Documentation ¶
Overview ¶
Package dnsforward contains a DNS forwarding server.
Index ¶
- Constants
- func IsCommentOrEmpty(s string) (ok bool)
- func ValidateClientID(id string) (err error)
- func ValidateUpstreams(upstreams []string) (err error)
- type BlockingMode
- type DNSCreateParams
- type DNSCryptConfig
- type FilteringConfig
- type RDNSExchanger
- type Server
- func (s *Server) Close()
- func (s *Server) Exchange(ip net.IP) (host string, err error)
- func (s *Server) IsBlockedClient(ip net.IP, clientID string) (blocked bool, rule string)
- func (s *Server) IsRunning() bool
- func (s *Server) Prepare(config *ServerConfig) error
- func (s *Server) RDNSSettings() (localPTRResolvers []string, resolveClients, resolvePTR bool)
- func (s *Server) Reconfigure(config *ServerConfig) error
- func (s *Server) Resolve(host string) ([]net.IPAddr, error)
- func (s *Server) ResolvesPrivatePTR() (ok bool)
- func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)
- func (s *Server) Start() error
- func (s *Server) Stop() error
- func (s *Server) WriteDiskConfig(c *FilteringConfig)
- type ServerConfig
- type TLSConfig
Constants ¶
const DefaultTimeout = 10 * time.Second
DefaultTimeout is the default upstream timeout
Variables ¶
This section is empty.
Functions ¶
func IsCommentOrEmpty ¶ added in v0.107.0
IsCommentOrEmpty returns true of the string starts with a "#" character or is an empty string. This function is useful for filtering out non-upstream lines from upstream configs.
func ValidateClientID ¶ added in v0.105.0
ValidateClientID returns an error if id is not a valid ClientID.
func ValidateUpstreams ¶
ValidateUpstreams validates each upstream and returns an error if any upstream is invalid or if there are no default upstreams specified.
TODO(e.burkov): Move into aghnet or even into dnsproxy.
Types ¶
type BlockingMode ¶ added in v0.107.0
type BlockingMode string
BlockingMode is an enum of all allowed blocking modes.
const ( // BlockingModeCustomIP means respond with a custom IP address. BlockingModeCustomIP BlockingMode = "custom_ip" // BlockingModeDefault is the same as BlockingModeNullIP for // Adblock-style rules, but responds with the IP address specified in // the rule when blocked by an `/etc/hosts`-style rule. BlockingModeDefault BlockingMode = "default" // BlockingModeNullIP means respond with a zero IP address: "0.0.0.0" // for A requests and "::" for AAAA ones. BlockingModeNullIP BlockingMode = "null_ip" // BlockingModeNXDOMAIN means respond with the NXDOMAIN code. BlockingModeNXDOMAIN BlockingMode = "nxdomain" // BlockingModeREFUSED means respond with the REFUSED code. BlockingModeREFUSED BlockingMode = "refused" )
Allowed blocking modes.
type DNSCreateParams ¶
type DNSCreateParams struct { DNSFilter *filtering.DNSFilter Stats stats.Stats QueryLog querylog.QueryLog DHCPServer dhcpd.ServerInterface SubnetDetector *aghnet.SubnetDetector Anonymizer *aghnet.IPMut LocalDomain string }
DNSCreateParams are parameters to create a new server.
type DNSCryptConfig ¶ added in v0.105.0
type DNSCryptConfig struct { UDPListenAddrs []*net.UDPAddr TCPListenAddrs []*net.TCPAddr ProviderName string ResolverCert *dnscrypt.Cert Enabled bool }
DNSCryptConfig is the DNSCrypt server configuration struct.
