From patchwork Fri Mar 10 05:08:13 2023
X-Patchwork-Submitter: Heiko Hund
X-Patchwork-Id: 3122
From: Heiko Hund
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 10 Mar 2023 06:08:13 +0100
Message-Id: <20230310050814.67246-2-heiko@ist.eigentlich.net>
In-Reply-To: <20230310050814.67246-1-heiko@ist.eigentlich.net>
References: <20230310050814.67246-1-heiko@ist.eigentlich.net>
Subject: [Openvpn-devel] [PATCH 2/3] dns option: remove support for exclude-domains

No DNS resolver currently supports this and it is not possible to emulate the behavior without the chance of errors.
Finding the effective default system DNS server(s) to specify the exclude DNS routes is not trivial and cannot be verified to be correct without resolver internal knowledge. So, it is better to not support this instead of supporting it, but incorrectly. Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb Signed-off-by: Heiko Hund --- doc/man-sections/client-options.rst | 14 +++++--------- doc/man-sections/script-options.rst | 1 - src/openvpn/dns.c | 13 ++----------- src/openvpn/dns.h | 7 ------- src/openvpn/options.c | 17 ----------------- 5 files changed, 7 insertions(+), 45 deletions(-) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index fe9ffa6a..4555534e 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -169,7 +169,7 @@ configuration. dns search-domains domain [domain ...] dns server n address addr[:port] [addr[:port] ...] - dns server n resolve-domains|exclude-domains domain [domain ...] + dns server n resolve-domains domain [domain ...] dns server n dnssec yes|optional|no dns server n transport DoH|DoT|plain dns server n sni server-name 
@@ -191,14 +191,10 @@ configuration. Optionally a port can be appended after a colon. IPv6 addresses need to be enclosed in brackets if a port is appended. - The ``resolve-domains`` and ``exclude-domains`` options take one or - more DNS domains which are explicitly resolved or explicitly not resolved - by a server. Only one of the options can be configured for a server. - ``resolve-domains`` is used to define a split-dns setup, where only - given domains are resolved by a server. ``exclude-domains`` is used to - define domains which will never be resolved by a server (e.g. domains - which can only be resolved locally). Systems which do not support fine - grained DNS domain configuration, will ignore these settings. + The ``resolve-domains`` option takes one or more DNS domains used to define + a split-dns or dns-routing setup, where only the given domains are resolved + by the server. Systems which do not support fine grained DNS domain + configuration, will ignore this setting. The ``dnssec`` option is used to configure validation of DNSSEC records. While the exact semantics may differ for resolvers on different systems, diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index d73231ed..8c0be0cd 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -663,7 +663,6 @@ instances. dns_server_{n}_address_{m} dns_server_{n}_port_{m} dns_server_{n}_resolve_domain_{m} - dns_server_{n}_exclude_domain_{m} dns_server_{n}_dnssec dns_server_{n}_transport dns_server_{n}_sni diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index b7808db1..51fca2fb 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -402,11 +402,9 @@ setenv_dns_options(const struct dns_options *o, struct env_set *es) if (s->domains) { - const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ? - "dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d"; for (j = 1, d = s->domains; d != NULL; j++, d = d->next) { - setenv_dns_option(es, format, i, j, d->name); + setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); } } @@ -484,14 +482,7 @@ show_dns_options(const struct dns_options *o) struct dns_domain *domain = server->domains; if (domain) { - if (server->domain_type == DNS_RESOLVE_DOMAINS) - { - msg(D_SHOW_PARMS, " resolve domains:"); - } - else - { - msg(D_SHOW_PARMS, " exclude domains:"); - } + msg(D_SHOW_PARMS, " resolve domains:"); while (domain) { msg(D_SHOW_PARMS, " %s", domain->name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 162dec12..e4978579 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -27,12 +27,6 @@ #include "buffer.h" #include "env_set.h" -enum dns_domain_type { - DNS_DOMAINS_UNSET, - DNS_RESOLVE_DOMAINS, - DNS_EXCLUDE_DOMAINS -}; - enum dns_security { DNS_SECURITY_UNSET, DNS_SECURITY_NO, @@ -68,7 +62,6 @@ struct dns_server { size_t addr_count; struct dns_server_addr addr[8]; struct dns_domain *domains; - enum dns_domain_type domain_type; enum dns_security dnssec; enum dns_server_transport transport; const char *sni; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 17ce2b05..3e0cb62b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -514,7 +514,6 @@ static const char usage_message[] = " Valid options are :\n" " address [addr[:port] ...] : server addresses 4/6\n" " resolve-domains [domain ...] : split domains\n" - " exclude-domains [domain ...] : domains not to resolve\n" " dnssec : option to use DNSSEC\n" " type : query server over HTTPS / TLS\n" " sni : DNS server name indication\n" 
@@ -8022,22 +8021,6 @@ add_option(struct options *options, } else if (streq(p[3], "resolve-domains")) { - if (server->domain_type == DNS_EXCLUDE_DOMAINS) - { - msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority); - goto err; - } - server->domain_type = DNS_RESOLVE_DOMAINS; - dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); - } - else if (streq(p[3], "exclude-domains")) - { - if (server->domain_type == DNS_RESOLVE_DOMAINS) - { - msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority); - goto err; - } - server->domain_type = DNS_EXCLUDE_DOMAINS; dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); } else if (streq(p[3], "dnssec") && !p[5])
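Review bot: the replacement paragraph in the second client-options.rst hunk keeps a comma between subject and verb in "Systems which do not support fine grained DNS domain configuration, will ignore this setting."; drop the comma (and hyphenate "fine-grained") so the sentence reads "Systems which do not support fine-grained DNS domain configuration will ignore this setting."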
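Review bot: removing `dns_server_{n}_exclude_domain_{m}` from the script-options.rst list means scripts that read the variable will now simply find it unset, with no indication that it was retired rather than merely undocumented; since the `dns_server_{n}_resolve_domain_{m}` numbering is unaffected this is safe, but the removal should be called out in the release notes so script authors do not keep checking for a variable that can no longer appear.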
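Review bot: with the `exclude-domains` branch deleted from add_option(), a config line or pushed option such as `dns server 1 exclude-domains example.com` now falls through to whatever follows the remaining `else if` chain; if that is an unknown-option error, a client built with this patch will reject a push from an older server that still sends the keyword, instead of ignoring it as the old `domain_type` check allowed. Consider keeping a branch that accepts `exclude-domains`, logs that it is deprecated and ignored, and continues, for at least one release, so mixed-version deployments keep working. Dropping the `server->domain_type = DNS_RESOLVE_DOMAINS;` assignment is consistent with the dns.h hunk that removes the field, so no stale reference is left behind there.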