[thirdparty/systemd.git] / src / shared / resolve-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include "conf-parser-forward.h"
#include "forward.h"

/* 127.0.0.53 in native endian (The IP address we listen on with the full DNS stub, i.e. that does LLMNR/mDNS, and stuff) */
#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)

/* 127.0.0.54 in native endian (The IP address we listen on we only implement "proxy" mode) */
#define INADDR_DNS_PROXY_STUB ((in_addr_t) 0x7f000036U)

/* 127.0.0.2 is an address we always map to the local hostname. This is different from 127.0.0.1 which maps to "localhost" */
#define INADDR_LOCALADDRESS ((in_addr_t) 0x7f000002U)

typedef enum DnsCacheMode {
        DNS_CACHE_MODE_NO,
        DNS_CACHE_MODE_YES,
        DNS_CACHE_MODE_NO_NEGATIVE,
        _DNS_CACHE_MODE_MAX,
        _DNS_CACHE_MODE_INVALID = -EINVAL,
} DnsCacheMode;

/* Do not change the order, see link_get_llmnr_support() or link_get_mdns_support(). */
typedef enum ResolveSupport {
        RESOLVE_SUPPORT_NO,
        RESOLVE_SUPPORT_RESOLVE,
        RESOLVE_SUPPORT_YES,
        _RESOLVE_SUPPORT_MAX,
        _RESOLVE_SUPPORT_INVALID = -EINVAL,
} ResolveSupport;

typedef enum DnssecMode {
        /* No DNSSEC validation is done */
        DNSSEC_NO,

        /* Validate locally, if the server knows DO, but if not,
         * don't. Don't trust the AD bit. If the server doesn't do
         * DNSSEC properly, downgrade to non-DNSSEC operation. Of
         * course, we then are vulnerable to a downgrade attack, but
         * that's life and what is configured. */
        DNSSEC_ALLOW_DOWNGRADE,

        /* Insist on DNSSEC server support, and rather fail than downgrading. */
        DNSSEC_YES,

        _DNSSEC_MODE_MAX,
        _DNSSEC_MODE_INVALID = -EINVAL,
} DnssecMode;

typedef enum DnsOverTlsMode {
        /* No connection is made for DNS-over-TLS */
        DNS_OVER_TLS_NO,

        /* Try to connect using DNS-over-TLS, but if connection fails,
         * fall back to using an unencrypted connection */
        DNS_OVER_TLS_OPPORTUNISTIC,

        /* Enforce DNS-over-TLS and require valid server certificates */
        DNS_OVER_TLS_YES,

        _DNS_OVER_TLS_MODE_MAX,
        _DNS_OVER_TLS_MODE_INVALID = -EINVAL,
} DnsOverTlsMode;

CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);

const char* resolve_support_to_string(ResolveSupport p) _const_;
ResolveSupport resolve_support_from_string(const char *s) _pure_;

const char* dnssec_mode_to_string(DnssecMode p) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;

const char* dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;

bool dns_server_address_valid(int family, const union in_addr_union *sa);

const char* dns_cache_mode_to_string(DnsCacheMode p) _const_;
DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_;

/* A resolv.conf file containing the DNS server and domain data we learnt from uplink, i.e. the full uplink data */
#define PRIVATE_UPLINK_RESOLV_CONF "/run/systemd/resolve/resolv.conf"

/* A resolv.conf file containing the domain data we learnt from uplink, but our own DNS server address. */
#define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf"

