feat(dns): replace unbound with qdm12/dns@v2.0.0-beta-rc6 (#1742)

- Faster start up - Clearer error messages - Allow for more Gluetun-specific customization - DNSSEC validation is dropped for now (it's sort of unneeded) - Fix #137
2024-08-21 14:35:41 +02:00
parent 3f130931d2
commit 4d60b71583
30 changed files with 387 additions and 762 deletions
--- a/internal/configuration/settings/deprecated.go
+++ b/internal/configuration/settings/deprecated.go
@@ -0,0 +1,25 @@
+package settings
+
+import (
+	"slices"
+
+	"github.com/qdm12/gosettings/reader"
+	"golang.org/x/exp/maps"
+)
+
+func readObsolete(r *reader.Reader) (warnings []string) {
+	keyToMessage := map[string]string{
+		"DOT_VERBOSITY":           "DOT_VERBOSITY is obsolete, use LOG_LEVEL instead.",
+		"DOT_VERBOSITY_DETAILS":   "DOT_VERBOSITY_DETAILS is obsolete because it was specific to Unbound.",
+		"DOT_VALIDATION_LOGLEVEL": "DOT_VALIDATION_LOGLEVEL is obsolete because DNSSEC validation is not implemented.",
+	}
+	sortedKeys := maps.Keys(keyToMessage)
+	slices.Sort(sortedKeys)
+	warnings = make([]string, 0, len(keyToMessage))
+	for _, key := range sortedKeys {
+		if r.Get(key) != nil {
+			warnings = append(warnings, keyToMessage[key])
+		}
+	}
+	return warnings
+}
--- a/internal/configuration/settings/dnsblacklist.go
+++ b/internal/configuration/settings/dnsblacklist.go
@@ -3,10 +3,11 @@ package settings
 import (
 	"errors"
 	"fmt"
+	"net/http"
 	"net/netip"
 	"regexp"

-	"github.com/qdm12/dns/pkg/blacklist"
+	"github.com/qdm12/dns/v2/pkg/blockbuilder"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
 	"github.com/qdm12/gotree"
@@ -74,16 +75,18 @@ func (b *DNSBlacklist) overrideWith(other DNSBlacklist) {
 	b.AddBlockedIPPrefixes = gosettings.OverrideWithSlice(b.AddBlockedIPPrefixes, other.AddBlockedIPPrefixes)
 }

-func (b DNSBlacklist) ToBlacklistFormat() (settings blacklist.BuilderSettings, err error) {
-	return blacklist.BuilderSettings{
-		BlockMalicious:       *b.BlockMalicious,
-		BlockAds:             *b.BlockAds,
-		BlockSurveillance:    *b.BlockSurveillance,
+func (b DNSBlacklist) ToBlockBuilderSettings(client *http.Client) (
+	settings blockbuilder.Settings) {
+	return blockbuilder.Settings{
+		Client:               client,
+		BlockMalicious:       b.BlockMalicious,
+		BlockAds:             b.BlockAds,
+		BlockSurveillance:    b.BlockSurveillance,
 		AllowedHosts:         b.AllowedHosts,
 		AddBlockedHosts:      b.AddBlockedHosts,
-		AddBlockedIPs:        netipAddressesToNetaddrIPs(b.AddBlockedIPs),
-		AddBlockedIPPrefixes: netipPrefixesToNetaddrIPPrefixes(b.AddBlockedIPPrefixes),
-	}, nil
+		AddBlockedIPs:        b.AddBlockedIPs,
+		AddBlockedIPPrefixes: b.AddBlockedIPPrefixes,
+	}
 }

 func (b DNSBlacklist) String() string {
--- a/internal/configuration/settings/dot.go
+++ b/internal/configuration/settings/dot.go
@@ -3,8 +3,10 @@ package settings
 import (
 	"errors"
 	"fmt"
+	"net/netip"
 	"time"

