diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py index 079c584ba..4db1d7495 100755 --- a/smoketest/scripts/cli/test_service_dns_forwarding.py +++ b/smoketest/scripts/cli/test_service_dns_forwarding.py @@ -1,295 +1,305 @@ #!/usr/bin/env python3 # # Copyright (C) 2019-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import re import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSessionError from vyos.template import bracketize_ipv6 from vyos.utils.file import read_file from vyos.utils.process import process_named_running PDNS_REC_RUN_DIR = '/run/pdns-recursor' CONFIG_FILE = f'{PDNS_REC_RUN_DIR}/recursor.conf' FORWARD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.forward-zones.conf' HOSTSD_FILE = f'{PDNS_REC_RUN_DIR}/recursor.vyos-hostsd.conf.lua' PROCESS_NAME= 'pdns_recursor' base_path = ['service', 'dns', 'forwarding'] allow_from = ['192.0.2.0/24', '2001:db8::/32'] listen_adress = ['127.0.0.1', '::1'] def get_config_value(key, file=CONFIG_FILE): tmp = read_file(file) tmp = re.findall(r'\n{}=+(.*)'.format(key), tmp) return tmp[0] class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): super(TestServicePowerDNS, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) cls.cli_delete(cls, base_path) def tearDown(self): # Check for running process self.assertTrue(process_named_running(PROCESS_NAME)) # Delete DNS forwarding configuration self.cli_delete(base_path) self.cli_commit() # Check for running process self.assertFalse(process_named_running(PROCESS_NAME)) def setUp(self): # forward to base class super().setUp() for network in allow_from: self.cli_set(base_path + ['allow-from', network]) for address in listen_adress: self.cli_set(base_path + ['listen-address', address]) def test_basic_forwarding(self): # Check basic DNS forwarding settings cache_size = '20' negative_ttl = '120' # remove code from setUp() as in this test-case we validate the proper # handling of assertions when specific CLI nodes are missing self.cli_delete(base_path) self.cli_set(base_path + ['cache-size', cache_size]) self.cli_set(base_path + ['negative-ttl', negative_ttl]) # check validate() - allow from must be defined with self.assertRaises(ConfigSessionError): self.cli_commit() for network in allow_from: self.cli_set(base_path + ['allow-from', network]) # check validate() - listen-address must be defined with self.assertRaises(ConfigSessionError): self.cli_commit() for address in listen_adress: self.cli_set(base_path + ['listen-address', address]) # configure DNSSEC self.cli_set(base_path + ['dnssec', 'validate']) # Do not use local /etc/hosts file in name resolution self.cli_set(base_path + ['ignore-hosts-file']) # commit changes self.cli_commit() # Check configured cache-size tmp = get_config_value('max-cache-entries') self.assertEqual(tmp, cache_size) # Networks allowed to query this server tmp = get_config_value('allow-from') self.assertEqual(tmp, ','.join(allow_from)) # Addresses to listen for DNS queries tmp = get_config_value('local-address') self.assertEqual(tmp, ','.join(listen_adress)) # Maximum amount of time negative entries are cached tmp = get_config_value('max-negative-ttl') self.assertEqual(tmp, negative_ttl) # Do not use local /etc/hosts file in name resolution tmp = get_config_value('export-etc-hosts') self.assertEqual(tmp, 'no') # RFC1918 addresses are looked up by default tmp = get_config_value('serve-rfc1918') self.assertEqual(tmp, 'yes') # verify default port configuration tmp = get_config_value('local-port') self.assertEqual(tmp, '53') def test_dnssec(self): # DNSSEC option testing options = ['off', 'process-no-validate', 'process', 'log-fail', 'validate'] for option in options: self.cli_set(base_path + ['dnssec', option]) # commit changes self.cli_commit() tmp = get_config_value('dnssec') self.assertEqual(tmp, option) def test_external_nameserver(self): # Externe Domain Name Servers (DNS) addresses nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}} for h,p in nameservers.items(): if 'port' in p: self.cli_set(base_path + ['name-server', h, 'port', p['port']]) else: self.cli_set(base_path + ['name-server', h]) # commit changes self.cli_commit() tmp = get_config_value(r'\+.', file=FORWARD_FILE) canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p) for (h, p) in nameservers.items()] self.assertEqual(tmp, ', '.join(canonical_entries)) # Do not use local /etc/hosts file in name resolution # default: yes tmp = get_config_value('export-etc-hosts') self.assertEqual(tmp, 'yes') def test_domain_forwarding(self): domains = ['vyos.io', 'vyos.net', 'vyos.com'] nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}} for domain in domains: for h,p in nameservers.items(): if 'port' in p: self.cli_set(base_path + ['domain', domain, 'name-server', h, 'port', p['port']]) else: self.cli_set(base_path + ['domain', domain, 'name-server', h]) # Test 'recursion-desired' flag for only one domain if domain == domains[0]: self.cli_set(base_path + ['domain', domain, 'recursion-desired']) # Test 'negative trust anchor' flag for the second domain only if domain == domains[1]: self.cli_set(base_path + ['domain', domain, 'addnta']) # commit changes self.cli_commit() # Test configured name-servers hosts_conf = read_file(HOSTSD_FILE) for domain in domains: # Test 'recursion-desired' flag for the first domain only if domain == domains[0]: key =f'\+{domain}' else: key =f'{domain}' tmp = get_config_value(key, file=FORWARD_FILE) canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p) for (h, p) in nameservers.items()] self.assertEqual(tmp, ', '.join(canonical_entries)) # Test 'negative trust anchor' flag for the second domain only if domain == domains[1]: self.assertIn(f'addNTA("{domain}", "static")', hosts_conf) def test_no_rfc1918_forwarding(self): self.cli_set(base_path + ['no-serve-rfc1918']) # commit changes self.cli_commit() # verify configuration tmp = get_config_value('serve-rfc1918') self.assertEqual(tmp, 'no') def test_dns64(self): dns_prefix = '64:ff9b::/96' # Check dns64-prefix - must be prefix /96 self.cli_set(base_path + ['dns64-prefix', '2001:db8:aabb::/64']) with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(base_path + ['dns64-prefix', dns_prefix]) # commit changes self.cli_commit() # verify dns64-prefix configuration tmp = get_config_value('dns64-prefix') self.assertEqual(tmp, dns_prefix) def test_exclude_throttle_adress(self): exclude_throttle_adress_examples = [ '192.168.128.255', '10.0.0.0/25', '2001:db8:85a3:8d3:1319:8a2e:370:7348', '64:ff9b::/96' ] for exclude_throttle_adress in exclude_throttle_adress_examples: self.cli_set(base_path + ['exclude-throttle-address', exclude_throttle_adress]) # commit changes self.cli_commit() # verify dont-throttle-netmasks configuration tmp = get_config_value('dont-throttle-netmasks') self.assertEqual(tmp, ','.join(exclude_throttle_adress_examples)) def test_serve_stale_extension(self): server_stale = '20' self.cli_set(base_path + ['serve-stale-extension', server_stale]) # commit changes self.cli_commit() # verify configuration tmp = get_config_value('serve-stale-extensions') self.assertEqual(tmp, server_stale) def test_listening_port(self): # We can listen on a different port compared to '53' but only one at a time for port in ['10053', '10054']: self.cli_set(base_path + ['port', port]) # commit changes self.cli_commit() # verify local-port configuration tmp = get_config_value('local-port') self.assertEqual(tmp, port) def test_ecs_add_for(self): options = ['0.0.0.0/0', '!10.0.0.0/8', 'fc00::/7', '!fe80::/10'] for param in options: self.cli_set(base_path + ['options', 'ecs-add-for', param]) # commit changes self.cli_commit() # verify ecs_add_for configuration tmp = get_config_value('ecs-add-for') self.assertEqual(tmp, ','.join(options)) def test_ecs_ipv4_bits(self): option_value = '24' self.cli_set(base_path + ['options', 'ecs-ipv4-bits', option_value]) # commit changes self.cli_commit() # verify ecs_ipv4_bits configuration tmp = get_config_value('ecs-ipv4-bits') self.assertEqual(tmp, option_value) def test_edns_subnet_allow_list(self): options = ['192.0.2.1/32', 'example.com', 'fe80::/10'] for param in options: self.cli_set(base_path + ['options', 'edns-subnet-allow-list', param]) # commit changes self.cli_commit() # verify edns_subnet_allow_list configuration tmp = get_config_value('edns-subnet-allow-list') self.assertEqual(tmp, ','.join(options)) + def test_multiple_ns_records(self): + test_zone = 'example.com' + self.cli_set(base_path + ['authoritative-domain', test_zone, 'records', 'ns', 'test', 'target', f'ns1.{test_zone}']) + self.cli_set(base_path + ['authoritative-domain', test_zone, 'records', 'ns', 'test', 'target', f'ns2.{test_zone}']) + self.cli_commit() + zone_config = read_file(f'{PDNS_REC_RUN_DIR}/zone.{test_zone}.conf') + self.assertRegex(zone_config, fr'test\s+\d+\s+NS\s+ns1\.{test_zone}\.') + self.assertRegex(zone_config, fr'test\s+\d+\s+NS\s+ns2\.{test_zone}\.') + + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/service_dns_forwarding.py b/src/conf_mode/service_dns_forwarding.py index e8318a83e..70686534f 100755 --- a/src/conf_mode/service_dns_forwarding.py +++ b/src/conf_mode/service_dns_forwarding.py @@ -1,382 +1,382 @@ #!