[thirdparty/pdns.git] / pdns / dnsdistdist / dnsdist-discovery.cc

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#include "config.h"
#include "dnsdist-discovery.hh"
#include "dnsdist.hh"
#include "dnsdist-random.hh"
#include "dnsparser.hh"
#include "dolog.hh"
#include "sstuff.hh"

namespace dnsdist
{

const DNSName ServiceDiscovery::s_discoveryDomain{"_dns.resolver.arpa."};
const QType ServiceDiscovery::s_discoveryType{QType::SVCB};
const uint16_t ServiceDiscovery::s_defaultDoHSVCKey{7};

bool ServiceDiscovery::addUpgradeableServer(std::shared_ptr<DownstreamState>& server, uint32_t interval, std::string poolAfterUpgrade, uint16_t dohSVCKey, bool keepAfterUpgrade)
{
  s_upgradeableBackends.lock()->emplace_back(UpgradeableBackend{server, poolAfterUpgrade, 0, interval, dohSVCKey, keepAfterUpgrade});
  return true;
}

struct DesignatedResolvers
{
  DNSName target;
  std::set<SvcParam> params;
  std::vector<ComboAddress> hints;
};

static bool parseSVCParams(const PacketBuffer& answer, std::map<uint16_t, DesignatedResolvers>& resolvers)
{
  if (answer.size() <= sizeof(struct dnsheader)) {
    throw std::runtime_error("Looking for SVC records in a packet smaller than a DNS header");
  }

  std::map<DNSName, std::vector<ComboAddress>> hints;
  const struct dnsheader* dh = reinterpret_cast<const struct dnsheader*>(answer.data());
  PacketReader pr(pdns_string_view(reinterpret_cast<const char*>(answer.data()), answer.size()));
  uint16_t qdcount = ntohs(dh->qdcount);
  uint16_t ancount = ntohs(dh->ancount);
  uint16_t nscount = ntohs(dh->nscount);
  uint16_t arcount = ntohs(dh->arcount);

  DNSName rrname;
  uint16_t rrtype;
  uint16_t rrclass;

  size_t idx = 0;
  /* consume qd */
  for (; idx < qdcount; idx++) {
    rrname = pr.getName();
    rrtype = pr.get16BitInt();
    rrclass = pr.get16BitInt();
    (void)rrtype;
    (void)rrclass;
  }

  /* parse AN */
  for (idx = 0; idx < ancount; idx++) {
    string blob;
    struct dnsrecordheader ah;
    rrname = pr.getName();
    pr.getDnsrecordheader(ah);

    if (ah.d_type == QType::SVCB) {
      auto prio = pr.get16BitInt();
      auto target = pr.getName();
      std::set<SvcParam> params;

      if (prio != 0) {
        pr.xfrSvcParamKeyVals(params);
      }

      resolvers[prio] = {std::move(target), std::move(params), {}};
    }
    else {
      pr.xfrBlob(blob);
    }
  }

  /* parse NS */
  for (idx = 0; idx < nscount; idx++) {
    string blob;
    struct dnsrecordheader ah;
    rrname = pr.getName();
    pr.getDnsrecordheader(ah);

    pr.xfrBlob(blob);
  }

  /* parse additional for hints */
  for (idx = 0; idx < arcount; idx++) {
    string blob;
    struct dnsrecordheader ah;
    rrname = pr.getName();
    pr.getDnsrecordheader(ah);

    if (ah.d_type == QType::A) {
      ComboAddress addr;
      pr.xfrCAWithoutPort(4, addr);
      hints[rrname].push_back(addr);
    }
    else if (ah.d_type == QType::AAAA) {
      ComboAddress addr;
      pr.xfrCAWithoutPort(6, addr);
      hints[rrname].push_back(addr);
    }
    else {
      pr.xfrBlob(blob);
    }
  }

  for (auto& resolver : resolvers) {
    auto hint = hints.find(resolver.second.target);
    if (hint != hints.end()) {
      resolver.second.hints = hint->second;
    }
  }

  return !resolvers.empty();
}

static bool handleSVCResult(const PacketBuffer& answer, const ComboAddress& existingAddr, uint16_t dohSVCKey, ServiceDiscovery::DiscoveredResolverConfig& config)
{
  std::map<uint16_t, DesignatedResolvers> resolvers;
  if (!parseSVCParams(answer, resolvers)) {
    return false;
  }

  for (const auto& [priority, resolver] : resolvers) {
    /* do not compare the ports */
    std::set<ComboAddress, ComboAddress::addressOnlyLessThan> tentativeAddresses;
    ServiceDiscovery::DiscoveredResolverConfig tempConfig;
    tempConfig.d_addr.sin4.sin_family = 0;

