2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2020 IPFire Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
25 # enable only the following on debugging purpose
27 #use CGI::Carp 'fatalsToBrowser';
29 require '/var/ipfire/general-functions.pl';
30 require "${General::swroot}/geoip-functions.pl";
31 require "${General::swroot}/lang.pl";
32 require "${General::swroot}/header.pl";
34 #workaround to suppress a warning when a variable is used only once
35 my @dummy = ( ${Header
::colouryellow
} );
41 my $errormessage = '';
43 # Config file which stores the DNS settings.
44 my $settings_file = "${General::swroot}/dns/settings";
46 # File which stores the configured DNS-Servers.
47 my $servers_file = "${General::swroot}/dns/servers";
49 # Create files if the does not exist.
50 unless (-f
$settings_file) { system("touch $settings_file") };
51 unless (-f
$servers_file) { system("touch $servers_file") };
53 # File which stores the ISP assigned DNS servers.
54 my @ISP_nameserver_files = ( "/var/run/dns1", "/var/run/dns2" );
56 # File which contains the ca-certificates.
57 my $ca_certs_file = "/etc/ssl/certs/ca-bundle.crt";
60 my %mainsettings = ();
61 &General
::readhash
("${General::swroot}/main/settings", \
%mainsettings);
62 &General
::readhash
("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \
%color);
64 &Header
::showhttpheaders
();
65 &Header
::getcgihash
(\
%cgiparams);
68 # Save general settings.
70 if ($cgiparams{'GENERAL'} eq $Lang::tr
{'save'}) {
71 # Prevent form name from been stored in conf file.
72 delete $cgiparams{'GENERAL'};
74 # Add value for non-checked checkbox.
75 if ($cgiparams{'USE_ISP_NAMESERVERS'} ne "on") {
76 $cgiparams{'USE_ISP_NAMESERVERS'} = "off";
79 # Add value for non-checked checkbox.
80 if ($cgiparams{'ENABLE_SAFE_SEARCH'} ne "on") {
81 $cgiparams{'ENABLE_SAFE_SEARCH'} = "off";
84 # Store settings into settings file.
85 &General
::writehash
("$settings_file", \
%cgiparams);
91 if (($cgiparams{'SERVERS'} eq $Lang::tr
{'save'}) || ($cgiparams{'SERVERS'} eq $Lang::tr
{'update'})) {
92 # Hash to store the generic DNS settings.
95 # Read-in generic settings.
96 &General
::readhash
("$settings_file", \
%settings);
98 # Check if the given DNS server is valid.
99 if(!&General
::validip
($cgiparams{"NAMESERVER"})) {
100 $errormessage = "$Lang::tr{'invalid ip'}: $cgiparams{'NAMESERVER'}";
103 # Check if a TLS is enabled and no TLS_HOSTNAME has benn specified.
104 elsif($settings{'PROTO'} eq "TLS") {
105 unless($cgiparams{"TLS_HOSTNAME"}) {
106 $errormessage = "$Lang::tr{'dns no tls hostname given'}";
108 # Check if the provided domain is valid.
109 unless(&General
::validfqdn
($cgiparams{"TLS_HOSTNAME"})) {
110 $errormessage = "$Lang::tr{'invalid ip or hostname'}: $cgiparams{'TLS_HOSTNAME'}";
115 # Check the nameserver.
116 my $status = &check_nameserver
("$cgiparams{'NAMESERVER'}", "ping.ipfire.org", "$settings{'PROTO'}", "$cgiparams{'TLS_HOSTNAME'}");
118 # Assign errormessage, if the nameserver does not support dnssec or any other kind of error happened.
119 if ($status eq "0") {
120 $errormessage = "$Lang::tr{'dns could not add server'} $Lang::tr{'dnssec not supported'}";
121 } elsif (($status ne "1") && ($status ne "2")) {
122 $errormessage = "$Lang::tr{'dns could not add server'} $status";
125 # Go further if there was no error.
126 if ( ! $errormessage) {
127 # Check if a remark has been entered.
128 $cgiparams{'REMARK'} = &Header
::cleanhtml
($cgiparams{'REMARK'});
130 my %dns_servers = ();
134 # Read-in configfile.
135 &General
::readhasharray
($servers_file, \
%dns_servers);
137 # Check if we should edit an existing entry and got an ID.
138 if (($cgiparams{'SERVERS'} eq $Lang::tr
{'update'}) && ($cgiparams{'ID'})) {
139 # Assin the provided id.
