From: Otto Moerbeek
Date: Mon, 31 Jan 2022 15:35:32 +0000 (+0100)
Subject: Add SNI to DoT if available
X-Git-Tag: auth-4.7.0-alpha1~10^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11307%2Fhead;p=thirdparty%2Fpdns.git

Add SNI to DoT if available

In the forwarding case, it is not available until we have a better config language)
---
diff --git a/pdns/lwres.cc b/pdns/lwres.cc
index 90f1c84d4d..0e42dc1dc3 100644
--- a/pdns/lwres.cc
+++ b/pdns/lwres.cc
@@ -248,7 +248,7 @@ static void logIncomingResponse(const std::shared_ptr("", s.releaseHandle(), timeout, tlsCtx, now.tv_sec);
+ connection.d_handler = std::make_shared(nsName, s.releaseHandle(), timeout, tlsCtx, now.tv_sec);
 // Returned state ignored
 // This can throw an exception, retry will need to happen at higher level
 connection.d_handler->tryConnect(SyncRes::s_tcp_fast_open_connect, ip);
@@ -442,7 +442,11 @@ static LWResult::Result asyncresolve(const ComboAddress& ip, const DNSName& doma
 // peer has closed it on error, so we retry. At some point we
 // *will* get a new connection, so this loop is not endless.
 isNew = true; // tcpconnect() might throw for new connections. In that case, we want to break the loop
- isNew = tcpconnect(*now, ip, connection, dnsOverTLS);
+ std::string nsName;
+ if (context && !context->d_nsName.empty()) {
+ nsName = context->d_nsName.toStringNoDot();
+ }
+ isNew = tcpconnect(*now, ip, connection, dnsOverTLS, nsName);
 ret = tcpsendrecv(ip, connection, localip, vpacket, len, buf);
 #ifdef HAVE_FSTRM
 if (fstrmQEnabled) {
diff --git a/pdns/resolve-context.hh b/pdns/resolve-context.hh
index 5782961249..ccac550532 100644
--- a/pdns/resolve-context.hh
+++ b/pdns/resolve-context.hh
@@ -14,6 +14,7 @@ struct ResolveContext {
 ResolveContext & operator=(const ResolveContext&) = delete;
 boost::optional d_initialRequestId;
+ DNSName d_nsName;
 #ifdef HAVE_FSTRM
 boost::optional d_auth;
 #endif
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 00544f84d7..94771719e6 100644
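Review bot: In the added lines the NS name is converted with `toStringNoDot()` on every pass through the reconnect loop, and also when `dnsOverTLS` is false although only the TLS handler in the previous hunk consumes it; either guard it, `if (dnsOverTLS && context && !context->d_nsName.empty()) {`, or hoist the conversion above the loop, which begins before this hunk. A short comment stating where the value comes from and where it ends up would also help, since whatever `toStringNoDot()` yields is what the peer sees as the SNI, e.g. `// SNI for DoT: the name of the NS we are contacting; empty means no SNI`. That an empty string means "no SNI" is inferred from the previous hunk, where `""` was passed unconditionally before this change; confirm that the handler constructor (its template arguments are lost in this rendering) treats the empty case that way. asyncresolve's body starts and ends outside this hunk.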
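Review bot: The new member `d_nsName` carries no comment, and nothing in this header says that it may be empty or what consumers do with it; the lwres.cc hunk turns it into the SNI for DoT connections and the syncres.cc hunk deliberately passes an empty `DNSName()` for forwarders. Suggest `DNSName d_nsName; // name of the NS being queried, used as the SNI for DoT connections; empty when not known (e.g. forwarders)`. The struct ResolveContext begins before this hunk.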
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -597,7 +597,7 @@ uint64_t SyncRes::doDumpNonResolvingNS(int fd)
 For now this means we can't be clever, but will turn off DNSSEC if you reply with FormError or gibberish.
 */
-LWResult::Result SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, const DNSName& auth, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional& srcmask, LWResult* res, bool* chained) const
+LWResult::Result SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, const DNSName& auth, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional& srcmask, LWResult* res, bool* chained, const DNSName& nsName) const
 {
 /* what is your QUEST?
 the goal is to get as many remotes as possible on the highest level of EDNS support
@@ -632,6 +632,7 @@ LWResult::Result SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsM
 auto luaconfsLocal = g_luaconfs.getLocal();
 ResolveContext ctx;
 ctx.d_initialRequestId = d_initialRequestId;
+ ctx.d_nsName = nsName;
 #ifdef HAVE_FSTRM
 ctx.d_auth = auth;
 #endif
@@ -943,7 +944,8 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType qtyp
 boost::optional nm;
 bool chained = false;
- auto resolveRet = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, authname, qtype.getCode(), false, false, &d_now, nm, &lwr, &chained);
+ // forwardes are "anonymous", so plug in an empty name; some day we might have a fancier config language...
+ auto resolveRet = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, authname, qtype.getCode(), false, false, &d_now, nm, &lwr, &chained, DNSName());
 d_totUsec += lwr.d_usec;
 accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family);
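Review bot: The new trailing parameter `nsName` of `asyncresolveWrapper` is not mentioned in the comment block that precedes the definition (the block closes with `*/` inside this hunk), and the declaration in syncres.hh gets no comment either. A one-line addition such as `nsName is the name of the nameserver being contacted; it is passed down as the SNI for DoT and may be empty when unknown` would tell callers what to pass and why an empty name is acceptable. That comment block starts before this hunk.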
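Review bot: The added comment misspells "forwarders" and says "anonymous" where the concrete effect is what a reader needs: `// forwarders have no NS name configured, so pass an empty name (no SNI for DoT); some day we might have a fancier config language...`. The empty-name convention relies on the callee treating an empty `DNSName` as "no SNI", which is what the lwres.cc hunk does via the `empty()` check, so naming that here keeps the two sides in sync. doResolveNoQNameMinimization's body starts and ends outside this hunk.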
@@ -3997,7 +3999,7 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
 s_ecsqueries++;
 }
 resolveret = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, auth, qtype.getCode(),
- doTCP, sendRDQuery, &d_now, ednsmask, &lwr, &chained); // <- we go out on the wire!
+ doTCP, sendRDQuery, &d_now, ednsmask, &lwr, &chained, nsName); // <- we go out on the wire!
 if(ednsmask) {
 s_ecsresponses++;
 LOG(prefix<toString()<<" on response"< &ret);
- LWResult::Result asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, const DNSName& auth, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional& srcmask, LWResult* res, bool* chained) const;
+ LWResult::Result asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, const DNSName& auth, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional& srcmask, LWResult* res, bool* chained, const DNSName& nsName) const;
 boost::optional getEDNSSubnetMask(const DNSName&dn, const ComboAddress& rem);