdn"/>
</constraint>
</properties>
<children>
#include <include/name-server-ipv4-ipv6-port.xml.i>
<leafNode name="addnta">
<properties>
<help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="recursion-desired">
<properties>
<help>Set the "recursion desired" bit in requests to the upstream nameserver</help>
<valueless/>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="authoritative-domain">
<properties>
<help>Domain to host authoritative records for</help>
<valueHelp>
<format>txt</format>
<description>An absolute DNS domain name</description>
</valueHelp>
<constraint>
<validator name="fqdn"/>
</constraint>
</properties>
<children>
<node name="records">
<properties>
<help>DNS zone records</help>
</properties>
<children>
<tagNode name="a">
<properties>
<help>A record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<valueHelp>
<format>any</format>
<description>Wildcard record (any subdomain)</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="address">
<properties>
<help>IPv4 address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv4-address"/>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="aaaa">
<properties>
<help>AAAA record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<valueHelp>
<format>any</format>
<description>Wildcard record (any subdomain)</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="address">
<properties>
<help>IPv6 address</help>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv6-address"/>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="cname">
<properties>
<help>CNAME record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="target">
<properties>
<help>Target DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="mx">
<properties>
<help>MX record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<tagNode name="server">
<properties>
<help>Mail server</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="priority">
<properties>
<help>Server priority</help>
<valueHelp>
<format>u32:1-999</format>
<description>Server priority (lower numbers are higher priority)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999"/>
</constraint>
</properties>
<defaultValue>10</defaultValue>
</leafNode>
</children>
</tagNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="ns">
<properties>
<help>NS record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="target">
<properties>
<help>Target DNS server authoritative for subdomain</help>
<valueHelp>
<format>nsXX.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="ptr">
<properties>
<help>PTR record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="target">
<properties>
<help>Target DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="txt">
<properties>
<help>TXT record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="value">
<properties>
<help>Record contents</help>
<valueHelp>
<format>txt</format>
<description>Record contents</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="spf">
<properties>
<help>SPF record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<leafNode name="value">
<properties>
<help>Record contents</help>
<valueHelp>
<format>txt</format>
<description>Record contents</description>
</valueHelp>
</properties>
</leafNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="srv">
<properties>
<help>SRV record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<tagNode name="entry">
<properties>
<help>Service entry</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Entry number</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<children>
<leafNode name="hostname">
<properties>
<help>Server hostname</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="port">
<properties>
<help>Port number</help>
<valueHelp>
<format>u32:0-65535</format>
<description>TCP/UDP port number</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65536"/>
</constraint>
</properties>
</leafNode>
<leafNode name="priority">
<properties>
<help>Entry priority</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Entry priority (lower numbers are higher priority)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>10</defaultValue>
</leafNode>
<leafNode name="weight">
<properties>
<help>Entry weight</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Entry weight</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
</children>
</tagNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<tagNode name="naptr">
<properties>
<help>NAPTR record</help>
<valueHelp>
<format>txt</format>
<description>A DNS name relative to the root record</description>
</valueHelp>
<valueHelp>
<format>@</format>
<description>Root record</description>
</valueHelp>
<constraint>
<regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex>
</constraint>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>NAPTR rule</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Rule number</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<children>
