all: sync with master; upd chlog

internal/dnsforward/config.go

@@ -12,10 +12,12 @@ import (
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/client"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -392,6 +394,122 @@ func (s *Server) prepareIpsetListSettings() (err error) {
 	return s.ipset.init(ipsets)
 }
 
+// collectListenAddr adds addrPort to addrs.  It also adds its port to
+// unspecPorts if its address is unspecified.
+func collectListenAddr(
+	addrPort netip.AddrPort,
+	addrs map[netip.AddrPort]unit,
+	unspecPorts map[uint16]unit,
+) {
+	if addrPort == (netip.AddrPort{}) {
+		return
+	}
+
+	addrs[addrPort] = unit{}
+	if addrPort.Addr().IsUnspecified() {
+		unspecPorts[addrPort.Port()] = unit{}
+	}
+}
+
+// collectDNSAddrs returns configured set of listening addresses.  It also
+// returns a set of ports of each unspecified listening address.
+func (conf *ServerConfig) collectDNSAddrs() (
+	addrs map[netip.AddrPort]unit,
+	unspecPorts map[uint16]unit,
+) {
+	// TODO(e.burkov):  Perhaps, we shouldn't allocate as much memory, since the
+	// TCP and UDP listening addresses are currently the same.
+	addrs = make(map[netip.AddrPort]unit, len(conf.TCPListenAddrs)+len(conf.UDPListenAddrs))
+	unspecPorts = map[uint16]unit{}
+
+	for _, laddr := range conf.TCPListenAddrs {
+		collectListenAddr(laddr.AddrPort(), addrs, unspecPorts)
+	}
+
+	for _, laddr := range conf.UDPListenAddrs {
+		collectListenAddr(laddr.AddrPort(), addrs, unspecPorts)
+	}
+
+	return addrs, unspecPorts
+}
+
+// defaultPlainDNSPort is the default port for plain DNS.
+const defaultPlainDNSPort uint16 = 53
+
+// addrPortMatcher is a function that matches an IP address with port.
+type addrPortMatcher func(addr netip.AddrPort) (ok bool)
+
+// filterOut filters out all the upstreams that match um.  It returns all the
+// closing errors joined.
+func (m addrPortMatcher) filterOut(upsConf *proxy.UpstreamConfig) (err error) {
+	var errs []error
+	delFunc := func(u upstream.Upstream) (ok bool) {
+		// TODO(e.burkov):  We should probably consider the protocol of u to
+		// only filter out the listening addresses of the same protocol.
+		addr, parseErr := aghnet.ParseAddrPort(u.Address(), defaultPlainDNSPort)
+		if parseErr != nil || !m(addr) {
+			// Don't filter out the upstream if it either cannot be parsed, or
+			// does not match um.
+			return false
+		}
+
+		errs = append(errs, u.Close())
+
+		return true
+	}
+
+	upsConf.Upstreams = slices.DeleteFunc(upsConf.Upstreams, delFunc)
+	for d, ups := range upsConf.DomainReservedUpstreams {
+		upsConf.DomainReservedUpstreams[d] = slices.DeleteFunc(ups, delFunc)
+	}
+	for d, ups := range upsConf.SpecifiedDomainUpstreams {
+		upsConf.SpecifiedDomainUpstreams[d] = slices.DeleteFunc(ups, delFunc)
+	}
+
+	return errors.Join(errs...)
+}
+
+// ourAddrsMatcher returns a matcher that matches all the configured listening
+// addresses.
+func (conf *ServerConfig) ourAddrsMatcher() (m addrPortMatcher, err error) {
+	addrs, unspecPorts := conf.collectDNSAddrs()
+	if len(addrs) == 0 {
+		log.Debug("dnsforward: no listen addresses")
+
+		// Match no addresses.
+		return func(_ netip.AddrPort) (ok bool) { return false }, nil
+	}
+
+	if len(unspecPorts) == 0 {
+		log.Debug("dnsforward: filtering out addresses %s", addrs)
+
+		m = func(a netip.AddrPort) (ok bool) {
+			_, ok = addrs[a]
+
+			return ok
+		}
+	} else {
+		var ifaceAddrs []netip.Addr
+		ifaceAddrs, err = aghnet.CollectAllIfacesAddrs()
+		if err != nil {
+			// Don't wrap the error since it's informative enough as is.
+			return nil, err
+		}
+
+		log.Debug("dnsforward: filtering out addresses %s on ports %d", ifaceAddrs, unspecPorts)
+
+		m = func(a netip.AddrPort) (ok bool) {
+			if _, ok = unspecPorts[a.Port()]; ok {
+				return slices.Contains(ifaceAddrs, a.Addr())
+			}
+
+			return false
+		}
+	}
+
+	return m, nil
+}
+
 // prepareTLS - prepares TLS configuration for the DNS proxy
 func (s *Server) prepareTLS(proxyConfig *proxy.Config) (err error) {
 	if len(s.conf.CertificateChainData) == 0 || len(s.conf.PrivateKeyData) == 0 {