140 $id = $cgiparams{'ID'};
142 # Undef the given ID.
143 undef($cgiparams{'ID'});
145 # Grab the configured status of the corresponding entry.
146 $status = $dns_servers{$id}[2];
148 # Each newly added entry automatically should be enabled.
151 # Generate the ID for the new entry.
153 # Sort the keys by their ID and store them in an array.
154 my @keys = sort { $a <=> $b } keys %dns_servers;
156 # Reverse the key array.
157 my @reversed = reverse(@keys);
159 # Obtain the last used id.
160 my $last_id = @reversed[0];
162 # Increase the last id by one and use it as id for the new entry.
165 # The first allowed id is 3 to keep space for
166 # possible ISP assigned DNS servers.
172 # Add/Modify the entry to/in the dns_servers hash.
173 $dns_servers{$id} = ["$cgiparams{'NAMESERVER'}", "$cgiparams{'TLS_HOSTNAME'}", "$status", "$cgiparams{'REMARK'}"];
175 # Write the changed hash to the config file.
176 &General
::writehasharray
($servers_file, \
%dns_servers);
178 # Switch back to previous mode.
179 $cgiparams{'SERVERS'} = $cgiparams{'MODE'};
182 # Toggle enable / disable.
184 } elsif ($cgiparams{'SERVERS'} eq $Lang::tr
{'toggle enable disable'}) {
185 my %dns_servers = ();
187 # Only go further, if an ID has been passed.
188 if ($cgiparams{'ID'}) {
189 # Assign the given ID.
190 my $id = $cgiparams{'ID'};
192 # Undef the given ID.
193 undef($cgiparams{'ID'});
195 # Read-in configfile.
196 &General
::readhasharray
($servers_file, \
%dns_servers);
198 # Grab the configured status of the corresponding entry.
199 my $status = $dns_servers{$id}[2];
202 if ($status eq "disabled") {
205 $status = "disabled";
208 # Modify the status of the existing entry.
209 $dns_servers{$id} = ["$dns_servers{$id}[0]", "$dns_servers{$id}[1]", "$status", "$dns_servers{$id}[3]"];
211 # Write the changed hash back to the config file.
212 &General
::writehasharray
($servers_file, \
%dns_servers);
215 ## Remove entry from DNS servers list.
217 } elsif ($cgiparams{'SERVERS'} eq $Lang::tr
{'remove'}) {
218 my %dns_servers = ();
220 # Read-in configfile.
221 &General
::readhasharray
($servers_file, \
%dns_servers);
223 # Drop entry from the hash.
224 delete($dns_servers{$cgiparams{'ID'}});
226 # Undef the given ID.
227 undef($cgiparams{'ID'});
229 # Write the changed hash to the config file.
230 &General
::writehasharray
($servers_file, \
%dns_servers);
233 # Hash to store the generic DNS settings.
236 # Read-in general DNS settings.
237 &General
::readhash
("$settings_file", \
%settings);
239 # Hash which contains the configured DNS servers.
240 my %dns_servers = ();
242 # Read-in config file.
243 &General
::readhasharray
("$servers_file", \
%dns_servers);
245 &Header
::openpage
($Lang::tr
{'dns'}, 1, '');
247 &Header
::openbigbox
('100%', 'left', '', $errormessage);
250 # Error messages layout.
253 &Header
::openbox
('100%', 'left', $Lang::tr
{'error messages'});
254 print "<class name='base'>$errormessage\n";
255 print " </class>\n";
259 # Handle if a nameserver should be added or edited.
260 if (($cgiparams{'SERVERS'} eq "$Lang::tr{'add'}") || ($cgiparams{'SERVERS'} eq "$Lang::tr{'edit'}")) {
261 # Display the sub page.
262 &show_add_edit_nameserver
();
265 &Header
::closebigbox
();
266 &Header
::closepage
();
268 # Finished here for the moment.
