db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
af49ca27 LP |
2 | #pragma once |
3 | ||
69a283c5 DDM |
4 | #include "conf-parser-forward.h" |
5 | #include "forward.h" | |
af49ca27 | 6 | |
/* 127.0.0.53 in native endian, i.e. host byte order (the IP address we listen on with the full DNS stub, i.e. the one
 * that also does LLMNR/mDNS, and stuff). Being host order, it has to be converted to network byte order before it is
 * stored in a struct sockaddr_in. */
#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)

/* 127.0.0.54 in native endian, i.e. host byte order (the IP address we listen on where we only implement "proxy" mode) */
#define INADDR_DNS_PROXY_STUB ((in_addr_t) 0x7f000036U)

/* 127.0.0.2 is an address we always map to the local hostname. This is different from 127.0.0.1 which maps to "localhost".
 * Also host byte order, like the two constants above. */
#define INADDR_LOCALADDRESS ((in_addr_t) 0x7f000002U)
/* How the resolver caches responses. The value meanings below are those implied by the names; the actual cache
 * policy is implemented elsewhere. _MAX is the number of valid values, and _INVALID (a negative errno) is
 * presumably what dns_cache_mode_from_string() returns for unrecognized input. */
typedef enum DnsCacheMode {
        DNS_CACHE_MODE_NO,          /* do not cache */
        DNS_CACHE_MODE_YES,         /* cache responses */
        DNS_CACHE_MODE_NO_NEGATIVE, /* cache, but not negative responses (as the name suggests) */
        _DNS_CACHE_MODE_MAX,
        _DNS_CACHE_MODE_INVALID = -EINVAL,
} DnsCacheMode;
af49ca27 | 23 | |
/* Do not change the order, see link_get_llmnr_support() or link_get_mdns_support(). Those helpers presumably rely on
 * the numeric ordering NO < RESOLVE < YES when combining the global and the per-link setting — confirm before reordering. */
typedef enum ResolveSupport {
        RESOLVE_SUPPORT_NO,      /* protocol disabled */
        RESOLVE_SUPPORT_RESOLVE, /* resolve only, without responding/announcing — as implied by the name */
        RESOLVE_SUPPORT_YES,     /* fully enabled */
        _RESOLVE_SUPPORT_MAX,
        _RESOLVE_SUPPORT_INVALID = -EINVAL, /* returned by resolve_support_from_string() for unknown input, presumably */
} ResolveSupport;
af49ca27 | 32 | |
/* DNSSEC validation policy. Only DNSSEC_YES guarantees that answers are authenticated; the other two modes
 * accept unauthenticated data, by design. */
typedef enum DnssecMode {
        /* No DNSSEC validation is done */
        DNSSEC_NO,

        /* Validate locally, if the server knows DO, but if not,
         * don't. Don't trust the AD bit. If the server doesn't do
         * DNSSEC properly, downgrade to non-DNSSEC operation. Of
         * course, we then are vulnerable to a downgrade attack, but
         * that's life and what is configured. Deployments that must
         * not accept unvalidated answers should use DNSSEC_YES. */
        DNSSEC_ALLOW_DOWNGRADE,

        /* Insist on DNSSEC server support, and rather fail than downgrading. */
        DNSSEC_YES,

        _DNSSEC_MODE_MAX,
        _DNSSEC_MODE_INVALID = -EINVAL, /* returned by dnssec_mode_from_string() for unknown input, presumably */
} DnssecMode;
ad6c0475 | 50 | |
/* DNS-over-TLS policy for upstream servers. */
typedef enum DnsOverTlsMode {
        /* No connection is made for DNS-over-TLS */
        DNS_OVER_TLS_NO,

        /* Try to connect using DNS-over-TLS, but if connection fails,
         * fall back to using an unencrypted connection. Since the
         * fallback is triggered by a failed connection, an active
         * on-path party that makes the TLS connection fail causes
         * plaintext DNS to be used; this mode therefore only helps
         * against passive observation. Use DNS_OVER_TLS_YES where
         * that is not acceptable. */
        DNS_OVER_TLS_OPPORTUNISTIC,

        /* Enforce DNS-over-TLS and require valid server certificates */
        DNS_OVER_TLS_YES,

        _DNS_OVER_TLS_MODE_MAX,
        _DNS_OVER_TLS_MODE_INVALID = -EINVAL, /* returned by dns_over_tls_mode_from_string() for unknown input, presumably */
} DnsOverTlsMode;
5d67a7ae | 65 | |
/* Configuration-file parsers for the enums above. The parser signature comes from CONFIG_PARSER_PROTOTYPE(),
 * presumably provided by conf-parser-forward.h included at the top. */
CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);
/* String <-> enum conversions for the enums above. The *_to_string() functions map an enum value to its
 * textual spelling; the *_from_string() functions parse that spelling back and presumably return the enum's
 * _INVALID value (-EINVAL) for unrecognized input — confirm in the implementation. _const_/_pure_ are the
 * project's attribute macros marking these as side-effect free. */

const char* resolve_support_to_string(ResolveSupport p) _const_;
ResolveSupport resolve_support_from_string(const char *s) _pure_;

const char* dnssec_mode_to_string(DnssecMode p) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;

const char* dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;

/* Returns true if 'sa', an address of family 'family', is acceptable as an upstream DNS server address.
 * The exact rules (e.g. whether the loopback addresses defined above are refused) live in the
 * implementation — check there before relying on a specific rejection. */
bool dns_server_address_valid(int family, const union in_addr_union *sa);

const char* dns_cache_mode_to_string(DnsCacheMode p) _const_;
DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_;

/* A resolv.conf file containing the DNS server and domain data we learnt from uplink, i.e. the full uplink data.
 * Clients using this file presumably talk to the uplink servers directly rather than through the stub listener
 * above, so the DNSSEC/DNS-over-TLS policy configured for the stub does not apply to them — confirm. */
#define PRIVATE_UPLINK_RESOLV_CONF "/run/systemd/resolve/resolv.conf"

/* A resolv.conf file containing the domain data we learnt from uplink, but our own DNS server address
 * (presumably the stub listening on INADDR_DNS_STUB). */
#define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf"

/* A static resolv.conf file containing no domains, but only our own DNS server address.
 * LIBEXECDIR is supplied by the build system. */
#define PRIVATE_STATIC_RESOLV_CONF LIBEXECDIR "/resolv.conf"