    for (const auto& param : resolver.params) {
      if (param.getKey() == SvcParam::alpn) {
        auto alpns = param.getALPN();
        for (const auto& alpn : alpns) {
          if (alpn == "dot") {
            tempConfig.d_protocol = dnsdist::Protocol::DoT;
            if (tempConfig.d_port == 0) {
              tempConfig.d_port = 853;
            }
          }
          else if (alpn == "h2") {
            tempConfig.d_protocol = dnsdist::Protocol::DoH;
            if (tempConfig.d_port == 0) {
              tempConfig.d_port = 443;
            }
          }
        }
      }
      else if (param.getKey() == SvcParam::port) {
        tempConfig.d_port = param.getPort();
      }
      else if (param.getKey() == SvcParam::ipv4hint || param.getKey() == SvcParam::ipv6hint) {
        if (tempConfig.d_addr.sin4.sin_family == 0) {
          auto hints = param.getIPHints();
          for (const auto& hint : hints) {
            tentativeAddresses.insert(hint);
          }
        }
      }
      else if (dohSVCKey != 0 && param.getKey() == dohSVCKey) {
        tempConfig.d_dohPath = param.getValue();
        auto expression = tempConfig.d_dohPath.find('{');
        if (expression != std::string::npos) {
          /* nuke the {?dns} expression, if any, as we only support POST anyway */
          tempConfig.d_dohPath.resize(expression);
        }
      }
    }

    if (tempConfig.d_protocol == dnsdist::Protocol::DoH) {
#ifndef HAVE_DNS_OVER_HTTPS
      continue;
#endif
      if (tempConfig.d_dohPath.empty()) {
        continue;
      }
    }
    else if (tempConfig.d_protocol == dnsdist::Protocol::DoT) {
#ifndef HAVE_DNS_OVER_TLS
      continue;
#endif
    }
    else {
      continue;
    }

    /* we have a config that we can use! */

    for (const auto& hint : resolver.hints) {
      tentativeAddresses.insert(hint);
    }

    /* we prefer the address we already know, whenever possible */
    if (tentativeAddresses.count(existingAddr) != 0) {
      tempConfig.d_addr = existingAddr;
    }
    else {
      tempConfig.d_addr = *tentativeAddresses.begin();
    }

    tempConfig.d_subjectName = resolver.target.toStringNoDot();
    tempConfig.d_addr.sin4.sin_port = tempConfig.d_port;

    config = tempConfig;
    return true;
  }

  return false;
}

bool ServiceDiscovery::getDiscoveredConfig(const UpgradeableBackend& upgradeableBackend, ServiceDiscovery::DiscoveredResolverConfig& config)
{
  const auto& backend = upgradeableBackend.d_ds;
  const auto& addr = backend->d_config.remote;
  try {
    auto id = dnsdist::getRandomDNSID();
    PacketBuffer packet;
    GenericDNSPacketWriter pw(packet, s_discoveryDomain, s_discoveryType);
    pw.getHeader()->id = id;
    pw.getHeader()->rd = 1;
    pw.addOpt(4096, 0, 0);

    uint16_t querySize = static_cast<uint16_t>(packet.size());
    const uint8_t sizeBytes[] = {static_cast<uint8_t>(querySize / 256), static_cast<uint8_t>(querySize % 256)};
    packet.insert(packet.begin(), sizeBytes, sizeBytes + 2);

    Socket sock(addr.sin4.sin_family, SOCK_STREAM);
    sock.setNonBlocking();
    if (!IsAnyAddress(backend->d_config.sourceAddr)) {
      sock.setReuseAddr();
#ifdef IP_BIND_ADDRESS_NO_PORT
      if (backend->d_config.ipBindAddrNoPort) {
        SSetsockopt(sock.getHandle(), SOL_IP, IP_BIND_ADDRESS_NO_PORT, 1);
      }
#endif

      if (!backend->d_config.sourceItfName.empty()) {
#ifdef SO_BINDTODEVICE
        setsockopt(sock.getHandle(), SOL_SOCKET, SO_BINDTODEVICE, backend->d_config.sourceItfName.c_str(), backend->d_config.sourceItfName.length());
#endif
      }
      sock.bind(backend->d_config.sourceAddr);
    }
    sock.connect(addr, backend->d_config.tcpConnectTimeout);

    sock.writenWithTimeout(reinterpret_cast<const char*>(packet.data()), packet.size(), backend->d_config.tcpSendTimeout);

