Merge branch 'dnsproxy_non_fallback' into 'master'

dnsproxy: add non-fallback mode

See merge request !667

doc/man/knot.conf.5in

@@ -1314,6 +1314,7 @@ mod\-dnsproxy:
   \- id: STR
     remote: remote_id
     timeout: INT
+    fallback: BOOL
     catch\-nxdomain: BOOL
 .ft P
 .fi
@@ -1333,10 +1334,17 @@ forwarded to.
 A remote response timeout in milliseconds.
 .sp
 \fIDefault:\fP 500
+.SS fallback
+.sp
+If enabled, localy unsatisfied queries leading to REFUSED (no zone) are forwarded.
+If disabled, all queries are directly forwarded without any local attempts
+to resolve them.
+.sp
+\fIDefault:\fP on
 .SS catch\-nxdomain
 .sp
-If enabled, all unsatisfied queries (also applies to local zone lookups)
-are forwarded.
+If enabled, localy unsatisfied queries leading to NXDOMAIN are forwarded.
+This option is only relevant in the fallback mode.
 .sp
 \fIDefault:\fP off
 .SH MODULE ROSEDB

doc/modules.rst

@@ -177,9 +177,10 @@ Result:
 ``dnsproxy`` – Tiny DNS proxy
 -----------------------------
 
-The module catches all unsatisfied queries and forwards them to the
-indicated server for resolution, i.e. a tiny DNS proxy. There are several
-uses of this feature:
+The module forwards all queries, or all specific zone queries if configured
+per zone, to the indicated server for resolution. If configured in the fallback
+mode, only localy unsatisfied queries are forwarded. I.e. a tiny DNS proxy.
+There are several uses of this feature:
 
 * A substitute public-facing server in front of the real one
 * Local zones (poor man's "views"), rest is forwarded to the public-facing server
@@ -199,6 +200,7 @@ required::
    mod-dnsproxy:
      - id: default
        remote: hidden
+       fallback: on
 
    template:
      - id: default

doc/reference.rst

@@ -1541,6 +1541,7 @@ server for resolution.
    - id: STR
      remote: remote_id
      timeout: INT
+     fallback: BOOL
      catch-nxdomain: BOOL
 
 .. _mod-dnsproxy_id:
@@ -1569,13 +1570,24 @@ A remote response timeout in milliseconds.
 
 *Default:* 500
 
+.. _mod-dnsproxy_fallback:
+
+fallback
+--------
+
+If enabled, localy unsatisfied queries leading to REFUSED (no zone) are forwarded.
+If disabled, all queries are directly forwarded without any local attempts
+to resolve them.
+
+*Default:* on
+
 .. _mod-dnsproxy_catch-nxdomain:
 
 catch-nxdomain
 --------------
 
-If enabled, all unsatisfied queries (also applies to local zone lookups)
-are forwarded.
+If enabled, localy unsatisfied queries leading to NXDOMAIN are forwarded.
+This option is only relevant in the fallback mode.
 
 *Default:* off
 

src/knot/modules/dnsproxy/dnsproxy.c

-/*  Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -23,12 +23,14 @@
 /* Module configuration scheme. */
 #define MOD_REMOTE		"\x06""remote"
 #define MOD_TIMEOUT		"\x07""timeout"
+#define MOD_FALLBACK		"\x08""fallback"
 #define MOD_CATCH_NXDOMAIN	"\x0E""catch-nxdomain"
 
 const yp_item_t scheme_mod_dnsproxy[] = {
 	{ C_ID,               YP_TSTR,  YP_VNONE },
 	{ MOD_REMOTE,         YP_TREF,  YP_VREF = { C_RMT }, YP_FNONE, { check_ref } },
 	{ MOD_TIMEOUT,        YP_TINT,  YP_VINT = { 0, INT32_MAX, 500 } },
+	{ MOD_FALLBACK,       YP_TBOOL, YP_VBOOL = { true } },
 	{ MOD_CATCH_NXDOMAIN, YP_TBOOL, YP_VNONE },
 	{ C_COMMENT,          YP_TSTR,  YP_VNONE },
 	{ NULL }
@@ -48,6 +50,7 @@ int check_mod_dnsproxy(conf_check_t *args)
 
 typedef struct {
 	conf_remote_t remote;
+	bool fallback;
 	bool catch_nxdomain;
 	int timeout;
 } dnsproxy_t;
@@ -56,9 +59,10 @@ static int dnsproxy_fwd(int state, knot_pkt_t *pkt, struct query_data *qdata, vo
 {
 	assert(pkt && qdata && ctx);
 
