From patchwork Fri Sep 22 10:43:34 2023
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3360
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 22 Sep 2023 12:43:34 +0200
Message-Id: <20230922104334.37619-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH] dns option: remove support for exclude-domains

From: Heiko Hund

No DNS resolver currently supports this and it is not possible to emulate the behavior without the chance of errors. Finding the effective default system DNS server(s) to specify the exclude DNS routes is not trivial and cannot be verified to be correct without resolver internal knowledge. So, it is better to not support this instead of supporting it, but incorrectly.

Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund Acked-by: Lev Stipakov --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/39 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): lstipakov Submitter note: Manually removed comma in documentation according to https://gerrit.openvpn.net/c/openvpn/+/39/comment/c2458c42_e3d89d93/ diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index fe9ffa6..4555534 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -169,7 +169,7 @@ dns search-domains domain [domain ...] dns server n address addr[:port] [addr[:port] ...] - dns server n resolve-domains|exclude-domains domain [domain ...] + dns server n resolve-domains domain [domain ...] dns server n dnssec yes|optional|no dns server n transport DoH|DoT|plain dns server n sni server-name 
@@ -191,14 +191,10 @@ Optionally a port can be appended after a colon. IPv6 addresses need to be enclosed in brackets if a port is appended. - The ``resolve-domains`` and ``exclude-domains`` options take one or - more DNS domains which are explicitly resolved or explicitly not resolved - by a server. Only one of the options can be configured for a server. - ``resolve-domains`` is used to define a split-dns setup, where only - given domains are resolved by a server. ``exclude-domains`` is used to - define domains which will never be resolved by a server (e.g. domains - which can only be resolved locally). Systems which do not support fine - grained DNS domain configuration, will ignore these settings. + The ``resolve-domains`` option takes one or more DNS domains used to define + a split-dns or dns-routing setup, where only the given domains are resolved + by the server. Systems which do not support fine grained DNS domain + configuration will ignore this setting. The ``dnssec`` option is used to configure validation of DNSSEC records. While the exact semantics may differ for resolvers on different systems, diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index d73231e..8c0be0c 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -663,7 +663,6 @@ dns_server_{n}_address_{m} dns_server_{n}_port_{m} dns_server_{n}_resolve_domain_{m} - dns_server_{n}_exclude_domain_{m} dns_server_{n}_dnssec dns_server_{n}_transport dns_server_{n}_sni diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index b7808db..51fca2f 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -402,11 +402,9 @@ if (s->domains) { - const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ? - "dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d"; for (j = 1, d = s->domains; d != NULL; j++, d = d->next) { - setenv_dns_option(es, format, i, j, d->name); + setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); } } @@ -484,14 +482,7 @@ struct dns_domain *domain = server->domains; if (domain) { - if (server->domain_type == DNS_RESOLVE_DOMAINS) - { - msg(D_SHOW_PARMS, " resolve domains:"); - } - else - { - msg(D_SHOW_PARMS, " exclude domains:"); - } + msg(D_SHOW_PARMS, " resolve domains:"); while (domain) { msg(D_SHOW_PARMS, " %s", domain->name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 162dec1..e497857 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -27,12 +27,6 @@ #include "buffer.h" #include "env_set.h" -enum dns_domain_type { - DNS_DOMAINS_UNSET, - DNS_RESOLVE_DOMAINS, - DNS_EXCLUDE_DOMAINS -}; - enum dns_security { DNS_SECURITY_UNSET, DNS_SECURITY_NO, @@ -68,7 +62,6 @@ size_t addr_count; struct dns_server_addr addr[8]; struct dns_domain *domains; - enum dns_domain_type domain_type; enum dns_security dnssec; enum dns_server_transport transport; const char *sni; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 17ce2b0..3e0cb62 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -514,7 +514,6 @@ " Valid options are :\n" " address [addr[:port] ...] : server addresses 4/6\n" " resolve-domains [domain ...] : split domains\n" - " exclude-domains [domain ...] : domains not to resolve\n" " dnssec : option to use DNSSEC\n" " type : query server over HTTPS / TLS\n" " sni : DNS server name indication\n" 
@@ -8022,22 +8021,6 @@ } else if (streq(p[3], "resolve-domains")) { - if (server->domain_type == DNS_EXCLUDE_DOMAINS) - { - msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority); - goto err; - } - server->domain_type = DNS_RESOLVE_DOMAINS; - dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); - } - else if (streq(p[3], "exclude-domains")) - { - if (server->domain_type == DNS_RESOLVE_DOMAINS) - { - msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority); - goto err; - } - server->domain_type = DNS_EXCLUDE_DOMAINS; dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); } else if (streq(p[3], "dnssec") && !p[5])
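Review bot: in the replacement paragraph of the client-options.rst hunk at @@ -191, "fine grained" should be hyphenated as "fine-grained" when it modifies "DNS domain configuration" (the removed text had the same issue, so this rewrite is the place to fix it), and "a split-dns or dns-routing setup" introduces the term "dns-routing" that the surrounding section never defines; keeping "split-dns" alone, as the previous text did, avoids the new undefined term.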
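Review bot: the script-options.rst hunk at @@ -663 removes `dns_server_{n}_exclude_domain_{m}` from the documented script environment, which is a user-visible interface change: a script that still reads that variable will simply find it unset rather than getting an error, so the removal deserves a line in the changelog next to the option removal itself.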
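Review bot: dropping `domain_type` from the server struct in the dns.h hunk at @@ -68 is consistent with the dns.c and options.c hunks, which remove every read and write of the field that appears in this diff; any remaining user of `domain_type` or of the deleted `enum dns_domain_type` outside these files (none is visible here) would now fail to compile, so building every supported platform target should be part of the verification before merge.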
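Review bot: with the `exclude-domains` branch gone from the options.c hunk at @@ -8022, a config line such as `dns server 1 exclude-domains example.com` (constructed example) is no longer matched by this `else if` chain and falls through to whatever the chain's final branch does, which the hunk does not show; please confirm that this produces a clear parse error naming the unknown keyword rather than silently ignoring the line, and mention the removal in the changelog so that users of the old syntax understand why their configuration is now rejected. Removing the mutual-exclusion check from the `resolve-domains` branch is fine, since repeated `resolve-domains` lines already appended to the same list before this change.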