path: root/src/conf_mode/dns_forwarding.py
Age | Commit message | Author
2023-03-28 | dns: T5115: Support custom port for name servers for forwarding zones. | Indrajit Raychaudhuri
This would allow using custom ports in name server operating on non-default port for forwarding zones. This is a follow-up to T5113 for sake of completeness and having consistent treatment of all name servers configured in PowerDNS recursor.
Additionally, migrate `service dns forwarding domain example.com server` to `service dns forwarding domain foo3.com name-server` for consistency and reusability.
2023-03-27 | dns: T5113: Support custom port for name-server forwarders | Indrajit Raychaudhuri
Support custom port for name-server forwarders that would allow using custom ports in name server forwarders to enable forwarding to alternative name servers (unbound, stubby, dnscrypt-proxy etc.) operating on non-default port.
This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards (pdns doesn't support certificate check for validity yet) by enabling 'dot-to-port-853'. This is set by default if compiled in with DoT support. See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853
This also partially implements T921, T2195 (DoT without certificate check).
Implementation details:
- In 'dns/forwarding' configuration, 'name-server' now allows optional 'port' (defaults to 53).
- Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional 'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used to avoid impacting other places where it is reused because not all of them honor ports (mostly VPN related).
- The `host:port` entries to be used by PowerDNS recursor config are normalized eagerly at the point of loading VyOS `Config` instead of doing them lazily while rendering the Jinja2 template to keep the implementation less intrusive. The alternative would entail making quite a bit of change in how 'vyos-hostsd' processes 'static' 'name_servers' entries or persists their runtime states.
2022-07-07 | dns: T4509: improve 6to4 error message | Christian Poessinger
2022-07-05 | dns: T4509: Add dns64-prefix option | Viacheslav Hletenko
rfc6147: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
set service dns forwarding dns64-prefix 2001:db8:aabb::/96
2022-07-04 | dns: T4378: Allow wildcard A AAAA record with option any | Viacheslav Hletenko
Ability to set wildcard record for authoritative-domain
set authoritative-domain example.com records a any address 192.0.2.11
cat /run/powerdns/zone.example.com.conf
* 300 A 192.0.2.11
2022-04-16 | dns: T4353: fix Jinja2 linting errors | Christian Poessinger
2022-04-06 | dns: forwarding: T3804: fix warning message about "system name-server" | Christian Poessinger
2022-04-05 | dns: forwarding: T3804: bugfix DHCP name-servers used for recursion | Christian Poessinger
Commit 2ecf7a9f9c ('name-server: T3804: merge "system name-servers-dhcp" into "system name-server"') missed out an old dictionary key "system_name_server_dhcp" and thus system nameservers configured via DHCP did not get used for the DNS forwar recursor.
2021-10-12 | Don't generate NTA when zone is disabled | Lucas Christian
2021-10-12 | Fix default values | Lucas Christian
2021-10-12 | Fix error when no domains are defined | Lucas Christian
2021-10-12 | T562: Config syntax for defining DNS forward authoritative zones | Lucas Christian
2021-10-02 | dns: forwarding: T3882: remove deprecated code to work with PowerDNS 4.5 | Christian Poessinger
(cherry picked from commit 8e6c48563d1612916bd7fcc665d70bfa77ec5667)
2020-11-27 | vyos.template: T2720: always enable Jinja2 trim_blocks feature | Christian Poessinger
2020-11-13 | vyos.template: provide general is_ip(v4|v6) helpers | Christian Poessinger
We had two places where the is_ip, is_ipv4 and is_ipv6 helpers had been defined. All places now have been converged into vyos.template as they are used both in the Jinja2 templates and also in our scripts.
2020-10-28 | vyos.util: T2995: rename vyos_dict_search() -> dict_search() | Christian Poessinger
Renamed using snippet below:
----------------------------
for file in $(find . -name "*.py")
do
  sed -i "s/vyos_dict_search/dict_search/" $file
done
2020-10-06 | pdns_recursor: T2964: Expose query-local-address to dns config. | Lucas Christian
In certain split DNS configurations, there is a need for more fine-grained control over the local address DNS forwarding uses to issue queries. The current pdns_recursor configuration allows the recursor to send queries from any available address on the interface the OS selects for the query, with no option to limit queries to a particular address or set of addresses. This commit exposes the `query-local-address` option in `recursor.conf` to users via the `service` `dns` `forwarding` `source-address` config node. If the parameter is unspecified, the default value of 0.0.0.0 (any IPv4 address) and :: (any IPv6 address) are used to match current behavior. Users who want more control can specify one or more IPv4 and IPv6 addresses to issue queries from. Per pdns_recursor docs, the recursor will load balance queries between any available addresses in the pools. Since IPv4 and IPv6 are different pools, note that specifying only one type of address will disable issuing queries for the other address family.
2020-09-25 | dns: forwarding: T2921: migrate to get_config_dict() | Christian Poessinger
2020-09-24 | dns: forwarding: T2921: template cleanup | Christian Poessinger
2020-09-19 | dns: forwarding: T2900: restore proper Config() level in verify() | Christian Poessinger
Despite the fact that running verify on Config() is "bad" and "not as intended" the level of the configuration must match the keys that are checked by exists(). Re-set proper Config() level before querying the system nodes.
2020-06-11 | dns forwarding: T2486: configure vyos-hostsd | Jernej Jakob
Removes and adds all required settings.
