dns/bind: Fixup and feature expansion

a) Fixes zone_test
b) Fixes command truncation in grid-primary-domains
c) General tab help expansion and formatting
d) General tab option grouping
e) Converts NetworkType to ACLs where BIND uses Address Match Lists
f) Reformats named.conf (spacing and layout)
g) Adds listen-on-v6 { none; } when IPv6 is disabled (likely superflous)
h) Adds other rate-limiting options
i) Adds recursion no; option for authoritative servers
j) Adds allow-query-cache option as this also controls recursion

Signed-off-by: benyamin-codez <[email protected]>

Author: benyamin-codez

dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml

@@ -9,29 +9,31 @@
         <id>general.disablev6</id>
         <label>Disable IPv6</label>
         <type>checkbox</type>
-        <help>This will run BIND in IPv4-only mode.</help>
+        <help>This will cause BIND to run in IPv4-only mode.</help>
     </field>
     <field>
         <id>general.listenv4</id>
-        <label>Listen IPs</label>
-        <style>tokenize</style>
+        <label>Listener IP Addresses (IPv4)</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set the IPv4 addresses the service should listen to.</help>
+        <help><![CDATA[
+              Set ACLs defining IPv4 addresses the BIND service should listen on.
+              <br/>The default is all IPv4 addresses on the host, i.e. { any; }.
+              ]]></help>
     </field>
     <field>
         <id>general.listenv6</id>
-        <label>Listen IPv6</label>
-        <style>tokenize</style>
+        <label>Listener IP Addresses (IPv6)</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set the IPv6 addresses the service should listen to.</help>
+        <help><![CDATA[
+              Set ACLs defining IPv6 addresses the BIND service should listen on.
+              <br/>The default is all IPv6 addresses on the host, i.e. { any; } except when IPv6 is disabled which uses { none; }.
+              ]]></help>
     </field>
     <field>
         <id>general.port</id>
-        <label>Listen Port</label>
+        <label>Listen on Port</label>
         <type>text</type>
-        <help>Set the port the service should listen to.</help>
+        <help>Set the port the BIND service should listen on.</help>
     </field>
     <field>
         <id>general.querysource</id>
@@ -67,70 +69,71 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
+        <help>Set one or more hosts to send your DNS queries to if the request is unknown.</help>
     </field>
     <field>
         <id>general.filteraaaav4</id>
         <label>Enable filter-aaaa on IPv4 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv4 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
+        <help><![CDATA[
+              This will filter AAAA records on IPv4 Clients.
+              <br/>Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.
+              ]]></help>
     </field>
     <field>
         <id>general.filteraaaav6</id>
         <label>Enable filter-aaaa on IPv6 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv6 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
+        <help><![CDATA[
+              This will filter AAAA records on IPv6 Clients.
+              <br/>Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.
+              ]]></help>
     </field>
     <field>
         <id>general.filteraaaaacl</id>
-        <label>ACL for filter-aaaa</label>
-        <style>tokenize</style>
+        <label>ACLs for filter-aaaa</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Specifies a list of client addresses for which AAAA filtering is to be applied.</help>
+        <help>Set ACLs for which AAAA filtering is to be applied. The default is { any; }.</help>
     </field>
     <field>
         <id>general.logsize</id>
         <label>Logsize in MB</label>
         <type>text</type>
-        <help>Set the amount how big a logfile can growth. For Query and Blocked logs.</help>
+        <help>Set the amount how big a logfile can grow. For Query and Blocked logs.</help>
     </field>
     <field>
         <id>general.general_log_level</id>
         <label>General Log level</label>
         <style>selectpicker</style>
         <type>dropdown</type>
-        <help>Select General Log level. Log levels are listed in the order of increasing verbosity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
+        <help><![CDATA[
+              Select General Log level. Log levels are listed in the order of increasing verbosity.
+              <br/>Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.
+              ]]></help>
     </field>
     <field>
         <id>general.maxcachesize</id>
         <label>Maximum Cache Size</label>
         <type>text</type>
-        <help>How much memory in percent the cache can use from the system. Default is 80%.</help>
-    </field>
-    <field>
-        <id>general.recursion</id>
-        <label>Recursion</label>
-        <type>select_multiple</type>
-        <help>Define an ACL where you allow which clients can resolve via this service. Usually use your local LAN.</help>
+        <help>How much memory in percent the cache can use from the system. The default is 80%.</help>
     </field>
     <field>
         <id>general.allowtransfer</id>
         <label>Allow Transfer</label>
         <type>select_multiple</type>
-        <help>Define the ACLs where you allow which server can retrieve zones.</help>
+        <help>Set the ACLs to include hosts allowed to perform zones transfers.</help>
     </field>
     <field>
         <id>general.allowquery</id>
         <label>Allow Query</label>
         <type>select_multiple</type>
-        <help>Define the ACLs where you allow which client are allowed to query this server.</help>
+        <help>Set the ACLs from which you allow clients to query this server.</help>
     </field>
     <field>
         <id>general.dnssecvalidation</id>
         <label>DNSSEC Validation</label>
         <type>dropdown</type>
-        <help>Default is "No". Set to "Auto" to use the static trust anchor configuration by the system.</help>
+        <help>Default is "No". Set to "Auto" to use the system static trust anchor configuration.</help>
     </field>
     <field>
         <id>general.hidehostname</id>
@@ -153,28 +156,158 @@
         <advanced>true</advanced>
         <help>This will disable prefetching of domains before they time out.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Recursive Resolution</label>
+    </field>
+    <field>
+        <id>general.enablerecursion</id>
