1 /* SPDX-License-Identifier: LGPL-2.1+ */
4 #include "conf-parser.h"
5 #include "in-addr-util.h"
8 /* 127.0.0.53 in native (host) byte order */
9 #define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)
11 typedef enum DnsCacheMode DnsCacheMode
;
16 DNS_CACHE_MODE_NO_NEGATIVE
,
18 _DNS_CACHE_MODE_INVALID
= 1
21 typedef enum ResolveSupport ResolveSupport
;
22 typedef enum DnssecMode DnssecMode
;
23 typedef enum DnsOverTlsMode DnsOverTlsMode
;
28 RESOLVE_SUPPORT_RESOLVE
,
30 _RESOLVE_SUPPORT_INVALID
= -1
34 /* No DNSSEC validation is done */
37 /* Validate locally if the server supports the DO (DNSSEC OK) bit, but if not,
38 * don't. Don't trust the AD bit. If the server doesn't do
39 * DNSSEC properly, downgrade to non-DNSSEC operation. Of
40 * course, we are then vulnerable to a downgrade attack, but
41 * that's life and what is configured. */
42 DNSSEC_ALLOW_DOWNGRADE
,
44 /* Insist on DNSSEC server support, and rather fail than downgrade. */
48 _DNSSEC_MODE_INVALID
= -1
52 /* No connection is made for DNS-over-TLS */
55 /* Try to connect using DNS-over-TLS, but if the connection fails,
56 * fall back to using an unencrypted connection */
57 DNS_OVER_TLS_OPPORTUNISTIC
,
59 /* Enforce DNS-over-TLS and require valid server certificates */
62 _DNS_OVER_TLS_MODE_MAX
,
63 _DNS_OVER_TLS_MODE_INVALID
= -1
66 CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support
);
67 CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode
);
68 CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode
);
69 CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode
);
71 const char* resolve_support_to_string(ResolveSupport p
) _const_
;
72 ResolveSupport
resolve_support_from_string(const char *s
) _pure_
;
74 const char* dnssec_mode_to_string(DnssecMode p
) _const_
;
75 DnssecMode
dnssec_mode_from_string(const char *s
) _pure_
;
77 const char* dns_over_tls_mode_to_string(DnsOverTlsMode p
) _const_
;
78 DnsOverTlsMode
dns_over_tls_mode_from_string(const char *s
) _pure_
;
80 bool dns_server_address_valid(int family
, const union in_addr_union
*sa
);
82 const char* dns_cache_mode_to_string(DnsCacheMode p
) _const_
;
83 DnsCacheMode
dns_cache_mode_from_string(const char *s
) _pure_
;
85 /* A resolv.conf file containing the DNS server and domain data we learnt from the uplink, i.e. the full uplink data */
86 #define PRIVATE_UPLINK_RESOLV_CONF "/run/systemd/resolve/resolv.conf"
88 /* A resolv.conf file containing the domain data we learnt from the uplink, but our own DNS server address. */
89 #define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf"
91 /* A static resolv.conf file containing no domains, but only our own DNS server address */
92 #define PRIVATE_STATIC_RESOLV_CONF ROOTLIBEXECDIR "/resolv.conf"