    uint16_t responseSize = 0;
    auto got = sock.readWithTimeout(reinterpret_cast<char*>(&responseSize), sizeof(responseSize), backend->d_config.tcpRecvTimeout);
    if (got < 0 || static_cast<size_t>(got) != sizeof(responseSize)) {
      if (g_verbose) {
        warnlog("Error while waiting for the ADD upgrade response from backend %s: %d", addr.toString(), got);
      }
      return false;
    }

    packet.resize(ntohs(responseSize));

    got = sock.readWithTimeout(reinterpret_cast<char*>(packet.data()), packet.size(), backend->d_config.tcpRecvTimeout);
    if (got < 0 || static_cast<size_t>(got) != packet.size()) {
      if (g_verbose) {
        warnlog("Error while waiting for the ADD upgrade response from backend %s: %d", addr.toString(), got);
      }
      return false;
    }

    if (packet.size() <= sizeof(struct dnsheader)) {
      if (g_verbose) {
        warnlog("Too short answer of size %d received from the backend %s", packet.size(), addr.toString());
      }
      return false;
    }

    struct dnsheader d;
    memcpy(&d, packet.data(), sizeof(d));
    if (d.id != id) {
      if (g_verbose) {
        warnlog("Invalid ID (%d / %d) received from the backend %s", d.id, id, addr.toString());
      }
      return false;
    }

    if (d.rcode != RCode::NoError) {
      if (g_verbose) {
        warnlog("Response code '%s' received from the backend %s for '%s'", RCode::to_s(d.rcode), addr.toString(), s_discoveryDomain);
      }

      return false;
    }

    if (ntohs(d.qdcount) != 1) {
      if (g_verbose) {
        warnlog("Invalid answer (qdcount %d) received from the backend %s", ntohs(d.qdcount), addr.toString());
      }
      return false;
    }

    uint16_t receivedType;
    uint16_t receivedClass;
    DNSName receivedName(reinterpret_cast<const char*>(packet.data()), packet.size(), sizeof(dnsheader), false, &receivedType, &receivedClass);

    if (receivedName != s_discoveryDomain || receivedType != s_discoveryType || receivedClass != QClass::IN) {
      if (g_verbose) {
        warnlog("Invalid answer, either the qname (%s / %s), qtype (%s / %s) or qclass (%s / %s) does not match, received from the backend %s", receivedName, s_discoveryDomain, QType(receivedType).toString(), s_discoveryType.toString(), QClass(receivedClass).toString(), QClass::IN.toString(), addr.toString());
      }
      return false;
    }

    return handleSVCResult(packet, addr, upgradeableBackend.d_dohKey, config);
  }
  catch (const std::exception& e) {
    errlog("Error while trying to discover backend upgrade for %s: %s", addr.toStringWithPort(), e.what());
  }
  catch (...) {
    errlog("Error while trying to discover backend upgrade for %s", addr.toStringWithPort());
  }

  return false;
}

bool ServiceDiscovery::tryToUpgradeBackend(const UpgradeableBackend& backend)
{
  ServiceDiscovery::DiscoveredResolverConfig discoveredConfig;

  if (!ServiceDiscovery::getDiscoveredConfig(backend, discoveredConfig)) {
    return false;
  }

  if (discoveredConfig.d_protocol != dnsdist::Protocol::DoT && discoveredConfig.d_protocol != dnsdist::Protocol::DoH) {
    return false;
  }

  DownstreamState::Config config(backend.d_ds->d_config);
  config.remote = discoveredConfig.d_addr;
  if (discoveredConfig.d_port != 0) {
    config.remote.setPort(discoveredConfig.d_port);
  }
  else {
    if (discoveredConfig.d_protocol == dnsdist::Protocol::DoT) {
      config.remote.setPort(853);
    }
    else if (discoveredConfig.d_protocol == dnsdist::Protocol::DoH) {
      config.remote.setPort(443);
    }
  }

  ComboAddress::addressOnlyEqual comparator;
  config.d_dohPath = discoveredConfig.d_dohPath;
  if (comparator(config.remote, backend.d_ds->d_config.remote)) {
    /* same address, we can used the supplied name for validation */
    config.d_tlsSubjectName = discoveredConfig.d_subjectName;
  }
  else {
    /* different name, and draft-ietf-add-ddr-04 states that:
       "In order to be considered a verified Designated Resolver, the TLS
       certificate presented by the Designated Resolver MUST contain the IP
       address of the designating Unencrypted Resolver in a subjectAltName
       extension."
    */
    config.d_tlsSubjectName = backend.d_ds->d_config.remote.toString();
  }

  if (!backend.d_poolAfterUpgrade.empty()) {
    config.pools.clear();
    config.pools.insert(backend.d_poolAfterUpgrade);
  }