/usr/bin/env python3 # # Copyright (C) 2018-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os from sys import exit from glob import glob from vyos.config import Config from vyos.hostsd_client import Client as hostsd_client from vyos.template import render from vyos.template import bracketize_ipv6 from vyos.utils.network import interface_exists from vyos.utils.process import call from vyos.utils.permission import chown from vyos import ConfigError from vyos import airbag airbag.enable() pdns_rec_user_group = 'pdns' pdns_rec_run_dir = '/run/pdns-recursor' pdns_rec_lua_conf_file = f'{pdns_rec_run_dir}/recursor.conf.lua' pdns_rec_hostsd_lua_conf_file = f'{pdns_rec_run_dir}/recursor.vyos-hostsd.conf.lua' pdns_rec_hostsd_zones_file = f'{pdns_rec_run_dir}/recursor.forward-zones.conf' pdns_rec_config_file = f'{pdns_rec_run_dir}/recursor.conf' pdns_rec_systemd_override = '/run/systemd/system/pdns-recursor.service.d/override.conf' hostsd_tag = 'static' def get_config(config=None): if config: conf = config else: conf = Config() base = ['service', 'dns', 'forwarding'] if not conf.exists(base): return None dns = conf.get_config_dict(base, key_mangling=('-', '_'), no_tag_node_value_mangle=True, get_first_key=True, with_recursive_defaults=True) dns['config_file'] = pdns_rec_config_file dns['config_dir'] = os.path.dirname(pdns_rec_config_file) # some additions to the default dictionary if 'system' in dns: base_nameservers = ['system', 'name-server'] if conf.exists(base_nameservers): dns.update({'system_name_server': conf.return_values(base_nameservers)}) if 'authoritative_domain' in dns: dns['authoritative_zones'] = [] dns['authoritative_zone_errors'] = [] for node in dns['authoritative_domain']: zonedata = dns['authoritative_domain'][node] if ('disable' in zonedata) or (not 'records' in zonedata): continue zone = { 'name': node, 'file': "{}/zone.{}.conf".format(pdns_rec_run_dir, node), 'records': [], } recorddata = zonedata['records'] for rtype in [ 'a', 'aaaa', 'cname', 'mx', 'ns', 'ptr', 'txt', 'spf', 'srv', 'naptr' ]: if rtype not in recorddata: continue for subnode in recorddata[rtype]: if 'disable' in recorddata[rtype][subnode]: continue rdata = recorddata[rtype][subnode] if rtype in [ 'a', 'aaaa' ]: if not 'address' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one address is required') continue if subnode == 'any': subnode = '*' for address in rdata['address']: zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': address }) elif rtype in ['cname', 'ptr']: if not 'target' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: target is required') continue zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{}.'.format(rdata['target']) }) elif rtype == 'ns': if not 'target' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at leaast one target is required') + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one target is required') continue for target in rdata['target']: zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], - 'value': '{}.'.format(target) + 'value': f'{target}.' }) elif rtype == 'mx': if not 'server' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one server is required') continue for servername in rdata['server']: serverdata = rdata['server'][servername] zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{} {}.'.format(serverdata['priority'], servername) }) elif rtype == 'txt': if not 'value' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one value is required') continue for value in rdata['value']: zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': "\"{}\"".format(value.replace("\"", "\\\"")) }) elif rtype == 'spf': if not 'value' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: value is required') continue zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '"{}"'.format(rdata['value'].replace("\"", "\\\"")) }) elif rtype == 'srv': if not 'entry' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one entry is required') continue for entryno in rdata['entry']: entrydata = rdata['entry'][entryno] if not 'hostname' in entrydata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: hostname is required for entry {entryno}') continue if not 'port' in entrydata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: port is required for entry {entryno}') continue zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{} {} {} {}.'.format(entrydata['priority'], entrydata['weight'], entrydata['port'], entrydata['hostname']) }) elif rtype == 'naptr': if not 'rule' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one rule is required') continue for ruleno in rdata['rule']: ruledata = rdata['rule'][ruleno] flags = "" if 'lookup-srv' in ruledata: flags += "S" if 'lookup-a' in ruledata: flags += "A" if 'resolve-uri' in ruledata: flags += "U" if 'protocol-specific' in ruledata: flags += "P" if 'order' in ruledata: order = ruledata['order'] else: order = ruleno if 'regexp' in ruledata: regexp= ruledata['regexp'].replace("\"", "\\\"") else: regexp = '' if ruledata['replacement']: replacement = '{}.'