mirror of
https://github.com/safing/portmaster
synced 2025-09-01 10:09:11 +00:00
237 lines
8.8 KiB
Go
237 lines
8.8 KiB
Go
package resolver
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/safing/portbase/config"
|
|
"github.com/safing/portmaster/status"
|
|
)
|
|
|
|
// Configuration Keys
|
|
var (
|
|
defaultNameServers = []string{
|
|
// Collection of default DNS Servers
|
|
|
|
// Default servers should be:
|
|
// Anycast:
|
|
// - Servers should be reachable from anywhere with reasonable latency.
|
|
// - Servers should be near to the user for geo-content to work correctly.
|
|
// Private:
|
|
// - Servers should not do any or only minimal logging.
|
|
// - Available logging data may not be used against the user, ie. unethically.
|
|
|
|
// Sadly, only a few services come close to fulfilling these requirements.
|
|
// For now, we have settled for two bigger and well known services: Quad9 and Cloudflare.
|
|
// TODO: monitor situation and re-evaluate when new services become available
|
|
// TODO: explore other methods of making queries more private
|
|
|
|
// We encourage everyone who has the technical abilities to set their own preferred servers.
|
|
|
|
// Default 1: Quad9
|
|
"dot://9.9.9.9:853?verify=dns.quad9.net&name=Quad9&blockedif=empty", // Quad9
|
|
"dot://149.112.112.112:853?verify=dns.quad9.net&name=Quad9&blockedif=empty", // Quad9
|
|
|
|
// Default 2: Cloudflare
|
|
"dot://1.1.1.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare
|
|
"dot://1.0.0.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare
|
|
|
|
// Fallback 1: Quad9
|
|
"dns://9.9.9.9:53?name=Quad9&blockedif=empty", // Quad9
|
|
"dns://149.112.112.112:53?name=Quad9&blockedif=empty", // Quad9
|
|
|
|
// Fallback 2: Cloudflare
|
|
"dns://1.1.1.2:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
|
|
"dns://1.0.0.2:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
|
|
|
|
// supported parameters
|
|
// - `verify=domain`: verify domain (dot only)
|
|
// future parameters:
|
|
//
|
|
// - `name=name`: human readable name for resolver
|
|
// - `blockedif=empty`: how to detect if the dns service blocked something
|
|
// - `empty`: NXDomain result, but without any other record in any section
|
|
// - `refused`: Request was refused
|
|
// - `zeroip`: Answer only contains zeroip
|
|
}
|
|
|
|
CfgOptionNameServersKey = "dns/nameservers"
|
|
configuredNameServers config.StringArrayOption
|
|
cfgOptionNameServersOrder = 0
|
|
|
|
CfgOptionNoAssignedNameserversKey = "dns/noAssignedNameservers"
|
|
noAssignedNameservers status.SecurityLevelOption
|
|
cfgOptionNoAssignedNameserversOrder = 1
|
|
|
|
CfgOptionNoMulticastDNSKey = "dns/noMulticastDNS"
|
|
noMulticastDNS status.SecurityLevelOption
|
|
cfgOptionNoMulticastDNSOrder = 2
|
|
|
|
CfgOptionNoInsecureProtocolsKey = "dns/noInsecureProtocols"
|
|
noInsecureProtocols status.SecurityLevelOption
|
|
cfgOptionNoInsecureProtocolsOrder = 3
|
|
|
|
CfgOptionDontResolveSpecialDomainsKey = "dns/dontResolveSpecialDomains"
|
|
dontResolveSpecialDomains status.SecurityLevelOption
|
|
cfgOptionDontResolveSpecialDomainsOrder = 16
|
|
|
|
CfgOptionDontResolveTestDomainsKey = "dns/dontResolveTestDomains"
|
|
dontResolveTestDomains status.SecurityLevelOption
|
|
cfgOptionDontResolveTestDomainsOrder = 17
|
|
|
|
CfgOptionNameserverRetryRateKey = "dns/nameserverRetryRate"
|
|
nameserverRetryRate config.IntOption
|
|
cfgOptionNameserverRetryRateOrder = 32
|
|
)
|
|
|
|
func prepConfig() error {
|
|
err := config.Register(&config.Option{
|
|
Name: "DNS Servers",
|
|
Key: CfgOptionNameServersKey,
|
|
Description: "DNS Servers to use for resolving DNS requests.",
|
|
Help: `Format:
|
|
|
|
DNS Servers are configured in a URL format. This allows you to specify special settings for a resolver. If you just want to use a resolver at IP 10.2.3.4, please enter: dns://10.2.3.4:53
|
|
The format is: protocol://ip:port?parameter=value¶meter=value
|
|
|
|
Protocols:
|
|
dot: DNS-over-TLS (recommended)
|
|
dns: plain old DNS
|
|
tcp: plain old DNS over TCP
|
|
|
|
IP:
|
|
always use the IP address and _not_ the domain name!
|
|
|
|
Port:
|
|
always add the port!