internal/dnsforward/dnsforward.go

@@ -25,8 +25,10 @@ import (
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/AdguardTeam/golibs/netutil/sysresolv"
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/miekg/dns"
+	"golang.org/x/exp/slices"
 )
 
 // DefaultTimeout is the default upstream timeout
@@ -72,6 +74,11 @@ type DHCP interface {
 	Enabled() (ok bool)
 }
 
+type SystemResolvers interface {
+	// Addrs returns the list of system resolvers' addresses.
+	Addrs() (addrs []netip.AddrPort)
+}
+
 // Server is the main way to start a DNS server.
 //
 // Example:
@@ -126,7 +133,7 @@ type Server struct {
 
 	// sysResolvers used to fetch system resolvers to use by default for private
 	// PTR resolving.
-	sysResolvers aghnet.SystemResolvers
+	sysResolvers SystemResolvers
 
 	// recDetector is a cache for recursive requests.  It is used to detect
 	// and prevent recursive requests only for private upstreams.
@@ -225,9 +232,7 @@ func NewServer(p DNSCreateParams) (s *Server, err error) {
 		anonymizer: p.Anonymizer,
 	}
 
-	// TODO(e.burkov): Enable the refresher after the actual implementation
-	// passes the public testing.
-	s.sysResolvers, err = aghnet.NewSystemResolvers(nil)
+	s.sysResolvers, err = sysresolv.NewSystemResolvers(nil, defaultPlainDNSPort)
 	if err != nil {
 		return nil, fmt.Errorf("initializing system resolvers: %w", err)
 	}
@@ -439,73 +444,28 @@ func (s *Server) startLocked() error {
 // faster than ordinary upstreams.
 const defaultLocalTimeout = 1 * time.Second
 
-// collectDNSIPAddrs returns IP addresses the server is listening on without
-// port numbers.  For internal use only.
-func (s *Server) collectDNSIPAddrs() (addrs []string, err error) {
-	addrs = make([]string, len(s.conf.TCPListenAddrs)+len(s.conf.UDPListenAddrs))
-	var i int
-	var ip net.IP
-	for _, addr := range s.conf.TCPListenAddrs {
-		if addr == nil {
-			continue
-		}
-
-		if ip = addr.IP; ip.IsUnspecified() {
-			return aghnet.CollectAllIfacesAddrs()
-		}
-
-		addrs[i] = ip.String()
-		i++
-	}
-	for _, addr := range s.conf.UDPListenAddrs {
-		if addr == nil {
-			continue
-		}
-
-		if ip = addr.IP; ip.IsUnspecified() {
-			return aghnet.CollectAllIfacesAddrs()
-		}
-
-		addrs[i] = ip.String()
-		i++
-	}
-
-	return addrs[:i], nil
-}
-
-func (s *Server) filterOurDNSAddrs(addrs []string) (filtered []string, err error) {
-	var ourAddrs []string
-	ourAddrs, err = s.collectDNSIPAddrs()
-	if err != nil {
-		return nil, err
-	}
-
-	ourAddrsSet := stringutil.NewSet(ourAddrs...)
-	log.Debug("dnsforward: filtering out %s", ourAddrsSet.String())
-
-	// TODO(e.burkov): The approach of subtracting sets of strings is not
-	// really applicable here since in case of listening on all network
-	// interfaces we should check the whole interface's network to cut off
-	// all the loopback addresses as well.
-	return stringutil.FilterOut(addrs, ourAddrsSet.Has), nil
-}
-
 // setupLocalResolvers initializes the resolvers for local addresses.  For
 // internal use only.
 func (s *Server) setupLocalResolvers() (err error) {
-	bootstraps := s.conf.BootstrapDNS
-	resolvers := s.conf.LocalPTRResolvers
-
-	if len(resolvers) == 0 {
-		resolvers = s.sysResolvers.Get()
-		bootstraps = nil
-	} else {
-		resolvers = stringutil.FilterOut(resolvers, IsCommentOrEmpty)
+	matcher, err := s.conf.ourAddrsMatcher()
+	if err != nil {
+		// Don't wrap the error because it's informative enough as is.
+		return err
 	}
 