  try {
    /* create new backend, put it into the right pool(s) */
    TLSContextParameters tlsParams;
    auto tlsCtx = getTLSContext(tlsParams);
    auto newServer = std::make_shared<DownstreamState>(std::move(config), std::move(tlsCtx), true);

    infolog("Added automatically upgraded server %s", newServer->getNameWithAddr());

    auto localPools = g_pools.getCopy();
    if (!newServer->d_config.pools.empty()) {
      for (const auto& poolName : newServer->d_config.pools) {
        addServerToPool(localPools, poolName, newServer);
      }
    }
    else {
      addServerToPool(localPools, "", newServer);
    }
    g_pools.setState(localPools);

    newServer->start();

    auto states = g_dstates.getCopy();
    states.push_back(newServer);
    /* remove the existing backend if needed */
    if (!backend.keepAfterUpgrade) {
      for (auto it = states.begin(); it != states.end(); ++it) {
        if (*it == backend.d_ds) {
          states.erase(it);
          break;
        }
      }
    }

    std::stable_sort(states.begin(), states.end(), [](const decltype(newServer)& a, const decltype(newServer)& b) {
      return a->d_config.order < b->d_config.order;
    });
    g_dstates.setState(states);

    return true;
  }
  catch (const std::exception& e) {
    warnlog("Error when trying to upgrade a discovered backend: %s", e.what());
  }

  return false;
}

void ServiceDiscovery::worker()
{
  while (true) {
    time_t now = time(nullptr);

    auto upgradeables = *(s_upgradeableBackends.lock());
    std::set<std::shared_ptr<DownstreamState>> upgradedBackends;

    for (auto backendIt = upgradeables.begin(); backendIt != upgradeables.end();) {
      try {
        auto& backend = *backendIt;
        if (backend.d_nextCheck > now) {
          ++backendIt;
          continue;
        }

        auto upgraded = tryToUpgradeBackend(backend);
        if (upgraded) {
          upgradedBackends.insert(backend.d_ds);
          backendIt = upgradeables.erase(backendIt);
        }
        else {
          backend.d_nextCheck = now + backend.d_interval;
          ++backendIt;
        }
      }
      catch (const std::exception& e) {
        vinfolog("Exception in the Service Discovery thread: %s", e.what());
      }
      catch (...) {
        vinfolog("Exception in the Service Discovery thread");
      }
    }

    {
      auto backends = s_upgradeableBackends.lock();
      for (auto it = backends->begin(); it != backends->end();) {
        if (upgradedBackends.count(it->d_ds) != 0) {
          it = backends->erase(it);
        }
        else {
          ++it;
        }
      }
    }

    /* we could sleep until the next check but a new backend
       could be added in the meantime, so let's just check every
       minute if we have something to do */
    sleep(60);
  }
}

bool ServiceDiscovery::run()
{
  s_thread = std::thread(&ServiceDiscovery::worker);
  s_thread.detach();