272 $cgiparams{'GENERAL'} = '';
273 $cgiparams{'SERVERS'} = '';
274 $cgiparams{'NAMESERVER'} = '';
275 $cgiparams{'TLS_HOSTNAME'} = '';
276 $cgiparams{'REMARK'} ='';
278 $checked{'USE_ISP_NAMESERVERS'}{'off'} = '';
279 $checked{'USE_ISP_NAMESERVERS'}{'on'} = '';
280 $checked{'USE_ISP_NAMESERVERS'}{$settings{'USE_ISP_NAMESERVERS'}} = "checked='checked'";
282 $checked{'ENABLE_SAFE_SEARCH'}{'off'} = '';
283 $checked{'ENABLE_SAFE_SEARCH'}{'on'} = '';
284 $checked{'ENABLE_SAFE_SEARCH'}{$settings{'ENABLE_SAFE_SEARCH'}} = "checked='checked'";
286 $selected{'PROTO'}{'UDP'} = '';
287 $selected{'PROTO'}{'TLS'} = '';
288 $selected{'PROTO'}{'TCP'} = '';
289 $selected{'PROTO'}{$settings{'PROTO'}} = "selected='selected'";
291 $selected{'QNAME_MIN'}{'standard'} = '';
292 $selected{'QNAME_MIN'}{'strict'} = '';
293 $selected{'QNAME_MIN'}{$settings{'QNAME_MIN'}} = "selected='selected'";
295 # Display nameserver and configuration sections.
297 &show_general_dns_configuration
();
299 &Header
::closebigbox
();
300 &Header
::closepage
();
303 # General DNS-Servers sektion.
305 sub show_general_dns_configuration
() {
306 &Header
::openbox
('100%', 'center', "$Lang::tr{'dns configuration'}");
309 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
313 $Lang::tr{'dns use isp assigned nameservers'}
317 <input type="checkbox" name="USE_ISP_NAMESERVERS" $checked{'USE_ISP_NAMESERVERS'}{'on'}>
329 $Lang::tr{'dns use protocol for dns queries'}
333 <select name="PROTO">
334 <option value="UDP" $selected{'PROTO'}{'UDP'}>UDP</option>
335 <option value="TLS" $selected{'PROTO'}{'TLS'}>TLS</option>
336 <option value="TCP" $selected{'PROTO'}{'TCP'}>TCP</option>
349 $Lang::tr{'dns enable safe-search'}
353 <input type="checkbox" name="ENABLE_SAFE_SEARCH" $checked{'ENABLE_SAFE_SEARCH'}{'on'}>
365 $Lang::tr{'dns mode for qname minimisation'}
369 <select name="QNAME_MIN">
370 <option value="standard" $selected{'QNAME_MIN'}{'standard'}>$Lang::tr{'standard'}</option>
371 <option value="strict" $selected{'QNAME_MIN'}{'strict'}>$Lang::tr{'strict'}</option>
377 <td colspan="2" align="right">
378 <input type="submit" name="GENERAL" value="$Lang::tr{'save'}">
389 # Section to display the configured and used DNS servers.
391 sub show_nameservers
() {
392 &Header
::openbox
('100%', 'center', "DNS-Servers");
395 <table class="tbl" width='100%'>
398 <strong>$Lang::tr{'nameserver'}</strong>
402 <strong>$Lang::tr{'country'}</strong>
406 <strong>$Lang::tr{'rdns'}</strong>
410 <strong>$Lang::tr{'remark'}</strong>
414 <strong>$Lang::tr{'status'}</strong>
417 <td align="center" colspan="3">
418 <strong>$Lang::tr{'action'}</strong>
423 # Check the usage of ISP assigned nameservers is enabled.
426 # Loop through the array which stores the files.
427 foreach my $file (@ISP_nameserver_files) {
428 # Grab the address of the nameserver.
429 my $address = &grab_address_from_file
($file);
431 # Check if we got an address.
433 # Add the address to the hash of nameservers.
434 $dns_servers{$id} = [ "$address", "none",
435 ($settings{'USE_ISP_NAMESERVERS'} eq "on") ?
"enabled" : "disabled",
436 "$Lang::tr{'dns isp assigned nameserver'}" ];
438 # Increase id by one.
443 # Check some DNS servers have been configured. In this case
444 # the hash contains at least one key.
446 if (keys %dns_servers) {
447 # Sort the keys by their ID and store them in an array.
448 my @keys = sort { $a <=> $b } keys %dns_servers;
450 # Loop through all entries of the array/hash.
451 foreach my $id (@keys) {
452 # Inrease server_amount.
455 # Assign data array positions to some nice variable names.
456 my $nameserver = $dns_servers{$id}[0];
457 my $tls_hostname = $dns_servers{$id}[1];
458 my $enabled = $dns_servers{$id}[2];
459 my $remark = $dns_servers{$id}[3];
468 if ($server_amount % 2) {
469 $col="bgcolor='$color{'color22'}'"; }
471 $col="bgcolor='$color{'color20'}'";
474 if ($enabled eq 'enabled') {
475 $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr
{'click to disable'};
477 $gif='off.gif'; $toggle='on'; $gdesc=$Lang::tr
{'click to enable'};
485 # Only grab the status if the nameserver is enabled.
