Skip to content

Commit

Permalink
dns option: remove support for exclude-domains
Browse files Browse the repository at this point in the history
No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it is better to not
support this instead of supporting it, but incorrectly.

Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund <[email protected]>
Acked-by: Lev Stipakov <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27008.html
Signed-off-by: Gert Doering <[email protected]>
  • Loading branch information
d12fk authored and cron2 committed Sep 22, 2023
1 parent 6d76218 commit b7eea48
Show file tree
Hide file tree
Showing 5 changed files with 7 additions and 45 deletions.
14 changes: 5 additions & 9 deletions doc/man-sections/client-options.rst
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ configuration.

dns search-domains domain [domain ...]
dns server n address addr[:port] [addr[:port] ...]
dns server n resolve-domains|exclude-domains domain [domain ...]
dns server n resolve-domains domain [domain ...]
dns server n dnssec yes|optional|no
dns server n transport DoH|DoT|plain
dns server n sni server-name
Expand All @@ -191,14 +191,10 @@ configuration.
Optionally a port can be appended after a colon. IPv6 addresses need to
be enclosed in brackets if a port is appended.

The ``resolve-domains`` and ``exclude-domains`` options take one or
more DNS domains which are explicitly resolved or explicitly not resolved
by a server. Only one of the options can be configured for a server.
``resolve-domains`` is used to define a split-dns setup, where only
given domains are resolved by a server. ``exclude-domains`` is used to
define domains which will never be resolved by a server (e.g. domains
which can only be resolved locally). Systems which do not support fine
grained DNS domain configuration, will ignore these settings.
The ``resolve-domains`` option takes one or more DNS domains used to define
a split-dns or dns-routing setup, where only the given domains are resolved
by the server. Systems which do not support fine grained DNS domain
configuration will ignore this setting.

The ``dnssec`` option is used to configure validation of DNSSEC records.
While the exact semantics may differ for resolvers on different systems,
Expand Down
1 change: 0 additions & 1 deletion doc/man-sections/script-options.rst
Original file line number Diff line number Diff line change
Expand Up @@ -663,7 +663,6 @@ instances.
dns_server_{n}_address_{m}
dns_server_{n}_port_{m}
dns_server_{n}_resolve_domain_{m}
dns_server_{n}_exclude_domain_{m}
dns_server_{n}_dnssec
dns_server_{n}_transport
dns_server_{n}_sni
Expand Down
13 changes: 2 additions & 11 deletions src/openvpn/dns.c
Original file line number Diff line number Diff line change
Expand Up @@ -400,11 +400,9 @@ setenv_dns_options(const struct dns_options *o, struct env_set *es)

if (s->domains)
{
const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ?
"dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d";
for (j = 1, d = s->domains; d != NULL; j++, d = d->next)
{
setenv_dns_option(es, format, i, j, d->name);
setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name);
}
}

Expand Down Expand Up @@ -482,14 +480,7 @@ show_dns_options(const struct dns_options *o)
struct dns_domain *domain = server->domains;
if (domain)
{
if (server->domain_type == DNS_RESOLVE_DOMAINS)
{
msg(D_SHOW_PARMS, " resolve domains:");
}
else
{
msg(D_SHOW_PARMS, " exclude domains:");
}
msg(D_SHOW_PARMS, " resolve domains:");
while (domain)
{
msg(D_SHOW_PARMS, " %s", domain->name);
Expand Down
7 changes: 0 additions & 7 deletions src/openvpn/dns.h
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,6 @@
#include "buffer.h"
#include "env_set.h"

enum dns_domain_type {
DNS_DOMAINS_UNSET,
DNS_RESOLVE_DOMAINS,
DNS_EXCLUDE_DOMAINS
};

enum dns_security {
DNS_SECURITY_UNSET,
DNS_SECURITY_NO,
Expand Down Expand Up @@ -68,7 +62,6 @@ struct dns_server {
size_t addr_count;
struct dns_server_addr addr[8];
struct dns_domain *domains;
enum dns_domain_type domain_type;
enum dns_security dnssec;
enum dns_server_transport transport;
const char *sni;
Expand Down
17 changes: 0 additions & 17 deletions src/openvpn/options.c
Original file line number Diff line number Diff line change
Expand Up @@ -512,7 +512,6 @@ static const char usage_message[] =
" Valid options are :\n"
" address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
" resolve-domains <domain> [domain ...] : split domains\n"
" exclude-domains <domain> [domain ...] : domains not to resolve\n"
" dnssec <yes|no|optional> : option to use DNSSEC\n"
" type <DoH|DoT> : query server over HTTPS / TLS\n"
" sni <domain> : DNS server name indication\n"
Expand Down Expand Up @@ -8022,22 +8021,6 @@ add_option(struct options *options,
}
else if (streq(p[3], "resolve-domains"))
{
if (server->domain_type == DNS_EXCLUDE_DOMAINS)
{
msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority);
goto err;
}
server->domain_type = DNS_RESOLVE_DOMAINS;
dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
}
else if (streq(p[3], "exclude-domains"))
{
if (server->domain_type == DNS_RESOLVE_DOMAINS)
{
msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority);
goto err;
}
server->domain_type = DNS_EXCLUDE_DOMAINS;
dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
}
else if (streq(p[3], "dnssec") && !p[5])
Expand Down

0 comments on commit b7eea48

Please sign in to comment.