<leafNode name="order">
<properties>
<help>Rule order</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Rule order (lower order is evaluated first)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
</leafNode>
<leafNode name="preference">
<properties>
<help>Rule preference</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Rule preference</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="lookup-srv">
<properties>
<help>S flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="lookup-a">
<properties>
<help>A flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="resolve-uri">
<properties>
<help>U flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="protocol-specific">
<properties>
<help>P flag</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="service">
<properties>
<help>Service type</help>
<constraint>
<regex>[a-zA-Z][a-zA-Z0-9]{0,31}(\+[a-zA-Z][a-zA-Z0-9]{0,31})?</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="regexp">
<properties>
<help>Regular expression</help>
</properties>
</leafNode>
<leafNode name="replacement">
<properties>
<help>Replacement DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>Absolute DNS name</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex>
</constraint>
</properties>
</leafNode>
</children>
</tagNode>
#include <include/dns/time-to-live.xml.i>
<leafNode name="ttl">
<defaultValue>300</defaultValue>
</leafNode>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
</children>
</node>
#include <include/generic-disable-node.xml.i>
</children>
</tagNode>
<leafNode name="ignore-hosts-file">
<properties>
<help>Do not use local /etc/hosts file in name resolution</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="no-serve-rfc1918">
<properties>
<help>Makes the server authoritatively not aware of RFC1918 addresses</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="allow-from">
<properties>
<help>Networks allowed to query this server</help>
<valueHelp>
<format>ipv4net</format>
<description>IP address and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address and prefix length</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ip-prefix"/>
</constraint>
</properties>
</leafNode>
#include <include/listen-address.xml.i>
#include <include/port-number.xml.i>
<leafNode name="port">
<defaultValue>53</defaultValue>
</leafNode>
<leafNode name="negative-ttl">
<properties>
<help>Maximum amount of time negative entries are cached</help>
<valueHelp>
<format>u32:0-7200</format>
<description>Seconds to cache NXDOMAIN entries</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-7200"/>
</constraint>
</properties>
<defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="serve-stale-extension">
<properties>
<help>Number of times the expired TTL of a record is extended by 30 seconds when serving stale</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Number of times to extend the TTL</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-65535"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="timeout">
<properties>
<help>Number of milliseconds to wait for a remote authoritative server to respond</help>
<valueHelp>
<format>u32:10-60000</format>
<description>Network timeout in milliseconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 10-60000"/>
</constraint>
</properties>
<defaultValue>1500</defaultValue>
</leafNode>
#include <include/name-server-ipv4-ipv6-port.xml.i>
#include <include/source-address-ipv4-ipv6-multi.xml.i>
<leafNode name="source-address">
<defaultValue>0.0.0.0 ::</defaultValue>
</leafNode>
<leafNode name="system">
<properties>
<help>Use system name servers</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="exclude-throttle-address">
<properties>
<help>IP address or subnet</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address to match</description>
</valueHelp>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 prefix to match</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv4-address"/>
<validator name="ipv4-prefix"/>
<validator name="ipv6-address"/>
<validator name="ipv6-prefix"/>
</constraint>
</properties>
</leafNode>
+ <node name="options">
+ <properties>
+ <help>DNS server options</help>
+ </properties>
+ <children>
+ <leafNode name="ecs-add-for">
+ <properties>
+ <help>Client netmask for which EDNS Client Subnet will be added</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 prefix to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4net</format>
+ <description>Match everything except the specified IPv4 prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 prefix to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6net</format>
+ <description>Match everything except the specified IPv6 prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv4-prefix-exclude"/>