-	resolvers, err = s.filterOurDNSAddrs(resolvers)
-	if err != nil {
-		return err
+	bootstraps := s.conf.BootstrapDNS
+	resolvers := s.conf.LocalPTRResolvers
+	filterConfig := false
+
+	if len(resolvers) == 0 {
+		sysResolvers := slices.DeleteFunc(s.sysResolvers.Addrs(), matcher)
+		resolvers = make([]string, 0, len(sysResolvers))
+		for _, r := range sysResolvers {
+			resolvers = append(resolvers, r.String())
+		}
+	} else {
+		resolvers = stringutil.FilterOut(resolvers, IsCommentOrEmpty)
+		filterConfig = true
 	}
 
 	log.Debug("dnsforward: upstreams to resolve ptr for local addresses: %v", resolvers)
@@ -514,13 +474,18 @@ func (s *Server) setupLocalResolvers() (err error) {
 		Bootstrap: bootstraps,
 		Timeout:   defaultLocalTimeout,
 		// TODO(e.burkov): Should we verify server's certificates?
-
 		PreferIPv6: s.conf.BootstrapPreferIPv6,
 	})
 	if err != nil {
 		return fmt.Errorf("preparing private upstreams: %w", err)
 	}
 
+	if filterConfig {
+		if err = matcher.filterOut(uc); err != nil {
+			return fmt.Errorf("filtering private upstreams: %w", err)
+		}
+	}
+
 	s.localResolvers = &proxy.Proxy{
 		Config: proxy.Config{
 			UpstreamConfig: uc,

internal/dnsforward/http.go

@@ -65,6 +65,9 @@ type jsonDNSConfig struct {
 	// UpstreamMode defines the way DNS requests are constructed.
 	UpstreamMode *string `json:"upstream_mode"`
 
+	// BlockedResponseTTL is the TTL for blocked responses.
+	BlockedResponseTTL *uint32 `json:"blocked_response_ttl"`
+
 	// CacheSize in bytes.
 	CacheSize *uint32 `json:"cache_size"`
 
@@ -115,6 +118,7 @@ func (s *Server) getDNSConfig() (c *jsonDNSConfig) {
 	bootstraps := stringutil.CloneSliceOrEmpty(s.conf.BootstrapDNS)
 	fallbacks := stringutil.CloneSliceOrEmpty(s.conf.FallbackDNS)
 	blockingMode, blockingIPv4, blockingIPv6 := s.dnsFilter.BlockingMode()
+	blockedResponseTTL := s.dnsFilter.BlockedResponseTTL()
 	ratelimit := s.conf.Ratelimit
 
 	customIP := s.conf.EDNSClientSubnet.CustomIP
@@ -138,9 +142,9 @@ func (s *Server) getDNSConfig() (c *jsonDNSConfig) {
 		upstreamMode = "parallel"
 	}
 
