From 9ac2a115a2289fc15af05b729596a6ad449c1727 Mon Sep 17 00:00:00 2001
From: khramshinr
Date: Tue, 30 Jan 2024 14:12:01 +0700
Subject: dns forwarding: T5687: Implement ECS settings for PowerDNS recursor

(cherry picked from commit eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f)
---
 data/templates/dns-forwarding/recursor.conf.j2 | 14 +++++++
 .../service_dns_forwarding.xml.in | 43 +++++++++++++++++++
 .../scripts/cli/test_service_dns_forwarding.py | 48 ++++++++++++++++++++++
 3 files changed, 105 insertions(+)

diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e4e8e7044..5ac872f19 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -57,3 +57,17 @@ serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
 forward-zones-file={{ config_dir }}/recursor.forward-zones.conf
+
+#ecs
+{% if options.ecs_add_for is vyos_defined %}
+ecs-add-for={{ options.ecs_add_for | join(',') }}
+{% endif %}
+
+{% if options.ecs_ipv4_bits is vyos_defined %}
+ecs-ipv4-bits={{ options.ecs_ipv4_bits }}
+{% endif %}
+
+{% if options.edns_subnet_allow_list is vyos_defined %}
+edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }}
+{% endif %}
+
diff --git a/interface-definitions/service_dns_forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in
index 0f8863438..b520af44d 100644
--- a/interface-definitions/service_dns_forwarding.xml.in
+++ b/interface-definitions/service_dns_forwarding.xml.in
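Review bot: Rendering `ecs-add-for` from the CLI value replaces the recursor's built-in list rather than extending it, and per the PowerDNS recursor documentation that built-in list is what keeps RFC1918, loopback and link-local client addresses from being sent upstream as EDNS Client Subnet; an operator who sets only `0.0.0.0/0` will therefore have private client prefixes forwarded to authoritative servers. A template comment above the option, `{# replaces the recursor default list, which excludes private ranges; negations such as !10.0.0.0/8 must be configured explicitly #}`, plus the same caveat in the CLI help text, would make that visible before it bites. `ecs-ipv4-bits` is exposed without an `ecs-ipv6-bits` counterpart, so the IPv6 prefix length sent upstream stays at the recursor default whatever the operator chooses for IPv4; if the knob exists to limit how much client locality is disclosed, the IPv6 one belongs next to it.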
@@ -735,6 +735,49 @@
+
+
+ DNS server options
+
+
+
+
+ List of client netmasks for which EDNS Client Subnet will be added
+
+ ipv4net
+ IP addresses or subnets, negation supported
+
+
+ ipv6net
+ IPv6 addresses or subnets, negation supported
+
+
+
+
+
+
+ Number of bits of IPv4 address to pass for EDNS Client Subnet
+
+ u32:0-32
+ Number of bits of IPv4 address
+
+
+
+
+
+
+
+
+ List of netmasks and domains that we should enable EDNS subnet for
+
+ txt
+ Netmask or domain
+
+
+
+
+
+
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index 652c4fa7b..2a32fa292 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -59,6 +59,12 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         # Check for running process
         self.assertFalse(process_named_running(PROCESS_NAME))
 
+    def _set_required_options(self):
+        for network in allow_from:
+            self.cli_set(base_path + ['allow-from', network])
+        for address in listen_adress:
+            self.cli_set(base_path + ['listen-address', address])
+
     def test_basic_forwarding(self):
         # Check basic DNS forwarding settings
         cache_size = '20'
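Review bot: `edns-subnet-allow-list` is declared with a bare `txt` format ("Netmask or domain") and no constraint is visible for it, so whatever the operator types is joined straight into `recursor.conf` and is only rejected when the recursor refuses the file at commit time (the XML tags are stripped in this rendering, so a validator may exist that I cannot see). The other two options do carry formats, `ipv4net`/`ipv6net` with negation for `ecs-add-for` and `u32:0-32` for `ecs-ipv4-bits`, so this one stands out; a `<constraint>` accepting an optionally `!`-negated IP prefix or an FQDN would keep malformed entries out of the generated config. The help text for `ecs-add-for` should also say that setting it replaces the recursor's default list rather than adding to it, since that is where the private-range exclusions live.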
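Review bot: `_set_required_options` relies on the module-level `allow_from` and `listen_adress` lists, which are defined outside this hunk and not visible here, so a reader of the new ECS tests has to go looking for what it actually sets; a one-line docstring, `"""Set the allow-from and listen-address values every commit of this service needs."""`, would cover that. The spelling `listen_adress` presumably matches the existing module name and is kept for that reason; if so it is worth a `# sic` note rather than a silent carry-over.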
@@ -294,5 +300,47 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         tmp = get_config_value('local-port')
         self.assertEqual(tmp, port)
 
+    def test_ecs_add_for(self):
+        self._set_required_options()
+
+        options = ['0.0.0.0/0', '!10.0.0.0/8', 'fc00::/7', '!fe80::/10']
+        for param in options:
+            self.cli_set(base_path + ['options', 'ecs-add-for', param])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify ecs_add_for configuration
+        tmp = get_config_value('ecs-add-for')
+        self.assertEqual(tmp, ','.join(options))
+
+    def test_ecs_ipv4_bits(self):
+        self._set_required_options()
+
+        option_value = '24'
+        self.cli_set(base_path + ['options', 'ecs-ipv4-bits', option_value])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify ecs_ipv4_bits configuration
+        tmp = get_config_value('ecs-ipv4-bits')
+        self.assertEqual(tmp, option_value)
+
+    def test_edns_subnet_allow_list(self):
+        self._set_required_options()
+
+        options = ['192.0.2.1/32', 'example.com', 'fe80::/10']
+        for param in options:
+            self.cli_set(base_path + ['options', 'edns-subnet-allow-list', param])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify edns_subnet_allow_list configuration
+        tmp = get_config_value('edns-subnet-allow-list')
+        self.assertEqual(tmp, ','.join(options))
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
-- 
cgit v1.2.3
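Review bot: All three new tests only confirm that an accepted value is rendered into `recursor.conf`; none checks that the `u32:0-32` bound declared for `ecs-ipv4-bits` is actually enforced, so a regression that loosens or drops that constraint would still pass this suite. A negative case that sets `33` and expects the session to reject it closes that gap, assuming the file imports `ConfigSessionError` from `vyos.configsession` as the other smoketests do (the import block is outside this hunk). The set/commit/`get_config_value`/assert sequence is also repeated verbatim in each test; a small helper taking the option path and the expected string would reduce the three bodies to a few lines each.

```python
    def test_ecs_ipv4_bits_out_of_range(self):
        self._set_required_options()
        # constraint checks run when the value is set, not at commit
        with self.assertRaises(ConfigSessionError):
            self.cli_set(base_path + ['options', 'ecs-ipv4-bits', '33'])
```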