|
|
|
|
Parameters:
|
|
name: give your DNS Server a name that is used for messages and logs
|
|
verify: domain name to verify for "dot", required and only valid for "dot"
|
|
blockedif: detect if the name server blocks a query, options:
|
|
empty: server replies with NXDomain status, but without any other record in any section
|
|
refused: server replies with Refused status
|
|
zeroip: server replies with an IP address, but it is zero
|
|
`,
|
|
Order: cfgOptionNameServersOrder,
|
|
OptType: config.OptTypeStringArray,
|
|
ExpertiseLevel: config.ExpertiseLevelExpert,
|
|
ReleaseLevel: config.ReleaseLevelStable,
|
|
DefaultValue: defaultNameServers,
|
|
ValidationRegex: fmt.Sprintf("^(%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDNS, ServerTypeTCP),
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
configuredNameServers = config.Concurrent.GetAsStringArray(CfgOptionNameServersKey, defaultNameServers)
|
|
|
|
err = config.Register(&config.Option{
|
|
Name: "DNS Server Retry Rate",
|
|
Key: CfgOptionNameserverRetryRateKey,
|
|
Description: "Rate at which to retry failed DNS Servers, in seconds.",
|
|
Order: cfgOptionNameserverRetryRateOrder,
|
|
OptType: config.OptTypeInt,
|
|
ExpertiseLevel: config.ExpertiseLevelExpert,
|
|
ReleaseLevel: config.ReleaseLevelStable,
|
|
DefaultValue: 600,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
nameserverRetryRate = config.Concurrent.GetAsInt(CfgOptionNameserverRetryRateKey, 600)
|
|
|
|
err = config.Register(&config.Option{
|
|
Name: "Do not use Multicast DNS",
|
|
Key: CfgOptionNoMulticastDNSKey,
|
|
Description: "Multicast DNS queries other devices in the local network",
|
|
Order: cfgOptionNoMulticastDNSOrder,
|
|
OptType: config.OptTypeInt,
|
|
ExpertiseLevel: config.ExpertiseLevelExpert,
|
|
ReleaseLevel: config.ReleaseLevelStable,
|
|
ExternalOptType: "security level",
|
|
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
|
ValidationRegex: "^(4|6|7)$",
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
noMulticastDNS = status.ConfigIsActiveConcurrent(CfgOptionNoMulticastDNSKey)
|
|
|
|
err = config.Register(&config.Option{
|
|
Name: "Do not use assigned Nameservers",
|
|
Key: CfgOptionNoAssignedNameserversKey,
|
|
Description: "that were acquired by the network (dhcp) or system",
|
|
Order: cfgOptionNoAssignedNameserversOrder,
|
|
OptType: config.OptTypeInt,
|
|
ExpertiseLevel: config.ExpertiseLevelExpert,
|
|
ReleaseLevel: config.ReleaseLevelStable,
|
|
ExternalOptType: "security level",
|
|
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
|
ValidationRegex: "^(4|6|7)$",
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
noAssignedNameservers = status.ConfigIsActiveConcurrent(CfgOptionNoAssignedNameserversKey)
|
|
|
|
err = config.Register(&config.Option{
|
|
Name: "Do not resolve insecurely",
|
|
Key: CfgOptionNoInsecureProtocolsKey,
|
|
Description: "Do not resolve domains with insecure protocols, ie. plain DNS",
|
|
Order: cfgOptionNoInsecureProtocolsOrder,
|
|
OptType: config.OptTypeInt,
|
|
ExpertiseLevel: config.ExpertiseLevelExpert,
|
|
ReleaseLevel: config.ReleaseLevelStable,
|
|
ExternalOptType: "security level",
|
|
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
|
ValidationRegex: "^(4|6|7)$",
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
noInsecureProtocols = status.ConfigIsActiveConcurrent(CfgOptionNoInsecureProtocolsKey)
|
|
|
|
err = config.Register(&config.Option{
|
|
Name: "Do not resolve special domains",
|
|
Key: CfgOptionDontResolveSpecialDomainsKey,
|
|
Description: fmt.Sprintf("Do not resolve the special top level domains %s", formatScopeList(specialServiceScopes)),
|
|
Order: cfgOptionDontResolveSpecialDomainsOrder,
|
|
OptType: config.OptTypeInt,
|
|
ExpertiseLevel: config.ExpertiseLevelExpert,
|
|
ReleaseLevel: config.ReleaseLevelStable,
|
|
ExternalOptType: "security level",
|
|
DefaultValue: status.SecurityLevelsAll,
|
|
ValidationRegex: "^(4|6|7)$",
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
dontResolveSpecialDomains = status.ConfigIsActiveConcurrent(CfgOptionDontResolveSpecialDomainsKey)
|
|
|
|
err = config.Register(&config.Option{
|
|
Name: "Do not resolve test domains",
|
|
Key: CfgOptionDontResolveTestDomainsKey,
|
|
Description: fmt.Sprintf("Do not resolve the special testing top level domains %s", formatScopeList(localTestScopes)),
|
|
Order: cfgOptionDontResolveTestDomainsOrder,
|
|
OptType: config.OptTypeInt,
|
|
ExpertiseLevel: config.ExpertiseLevelExpert,
|
|
ReleaseLevel: config.ReleaseLevelStable,
|
|
ExternalOptType: "security level",
|
|
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
|
ValidationRegex: "^(4|6|7)$",
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
dontResolveTestDomains = status.ConfigIsActiveConcurrent(CfgOptionDontResolveTestDomainsKey)
|
|
|
|
return nil
|
|
}
|
|
|
|
func formatScopeList(list []string) string {
|
|
formatted := make([]string, 0, len(list))
|
|
for _, domain := range list {
|
|
formatted = append(formatted, strings.Trim(domain, "."))
|
|
}
|
|
return strings.Join(formatted, ", ")
|
|
}
|