Pull request 2382: AGDNS-2714-tls-config

Merge in DNS/adguard-home from AGDNS-2714-tls-config to master

Squashed commit of the following:

commit 073e5ec367db02690e9527602a1da6bfd29321a0
Merge: 18f38c9d4 4d258972d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Apr 16 18:25:23 2025 +0300

    Merge branch 'master' into AGDNS-2714-tls-config

commit 18f38c9d44337752c6d0f09142658f374de0979f
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Fri Apr 11 15:02:00 2025 +0300

    dnsforward: imp docs

commit ed56d3c2bc239bdc9af000d847721c4c43d173a3
Merge: 3ef281ea2 1cc6c00e4
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Apr 10 17:25:08 2025 +0300

    Merge branch 'master' into AGDNS-2714-tls-config

commit 3ef281ea28dc1fcab0a1291fb3221e6324077a10
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Apr 10 17:24:29 2025 +0300

    all: imp docs

commit b75f2874a816d4814d218c3b062d532f02e26ca5
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Mon Apr 7 17:16:59 2025 +0300

    dnsforward: imp code

commit 8ab17b96bca957a172062faaa23b72d5c7ed4d0d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Fri Apr 4 21:26:37 2025 +0300

    all: imp code

commit 1abce97b50fe0406dd1ec85b96a0f99b633325cc
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Apr 2 18:22:15 2025 +0300

    home: imp code

commit debf710f4ebbdfe3e4d2f15b1adcf6b86f8dfc0d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Apr 1 14:52:21 2025 +0300

    home: imp code

commit 4aa26f15b721f2a3f32da29b3f664a02bc5a8608
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Apr 1 14:16:16 2025 +0300

    all: imp code

commit 1a3e72f7a1276f9f797caf9b615f8a552cc9e988
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Mon Mar 31 21:22:40 2025 +0300

    all: imp code

commit 776ab824aef18ea27b59c02ebfc8620c715a867e
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Mar 27 14:00:33 2025 +0300

    home: tls config mu

commit 9ebf912f530181043df5c583e82291484996429a
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Mar 26 18:58:47 2025 +0300

    all: tls config
Stanislav Chzhen
2025-04-16 18:57:04 +03:00
parent 4d258972d1
commit 3521e8ed9f
21 changed files with 412 additions and 293 deletions


@@ -103,16 +103,26 @@ type SystemResolvers interface {
//
// The zero Server is empty and ready for use.
type Server struct {
// dnsProxy is the DNS proxy for forwarding client's DNS requests.
dnsProxy *proxy.Proxy
// addrProc, if not nil, is used to process clients' IP addresses with rDNS,
// WHOIS, etc.
addrProc client.AddressProcessor
// dnsFilter is the DNS filter for filtering client's DNS requests and
// responses.
dnsFilter *filtering.DNSFilter
// bootstrap is the resolver for upstreams' hostnames.
bootstrap upstream.Resolver
// clientIDCache is a temporary storage for ClientIDs that were extracted
// during the BeforeRequestHandler stage.
clientIDCache cache.Cache
// dhcpServer is the DHCP server for accessing lease data.
dhcpServer DHCP
// etcHosts contains the current data from the system's hosts files.
etcHosts upstream.Resolver
// privateNets is the configured set of IP networks considered private.
privateNets netutil.SubnetSet
// queryLog is the query log for client's DNS requests, responses and
// filtering results.
queryLog querylog.QueryLog
@@ -120,37 +130,43 @@ type Server struct {
// stats is the statistics collector for client's DNS usage data.
stats stats.Interface
// sysResolvers used to fetch system resolvers to use by default for private
// PTR resolving.
sysResolvers SystemResolvers
// access drops disallowed clients.
access *accessManager
// anonymizer masks the client's IP addresses if needed.
anonymizer *aghnet.IPMut
// baseLogger is used to create loggers for other entities. It should not
// have a prefix and must not be nil.
baseLogger *slog.Logger
// localDomainSuffix is the suffix used to detect internal hosts. It
// must be a valid domain name plus dots on each side.
localDomainSuffix string
// dnsFilter is the DNS filter for filtering client's DNS requests and
// responses.
dnsFilter *filtering.DNSFilter
// dnsProxy is the DNS proxy for forwarding client's DNS requests.
dnsProxy *proxy.Proxy
// internalProxy resolves internal requests from the application itself. It
// isn't started and so no listen ports are required.
internalProxy *proxy.Proxy
// ipset processes DNS requests using ipset data. It must not be nil after
// initialization. See [newIpsetHandler].
ipset *ipsetHandler
// privateNets is the configured set of IP networks considered private.
privateNets netutil.SubnetSet
// dns64Pref is the NAT64 prefix used for DNS64 response mapping. The major
// part of DNS64 happens inside the [proxy] package, but there still are
// some places where response mapping is needed (e.g. DHCP).
dns64Pref netip.Prefix
// addrProc, if not nil, is used to process clients' IP addresses with rDNS,
// WHOIS, etc.
addrProc client.AddressProcessor
// sysResolvers used to fetch system resolvers to use by default for private
// PTR resolving.
sysResolvers SystemResolvers
// etcHosts contains the current data from the system's hosts files.
etcHosts upstream.Resolver
// bootstrap is the resolver for upstreams' hostnames.
bootstrap upstream.Resolver
// localDomainSuffix is the suffix used to detect internal hosts. It
// must be a valid domain name plus dots on each side.
localDomainSuffix string
// bootResolvers are the resolvers that should be used for
// bootstrapping along with [etcHosts].
@@ -159,34 +175,26 @@ type Server struct {
// [upstream.Resolver] interface.
bootResolvers []*upstream.UpstreamResolver
// dns64Pref is the NAT64 prefix used for DNS64 response mapping. The major
// part of DNS64 happens inside the [proxy] package, but there still are
// some places where response mapping is needed (e.g. DHCP).
dns64Pref netip.Prefix
// anonymizer masks the client's IP addresses if needed.
anonymizer *aghnet.IPMut
// clientIDCache is a temporary storage for ClientIDs that were extracted
// during the BeforeRequestHandler stage.
clientIDCache cache.Cache
// internalProxy resolves internal requests from the application itself. It
// isn't started and so no listen ports are required.
internalProxy *proxy.Proxy
// isRunning is true if the DNS server is running.
isRunning bool
// protectionUpdateInProgress is used to make sure that only one goroutine
// updating the protection configuration after a pause is running at a time.
protectionUpdateInProgress atomic.Bool
// dnsNames are the DNS names from certificate (SAN) or CN value from
// Subject.
dnsNames []string
// conf is the current configuration of the server.
conf ServerConfig
// serverLock protects Server.
serverLock sync.RWMutex
// protectionUpdateInProgress is used to make sure that only one goroutine
// updating the protection configuration after a pause is running at a time.
protectionUpdateInProgress atomic.Bool
// isRunning is true if the DNS server is running.
isRunning bool
// hasIPAddrs is set during the certificate parsing and is true if the
// configured certificate contains at least a single IP address.
hasIPAddrs bool
}
// defaultLocalDomainSuffix is the default suffix used to detect internal hosts