2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "ext/luawrapper/include/LuaContext.hpp"
32 #include <unordered_map>
34 #include <boost/variant.hpp>
36 #include "capabilities.hh"
37 #include "circular_buffer.hh"
38 #include "dnscrypt.hh"
39 #include "dnsdist-cache.hh"
40 #include "dnsdist-dynbpf.hh"
41 #include "dnsdist-lbpolicies.hh"
44 #include "ednsoptions.hh"
50 #include "tcpiohandler.hh"
51 #include "uuid-utils.hh"
52 #include "proxy-protocol.hh"
54 void carbonDumpThread();
55 uint64_t uptimeOfProcess(const std::string& str);
57 extern uint16_t g_ECSSourcePrefixV4;
58 extern uint16_t g_ECSSourcePrefixV6;
59 extern bool g_ECSOverride;
61 typedef std::unordered_map<string, string> QTag;
65 DNSQuestion(const DNSName* name, uint16_t type, uint16_t class_, unsigned int consumed_, const ComboAddress* lc, const ComboAddress* rem, struct dnsheader* header, size_t bufferSize, uint16_t queryLen, bool isTcp, const struct timespec* queryTime_):
66 qname(name), local(lc), remote(rem), dh(header), queryTime(queryTime_), size(bufferSize), consumed(consumed_), tempFailureTTL(boost::none), qtype(type), qclass(class_), len(queryLen), ecsPrefixLength(rem->sin4.sin_family == AF_INET ? g_ECSSourcePrefixV4 : g_ECSSourcePrefixV6), tcp(isTcp), ecsOverride(g_ECSOverride) {
67 const uint16_t* flags = getFlagsFromDNSHeader(dh);
70 DNSQuestion(const DNSQuestion&) = delete;
71 DNSQuestion& operator=(const DNSQuestion&) = delete;
72 DNSQuestion(DNSQuestion&&) = default;
74 std::string getTrailingData() const;
75 bool setTrailingData(const std::string&);
78 boost::optional<boost::uuids::uuid> uniqueId;
81 boost::optional<Netmask> subnet;
82 std::string sni; /* Server Name Indication, if any (DoT or DoH) */
84 const DNSName* qname{nullptr};
85 const ComboAddress* local{nullptr};
86 const ComboAddress* remote{nullptr};
87 std::shared_ptr<QTag> qTag{nullptr};
88 std::unique_ptr<std::vector<ProxyProtocolValue>> proxyProtocolValues{nullptr};
89 std::shared_ptr<std::map<uint16_t, EDNSOptionView> > ednsOptions;
90 std::shared_ptr<DNSCryptQuery> dnsCryptQuery{nullptr};
91 std::shared_ptr<DNSDistPacketCache> packetCache{nullptr};
92 struct dnsheader* dh{nullptr};
93 const struct timespec* queryTime{nullptr};
94 struct DOHUnit* du{nullptr};
96 unsigned int consumed{0};
98 boost::optional<uint32_t> tempFailureTTL;
99 uint32_t cacheKeyNoECS;
101 const uint16_t qtype;
102 const uint16_t qclass;
104 uint16_t ecsPrefixLength;
106 uint8_t ednsRCode{0};
108 bool skipCache{false};
112 bool addProxyProtocol{true};
114 bool ecsAdded{false};
115 bool ednsAdded{false};
116 bool useZeroScope{false};
117 bool dnssecOK{false};
120 struct DNSResponse : DNSQuestion
122 DNSResponse(const DNSName* name, uint16_t type, uint16_t class_, unsigned int consumed_, const ComboAddress* lc, const ComboAddress* rem, struct dnsheader* header, size_t bufferSize, uint16_t responseLen, bool isTcp, const struct timespec* queryTime_):
123 DNSQuestion(name, type, class_, consumed_, lc, rem, header, bufferSize, responseLen, isTcp, queryTime_) { }
124 DNSResponse(const DNSResponse&) = delete;
125 DNSResponse& operator=(const DNSResponse&) = delete;
126 DNSResponse(DNSResponse&&) = default;
129 /* so what could you do:
132 provide actual answer,
133 allow & and stop processing,
135 modify header: (servfail|refused|notimp), set TC=1,
141 enum class Action { Drop, Nxdomain, Refused, Spoof, Allow, HeaderModify, Pool, Delay, Truncate, ServFail, None, NoOp, NoRecurse, SpoofRaw };
142 static std::string typeToString(const Action& action)
147 case Action::Nxdomain:
148 return "Send NXDomain";
149 case Action::Refused:
150 return "Send Refused";
152 return "Spoof an answer";
153 case Action::SpoofRaw:
154 return "Spoof an answer from raw bytes";
157 case Action::HeaderModify:
158 return "Modify the header";
160 return "Route to a pool";
163 case Action::Truncate:
164 return "Truncate over UDP";
165 case Action::ServFail:
166 return "Send ServFail";
170 case Action::NoRecurse:
177 virtual Action operator()(DNSQuestion*, string* ruleresult) const =0;
