Remove network rating / security level system, add migrations
@@ -58,7 +58,7 @@ var (
|
||||
cfgOptionNameServersOrder = 0
|
||||
|
||||
CfgOptionNoAssignedNameserversKey = "dns/noAssignedNameservers"
|
||||
noAssignedNameservers status.SecurityLevelOptionFunc
|
||||
noAssignedNameservers config.BoolOption
|
||||
cfgOptionNoAssignedNameserversOrder = 1
|
||||
|
||||
CfgOptionUseStaleCacheKey = "dns/useStaleCache"
|
||||
@@ -67,15 +67,15 @@ var (
|
||||
cfgOptionUseStaleCacheOrder = 2
|
||||
|
||||
CfgOptionNoMulticastDNSKey = "dns/noMulticastDNS"
|
||||
noMulticastDNS status.SecurityLevelOptionFunc
|
||||
noMulticastDNS config.BoolOption
|
||||
cfgOptionNoMulticastDNSOrder = 3
|
||||
|
||||
CfgOptionNoInsecureProtocolsKey = "dns/noInsecureProtocols"
|
||||
noInsecureProtocols status.SecurityLevelOptionFunc
|
||||
noInsecureProtocols config.BoolOption
|
||||
cfgOptionNoInsecureProtocolsOrder = 4
|
||||
|
||||
CfgOptionDontResolveSpecialDomainsKey = "dns/dontResolveSpecialDomains"
|
||||
dontResolveSpecialDomains status.SecurityLevelOptionFunc
|
||||
dontResolveSpecialDomains config.BoolOption
|
||||
cfgOptionDontResolveSpecialDomainsOrder = 16
|
||||
|
||||
CfgOptionNameserverRetryRateKey = "dns/nameserverRetryRate"
|
||||
@@ -201,22 +201,21 @@ When referring to the DNS server using a domain name, as with DoH, it is highly
|
||||
Name: "Ignore System/Network Servers",
|
||||
Key: CfgOptionNoAssignedNameserversKey,
|
||||
Description: "Ignore DNS servers configured in your system or network. This may break domains from your local network.",
|
||||
OptType: config.OptTypeInt,
|
||||
OptType: config.OptTypeBool,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
ReleaseLevel: config.ReleaseLevelStable,
|
||||
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
||||
PossibleValues: status.SecurityLevelValues,
|
||||
DefaultValue: false,
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayOrderAnnotation: cfgOptionNoAssignedNameserversOrder,
|
||||
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
|
||||
config.CategoryAnnotation: "Servers",
|
||||
"self:detail:specialUseDomains": specialUseDomains,
|
||||
},
|
||||
Migrations: []config.MigrationFunc{status.MigrateSecurityLevelToBoolean},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
noAssignedNameservers = status.SecurityLevelOption(CfgOptionNoAssignedNameserversKey)
|
||||
noAssignedNameservers = config.Concurrent.GetAsBool(CfgOptionNoAssignedNameserversKey, false)
|
||||
|
||||
useStaleCacheConfigOption = &config.Option{
|
||||
Name: "Always Use DNS Cache",
|
||||
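Review bot: The default for "Ignore System/Network Servers" drops from `status.SecurityLevelsHighAndExtreme` to `DefaultValue: false`, and `status.MigrateSecurityLevelToBoolean` is attached only as a migration of the stored value. If that migration runs solely on explicitly stored settings (its body is not in this diff), an installation that relied on the old High/Extreme default without ever writing the key will silently lose this restriction after the upgrade. Worth confirming how the migration treats an absent value and recording the intended outcome next to the `Migrations:` line, e.g. `// Old security-level values are migrated to bool; an unset (level-dependent) value now defaults to false.` The enclosing registration function starts before this hunk.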
@@ -241,42 +240,40 @@ When referring to the DNS server using a domain name, as with DoH, it is highly
|
||||
Name: "Ignore Multicast DNS",
|
||||
Key: CfgOptionNoMulticastDNSKey,
|
||||
Description: "Do not resolve using Multicast DNS. This may break certain Plug and Play devices and services.",
|
||||
OptType: config.OptTypeInt,
|
||||
OptType: config.OptTypeBool,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
ReleaseLevel: config.ReleaseLevelStable,
|
||||
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
||||
PossibleValues: status.SecurityLevelValues,
|
||||
DefaultValue: false,
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayOrderAnnotation: cfgOptionNoMulticastDNSOrder,
|
||||
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
|
||||
config.CategoryAnnotation: "Resolving",
|
||||
"self:detail:multicastDomains": multicastDomains,
|
||||
},
|
||||
Migrations: []config.MigrationFunc{status.MigrateSecurityLevelToBoolean},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
noMulticastDNS = status.SecurityLevelOption(CfgOptionNoMulticastDNSKey)
|
||||
noMulticastDNS = config.Concurrent.GetAsBool(CfgOptionNoMulticastDNSKey, false)
|
||||
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Use Secure Protocols Only",
|
||||
Key: CfgOptionNoInsecureProtocolsKey,
|
||||
Description: "Never resolve using insecure protocols, ie. plain DNS. This may break certain local DNS services, which always use plain DNS.",
|
||||
OptType: config.OptTypeInt,
|
||||
OptType: config.OptTypeBool,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
ReleaseLevel: config.ReleaseLevelStable,
|
||||
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
||||
PossibleValues: status.SecurityLevelValues,
|
||||
DefaultValue: false,
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayOrderAnnotation: cfgOptionNoInsecureProtocolsOrder,
|
||||
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
|
||||
config.CategoryAnnotation: "Resolving",
|
||||
},
|
||||
Migrations: []config.MigrationFunc{status.MigrateSecurityLevelToBoolean},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
noInsecureProtocols = status.SecurityLevelOption(CfgOptionNoInsecureProtocolsKey)
|
||||
noInsecureProtocols = config.Concurrent.GetAsBool(CfgOptionNoInsecureProtocolsKey, false)
|
||||
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Block Unofficial TLDs",
|
||||
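Review bot: Each option in this hunk now registers `status.MigrateSecurityLevelToBoolean`, so the resolver package keeps importing `status` from the very subsystem this commit removes, while the `status.DisplayHintSecurityLevel` and `status.SecurityLevelOption` references it drops are replaced in the same edit. That coupling means the security-level code cannot be deleted later without touching every option registration here. Consider hosting the migration in `config` (or a dedicated migrations package) so `status` can be retired once the migrations are, e.g. `Migrations: []config.MigrationFunc{config.MigrateSecurityLevelToBoolean},` — the exact home is a project decision, but it should not be the package being removed. The enclosing registration function starts before and ends after this hunk.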
@@ -285,22 +282,21 @@ When referring to the DNS server using a domain name, as with DoH, it is highly
|
||||
"Block %s. Unofficial domains may pose a security risk. This setting does not affect .onion domains in the Tor Browser.",
|
||||
formatScopeList(specialServiceDomains),
|
||||
),
|
||||
OptType: config.OptTypeInt,
|
||||
OptType: config.OptTypeBool,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
ReleaseLevel: config.ReleaseLevelStable,
|
||||
DefaultValue: status.SecurityLevelsAll,
|
||||
PossibleValues: status.AllSecurityLevelValues,
|
||||
DefaultValue: true,
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayOrderAnnotation: cfgOptionDontResolveSpecialDomainsOrder,
|
||||
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
|
||||
config.CategoryAnnotation: "Resolving",
|
||||
"self:detail:specialServiceDomains": specialServiceDomains,
|
||||
},
|
||||
Migrations: []config.MigrationFunc{status.MigrateSecurityLevelToBoolean},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
dontResolveSpecialDomains = status.SecurityLevelOption(CfgOptionDontResolveSpecialDomainsKey)
|
||||
dontResolveSpecialDomains = config.Concurrent.GetAsBool(CfgOptionDontResolveSpecialDomainsKey, false)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
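Review bot: The fallback passed to `config.Concurrent.GetAsBool` on the last changed line of this hunk is `false`, while the same option is registered with `DefaultValue: true` and replaces a setting that was previously active at every security level (`SecurityLevelsAll`). If the fallback is what the getter yields whenever the stored value is missing or unreadable, this fails open: special-service domains such as .onion would be resolved over regular DNS in exactly the degraded case where blocking matters most. Change it to `dontResolveSpecialDomains = config.Concurrent.GetAsBool(CfgOptionDontResolveSpecialDomainsKey, true)` so the fallback matches the registered default and the pre-migration behaviour; the other three options in this commit use `false` consistently with their `DefaultValue`, so this one stands out. The enclosing registration function starts before this hunk.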
@@ -87,7 +87,6 @@ func (blocked *BlockedUpstreamError) Unwrap() error {
|
||||
type Query struct {
|
||||
FQDN string
|
||||
QType dns.Type
|
||||
SecurityLevel uint8
|
||||
NoCaching bool
|
||||
IgnoreFailing bool
|
||||
LocalResolversOnly bool
|
||||
|
||||
@@ -11,7 +11,7 @@ import (
|
||||
)
|
||||
|
||||
// ResolveIPAndValidate finds (reverse DNS), validates (forward DNS) and returns the domain name assigned to the given IP.
|
||||
func ResolveIPAndValidate(ctx context.Context, ip string, securityLevel uint8) (domain string, err error) {
|
||||
func ResolveIPAndValidate(ctx context.Context, ip string) (domain string, err error) {
|
||||
// get reversed DNS address
|
||||
reverseIP, err := dns.ReverseAddr(ip)
|
||||
if err != nil {
|
||||
@@ -21,9 +21,8 @@ func ResolveIPAndValidate(ctx context.Context, ip string, securityLevel uint8) (
|
||||
|
||||
// get PTR record
|
||||
q := &Query{
|
||||
FQDN: reverseIP,
|
||||
QType: dns.Type(dns.TypePTR),
|
||||
SecurityLevel: securityLevel,
|
||||
FQDN: reverseIP,
|
||||
QType: dns.Type(dns.TypePTR),
|
||||
}
|
||||
rrCache, err := Resolve(ctx, q)
|
||||
if err != nil || rrCache == nil {
|
||||
@@ -47,8 +46,7 @@ func ResolveIPAndValidate(ctx context.Context, ip string, securityLevel uint8) (
|
||||
|
||||
// get forward record
|
||||
q = &Query{
|
||||
FQDN: ptrName,
|
||||
SecurityLevel: securityLevel,
|
||||
FQDN: ptrName,
|
||||
}
|
||||
// IPv4/6 switch
|
||||
if strings.Contains(ip, ":") {
|
||||
|
||||
@@ -13,7 +13,7 @@ func testReverse(t *testing.T, ip, result, expectedErr string) {
|
||||
ctx, tracer := log.AddTracer(context.Background())
|
||||
defer tracer.Submit()
|
||||
|
||||
domain, err := ResolveIPAndValidate(ctx, ip, 0)
|
||||
domain, err := ResolveIPAndValidate(ctx, ip)
|
||||
if err != nil {
|
||||
tracer.Warning(err.Error())
|
||||
if expectedErr == "" || err.Error() != expectedErr {
|
||||
|
||||
@@ -259,7 +259,7 @@ func (q *Query) checkCompliance() error {
|
||||
}
|
||||
|
||||
// special TLDs
|
||||
if dontResolveSpecialDomains(q.SecurityLevel) &&
|
||||
if dontResolveSpecialDomains() &&
|
||||
domainInScope(q.dotPrefixedFQDN, specialServiceDomains) {
|
||||
return ErrSpecialDomainsDisabled
|
||||
}
|
||||
@@ -268,7 +268,7 @@ func (q *Query) checkCompliance() error {
|
||||
}
|
||||
|
||||
func (resolver *Resolver) checkCompliance(_ context.Context, q *Query) error {
|
||||
if noInsecureProtocols(q.SecurityLevel) {
|
||||
if noInsecureProtocols() {
|
||||
switch resolver.Info.Type {
|
||||
case ServerTypeDNS:
|
||||
return errInsecureProtocol
|
||||
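Review bot: On the new side of this hunk `q` is no longer read in `resolver.checkCompliance` — its only visible use, `q.SecurityLevel`, is removed — and `ctx` is already blanked in the same signature. If the lines between this hunk and the next (`@@ -285`) do not touch `q` either, make the unused parameter explicit with `func (resolver *Resolver) checkCompliance(_ context.Context, _ *Query) error`, or drop it if every caller lives in this package. The function body continues past the end of this hunk, so check the remaining lines before changing the signature.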
@@ -285,13 +285,13 @@ func (resolver *Resolver) checkCompliance(_ context.Context, q *Query) error {
|
||||
}
|
||||
}
|
||||
|
||||
if noAssignedNameservers(q.SecurityLevel) {
|
||||
if noAssignedNameservers() {
|
||||
if resolver.Info.Source == ServerSourceOperatingSystem {
|
||||
return errAssignedServer
|
||||
}
|
||||
}
|
||||
|
||||
if noMulticastDNS(q.SecurityLevel) {
|
||||
if noMulticastDNS() {
|
||||
if resolver.Info.Source == ServerSourceMDNS {
|
||||
return errMulticastDNS
|
||||
}
|
||||
|
||||