unbound: implement custom forwarders over current dot setup (#5606)

This PR pulls query forwarding over the current dot setup, so visually nothing changes.

All API calls are redirected to new Forward functions, which slightly modifies what is returned based on whether "Query Forwarding" or "DNS over TLS" is selected from the menu. This way backwards compatibility is preserved.

As an addition, a user is now able to specify a specific domain for a forward zone as well. Meaning that queries for this specific domain will skip a catch-all (".") domain (if specified), and instead use the server specified for this domain.

Entering a forward zone with a catch-all domain (".") in both Query Forwading and DNS over TLS is considered a duplicate by Unbound, so a static warning for this has been attached in the grid - however, it might be possible for a user to be warned dynamically over this.

plist

@@ -574,6 +574,7 @@
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_0.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_1.php
+/usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
 /usr/local/opnsense/mvc/app/views/OPNsense/CaptivePortal/clients.volt

src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php

@@ -30,38 +30,126 @@
 namespace OPNsense\Unbound\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
 
 class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = '\OPNsense\Unbound\Unbound';
     protected static $internalModelName = 'unbound';
 
-    public function searchDotAction()
+    private string $type = "dot";
+
+    public function toggleSystemForwardAction() {
+        if ($this->request->isPost() && $this->request->hasPost('forwarding')) {
+            $this->sessionClose();
+            Config::getInstance()->lock();
+            $config = Config::getInstance()->object();
+
+            $val = $this->request->getPost('forwarding')['enabled'];
+
+            /* Write to config exactly as legacy would */
+            $config->unbound->forwarding = !empty($val);
+            if ($val != "1") {
+                /* legacy uses isset() */
+                unset($config->unbound->forwarding);
+            }
+
+            /* save and release lock */
+            Config::getInstance()->save();
+        }
+
+    }
+
+    public function getSystemForwardAction() {
+        $config = Config::getInstance()->object();
+        return array("forwarding" =>
+            array( "enabled" =>
+                empty($config->unbound->forwarding) ? 0 : 1
+            )
+        );
+    }
+
+    public function getNameserversAction() {
+        if ($this->request->isGet()) {
+            $backend = new Backend();
+            $nameservers = json_decode(trim($backend->configdRun("system list nameservers")));
+
+            if ($nameservers !== null) {
+                $result = array();
+                $config = Config::getInstance()->object();
+                if (isset($config->system->dnsallowoverride)) {
+                    foreach ($nameservers->dynamic as $dynamic) {
+                        $result[] = $dynamic;
+                    }
+                }
+                foreach ($nameservers->static as $static) {
+                    $result[] = $static;
+                }
+
+                return $result;
+            }
+        }
+        return array("message" => "Unable to run configd action");
+    }
+
+    /*
+     * Catch all Dot API endpoints and redirect them to Forward for
+     * backwards compatibility and infer the type from the request.
+     * If no type is provided, default to dot.
+     */
+    public function __call($method, $args)
     {
-        return $this->searchBase('dots.dot', array('enabled', 'server', 'port', 'verify'));
+        if (substr($method, -6) == 'Action') {
+            $fn = preg_replace('/Dot/', 'Forward', $method);
+            if (method_exists(get_class($this), $fn)) {
+                if (preg_match("/forward/i", $this->request->getHTTPReferer())) {
+                    $this->type = "forward";
+                }
+                return $this->$fn(...$args);
+            }
+        }
     }
 
-    public function getDotAction($uuid = null)
+    public function searchForwardAction()
+    {
+        $filter_fn = function ($record) {
+            return $record->type == $this->type;
+        };
+
+        return $this->searchBase(
+            'dots.dot',
+            array('enabled', 'server', 'port', 'verify', 'type', 'domain'),
+            null,
+            $filter_fn
+        );
+    }
+
+    public function getForwardAction($uuid = null)
     {
         return $this->getBase('dot', 'dots.dot', $uuid);
     }
 
-    public function addDotAction()
+    public function addForwardAction()
     {
-        return $this->addBase('dot', 'dots.dot');
+        return $this->addBase('dot', 'dots.dot',
+            [ "type" => $this->type ]
+        );
     }
 
-    public function delDotAction($uuid)
+    public function delForwardAction($uuid)
     {
         return $this->delBase('dots.dot', $uuid);
     }
 
-    public function setDotAction($uuid)
+    public function setForwardAction($uuid)
     {
-        return $this->setBase('dot', 'dots.dot', $uuid);
+        return $this->setBase('dot', 'dots.dot', $uuid,
+            [ "type" => $this->type ]
+        );
     }
 