181 virtual string toString() const = 0;
182 virtual std::map<string, double> getStats() const
188 class DNSResponseAction
191 enum class Action { Allow, Delay, Drop, HeaderModify, ServFail, None };
192 virtual Action operator()(DNSResponse*, string* ruleresult) const =0;
193 virtual ~DNSResponseAction()
196 virtual string toString() const = 0;
201 DynBlock(): action(DNSAction::Action::None), warning(false)
205 DynBlock(const std::string& reason_, const struct timespec& until_, const DNSName& domain_, DNSAction::Action action_): reason(reason_), until(until_), domain(domain_), action(action_), warning(false)
209 DynBlock(const DynBlock& rhs): reason(rhs.reason), until(rhs.until), domain(rhs.domain), action(rhs.action), warning(rhs.warning)
211 blocks.store(rhs.blocks);
214 DynBlock& operator=(const DynBlock& rhs)
220 blocks.store(rhs.blocks);
226 struct timespec until;
228 DNSAction::Action action;
229 mutable std::atomic<unsigned int> blocks;
233 extern GlobalStateHolder<NetmaskTree<DynBlock>> g_dynblockNMG;
235 extern vector<pair<struct timeval, std::string> > g_confDelta;
237 extern uint64_t getLatencyCount(const std::string&);
241 using stat_t=std::atomic<uint64_t>; // aww yiss ;-)
243 stat_t servfailResponses{0};
245 stat_t frontendNXDomain{0};
246 stat_t frontendServFail{0};
247 stat_t frontendNoError{0};
248 stat_t nonCompliantQueries{0};
249 stat_t nonCompliantResponses{0};
251 stat_t emptyQueries{0};
253 stat_t dynBlocked{0};
255 stat_t ruleNXDomain{0};
256 stat_t ruleRefused{0};
257 stat_t ruleServFail{0};
258 stat_t selfAnswered{0};
259 stat_t downstreamTimeouts{0};
260 stat_t downstreamSendErrors{0};
264 stat_t cacheMisses{0};
265 stat_t latency0_1{0}, latency1_10{0}, latency10_50{0}, latency50_100{0}, latency100_1000{0}, latencySlow{0}, latencySum{0};
266 stat_t securityStatus{0};
268 double latencyAvg100{0}, latencyAvg1000{0}, latencyAvg10000{0}, latencyAvg1000000{0};
269 typedef std::function<uint64_t(const std::string&)> statfunction_t;
270 typedef boost::variant<stat_t*, double*, statfunction_t> entry_t;
271 std::vector<std::pair<std::string, entry_t>> entries{
272 {"responses", &responses},
273 {"servfail-responses", &servfailResponses},
274 {"queries", &queries},
275 {"frontend-nxdomain", &frontendNXDomain},
276 {"frontend-servfail", &frontendServFail},
277 {"frontend-noerror", &frontendNoError},
278 {"acl-drops", &aclDrops},
279 {"rule-drop", &ruleDrop},
280 {"rule-nxdomain", &ruleNXDomain},
281 {"rule-refused", &ruleRefused},
282 {"rule-servfail", &ruleServFail},
283 {"self-answered", &selfAnswered},
284 {"downstream-timeouts", &downstreamTimeouts},
285 {"downstream-send-errors", &downstreamSendErrors},
286 {"trunc-failures", &truncFail},
287 {"no-policy", &noPolicy},
288 {"latency0-1", &latency0_1},
289 {"latency1-10", &latency1_10},
290 {"latency10-50", &latency10_50},
291 {"latency50-100", &latency50_100},
292 {"latency100-1000", &latency100_1000},
293 {"latency-slow", &latencySlow},
294 {"latency-avg100", &latencyAvg100},
295 {"latency-avg1000", &latencyAvg1000},
296 {"latency-avg10000", &latencyAvg10000},
297 {"latency-avg1000000", &latencyAvg1000000},
298 {"uptime", uptimeOfProcess},
299 {"real-memory-usage", getRealMemoryUsage},
300 {"special-memory-usage", getSpecialMemoryUsage},
301 {"udp-in-errors", boost::bind(udpErrorStats, "udp-in-errors")},
302 {"udp-noport-errors", boost::bind(udpErrorStats, "udp-noport-errors")},
303 {"udp-recvbuf-errors", boost::bind(udpErrorStats, "udp-recvbuf-errors")},
304 {"udp-sndbuf-errors", boost::bind(udpErrorStats, "udp-sndbuf-errors")},
305 {"noncompliant-queries", &nonCompliantQueries},
306 {"noncompliant-responses", &nonCompliantResponses},
307 {"rdqueries", &rdQueries},
308 {"empty-queries", &emptyQueries},
309 {"cache-hits", &cacheHits},
310 {"cache-misses", &cacheMisses},
311 {"cpu-iowait", getCPUIOWait},
312 {"cpu-steal", getCPUSteal},
313 {"cpu-sys-msec", getCPUTimeSystem},
314 {"cpu-user-msec", getCPUTimeUser},
315 {"fd-usage", getOpenFileDescriptors},
