<?xml version="1.0"?>
<!-- DNS forwarder configuration -->
<interfaceDefinition>
  <node name="service">
    <children>
      <node name="dns">
        <properties>
          <help>Domain Name System related services</help>
        </properties>
        <children>
          <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py">
            <properties>
              <help>DNS forwarding</help>
              <priority>918</priority>
            </properties>
            <children>
              <!-- Cache size for the forwarder; the unit is not stated in this
                   file. Input is limited to 0-2147483647 by the numeric validator,
                   and 10000 applies when the option is unset. -->
              <leafNode name="cache-size">
                <properties>
                  <help>DNS forwarding cache size</help>
                  <valueHelp>
                    <format>u32:0-2147483647</format>
                    <description>DNS forwarding cache size</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-2147483647"/>
                  </constraint>
                </properties>
                <defaultValue>10000</defaultValue>
              </leafNode>
              <!-- Multi-value list of interfaces whose DHCP-learned nameservers
                   become forwarding targets. Only tab completion is declared
                   (list_interfaces.py); there is no constraint element, so the
                   CLI itself accepts any string here.
                   NOTE(review): nameservers handed out over DHCP are chosen by
                   whoever runs that DHCP server. On segments that are not
                   trusted, explicitly configured upstreams are the safer choice. -->
              <leafNode name="dhcp">
                <properties>
                  <help>Interfaces whose DHCP client nameservers to forward requests to</help>
                  <completionHelp>
                    <script>${vyos_completion_dir}/list_interfaces.py</script>
                  </completionHelp>
                  <multi/>
                </properties>
              </leafNode>
              <!-- DNSSEC handling mode. The regex constraint lists the same five
                   values as completionHelp.
                   Security-relevant default: process-no-validate performs no
                   validation at all. Of the five modes only validate answers
                   bogus responses with SERVFAIL; log-fail validates RRSIGs but
                   only logs failures.
                   NOTE(review): the alternation has no explicit anchors. This
                   assumes the constraint engine anchors the pattern; confirm,
                   otherwise any value containing one of these words would pass. -->
              <leafNode name="dnssec">
                <properties>
                  <help>DNSSEC mode</help>
                  <completionHelp>
                    <list>off process-no-validate process log-fail validate</list>
                  </completionHelp>
                  <valueHelp>
                    <format>off</format>
                    <description>No DNSSEC processing whatsoever!</description>
                  </valueHelp>
                  <valueHelp>
                    <format>process-no-validate</format>
                    <description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description>
                  </valueHelp>
                  <valueHelp>
                    <format>process</format>
                    <description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description>
                  </valueHelp>
                  <valueHelp>
                    <format>log-fail</format>
                    <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description>
                  </valueHelp>
                  <valueHelp>
                    <format>validate</format>
                    <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description>
                  </valueHelp>
                  <constraint>
                    <regex>(off|process-no-validate|process|log-fail|validate)</regex>
                  </constraint>
                </properties>
                <defaultValue>process-no-validate</defaultValue>
              </leafNode>
              <!-- Per-domain forwarding: queries for the tag value are sent to the
                   servers listed below instead of the general upstreams.
                   The tag declares no constraint element, so the domain name
                   itself is not validated at the CLI level. -->
              <tagNode name="domain">
                <properties>
                  <help>Domain to forward to a custom DNS server</help>
                </properties>
                <children>
                  <!-- Upstream servers for this domain; multi-value. Two address
                       validators are listed; presumably matching either one is
                       enough (confirm against the constraint engine). -->
                  <leafNode name="server">
                    <properties>
                      <help>Domain Name Server (DNS) to forward queries to</help>
                      <valueHelp>
                        <format>ipv4</format>
                        <description>Domain Name Server (DNS) IPv4 address</description>
                      </valueHelp>
                      <valueHelp>
                        <format>ipv6</format>
                        <description>Domain Name Server (DNS) IPv6 address</description>
                      </valueHelp>
                      <multi/>
                      <constraint>
                        <validator name="ipv4-address"/>
                        <validator name="ipv6-address"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <!-- Valueless flag. A negative trust anchor marks the domain as
                       exempt from DNSSEC validation, so answers for it are
                       accepted unverified. Set it only for zones known to be
                       unsigned, never to silence validation failures. -->
                  <leafNode name="addnta">
                    <properties>
                      <help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                  <!-- Valueless flag: requests to the upstream carry the RD bit,
                       i.e. the upstream is asked to recurse on our behalf. -->
                  <leafNode name="recursion-desired">
                    <properties>
                      <help>Set the "recursion desired" bit in requests to the upstream nameserver</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </tagNode>
              <tagNode name="authoritative-domain">
                <properties>
                  <help>Domain to host authoritative records for</help>
                  <valueHelp>
                    <format>text</format>
                    <description>An absolute DNS name</description>
                  </valueHelp>
                  <constraint>
                    <regex>[-_a-zA-Z0-9.]{1,63}</regex>
                  </constraint>
                </properties>
                <children>
                  <node name="records">
                    <properties>
                      <help>DNS zone records</help>
                    </properties>
                    <children>
                      <!-- A records. The tag is the record name: @ for the zone root,
                           or 1 to 63 characters from [-_a-zA-Z0-9.]. The trailing
                           negative lookbehind rejects a value ending in a dot.
                           NOTE(review): the character class does not enforce label
                           structure (a leading dot, empty labels or a leading
                           hyphen all pass), and 63 caps the whole name rather than
                           each label. It also assumes the constraint engine anchors
                           the pattern; confirm. -->
                      <tagNode name="a">
                        <properties>
                          <help>"A" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- One or more IPv4 addresses for this name. REQUIRED is
                               only stated in the help text; nothing in this file
                               enforces it, so enforcement presumably sits in the
                               owner script. -->
                          <leafNode name="address">
                            <properties>
                              <help>IPv4 address [REQUIRED]</help>
                              <valueHelp>
                                <format>ipv4</format>
                                <description>IPv4 address</description>
                              </valueHelp>
                              <multi/>
                              <constraint>
                                <validator name="ipv4-address"/>
                              </constraint>
                            </properties>
                          </leafNode>
                          <!-- Shared fragments pulled in at build time; judging by
                               their file names they add the TTL and disable
                               children. Their content is not visible here. -->
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
                      <!-- AAAA records. The tag is the record name: @ for the zone
                           root, or 1 to 63 characters from [-_a-zA-Z0-9.] not ending
                           in a dot (negative lookbehind).
                           NOTE(review): label structure is not checked and the
                           pattern carries no explicit anchors; this assumes the
                           constraint engine anchors it. -->
                      <tagNode name="aaaa">
                        <properties>
                          <help>"AAAA" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- One or more IPv6 addresses for this name, checked by
                               the ipv6-address validator. REQUIRED appears only in
                               the help text. -->
                          <leafNode name="address">
                            <properties>
                              <help>IPv6 address [REQUIRED]</help>
                              <valueHelp>
                                <format>ipv6</format>
                                <description>IPv6 address</description>
                              </valueHelp>
                              <multi/>
                              <constraint>
                                <validator name="ipv6-address"/>
                              </constraint>
                            </properties>
                          </leafNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
                      <!-- CNAME records. The tag is the alias name: @ for the zone
                           root, or 1 to 63 characters from [-_a-zA-Z0-9.] not ending
                           in a dot.
                           NOTE(review): DNS does not allow a CNAME to coexist with
                           other data at the same name. This file accepts @ here and
                           cannot express that rule, so any such check would have to
                           live in the owner script. -->
                      <tagNode name="cname">
                        <properties>
                          <help>"CNAME" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- Single-valued target. Described as an absolute name,
                               yet the lookbehind rejects a trailing dot, so the
                               value is written without the root dot. The 63
                               character cap applies to the whole name. -->
                          <leafNode name="target">
                            <properties>
                              <help>Target DNS name [REQUIRED]</help>
                              <valueHelp>
                                <format>name.example.com</format>
                                <description>An absolute DNS name</description>
                              </valueHelp>
                              <constraint>
                                <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                              </constraint>
                            </properties>
                          </leafNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
                      <!-- MX records. The tag is the record name: @ for the zone root,
                           or 1 to 63 characters from [-_a-zA-Z0-9.] not ending in a
                           dot. Each mail exchanger is a nested tag under server. -->
                      <tagNode name="mx">
                        <properties>
                          <help>"MX" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- One tag per mail server host name; same name pattern
                               as other targets in this file (no trailing dot, at
                               most 63 characters in total). -->
                          <tagNode name="server">
                            <properties>
                              <help>Mail server [REQUIRED]</help>
                              <valueHelp>
                                <format>name.example.com</format>
                                <description>An absolute DNS name</description>
                              </valueHelp>
                              <constraint>
                                <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                              </constraint>
                            </properties>
                            <children>
                              <!-- Preference of this exchanger, default 10. The
                                   schema allows 1-999 only; the MX preference
                                   field on the wire is 16 bits, so 0 and values
                                   above 999 are valid DNS but not configurable
                                   here. -->
                              <leafNode name="priority">
                                <properties>
                                  <help>Server priority</help>
                                  <valueHelp>
                                    <format>u32:1-999</format>
                                    <description>Server priority (lower numbers are higher priority)</description>
                                  </valueHelp>
                                  <constraint>
                                    <validator name="numeric" argument="--range 1-999"/>
                                  </constraint>
                                </properties>
                                <defaultValue>10</defaultValue>
                              </leafNode>
                            </children>
                          </tagNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
                      <!-- PTR records. The tag is the record name: @ for the zone
                           root, or 1 to 63 characters from [-_a-zA-Z0-9.] not ending
                           in a dot.
                           NOTE(review): because 63 caps the whole name, long
                           reverse names (for example a full IPv6 nibble name
                           relative to a short zone) cannot be entered; confirm
                           whether that limit is intended. -->
                      <tagNode name="ptr">
                        <properties>
                          <help>"PTR" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- Single-valued host name the pointer resolves to,
                               written without the trailing root dot. -->
                          <leafNode name="target">
                            <properties>
                              <help>Target DNS name [REQUIRED]</help>
                              <valueHelp>
                                <format>name.example.com</format>
                                <description>An absolute DNS name</description>
                              </valueHelp>
                              <constraint>
                                <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                              </constraint>
                            </properties>
                          </leafNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
                      <!-- TXT records. The tag is the record name: @ for the zone
                           root, or 1 to 63 characters from [-_a-zA-Z0-9.] not ending
                           in a dot. -->
                      <tagNode name="txt">
                        <properties>
                          <help>"TXT" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- Multi-value free text: no constraint element is
                               declared, so content and length are unchecked at the
                               CLI level.
                               NOTE(review): whatever renders these strings into
                               resolver configuration has to quote or escape them
                               (quotes, backslashes, newlines); that code is not
                               visible here, so verify it in the owner script. -->
                          <leafNode name="value">
                            <properties>
                              <help>Record contents [REQUIRED]</help>
                              <valueHelp>
                                <format>text</format>
                                <description>Record contents</description>
                              </valueHelp>
                              <multi/>
                            </properties>
                          </leafNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
                      <!-- Records of the dedicated SPF type (not TXT). The tag is the
                           record name: @ for the zone root, or 1 to 63 characters
                           from [-_a-zA-Z0-9.] not ending in a dot.
                           NOTE(review): RFC 7208 retired the SPF record type; mail
                           receivers look up SPF policy in TXT records. A policy
                           published only through this node is unlikely to be
                           evaluated, so publish it under txt as well. -->
                      <tagNode name="spf">
                        <properties>
                          <help>"SPF" record (type=SPF)</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- Single free-text value; unlike the TXT value it is
                               not multi, and it likewise has no constraint element.
                               Quoting and escaping must happen where the value is
                               rendered, which is not visible here. -->
                          <leafNode name="value">
                            <properties>
                              <help>Record contents [REQUIRED]</help>
                              <valueHelp>
                                <format>text</format>
                                <description>Record contents</description>
                              </valueHelp>
                            </properties>
                          </leafNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
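                      <!-- SRV records. The tag is the record name: @ for the zone
                           root, or 1 to 63 characters from [-_a-zA-Z0-9.] not ending
                           in a dot. Each target is a numbered entry below.
                           NOTE(review): the pattern carries no explicit anchors;
                           this assumes the constraint engine anchors it. -->
                      <tagNode name="srv">
                        <properties>
                          <help>"SRV" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- Entry number is only an index (0-65535) that lets
                               several targets share one record name. -->
                          <tagNode name="entry">
                            <properties>
                              <help>Service entry [REQUIRED]</help>
                              <valueHelp>
                                <format>u32:0-65535</format>
                                <description>Entry number</description>
                              </valueHelp>
                              <constraint>
                                <validator name="numeric" argument="--range 0-65535"/>
                              </constraint>
                            </properties>
                            <children>
                              <!-- Target host, written without the trailing root
                                   dot; at most 63 characters in total. -->
                              <leafNode name="hostname">
                                <properties>
                                  <help>Server hostname [REQUIRED]</help>
                                  <valueHelp>
                                    <format>name.example.com</format>
                                    <description>An absolute DNS name</description>
                                  </valueHelp>
                                  <constraint>
                                    <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                                  </constraint>
                                </properties>
                              </leafNode>
                              <!-- The validator bound is 65535, the largest value
                                   the 16-bit SRV port field can hold, and now
                                   agrees with the range shown in valueHelp. -->
                              <leafNode name="port">
                                <properties>
                                  <help>Port number [REQUIRED]</help>
                                  <valueHelp>
                                    <format>u32:0-65535</format>
                                    <description>TCP/UDP port number</description>
                                  </valueHelp>
                                  <constraint>
                                    <validator name="numeric" argument="--range 0-65535"/>
                                  </constraint>
                                </properties>
                              </leafNode>
                              <!-- Lower values are tried first; default 10. -->
                              <leafNode name="priority">
                                <properties>
                                  <help>Entry priority</help>
                                  <valueHelp>
                                    <format>u32:0-65535</format>
                                    <description>Entry priority (lower numbers are higher priority)</description>
                                  </valueHelp>
                                  <constraint>
                                    <validator name="numeric" argument="--range 0-65535"/>
                                  </constraint>
                                </properties>
                                <defaultValue>10</defaultValue>
                              </leafNode>
                              <!-- Relative weight among entries of equal priority;
                                   default 0. -->
                              <leafNode name="weight">
                                <properties>
                                  <help>Entry weight</help>
                                  <valueHelp>
                                    <format>u32:0-65535</format>
                                    <description>Entry weight</description>
                                  </valueHelp>
                                  <constraint>
                                    <validator name="numeric" argument="--range 0-65535"/>
                                  </constraint>
                                </properties>
                                <defaultValue>0</defaultValue>
                              </leafNode>
                            </children>
                          </tagNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>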
                      <!-- NAPTR records. The tag is the record name: @ for the zone
                           root, or 1 to 63 characters from [-_a-zA-Z0-9.] not ending
                           in a dot. Each rewrite rule is a numbered rule below. -->
                      <tagNode name="naptr">
                        <properties>
                          <help>"NAPTR" record</help>
                          <valueHelp>
                            <format>text</format>
                            <description>A DNS name relative to the root record</description>
                          </valueHelp>
                          <valueHelp>
                            <format>@</format>
                            <description>Root record</description>
                          </valueHelp>
                          <constraint>
                            <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                          </constraint>
                        </properties>
                        <children>
                          <!-- Rule number is only an index (0-65535); evaluation
                               order comes from the order and preference leaves. -->
                          <tagNode name="rule">
                            <properties>
                              <help>NAPTR rule [REQUIRED]</help>
                              <valueHelp>
                                <format>u32:0-65535</format>
                                <description>Rule number</description>
                              </valueHelp>
                              <constraint>
                                <validator name="numeric" argument="--range 0-65535"/>
                              </constraint>
                            </properties>
                            <children>
                              <!-- No defaultValue is declared for order, unlike
                                   preference below. -->
                              <leafNode name="order">
                                <properties>
                                  <help>Rule order</help>
                                  <valueHelp>
                                    <format>u32:0-65535</format>
                                    <description>Rule order (lower order is evaluated first)</description>
                                  </valueHelp>
                                  <constraint>
                                    <validator name="numeric" argument="--range 0-65535"/>
                                  </constraint>
                                </properties>
                              </leafNode>
                              <leafNode name="preference">
                                <properties>
                                  <help>Rule preference</help>
                                  <valueHelp>
                                    <format>u32:0-65535</format>
                                    <description>Rule preference</description>
                                  </valueHelp>
                                  <constraint>
                                    <validator name="numeric" argument="--range 0-65535"/>
                                  </constraint>
                                </properties>
                                <defaultValue>0</defaultValue>
                              </leafNode>
                              <!-- The next four valueless leaves each switch on one
                                   NAPTR flag letter (S, A, U, P).
                                   NOTE(review): nothing in this file stops several
                                   flags being set on one rule; any exclusivity
                                   check would have to live in the owner script. -->
                              <leafNode name="lookup-srv">
                                <properties>
                                  <help>"S" flag</help>
                                  <valueless/>
                                </properties>
                              </leafNode>
                              <leafNode name="lookup-a">
                                <properties>
                                  <help>"A" flag</help>
                                  <valueless/>
                                </properties>
                              </leafNode>
                              <leafNode name="resolve-uri">
                                <properties>
                                  <help>"U" flag</help>
                                  <valueless/>
                                </properties>
                              </leafNode>
                              <leafNode name="protocol-specific">
                                <properties>
                                  <help>"P" flag</help>
                                  <valueless/>
                                </properties>
                              </leafNode>
                              <!-- One alphanumeric token starting with a letter (at
                                   most 32 characters), optionally followed by a
                                   plus sign and one more such token. -->
                              <leafNode name="service">
                                <properties>
                                  <help>Service type</help>
                                  <constraint>
                                    <regex>[a-zA-Z][a-zA-Z0-9]{0,31}(\+[a-zA-Z][a-zA-Z0-9]{0,31})?</regex>
                                  </constraint>
                                </properties>
                              </leafNode>
                              <!-- Free text: no constraint and no valueHelp, so any
                                   string passes CLI validation.
                                   NOTE(review): NAPTR expressions routinely contain
                                   delimiters, backslashes and quotes. The code that
                                   renders this value into resolver configuration
                                   must escape it; that code is not visible here,
                                   so verify it in the owner script. -->
                              <leafNode name="regexp">
                                <properties>
                                  <help>Regular expression</help>
                                </properties>
                              </leafNode>
                              <!-- Replacement name, written without the trailing
                                   root dot; at most 63 characters in total. -->
                              <leafNode name="replacement">
                                <properties>
                                  <help>Replacement DNS name</help>
                                  <valueHelp>
                                    <format>name.example.com</format>
                                    <description>An absolute DNS name</description>
                                  </valueHelp>
                                  <constraint>
                                    <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                                  </constraint>
                                </properties>
                              </leafNode>
                            </children>
                          </tagNode>
                          #include <include/dns/time-to-live.xml.i>
                          #include <include/generic-disable-node.xml.i>
                        </children>
                      </tagNode>
                    </children>
                  </node>
                  #include <include/generic-disable-node.xml.i>
                </children>
              </tagNode>
              <!-- Valueless flag: when set, the forwarder does not consult the
                   local hosts file when resolving names. -->
              <leafNode name="ignore-hosts-file">
                <properties>
                  <help>Do not use local /etc/hosts file in name resolution</help>
                  <valueless/>
                </properties>
              </leafNode>
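              <!-- Valueless flag: when set, the forwarder stops treating RFC1918
                   (private IPv4) address space as something it is authoritative
                   for.
                   NOTE(review): presumably this means reverse lookups for
                   private ranges are then sent upstream, which would expose
                   internal addressing to the upstream resolver. Confirm against
                   the owner script before enabling. -->
              <leafNode name="no-serve-rfc1918">
                <properties>
                  <help>Makes the server authoritatively not aware of RFC1918 addresses</help>
                  <valueless/>
                </properties>
              </leafNode>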
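              <!-- Source networks permitted to query the forwarder; multi-value.
                   This is the access control that keeps the service from acting
                   as an open resolver, so list only the prefixes that actually
                   need it.
                   NOTE(review): ip-prefix presumably checks syntax only, so a
                   catch-all prefix of length 0 would be accepted. No
                   defaultValue is declared here; whether at least one entry is
                   required is decided outside this file. -->
              <leafNode name="allow-from">
                <properties>
                  <help>Networks allowed to query this server</help>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IPv4 address and prefix length</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 address and prefix length</description>
                  </valueHelp>
                  <multi/>
                  <constraint>
                    <validator name="ip-prefix"/>
                  </constraint>
                </properties>
              </leafNode>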
              #include <include/listen-address.xml.i>
              <!-- Upper limit, in seconds, on how long negative (NXDOMAIN) answers
                   stay cached: 0-7200, default 3600. -->
              <leafNode name="negative-ttl">
                <properties>
                  <help>Maximum amount of time negative entries are cached</help>
                  <valueHelp>
                    <format>u32:0-7200</format>
                    <description>Seconds to cache NXDOMAIN entries</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-7200"/>
                  </constraint>
                </properties>
                <defaultValue>3600</defaultValue>
              </leafNode>
              <!-- How long, in milliseconds, the forwarder waits for a remote
                   authoritative server to answer: 10-60000, default 1500. -->
              <leafNode name="timeout">
                <properties>
                  <help>Number of milliseconds to wait for a remote authoritative server to respond</help>
                  <valueHelp>
                    <format>u32:10-60000</format>
                    <description>Network timeout in milliseconds</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 10-60000"/>
                  </constraint>
                </properties>
                <defaultValue>1500</defaultValue>
              </leafNode>
              #include <include/name-server-ipv4-ipv6.xml.i>
              <!-- Local addresses used as the source of outgoing queries;
                   multi-value. Completion offers local IPs, while validation
                   accepts any syntactically valid IPv4 or IPv6 address
                   (presumably either validator suffices; confirm), so an address
                   not present on this host is not rejected here.
                   The default is both wildcard addresses, written as one
                   space-separated defaultValue. -->
              <leafNode name="source-address">
                <properties>
                  <help>Local addresses from which to send DNS queries</help>
                  <completionHelp>
                    <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
                  </completionHelp>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>IPv4 address from which to send traffic</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6</format>
                    <description>IPv6 address from which to send traffic</description>
                  </valueHelp>
                  <multi/>
                  <constraint>
                    <validator name="ipv4-address"/>
                    <validator name="ipv6-address"/>
                  </constraint>
                </properties>
                <defaultValue>0.0.0.0 ::</defaultValue>
              </leafNode>
              <!-- Valueless flag: forward to the name servers configured for the
                   system itself. Which servers that resolves to is decided by
                   the owner script and is not visible in this file. -->
              <leafNode name="system">
                <properties>
                  <help>Use system name servers</help>
                  <valueless/>
                </properties>
              </leafNode>
            </children>
          </node>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>