authorkhramshinr <khramshinr@gmail.com>2024-01-30 14:12:01 +0700
committerkhramshinr <khramshinr@gmail.com>2024-01-30 16:45:54 +0700
commiteb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f (patch)
tree7c2a6ec264cf05f65c774fcce99fbedd8247fa6c
parent801359c2ebc724bd3dd1d4352502747d813f2d17 (diff)
downloadvyos-1x-eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f.tar.gz
vyos-1x-eb76729d63245e2e8f06f4d6d52d2fd4aab4fb1f.zip
dns forwarding: T5687: Implement ECS settings for PowerDNS recursor
-rw-r--r--data/templates/dns-forwarding/recursor.conf.j214
-rw-r--r--interface-definitions/service_dns_forwarding.xml.in43
-rwxr-xr-xsmoketest/scripts/cli/test_service_dns_forwarding.py48
3 files changed, 105 insertions, 0 deletions
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e4e8e7044..5ac872f19 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -57,3 +57,17 @@ serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
forward-zones-file={{ config_dir }}/recursor.forward-zones.conf
+
+#ecs
+{% if options.ecs_add_for is vyos_defined %}
+ecs-add-for={{ options.ecs_add_for | join(',') }}
+{% endif %}
+
+{% if options.ecs_ipv4_bits is vyos_defined %}
+ecs-ipv4-bits={{ options.ecs_ipv4_bits }}
+{% endif %}
+
+{% if options.edns_subnet_allow_list is vyos_defined %}
+edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }}
+{% endif %}
+
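Review bot: The three new directives render `options.*` values verbatim into a line-oriented config, so anything the CLI accepts without a constraint reaches PowerDNS unescaped; `edns-subnet-allow-list` is declared as free `txt` in this commit, which means a stray comma or whitespace inside one entry silently becomes extra tokens on the `edns-subnet-allow-list=` line. Either validate at the CLI layer or at least document the trust assumption in the template, e.g. `{# values are validated by the CLI constraint; no escaping is done here #}`. It is also not visible from the diff whether the template environment tolerates `options` being absent — with a strict Undefined, `options.ecs_add_for` raises when no option has been set, so `{% if options is vyos_defined and options.ecs_add_for is vyos_defined %}` would be safer unless the renderer is known to use a chainable undefined. Note that `ecs-ipv6-bits` is not exposed here, so IPv6 clients presumably keep the recursor's built-in default scope.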
diff --git a/interface-definitions/service_dns_forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in
index 0f8863438..b520af44d 100644
--- a/interface-definitions/service_dns_forwarding.xml.in
+++ b/interface-definitions/service_dns_forwarding.xml.in
@@ -735,6 +735,49 @@
</constraint>
</properties>
</leafNode>
+ <node name="options">
+ <properties>
+ <help>DNS server options</help>
+ </properties>
+ <children>
+ <leafNode name="ecs-add-for">
+ <properties>
+ <help>List of client netmasks for which EDNS Client Subnet will be added</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IP addresses or subnets, negation supported</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 addresses or subnets, negation supported</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="ecs-ipv4-bits">
+ <properties>
+ <help>Number of bits of IPv4 address to pass for EDNS Client Subnet</help>
+ <valueHelp>
+ <format>u32:0-32</format>
+ <description>Number of bits of IPv4 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-32"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="edns-subnet-allow-list">
+ <properties>
+ <help>List of netmasks and domains that we should enable EDNS subnet for</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Netmask or domain</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</node>
</children>
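Review bot: `ecs-add-for` and `edns-subnet-allow-list` have `<valueHelp>` but no `<constraint>`, so any string is accepted and written unchecked into recursor.conf by the template; only `ecs-ipv4-bits` is validated. Because the smoketest relies on negated entries such as `!10.0.0.0/8`, a plain IP-prefix validator is not enough — a constraint accepting an optional leading `!` before an IPv4/IPv6 prefix is needed, e.g. `<constraint><regex>!?[0-9a-fA-F:.]+/[0-9]{1,3}</regex></constraint>` (or a dedicated validator if the project prefers one). For `edns-subnet-allow-list`, which mixes prefixes and domain names, at minimum reject commas and whitespace so a single entry cannot smuggle extra tokens onto the comma-joined line. The `ecs-add-for` help text could also warn that `0.0.0.0/0` forwards every client's subnet to upstream resolvers, since that is a privacy decision the operator should make consciously.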
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index 652c4fa7b..2a32fa292 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -59,6 +59,12 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
# Check for running process
self.assertFalse(process_named_running(PROCESS_NAME))
+ def _set_required_options(self):
+ for network in allow_from:
+ self.cli_set(base_path + ['allow-from', network])
+ for address in listen_adress:
+ self.cli_set(base_path + ['listen-address', address])
+
def test_basic_forwarding(self):
# Check basic DNS forwarding settings
cache_size = '20'
@@ -294,5 +300,47 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
tmp = get_config_value('local-port')
self.assertEqual(tmp, port)
+ def test_ecs_add_for(self):
+ self._set_required_options()
+
+ options = ['0.0.0.0/0', '!10.0.0.0/8', 'fc00::/7', '!fe80::/10']
+ for param in options:
+ self.cli_set(base_path + ['options', 'ecs-add-for', param])
+
+ # commit changes
+ self.cli_commit()
+
+ # verify ecs_add_for configuration
+ tmp = get_config_value('ecs-add-for')
+ self.assertEqual(tmp, ','.join(options))
+
+ def test_ecs_ipv4_bits(self):
+ self._set_required_options()
+
+ option_value = '24'
+ self.cli_set(base_path + ['options', 'ecs-ipv4-bits', option_value])
+
+ # commit changes
+ self.cli_commit()
+
+ # verify ecs_ipv4_bits configuration
+ tmp = get_config_value('ecs-ipv4-bits')
+ self.assertEqual(tmp, option_value)
+
+ def test_edns_subnet_allow_list(self):
+ self._set_required_options()
+
+ options = ['192.0.2.1/32', 'example.com', 'fe80::/10']
+ for param in options:
+ self.cli_set(base_path + ['options', 'edns-subnet-allow-list', param])
+
+ # commit changes
+ self.cli_commit()
+
+ # verify edns_subnet_allow_list configuration
+ tmp = get_config_value('edns-subnet-allow-list')
+ self.assertEqual(tmp, ','.join(options))
+
+
if __name__ == '__main__':
unittest.main(verbosity=2)
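Review bot: All three new tests cover only accepted values; there is no negative case showing that a malformed `ecs-add-for` entry (say `not-a-prefix`) or an out-of-range `ecs-ipv4-bits` such as `33` is rejected at commit, which is where the interface definition's constraints are actually exercised. `test_ecs_ipv4_bits` also checks a single value; looping over `['0', '24', '32']` would pin the documented `0-32` boundaries. The asserts compare against `','.join(options)`, so an entry containing a comma would pass the test while producing a different directive — a short comment such as `# the CLI constraint is what keeps the comma-joined value unambiguous` would help the next reader. `_set_required_options` is defined in the earlier hunk and `allow_from`/`listen_adress` come from outside this diff, so I am assuming they are module-level fixtures.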