316 {"dyn-blocked", &dynBlocked},
317 {"dyn-block-nmg-size", [](const std::string&) { return g_dynblockNMG.getLocal()->size(); }},
318 {"security-status", &securityStatus},
320 {"latency-sum", &latencySum},
321 {"latency-count", getLatencyCount},
325 extern struct DNSDistStats g_stats;
326 void doLatencyStats(double udiff);
331 StopWatch(bool realTime=false): d_needRealTime(realTime)
334 struct timespec d_start{0,0};
335 bool d_needRealTime{false};
338 if(gettime(&d_start, d_needRealTime) < 0)
339 unixDie("Getting timestamp");
343 void set(const struct timespec& from) {
347 double udiff() const {
349 if(gettime(&now, d_needRealTime) < 0)
350 unixDie("Getting timestamp");
352 return 1000000.0*(now.tv_sec - d_start.tv_sec) + (now.tv_nsec - d_start.tv_nsec)/1000.0;
355 double udiffAndSet() {
357 if(gettime(&now, d_needRealTime) < 0)
358 unixDie("Getting timestamp");
360 auto ret= 1000000.0*(now.tv_sec - d_start.tv_sec) + (now.tv_nsec - d_start.tv_nsec)/1000.0;
367 class BasicQPSLimiter
374 BasicQPSLimiter(unsigned int burst): d_tokens(burst)
379 bool check(unsigned int rate, unsigned int burst) const // this is not quite fair
381 auto delta = d_prev.udiffAndSet();
383 if(delta > 0.0) // time, frequently, does go backwards..
384 d_tokens += 1.0 * rate * (delta/1000000.0);
386 if(d_tokens > burst) {
391 if(d_tokens >= 1.0) { // we need this because burst=1 is weird otherwise
399 bool seenSince(const struct timespec& cutOff) const
401 return cutOff < d_prev.d_start;
405 mutable StopWatch d_prev;
406 mutable double d_tokens;
409 class QPSLimiter : public BasicQPSLimiter
412 QPSLimiter(): BasicQPSLimiter()
416 QPSLimiter(unsigned int rate, unsigned int burst): BasicQPSLimiter(burst), d_rate(rate), d_burst(burst), d_passthrough(false)
421 unsigned int getRate() const
423 return d_passthrough ? 0 : d_rate;
426 int getPassed() const
431 int getBlocked() const
436 bool check() const // this is not quite fair
442 bool ret = BasicQPSLimiter::check(d_rate, d_burst);
453 mutable unsigned int d_passed{0};
454 mutable unsigned int d_blocked{0};
456 unsigned int d_burst;
457 bool d_passthrough{true};
464 IDState(): sentTime(true), delayMsec(0), tempFailureTTL(boost::none) { origDest.sin4.sin_family = 0;}
465 IDState(const IDState& orig): origRemote(orig.origRemote), origDest(orig.origDest), age(orig.age)
467 usageIndicator.store(orig.usageIndicator.load());
468 origFD = orig.origFD;
469 origID = orig.origID;
470 delayMsec = orig.delayMsec;
471 tempFailureTTL = orig.tempFailureTTL;
474 static const int64_t unusedIndicator = -1;
476 static bool isInUse(int64_t usageIndicator)
478 return usageIndicator != unusedIndicator;
483 return usageIndicator != unusedIndicator;
486 /* return true if the value has been successfully replaced meaning that
487 no-one updated the usage indicator in the meantime */
488 bool tryMarkUnused(int64_t expectedUsageIndicator)
490 return usageIndicator.compare_exchange_strong(expectedUsageIndicator, unusedIndicator);
493 /* mark as unused no matter what, return true if the state was in use before */
496 auto currentGeneration = generation++;
497 return markAsUsed(currentGeneration);
500 /* mark as unused no matter what, return true if the state was in use before */
501 bool markAsUsed(int64_t currentGeneration)
503 int64_t oldUsage = usageIndicator.exchange(currentGeneration);
504 return oldUsage != unusedIndicator;
507 /* We use this value to detect whether this state is in use.
508 For performance reasons we don't want to use a lock here, but that means
509 we need to be very careful when modifying this value. Modifications happen
511 - one of the UDP or DoH 'client' threads receiving a query, selecting a backend
512 then picking one of the states associated to this backend (via the idOffset).
513 Most of the time this state should not be in use and usageIndicator is -1, but we
514 might not yet have received a response for the query previously associated to this
515 state, meaning that we will 'reuse' this state and erase the existing state.