-	/* Forward only queries ending with REFUSED (no zone) or NXDOMAIN (if configured) */
 	dnsproxy_t *proxy = ctx;
-	if (!(qdata->rcode == KNOT_RCODE_REFUSED ||
+
+	/* Forward only queries ending with REFUSED (no zone) or NXDOMAIN (if configured) */
+	if (proxy->fallback && !(qdata->rcode == KNOT_RCODE_REFUSED ||
 	     (qdata->rcode == KNOT_RCODE_NXDOMAIN && proxy->catch_nxdomain))) {
 		return state;
 	}
@@ -96,6 +100,8 @@ static int dnsproxy_fwd(int state, knot_pkt_t *pkt, struct query_data *qdata, vo
 	if (ret != KNOT_EOK) {
 		qdata->rcode = KNOT_RCODE_SERVFAIL;
 		return KNOT_STATE_FAIL; /* Forwarding failed, SERVFAIL. */
+	} else {
+		qdata->rcode = knot_pkt_ext_rcode(pkt);
 	}
 
 	return KNOT_STATE_DONE;
@@ -116,12 +122,19 @@ int dnsproxy_load(struct query_module *self)
 	val = conf_mod_get(self->config, MOD_TIMEOUT, self->id);
 	proxy->timeout = conf_int(&val);
 
+	val = conf_mod_get(self->config, MOD_FALLBACK, self->id);
+	proxy->fallback = conf_bool(&val);
+
 	val = conf_mod_get(self->config, MOD_CATCH_NXDOMAIN, self->id);
 	proxy->catch_nxdomain = conf_bool(&val);
 
 	self->ctx = proxy;
 
-	return query_module_step(self, QPLAN_END, dnsproxy_fwd);
+	if (proxy->fallback) {
+		return query_module_step(self, QPLAN_END, dnsproxy_fwd);
+	} else {
+		return query_module_step(self, QPLAN_BEGIN, dnsproxy_fwd);
+	}
 }
 
 void dnsproxy_unload(struct query_module *self)

tests-extra/tests/modules/dnsproxy/data/test.local_zone

 $ORIGIN test.
 $TTL 3600
 
-@	SOA	dns1 hostmaster 2010111201 10800 3600 1209600 7200
+@	SOA	dns1 hostmaster 1 10800 3600 1209600 7200
 	NS	dns1
 
 dns1	A	192.0.2.1
+
+local	A	1.1.1.1
\ No newline at end of file

tests-extra/tests/modules/dnsproxy/data/test.remote_zone

 $ORIGIN test.
 $TTL 3600
 
-@	SOA	dns1 hostmaster 2010111201 10800 3600 1209600 7200
+@	SOA	dns1 hostmaster 2 10800 3600 1209600 7200
 	NS	dns1
 
 dns1	A	192.0.2.2
 
-extra	A	1.1.1.1
\ No newline at end of file
+remote	A	1.1.1.2
\ No newline at end of file

tests-extra/tests/modules/dnsproxy/test.py

@@ -10,72 +10,116 @@ t = Test(stress=False)
 ModDnsproxy.check()
 
 # Initialize server configuration
-local_zone = t.zone("test", storage=".", file_name="test.local_zone")
-remote_zone1 = t.zone("test", storage=".", file_name="test.remote_zone")
-remote_zone2 = t.zone("example.com.")
+zone_common1 = t.zone("test", storage=".", file_name="test.local_zone")
+zone_common2 = t.zone("test", storage=".", file_name="test.remote_zone")
+zone_local = t.zone_rnd(1)
+zone_remote = t.zone_rnd(1)
 
-local1 = t.server("knot")
-t.link(local_zone, local1)
-
-local2 = t.server("knot")
-t.link(local_zone, local2)
+local = t.server("knot")
+t.link(zone_common1, local)
+t.link(zone_local, local)
 
 remote = t.server("knot")
-t.link(remote_zone1, remote)
-t.link(remote_zone2, remote)
+t.link(zone_common2, remote)
+t.link(zone_remote, remote)
+
+def fallback_checks(server, zone_local, zone_remote):
+    # Local preferred OK.
+    resp = server.dig("dns1.test", "A")
+    resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.1", nordata="192.0.2.2")
+
+    # Local record OK.
+    resp = server.dig("local.test", "A")
+    resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.1")
+
+    # Local OK.
+    resp = server.dig(zone_local.name, "SOA")
+    resp.check(rcode="NOERROR", flags="AA")
+
+    # Remote OK.
+    resp = server.dig(zone_remote.name, "SOA")
+    resp.check(rcode="NOERROR", flags="AA")
+
+    # Remote NOK, not existing zone.
+    resp = server.dig("z-o-n-e.", "SOA")
+    resp.check(rcode="REFUSED", noflags="AA")
 
 t.start()
 
-# Only after successful start the remote address is known!
-local1.add_module(None, ModDnsproxy(remote.addr, remote.port))
-local1.gen_confile()
-local1.reload()
-local2.add_module(None, ModDnsproxy(remote.addr, remote.port, True))
-local2.gen_confile()
-local2.reload()
+### No fallback
 