type FilteringConfig ¶
type FilteringConfig struct { // FilterHandler is an optional additional filtering callback. FilterHandler func(clientAddr net.IP, clientID string, settings *filtering.Settings) `yaml:"-"` // GetCustomUpstreamByClient is a callback that returns upstreams // configuration based on the client IP address or ClientID. It returns // nil if there are no custom upstreams for the client. GetCustomUpstreamByClient func(id string) (conf *proxy.UpstreamConfig, err error) `yaml:"-"` ProtectionEnabled bool `yaml:"protection_enabled"` // whether or not use any of filtering features BlockingMode BlockingMode `yaml:"blocking_mode"` // mode how to answer filtered requests BlockingIPv4 net.IP `yaml:"blocking_ipv4"` // IP address to be returned for a blocked A request BlockingIPv6 net.IP `yaml:"blocking_ipv6"` // IP address to be returned for a blocked AAAA request BlockedResponseTTL uint32 `yaml:"blocked_response_ttl"` // if 0, then default is used (3600) // IP (or domain name) which is used to respond to DNS requests blocked by parental control or safe-browsing ParentalBlockHost string `yaml:"parental_block_host"` SafeBrowsingBlockHost string `yaml:"safebrowsing_block_host"` Ratelimit uint32 `yaml:"ratelimit"` // max number of requests per second from a given IP (0 to disable) RatelimitWhitelist []string `yaml:"ratelimit_whitelist"` // a list of whitelisted client IP addresses RefuseAny bool `yaml:"refuse_any"` // if true, refuse ANY requests UpstreamDNS []string `yaml:"upstream_dns"` UpstreamDNSFileName string `yaml:"upstream_dns_file"` BootstrapDNS []string `yaml:"bootstrap_dns"` // a list of bootstrap DNS for DoH and DoT (plain DNS only) AllServers bool `yaml:"all_servers"` // if true, parallel queries to all configured upstream servers are enabled FastestAddr bool `yaml:"fastest_addr"` // use Fastest Address algorithm // FastestTimeout replaces the default timeout for dialing IP addresses // when FastestAddr is true. FastestTimeout timeutil.Duration `yaml:"fastest_timeout"` AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked // TrustedProxies is the list of IP addresses and CIDR networks to detect // proxy servers addresses the DoH requests from which should be handled. // The value of nil or an empty slice for this field makes Proxy not trust // any address. TrustedProxies []string `yaml:"trusted_proxies"` CacheSize uint32 `yaml:"cache_size"` // DNS cache size (in bytes) CacheMinTTL uint32 `yaml:"cache_ttl_min"` // override TTL value (minimum) received from upstream server CacheMaxTTL uint32 `yaml:"cache_ttl_max"` // override TTL value (maximum) received from upstream server // CacheOptimistic defines if optimistic cache mechanism should be used. CacheOptimistic bool `yaml:"cache_optimistic"` BogusNXDomain []string `yaml:"bogus_nxdomain"` // transform responses with these IP addresses to NXDOMAIN AAAADisabled bool `yaml:"aaaa_disabled"` // Respond with an empty answer to all AAAA requests EnableDNSSEC bool `yaml:"enable_dnssec"` // Set AD flag in outcoming DNS request EnableEDNSClientSubnet bool `yaml:"edns_client_subnet"` // Enable EDNS Client Subnet option MaxGoroutines uint32 `yaml:"max_goroutines"` // Max. number of parallel goroutines for processing incoming requests // IpsetList is the ipset configuration that allows AdGuard Home to add // IP addresses of the specified domain names to an ipset list. Syntax: // // DOMAIN[,DOMAIN].../IPSET_NAME // IpsetList []string `yaml:"ipset"` }
FilteringConfig represents the DNS filtering configuration of AdGuard Home The zero FilteringConfig is empty and ready for use.
type RDNSExchanger ¶ added in v0.106.0
type RDNSExchanger interface { // Exchange tries to resolve the ip in a suitable way, e.g. either as // local or as external. Exchange(ip net.IP) (host string, err error) // ResolvesPrivatePTR returns true if the RDNSExchanger is able to // resolve PTR requests for locally-served addresses. ResolvesPrivatePTR() (ok bool) }
RDNSExchanger is a resolver for clients' addresses.
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is the main way to start a DNS server.
