Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support additional systemd-resolved options / org.freedesktop.resolve1 DBUS endpoints #110

Merged
merged 21 commits into from
Aug 4, 2023
Merged

Support additional systemd-resolved options / org.freedesktop.resolve1 DBUS endpoints #110

merged 21 commits into from
Aug 4, 2023

Conversation

tomeon
Copy link
Collaborator

@tomeon tomeon commented Dec 10, 2022
edited
Loading

Addresses #60; covers/obviates #92 and #99.

Marked as a draft because it is based on #100 (and also because it is not finished :).

The idea is to support additional systemd-resolved options by exposing new dhcp-option types that trigger org.freedesktop.resolve1 DBUS calls.

New dhcp-option types:

FLUSH-CACHES

Takes no argument.

Replaces the use of resolvectl flush-caches, and allows the user to control whether caches are flushed (current behavior is to flush unconditionally).

RESET-SERVER-FEATURES

Takes no argument.

resolvectl --help:

Forget learnt DNS server feature levels

RESET-STATISTICS

Takes no argument.

resolvectl --help:

Reset resolver statistics

DEFAULT-ROUTE

Takes a boolean argument.

man systemd.network, section on DNSDefaultRoute:

If true, this link's configured DNS servers are used for resolving domain names that do not match any link's configured Domains= setting. If false, this link's configured DNS servers are never used for such domains, and are exclusively used for resolving names that match at least one of the domains configured on this link.

DNS-OVER-TLS

Takes a boolean argument, or "opportunistic".

man resolved.conf:

If true all connections to the server will be encrypted. Note that this mode requires a DNS server that supports DNS-over-TLS and has a valid certificate. If the hostname was specified in DNS= by using the format "address#server_name" it is used to validate its certificate and also to enable Server Name Indication (SNI) when opening a TLS connection. Otherwise the certificate is checked against the server's IP. If the DNS server does not support DNS-over-TLS all DNS requests will fail.

When set to "opportunistic" DNS request are attempted to send encrypted with DNS-over-TLS. If the DNS server does not support TLS, DNS-over-TLS is disabled. Note that this mode makes DNS-over-TLS vulnerable to "downgrade" attacks, where an attacker might be able to trigger a downgrade to non-encrypted mode by synthesizing a response that suggests DNS-over-TLS was not supported. If set to false, DNS lookups are send over UDP.

LLMNR

Takes a boolean argument, or "resolve".

man resolved.conf:

Takes a boolean or "resolve". When true, enables Link-Local Multicast Name Resolution[1] on the link. When set to "resolve", only resolution is enabled, but not host registration and announcement. Defaults to true.

MULTICAST-DNS

Takes a boolean argument, or "resolve".

When true, enables Multicast DNS support on the link. When set to "resolve", only resolution is enabled, but not host or service
registration and announcement. Defaults to false.

DNSSEC-NEGATIVE-TRUST-ANCHORS

Takes a single domain. May be specified multiple times in order to add multiple domains as negative trust anchors.

man resolved.conf:

If specified and DNSSEC is enabled, look-ups done via the interface's DNS server will be subject to the list of negative trust anchors, and not require authentication for the specified domains, or anything below it. Use this to disable DNSSEC authentication for specific private domains, that cannot be proven valid using the Internet DNS hierarchy. Defaults to the empty list.

Needs Feedback

dhcp-option names

Perhaps update-systemd-resolved-specific options should be flagged as such with (say) a special prefix? For instance, instead of just LLMNR, what about SYSTEMD-RESOLVED-LLMNR or RESOLVE1-LLMNR, or similar?

Argument validation

This changeset includes some light validation of arguments supplied to the various dhcp-options. Maybe it would be better to just punt to org.freedesktop.resolve1 to raise errors when appropriate?

TODO

  1. Figure out how to test DNSSEC negative trust anchors.
  2. Document the available options.

@tomeon tomeon force-pushed the support-additional-dbus-calls branch 3 times, most recently from fd66867 to 1fa7301 Compare December 11, 2022 01:19
@worldowner
Copy link

Ping. Also it would be nice if DOMAIN accepted ip#domain format. That would enable full DNS-over-TLS support. At least for systemd-resolved users.