-	defLocalPTRUps, err := s.filterOurDNSAddrs(s.sysResolvers.Get())
+	defPTRUps, err := s.defaultLocalPTRUpstreams()
 	if err != nil {
-		log.Debug("getting dns configuration: %s", err)
+		log.Error("dnsforward: %s", err)
 	}
 
 	return &jsonDNSConfig{
@@ -158,6 +162,7 @@ func (s *Server) getDNSConfig() (c *jsonDNSConfig) {
 		EDNSCSUseCustom:          &useCustom,
 		DNSSECEnabled:            &enableDNSSEC,
 		DisableIPv6:              &aaaaDisabled,
+		BlockedResponseTTL:       &blockedResponseTTL,
 		CacheSize:                &cacheSize,
 		CacheMinTTL:              &cacheMinTTL,
 		CacheMaxTTL:              &cacheMaxTTL,
@@ -166,11 +171,29 @@ func (s *Server) getDNSConfig() (c *jsonDNSConfig) {
 		ResolveClients:           &resolveClients,
 		UsePrivateRDNS:           &usePrivateRDNS,
 		LocalPTRUpstreams:        &localPTRUpstreams,
-		DefaultLocalPTRUpstreams: defLocalPTRUps,
+		DefaultLocalPTRUpstreams: defPTRUps,
 		DisabledUntil:            protectionDisabledUntil,
 	}
 }
 
+// defaultLocalPTRUpstreams returns the list of default local PTR resolvers
+// filtered of AdGuard Home's own DNS server addresses.  It may appear empty.
+func (s *Server) defaultLocalPTRUpstreams() (ups []string, err error) {
+	matcher, err := s.conf.ourAddrsMatcher()
+	if err != nil {
+		// Don't wrap the error because it's informative enough as is.
+		return nil, err
+	}
+
+	sysResolvers := slices.DeleteFunc(s.sysResolvers.Addrs(), matcher)
+	ups = make([]string, 0, len(sysResolvers))
+	for _, r := range sysResolvers {
+		ups = append(ups, r.String())
+	}
+
+	return ups, nil
+}
+
 // handleGetConfig handles requests to the GET /control/dns_info endpoint.
 func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
 	resp := s.getDNSConfig()
@@ -204,7 +227,7 @@ func (req *jsonDNSConfig) checkBootstrap() (err error) {
 			return errors.Error("empty")
 		}
 
-		if _, err = upstream.NewResolver(b, nil); err != nil {
+		if _, err = upstream.NewUpstreamResolver(b, nil); err != nil {
 			return err
 		}
 	}
@@ -321,6 +344,10 @@ func (s *Server) setConfig(dc *jsonDNSConfig) (shouldRestart bool) {
 		s.dnsFilter.SetBlockingMode(*dc.BlockingMode, dc.BlockingIPv4, dc.BlockingIPv6)
 	}
 
+	if dc.BlockedResponseTTL != nil {
+		s.dnsFilter.SetBlockedResponseTTL(*dc.BlockedResponseTTL)
+	}
+
 	if dc.ProtectionEnabled != nil {
 		s.dnsFilter.SetProtectionEnabled(*dc.ProtectionEnabled)
 	}

internal/dnsforward/http_test.go

@@ -28,17 +28,12 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// fakeSystemResolvers is a mock aghnet.SystemResolvers implementation for
-// tests.
-type fakeSystemResolvers struct {
-	// SystemResolvers is embedded here simply to make *fakeSystemResolvers
-	// an aghnet.SystemResolvers without actually implementing all methods.
-	aghnet.SystemResolvers
-}
+// emptySysResolvers is an empty [SystemResolvers] implementation that always
+// returns nil.
+type emptySysResolvers struct{}
 
-// Get implements the aghnet.SystemResolvers interface for *fakeSystemResolvers.
-// It always returns nil.
-func (fsr *fakeSystemResolvers) Get() (rs []string) {
+// Addrs implements the aghnet.SystemResolvers interface for emptySysResolvers.
+func (emptySysResolvers) Addrs() (addrs []netip.AddrPort) {
 	return nil
 }
 