516 If we ever receive a response for this state, it will be discarded. This is
517 mostly fine for UDP except that we still need to be careful in order to miss
518 the 'outstanding' counters, which should only be increased when we are picking
519 an empty state, and not when reusing ;
520 For DoH, though, we have dynamically allocated a DOHUnit object that needs to
521 be freed, as well as internal objects internals to libh2o.
522 - one of the UDP receiver threads receiving a response from a backend, picking
523 the corresponding state and sending the response to the client ;
524 - the 'healthcheck' thread scanning the states to actively discover timeouts,
525 mostly to keep some counters like the 'outstanding' one sane.
526 We previously based that logic on the origFD (FD on which the query was received,
527 and therefore from where the response should be sent) but this suffered from an
528 ABA problem since it was quite likely that a UDP 'client thread' would reset it to the
529 same value since we only have so much incoming sockets:
530 - 1/ 'client' thread gets a query and set origFD to its FD, say 5 ;
531 - 2/ 'receiver' thread gets a response, read the value of origFD to 5, check that the qname,
532 qtype and qclass match
533 - 3/ during that time the 'client' thread reuses the state, setting again origFD to 5 ;
534 - 4/ the 'receiver' thread uses compare_exchange_strong() to only replace the value if it's still
535 5, except it's not the same 5 anymore and it overrides a fresh state.
536 We now use a 32-bit unsigned counter instead, which is incremented every time the state is set,
537 wrapping around if necessary, and we set an atomic signed 64-bit value, so that we still have -1
538 when the state is unused and the value of our counter otherwise.
540 std::atomic<int64_t> usageIndicator{unusedIndicator}; // set to unusedIndicator to indicate this state is empty // 8
541 std::atomic<uint32_t> generation{0}; // increased every time a state is used, to be able to detect an ABA issue // 4
542 ComboAddress origRemote; // 28
543 ComboAddress origDest; // 28
544 StopWatch sentTime; // 16
546 std::shared_ptr<DNSCryptQuery> dnsCryptQuery{nullptr};
548 boost::optional<boost::uuids::uuid> uniqueId;
550 boost::optional<Netmask> subnet{boost::none};
551 std::shared_ptr<DNSDistPacketCache> packetCache{nullptr};
552 std::shared_ptr<QTag> qTag{nullptr};
553 const ClientState* cs{nullptr};
554 DOHUnit* du{nullptr};
555 uint32_t cacheKey; // 4
556 uint32_t cacheKeyNoECS; // 4
559 uint16_t qclass; // 2
560 uint16_t origID; // 2
561 uint16_t origFlags; // 2
564 boost::optional<uint32_t> tempFailureTTL;
565 bool ednsAdded{false};
566 bool ecsAdded{false};
567 bool skipCache{false};
568 bool destHarvested{false}; // if true, origDest holds the original dest addr, otherwise the listening addr
569 bool dnssecOK{false};
573 typedef std::unordered_map<string, unsigned int> QueryCountRecords;
574 typedef std::function<std::tuple<bool, string>(const DNSQuestion* dq)> QueryCountFilter;
578 pthread_rwlock_init(&queryLock, nullptr);
582 pthread_rwlock_destroy(&queryLock);
584 QueryCountRecords records;
585 QueryCountFilter filter;
586 pthread_rwlock_t queryLock;
590 extern QueryCount g_qcount;
594 ClientState(const ComboAddress& local_, bool isTCP_, bool doReusePort, int fastOpenQueue, const std::string& itfName, const std::set<int>& cpus_): cpus(cpus_), local(local_), interface(itfName), fastOpenQueueSize(fastOpenQueue), tcp(isTCP_), reuseport(doReusePort)
600 std::shared_ptr<DNSCryptContext> dnscryptCtx{nullptr};
601 std::shared_ptr<TLSFrontend> tlsFrontend{nullptr};
602 std::shared_ptr<DOHFrontend> dohFrontend{nullptr};
603 std::string interface;
604 std::atomic<uint64_t> queries{0};
605 mutable std::atomic<uint64_t> responses{0};
606 std::atomic<uint64_t> tcpDiedReadingQuery{0};
607 std::atomic<uint64_t> tcpDiedSendingResponse{0};
608 std::atomic<uint64_t> tcpGaveUp{0};
609 std::atomic<uint64_t> tcpClientTimeouts{0};
610 std::atomic<uint64_t> tcpDownstreamTimeouts{0};