This was referenced Jul 13, 2023
Closed
Open
@tomeon tomeon force-pushed the support-additional-dbus-calls branch from 1fa7301 to a90c52a Compare July 18, 2023 15:27
@tomeon tomeon linked an issue Jul 19, 2023 that may be closed by this pull request
Support new "DNSDefaultRoute" option? #60
Closed
@tomeon tomeon force-pushed the support-additional-dbus-calls branch 2 times, most recently from 954ef98 to e698f76 Compare July 26, 2023 21:02
@tomeon tomeon marked this pull request as ready for review July 26, 2023 21:04
@tomeon tomeon force-pushed the support-additional-dbus-calls branch 5 times, most recently from a29064e to e0cfd0a Compare August 4, 2023 14:59
@tomeon
fix(tests): use non-newline garbage in IPv6 addr
ab0d644 
to prevent breaking `dhcp-option` parsing logic.
@tomeon
fix: handle empty dhcp-option values
42960ed 
BREAKING CHANGE: we now convert the string  "dhcp-option OPT-NAME
OPT-VALUE" into the three-tuple `("dhcp-option", "OPT-NAME",
"OPT-VALUE")` by splitting on whitespace; previously, we split on single
space characters.

BREAKING CHANGE: we now treat the directive "dhcp-option OPT-NAME" (i.e.
no OPT-VALUE) as signifying `OPT-VALUE == ""` (that is, the option value
is the empty string).  Previously, we set `OPT-VALUE` to the same value
as `OPT-NAME`.
@tomeon
chore: simplify DNSSEC setting processing
5fa0a62 
by (a) merely declaring `dns_sec` in main, but not setting `dns_sec=""`,
and (b) setting `dns_sec=""` in `process_dnssec` when we see
`dhcp-option DNSSEC default`.
@tomeon
chore: dynamically clear foreign option vars
a4ff64d 
instead of clearing a hardcoded list of six vars.
@tomeon
fix(run-tests): handle RevertLink call
12bbd84
@tomeon
chore: simplify DOMAIN{,-{SEARCH,ROUTE}} handling
67b4e0e 
by not doing separate bookkeeping on the number of specifications versus
the list of DBus arguments.
@tomeon
feat: support additional DBus methods
d5873ac 
Namely, these:

    1. SetLinkDefaultRoute
    2. SetLinkLLMNR
    3. SetLinkMulticastDNS
    4. SetLinkDNSOverTLS
    5. SetLinkDNSSECNegativeTrustAnchors
@tomeon
feat: add tests of more custom foreign options
e561504
@tomeon
feat: add custom foreign options system test cases
73e7304
@tomeon
feat: support SetLinkDNSEx
99dbb27 
which facilitates better support for DNS-over-TLS.
@tomeon
feat: test DNS-over-TLS
80b0d74
@tomeon
feat: add mkdotcert devshell command
7f1c49f 
for generating DNS-over-TLS PKI assets
@tomeon
feat: test DNSSEC in NixOS system test
2e083f8
@tomeon
feat: add mkanchor devshell command
e6a5b2a 
for regenerating the DNSSEC root anchors specification.
@tomeon
docs: document DoT and DNSSEC in system test
6f709b5
@tomeon
docs: document how to maintain testing assets
902928f
@tomeon
docs: cover new custom foreign options
259b143
@tomeon
docs: document extended DNS server specs
6f015ef
@tomeon
feat(tests): additional diagnostics
e7e7cd1 
around (a) the results of queries made with `dig` and (b) the state of
systemd-resolved before and after attempting to resolve names over the
VPN link.
@tomeon
docs: restructure options descriptions
5f3b240 
as the text was getting too large to fit comfortably in a table.
@tomeon
docs: note introduction of additional DBus calls
97304f8 
[skipci]
@tomeon tomeon force-pushed the support-additional-dbus-calls branch from e0cfd0a to 97304f8 Compare August 4, 2023 15:14
@tomeon tomeon merged commit 7d650ae into jonathanio:master Aug 4, 2023
4 checks passed
@tomeon tomeon deleted the support-additional-dbus-calls branch August 4, 2023 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support new "DNSDefaultRoute" option?
2 participants
@tomeon @worldowner