+	"github.com/qdm12/dns/v2/pkg/provider"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
 	"github.com/qdm12/gotree"
@@ -16,14 +18,18 @@ type DoT struct {
 	// and used. It defaults to true, and cannot be nil
 	// in the internal state.
 	Enabled *bool
-	// UpdatePeriod is the period to update DNS block
-	// lists and cryptographic files for DNSSEC validation.
+	// UpdatePeriod is the period to update DNS block lists.
 	// It can be set to 0 to disable the update.
 	// It defaults to 24h and cannot be nil in
 	// the internal state.
 	UpdatePeriod *time.Duration
-	// Unbound contains settings to configure Unbound.
-	Unbound Unbound
+	// Providers is a list of DNS over TLS providers
+	Providers []string `json:"providers"`
+	// Caching is true if the DoT server should cache
+	// DNS responses.
+	Caching *bool `json:"caching"`
+	// IPv6 is true if the DoT server should connect over IPv6.
+	IPv6 *bool `json:"ipv6"`
 	// Blacklist contains settings to configure the filter
 	// block lists.
 	Blacklist DNSBlacklist
@@ -40,9 +46,12 @@ func (d DoT) validate() (err error) {
 			ErrDoTUpdatePeriodTooShort, *d.UpdatePeriod, minUpdatePeriod)
 	}

-	err = d.Unbound.validate()
-	if err != nil {
-		return err
+	providers := provider.NewProviders()
+	for _, providerName := range d.Providers {
+		_, err := providers.Get(providerName)
+		if err != nil {
+			return err
+		}
 	}

 	err = d.Blacklist.validate()
@@ -57,7 +66,9 @@ func (d *DoT) copy() (copied DoT) {
 	return DoT{
 		Enabled:      gosettings.CopyPointer(d.Enabled),
 		UpdatePeriod: gosettings.CopyPointer(d.UpdatePeriod),
-		Unbound:      d.Unbound.copy(),
+		Providers:    gosettings.CopySlice(d.Providers),
+		Caching:      gosettings.CopyPointer(d.Caching),
+		IPv6:         gosettings.CopyPointer(d.IPv6),
 		Blacklist:    d.Blacklist.copy(),
 	}
 }
@@ -68,7 +79,9 @@ func (d *DoT) copy() (copied DoT) {
 func (d *DoT) overrideWith(other DoT) {
 	d.Enabled = gosettings.OverrideWithPointer(d.Enabled, other.Enabled)
 	d.UpdatePeriod = gosettings.OverrideWithPointer(d.UpdatePeriod, other.UpdatePeriod)
-	d.Unbound.overrideWith(other.Unbound)
+	d.Providers = gosettings.OverrideWithSlice(d.Providers, other.Providers)
+	d.Caching = gosettings.OverrideWithPointer(d.Caching, other.Caching)
+	d.IPv6 = gosettings.OverrideWithPointer(d.IPv6, other.IPv6)
 	d.Blacklist.overrideWith(other.Blacklist)
 }

@@ -76,10 +89,26 @@ func (d *DoT) setDefaults() {
 	d.Enabled = gosettings.DefaultPointer(d.Enabled, true)
 	const defaultUpdatePeriod = 24 * time.Hour
 	d.UpdatePeriod = gosettings.DefaultPointer(d.UpdatePeriod, defaultUpdatePeriod)
-	d.Unbound.setDefaults()
+	d.Providers = gosettings.DefaultSlice(d.Providers, []string{
+		provider.Cloudflare().Name,
+	})
+	d.Caching = gosettings.DefaultPointer(d.Caching, true)
+	d.IPv6 = gosettings.DefaultPointer(d.IPv6, false)
 	d.Blacklist.setDefaults()
 }

