Added options for custom resolver and enforcing DNSSEC

2026-03-28 03:46:00 +01:00 · 2024-01-05 19:21:26 +01:00
parent 9f1d809c79
commit bd8fceca35
5 changed files with 77 additions and 13 deletions
--- a/app/src/main/java/eu/faircode/email/DnsHelper.java
+++ b/app/src/main/java/eu/faircode/email/DnsHelper.java
@@ -90,7 +90,7 @@ public class DnsHelper {
            String domain = UriHelper.getEmailDomain(email);
            if (domain == null)
                continue;
-            DnsRecord[] records = _lookup(context, domain, "mx", CHECK_TIMEOUT, false);
+            DnsRecord[] records = _lookup(context, domain, "mx", CHECK_TIMEOUT);
            if (records.length == 0)
                throw new UnknownHostException(domain);
        }
@@ -98,12 +98,14 @@ public class DnsHelper {

    @NonNull
    static DnsRecord[] lookup(Context context, String name, String type) {
-        return _lookup(context, name, type, LOOKUP_TIMEOUT, false);
+        return _lookup(context, name, type, LOOKUP_TIMEOUT);
    }

    @NonNull
-    private static DnsRecord[] _lookup(
-            Context context, String name, String type, int timeout, boolean require_authentic) {
+    private static DnsRecord[] _lookup(Context context, String name, String type, int timeout) {
+        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
+        boolean dns_secure = prefs.getBoolean("dns_secure", false);
+
        String filter = null;
        int colon = type.indexOf(':');
        if (colon > 0) {
@@ -234,7 +236,7 @@ public class DnsHelper {
            data.throwIfErrorResponse();

            boolean secure = (data.getUnverifiedReasons() != null);
-            if (secure && require_authentic) {
+            if (secure && dns_secure) {
                DnssecResultNotAuthenticException ex = data.getDnssecResultNotAuthenticException();
                if (ex != null)
                    throw ex;
@@ -321,8 +323,9 @@ public class DnsHelper {

            return result.toArray(new DnsRecord[0]);
        } catch (Throwable ex) {
-            if (ex instanceof DnssecValidationFailedException ||
-                    ex instanceof MultipleIoException)
+            if (ex instanceof MultipleIoException ||
+                    ex instanceof DnssecValidationFailedException ||
+                    ex instanceof DnssecResultNotAuthenticException)
                Log.i(ex);
            else
                Log.e(ex);
@@ -332,7 +335,7 @@ public class DnsHelper {

    static InetAddress getByName(Context context, String host) throws UnknownHostException {
        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
-        boolean dns_custom = prefs.getBoolean("dns_custom", BuildConfig.DEBUG);
+        boolean dns_custom = prefs.getBoolean("dns_custom", false);

        if (!dns_custom)
            return InetAddress.getByName(host);
@@ -341,12 +344,11 @@ public class DnsHelper {
            return InetAddress.getByName(host);

        return getAllByName(context, host)[0];
-
    }

    static InetAddress[] getAllByName(Context context, String host) throws UnknownHostException {
        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
-        boolean dns_custom = prefs.getBoolean("dns_custom", BuildConfig.DEBUG);
+        boolean dns_custom = prefs.getBoolean("dns_custom", false);

        if (!dns_custom)
            return InetAddress.getAllByName(host);
@@ -436,6 +438,15 @@ public class DnsHelper {
        return result;
    }

+    static void clear(Context context) {
+        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
+        SharedPreferences.Editor editor = prefs.edit();
+        for (String key : prefs.getAll().keySet())
+            if (key != null && key.startsWith("dns."))
+                editor.remove(key);
+        editor.apply();
+    }
+
    static void test(Context context) throws UnknownHostException {
        test(context, "gmail.com", "ns");
        test(context, "web.de", "mx");
--- a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
+++ b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
@@ -95,6 +95,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
    private SwitchCompat swBindSocket;
    private SwitchCompat swStandaloneVpn;
    private EditText etDns;
+    private SwitchCompat swDnsCustom;
+    private SwitchCompat swDnsSecure;
    private SwitchCompat swTcpKeepAlive;
    private SwitchCompat swSslUpdate;
    private SwitchCompat swSslHarden;
@@ -126,7 +128,9 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
            "metered", "download", "download_limited", "roaming", "rlah",
            "download_headers", "download_eml", "download_plain",
            "require_validated", "require_validated_captive", "vpn_only",
-            "timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "dns_extra", "tcp_keep_alive",
+            "timeout", "prefer_ip4", "bind_socket", "standalone_vpn",
+            "dns_extra", "dns_custom", "dns_secure",
+            "tcp_keep_alive",
            "ssl_update", "ssl_harden", "ssl_harden_strict", "cert_strict", "cert_transparency", "check_names",
            "open_safe", "http_redirect",
            "bouncy_castle", "bc_fips"
@@ -159,6 +163,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
        swBindSocket = view.findViewById(R.id.swBindSocket);
        swStandaloneVpn = view.findViewById(R.id.swStandaloneVpn);
        etDns = view.findViewById(R.id.etDns);
+        swDnsCustom = view.findViewById(R.id.swDnsCustom);
+        swDnsSecure = view.findViewById(R.id.swDnsSecure);
        swTcpKeepAlive = view.findViewById(R.id.swTcpKeepAlive);
        swSslUpdate = view.findViewById(R.id.swSslUpdate);
        swSslHarden = view.findViewById(R.id.swSslHarden);
@@ -354,6 +360,23 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
            }
        });