Example:
s := dnsforward.Server{} err := s.Start(nil) // will start a DNS server listening on default port 53, in a goroutine err := s.Reconfigure(ServerConfig{UDPListenAddr: &net.UDPAddr{Port: 53535}}) // will reconfigure running DNS server to listen on UDP port 53535 err := s.Stop() // will stop listening on port 53535 and cancel all goroutines err := s.Start(nil) // will start listening again, on port 53535, in a goroutine
The zero Server is empty and ready for use.
func NewCustomServer ¶ added in v0.105.0
NewCustomServer creates a new instance of *Server with custom internal proxy.
func NewServer ¶
func NewServer(p DNSCreateParams) (s *Server, err error)
NewServer creates a new instance of the dnsforward.Server Note: this function must be called only once
func (*Server) Close ¶
func (s *Server) Close()
Close gracefully closes the server. It is safe for concurrent use.
TODO(e.burkov): A better approach would be making Stop method waiting for all its workers finished. But it would require the upstream.Upstream to have the Close method to prevent from hanging while waiting for unresponsive server to respond.
func (*Server) IsBlockedClient ¶ added in v0.107.0
IsBlockedClient returns true if the client is blocked by the current access settings.
func (*Server) RDNSSettings ¶ added in v0.106.0
RDNSSettings returns the copy of actual RDNS configuration.
func (*Server) Reconfigure ¶
func (s *Server) Reconfigure(config *ServerConfig) error
Reconfigure applies the new configuration to the DNS server.
func (*Server) Resolve ¶
Resolve - get IP addresses by host name from an upstream server. No request/response filtering is performed. Query log and Stats are not updated. This method may be called before Start().
func (*Server) ResolvesPrivatePTR ¶ added in v0.107.0
ResolvesPrivatePTR implements the RDNSExchanger interface for *Server.
func (*Server) ServeHTTP ¶
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP is a HTTP handler method we use to provide DNS-over-HTTPS.
func (*Server) WriteDiskConfig ¶
func (s *Server) WriteDiskConfig(c *FilteringConfig)
WriteDiskConfig - write configuration
type ServerConfig ¶
type ServerConfig struct { UDPListenAddrs []*net.UDPAddr // UDP listen address TCPListenAddrs []*net.TCPAddr // TCP listen address UpstreamConfig *proxy.UpstreamConfig // Upstream DNS servers config OnDNSRequest func(d *proxy.DNSContext) FilteringConfig TLSConfig DNSCryptConfig TLSAllowUnencryptedDoH bool // UpstreamTimeout is the timeout for querying upstream servers. UpstreamTimeout time.Duration TLSv12Roots *x509.CertPool // list of root CAs for TLSv1.2 TLSCiphers []uint16 // list of TLS ciphers to use // Called when the configuration is changed by HTTP request ConfigModified func() // Register an HTTP handler HTTPRegister func(string, string, func(http.ResponseWriter, *http.Request)) // ResolveClients signals if the RDNS should resolve clients' addresses. ResolveClients bool // UsePrivateRDNS defines if the PTR requests for unknown addresses from // locally-served networks should be resolved via private PTR resolvers. UsePrivateRDNS bool // LocalPTRResolvers is a slice of addresses to be used as upstreams for // resolving PTR queries for local addresses. LocalPTRResolvers []string }
ServerConfig represents server configuration. The zero ServerConfig is empty and ready for use.
type TLSConfig ¶
type TLSConfig struct { TLSListenAddrs []*net.TCPAddr `yaml:"-" json:"-"` QUICListenAddrs []*net.UDPAddr `yaml:"-" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // PEM-encoded certificates chain CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded private key PrivateKey string `yaml:"private_key" json:"private_key"` CertificatePath string `yaml:"certificate_path" json:"certificate_path"` PrivateKeyPath string `yaml:"private_key_path" json:"private_key_path"` CertificateChainData []byte `yaml:"-" json:"-"` PrivateKeyData []byte `yaml:"-" json:"-"` // ServerName is the hostname of the server. Currently, it is only being // used for ClientID checking. ServerName string `yaml:"-" json:"-"` // contains filtered or unexported fields }
TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS