src/shared/resolve-util.h

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2 #pragma once
   3
   4 #include "conf-parser-forward.h"
   5 #include "forward.h"
   6
   7 /* 127.0.0.53 in native endian (The IP address we listen on with the full DNS stub, i.e. that does LLMNR/mDNS, and stuff) */
   8 #define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)
   9
  10 /* 127.0.0.54 in native endian (The IP address we listen on we only implement "proxy" mode) */
  11 #define INADDR_DNS_PROXY_STUB ((in_addr_t) 0x7f000036U)
  12
  13 /* 127.0.0.2 is an address we always map to the local hostname. This is different from 127.0.0.1 which maps to "localhost" */
  14 #define INADDR_LOCALADDRESS ((in_addr_t) 0x7f000002U)
  15
  16 typedef enum DnsCacheMode {
  17         DNS_CACHE_MODE_NO,
  18         DNS_CACHE_MODE_YES,
  19         DNS_CACHE_MODE_NO_NEGATIVE,
  20         _DNS_CACHE_MODE_MAX,
  21         _DNS_CACHE_MODE_INVALID = -EINVAL,
  22 } DnsCacheMode;
  23
  24 /* Do not change the order, see link_get_llmnr_support() or link_get_mdns_support(). */
  25 typedef enum ResolveSupport {
  26         RESOLVE_SUPPORT_NO,
  27         RESOLVE_SUPPORT_RESOLVE,
  28         RESOLVE_SUPPORT_YES,
  29         _RESOLVE_SUPPORT_MAX,
  30         _RESOLVE_SUPPORT_INVALID = -EINVAL,
  31 } ResolveSupport;
  32
  33 typedef enum DnssecMode {
  34         /* No DNSSEC validation is done */
  35         DNSSEC_NO,
  36
  37         /* Validate locally, if the server knows DO, but if not,
  38          * don't. Don't trust the AD bit. If the server doesn't do
  39          * DNSSEC properly, downgrade to non-DNSSEC operation. Of
  40          * course, we then are vulnerable to a downgrade attack, but
  41          * that's life and what is configured. */
  42         DNSSEC_ALLOW_DOWNGRADE,
  43
  44         /* Insist on DNSSEC server support, and rather fail than downgrading. */
  45         DNSSEC_YES,
  46
  47         _DNSSEC_MODE_MAX,
  48         _DNSSEC_MODE_INVALID = -EINVAL,
  49 } DnssecMode;
  50
  51 typedef enum DnsOverTlsMode {
  52         /* No connection is made for DNS-over-TLS */
  53         DNS_OVER_TLS_NO,
  54
  55         /* Try to connect using DNS-over-TLS, but if connection fails,
  56          * fall back to using an unencrypted connection */
  57         DNS_OVER_TLS_OPPORTUNISTIC,
  58
  59         /* Enforce DNS-over-TLS and require valid server certificates */
  60         DNS_OVER_TLS_YES,
  61
  62         _DNS_OVER_TLS_MODE_MAX,
  63         _DNS_OVER_TLS_MODE_INVALID = -EINVAL,
  64 } DnsOverTlsMode;
  65
  66 CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
  67 CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
  68 CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
  69 CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);
  70
  71 const char* resolve_support_to_string(ResolveSupport p) _const_;
  72 ResolveSupport resolve_support_from_string(const char *s) _pure_;
  73
  74 const char* dnssec_mode_to_string(DnssecMode p) _const_;
  75 DnssecMode dnssec_mode_from_string(const char *s) _pure_;
  76
  77 const char* dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
  78 DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;
  79
  80 bool dns_server_address_valid(int family, const union in_addr_union *sa);
  81
  82 const char* dns_cache_mode_to_string(DnsCacheMode p) _const_;
  83 DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_;
  84
  85 /* A resolv.conf file containing the DNS server and domain data we learnt from uplink, i.e. the full uplink data */
  86 #define PRIVATE_UPLINK_RESOLV_CONF "/run/systemd/resolve/resolv.conf"
  87
  88 /* A resolv.conf file containing the domain data we learnt from uplink, but our own DNS server address. */
  89 #define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf"
  90
  91 /* A static resolv.conf file containing no domains, but only our own DNS server address */
  92 #define PRIVATE_STATIC_RESOLV_CONF LIBEXECDIR "/resolv.conf"