+        swDnsCustom.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+            @Override
+            public void onCheckedChanged(CompoundButton buttonView, boolean checked) {
+                DnsHelper.clear(buttonView.getContext());
+                prefs.edit().putBoolean("dns_custom", checked).apply();
+                swDnsSecure.setEnabled(checked);
+            }
+        });
+
+        swDnsSecure.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+            @Override
+            public void onCheckedChanged(CompoundButton buttonView, boolean checked) {
+                DnsHelper.clear(buttonView.getContext());
+                prefs.edit().putBoolean("dns_secure", checked).apply();
+            }
+        });
+
        swTcpKeepAlive.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
            @Override
            public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
@@ -736,6 +759,9 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
            swBindSocket.setChecked(prefs.getBoolean("bind_socket", false));
            swStandaloneVpn.setChecked(prefs.getBoolean("standalone_vpn", false));
            etDns.setText(prefs.getString("dns_extra", null));
+            swDnsCustom.setChecked(prefs.getBoolean("dns_custom", false));
+            swDnsSecure.setChecked(prefs.getBoolean("dns_secure", false));
+            swDnsSecure.setEnabled(swDnsCustom.isChecked());
            swTcpKeepAlive.setChecked(prefs.getBoolean("tcp_keep_alive", false));
            swSslUpdate.setChecked(prefs.getBoolean("ssl_update", true));
            swSslHarden.setChecked(prefs.getBoolean("ssl_harden", false));
--- a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
+++ b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
@@ -171,7 +171,9 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
            "sync_folders",
            "sync_shared_folders",
            "download_headers", "download_eml",
-            "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", // force reconnect
+            "prefer_ip4", "bind_socket", "standalone_vpn", // force reconnect
+            "dns_extra", "dns_custom", "dns_secure", // force reconnect
+            "tcp_keep_alive", // force reconnect
            "ssl_harden", "ssl_harden_strict", "cert_strict", "cert_transparency", "check_names", "bouncy_castle", "bc_fips", // force reconnect
            "experiments", "debug", "protocol", // force reconnect
            "auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
--- a/app/src/main/res/layout/fragment_options_connection.xml
+++ b/app/src/main/res/layout/fragment_options_connection.xml
@@ -448,6 +448,29 @@
                    app:layout_constraintStart_toStartOf="parent"
                    app:layout_constraintTop_toBottomOf="@id/tvDns" />

+                <androidx.appcompat.widget.SwitchCompat
+                    android:id="@+id/swDnsCustom"
+                    android:layout_width="0dp"
+                    android:layout_height="wrap_content"
+                    android:layout_marginTop="12dp"
+                    android:text="@string/title_advanced_dns_custom"
+                    app:layout_constraintEnd_toEndOf="parent"
+                    app:layout_constraintStart_toStartOf="parent"
+                    app:layout_constraintTop_toBottomOf="@id/etDns"
+                    app:switchPadding="12dp" />
+
+                <androidx.appcompat.widget.SwitchCompat
+                    android:id="@+id/swDnsSecure"
+                    android:layout_width="0dp"
+                    android:layout_height="wrap_content"
+                    android:layout_marginStart="12dp"
+                    android:layout_marginTop="12dp"
+                    android:text="@string/title_advanced_dns_secure"
+                    app:layout_constraintEnd_toEndOf="parent"
+                    app:layout_constraintStart_toStartOf="parent"
+                    app:layout_constraintTop_toBottomOf="@id/swDnsCustom"
+                    app:switchPadding="12dp" />
+
                <androidx.appcompat.widget.SwitchCompat
                    android:id="@+id/swTcpKeepAlive"
                    android:layout_width="0dp"
@@ -457,7 +480,7 @@
                    android:text="@string/title_advanced_tcp_keep_alive"
                    app:layout_constraintEnd_toEndOf="parent"
                    app:layout_constraintStart_toStartOf="parent"
-                    app:layout_constraintTop_toBottomOf="@id/etDns"
+                    app:layout_constraintTop_toBottomOf="@id/swDnsSecure"
                    app:switchPadding="12dp" />

                <TextView
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@@ -518,6 +518,8 @@
    <string name="title_advanced_bind_socket" translatable="false">Bind sockets to the active network</string>
    <string name="title_advanced_standalone_vpn" translatable="false">Standalone VPN</string>
    <string name="title_advanced_dns">Additional DNS server addresses (comma separated)</string>
+    <string name="title_advanced_dns_custom">Use custom DNS resolver</string>
+    <string name="title_advanced_dns_secure">Enforce DNSSEC</string>
    <string name="title_advanced_tcp_keep_alive" translatable="false">TCP keep alive</string>
    <string name="title_advanced_ssl_update">Use updated SSL provider</string>
    <string name="title_advanced_ssl_harden">Harden SSL connections</string>