  return true;
}

LockGuarded<std::vector<ServiceDiscovery::UpgradeableBackend>> ServiceDiscovery::s_upgradeableBackends;
std::thread ServiceDiscovery::s_thread;
}
Commit	Line	Data
09708c45 RG	1	/*
	2	* This file is part of PowerDNS or dnsdist.
	3	* Copyright -- PowerDNS.COM B.V. and its contributors
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of version 2 of the GNU General Public License as
	7	* published by the Free Software Foundation.
	8	*
	9	* In addition, for the avoidance of any doubt, permission is granted to
	10	* link this program with OpenSSL and to (re)distribute the binaries
	11	* produced as the result of such linking.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	21	*/
	22
	23	#include "config.h"
	24	#include "dnsdist-discovery.hh"
	25	#include "dnsdist.hh"
	26	#include "dnsdist-random.hh"
	27	#include "dnsparser.hh"
	28	#include "dolog.hh"
	29	#include "sstuff.hh"
	30
f468a7fe RG	31	namespace dnsdist
f468a7fe RG	32	{
09708c45 RG	33
	34	const DNSName ServiceDiscovery::s_discoveryDomain{"_dns.resolver.arpa."};
	35	const QType ServiceDiscovery::s_discoveryType{QType::SVCB};
	36	const uint16_t ServiceDiscovery::s_defaultDoHSVCKey{7};
	37
	38	bool ServiceDiscovery::addUpgradeableServer(std::shared_ptr<DownstreamState>& server, uint32_t interval, std::string poolAfterUpgrade, uint16_t dohSVCKey, bool keepAfterUpgrade)
	39	{
	40	s_upgradeableBackends.lock()->emplace_back(UpgradeableBackend{server, poolAfterUpgrade, 0, interval, dohSVCKey, keepAfterUpgrade});
	41	return true;
	42	}
	43
	44	struct DesignatedResolvers
	45	{
	46	DNSName target;
	47	std::set<SvcParam> params;
	48	std::vector<ComboAddress> hints;
	49	};
	50
	51	static bool parseSVCParams(const PacketBuffer& answer, std::map<uint16_t, DesignatedResolvers>& resolvers)
	52	{
	53	if (answer.size() <= sizeof(struct dnsheader)) {
	54	throw std::runtime_error("Looking for SVC records in a packet smaller than a DNS header");
	55	}
	56
	57	std::map<DNSName, std::vector<ComboAddress>> hints;
	58	const struct dnsheader* dh = reinterpret_cast<const struct dnsheader*>(answer.data());
	59	PacketReader pr(pdns_string_view(reinterpret_cast<const char*>(answer.data()), answer.size()));
	60	uint16_t qdcount = ntohs(dh->qdcount);
	61	uint16_t ancount = ntohs(dh->ancount);
	62	uint16_t nscount = ntohs(dh->nscount);
	63	uint16_t arcount = ntohs(dh->arcount);
	64
	65	DNSName rrname;
	66	uint16_t rrtype;
	67	uint16_t rrclass;
	68
	69	size_t idx = 0;
	70	/* consume qd */
f468a7fe	71	for (; idx < qdcount; idx++) {
09708c45 RG	72	rrname = pr.getName();
	73	rrtype = pr.get16BitInt();
	74	rrclass = pr.get16BitInt();
f468a7fe RG	75	(void)rrtype;
f468a7fe RG	76	(void)rrclass;
09708c45 RG	77	}
	78
	79	/* parse AN */
	80	for (idx = 0; idx < ancount; idx++) {
	81	string blob;
	82	struct dnsrecordheader ah;
	83	rrname = pr.getName();
	84	pr.getDnsrecordheader(ah);
	85
	86	if (ah.d_type == QType::SVCB) {
	87	auto prio = pr.get16BitInt();
	88	auto target = pr.getName();
	89	std::set<SvcParam> params;
	90
	91	if (prio != 0) {
	92	pr.xfrSvcParamKeyVals(params);
	93	}
	94
f468a7fe	95	resolvers[prio] = {std::move(target), std::move(params), {}};
09708c45 RG	96	}
	97	else {
	98	pr.xfrBlob(blob);
	99	}
	100	}
	101
	102	/* parse NS */
	103	for (idx = 0; idx < nscount; idx++) {
	104	string blob;
	105	struct dnsrecordheader ah;
	106	rrname = pr.getName();
	107	pr.getDnsrecordheader(ah);
	108
	109	pr.xfrBlob(blob);
	110	}
	111
	112	/* parse additional for hints */
	113	for (idx = 0; idx < arcount; idx++) {
	114	string blob;
	115	struct dnsrecordheader ah;
	116	rrname = pr.getName();
	117	pr.getDnsrecordheader(ah);
	118
	119	if (ah.d_type == QType::A) {
	120	ComboAddress addr;
	121	pr.xfrCAWithoutPort(4, addr);
	122	hints[rrname].push_back(addr);
	123	}
	124	else if (ah.d_type == QType::AAAA) {
	125	ComboAddress addr;
	126	pr.xfrCAWithoutPort(6, addr);
	127	hints[rrname].push_back(addr);
	128	}
	129	else {
	130	pr.xfrBlob(blob);
	131	}
	132	}
	133
	134	for (auto& resolver : resolvers) {
	135	auto hint = hints.find(resolver.second.target);
