{ "SetECSPrefixLengthAction", true, "v4, v6", "Set the ECS prefix length. Subsequent rules are processed after this action" },
{ "SetMacAddrAction", true, "option", "Add the source MAC address to the query as EDNS0 option option. This action is currently only supported on Linux. Subsequent rules are processed after this action" },
{ "SetNoRecurseAction", true, "", "strip RD bit from the question, let it go through" },
+ { "setOutgoingDoHWorkerThreads", true, "n", "Number of outgoing DoH worker threads" },
{ "SetProxyProtocolValuesAction", true, "values", "Set the Proxy-Protocol values for this queries to 'values'" },
{ "SetSkipCacheAction", true, "", "Don’t lookup the cache for this query, don’t store the answer" },
{ "SetSkipCacheResponseAction", true, "", "Don’t store this response into the cache" },
if (ret->d_tlsCtx) {
setupDoHClientProtocolNegotiation(ret->d_tlsCtx);
}
+ if (g_outgoingDoHWorkerThreads == 0) {
+ g_outgoingDoHWorkerThreads = 1;
+ }
if (vars.count("addXForwardedHeaders")) {
ret->d_addXForwardedHeaders = boost::get<bool>(vars.at("addXForwardedHeaders"));
setMaxCachedTCPConnectionsPerDownstream(max);
});
+ luaCtx.writeFunction("setOutgoingDoHWorkerThreads", [](uint64_t workers) {
+ if (!g_configurationDone) {
+ g_outgoingDoHWorkerThreads = workers;
+ } else {
+ g_outputBuffer="The amount of outgoing DoH worker threads cannot be altered at runtime!\n";
+ }
+ });
+
luaCtx.writeFunction("setOutgoingTLSSessionsCacheMaxTicketsPerBackend", [](uint16_t max) {
if (g_configurationDone) {
g_outputBuffer = "setOutgoingTLSSessionsCacheMaxTicketsPerBackend() cannot be called at runtime!\n";
std::atomic<uint64_t> g_dohStatesDumpRequested{0};
std::unique_ptr<DoHClientCollection> g_dohClientThreads{nullptr};
+uint16_t g_outgoingDoHWorkerThreads{0};
#ifdef HAVE_NGHTTP2
class DoHConnectionToBackend : public TCPConnectionToBackend
int d_crossProtocolQueryPipe{-1};
};
-DoHClientCollection::DoHClientCollection(size_t maxThreads) :
- d_clientThreads(maxThreads), d_maxThreads(maxThreads)
+DoHClientCollection::DoHClientCollection(size_t numberOfThreads) :
+ d_clientThreads(numberOfThreads)
{
}
std::lock_guard<std::mutex> lock(d_mutex);
if (d_numberOfThreads >= d_clientThreads.size()) {
- vinfolog("Adding a new DoH client thread would exceed the vector size (%d/%d), skipping. Consider increasing the maximum amount of DoH client threads with setMaxDoHClientThreads() in the configuration.", d_numberOfThreads.load(), d_clientThreads.size());
+ vinfolog("Adding a new DoH client thread would exceed the vector size (%d/%d), skipping. Consider increasing the maximum amount of DoH client threads with setMaxDoHClientThreads() in the configuration.", d_numberOfThreads, d_clientThreads.size());
close(crossProtocolFDs[0]);
close(crossProtocolFDs[1]);
return;
bool initDoHWorkers()
{
#ifdef HAVE_NGHTTP2
-#warning FIXME: number of DoH threads
- g_dohClientThreads = std::make_unique<DoHClientCollection>(4);
+ g_dohClientThreads = std::make_unique<DoHClientCollection>(g_outgoingDoHWorkerThreads);
g_dohClientThreads->addThread();
return true;
#else
class DoHClientCollection
{
public:
- DoHClientCollection(size_t maxThreads);
-
- bool hasReachedMaxThreads() const
- {
- return d_numberOfThreads >= d_maxThreads;
- }
+ DoHClientCollection(size_t numberOfThreads);
uint64_t getThreadsCount() const
{
std::mutex d_mutex;
std::vector<DoHWorkerThread> d_clientThreads;
- pdns::stat_t d_numberOfThreads{0};
pdns::stat_t d_pos{0};
- const uint64_t d_maxThreads{0};
+ uint64_t d_numberOfThreads{0};
};
extern std::unique_ptr<DoHClientCollection> g_dohClientThreads;
extern std::atomic<uint64_t> g_dohStatesDumpRequested;
+extern uint16_t g_outgoingDoHWorkerThreads;
class TLSCtx;
When dealing with a large traffic load, it might happen that the internal pipe used to pass queries between the threads handling the incoming connections and the one getting a response from the backend become full too quickly, degrading performance and causing timeouts. This can be prevented by increasing the size of the internal pipe buffer, via the `internalPipeBufferSize` option of :func:`addDOHLocal`. Setting a value of `1048576` is known to yield good results on Linux.