+func (d DoT) GetFirstPlaintextIPv4() (ipv4 netip.Addr) {
+	providers := provider.NewProviders()
+	provider, err := providers.Get(d.Providers[0])
+	if err != nil {
+		// Settings should be validated before calling this function,
+		// so an error happening here is a programming error.
+		panic(err)
+	}
+
+	return provider.DoT.IPv4[0].Addr()
+}
+
 func (d DoT) String() string {
 	return d.toLinesNode().String()
 }
@@ -98,7 +127,14 @@ func (d DoT) toLinesNode() (node *gotree.Node) {
 	}
 	node.Appendf("Update period: %s", update)

-	node.AppendNode(d.Unbound.toLinesNode())
+	upstreamResolvers := node.Appendf("Upstream resolvers:")
+	for _, provider := range d.Providers {
+		upstreamResolvers.Appendf(provider)
+	}
+
+	node.Appendf("Caching: %s", gosettings.BoolToYesNo(d.Caching))
+	node.Appendf("IPv6: %s", gosettings.BoolToYesNo(d.IPv6))
+
 	node.AppendNode(d.Blacklist.toLinesNode())

 	return node
@@ -115,7 +151,14 @@ func (d *DoT) read(reader *reader.Reader) (err error) {
 		return err
 	}

-	err = d.Unbound.read(reader)
+	d.Providers = reader.CSV("DOT_PROVIDERS")
+
+	d.Caching, err = reader.BoolPtr("DOT_CACHING")
+	if err != nil {
+		return err
+	}
+
+	d.IPv6, err = reader.BoolPtr("DOT_IPV6")
 	if err != nil {
 		return err
 	}
--- a/internal/configuration/settings/helpers_test.go
+++ b/internal/configuration/settings/helpers_test.go
@@ -1,4 +1,3 @@
 package settings

-func boolPtr(b bool) *bool    { return &b }
-func uint8Ptr(n uint8) *uint8 { return &n }
+func boolPtr(b bool) *bool { return &b }
--- a/internal/configuration/settings/netaddr.go
+++ b/internal/configuration/settings/netaddr.go
@@ -1,36 +0,0 @@
-package settings
-
-import (
-	"net/netip"
-
-	"inet.af/netaddr"
-)
-
-func netipAddressToNetaddrIP(address netip.Addr) (ip netaddr.IP) {
-	if address.Is4() {
-		return netaddr.IPFrom4(address.As4())
-	}
-	return netaddr.IPFrom16(address.As16())
-}
-
-func netipAddressesToNetaddrIPs(addresses []netip.Addr) (ips []netaddr.IP) {
-	ips = make([]netaddr.IP, len(addresses))
-	for i := range addresses {
-		ips[i] = netipAddressToNetaddrIP(addresses[i])
-	}
-	return ips
-}
-
-func netipPrefixToNetaddrIPPrefix(prefix netip.Prefix) (ipPrefix netaddr.IPPrefix) {
-	netaddrIP := netipAddressToNetaddrIP(prefix.Addr())
-	bits := prefix.Bits()
-	return netaddr.IPPrefixFrom(netaddrIP, uint8(bits))
-}
-
-func netipPrefixesToNetaddrIPPrefixes(prefixes []netip.Prefix) (ipPrefixes []netaddr.IPPrefix) {
-	ipPrefixes = make([]netaddr.IPPrefix, len(prefixes))
-	for i := range ipPrefixes {
-		ipPrefixes[i] = netipPrefixToNetaddrIPPrefix(prefixes[i])
-	}
-	return ipPrefixes
-}
--- a/internal/configuration/settings/settings.go
+++ b/internal/configuration/settings/settings.go
@@ -184,7 +184,12 @@ func (s Settings) Warnings() (warnings []string) {
 	return warnings
 }