611 std::atomic<uint64_t> tcpCurrentConnections{0};
612 std::atomic<uint64_t> tlsNewSessions{0}; // A new TLS session has been negotiated, no resumption
613 std::atomic<uint64_t> tlsResumptions{0}; // A TLS session has been resumed, either via session id or via a TLS ticket
614 std::atomic<uint64_t> tlsUnknownTicketKey{0}; // A TLS ticket has been presented but we don't have the associated key (might have expired)
615 std::atomic<uint64_t> tlsInactiveTicketKey{0}; // A TLS ticket has been successfully resumed but the key is no longer active, we should issue a new one
616 std::atomic<uint64_t> tls10queries{0}; // valid DNS queries received via TLSv1.0
617 std::atomic<uint64_t> tls11queries{0}; // valid DNS queries received via TLSv1.1
618 std::atomic<uint64_t> tls12queries{0}; // valid DNS queries received via TLSv1.2
619 std::atomic<uint64_t> tls13queries{0}; // valid DNS queries received via TLSv1.3
620 std::atomic<uint64_t> tlsUnknownqueries{0}; // valid DNS queries received via unknown TLS version
621 std::atomic<double> tcpAvgQueriesPerConnection{0.0};
623 std::atomic<double> tcpAvgConnectionDuration{0.0};
626 int fastOpenQueueSize{0};
632 int getSocket() const
634 return udpFD != -1 ? udpFD : tcpFD;
649 return tlsFrontend != nullptr || dohFrontend != nullptr;
652 std::string getType() const
654 std::string result = udpFD != -1 ? "UDP" : "TCP";
657 result += " (DNS over HTTPS)";
659 else if (tlsFrontend) {
660 result += " (DNS over TLS)";
662 else if (dnscryptCtx) {
663 result += " (DNSCrypt)";
670 shared_ptr<BPFFilter> d_filter;
675 d_filter->removeSocket(getSocket());
680 void attachFilter(shared_ptr<BPFFilter> bpf)
684 bpf->addSocket(getSocket());
687 #endif /* HAVE_EBPF */
689 void updateTCPMetrics(size_t nbQueries, uint64_t durationMs)
691 tcpAvgQueriesPerConnection = (99.0 * tcpAvgQueriesPerConnection / 100.0) + (nbQueries / 100.0);
692 tcpAvgConnectionDuration = (99.0 * tcpAvgConnectionDuration / 100.0) + (durationMs / 100.0);
696 class TCPClientCollection {
697 std::vector<int> d_tcpclientthreads;
698 std::atomic<uint64_t> d_numthreads{0};
699 std::atomic<uint64_t> d_pos{0};
700 std::atomic<uint64_t> d_queued{0};
701 const uint64_t d_maxthreads{0};
704 const bool d_useSinglePipe;
707 TCPClientCollection(size_t maxThreads, bool useSinglePipe=false): d_maxthreads(maxThreads), d_singlePipe{-1,-1}, d_useSinglePipe(useSinglePipe)
710 d_tcpclientthreads.reserve(maxThreads);
712 if (d_useSinglePipe) {
713 if (pipe(d_singlePipe) < 0) {
715 throw std::runtime_error("Error creating the TCP single communication pipe: " + stringerror(err));
718 if (!setNonBlocking(d_singlePipe[0])) {
720 close(d_singlePipe[0]);
721 close(d_singlePipe[1]);
722 throw std::runtime_error("Error setting the TCP single communication pipe non-blocking: " + stringerror(err));
725 if (!setNonBlocking(d_singlePipe[1])) {
727 close(d_singlePipe[0]);
728 close(d_singlePipe[1]);
729 throw std::runtime_error("Error setting the TCP single communication pipe non-blocking: " + stringerror(err));
735 uint64_t pos = d_pos++;
737 return d_tcpclientthreads[pos % d_numthreads];
739 bool hasReachedMaxThreads() const
741 return d_numthreads >= d_maxthreads;
743 uint64_t getThreadsCount() const
747 uint64_t getQueuedCount() const
751 void decrementQueuedCount()
755 void addTCPClientThread();
758 extern std::unique_ptr<TCPClientCollection> g_tcpclientthreads;
760 struct DownstreamState
762 typedef std::function<std::tuple<DNSName, uint16_t, uint16_t>(const DNSName&, uint16_t, uint16_t, dnsheader*)> checkfunc_t;
764 DownstreamState(const ComboAddress& remote_, const ComboAddress& sourceAddr_, unsigned int sourceItf, const std::string& sourceItfName, size_t numberOfSockets, bool connect);
765 DownstreamState(const ComboAddress& remote_): DownstreamState(remote_, ComboAddress(), 0, std::string(), 1, true) {}
768 for (auto& fd : sockets) {
774 pthread_rwlock_destroy(&d_lock);
776 boost::uuids::uuid id;
777 std::vector<unsigned int> hashes;
778 mutable pthread_rwlock_t d_lock;
779 std::vector<int> sockets;