-# Local1
+# Only after successful start the remote address is known!
+local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=False))
+local.gen_confile()
+local.reload()
 
-# Local OK response.
-resp = local1.dig("dns1.test", "A")
-resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.1")
+# Remote OK.
+resp = local.dig("dns1.test", "A")
+resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.2", nordata="192.0.2.1")
 
-# Local NOK response, not forwarded.
-resp = local1.dig("extra.test", "A")
+# Local record NOK.
+resp = local.dig("local.test", "A")
 resp.check(rcode="NXDOMAIN", flags="AA")
 
-# Remote OK response.
-resp = local1.dig("example.com", "SOA")
+# Remote record OK.
+resp = local.dig("remote.test", "A")
+resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.2")
+
+# Local NOK, unknown zone.
+resp = local.dig(zone_local[0].name, "SOA")
+resp.check(rcode="REFUSED", noflags="AA")
+
+# Remote OK.
+resp = local.dig(zone_remote[0].name, "SOA")
 resp.check(rcode="NOERROR", flags="AA")
 
-# Remote NOK response, not existing owner.
-resp = local1.dig("extra.example.com", "A")
+# Remote NOK, not existing owner.
+resp = local.dig("u-n-k-n-o-w-n." + zone_remote[0].name, "A")
 resp.check(rcode="NXDOMAIN", flags="AA")
 
-# Remote NOK response, not existing zone.
-resp = local1.dig("unknown", "SOA")
+# Remote NOK, unknown zone.
+resp = local.dig("z-o-n-e.", "SOA")
 resp.check(rcode="REFUSED", noflags="AA")
 
-# Local2
-
-# Local OK response.
-resp = local2.dig("dns1.test", "A")
-resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.1")
+### Fallback, no nxdomain
 
-# Local NOK response, but forwarded OK.
-resp = local2.dig("extra.test", "A")
-resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.1")
+local.clear_modules(None)
+local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=True, nxdomain=False))
+local.gen_confile()
+local.reload()
 
-# Remote OK response.
-resp = local2.dig("example.com", "SOA")
-resp.check(rcode="NOERROR", flags="AA")
+fallback_checks(local, zone_local[0], zone_remote[0])
 
-# Remote NOK response, not existing owner.
-resp = local2.dig("extra.example.com", "A")
+# Local NOK, not forwarded.
+resp = local.dig("remote.test", "A")
 resp.check(rcode="NXDOMAIN", flags="AA")
 
-# Remote NOK response, not existing zone.
-resp = local2.dig("unknown", "SOA")
+### No fallback, nxdomain
+
+local.clear_modules(None)
+local.add_module(None, ModDnsproxy(remote.addr, remote.port, fallback=True, nxdomain=True))
+local.gen_confile()
+local.reload()
+
+fallback_checks(local, zone_local[0], zone_remote[0])
+
+# Local NOK, but forwarded OK.
+resp = local.dig("remote.test", "A")
+resp.check(rcode="NOERROR", flags="AA", rdata="1.1.1.2")
+
+### Per zone, fallback
+
+local.clear_modules(None)
+local.add_module(zone_common1[0], ModDnsproxy(remote.addr, remote.port, fallback=False))
+local.gen_confile()
+local.reload()
+
+# Remote OK.
+resp = local.dig("dns1.test", "A")
+resp.check(rcode="NOERROR", flags="AA", rdata="192.0.2.2", nordata="192.0.2.1")
+
+# Remote NOK, not forwarded.
+resp = local.dig(zone_remote[0].name, "SOA")
 resp.check(rcode="REFUSED", noflags="AA")
 
 t.end()

tests-extra/tools/dnstest/module.py

@@ -145,11 +145,12 @@ class ModDnsproxy(KnotModule):
     src_name = "dnsproxy_load"
     conf_name = "mod-dnsproxy"
 
-    def __init__(self, addr, port=53, catch_nxdomain=False):
+    def __init__(self, addr, port=53, nxdomain=False, fallback=True):
         super().__init__()
         self.addr = addr
         self.port = port
-        self.catch_nxdomain = catch_nxdomain
+        self.fallback = fallback
+        self.nxdomain = nxdomain
 
     def get_conf(self, conf=None):
         if not conf:
@@ -163,8 +164,8 @@ class ModDnsproxy(KnotModule):
         conf.begin(self.conf_name)
         conf.id_item("id", self.conf_id)
         conf.item_str("remote", "%s_%s" % (self.conf_name, self.conf_id))
-        if (self.catch_nxdomain):
-            conf.item_str("catch-nxdomain", "on")
+        conf.item_str("fallback", "on" if self.fallback else "off")
+        conf.item_str("catch-nxdomain", "on" if self.nxdomain else "off")
         conf.end()
 
         return conf