-func (s *Settings) Read(r *reader.Reader) (err error) {
+func (s *Settings) Read(r *reader.Reader, warner Warner) (err error) {
+	warnings := readObsolete(r)
+	for _, warning := range warnings {
+		warner.Warn(warning)
+	}
+
 	readFunctions := map[string]func(r *reader.Reader) error{
 		"control server": s.ControlServer.read,
 		"DNS":            s.DNS.read,
--- a/internal/configuration/settings/settings_test.go
+++ b/internal/configuration/settings/settings_test.go
@@ -43,18 +43,10 @@ func Test_Settings_String(t *testing.T) {
 |   └── DNS over TLS settings:
 |       ├── Enabled: yes
 |       ├── Update period: every 24h0m0s
-|       ├── Unbound settings:
-|       |   ├── Authoritative servers:
-|       |   |   └── Cloudflare
-|       |   ├── Caching: yes
-|       |   ├── IPv6: no
-|       |   ├── Verbosity level: 1
-|       |   ├── Verbosity details level: 0
-|       |   ├── Validation log level: 0
-|       |   ├── System user: root
-|       |   └── Allowed networks:
-|       |       ├── 0.0.0.0/0
-|       |       └── ::/0
+|       ├── Upstream resolvers:
+|       |   └── Cloudflare
+|       ├── Caching: yes
+|       ├── IPv6: no
 |       └── DNS filtering settings:
 |           ├── Block malicious: yes
 |           ├── Block ads: no
--- a/internal/configuration/settings/unbound.go
+++ b/internal/configuration/settings/unbound.go
@@ -1,223 +0,0 @@
-package settings
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-
-	"github.com/qdm12/dns/pkg/provider"
-	"github.com/qdm12/dns/pkg/unbound"
-	"github.com/qdm12/gosettings"
-	"github.com/qdm12/gosettings/reader"
-	"github.com/qdm12/gotree"
-)
-
-// Unbound is settings for the Unbound program.
-type Unbound struct {
-	Providers             []string       `json:"providers"`
-	Caching               *bool          `json:"caching"`
-	IPv6                  *bool          `json:"ipv6"`
-	VerbosityLevel        *uint8         `json:"verbosity_level"`
-	VerbosityDetailsLevel *uint8         `json:"verbosity_details_level"`
-	ValidationLogLevel    *uint8         `json:"validation_log_level"`
-	Username              string         `json:"username"`
-	Allowed               []netip.Prefix `json:"allowed"`
-}
-
-func (u *Unbound) setDefaults() {
-	if len(u.Providers) == 0 {
-		u.Providers = []string{
-			provider.Cloudflare().String(),
-		}
-	}
-
-	u.Caching = gosettings.DefaultPointer(u.Caching, true)
-	u.IPv6 = gosettings.DefaultPointer(u.IPv6, false)
-
-	const defaultVerbosityLevel = 1
-	u.VerbosityLevel = gosettings.DefaultPointer(u.VerbosityLevel, defaultVerbosityLevel)
-
-	const defaultVerbosityDetailsLevel = 0
-	u.VerbosityDetailsLevel = gosettings.DefaultPointer(u.VerbosityDetailsLevel, defaultVerbosityDetailsLevel)
-
-	const defaultValidationLogLevel = 0
-	u.ValidationLogLevel = gosettings.DefaultPointer(u.ValidationLogLevel, defaultValidationLogLevel)
-
-	if u.Allowed == nil {
-		u.Allowed = []netip.Prefix{
-			netip.PrefixFrom(netip.AddrFrom4([4]byte{}), 0),
-			netip.PrefixFrom(netip.AddrFrom16([16]byte{}), 0),
-		}
-	}
-
-	u.Username = gosettings.DefaultComparable(u.Username, "root")
-}
-
-var (
-	ErrUnboundVerbosityLevelNotValid        = errors.New("Unbound verbosity level is not valid")