780 const std::string sourceItfName;
781 std::mutex socketsLock;
782 std::mutex connectLock;
783 std::unique_ptr<FDMultiplexer> mplexer{nullptr};
785 const ComboAddress remote;
787 vector<IDState> idStates;
788 const ComboAddress sourceAddr;
789 checkfunc_t checkFunction;
790 DNSName checkName{"a.root-servers.net."};
791 QType checkType{QType::A};
792 uint16_t checkClass{QClass::IN};
793 std::atomic<uint64_t> idOffset{0};
794 std::atomic<uint64_t> sendErrors{0};
795 std::atomic<uint64_t> outstanding{0};
796 std::atomic<uint64_t> reuseds{0};
797 std::atomic<uint64_t> queries{0};
798 std::atomic<uint64_t> responses{0};
800 std::atomic<uint64_t> sendErrors{0};
801 std::atomic<uint64_t> reuseds{0};
802 std::atomic<uint64_t> queries{0};
804 std::atomic<uint64_t> tcpDiedSendingQuery{0};
805 std::atomic<uint64_t> tcpDiedReadingResponse{0};
806 std::atomic<uint64_t> tcpGaveUp{0};
807 std::atomic<uint64_t> tcpReadTimeouts{0};
808 std::atomic<uint64_t> tcpWriteTimeouts{0};
809 std::atomic<uint64_t> tcpCurrentConnections{0};
810 std::atomic<double> tcpAvgQueriesPerConnection{0.0};
812 std::atomic<double> tcpAvgConnectionDuration{0.0};
813 size_t socketsOffset{0};
814 double queryLoad{0.0};
815 double dropRate{0.0};
816 double latencyUsec{0.0};
819 int tcpConnectTimeout{5};
820 int tcpRecvTimeout{30};
821 int tcpSendTimeout{30};
822 unsigned int checkInterval{1};
823 unsigned int lastCheck{0};
824 const unsigned int sourceItf{0};
826 uint16_t xpfRRCode{0};
827 uint16_t checkTimeout{1000}; /* in milliseconds */
828 uint8_t currentCheckFailures{0};
829 uint8_t consecutiveSuccessfulChecks{0};
830 uint8_t maxCheckFailures{1};
831 uint8_t minRiseSuccesses{1};
834 enum class Availability { Up, Down, Auto} availability{Availability::Auto};
835 bool mustResolve{false};
836 bool upStatus{false};
838 bool useProxyProtocol{false};
840 bool disableZeroScope{false};
841 std::atomic<bool> connected{false};
842 std::atomic_flag threadStarted;
843 bool tcpFastOpen{false};
844 bool ipBindAddrNoPort{true};
848 if(availability == Availability::Down)
850 if(availability == Availability::Up)
854 void setUp() { availability = Availability::Up; }
855 void setDown() { availability = Availability::Down; }
856 void setAuto() { availability = Availability::Auto; }
857 const string& getName() const {
860 const string& getNameWithAddr() const {
863 void setName(const std::string& newName)
866 nameWithAddr = newName.empty() ? remote.toStringWithPort() : (name + " (" + remote.toStringWithPort()+ ")");
869 string getStatus() const
872 if(availability == DownstreamState::Availability::Up)
874 else if(availability == DownstreamState::Availability::Down)
877 status = (upStatus ? "up" : "down");
882 void setId(const boost::uuids::uuid& newId);
883 void setWeight(int newWeight);
885 void updateTCPMetrics(size_t nbQueries, uint64_t durationMs)
887 tcpAvgQueriesPerConnection = (99.0 * tcpAvgQueriesPerConnection / 100.0) + (nbQueries / 100.0);
888 tcpAvgConnectionDuration = (99.0 * tcpAvgConnectionDuration / 100.0) + (durationMs / 100.0);
892 std::string nameWithAddr;
894 using servers_t =vector<std::shared_ptr<DownstreamState>>;
896 void responderThread(std::shared_ptr<DownstreamState> state);
897 extern std::mutex g_luamutex;
898 extern LuaContext g_lua;
899 extern std::string g_outputBuffer; // locking for this is ok, as locked by g_luamutex
907 virtual bool matches(const DNSQuestion* dq) const =0;
908 virtual string toString() const = 0;
909 mutable std::atomic<uint64_t> d_matches{0};
916 pthread_rwlock_init(&d_lock, nullptr);
920 pthread_rwlock_destroy(&d_lock);
923 const std::shared_ptr<DNSDistPacketCache> getCache() const { return packetCache; };
930 void setECS(bool useECS)
935 std::shared_ptr<DNSDistPacketCache> packetCache{nullptr};
936 std::shared_ptr<ServerPolicy> policy{nullptr};
938 size_t countServers(bool upOnly)
941 ReadLock rl(&d_lock);
942 for (const auto& server : d_servers) {
943 if (!upOnly || std::get<1>(server)->isUp() ) {
950 ServerPolicy::NumberedServerVector getServers()
952 ServerPolicy::NumberedServerVector result;