	136	if (hint != hints.end()) {
	137	resolver.second.hints = hint->second;
	138	}
	139	}
	140
	141	return !resolvers.empty();
	142	}
	143
	144	static bool handleSVCResult(const PacketBuffer& answer, const ComboAddress& existingAddr, uint16_t dohSVCKey, ServiceDiscovery::DiscoveredResolverConfig& config)
	145	{
	146	std::map<uint16_t, DesignatedResolvers> resolvers;
	147	if (!parseSVCParams(answer, resolvers)) {
	148	return false;
	149	}
	150
	151	for (const auto& [priority, resolver] : resolvers) {
	152	/* do not compare the ports */
	153	std::set<ComboAddress, ComboAddress::addressOnlyLessThan> tentativeAddresses;
	154	ServiceDiscovery::DiscoveredResolverConfig tempConfig;
	155	tempConfig.d_addr.sin4.sin_family = 0;
	156
	157	for (const auto& param : resolver.params) {
	158	if (param.getKey() == SvcParam::alpn) {
	159	auto alpns = param.getALPN();
160	for (const auto& alpn : alpns) {
161	if (alpn == "dot") {
162	tempConfig.d_protocol = dnsdist::Protocol::DoT;
163	if (tempConfig.d_port == 0) {
164	tempConfig.d_port = 853;
165	}
166	}
167	else if (alpn == "h2") {
168	tempConfig.d_protocol = dnsdist::Protocol::DoH;
169	if (tempConfig.d_port == 0) {
170	tempConfig.d_port = 443;
171	}
172	}
173	}
174	}
175	else if (param.getKey() == SvcParam::port) {
176	tempConfig.d_port = param.getPort();
177	}
178	else if (param.getKey() == SvcParam::ipv4hint \|\| param.getKey() == SvcParam::ipv6hint) {
179	if (tempConfig.d_addr.sin4.sin_family == 0) {
180	auto hints = param.getIPHints();
181	for (const auto& hint : hints) {
182	tentativeAddresses.insert(hint);
183	}
184	}
185	}
186	else if (dohSVCKey != 0 && param.getKey() == dohSVCKey) {
187	tempConfig.d_dohPath = param.getValue();
188	auto expression = tempConfig.d_dohPath.find('{');
189	if (expression != std::string::npos) {
190	/* nuke the {?dns} expression, if any, as we only support POST anyway */
191	tempConfig.d_dohPath.resize(expression);
192	}
193	}
194	}
195
f468a7fe	196	if (tempConfig.d_protocol == dnsdist::Protocol::DoH) {
09708c45 RG	197	#ifndef HAVE_DNS_OVER_HTTPS
	198	continue;
	199	#endif
	200	if (tempConfig.d_dohPath.empty()) {
	201	continue;
	202	}
	203	}
	204	else if (tempConfig.d_protocol == dnsdist::Protocol::DoT) {
	205	#ifndef HAVE_DNS_OVER_TLS
	206	continue;
	207	#endif
	208	}
	209	else {
	210	continue;
	211	}
	212
	213	/* we have a config that we can use! */
	214
	215	for (const auto& hint : resolver.hints) {
	216	tentativeAddresses.insert(hint);
	217	}
	218
	219	/* we prefer the address we already know, whenever possible */
	220	if (tentativeAddresses.count(existingAddr) != 0) {
	221	tempConfig.d_addr = existingAddr;
	222	}
	223	else {
	224	tempConfig.d_addr = *tentativeAddresses.begin();
	225	}
	226
	227	tempConfig.d_subjectName = resolver.target.toStringNoDot();
	228	tempConfig.d_addr.sin4.sin_port = tempConfig.d_port;
	229
	230	config = tempConfig;
	231	return true;
	232	}
	233
	234	return false;
	235	}
	236
	237	bool ServiceDiscovery::getDiscoveredConfig(const UpgradeableBackend& upgradeableBackend, ServiceDiscovery::DiscoveredResolverConfig& config)
	238	{
	239	const auto& backend = upgradeableBackend.d_ds;
	240	const auto& addr = backend->d_config.remote;
	241	try {
	242	auto id = dnsdist::getRandomDNSID();
	243	PacketBuffer packet;
	244	GenericDNSPacketWriter pw(packet, s_discoveryDomain, s_discoveryType);
	245	pw.getHeader()->id = id;
	246	pw.getHeader()->rd = 1;
	247	pw.addOpt(4096, 0, 0);
	248
	249	uint16_t querySize = static_cast<uint16_t>(packet.size());
f468a7fe	250	const uint8_t sizeBytes[] = {static_cast<uint8_t>(querySize / 256), static_cast<uint8_t>(querySize % 256)};
09708c45 RG	251	packet.insert(packet.begin(), sizeBytes, sizeBytes + 2);
	252
	253	Socket sock(addr.sin4.sin_family, SOCK_STREAM);
	254	sock.setNonBlocking();
	255	if (!IsAnyAddress(backend->d_config.sourceAddr)) {
	256	sock.setReuseAddr();
	257	#ifdef IP_BIND_ADDRESS_NO_PORT
	258	if (backend->d_config.ipBindAddrNoPort) {
	259	SSetsockopt(sock.getHandle(), SOL_IP, IP_BIND_ADDRESS_NO_PORT, 1);
	260	}
	261	#endif
	262
	263	if (!backend->d_config.sourceItfName.empty()) {