/* A static resolv.conf file containing no domains, but only our own DNS server address */
#define PRIVATE_STATIC_RESOLV_CONF LIBEXECDIR "/resolv.conf"
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
af49ca27 LP	2	#pragma once
af49ca27 LP	3
69a283c5 DDM	4	#include "conf-parser-forward.h"
69a283c5 DDM	5	#include "forward.h"
af49ca27	6
a8d09063	7	/* 127.0.0.53 in native endian (The IP address we listen on with the full DNS stub, i.e. that does LLMNR/mDNS, and stuff) */
00d28db3 YW	8	#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)
00d28db3 YW	9
a8d09063 LP	10	/* 127.0.0.54 in native endian (The IP address we listen on we only implement "proxy" mode) */
	11	#define INADDR_DNS_PROXY_STUB ((in_addr_t) 0x7f000036U)
	12
056c398b LP	13	/* 127.0.0.2 is an address we always map to the local hostname. This is different from 127.0.0.1 which maps to "localhost" */
	14	#define INADDR_LOCALADDRESS ((in_addr_t) 0x7f000002U)
	15
69a283c5	16	typedef enum DnsCacheMode {
37d7a7d9 JN	17	DNS_CACHE_MODE_NO,
	18	DNS_CACHE_MODE_YES,
	19	DNS_CACHE_MODE_NO_NEGATIVE,
	20	_DNS_CACHE_MODE_MAX,
bbb697fe	21	_DNS_CACHE_MODE_INVALID = -EINVAL,
69a283c5	22	} DnsCacheMode;
af49ca27	23
bce459e3	24	/* Do not change the order, see link_get_llmnr_support() or link_get_mdns_support(). */
69a283c5	25	typedef enum ResolveSupport {
af49ca27	26	RESOLVE_SUPPORT_NO,
af49ca27	27	RESOLVE_SUPPORT_RESOLVE,
bce459e3	28	RESOLVE_SUPPORT_YES,
af49ca27	29	_RESOLVE_SUPPORT_MAX,
2d93c20e	30	_RESOLVE_SUPPORT_INVALID = -EINVAL,
69a283c5	31	} ResolveSupport;
af49ca27	32
69a283c5	33	typedef enum DnssecMode {
ad6c0475 LP	34	/* No DNSSEC validation is done */
	35	DNSSEC_NO,
	36
	37	/* Validate locally, if the server knows DO, but if not,
	38	* don't. Don't trust the AD bit. If the server doesn't do
	39	* DNSSEC properly, downgrade to non-DNSSEC operation. Of
	40	* course, we then are vulnerable to a downgrade attack, but
	41	* that's life and what is configured. */
	42	DNSSEC_ALLOW_DOWNGRADE,
	43
	44	/* Insist on DNSSEC server support, and rather fail than downgrading. */
	45	DNSSEC_YES,
	46
	47	_DNSSEC_MODE_MAX,
2d93c20e	48	_DNSSEC_MODE_INVALID = -EINVAL,
69a283c5	49	} DnssecMode;
ad6c0475	50
69a283c5	51	typedef enum DnsOverTlsMode {
5d67a7ae	52	/* No connection is made for DNS-over-TLS */
c9299be2	53	DNS_OVER_TLS_NO,
5d67a7ae IT	54
5d67a7ae IT	55	/* Try to connect using DNS-over-TLS, but if connection fails,
2aed63f4	56	* fall back to using an unencrypted connection */
c9299be2	57	DNS_OVER_TLS_OPPORTUNISTIC,
5d67a7ae	58
4310bfc2 IT	59	/* Enforce DNS-over-TLS and require valid server certificates */
	60	DNS_OVER_TLS_YES,
	61
c9299be2	62	_DNS_OVER_TLS_MODE_MAX,
2d93c20e	63	_DNS_OVER_TLS_MODE_INVALID = -EINVAL,
69a283c5	64	} DnsOverTlsMode;
5d67a7ae	65
a2106925 LP	66	CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
a2106925 LP	67	CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
c9299be2	68	CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
37d7a7d9	69	CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);
af49ca27 LP	70
	71	const char* resolve_support_to_string(ResolveSupport p) _const_;
	72	ResolveSupport resolve_support_from_string(const char *s) _pure_;
ad6c0475 LP	73
	74	const char* dnssec_mode_to_string(DnssecMode p) _const_;
	75	DnssecMode dnssec_mode_from_string(const char *s) _pure_;
5d67a7ae	76
c9299be2 IT	77	const char* dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
c9299be2 IT	78	DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;
00d28db3 YW	79
00d28db3 YW	80	bool dns_server_address_valid(int family, const union in_addr_union *sa);
37d7a7d9 JN	81
	82	const char* dns_cache_mode_to_string(DnsCacheMode p) _const_;
	83	DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_;
08281474 LP	84
	85	/* A resolv.conf file containing the DNS server and domain data we learnt from uplink, i.e. the full uplink data */
	86	#define PRIVATE_UPLINK_RESOLV_CONF "/run/systemd/resolve/resolv.conf"
	87
	88	/* A resolv.conf file containing the domain data we learnt from uplink, but our own DNS server address. */
	89	#define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf"
	90
	91	/* A static resolv.conf file containing no domains, but only our own DNS server address */
b0d3095f	92	#define PRIVATE_STATIC_RESOLV_CONF LIBEXECDIR "/resolv.conf"