-    public function toggleDotAction($uuid, $enabled = null)
+    public function toggleForwardAction($uuid, $enabled = null)
     {
         return $this->toggleBase('dots.dot', $uuid, $enabled);
     }

src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php

@@ -34,6 +34,8 @@ class DotController extends IndexController
 {
     public function indexAction()
     {
+        $this->view->selected_forward = "";
+        $this->view->forwardingForm = $this->getForm('forwarding');
         $this->view->formDialogEdit = $this->getForm('dialogDot');
         $this->view->pick('OPNsense/Unbound/dot');
     }

src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php

@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Unbound;
+
+use OPNsense\Base\IndexController;
+
+class ForwardController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->selected_forward = "forward";
+        $this->view->forwardingForm = $this->getForm('forwarding');
+        $this->view->formDialogEdit = $this->getForm('dialogDot');
+        $this->view->pick('OPNsense/Unbound/dot');
+    }
+}

src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml

@@ -5,6 +5,15 @@
         <type>checkbox</type>
         <help>Enable or disable this server.</help>
     </field>
+    <field>
+        <id>dot.domain</id>
+        <label>Domain</label>
+        <type>text</type>
+        <help>
+            If a domain is entered here, queries for this specific domain will be forwarded to the specified server.
+            Leave blank to forward all queries to the specified server (default).
+        </help>
+    </field>
     <field>
         <id>dot.server</id>
         <label>Server IP</label>
@@ -21,6 +30,9 @@
         <id>dot.verify</id>
         <label>Verify CN</label>
         <type>text</type>
-        <help>Verify if CN in certificate matches this value.</help>
+        <help>
+            Verify if CN in certificate matches this value. Please note that if this field is omitted,
+            Unbound will not perform any certificate verification. Therefore, man-in-the-middle attacks are still possible.
+        </help>
     </field>
 </form>

src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml

@@ -0,0 +1,17 @@
+<form>
+    <field>
+        <id>forwarding.enabled</id>
+        <label>Use System Nameservers</label>
+        <type>checkbox</type>
+        <style>forwarding-enabled</style>
+        <help>
+            The configured system nameservers will be used to forward queries to.
+            This will override any entry in the grid below.
+        </help>
+    </field>
+    <field>
+        <id>forwarding.info</id>
+        <type>info</type>
+        <label></label>
+    </field>
+</form>

src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml

@@ -8,7 +8,8 @@
                 <All url="/services_unbound_acls.php*" visibility="hidden"/>
             </ACL>
             <Blocklist order="50" url="/ui/unbound/dnsbl/index"/>
-            <Dot VisibleName="DNS over TLS" order="60" url="/ui/unbound/dot/index"/>
+            <Forward VisibleName="Query Forwarding" order="60" url="/ui/unbound/forward"/>
+            <Dot VisibleName="DNS over TLS" order="70" url="/ui/unbound/dot"/>
             <Statistics order="90" url="/ui/unbound/stats"/>
             <LogFile VisibleName="Log File" order="100" url="/ui/diagnostics/log/core/resolver"/>
         </Unbound>

src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php

@@ -0,0 +1,55 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Unbound\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Base\FieldTypes\BooleanField;
+use OPNsense\Base\FieldTypes\NetworkField;
+use OPNsense\Base\FieldTypes\PortField;
+use OPNsense\Core\Config;
+
+class M1_0_2 extends BaseModelMigration
+{
+    /**
+     * Migrate older models into shared model
+     * @param $model
+     */
+    public function run($model)
+    {
+        $config = Config::getInstance()->object();
+
+        $node = $config->OPNsense->unboundplus;
+
+        if (!empty($node->dots) && !empty($node->dots->dot)) {
+            foreach ($model->dots->dot->iterateItems() as $dot) {
+                $dot->type = "dot";
+            }
+        }
+    }
+}

src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml

@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/unboundplus</mount>
     <description>Unbound configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <service_enabled type="LegacyLinkField">
             <Source>unbound.enable</Source>
@@ -56,12 +56,30 @@
                 <Required>N</Required>
             </whitelists>
         </dnsbl>
+        <forwarding>
+            <enabled type="LegacyLinkField">
+                <Source>unbound.forwarding</Source>
+            </enabled>
+        </forwarding>
         <dots>
             <dot type="ArrayField">
                 <enabled type="BooleanField">
                     <Required>Y</Required>
                     <default>1</default>
                 </enabled>
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>dot</default>
+                    <OptionValues>
+                        <dot>DNS over TLS</dot>
+                        <forward>Forward</forward>
+                    </OptionValues>
+                </type>
+                <domain type="TextField">
+                    <Required>N</Required>
+                    <mask>/^(?:(?:[a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$/i</mask>
+                    <ValidationMessage>A valid domain must be specified.</ValidationMessage>
+                </domain>
                 <server type="NetworkField">
                     <Required>Y</Required>
                 </server>