	264	#ifdef SO_BINDTODEVICE
	265	setsockopt(sock.getHandle(), SOL_SOCKET, SO_BINDTODEVICE, backend->d_config.sourceItfName.c_str(), backend->d_config.sourceItfName.length());
	266	#endif
	267	}
	268	sock.bind(backend->d_config.sourceAddr);
	269	}
	270	sock.connect(addr, backend->d_config.tcpConnectTimeout);
	271
	272	sock.writenWithTimeout(reinterpret_cast<const char*>(packet.data()), packet.size(), backend->d_config.tcpSendTimeout);
	273
	274	uint16_t responseSize = 0;
	275	auto got = sock.readWithTimeout(reinterpret_cast<char*>(&responseSize), sizeof(responseSize), backend->d_config.tcpRecvTimeout);
	276	if (got < 0 \|\| static_cast<size_t>(got) != sizeof(responseSize)) {
	277	if (g_verbose) {
	278	warnlog("Error while waiting for the ADD upgrade response from backend %s: %d", addr.toString(), got);
	279	}
	280	return false;
	281	}
	282
	283	packet.resize(ntohs(responseSize));
	284
f468a7fe	285	got = sock.readWithTimeout(reinterpret_cast<char*>(packet.data()), packet.size(), backend->d_config.tcpRecvTimeout);
09708c45 RG	286	if (got < 0 \|\| static_cast<size_t>(got) != packet.size()) {
	287	if (g_verbose) {
	288	warnlog("Error while waiting for the ADD upgrade response from backend %s: %d", addr.toString(), got);
	289	}
	290	return false;
	291	}
	292
	293	if (packet.size() <= sizeof(struct dnsheader)) {
	294	if (g_verbose) {
	295	warnlog("Too short answer of size %d received from the backend %s", packet.size(), addr.toString());
	296	}
	297	return false;
	298	}
	299
	300	struct dnsheader d;
	301	memcpy(&d, packet.data(), sizeof(d));
	302	if (d.id != id) {
	303	if (g_verbose) {
	304	warnlog("Invalid ID (%d / %d) received from the backend %s", d.id, id, addr.toString());
	305	}
	306	return false;
	307	}
	308
	309	if (d.rcode != RCode::NoError) {
	310	if (g_verbose) {
	311	warnlog("Response code '%s' received from the backend %s for '%s'", RCode::to_s(d.rcode), addr.toString(), s_discoveryDomain);
	312	}
	313
	314	return false;
	315	}
	316
	317	if (ntohs(d.qdcount) != 1) {
	318	if (g_verbose) {
	319	warnlog("Invalid answer (qdcount %d) received from the backend %s", ntohs(d.qdcount), addr.toString());
	320	}
	321	return false;
	322	}
	323
	324	uint16_t receivedType;
	325	uint16_t receivedClass;
	326	DNSName receivedName(reinterpret_cast<const char*>(packet.data()), packet.size(), sizeof(dnsheader), false, &receivedType, &receivedClass);
	327
	328	if (receivedName != s_discoveryDomain \|\| receivedType != s_discoveryType \|\| receivedClass != QClass::IN) {
	329	if (g_verbose) {
	330	warnlog("Invalid answer, either the qname (%s / %s), qtype (%s / %s) or qclass (%s / %s) does not match, received from the backend %s", receivedName, s_discoveryDomain, QType(receivedType).toString(), s_discoveryType.toString(), QClass(receivedClass).toString(), QClass::IN.toString(), addr.toString());
	331	}
	332	return false;
	333	}
	334
	335	return handleSVCResult(packet, addr, upgradeableBackend.d_dohKey, config);
	336	}
	337	catch (const std::exception& e) {
	338	errlog("Error while trying to discover backend upgrade for %s: %s", addr.toStringWithPort(), e.what());
	339	}
	340	catch (...) {
	341	errlog("Error while trying to discover backend upgrade for %s", addr.toStringWithPort());
	342	}
	343
	344	return false;
	345	}
	346
	347	bool ServiceDiscovery::tryToUpgradeBackend(const UpgradeableBackend& backend)
	348	{
	349	ServiceDiscovery::DiscoveredResolverConfig discoveredConfig;
350
351	if (!ServiceDiscovery::getDiscoveredConfig(backend, discoveredConfig)) {
352	return false;
353	}
354
355	if (discoveredConfig.d_protocol != dnsdist::Protocol::DoT && discoveredConfig.d_protocol != dnsdist::Protocol::DoH) {
356	return false;
357	}
358
359	DownstreamState::Config config(backend.d_ds->d_config);
360	config.remote = discoveredConfig.d_addr;
361	if (discoveredConfig.d_port != 0) {
362	config.remote.setPort(discoveredConfig.d_port);
363	}
364	else {
365	if (discoveredConfig.d_protocol == dnsdist::Protocol::DoT) {
366	config.remote.setPort(853);
367	}
368	else if (discoveredConfig.d_protocol == dnsdist::Protocol::DoH) {
