1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 #pragma once
3 
4 #include "conf-parser.h"
5 #include "in-addr-util.h"
6 #include "macro.h"
7 
/* Loopback addresses the local resolver stub listens on. Both are host-order
 * (native-endian) in_addr_t values, so convert with htobe32()/htonl() before
 * storing them in a struct in_addr or comparing with wire data.
 *
 * 127.0.0.53: the full DNS stub, i.e. the listener that also does LLMNR/mDNS
 * and similar. */
#define INADDR_DNS_STUB ((in_addr_t) ((127U << 24) | 53U))

/* 127.0.0.54: the listener on which only "proxy" mode is implemented. */
#define INADDR_DNS_PROXY_STUB ((in_addr_t) ((127U << 24) | 54U))
13 
/* What the resolver keeps in its local answer cache (parsed from configuration
 * by config_parse_dns_cache_mode()). The _MAX member is the number of valid
 * modes; _INVALID is negative so it can double as an error code, presumably
 * what dns_cache_mode_from_string() yields for unknown input. */
typedef enum DnsCacheMode {
        DNS_CACHE_MODE_NO = 0,          /* do not cache at all */
        DNS_CACHE_MODE_YES,             /* cache answers */
        DNS_CACHE_MODE_NO_NEGATIVE,     /* cache, but never negative (NXDOMAIN/NODATA-style) answers */
        _DNS_CACHE_MODE_MAX,
        _DNS_CACHE_MODE_INVALID = -EINVAL,
} DnsCacheMode;
23 
/* Forward declarations for the enums defined further down. */
typedef enum DnssecMode DnssecMode;
typedef enum DnsOverTlsMode DnsOverTlsMode;

/* Three-level support switch (parsed by config_parse_resolve_support()):
 * off, fully on, or "resolve": presumably resolve names through the protocol
 * without responding to queries for our own names — TODO confirm against the
 * callers that consume this. _MAX is the count of valid values; _INVALID is
 * a negative error code. */
typedef enum ResolveSupport {
        RESOLVE_SUPPORT_NO = 0,
        RESOLVE_SUPPORT_YES,
        RESOLVE_SUPPORT_RESOLVE,
        _RESOLVE_SUPPORT_MAX,
        _RESOLVE_SUPPORT_INVALID = -EINVAL,
} ResolveSupport;
35 
/* DNSSEC validation policy (parsed by config_parse_dnssec_mode()). The
 * security-relevant distinction is what happens when the upstream server
 * turns out not to support DNSSEC: ALLOW_DOWNGRADE continues without
 * validation, YES refuses. */
enum DnssecMode {
        /* No DNSSEC validation at all. */
        DNSSEC_NO = 0,

        /* Validate locally if the server understands the DO bit; if it does
         * not do DNSSEC properly, fall back to non-DNSSEC operation. The AD
         * bit sent by the server is never trusted. Because the fallback is
         * automatic, an on-path attacker who makes the server appear
         * DNSSEC-incapable can strip validation entirely; this mode knowingly
         * accepts that downgrade attack as the configured trade-off. */
        DNSSEC_ALLOW_DOWNGRADE,

        /* Insist on DNSSEC support from the server and fail the lookup
         * rather than downgrade. Only this mode resists the downgrade
         * attack described above. */
        DNSSEC_YES,

        _DNSSEC_MODE_MAX,
        _DNSSEC_MODE_INVALID = -EINVAL,
};
53 
/* DNS-over-TLS policy (parsed by config_parse_dns_over_tls_mode()). As with
 * DnssecMode, the middle value trades security for availability: it falls
 * back to plaintext when TLS cannot be established. */
enum DnsOverTlsMode {
        /* Never use DNS-over-TLS. */
        DNS_OVER_TLS_NO = 0,

        /* Try DNS-over-TLS first; if the connection fails, fall back to an
         * unencrypted connection. Since the fallback is automatic, an on-path
         * attacker who blocks or breaks the TLS connection can force
         * cleartext, so this mode defends against passive observation rather
         * than an active attacker. Whether the server certificate is checked
         * in this mode is not specified here; the implementation decides. */
        DNS_OVER_TLS_OPPORTUNISTIC,

        /* Require DNS-over-TLS with a valid server certificate; no fallback. */
        DNS_OVER_TLS_YES,

        _DNS_OVER_TLS_MODE_MAX,
        _DNS_OVER_TLS_MODE_INVALID = -EINVAL,
};
68 
/* Per-enum helpers, grouped by type: a conf-parser callback plus
 * string<->enum conversion. The _to_string() functions are _const_ and the
 * _from_string() ones _pure_; the latter presumably return the enum's
 * negative _INVALID member for unrecognised input (see the definitions above). */

/* ResolveSupport */
CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
const char* resolve_support_to_string(ResolveSupport p) _const_;
ResolveSupport resolve_support_from_string(const char *s) _pure_;

/* DnssecMode */
CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
const char* dnssec_mode_to_string(DnssecMode p) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;

/* DnsOverTlsMode */
CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
const char* dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;

/* DnsCacheMode */
CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);
const char* dns_cache_mode_to_string(DnsCacheMode p) _const_;
DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_;

/* Reports whether 'sa' (address family 'family') is acceptable as an upstream
 * DNS server address. The exact rejection rules live in the implementation;
 * the intent is that addresses from configuration or learnt from the network
 * are checked here before they are used as servers. */
bool dns_server_address_valid(int family, const union in_addr_union *sa);
87 
/* The resolv.conf files the resolver maintains. Each carries a different mix of
 * the DNS server addresses and search domains learnt from uplink; presumably
 * /etc/resolv.conf is pointed at one of them depending on whether clients
 * should talk to the upstream servers directly or go through the local stub. */

/* A resolv.conf file containing the DNS server and domain data we learnt from uplink, i.e. the full uplink data.
 * Clients using this bypass the local stub (and therefore any DNSSEC/DNS-over-TLS
 * policy it enforces) and talk to the uplink servers themselves. */
#define PRIVATE_UPLINK_RESOLV_CONF "/run/systemd/resolve/resolv.conf"

/* A resolv.conf file containing the domain data we learnt from uplink, but our own DNS server address
 * (presumably INADDR_DNS_STUB, 127.0.0.53, as listed at the top of this header). */
#define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf"

/* A static resolv.conf file containing no domains, but only our own DNS server address.
 * Unlike the two above it lives under ROOTLIBEXECDIR, not /run, so it does not change at runtime. */
#define PRIVATE_STATIC_RESOLV_CONF ROOTLIBEXECDIR "/resolv.conf"
96