954 ReadLock rl(&d_lock);
960 void addServer(shared_ptr<DownstreamState>& server)
962 WriteLock wl(&d_lock);
963 unsigned int count = (unsigned int) d_servers.size();
964 d_servers.push_back(make_pair(++count, server));
965 /* we need to reorder based on the server 'order' */
966 std::stable_sort(d_servers.begin(), d_servers.end(), [](const std::pair<unsigned int,std::shared_ptr<DownstreamState> >& a, const std::pair<unsigned int,std::shared_ptr<DownstreamState> >& b) {
967 return a.second->order < b.second->order;
969 /* and now we need to renumber for Lua (custom policies) */
971 for (auto& serv : d_servers) {
976 void removeServer(shared_ptr<DownstreamState>& server)
978 WriteLock wl(&d_lock);
981 for (auto it = d_servers.begin(); it != d_servers.end();) {
983 /* we need to renumber the servers placed
984 after the removed one, for Lua (custom policies) */
988 else if (it->second == server) {
989 it = d_servers.erase(it);
999 ServerPolicy::NumberedServerVector d_servers;
1000 pthread_rwlock_t d_lock;
1001 bool d_useECS{false};
1006 ComboAddress server;
1007 std::string namespace_name;
1008 std::string ourname;
1009 std::string instance_name;
1010 unsigned int interval;
1013 enum ednsHeaderFlags {
1014 EDNS_HEADER_FLAG_NONE = 0,
1015 EDNS_HEADER_FLAG_DO = 32768
1018 struct DNSDistRuleAction
1020 std::shared_ptr<DNSRule> d_rule;
1021 std::shared_ptr<DNSAction> d_action;
1022 boost::uuids::uuid d_id;
1023 uint64_t d_creationOrder;
1026 struct DNSDistResponseRuleAction
1028 std::shared_ptr<DNSRule> d_rule;
1029 std::shared_ptr<DNSResponseAction> d_action;
1030 boost::uuids::uuid d_id;
1031 uint64_t d_creationOrder;
1034 extern GlobalStateHolder<SuffixMatchTree<DynBlock>> g_dynblockSMT;
1035 extern DNSAction::Action g_dynBlockAction;
1037 extern GlobalStateHolder<vector<CarbonConfig> > g_carbon;
1038 extern GlobalStateHolder<ServerPolicy> g_policy;
1039 extern GlobalStateHolder<servers_t> g_dstates;
1040 extern GlobalStateHolder<pools_t> g_pools;
1041 extern GlobalStateHolder<vector<DNSDistRuleAction> > g_rulactions;
1042 extern GlobalStateHolder<vector<DNSDistResponseRuleAction> > g_resprulactions;
1043 extern GlobalStateHolder<vector<DNSDistResponseRuleAction> > g_cachehitresprulactions;
1044 extern GlobalStateHolder<vector<DNSDistResponseRuleAction> > g_selfansweredresprulactions;
1045 extern GlobalStateHolder<NetmaskGroup> g_ACL;
1047 extern ComboAddress g_serverControl; // not changed during runtime
1049 extern std::vector<shared_ptr<TLSFrontend>> g_tlslocals;
1050 extern std::vector<shared_ptr<DOHFrontend>> g_dohlocals;
1051 extern std::vector<std::unique_ptr<ClientState>> g_frontends;
1052 extern bool g_truncateTC;
1053 extern bool g_fixupCase;
1054 extern int g_tcpRecvTimeout;
1055 extern int g_tcpSendTimeout;
1056 extern int g_udpTimeout;
1057 extern uint16_t g_maxOutstanding;
1058 extern std::atomic<bool> g_configurationDone;
1059 extern uint64_t g_maxTCPClientThreads;
1060 extern uint64_t g_maxTCPQueuedConnections;
1061 extern size_t g_maxTCPQueriesPerConn;
1062 extern size_t g_maxTCPConnectionDuration;
1063 extern size_t g_maxTCPConnectionsPerClient;
1064 extern std::atomic<uint16_t> g_cacheCleaningDelay;
1065 extern std::atomic<uint16_t> g_cacheCleaningPercentage;
1066 extern uint32_t g_staleCacheEntriesTTL;
1067 extern bool g_apiReadWrite;
1068 extern std::string g_apiConfigDirectory;
1069 extern bool g_servFailOnNoPolicy;
1070 extern bool g_useTCPSinglePipe;
1071 extern uint16_t g_downstreamTCPCleanupInterval;
1072 extern size_t g_udpVectorSize;
1073 extern bool g_preserveTrailingData;
1074 extern bool g_allowEmptyResponse;
1077 extern shared_ptr<BPFFilter> g_defaultBPFFilter;
1078 extern std::vector<std::shared_ptr<DynBPFFilter> > g_dynBPFFilters;
1079 #endif /* HAVE_EBPF */
1083 LocalHolders(): acl(g_ACL.getLocal()), policy(g_policy.getLocal()), rulactions(g_rulactions.getLocal()), cacheHitRespRulactions(g_cachehitresprulactions.getLocal()), selfAnsweredRespRulactions(g_selfansweredresprulactions.getLocal()), servers(g_dstates.getLocal()), dynNMGBlock(g_dynblockNMG.getLocal()), dynSMTBlock(g_dynblockSMT.getLocal()), pools(g_pools.getLocal())
