From 0c48d2d5a086de2fb7e57c007f6f1c7efbdb2435 Mon Sep 17 00:00:00 2001
From: "Quentin McGaw (desktop)"
Date: Thu, 5 Mar 2020 00:51:04 +0000
Subject: [PATCH] DOT_IPV6 environment variable added, refers to #88

---
 Dockerfile                | 1 +
 README.md                 | 1 +
 docker-compose.yml        | 1 +
 internal/dns/conf.go      | 6 +++++-
 internal/dns/conf_test.go | 1 +
 internal/params/dns.go    | 6 ++++++
 internal/params/params.go | 1 +
 internal/settings/dns.go  | 11 ++++++++++-
 8 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 32b0641e..14a8be98 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -53,6 +53,7 @@ ENV VPNSP=pia \
     DOT_VERBOSITY_DETAILS=0 \
     DOT_VALIDATION_LOGLEVEL=0 \
     DOT_CACHING=on \
+    DOT_IPV6=on \
     BLOCK_MALICIOUS=on \
     BLOCK_SURVEILLANCE=off \
     BLOCK_ADS=off \
diff --git a/README.md b/README.md
index a48f7e07..3cbb8522 100644
--- a/README.md
+++ b/README.md
@@ -139,6 +139,7 @@ docker run --rm --network=container:pia alpine:3.11 wget -qO- https://ipinfo.io
 | `DOT` | `on` | `on` or `off`, to activate DNS over TLS to 1.1.1.1 |
 | `DOT_PROVIDERS` | `cloudflare` | Comma delimited list of DNS over TLS providers from `cloudflare`, `google`, `quad9`, `quadrant`, `cleanbrowsing`, `securedns`, `libredns` |
 | `DOT_CACHING` | `on` | Unbound caching feature, `on` or `off` |
+| `DOT_IPV6` | `on` | Unbound will resolve domain names using IPv6 as well as IPv4 |
 | `DOT_PRIVATE_ADDRESS` | All IPv4 and IPv6 CIDRs private ranges | Comma separated list of CIDRs or single IP addresses. Note that the default setting prevents DNS rebinding |
 | `DOT_VERBOSITY` | `1` | Unbound verbosity level from `0` to `5` (full debug) |
 | `DOT_VERBOSITY_DETAILS` | `0` | Unbound details verbosity level from `0` to `4` |
diff --git a/docker-compose.yml b/docker-compose.yml
index a27c9275..2fde9a30 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,6 +35,7 @@ services:
       # DNS over TLS
       - DOT=on
       - DOT_PROVIDERS=cloudflare
+      - DOT_IPV6=on
       - DOT_VERBOSITY=1
       - BLOCK_MALICIOUS=on
       - BLOCK_SURVEILLANCE=off
diff --git a/internal/dns/conf.go b/internal/dns/conf.go
index 5a896878..dacb2ade 100644
--- a/internal/dns/conf.go
+++ b/internal/dns/conf.go
@@ -30,6 +30,10 @@ func (c *configurator) MakeUnboundConf(settings settings.DNS, uid, gid int) (err
 
 // MakeUnboundConf generates an Unbound configuration from the user provided settings
 func generateUnboundConf(settings settings.DNS, client network.Client, logger logging.Logger) (lines []string, warnings []error, err error) {
+	doIPv6 := "no"
+	if settings.IPv6 {
+		doIPv6 = "yes"
+	}
 	serverSection := map[string]string{
 		// Logging
 		"verbosity": fmt.Sprintf("%d", settings.VerbosityLevel),
@@ -60,7 +64,7 @@ func generateUnboundConf(settings settings.DNS, client network.Client, logger lo
 		"harden-algo-downgrade": "yes",
 		// Network
 		"do-ip4": "yes",
-		"do-ip6": "yes",
+		"do-ip6": doIPv6,
 		"interface": "127.0.0.1",
 		"port": "53",
 		// Other
diff --git a/internal/dns/conf_test.go b/internal/dns/conf_test.go
index 90176ac3..7b88adb3 100644
--- a/internal/dns/conf_test.go
+++ b/internal/dns/conf_test.go
@@ -26,6 +26,7 @@ func Test_generateUnboundConf(t *testing.T) {
 		VerbosityLevel: 2,
 		ValidationLogLevel: 3,
 		Caching: true,
+		IPv6: true,
 	}
 	client := &mocks.Client{}
 	client.On("GetContent", string(constants.MaliciousBlockListHostnamesURL)).
diff --git a/internal/params/dns.go b/internal/params/dns.go
index ccde7bc9..4fd74d2b 100644
--- a/internal/params/dns.go
+++ b/internal/params/dns.go
@@ -116,3 +116,9 @@ func (p *paramsReader) GetDNSOverTLSPrivateAddresses() (privateAddresses []strin
 	}
 	return privateAddresses
 }
+
+// GetDNSOverTLSIPv6 obtains if Unbound should resolve ipv6 addresses using ipv6 DNS over TLS
+// servers from the environment variable DOT_IPV6
+func (p *paramsReader) GetDNSOverTLSIPv6() (ipv6 bool, err error) {
+	return p.envParams.GetOnOff("DOT_IPV6")
+}
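Review bot: The new `doIPv6` block at the top of generateUnboundConf carries no comment saying what Unbound's `do-ip6` switches, and the README row added in this commit ("resolve domain names using IPv6 as well as IPv4") reads like AAAA lookups, whereas `do-ip6` governs whether queries are issued and answered over IPv6 transport. A comment above the block would settle that for the next reader: `// do-ip6 toggles IPv6 transport for Unbound's own queries; "no" keeps it IPv4-only (DOT_IPV6), presumably the relief wanted in #88 on hosts without IPv6 connectivity`. The same variable is consumed by `"do-ip6": doIPv6` in the second hunk of this file, where `do-ip4` stays a literal "yes"; if a second such flag ever appears, a tiny bool-to-yes/no helper would keep the Unbound spelling in one place. While the function is being touched, its header comment in the context lines still starts with `// MakeUnboundConf generates ...` although the function is generateUnboundConf, which golint flags. The body of generateUnboundConf continues past both hunks.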
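Review bot: The added `IPv6: true` in Test_generateUnboundConf only exercises the branch that keeps `do-ip6` at its previous value of "yes", so the new "no" path introduced in conf.go has no test. A second settings value with `IPv6: false`, asserting that the generated lines render the `do-ip6` entry as `no`, would pin the behaviour the DOT_IPV6 option is meant to add rather than just the unchanged default. The settings literal and the assertions of this test start and end outside the hunk.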
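Review bot: The doc comment on the new GetDNSOverTLSIPv6 says Unbound should "resolve ipv6 addresses using ipv6 DNS over TLS servers", but the only consumer of the value in this commit is the `do-ip6` option in conf.go, which controls whether Unbound sends and answers queries over IPv6 transport, not which record types are resolved or which servers are chosen. Suggest `// GetDNSOverTLSIPv6 obtains whether Unbound may use IPv6 transport (Unbound option do-ip6)` followed by `// from the environment variable DOT_IPV6 ("on" or "off")`. Whether GetOnOff treats an unset DOT_IPV6 as an error or as a default is not visible here; the Dockerfile sets `DOT_IPV6=on`, but a user running the binary outside the image would want that case documented on this getter too.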
diff --git a/internal/params/params.go b/internal/params/params.go
index 59dab4c5..23b5989e 100644
--- a/internal/params/params.go
+++ b/internal/params/params.go
@@ -26,6 +26,7 @@ type ParamsReader interface {
 	GetDNSAdsBlocking() (blocking bool, err error)
 	GetDNSUnblockedHostnames() (hostnames []string, err error)
 	GetDNSOverTLSPrivateAddresses() (privateAddresses []string)
+	GetDNSOverTLSIPv6() (ipv6 bool, err error)
 
 	// Firewall getters
 	GetExtraSubnets() (extraSubnets []net.IPNet, err error)
diff --git a/internal/settings/dns.go b/internal/settings/dns.go
index f0e68db1..35455a3b 100644
--- a/internal/settings/dns.go
+++ b/internal/settings/dns.go
@@ -21,13 +21,14 @@ type DNS struct {
 	VerbosityLevel uint8
 	VerbosityDetailsLevel uint8
 	ValidationLogLevel uint8
+	IPv6 bool
 }
 
 func (d *DNS) String() string {
 	if !d.Enabled {
 		return "DNS over TLS settings: disabled"
 	}
-	caching, blockMalicious, blockSurveillance, blockAds := "disabled", "disabed", "disabed", "disabed"
+	caching, blockMalicious, blockSurveillance, blockAds, ipv6 := "disabled", "disabed", "disabed", "disabed", "disabed"
 	if d.Caching {
 		caching = "enabled"
 	}
@@ -40,6 +41,9 @@ func (d *DNS) String() string {
 	if d.BlockAds {
 		blockAds = "enabled"
 	}
+	if d.IPv6 {
+		ipv6 = "enabled"
+	}
 	var providersStr []string
 	for _, provider := range d.Providers {
 		providersStr = append(providersStr, string(provider))
@@ -56,6 +60,7 @@ func (d *DNS) String() string {
 		"Verbosity level: " + fmt.Sprintf("%d/5", d.VerbosityLevel),
 		"Verbosity details level: " + fmt.Sprintf("%d/4", d.VerbosityDetailsLevel),
 		"Validation log level: " + fmt.Sprintf("%d/2", d.ValidationLogLevel),
+		"IPv6 resolution: " + ipv6,
 	}
 	return strings.Join(settingsList, "\n |--")
 }
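Review bot: Adding GetDNSOverTLSIPv6 to the exported ParamsReader interface is a breaking change for every other implementation of it, and this commit only updates paramsReader; if a hand-written or generated mock of ParamsReader exists elsewhere in the repository (not visible here), it stops compiling until it gains the method, which is worth checking before merge. The neighbouring getters in the interface carry no doc comments, so the new line matches the file's style as written.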
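Review bot: The rewritten tuple assignment in String() initialises the new `ipv6` default to "disabed", copying the existing typo, so the line added in the third hunk of this file prints `IPv6 resolution: disabed` whenever DOT_IPV6 is off; since the commit already rewrites the whole line, this is the moment to fix all five values: `caching, blockMalicious, blockSurveillance, blockAds, ipv6 := "disabled", "disabled", "disabled", "disabled", "disabled"`. Anyone scanning the startup log for "disabled" to confirm that IPv6 transport was turned off would otherwise miss the line. The new `IPv6 bool` field in the struct hunk above has no comment; `// IPv6 allows Unbound to use IPv6 transport (do-ip6), from DOT_IPV6` would tell readers of the settings package what the flag maps to, since the field is consumed from another package. String() continues outside the hunks.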
@@ -103,5 +108,9 @@ func GetDNSSettings(params params.ParamsReader) (settings DNS, err error) {
 		return settings, err
 	}
 	settings.PrivateAddresses = params.GetDNSOverTLSPrivateAddresses()
+	settings.IPv6, err = params.GetDNSOverTLSIPv6()
+	if err != nil {
+		return settings, err
+	}
 	return settings, nil
 }