.format(ruledata['replacement']) else: replacement = '' zone['records'].append({ 'name': subnode, 'type': rtype.upper(), 'ttl': rdata['ttl'], 'value': '{} {} "{}" "{}" "{}" {}'.format(order, ruledata['preference'], flags, ruledata['service'], regexp, replacement) }) dns['authoritative_zones'].append(zone) return dns def verify(dns): # bail out early - looks like removal from running config if not dns: return None if 'listen_address' not in dns: raise ConfigError('DNS forwarding requires a listen-address') if 'allow_from' not in dns: raise ConfigError('DNS forwarding requires an allow-from network') # we can not use dict_search() when testing for domain servers # as a domain will contains dot's which is out dictionary delimiter. if 'domain' in dns: for domain in dns['domain']: if 'name_server' not in dns['domain'][domain]: raise ConfigError(f'No server configured for domain {domain}!') if 'dns64_prefix' in dns: dns_prefix = dns['dns64_prefix'].split('/')[1] # RFC 6147 requires prefix /96 if int(dns_prefix) != 96: raise ConfigError('DNS 6to4 prefix must be of length /96') if ('authoritative_zone_errors' in dns) and dns['authoritative_zone_errors']: for error in dns['authoritative_zone_errors']: print(error) raise ConfigError('Invalid authoritative records have been defined') if 'system' in dns: if not 'system_name_server' in dns: print('Warning: No "system name-server" configured') return None def generate(dns): # bail out early - looks like removal from running config if not dns: return None render(pdns_rec_systemd_override, 'dns-forwarding/override.conf.j2', dns) render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns, user=pdns_rec_user_group, group=pdns_rec_user_group) render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns, user=pdns_rec_user_group, group=pdns_rec_user_group) render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.j2', dns, user=pdns_rec_user_group, group=pdns_rec_user_group) for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): os.unlink(zone_filename) if 'authoritative_zones' in dns: for zone in dns['authoritative_zones']: render(zone['file'], 'dns-forwarding/recursor.zone.conf.j2', zone, user=pdns_rec_user_group, group=pdns_rec_user_group) # if vyos-hostsd didn't create its files yet, create them (empty) for file in [pdns_rec_hostsd_lua_conf_file, pdns_rec_hostsd_zones_file]: with open(file, 'a'): pass chown(file, user=pdns_rec_user_group, group=pdns_rec_user_group) return None def apply(dns): systemd_service = 'pdns-recursor.service' # Reload systemd manager configuration call('systemctl daemon-reload') if not dns: # DNS forwarding is removed in the commit call(f'systemctl stop {systemd_service}') if os.path.isfile(pdns_rec_config_file): os.unlink(pdns_rec_config_file) for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): os.unlink(zone_filename) else: ### first apply vyos-hostsd config hc = hostsd_client() # add static nameservers to hostsd so they can be joined with other # sources hc.delete_name_servers([hostsd_tag]) if 'name_server' in dns: # 'name_server' is of the form # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) for (h, p) in dns['name_server'].items()] hc.add_name_servers({hostsd_tag: nslist}) # delete all nameserver tags hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor()) ## add nameserver tags - the order determines the nameserver order! # our own tag (static) hc.add_name_server_tags_recursor([hostsd_tag]) if 'system' in dns: hc.add_name_server_tags_recursor(['system']) else: hc.delete_name_server_tags_recursor(['system']) # add dhcp nameserver tags for configured interfaces if 'system_name_server' in dns: for interface in dns['system_name_server']: # system_name_server key contains both IP addresses and interface # names (DHCP) to use DNS servers. We need to check if the # value is an interface name - only if this is the case, add the # interface based DNS forwarder. if interface_exists(interface): hc.add_name_server_tags_recursor(['dhcp-' + interface, 'dhcpv6-' + interface ]) # hostsd will generate the forward-zones file # the list and keys() are required as get returns a dict, not list hc.delete_forward_zones(list(hc.get_forward_zones().keys())) if 'domain' in dns: zones = dns['domain'] for domain in zones.keys(): # 'name_server' is of the form # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) for (h, p) in zones[domain]['name_server'].items()] hc.add_forward_zones(zones) # hostsd generates NTAs for the authoritative zones # the list and keys() are required as get returns a dict, not list hc.delete_authoritative_zones(list(hc.get_authoritative_zones())) if 'authoritative_zones' in dns: hc.add_authoritative_zones(list(map(lambda zone: zone['name'], dns['authoritative_zones']))) # call hostsd to generate forward-zones and its lua-config-file hc.apply() ### finally (re)start pdns-recursor call(f'systemctl reload-or-restart {systemd_service}') if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)