1087 LocalStateHolder<NetmaskGroup> acl;
1088 LocalStateHolder<ServerPolicy> policy;
1089 LocalStateHolder<vector<DNSDistRuleAction> > rulactions;
1090 LocalStateHolder<vector<DNSDistResponseRuleAction> > cacheHitRespRulactions;
1091 LocalStateHolder<vector<DNSDistResponseRuleAction> > selfAnsweredRespRulactions;
1092 LocalStateHolder<servers_t> servers;
1093 LocalStateHolder<NetmaskTree<DynBlock> > dynNMGBlock;
1094 LocalStateHolder<SuffixMatchTree<DynBlock> > dynSMTBlock;
1095 LocalStateHolder<pools_t> pools;
1100 void controlThread(int fd, ComboAddress local);
1101 vector<std::function<void(void)>> setupLua(bool client, const std::string& config);
1103 struct WebserverConfig
1105 std::string password;
1107 boost::optional<std::map<std::string, std::string> > customHeaders;
1111 void setWebserverAPIKey(const boost::optional<std::string> apiKey);
1112 void setWebserverPassword(const std::string& password);
1113 void setWebserverCustomHeaders(const boost::optional<std::map<std::string, std::string> > customHeaders);
1115 void dnsdistWebserverThread(int sock, const ComboAddress& local);
1116 void tcpAcceptorThread(void* p);
1117 #ifdef HAVE_DNS_OVER_HTTPS
1118 void dohThread(ClientState* cs);
1119 #endif /* HAVE_DNS_OVER_HTTPS */
1121 void setLuaNoSideEffect(); // if nothing has been declared, set that there are no side effects
1122 void setLuaSideEffect(); // set to report a side effect, cancelling all _no_ side effect calls
1123 bool getLuaNoSideEffect(); // set if there were only explicit declarations of _no_ side effect
1124 void resetLuaSideEffect(); // reset to indeterminate state
1126 bool responseContentMatches(const char* response, const uint16_t responseLen, const DNSName& qname, const uint16_t qtype, const uint16_t qclass, const ComboAddress& remote, unsigned int& consumed);
1127 bool processResponse(char** response, uint16_t* responseLen, size_t* responseSize, LocalStateHolder<vector<DNSDistResponseRuleAction> >& localRespRulactions, DNSResponse& dr, size_t addRoom, std::vector<uint8_t>& rewrittenResponse, bool muted);
1128 bool processRulesResult(const DNSAction::Action& action, DNSQuestion& dq, std::string& ruleresult, bool& drop);
1130 bool checkQueryHeaders(const struct dnsheader* dh);
1132 extern std::vector<std::shared_ptr<DNSCryptContext>> g_dnsCryptLocals;
1133 int handleDNSCryptQuery(char* packet, uint16_t len, std::shared_ptr<DNSCryptQuery> query, uint16_t* decryptedQueryLen, bool tcp, time_t now, std::vector<uint8_t>& response);
1134 boost::optional<std::vector<uint8_t>> checkDNSCryptQuery(const ClientState& cs, const char* query, uint16_t& len, std::shared_ptr<DNSCryptQuery>& dnsCryptQuery, time_t now, bool tcp);
1136 bool addXPF(DNSQuestion& dq, uint16_t optionCode);
1138 uint16_t getRandomDNSID();
1140 #include "dnsdist-snmp.hh"
1142 extern bool g_snmpEnabled;
1143 extern bool g_snmpTrapsEnabled;
1144 extern DNSDistSNMPAgent* g_snmpAgent;
1145 extern bool g_addEDNSToSelfGeneratedResponses;
1147 extern std::set<std::string> g_capabilitiesToRetain;
1148 static const uint16_t s_udpIncomingBufferSize{1500}; // don't accept UDP queries larger than this value
1149 static const size_t s_maxPacketCacheEntrySize{4096}; // don't cache responses larger than this value
1151 enum class ProcessQueryResult { Drop, SendAnswer, PassToBackend };
1152 ProcessQueryResult processQuery(DNSQuestion& dq, ClientState& cs, LocalHolders& holders, std::shared_ptr<DownstreamState>& selectedBackend);
1154 DNSResponse makeDNSResponseFromIDState(IDState& ids, struct dnsheader* dh, size_t bufferSize, uint16_t responseLen, bool isTCP);
1155 void setIDStateFromDNSQuestion(IDState& ids, DNSQuestion& dq, DNSName&& qname);
1157 int pickBackendSocketForSending(std::shared_ptr<DownstreamState>& state);
1158 ssize_t udpClientSendRequestToBackend(const std::shared_ptr<DownstreamState>& ss, const int sd, const char* request, const size_t requestLen, bool healthCheck=false);