The sub-domains are matched using wildcard domain rule, but this rule
won't match top level domain, causing requests are forwarded to ControlD
upstreams.
To fix this, add the split route for top level domain explicitly.
With new leaking queries features, the initialization of OS resolver can
now lead to data race if queries are resolving while re-initialization
happens.
To fix it, using an atomic pointer to store list of nameservers which
were initialized, making read/write to the list concurrently safe.
So it would work in more general case than just captive portal network,
which ctrld have supported recently.
Uses who may want no leaking behavior can use a config to turn off this
feature.
So it can be run regardless of ctrld current status. This prevents a
racy behavior when reset DNS task restores DNS settings of the system,
but current running ctrld process may revert it immediately.
For query domain that matches "uid.verify.controld.com" in cd mode, and
the uid has the same value with "--cd" flag, ctrld will fetch uid config
from ControlD API, using this config if valid.
This is useful for force syncing API without waiting until the API
reload ticker fire.
ControlD have global list of known captive portals that user can augment
with proper setup. However, this requires manual actions, and involving
restart ctrld for taking effects.
By allowing ctrld "leaks" DNS queries to OS resolver, this process
becomes automatically, the captive portal could intercept these queries,
and as long as it was passed, ctrld will resume normal operation.
Using netsh command will emit unexpected SOA queries, do not use it.
While at it, also ensure that local ipv6 will be added to nameservers
list on systems that require ipv6 local listener.
There are several issues with OS resolver right now:
- The list of nameservers are obtained un-conditionally from all
running interfaces.
- ControlD public DNS query is always be used if response ok.
This could lead to slow query time, and also incorrect result if a
domain is resolved differently between internal DNS and ControlD public
DNS.
To fix these problems:
- While initializing OS resolver, sending a test query to the
nameserver to ensure it will response. Unreachable nameserver will
not be used.
- Only use ControlD public DNS success response as last one, preferring
ok response from internal DNS servers.
While at it, also using standard package slices, since ctrld now
requires go1.21 as the minimum version.