-	ErrUnboundVerbosityDetailsLevelNotValid = errors.New("Unbound verbosity details level is not valid")
-	ErrUnboundValidationLogLevelNotValid    = errors.New("Unbound validation log level is not valid")
-)
-
-func (u Unbound) validate() (err error) {
-	for _, s := range u.Providers {
-		_, err := provider.Parse(s)
-		if err != nil {
-			return err
-		}
-	}
-
-	const maxVerbosityLevel = 5
-	if *u.VerbosityLevel > maxVerbosityLevel {
-		return fmt.Errorf("%w: %d must be between 0 and %d",
-			ErrUnboundVerbosityLevelNotValid,
-			*u.VerbosityLevel,
-			maxVerbosityLevel)
-	}
-
-	const maxVerbosityDetailsLevel = 4
-	if *u.VerbosityDetailsLevel > maxVerbosityDetailsLevel {
-		return fmt.Errorf("%w: %d must be between 0 and %d",
-			ErrUnboundVerbosityDetailsLevelNotValid,
-			*u.VerbosityDetailsLevel,
-			maxVerbosityDetailsLevel)
-	}
-
-	const maxValidationLogLevel = 2
-	if *u.ValidationLogLevel > maxValidationLogLevel {
-		return fmt.Errorf("%w: %d must be between 0 and %d",
-			ErrUnboundValidationLogLevelNotValid,
-			*u.ValidationLogLevel, maxValidationLogLevel)
-	}
-
-	return nil
-}
-
-func (u Unbound) copy() (copied Unbound) {
-	return Unbound{
-		Providers:             gosettings.CopySlice(u.Providers),
-		Caching:               gosettings.CopyPointer(u.Caching),
-		IPv6:                  gosettings.CopyPointer(u.IPv6),
-		VerbosityLevel:        gosettings.CopyPointer(u.VerbosityLevel),
-		VerbosityDetailsLevel: gosettings.CopyPointer(u.VerbosityDetailsLevel),
-		ValidationLogLevel:    gosettings.CopyPointer(u.ValidationLogLevel),
-		Username:              u.Username,
-		Allowed:               gosettings.CopySlice(u.Allowed),
-	}
-}
-
-func (u *Unbound) overrideWith(other Unbound) {
-	u.Providers = gosettings.OverrideWithSlice(u.Providers, other.Providers)
-	u.Caching = gosettings.OverrideWithPointer(u.Caching, other.Caching)
-	u.IPv6 = gosettings.OverrideWithPointer(u.IPv6, other.IPv6)
-	u.VerbosityLevel = gosettings.OverrideWithPointer(u.VerbosityLevel, other.VerbosityLevel)
-	u.VerbosityDetailsLevel = gosettings.OverrideWithPointer(u.VerbosityDetailsLevel, other.VerbosityDetailsLevel)
-	u.ValidationLogLevel = gosettings.OverrideWithPointer(u.ValidationLogLevel, other.ValidationLogLevel)
-	u.Username = gosettings.OverrideWithComparable(u.Username, other.Username)
-	u.Allowed = gosettings.OverrideWithSlice(u.Allowed, other.Allowed)
-}
-
-func (u Unbound) ToUnboundFormat() (settings unbound.Settings, err error) {
-	providers := make([]provider.Provider, len(u.Providers))
-	for i := range providers {
-		providers[i], err = provider.Parse(u.Providers[i])
-		if err != nil {
-			return settings, err
-		}
-	}
-
-	const port = 53
-
-	return unbound.Settings{
-		ListeningPort:         port,
-		IPv4:                  true,
-		Providers:             providers,
-		Caching:               *u.Caching,
-		IPv6:                  *u.IPv6,
-		VerbosityLevel:        *u.VerbosityLevel,
-		VerbosityDetailsLevel: *u.VerbosityDetailsLevel,
-		ValidationLogLevel:    *u.ValidationLogLevel,
-		AccessControl: unbound.AccessControlSettings{
-			Allowed: netipPrefixesToNetaddrIPPrefixes(u.Allowed),