+ <validator name="ipv6-prefix"/>
+ <validator name="ipv6-prefix-exclude"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="ecs-ipv4-bits">
+ <properties>
+ <help>Number of bits of IPv4 address to pass for EDNS Client Subnet</help>
+ <valueHelp>
+ <format>u32:0-32</format>
+ <description>Number of bits of IPv4 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-32"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="edns-subnet-allow-list">
+ <properties>
+ <help>Netmask or domain that we should enable EDNS subnet for</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Netmask or domain</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index 652c4fa7b..079c584ba 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -1,298 +1,295 @@
#!/usr/bin/env python3
#
# Copyright (C) 2019-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import re
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
from vyos.template import bracketize_ipv6
from vyos.utils.file import read_file
from vyos.utils.process import process_named_running
PDNS_REC_RUN_DIR = '/run/pdns-recursor'
CONFIG_FILE = f'{PDNS_REC_RUN_DIR}/recursor.conf'
FORWARD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.forward-zones.conf'
HOSTSD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.vyos-hostsd.conf.lua'
PROCESS_NAME= 'pdns_recursor'
base_path = ['service', 'dns', 'forwarding']
allow_from = ['192.0.2.0/24', '2001:db8::/32']
listen_adress = ['127.0.0.1', '::1']
def get_config_value(key, file=CONFIG_FILE):
tmp = read_file(file)
tmp = re.findall(r'\n{}=+(.*)'.format(key), tmp)
return tmp[0]
class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
@classmethod
def setUpClass(cls):
super(TestServicePowerDNS, cls).setUpClass()
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
cls.cli_delete(cls, base_path)
def tearDown(self):
# Check for running process
self.assertTrue(process_named_running(PROCESS_NAME))
# Delete DNS forwarding configuration
self.cli_delete(base_path)
self.cli_commit()
# Check for running process
self.assertFalse(process_named_running(PROCESS_NAME))
+ def setUp(self):
+ # forward to base class
+ super().setUp()
+ for network in allow_from:
+ self.cli_set(base_path + ['allow-from', network])
+ for address in listen_adress:
+ self.cli_set(base_path + ['listen-address', address])
+
def test_basic_forwarding(self):
# Check basic DNS forwarding settings
cache_size = '20'
negative_ttl = '120'
+ # remove code from setUp() as in this test-case we validate the proper
+ # handling of assertions when specific CLI nodes are missing
+ self.cli_delete(base_path)
+
self.cli_set(base_path + ['cache-size', cache_size])
self.cli_set(base_path + ['negative-ttl', negative_ttl])
# check validate() - allow from must be defined
with self.assertRaises(ConfigSessionError):
self.cli_commit()
for network in allow_from:
self.cli_set(base_path + ['allow-from', network])
# check validate() - listen-address must be defined
with self.assertRaises(ConfigSessionError):
self.cli_commit()
for address in listen_adress:
self.cli_set(base_path + ['listen-address', address])
# configure DNSSEC
self.cli_set(base_path + ['dnssec', 'validate'])
# Do not use local /etc/hosts file in name resolution
self.cli_set(base_path + ['ignore-hosts-file'])
# commit changes
self.cli_commit()
# Check configured cache-size
tmp = get_config_value('max-cache-entries')
self.assertEqual(tmp, cache_size)
# Networks allowed to query this server
tmp = get_config_value('allow-from')
self.assertEqual(tmp, ','.join(allow_from))
# Addresses to listen for DNS queries
tmp = get_config_value('local-address')
self.assertEqual(tmp, ','.join(listen_adress))
# Maximum amount of time negative entries are cached
tmp = get_config_value('max-negative-ttl')
self.assertEqual(tmp, negative_ttl)
# Do not use local /etc/hosts file in name resolution
tmp = get_config_value('export-etc-hosts')
self.assertEqual(tmp, 'no')
# RFC1918 addresses are looked up by default
tmp = get_config_value('serve-rfc1918')
self.assertEqual(tmp, 'yes')
# verify default port configuration
tmp = get_config_value('local-port')
self.assertEqual(tmp, '53')
def test_dnssec(self):
# DNSSEC option testing
-
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
options = ['off', 'process-no-validate', 'process', 'log-fail', 'validate']
for option in options:
self.cli_set(base_path + ['dnssec', option])
# commit changes
self.cli_commit()
tmp = get_config_value('dnssec')
self.assertEqual(tmp, option)
def test_external_nameserver(self):
# Externe Domain Name Servers (DNS) addresses
-
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}}
for h,p in nameservers.items():
if 'port' in p:
self.cli_set(base_path + ['name-server', h, 'port', p['port']])
else:
self.cli_set(base_path + ['name-server', h])