486 if ($enabled eq "enabled") {
487 $status = &check_nameserver
("$nameserver", "ping.ipfire.org", "$settings{'PROTO'}", "$tls_hostname");
491 $status_short = "$Lang::tr{'disabled'}";
493 # DNSSEC Not supported
494 } elsif ($status eq 0) {
495 $status_short = "$Lang::tr{'broken'}";
496 $status_message = $Lang::tr
{'dnssec not supported'};
497 $status_colour = ${Header
::colourred
};
500 } elsif ($status eq 1) {
501 $status_short = "$Lang::tr{'not validating'}";
502 $status_message = $Lang::tr
{'dnssec aware'};
503 $status_colour = ${Header
::colourblack
};
506 } elsif ($status eq 2) {
507 $status_short = "$Lang::tr{'ok'}";
508 $status_message = $Lang::tr
{'dnssec validating'};
509 $status_colour = ${Header
::colourgreen
};
513 $status_short = "$Lang::tr{'error'}";
514 $status_message = $status;
515 $status_colour = ${Header
::colourred
};
518 # collect more information about name server (rDNS, GeoIP country code)
519 my $ccode = &GeoIP
::lookup
($nameserver);
520 my $flag_icon = &GeoIP
::get_flag_icon
($ccode);
524 # Only do the reverse lookup if the system is online.
525 if ( -f
"/var/ipfire/red/active") {
526 my $iaddr = inet_aton
($nameserver);
527 $rdns = gethostbyaddr($iaddr, AF_INET
);
530 if (!$rdns) { $rdns = $Lang::tr
{'lookup failed'}; }
532 # Mark ISP name servers as disabled
533 if ($id <= 2 && $enabled eq "disabled") {
534 $nameserver = "<del>$nameserver</del>";
539 <td align="center" $col>
543 <td align="center" $col>
544 <a href='country.cgi#$ccode'><img src="$flag_icon" border="0" alt="$ccode" title="$ccode" /></a>
547 <td align="center" $col>
551 <td align="center" $col>
555 <td align="center" $col>
556 <strong><font color="$status_colour"><abbr title="$status_message">$status_short</abbr></font></strong>
560 # Check if the id is greater than "2".
562 # Nameservers with an ID's of one or two are ISP assigned,
563 # and we cannot perform any actions on them, so hide the tools for
568 <td align='center' width='5%' $col>
569 <form method='post' name='frma$id' action='$ENV{'SCRIPT_NAME'}'>
570 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' title='$gdesc' alt='$gdesc' />
571 <input type='hidden' name='ID' value='$id' />
572 <input type='hidden' name='ENABLE' value='$toggle' />
573 <input type='hidden' name='SERVERS' value='$Lang::tr{'toggle enable disable'}' />
577 <td align='center' width='5%' $col>
578 <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
579 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' title='$Lang::tr{'edit'}' alt='$Lang::tr{'edit'}' />
580 <input type='hidden' name='ID' value='$id' />
581 <input type='hidden' name='SERVERS' value='$Lang::tr{'edit'}' />
585 <td align='center' width='5%' $col>
586 <form method='post' name='frmc$id' action='$ENV{'SCRIPT_NAME'}'>
587 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}' />
588 <input type='hidden' name='ID' value='$id' />
589 <input type='hidden' name='SERVERS' value='$Lang::tr{'remove'}' />
595 print "<td colspan='3' $col> </td>\n";
605 print"<table width='100%'>\n";
607 # Check if the usage of the ISP nameservers is enabled and there are more than 2 servers.
608 if (($settings{'USE_ISP_NAMESERVERS'} eq "on") && ($server_amount gt "2")) {
611 <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
612 <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
613 <td class='base'>$Lang::tr{'click to disable'}</td>
614 <td> <img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td>
615 <td class='base'>$Lang::tr{'click to enable'}</td>
616 <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
617 <td class='base'>$Lang::tr{'edit'}</td>
618 <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
619 <td class='base'>$Lang::tr{'remove'}</td>
626 <form method="post" action="$ENV{'SCRIPT_NAME'}">
627 <td colspan="9" align="right"><input type="submit" name="SERVERS" value="$Lang::tr{'add'}"></td>
638 <td colspan="6" align="center">
639 <br>$Lang::tr{'guardian no entries'}<br>
644 <form method="post" action="$ENV{'SCRIPT_NAME'}">
645 <td colspan="6" align="right"><input type="submit" name="SERVERS" value="$Lang::tr{'add'}"></td>
658 # Section to display the add or edit subpage.