-		},
-		Username: u.Username,
-	}, nil
-}
-
-var (
-	ErrConvertingNetip = errors.New("converting net.IP to netip.Addr failed")
-)
-
-func (u Unbound) GetFirstPlaintextIPv4() (ipv4 netip.Addr, err error) {
-	s := u.Providers[0]
-	provider, err := provider.Parse(s)
-	if err != nil {
-		return ipv4, err
-	}
-
-	ip := provider.DNS().IPv4[0]
-	ipv4, ok := netip.AddrFromSlice(ip)
-	if !ok {
-		return ipv4, fmt.Errorf("%w: for ip %s (%#v)",
-			ErrConvertingNetip, ip, ip)
-	}
-	return ipv4.Unmap(), nil
-}
-
-func (u Unbound) String() string {
-	return u.toLinesNode().String()
-}
-
-func (u Unbound) toLinesNode() (node *gotree.Node) {
-	node = gotree.New("Unbound settings:")
-
-	authServers := node.Appendf("Authoritative servers:")
-	for _, provider := range u.Providers {
-		authServers.Appendf(provider)
-	}
-
-	node.Appendf("Caching: %s", gosettings.BoolToYesNo(u.Caching))
-	node.Appendf("IPv6: %s", gosettings.BoolToYesNo(u.IPv6))
-	node.Appendf("Verbosity level: %d", *u.VerbosityLevel)
-	node.Appendf("Verbosity details level: %d", *u.VerbosityDetailsLevel)
-	node.Appendf("Validation log level: %d", *u.ValidationLogLevel)
-	node.Appendf("System user: %s", u.Username)
-
-	allowedNetworks := node.Appendf("Allowed networks:")
-	for _, network := range u.Allowed {
-		allowedNetworks.Appendf(network.String())
-	}
-
-	return node
-}
-
-func (u *Unbound) read(reader *reader.Reader) (err error) {
-	u.Providers = reader.CSV("DOT_PROVIDERS")
-
-	u.Caching, err = reader.BoolPtr("DOT_CACHING")
-	if err != nil {
-		return err
-	}
-
-	u.IPv6, err = reader.BoolPtr("DOT_IPV6")
-	if err != nil {
-		return err
-	}
-
-	u.VerbosityLevel, err = reader.Uint8Ptr("DOT_VERBOSITY")
-	if err != nil {
-		return err
-	}
-
-	u.VerbosityDetailsLevel, err = reader.Uint8Ptr("DOT_VERBOSITY_DETAILS")
-	if err != nil {
-		return err
-	}
-
-	u.ValidationLogLevel, err = reader.Uint8Ptr("DOT_VALIDATION_LOGLEVEL")
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/internal/configuration/settings/unbound_test.go
+++ b/internal/configuration/settings/unbound_test.go
@@ -1,43 +0,0 @@
-package settings
-
-import (
-	"encoding/json"
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func Test_Unbound_JSON(t *testing.T) {
-	t.Parallel()
-
-	settings := Unbound{
-		Providers:             []string{"cloudflare"},
-		Caching:               boolPtr(true),
-		IPv6:                  boolPtr(false),
-		VerbosityLevel:        uint8Ptr(1),
-		VerbosityDetailsLevel: nil,
-		ValidationLogLevel:    uint8Ptr(0),
-		Username:              "user",
-		Allowed: []netip.Prefix{
-			netip.PrefixFrom(netip.AddrFrom4([4]byte{}), 0),
-			netip.PrefixFrom(netip.AddrFrom16([16]byte{}), 0),
-		},
-	}
-
-	b, err := json.Marshal(settings)
-	require.NoError(t, err)
-
-	const expected = `{"providers":["cloudflare"],"caching":true,"ipv6":false,` +
-		`"verbosity_level":1,"verbosity_details_level":null,"validation_log_level":0,` +
-		`"username":"user","allowed":["0.0.0.0/0","::/0"]}`
-
-	assert.Equal(t, expected, string(b))
-
-	var resultSettings Unbound
-	err = json.Unmarshal(b, &resultSettings)
-	require.NoError(t, err)
-
-	assert.Equal(t, settings, resultSettings)
-}