@@ -60,6 +55,7 @@ func TestDNSForwardHTTP_handleGetConfig(t *testing.T) {
 	filterConf := &filtering.Config{
 		ProtectionEnabled:     true,
 		BlockingMode:          filtering.BlockingModeDefault,
+		BlockedResponseTTL:    10,
 		SafeBrowsingEnabled:   true,
 		SafeBrowsingCacheSize: 1000,
 		SafeSearchConf:        filtering.SafeSearchConfig{Enabled: true},
@@ -78,7 +74,7 @@ func TestDNSForwardHTTP_handleGetConfig(t *testing.T) {
 		ConfigModified: func() {},
 	}
 	s := createTestServer(t, filterConf, forwardConf, nil)
-	s.sysResolvers = &fakeSystemResolvers{}
+	s.sysResolvers = &emptySysResolvers{}
 
 	require.NoError(t, s.Start())
 	testutil.CleanupAndRequireSuccess(t, s.Stop)
@@ -137,6 +133,7 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 	filterConf := &filtering.Config{
 		ProtectionEnabled:     true,
 		BlockingMode:          filtering.BlockingModeDefault,
+		BlockedResponseTTL:    10,
 		SafeBrowsingEnabled:   true,
 		SafeBrowsingCacheSize: 1000,
 		SafeSearchConf:        filtering.SafeSearchConfig{Enabled: true},
@@ -154,7 +151,7 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 		ConfigModified: func() {},
 	}
 	s := createTestServer(t, filterConf, forwardConf, nil)
-	s.sysResolvers = &fakeSystemResolvers{}
+	s.sysResolvers = &emptySysResolvers{}
 
 	defaultConf := s.conf
 
@@ -229,6 +226,9 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 	}, {
 		name:    "fallbacks",
 		wantSet: "",
+	}, {
+		name:    "blocked_response_ttl",
+		wantSet: "",
 	}}
 
 	var data map[string]struct {
@@ -480,7 +480,7 @@ func TestServer_HandleTestUpstreamDNS(t *testing.T) {
 	hostsListener := newLocalUpstreamListener(t, 0, goodHandler)
 	hostsUps := (&url.URL{
 		Scheme: "tcp",
-		Host:   netutil.JoinHostPort(upstreamHost, int(hostsListener.Port())),
+		Host:   netutil.JoinHostPort(upstreamHost, hostsListener.Port()),
 	}).String()
 
 	hc, err := aghnet.NewHostsContainer(

internal/dnsforward/ipset.go

@@ -6,8 +6,8 @@ import (
 	"os"
 	"strings"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
+	"github.com/AdguardTeam/AdGuardHome/internal/ipset"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/miekg/dns"
@@ -15,14 +15,14 @@ import (
 
 // ipsetCtx is the ipset context.  ipsetMgr can be nil.
 type ipsetCtx struct {
-	ipsetMgr aghnet.IpsetManager
+	ipsetMgr ipset.Manager
 }
 
 // init initializes the ipset context.  It is not safe for concurrent use.
 //
 // TODO(a.garipov): Rewrite into a simple constructor?
 func (c *ipsetCtx) init(ipsetConf []string) (err error) {
-	c.ipsetMgr, err = aghnet.NewIpsetManager(ipsetConf)
+	c.ipsetMgr, err = ipset.NewManager(ipsetConf)
 	if errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrPermission) {
 		// ipset cannot currently be initialized if the server was installed
 		// from Snap or when the user or the binary doesn't have the required

internal/dnsforward/ipset_internal_test.go

@@ -114,3 +114,74 @@ func TestIpsetCtx_process(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestIpsetCtx_SkipIpsetProcessing(t *testing.T) {
+	req4 := createTestMessage("example.com")
+	resp4 := &dns.Msg{
+		Answer: []dns.RR{&dns.A{
+			A: net.IP{1, 2, 3, 4},
+		}},
+	}
+
+	m := &fakeIpsetMgr{}
+	ictx := &ipsetCtx{
+		ipsetMgr: m,
+	}
+
+	testCases := []struct {
+		dctx *dnsContext
+		name string
+		want bool
+	}{{
+		name: "basic",
+		want: false,
+		dctx: &dnsContext{
+			proxyCtx: &proxy.DNSContext{
+				Req: req4,
+				Res: resp4,
+			},
+
+			responseFromUpstream: true,
+		},
+	}, {
+		name: "rewrite",
+		want: true,
+		dctx: &dnsContext{
+			proxyCtx: &proxy.DNSContext{
+				Req: req4,
+				Res: resp4,
+			},
+
+			responseFromUpstream: false,
+		},
+	}, {
+		name: "empty_req",
+		want: true,
+		dctx: &dnsContext{
+			proxyCtx: &proxy.DNSContext{
+				Req: nil,
+				Res: resp4,
+			},
+
+			responseFromUpstream: true,
+		},
+	}, {
+		name: "empty_res",
+		want: true,
+		dctx: &dnsContext{
+			proxyCtx: &proxy.DNSContext{
+				Req: req4,
+				Res: nil,
+			},
+
+			responseFromUpstream: true,
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := ictx.skipIpsetProcessing(tc.dctx)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}

