Add network selection for dns01

Author: jsumners

challenge/dns01/nameserver.go

@@ -26,6 +26,10 @@ var defaultNameservers = []string{
 // recursiveNameservers are used to pre-check DNS propagation.
 var recursiveNameservers = getNameservers(defaultResolvConf, defaultNameservers)
 
+// networkStack is used to define which IP stack will be used. The default is
+// both IPv4 and IPv6. Set to "ipv4" for IPv4 only, and "ipv6" for IPv6 only.
+var networkStack = "both"
+
 // soaCacheEntry holds a cached SOA record (only selected fields).
 type soaCacheEntry struct {
 	zone      string    // zone apex (a domain name)
@@ -67,6 +71,16 @@ func AddRecursiveNameservers(nameservers []string) ChallengeOption {
 	}
 }
 
+// SetNetworkStack defines the IP stack that will be used for DNS queries.
+// Accepts "both", "ipv4", or "ipv6".
+func SetNetworkStack(network string) {
+	if network == "ipv4" || network == "ipv6" {
+		networkStack = network
+	} else {
+		networkStack = "both"
+	}
+}
+
 // getNameservers attempts to get systems nameservers before falling back to the defaults.
 func getNameservers(path string, defaults []string) []string {
 	config, err := dns.ClientConfigFromFile(path)
@@ -249,12 +263,30 @@ func createDNSMsg(fqdn string, rtype uint16, recursive bool) *dns.Msg {
 	return m
 }
 
+// getNetwork interprets the networkStack setting in relation to the desired
+// protocol. The proto value should be either "udp" or "tcp".
+func getNetwork(proto string) string {
+	// The dns client passes whatever value is set in [dns.Client.Net] to
+	// the [net.Dialer] (https://github.com/miekg/dns/blob/fe20d5d/client.go#L119-L141).
+	// And the [net.Dialer] accepts strings such as "udp4" or "tcp6"
+	// (https://cs.opensource.google/go/go/+/refs/tags/go1.18.9:src/net/dial.go;l=167-182).
+	if networkStack == "ipv4" {
+		return proto + "4"
+	}
+	if networkStack == "ipv6" {
+		return proto + "6"
+	}
+	return proto
+}
+
 func sendDNSQuery(m *dns.Msg, ns string) (*dns.Msg, error) {
-	udp := &dns.Client{Net: "udp", Timeout: dnsTimeout}
+	network := getNetwork("udp")
+	udp := &dns.Client{Net: network, Timeout: dnsTimeout}
 	in, _, err := udp.Exchange(m, ns)
 
+	network = getNetwork("tcp")
 	if in != nil && in.Truncated {
-		tcp := &dns.Client{Net: "tcp", Timeout: dnsTimeout}
+		tcp := &dns.Client{Net: network, Timeout: dnsTimeout}
 		// If the TCP request succeeds, the err will reset to nil
 		in, _, err = tcp.Exchange(m, ns)
 	}

cmd/flags.go

@@ -8,6 +8,16 @@ import (
 
 func CreateFlags(defaultPath string) []cli.Flag {
 	return []cli.Flag{
+		&cli.BoolFlag{
+			Name: "ipv4only",
+			Aliases: []string{"4"},
+			Usage: "Use IPv4 only. This flag is ignored if ipv6only is also specified.",
+		},
+		&cli.BoolFlag{
+			Name: "ipv6only",
+			Aliases: []string{"6"},
+			Usage: "Use IPv6 only. This flag is ignored if ipv4only is also specified.",
+		},
 		&cli.StringSliceFlag{
 			Name:    "domains",
 			Aliases: []string{"d"},

cmd/setup_challenges.go

@@ -111,6 +111,16 @@ func setupDNS(ctx *cli.Context, client *lego.Client) {
 		log.Fatal(err)
 	}
 
+	if ctx.IsSet("ipv4only") && ctx.IsSet("ipv6only") {
+		// If both flags are set then it's as good as not providing either flag,
+		// so we default to the OS choice.
+		dns01.SetNetworkStack("both")
+	} else if ctx.IsSet("ipv4only") {
+		dns01.SetNetworkStack("ipv4")
+	} else if ctx.IsSet("ipv6only") {
+		dns01.SetNetworkStack("ipv6")
+	}
+
 	servers := ctx.StringSlice("dns.resolvers")
 	err = client.Challenge.SetDNS01Provider(provider,
 		dns01.CondOption(len(servers) > 0,