+        <label>Enable Recursive Resolution</label>
+        <type>checkbox</type>
+        <help>This will enable recursive resolution (default). Disable for public authoritative DNS servers.</help>
+    </field>
+    <field>
+        <id>general.recursionallowedacls</id>
+        <label>Recursion ACLs</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Select ACLs for which you wish to enable recursive resolution.
+              <br/>For public authoritative DNS servers, recursion should be disabled and this field left empty.
+              <br/>For private recursive DNS servers, this is usually an ACL representing your local LAN.
+              <br/>When recursion is enabled and no ACL is defined here or for allow-query-cache or allow-query, the
+              <br/>builtin { localnets; localhost; } address list is used. Otherwise this field will default to the value
+              <br/>found in allow-query-cache, or failing that, allow-query.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.allowcachequeries</id>
+        <label>Cache Query ACLs</label>
+        <advanced>true</advanced>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Select ACLs for which you wish to enable cache access. This effectively controls recursion.
+              <br/>For public authoritative DNS servers, recursion should be disabled, and this field defaults to using {none;}.
+              <br/>For private recursive DNS servers, use this field to override the defaults.
+              <br/>When recursion is enabled and allow-recursion has an ACL set, the default will be the same ACL.
+              <br/>Otherwise if allow-recursion has no ACL set, the default will be the { localnets; localhost; } address list.
+              ]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Rate Limiting</label>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>general.enableratelimiting</id>
         <label>Enable Rate Limiting</label>
         <type>checkbox</type>
         <advanced>true</advanced>
-        <help>This will enable rate-limiting for DNS replies.</help>
+        <help>This will enable rate-limiting for DNS responses.</help>
     </field>
     <field>
-        <id>general.ratelimitcount</id>
-        <label>Rate Limit Replies</label>
+        <id>general.ratelimitrespps</id>
+        <label>Responses Per Second</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>Set how many replies per second are allowed.</help>
+        <help><![CDATA[Set how many non-empty responses are allowed per second for valid domain names and record types.<br/>The default is 0 or no limit.]]></help>
     </field>
     <field>
-        <id>general.ratelimitexcept</id>
-        <label>Rate Limit Exceptions</label>
-        <style>tokenize</style>
+        <id>general.ratelimitwindow</id>
+        <label>Window</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of second during which responses are tracked. The default is 15 seconds.</help>
+    </field>
+    <field>
+        <id>general.ratelimitexempt</id>
+        <label>Exempt Clients</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
         <advanced>true</advanced>
-        <help>Except a list of IPs from rate-limiting like ::1</help>
+        <help>Set ACLs where rate-limiting should not apply.</help>
+    </field>
+    <field>
+        <id>general.ratelimitipv4prefixlength</id>
+        <label>IPv4 Prefix Length</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 24.</help>
+    </field>
+    <field>
+        <id>general.ratelimitipv6prefixlength</id>
+        <label>IPv6 Prefix Length</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 56.</help>
+    </field>
+    <field>
+        <id>general.ratelimitnodataps</id>
+        <label>NODATA Responses Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Set how many empty (NODATA) responses are allowed per second for valid domain names.<br/>The default is equal to the Responses Per Second value.]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitnxdomsps</id>
+        <label>NXDOMAIN Responses Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Set how many NXDOMAIN errors are allowed per second for undefined subdomains for valid domain names.<br/>The default is equal to the Responses Per Second value.]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitrefsps</id>
+        <label>Referrals Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Set how many referrals or delegations are allowed per second to a server for a given domain.<br/>The default is equal to the Responses Per Second value.]]></help>
+    </field>
+    <field>
+        <id>general.ratelimiterrsps</id>
+        <label>Errors Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Set how many errors are allowed per second for valid domain names and record types.<br/>The default is equal to the Responses Per Second value.]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitallps</id>
+        <label>All Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Set how many UDP responses of all types are allowed per second.<br/>If used, this should be set to 4 times the size of other per second limits.]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitslip</id>
+        <label>Slip</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set how many responses to "slip", reducing the use of forged source addresses in attacks. The default is 2.</help>
+    </field>
+    <field>
+        <id>general.ratelimitscale</id>
+        <label>QPS Scale</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Set the ratio by which to scale back the Responses Per Second value during attacks.<br/>The formula is (qps-scale/total-query-rate)*responses-per-second to produce the new value.]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitmaxtbl</id>
+        <label>Maximum Table Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the maximum number of table entries used to track requests and rate-limit responses. The default is 20,000.</help>
+    </field>
+    <field>
+        <id>general.ratelimitmintbl</id>
+        <label>Minimum Table Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the minimum number of table entries used to track requests and rate-limit responses. The default is 500.</help>
+    </field>
+    <field>
+        <id>general.ratelimittry</id>
+        <label>Trial Rate Limiting</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Enable to test rate-limiting parameters without actually dropping any requests.</help>
     </field>
     <field>
         <type>header</type>