internal/dnsforward/testdata/TestDNSForwardHTTP_handleGetConfig.json

@@ -20,6 +20,7 @@
     "blocking_mode": "default",
     "blocking_ipv4": "",
     "blocking_ipv6": "",
+    "blocked_response_ttl": 10,
     "edns_cs_enabled": false,
     "dnssec_enabled": false,
     "disable_ipv6": false,
@@ -55,6 +56,7 @@
     "blocking_mode": "default",
     "blocking_ipv4": "",
     "blocking_ipv6": "",
+    "blocked_response_ttl": 10,
     "edns_cs_enabled": false,
     "dnssec_enabled": false,
     "disable_ipv6": false,
@@ -90,6 +92,7 @@
     "blocking_mode": "default",
     "blocking_ipv4": "",
     "blocking_ipv6": "",
+    "blocked_response_ttl": 10,
     "edns_cs_enabled": false,
     "dnssec_enabled": false,
     "disable_ipv6": false,

internal/dnsforward/testdata/TestDNSForwardHTTP_handleSetConfig.json

@@ -25,6 +25,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -62,6 +63,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -100,6 +102,7 @@
       "blocking_mode": "refused",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -138,6 +141,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -176,6 +180,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -214,6 +219,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": true,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -254,6 +260,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": true,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -294,6 +301,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -332,6 +340,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": true,
       "disable_ipv6": false,
@@ -370,6 +379,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -408,6 +418,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -446,6 +457,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -486,6 +498,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -526,6 +539,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -565,6 +579,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -603,6 +618,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -643,6 +659,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -686,6 +703,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -724,6 +742,7 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,
@@ -766,6 +785,46 @@
       "blocking_mode": "default",
       "blocking_ipv4": "",
       "blocking_ipv6": "",
+      "blocked_response_ttl": 10,
+      "edns_cs_enabled": false,
+      "dnssec_enabled": false,
+      "disable_ipv6": false,
+      "upstream_mode": "",
+      "cache_size": 0,
+      "cache_ttl_min": 0,
+      "cache_ttl_max": 0,
+      "cache_optimistic": false,
+      "resolve_clients": false,
+      "use_private_ptr_resolvers": false,
+      "local_ptr_upstreams": [],
+      "edns_cs_use_custom": false,
+      "edns_cs_custom_ip": ""
+    }
+  },
+  "blocked_response_ttl": {
+    "req": {
+      "blocked_response_ttl": 11
+    },
+    "want": {
+      "upstream_dns": [
+        "8.8.8.8:53",
+        "8.8.4.4:53"
+      ],
+      "upstream_dns_file": "",
+      "bootstrap_dns": [
+        "9.9.9.10",
+        "149.112.112.10",
+        "2620:fe::10",
+        "2620:fe::fe:10"
+      ],
+      "fallback_dns": [],
+      "protection_enabled": true,
+      "protection_disabled_until": null,
+      "ratelimit": 0,
+      "blocking_mode": "default",
+      "blocking_ipv4": "",
+      "blocking_ipv6": "",
+      "blocked_response_ttl": 11,
       "edns_cs_enabled": false,
       "dnssec_enabled": false,
       "disable_ipv6": false,

internal/dnsforward/upstreams.go

@@ -69,8 +69,8 @@ func (s *Server) prepareUpstreamSettings() (err error) {
 	return nil
 }
 
-// prepareUpstreamConfig sets upstream configuration based on upstreams and
-// configuration of s.
+// prepareUpstreamConfig returns the upstream configuration based on upstreams
+// and configuration of s.
 func (s *Server) prepareUpstreamConfig(
 	upstreams []string,
 	defaultUpstreams []string,