2020-06-11 | dns forwarding: T2486: generate recursor conf files | Jernej Jakob
- generate recursor.conf, recursor.conf.lua
- if recursor.vyos-hostsd.conf.lua and recursor.forward-zones.conf don't exist, create empty ones (they are/will be generated by vyos-hostsd)
2020-06-11 | dns forwarding: T2486: add warning for no dhcp, system or static nameservers | Jernej Jakob
Add warning that forwarding will operate as a recursor in case there are no nameservers configured.
2020-06-11 | dns forwarding: T2486: change internal handling of 'dhcp' nameservers | Jernej Jakob
Remove the old solution that retrieved dhcp tagged nameservers from hostsd and added it to nameservers, as it didn't work anyway (only once during configuration but it didn't update them later). This is now handled by vyos-hostsd, just retrieve the configured interfaces and send it the list of tags to use.
2020-06-11 | dns forwarding: T2486: change internal handling of 'system' config node | Jernej Jakob
Remove manual retrieval of 'system name-server' from config and adding it to the name servers list, as this is now handled by simply adding a 'system' tag in vyos-hostsd.
2020-06-11 | dns forwarding: T2486: remove unnecessary intermediate name_servers variable | Jernej Jakob
2020-06-11 | dns forwarding: T2486: change internal representation of 'domain' config | Jernej Jakob
Change internal representation to the new one expected by vyos-hostsd.
2020-06-11 | dns forwarding: T2486: move Config() call into main | Jernej Jakob
As Config is required in both get_config and verify, init it once and pass it to both functions.
2020-06-11 | dns forwarding: T2486: remove unneeded --dhclient argument | Jernej Jakob
The functionality was moved to vyos-hostsd.
2020-06-11 | dns forwarding: T2486: add paths to files | Jernej Jakob
2020-06-11 | dns forwarding: T1595: remove references to old listen-on option | Jernej Jakob
As part of T1595 listen-on was removed and migrated to listen-address, but some references to it stayed in the variable names and validator error message.
2020-05-29 | airbag: T2088: explicit enabling of the feature | Thomas Mangin
airbag must now be explicitly installed. The patch also allows fully disabling the installation of the logging code at setup (and not just installing and doing nothing).
2020-05-17 | powerdns: T2470: adjust config file permissions for recursor 4.3 | Christian Poessinger
PowerDNS recursor 4.3 now runs as user pdns and group pdns, thus the generated configuration file and directory need to have the appropriate permissions set.
2020-04-27 | template: T2388: move mkdir/chmod/chown within render() | Thomas Mangin
2020-04-13 | dns-forwarding: T2185: move configuration files to volatile /run directory | Christian Poessinger
2020-04-13 | dns-forwarding: T2185: migrate from SysVinit to systemd | Christian Poessinger
2020-04-12 | template: T2230: use render to generate templates | Thomas Mangin
convert all calls to jinja to use template.render
2020-04-09 | util: T2226: os.system was wrongly converted to run | Thomas Mangin
os.system does print the output of the command, run() does not. A new function called call() does the printing and returns the error code.
2020-04-06 | util: T2226: convert most calls from os.system to util | Thomas Mangin
As little change as possible but the function call. The behaviour should be totally unchanged.
2020-04-05 | dns-forwarding: T2230: move inlined templates to dedicated files | Christian Poessinger
2019-08-26 | T1598: make dns_forwarding.py retrieve name servers from vyos-hostsd. | Daniil Baturin
2019-08-20 | powerdns: T1595: remove 'listen-on' CLI option | Christian Poessinger
2019-08-20 | powerdns: T1524: support setting allow-from network | Christian Poessinger
Netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 private IP addresses. Due to the aggressive nature of the internet these days, it is highly recommended to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do not get an answer.
https://docs.powerdns.com/recursor/settings.html#allow-from
Imagine an ISP network with non RFC1918 IP addresses - they can't make use of PowerDNS recursor. As of now VyOS has allow-from set to 0.0.0.0/0 and ::/0 which created an open resolver. If there is no allow-from statement a config-migrator will add the appropriate nodes to the configuration, resulting in:
service {
    dns {
        forwarding {
            allow-from 0.0.0.0/0
            allow-from ::/0
            cache-size 0
            ignore-hosts-file
            listen-address 192.0.2.1
        }
    }
}
2019-07-14 | [dns-forwarding] T1333: handle domain forward and general recursion in one configuration line | Christian Poessinger
In the past we used the PowerDNS configuration option forward-zones and forward-zones-recurse, but only the latter one sets the recursion bit in the DNS query. Thus all recursions have been moved to this config statement.
2019-07-03 | Merge pull request #78 from qiuchengxuan/current | Christian Poessinger
[pdns-recursor] T1469 - specified dns forwarding not work
2019-07-03 | T1504: wait for commit lock before trying to update resolv.conf in the out of CLI mode. | Daniil Baturin
2019-06-25 | [pdns-recursor] T1469 - specified dns forwarding not work | qiuchengxuan
when conflict exists between forward-zone-recurse entry, the lower one hides the upper one, which leads to inactive dns forwarding configuration
2019-06-22 | [pdns-recursor] T1469 - replace forward-zones with forward-zones-recurse (#75) | qiuchengxuan
forward-zones-recurse behaves identically to dnsmasq server option in legacy vyos 1.1.8, while forward-zones option disallows recursive name resolving, which leads to dns lookup failure
2019-06-04 | T1379: Deprecated functions in /sbin/dhclient-script | Kim Hagen
2019-01-12 | T1041: make upstream DNS server optional | Christian Poessinger
The name-server option under "service dns-forwarding" was never mandatory so users never needed to specify an upstream server. With the recent switch to PowerDNS recursor in VyOS 1.2.0 we will act as a full DNS recursor when there is no upstream DNS server configured.