1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
-- SPDX-License-Identifier: GPL-3.0-or-later
local basexx = require('basexx')
local ffi = require('ffi')
local condition = require('cqueues.condition')
local function get_http_ttl(pkt)
local an_records = pkt:section(kres.section.ANSWER)
local is_negative = #an_records <= 0
return ffi.C.packet_ttl(pkt, is_negative)
end
-- Trace execution of DNS queries
local function serve_doh(h, stream)
local input
local method = h:get(':method')
if method == 'POST' then
input = stream:get_body_chars(1025, 2) -- read timeout = KR_CONN_RTT_MAX
elseif method == 'GET' then
local input_b64 = string.match(h:get(':path'), '^/[^?]*%?dns=([a-zA-Z0-9_-]+)$') or
string.match(h:get(':path'), '^/[^?]*%?dns=([a-zA-Z0-9_-]+)&') or
string.match(h:get(':path'), '^/[^?]*%?.*&dns=([a-zA-Z0-9_-]+)$') or
string.match(h:get(':path'), '^/[^?]*%?.*&dns=([a-zA-Z0-9_-]+)&')
if not input_b64 then
return 400, 'base64url query not found'
end
if #input_b64 > 1368 then -- base64url encode 1024
return 414, 'query parameter in URI too long'
end
input = basexx.from_url64(input_b64)
if not input then
return 400, 'invalid base64url'
end
else
return 405, 'only HTTP POST and GET are supported'
end
if not input or #input < 12 then
return 400, 'input too short'
elseif #input > 1024 then
return 413, 'input too long'
end
local content_type = h:get('content-type') or 'application/dns-message'
if content_type ~= 'application/dns-message' then
return 415, 'only Content-Type: application/dns-message is supported'
end
-- RFC 8484 section-4.1 allows us to ignore Accept header
-- local accept = h:get('accept') or 'application/dns-message'
-- if accept ~= 'application/dns-message' then
-- return 406, 'only Accept: application/dns-message is supported'
-- end
-- We get these values beforehand, because it's easier to handle errors now.
local _, peer_addr, peer_port = stream:peername()
local _, dst_addr, dst_port = stream:localname()
if not (peer_addr and peer_port and dst_addr and dst_port) then
-- The connection probably died in the meantime or something.
return 504, 'failed to determine your address'
end
-- Output buffer
local output
local output_ttl
-- Wait for the result of the query
-- Note: We can't do non-blocking write to stream directly from resolve callbacks
-- because they don't run inside cqueue.
local cond = condition.new()
local waiting, done = false, false
local finish_cb = function (answer, _)
output_ttl = get_http_ttl(answer)
-- binary output
output = ffi.string(answer.wire, answer.size)
if waiting then
cond:signal()
end
done = true
end
-- convert query to knot_pkt_t
local wire = ffi.cast("void *", input)
local pkt = ffi.gc(ffi.C.knot_pkt_new(wire, #input, nil), ffi.C.knot_pkt_free)
if not pkt then
return 500, 'internal server error'
end
local result = ffi.C.knot_pkt_parse(pkt, 0)
if result ~= 0 then
return 400, 'unparseable DNS message'
end
-- set source address so filters can work
local function init_cb(req)
req.qsource.addr = ffi.C.kr_straddr_socket(peer_addr, peer_port, req.pool)
req.qsource.dst_addr = ffi.C.kr_straddr_socket(dst_addr, dst_port, req.pool)
assert(req.qsource.addr ~= nil and req.qsource.dst_addr ~= nil)
req.qsource.flags.tcp = true
req.qsource.flags.tls = (stream.connection:checktls() ~= nil)
req.qsource.flags.http = true
end
-- resolve query
worker.resolve_pkt(pkt, {}, finish_cb, init_cb)
if not done then
waiting = true
cond:wait()
end
-- Return buffered data
if not done then
return 504, 'huh?' -- FIXME
end
return output, nil, 'application/dns-message', output_ttl
end
-- Export endpoints
return {
endpoints = {
['/doh'] = {'text/plain', serve_doh, nil, nil, true},
['/dns-query'] = {'text/plain', serve_doh, nil, nil, true},
}
}
|