369	config.remote.setPort(443);
370	}
371	}
372
373	ComboAddress::addressOnlyEqual comparator;
374	config.d_dohPath = discoveredConfig.d_dohPath;
375	if (comparator(config.remote, backend.d_ds->d_config.remote)) {
376	/* same address, we can used the supplied name for validation */
377	config.d_tlsSubjectName = discoveredConfig.d_subjectName;
378	}
379	else {
380	/* different name, and draft-ietf-add-ddr-04 states that:
381	"In order to be considered a verified Designated Resolver, the TLS
382	certificate presented by the Designated Resolver MUST contain the IP
383	address of the designating Unencrypted Resolver in a subjectAltName
384	extension."
385	*/
386	config.d_tlsSubjectName = backend.d_ds->d_config.remote.toString();
387	}
388
389	if (!backend.d_poolAfterUpgrade.empty()) {
390	config.pools.clear();
391	config.pools.insert(backend.d_poolAfterUpgrade);
392	}
393
394	try {
395	/* create new backend, put it into the right pool(s) */
396	TLSContextParameters tlsParams;
397	auto tlsCtx = getTLSContext(tlsParams);
398	auto newServer = std::make_shared<DownstreamState>(std::move(config), std::move(tlsCtx), true);
399
400	infolog("Added automatically upgraded server %s", newServer->getNameWithAddr());
401
402	auto localPools = g_pools.getCopy();
403	if (!newServer->d_config.pools.empty()) {
404	for (const auto& poolName : newServer->d_config.pools) {
405	addServerToPool(localPools, poolName, newServer);
406	}
407	}
408	else {
409	addServerToPool(localPools, "", newServer);
410	}
411	g_pools.setState(localPools);
412
413	newServer->start();
414
415	auto states = g_dstates.getCopy();
416	states.push_back(newServer);
417	/* remove the existing backend if needed */
418	if (!backend.keepAfterUpgrade) {
419	for (auto it = states.begin(); it != states.end(); ++it) {
420	if (*it == backend.d_ds) {
421	states.erase(it);
422	break;
423	}
424	}
425	}
426
427	std::stable_sort(states.begin(), states.end(), [](const decltype(newServer)& a, const decltype(newServer)& b) {
428	return a->d_config.order < b->d_config.order;
429	});
430	g_dstates.setState(states);
431
432	return true;
433	}
434	catch (const std::exception& e) {
435	warnlog("Error when trying to upgrade a discovered backend: %s", e.what());
436	}
437
438	return false;
439	}
440
441	void ServiceDiscovery::worker()
442	{
443	while (true) {
444	time_t now = time(nullptr);
445
446	auto upgradeables = *(s_upgradeableBackends.lock());
447	std::set<std::shared_ptr<DownstreamState>> upgradedBackends;
448
f468a7fe	449	for (auto backendIt = upgradeables.begin(); backendIt != upgradeables.end();) {
09708c45 RG	450	try {
	451	auto& backend = *backendIt;
	452	if (backend.d_nextCheck > now) {
	453	++backendIt;
	454	continue;
	455	}
	456
	457	auto upgraded = tryToUpgradeBackend(backend);
	458	if (upgraded) {
	459	upgradedBackends.insert(backend.d_ds);
	460	backendIt = upgradeables.erase(backendIt);
	461	}
	462	else {
	463	backend.d_nextCheck = now + backend.d_interval;
	464	++backendIt;
	465	}
	466	}
	467	catch (const std::exception& e) {
	468	vinfolog("Exception in the Service Discovery thread: %s", e.what());
	469	}
	470	catch (...) {
	471	vinfolog("Exception in the Service Discovery thread");
	472	}
	473	}
	474
09708c45 RG	475	{
09708c45 RG	476	auto backends = s_upgradeableBackends.lock();
f468a7fe	477	for (auto it = backends->begin(); it != backends->end();) {
09708c45 RG	478	if (upgradedBackends.count(it->d_ds) != 0) {
	479	it = backends->erase(it);
	480	}
	481	else {
	482	++it;
	483	}
	484	}
	485	}
	486
	487	/* we could sleep until the next check but a new backend
	488	could be added in the meantime, so let's just check every
	489	minute if we have something to do */
	490	sleep(60);
	491	}
	492	}
	493
	494	bool ServiceDiscovery::run()
	495	{
	496	s_thread = std::thread(&ServiceDiscovery::worker);
	497	s_thread.detach();
	498
	499	return true;
	500	}
	501
	502	LockGuarded<std::vector<ServiceDiscovery::UpgradeableBackend>> ServiceDiscovery::s_upgradeableBackends;
	503	std::thread ServiceDiscovery::s_thread;
	504	}