Browse code
dns option: remove support for exclude-domains
No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.
Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27008.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund authored on 2023/09/22 19:43:34Showing 5 changed files
- doc/man-sections/client-options.rst
- doc/man-sections/script-options.rst
- src/openvpn/dns.c
- src/openvpn/dns.h
- src/openvpn/options.c
| ... | ... |
@@ -169,7 +169,7 @@ configuration. |
| 169 | 169 |
|
| 170 | 170 |
dns search-domains domain [domain ...] |
| 171 | 171 |
dns server n address addr[:port] [addr[:port] ...] |
| 172 |
- dns server n resolve-domains|exclude-domains domain [domain ...] |
|
| 172 |
+ dns server n resolve-domains domain [domain ...] |
|
| 173 | 173 |
dns server n dnssec yes|optional|no |
| 174 | 174 |
dns server n transport DoH|DoT|plain |
| 175 | 175 |
dns server n sni server-name |
| ... | ... |
@@ -191,14 +191,10 @@ configuration. |
| 191 | 191 |
Optionally a port can be appended after a colon. IPv6 addresses need to |
| 192 | 192 |
be enclosed in brackets if a port is appended. |
| 193 | 193 |
|
| 194 |
- The ``resolve-domains`` and ``exclude-domains`` options take one or |
|
| 195 |
- more DNS domains which are explicitly resolved or explicitly not resolved |
|
| 196 |
- by a server. Only one of the options can be configured for a server. |
|
| 197 |
- ``resolve-domains`` is used to define a split-dns setup, where only |
|
| 198 |
- given domains are resolved by a server. ``exclude-domains`` is used to |
|
| 199 |
- define domains which will never be resolved by a server (e.g. domains |
|
| 200 |
- which can only be resolved locally). Systems which do not support fine |
|
| 201 |
- grained DNS domain configuration, will ignore these settings. |
|
| 194 |
+ The ``resolve-domains`` option takes one or more DNS domains used to define |
|
| 195 |
+ a split-dns or dns-routing setup, where only the given domains are resolved |
|
| 196 |
+ by the server. Systems which do not support fine grained DNS domain |
|
| 197 |
+ configuration will ignore this setting. |
|
| 202 | 198 |
|
| 203 | 199 |
The ``dnssec`` option is used to configure validation of DNSSEC records. |
| 204 | 200 |
While the exact semantics may differ for resolvers on different systems, |
| ... | ... |
@@ -400,11 +400,9 @@ setenv_dns_options(const struct dns_options *o, struct env_set *es) |
| 400 | 400 |
|
| 401 | 401 |
if (s->domains) |
| 402 | 402 |
{
|
| 403 |
- const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ? |
|
| 404 |
- "dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d"; |
|
| 405 | 403 |
for (j = 1, d = s->domains; d != NULL; j++, d = d->next) |
| 406 | 404 |
{
|
| 407 |
- setenv_dns_option(es, format, i, j, d->name); |
|
| 405 |
+ setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); |
|
| 408 | 406 |
} |
| 409 | 407 |
} |
| 410 | 408 |
|
| ... | ... |
@@ -482,14 +480,7 @@ show_dns_options(const struct dns_options *o) |
| 482 | 482 |
struct dns_domain *domain = server->domains; |
| 483 | 483 |
if (domain) |
| 484 | 484 |
{
|
| 485 |
- if (server->domain_type == DNS_RESOLVE_DOMAINS) |
|
| 486 |
- {
|
|
| 487 |
- msg(D_SHOW_PARMS, " resolve domains:"); |
|
| 488 |
- } |
|
| 489 |
- else |
|
| 490 |
- {
|
|
| 491 |
- msg(D_SHOW_PARMS, " exclude domains:"); |
|
| 492 |
- } |
|
| 485 |
+ msg(D_SHOW_PARMS, " resolve domains:"); |
|
| 493 | 486 |
while (domain) |
| 494 | 487 |
{
|
| 495 | 488 |
msg(D_SHOW_PARMS, " %s", domain->name); |
| ... | ... |
@@ -27,12 +27,6 @@ |
| 27 | 27 |
#include "buffer.h" |
| 28 | 28 |
#include "env_set.h" |
| 29 | 29 |
|
| 30 |
-enum dns_domain_type {
|
|
| 31 |
- DNS_DOMAINS_UNSET, |
|
| 32 |
- DNS_RESOLVE_DOMAINS, |
|
| 33 |
- DNS_EXCLUDE_DOMAINS |
|
| 34 |
-}; |
|
| 35 |
- |
|
| 36 | 30 |
enum dns_security {
|
| 37 | 31 |
DNS_SECURITY_UNSET, |
| 38 | 32 |
DNS_SECURITY_NO, |
| ... | ... |
@@ -68,7 +62,6 @@ struct dns_server {
|
| 68 | 68 |
size_t addr_count; |
| 69 | 69 |
struct dns_server_addr addr[8]; |
| 70 | 70 |
struct dns_domain *domains; |
| 71 |
- enum dns_domain_type domain_type; |
|
| 72 | 71 |
enum dns_security dnssec; |
| 73 | 72 |
enum dns_server_transport transport; |
| 74 | 73 |
const char *sni; |
| ... | ... |
@@ -512,7 +512,6 @@ static const char usage_message[] = |
| 512 | 512 |
" Valid options are :\n" |
| 513 | 513 |
" address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n" |
| 514 | 514 |
" resolve-domains <domain> [domain ...] : split domains\n" |
| 515 |
- " exclude-domains <domain> [domain ...] : domains not to resolve\n" |
|
| 516 | 515 |
" dnssec <yes|no|optional> : option to use DNSSEC\n" |
| 517 | 516 |
" type <DoH|DoT> : query server over HTTPS / TLS\n" |
| 518 | 517 |
" sni <domain> : DNS server name indication\n" |
| ... | ... |
@@ -8022,22 +8021,6 @@ add_option(struct options *options, |
| 8022 | 8022 |
} |
| 8023 | 8023 |
else if (streq(p[3], "resolve-domains")) |
| 8024 | 8024 |
{
|
| 8025 |
- if (server->domain_type == DNS_EXCLUDE_DOMAINS) |
|
| 8026 |
- {
|
|
| 8027 |
- msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority); |
|
| 8028 |
- goto err; |
|
| 8029 |
- } |
|
| 8030 |
- server->domain_type = DNS_RESOLVE_DOMAINS; |
|
| 8031 |
- dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); |
|
| 8032 |
- } |
|
| 8033 |
- else if (streq(p[3], "exclude-domains")) |
|
| 8034 |
- {
|
|
| 8035 |
- if (server->domain_type == DNS_RESOLVE_DOMAINS) |
|
| 8036 |
- {
|
|
| 8037 |
- msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority); |
|
| 8038 |
- goto err; |
|
| 8039 |
- } |
|
| 8040 |
- server->domain_type = DNS_EXCLUDE_DOMAINS; |
|
| 8041 | 8025 |
dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); |
| 8042 | 8026 |
} |
| 8043 | 8027 |
else if (streq(p[3], "dnssec") && !p[5]) |