# commit changes
self.cli_commit()
tmp = get_config_value(r'\+.', file=FORWARD_FILE)
canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p)
for (h, p) in nameservers.items()]
self.assertEqual(tmp, ', '.join(canonical_entries))
# Do not use local /etc/hosts file in name resolution
# default: yes
tmp = get_config_value('export-etc-hosts')
self.assertEqual(tmp, 'yes')
def test_domain_forwarding(self):
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
domains = ['vyos.io', 'vyos.net', 'vyos.com']
nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}}
for domain in domains:
for h,p in nameservers.items():
if 'port' in p:
self.cli_set(base_path + ['domain', domain, 'name-server', h, 'port', p['port']])
else:
self.cli_set(base_path + ['domain', domain, 'name-server', h])
# Test 'recursion-desired' flag for only one domain
if domain == domains[0]:
self.cli_set(base_path + ['domain', domain, 'recursion-desired'])
# Test 'negative trust anchor' flag for the second domain only
if domain == domains[1]:
self.cli_set(base_path + ['domain', domain, 'addnta'])
# commit changes
self.cli_commit()
# Test configured name-servers
hosts_conf = read_file(HOSTSD_FILE)
for domain in domains:
# Test 'recursion-desired' flag for the first domain only
if domain == domains[0]: key =f'\+{domain}'
else: key =f'{domain}'
tmp = get_config_value(key, file=FORWARD_FILE)
canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p)
for (h, p) in nameservers.items()]
self.assertEqual(tmp, ', '.join(canonical_entries))
# Test 'negative trust anchor' flag for the second domain only
if domain == domains[1]:
self.assertIn(f'addNTA("{domain}", "static")', hosts_conf)
def test_no_rfc1918_forwarding(self):
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
self.cli_set(base_path + ['no-serve-rfc1918'])
# commit changes
self.cli_commit()
# verify configuration
tmp = get_config_value('serve-rfc1918')
self.assertEqual(tmp, 'no')
def test_dns64(self):
dns_prefix = '64:ff9b::/96'
-
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
# Check dns64-prefix - must be prefix /96
self.cli_set(base_path + ['dns64-prefix', '2001:db8:aabb::/64'])
with self.assertRaises(ConfigSessionError):
self.cli_commit()
self.cli_set(base_path + ['dns64-prefix', dns_prefix])
# commit changes
self.cli_commit()
# verify dns64-prefix configuration
tmp = get_config_value('dns64-prefix')
self.assertEqual(tmp, dns_prefix)
def test_exclude_throttle_adress(self):
exclude_throttle_adress_examples = [
'192.168.128.255',
'10.0.0.0/25',
'2001:db8:85a3:8d3:1319:8a2e:370:7348',
'64:ff9b::/96'
]
-
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
for exclude_throttle_adress in exclude_throttle_adress_examples:
self.cli_set(base_path + ['exclude-throttle-address', exclude_throttle_adress])
# commit changes
self.cli_commit()
# verify dont-throttle-netmasks configuration
tmp = get_config_value('dont-throttle-netmasks')
self.assertEqual(tmp, ','.join(exclude_throttle_adress_examples))
def test_serve_stale_extension(self):
server_stale = '20'
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
self.cli_set(base_path + ['serve-stale-extension', server_stale])
-
# commit changes
self.cli_commit()
-
# verify configuration
tmp = get_config_value('serve-stale-extensions')
self.assertEqual(tmp, server_stale)
def test_listening_port(self):
# We can listen on a different port compared to '53' but only one at a time
for port in ['10053', '10054']:
self.cli_set(base_path + ['port', port])
- for network in allow_from:
- self.cli_set(base_path + ['allow-from', network])
- for address in listen_adress:
- self.cli_set(base_path + ['listen-address', address])
-
# commit changes
self.cli_commit()
-
# verify local-port configuration
tmp = get_config_value('local-port')
self.assertEqual(tmp, port)
+ def test_ecs_add_for(self):
+ options = ['0.0.0.0/0', '!10.0.0.0/8', 'fc00::/7', '!fe80::/10']
+ for param in options:
+ self.cli_set(base_path + ['options', 'ecs-add-for', param])
+
+ # commit changes
+ self.cli_commit()
+ # verify ecs_add_for configuration
+ tmp = get_config_value('ecs-add-for')
+ self.assertEqual(tmp, ','.join(options))
+
+ def test_ecs_ipv4_bits(self):
+ option_value = '24'
+ self.cli_set(base_path + ['options', 'ecs-ipv4-bits', option_value])
+ # commit changes
+ self.cli_commit()
+ # verify ecs_ipv4_bits configuration
+ tmp = get_config_value('ecs-ipv4-bits')
+ self.assertEqual(tmp, option_value)
+
+ def test_edns_subnet_allow_list(self):
+ options = ['192.0.2.1/32', 'example.com', 'fe80::/10']
+ for param in options:
+ self.cli_set(base_path + ['options', 'edns-subnet-allow-list', param])
+
+ # commit changes
+ self.cli_commit()
+
+ # verify edns_subnet_allow_list configuration
+ tmp = get_config_value('edns-subnet-allow-list')
+ self.assertEqual(tmp, ','.join(options))
+
if __name__ == '__main__':
unittest.main(verbosity=2)