<?xml version="1.0"?>
<!-- DNS forwarder configuration -->
<!--
  Interface definition for the "service dns forwarding" CLI tree.
  This file only declares the node shape, help text, completion and
  input constraints; the committed values are handed to the owner script
  ${vyos_conf_scripts_dir}/dns_forwarding.py, which decides runtime behaviour.
  The "#include <include/...>" lines are not XML: they are expanded when the
  .xml.in template is built, so this raw file is not well-formed until then.
-->
<interfaceDefinition>
  <node name="service">
    <children>
      <node name="dns">
        <properties>
          <help>Domain Name System related services</help>
        </properties>
        <children>
          <!-- priority orders this node relative to other config nodes at commit time -->
          <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py">
            <properties>
              <help>DNS forwarding</help>
              <priority>918</priority>
            </properties>
            <children>
              <!-- Cache entry count; bounded by the numeric validator to 0..2147483647 -->
              <leafNode name="cache-size">
                <properties>
                  <help>DNS forwarding cache size</help>
                  <valueHelp>
                    <format>u32:0-2147483647</format>
                    <description>DNS forwarding cache size</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-2147483647"/>
                  </constraint>
                </properties>
                <defaultValue>10000</defaultValue>
              </leafNode>
              <!-- Multi-valued list of interface names (completion from list_interfaces.py).
                   No constraint is declared here, so validation of the names is left to the
                   completion script / owner script. -->
              <leafNode name="dhcp">
                <properties>
                  <help>Interfaces whose DHCP client nameservers to forward requests to</help>
                  <completionHelp>
                    <script>${vyos_completion_dir}/list_interfaces.py</script>
                  </completionHelp>
                  <multi/>
                </properties>
              </leafNode>
              <!-- NOTE(review): the description requires a /96 prefix, but the only constraint is
                   the generic ipv6-prefix validator, so other prefix lengths pass CLI validation
                   here; presumably the owner script enforces /96. Confirm. -->
              <leafNode name="dns64-prefix">
                <properties>
                  <help>Help to communicate between IPv6-only client and IPv4-only server</help>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 address and /96 only prefix length</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ipv6-prefix"/>
                  </constraint>
                </properties>
              </leafNode>
              <!-- DNSSEC mode. Per the descriptions below, the default (process-no-validate)
                   returns DNSSEC records without validating them; "validate" is the only mode
                   that answers bogus responses with SERVFAIL. The regex is anchored, so only
                   the five listed keywords are accepted. -->
              <leafNode name="dnssec">
                <properties>
                  <help>DNSSEC mode</help>
                  <completionHelp>
                    <list>off process-no-validate process log-fail validate</list>
                  </completionHelp>
                  <valueHelp>
                    <format>off</format>
                    <description>No DNSSEC processing whatsoever!</description>
                  </valueHelp>
                  <valueHelp>
                    <format>process-no-validate</format>
                    <description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description>
                  </valueHelp>
                  <valueHelp>
                    <format>process</format>
                    <description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description>
                  </valueHelp>
                  <valueHelp>
                    <format>log-fail</format>
                    <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description>
                  </valueHelp>
                  <valueHelp>
                    <format>validate</format>
                    <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description>
                  </valueHelp>
                  <constraint>
                    <regex>^(off|process-no-validate|process|log-fail|validate)$</regex>
                  </constraint>
                </properties>
                <defaultValue>process-no-validate</defaultValue>
              </leafNode>
              <!-- Per-domain forwarding: each tag value is a domain name with its own upstream
                   server list and per-domain flags. No constraint on the tag value is declared
                   here. -->
              <tagNode name="domain">
                <properties>
                  <help>Domain to forward to a custom DNS server</help>
                </properties>
                <children>
                  <!-- Upstream servers for this domain; each value must pass either the IPv4 or
                       the IPv6 address validator -->
                  <leafNode name="server">
                    <properties>
                      <help>Domain Name Server (DNS) to forward queries to</help>
                      <valueHelp>
                        <format>ipv4</format>
                        <description>Domain Name Server (DNS) IPv4 address</description>
                      </valueHelp>
                      <valueHelp>
                        <format>ipv6</format>
                        <description>Domain Name Server (DNS) IPv6 address</description>
                      </valueHelp>
                      <multi/>
                      <constraint>
                        <validator name="ipv4-address"/>
                        <validator name="ipv6-address"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <!-- Negative trust anchor: per the help text this is required when the domain
                       is not DNSSEC-signed; an NTA exempts the domain from validation, so setting
                       it on a signed domain removes the protection the dnssec mode would give. -->
                  <leafNode name="addnta">
                    <properties>
                      <help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                  <leafNode name="recursion-desired">
                    <properties>
                      <help>Set the "recursion desired" bit in requests to the upstream nameserver</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </tagNode>
              <leafNode name="ignore-hosts-file">
                <properties>
                  <help>Do not use local /etc/hosts file in name resolution</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="no-serve-rfc1918">
                <properties>
                  <help>Makes the server authoritatively not aware of RFC1918 addresses</help>
		  <valueless/>
                </properties>
              </leafNode>
              <!-- Client ACL: networks permitted to query the forwarder (ip-prefix validator,
                   multi-valued). No defaultValue is declared here, so what happens when the list
                   is empty is decided by the owner script, not by this definition. -->
              <leafNode name="allow-from">
                <properties>
                  <help>Networks allowed to query this server</help>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IP address and prefix length</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 address and prefix length</description>
                  </valueHelp>
                  <multi/>
                  <constraint>
                    <validator name="ip-prefix"/>
                  </constraint>
                </properties>
              </leafNode>
              <!-- listen-address and port are shared includes; only the port default is set
                   locally (next leafNode). Any listen-address default lives in the include. -->
              #include <include/listen-address.xml.i>
              #include <include/port-number.xml.i>
              <leafNode name="port">
                <defaultValue>53</defaultValue>
              </leafNode>
              <!-- Negative-cache TTL in seconds, bounded to 0..7200 -->
              <leafNode name="negative-ttl">
                <properties>
                  <help>Maximum amount of time negative entries are cached</help>
                  <valueHelp>
                    <format>u32:0-7200</format>
                    <description>Seconds to cache NXDOMAIN entries</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 0-7200"/>
                  </constraint>
                </properties>
                <defaultValue>3600</defaultValue>
              </leafNode>
              <!-- Upstream name-server leaf comes from a shared include -->
              #include <include/name-server-ipv4-ipv6.xml.i>
              <!-- Local source addresses for outgoing queries. The default "0.0.0.0 ::"
                   presumably leaves source selection to the kernel for both families;
                   confirm against the owner script before relying on that reading. -->
              <leafNode name="source-address">
                <properties>
                  <help>Local addresses from which to send DNS queries</help>
                  <completionHelp>
                    <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
                  </completionHelp>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>IPv4 address from which to send traffic</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6</format>
                    <description>IPv6 address from which to send traffic</description>
                  </valueHelp>
                  <multi/>
                  <constraint>
                    <validator name="ipv4-address"/>
                    <validator name="ipv6-address"/>
                  </constraint>
                </properties>
                <defaultValue>0.0.0.0 ::</defaultValue>
              </leafNode>
              <!-- Valueless flag: forward to the system's own name servers -->
              <leafNode name="system">
                <properties>
                  <help>Use system name servers</help>
                  <valueless/>
                </properties>
              </leafNode>
            </children>
          </node>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>