660 sub show_add_edit_nameserver
() {
661 print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
663 my $buttontext = $Lang::tr
{'save'};
666 if ($cgiparams{'SERVERS'} eq $Lang::tr
{'edit'}) {
667 &Header
::openbox
('100%', 'left', $Lang::tr
{'dnsforward edit an entry'});
669 # Update button text for upate the existing entry.
670 $buttontext = $Lang::tr
{'update'};
672 # Add hidden input for sending ID.
673 print"<input type='hidden' name='ID' value='$cgiparams{'ID'}'>\n";
675 # Check if an ID has been given.
676 if ($cgiparams{'ID'}) {
677 # Assign cgiparams values.
678 $cgiparams{'NAMESERVER'} = $dns_servers{$cgiparams{'ID'}}[0];
679 $cgiparams{'TLS_HOSTNAME'} = $dns_servers{$cgiparams{'ID'}}[1];
680 $cgiparams{'REMARK'} = $dns_servers{$cgiparams{'ID'}}[3];
683 &Header
::openbox
('100%', 'left', $Lang::tr
{'dnsforward add a new entry'});
686 # Add hidden input to store the mode.
687 print "<input type='hidden' name='MODE' value='$cgiparams{'SERVERS'}'>\n";
692 <td width='20%' class='base'>$Lang::tr{'ip address'}: <img src='/blob.gif' alt='*' /></td>
693 <td><input type='text' name='NAMESERVER' value='$cgiparams{"NAMESERVER"}' size='24' /></td>
697 # If the protocol is TLS, display the TLS hostname input.
698 if ($settings{'PROTO'} eq "TLS") {
701 <td width='20%' class='base'>$Lang::tr{'dns tls hostname'}: <img src='/blob.gif' alt='*'></td>
702 <td><input type='text' name='TLS_HOSTNAME' value='$cgiparams{'TLS_HOSTNAME'}' size='24'></td>
711 <td width ='20%' class='base'>$Lang::tr{'remark'}:</td>
712 <td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='40' maxlength='50' /></td>
721 <td class='base' width='55%'><img src='/blob.gif' alt ='*' align='top' /> $Lang::tr{'required field'}</td>
722 <td width='40%' align='right'>
723 <input type="submit" name="SERVERS" value="$buttontext">
724 <input type="submit" name="SERVERS" value="$Lang::tr{'back'}">
737 # Tiny function to grab an IP-address of a given file.
738 sub grab_address_from_file
($) {
743 # Check if the given file exists.
745 # Open the file for reading.
746 open(FILE
, $file) or die "Could not read from $file. $!\n";
748 # Read the address from the file.
757 # Check if the obtained address is valid.
758 if (&General
::validip
($address)) {
759 # Return the address.
768 # Function to check a given nameserver against propper work.
769 sub check_nameserver
($$$$) {
770 my ($nameserver, $record, $proto, $tls_hostname) = @_;
773 my @command = ("kdig", "+timeout=2", "+retry=0", "+dnssec",
776 # Handle different protols.
777 if ($proto eq "TCP") {
778 # Add TCP switch to the command.
779 push(@command, "+tcp");
781 } elsif($proto eq "TLS") {
782 # Add TLS switch to the command and provide the
783 # path to our file which contains the ca certs.
784 push(@command, "+tls-ca=$ca_certs_file");
786 # Check if a TLS hostname has been provided.
788 # Add TLS hostname to the command.
789 push(@command, "+tls-hostname=$tls_hostname");
791 return "$Lang::tr{'dns no tls hostname given'}";
795 # Add record to the command array.
796 push(@command, "$record");
798 # Add nameserver to the command array.
799 push(@command, "\@$nameserver");
801 # Connect to STDOUT and STDERR.
802 push(@command, "2>&1");
804 my @output = qx(@command);
805 my $output = join("", @output);
809 if ($output =~ m/status: (\w+)/) {
810 $status = ($1 eq "NOERROR");
818 while ($output =~ m/WARNING: (.*)/g) {
819 # Add the current grabbed warning to the warning string.
823 # Return the warning string, if we grabbed at least one.
830 if ($output =~ m/Flags: (.*);/) {
831 @flags = split(/ /, $1);
834 my $aware = ($output =~ m/RRSIG/);
835 my $validating = (grep(/ad;/, @flags));
837 return $aware + $validating;