auto& holders = dsc->holders;
ClientState& clientState = *dsc->clientState;
+ if (!holders.acl->match(remote)) {
+ vinfolog("Query from %s (DoH3) dropped because of ACL", remote.toStringWithPort());
+ ++dnsdist::metrics::g_stats.aclDrops;
+ unit->response.clear();
+
+ unit->status_code = 403;
+ handleImmediateResponse(std::move(unit), "DoH3 query dropped because of ACL");
+ return;
+ }
+
if (unit->query.size() < sizeof(dnsheader)) {
++dnsdist::metrics::g_stats.nonCompliantQueries;
++clientState.nonCompliantQueries;
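Review bot: The ACL check is duplicated almost verbatim between this DoH3 hunk and the DoQ hunk that follows (same `holders.acl->match(remote)` test, same `aclDrops` increment, same `response.clear()` / `handleImmediateResponse` / `return` sequence), so the two copies will drift; a small shared helper taking the protocol name for the log line would keep the metric and the log format in one place. The stray blank line between `unit->response.clear();` and `unit->status_code = 403;` reads as if something was removed there; either drop it or put a comment in front of the status assignment, e.g. `// answer with an empty 403 so the client learns it was refused instead of waiting for a timeout`. The enclosing function starts before the hunk, so it is not visible whether any costly work on the query already happened before the ACL is consulted; if it does, consulting the ACL first limits the effort spent on clients it rejects.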
auto& holders = dsc->holders;
ClientState& clientState = *dsc->clientState;
+ if (!holders.acl->match(remote)) {
+ vinfolog("Query from %s (DoQ) dropped because of ACL", remote.toStringWithPort());
+ ++dnsdist::metrics::g_stats.aclDrops;
+ unit->response.clear();
+
+ handleImmediateResponse(std::move(unit), "DoQ query dropped because of ACL");
+ return;
+ }
+
if (unit->query.size() < sizeof(dnsheader)) {
++dnsdist::metrics::g_stats.nonCompliantQueries;
++clientState.nonCompliantQueries;
except StreamResetError as e :
self.assertEqual(e.error, 5);
+class QUICACLTests(object):
+
+ def testDropped(self):
+ """
+ QUIC: Dropped query because of ACL
+ """
+ name = 'acl.doq.tests.powerdns.com.'
+ query = dns.message.make_query(name, 'A', 'IN')
+ dropped = False
+ try:
+ (_, receivedResponse) = self.sendQUICQuery(query, response=None, useQueue=False)
+ self.assertTrue(False)
+ except StreamResetError as e:
+ self.assertEqual(e.error, 5);
+ dropped = True
+ self.assertTrue(dropped)
+
class QUICWithCacheTests(object):
def testCached(self):
"""
from dnsdisttests import DNSDistTest
from dnsdisttests import pickAvailablePort
-from quictests import QUICTests, QUICWithCacheTests
+from quictests import QUICTests, QUICWithCacheTests, QUICACLTests
import doh3client
class TestDOH3(QUICTests, DNSDistTest):
def sendQUICQuery(self, query, response=None, useQueue=True, connection=None):
return self.sendDOH3Query(self._doqServerPort, self._dohBaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue, serverName=self._serverName, connection=connection)
+class TestDOH3ACL(QUICACLTests, DNSDistTest):
+ _serverKey = 'server.key'
+ _serverCert = 'server.chain'
+ _serverName = 'tls.tests.dnsdist.org'
+ _caCert = 'ca.pem'
+ _doqServerPort = pickAvailablePort()
+ _dohBaseURL = ("https://%s:%d/" % (_serverName, _doqServerPort))
+ _config_template = """
+ newServer{address="127.0.0.1:%d"}
+
+ setACL("192.0.2.1/32")
+ addDOH3Local("127.0.0.1:%d", "%s", "%s", {keyLogFile='/tmp/keys'})
+ """
+ _config_params = ['_testServerPort', '_doqServerPort','_serverCert', '_serverKey']
+ _verboseMode = True
+
+ def getQUICConnection(self):
+ return self.getDOQConnection(self._doqServerPort, self._caCert)
+
+ def sendQUICQuery(self, query, response=None, useQueue=True, connection=None):
+ return self.sendDOH3Query(self._doqServerPort, self._dohBaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue, serverName=self._serverName, connection=connection)
+
class TestDOH3Specifics(DNSDistTest):
_serverKey = 'server.key'
_serverCert = 'server.chain'
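Review bot: `addDOH3Local("127.0.0.1:%d", "%s", "%s", {keyLogFile='/tmp/keys'})` in the TestDOH3ACL template writes the TLS session secrets to a fixed, predictable path under /tmp, which looks like a debugging leftover rather than something the ACL test needs — the matching DoQ fixture in the next section passes no key log, and a fixed /tmp path is readable by, and can be pre-created by, any other user on the test host. Drop the option, `addDOH3Local("127.0.0.1:%d", "%s", "%s")`, or point it at a per-run temporary directory if it is wanted for troubleshooting. `_verboseMode = True` in this fixture and in TestDOQWithACL also looks like debug output left enabled; confirm it is intended.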
from dnsdisttests import DNSDistTest
from dnsdisttests import pickAvailablePort
from doqclient import quic_bogus_query
-from quictests import QUICTests, QUICWithCacheTests
+from quictests import QUICTests, QUICWithCacheTests, QUICACLTests
import doqclient
class TestDOQBogus(DNSDistTest):
def sendQUICQuery(self, query, response=None, useQueue=True, connection=None):
return self.sendDOQQuery(self._doqServerPort, query, response=response, caFile=self._caCert, useQueue=useQueue, serverName=self._serverName, connection=connection)
+
+class TestDOQWithACL(QUICACLTests, DNSDistTest):
+ _serverKey = 'server.key'
+ _serverCert = 'server.chain'
+ _serverName = 'tls.tests.dnsdist.org'
+ _caCert = 'ca.pem'
+ _doqServerPort = pickAvailablePort()
+ _config_template = """
+ newServer{address="127.0.0.1:%d"}
+
+ setACL("192.0.2.1/32")
+ addDOQLocal("127.0.0.1:%d", "%s", "%s")
+ """
+ _config_params = ['_testServerPort', '_doqServerPort','_serverCert', '_serverKey']
+ _verboseMode = True
+
+ def getQUICConnection(self):
+ return self.getDOQConnection(self._doqServerPort, self._caCert)
+
+ def sendQUICQuery(self, query, response=None, useQueue=True, connection=None):
+ return self.sendDOQQuery(self._doqServerPort, query, response=response, caFile=self._caCert, useQueue=useQueue, serverName=self._serverName, connection=connection)
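Review bot: The two new fixtures are named inconsistently, `TestDOH3ACL` in the DoH3 file and `TestDOQWithACL` here, while the shared mixin is `QUICACLTests`; picking one pattern (`TestDOQACL` to match the DoH3 file, or `TestDOH3WithACL`) makes both selectable with a single test filter. The class body otherwise repeats the `sendQUICQuery` helper already present on TestDOQBogus above verbatim, so a small shared base class (or putting the helper on the mixin) would remove the copy.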