+Outgoing DoH
+------------
+
+Starting with 1.7.0, dnsdist supports communicating with the backend using DNS over HTTPS. The incoming queries, after the processing of rules if any, are passed to one of the DoH workers over a pipe. The DoH worker handles the communication with the backend, retrieves the response, and either responds directly to the client (queries coming over UDP) or pass it back over a pipe to the initial thread (queries coming over TCP, DoT or DoH).
+The number of outgoing DoH worker threads can be configured using :func:`setOutgoingDoHWorkerThreads`.
+
+
TCP and DNS over TLS
--------------------
* :func:`showTCPStats` will display a lot of information about current and passed connections
* :func:`showTLSErrorCounters` some metrics about why TLS sessions failed to establish
* :func:`showDOHResponseCodes` returns metrics about HTTP response codes sent by dnsdist
+
+Outgoing
+--------
+
+Support for securing the exchanges between dnsdist and the backend will be implemented in 1.7.0, and will lead to all queries, regardless of whether they were initially received by dnsdist over UDP, TCP, DoT or DoH, being forwarded over a secure DNS over HTTPS channel.
+That support can be enabled via the ``dohPath`` parameter of the :func:`newServer` command. Additional parameters control the TLS provider used (``tls``), the validation of the certificate presented by the backend (``caStore``, ``validateCertificates``), the actual TLS ciphers used (``ciphers``, ``ciphersTLS13``) and the SNI value sent (``subjectName``).
Added ``maxInFlight`` to server_table.
.. versionchanged:: 1.7.0
- Added ``caStore``, ``checkTCP``, ``ciphers``, ``ciphers13``, ``subjectName``, ``tcpOnly``, ``tls`` and ``validateCertificates`` to server_table.
+ Added ``caStore``, ``checkTCP``, ``ciphers``, ``ciphers13``, ``dohPath``, ``subjectName``, ``tcpOnly``, ``tls`` and ``validateCertificates`` to server_table.
Add a new backend server. Call this function with either a string::
maxInFlight=NUM, -- Maximum number of in-flight queries. The default is 0, which disables out-of-order processing. It should only be enabled if the backend does support out-of-order processing. As of 1.6.0, out-of-order processing needs to be enabled on the frontend as well, via :func:`addLocal` and/or :func:`addTLSLocal`. Note that out-of-order is always enabled on DoH frontends.
tcpOnly=BOOL, -- Always forward queries to that backend over TCP, never over UDP. Always enabled for TLS backends. Default is false.
checkTCP=BOOL, -- Whether to do healthcheck queries over TCP, instead of UDP. Always enabled for DNS over TLS backend. Default is false.
- tls=STRING, -- Enable DNS over TLS communications for this backend, using the TLS provider ("openssl" or "gnutls") passed in parameter. Default is an empty string, which means this backend is used for plain UDP and TCP.
+ tls=STRING, -- Enable DNS over TLS communications for this backend, or DNS over HTTPS if ``dohPath`` is set, using the TLS provider ("openssl" or "gnutls") passed in parameter. Default is an empty string, which means this backend is used for plain UDP and TCP.
caStore=STRING, -- Specifies the path to the CA certificate file, in PEM format, to use to check the certificate presented by the backend. Default is an empty string, which means to use the system CA store. Note that this directive is only used if ``validateCertificates`` is set.
ciphers=STRING, -- The TLS ciphers to use. The exact format depends on the provider used. When the OpenSSL provider is used, ciphers for TLS 1.3 must be specified via ``ciphersTLS13``.
ciphersTLS13=STRING, -- The ciphers to use for TLS 1.3, when the OpenSSL provider is used. When the GnuTLS provider is used, ``ciphers`` applies regardless of the TLS protocol and this setting is not used.
subjectName=STRING, -- The subject name passed in the SNI value of the TLS handshake, and against which to validate the certificate presented by the backend. Default is empty.
- validateCertificates=BOOL -- Whether the certificate presented by the backend should be validated against the CA store (see ``caStore``). Default is true.
+ validateCertificates=BOOL,-- Whether the certificate presented by the backend should be validated against the CA store (see ``caStore``). Default is true.
+ dohPath=STRING -- Enable DNS over HTTPS communication for this backend, using POST queries to the HTTP host supplied as ``subjectName`` and the HTTP path supplied in this parameter.
})
:param str server_string: A simple IP:PORT string.
:param int num:
+.. function:: setOutgoingDoHWorkerThreads(num)
+
+ .. versionadded:: 1.7.0
+
+ Set the number of worker threads to use for outgoing DoH. That number defaults to 0 but is automatically raised to 1 when DoH is enabled on at least one backend.
+
.. function:: setStaleCacheEntriesTTL(num)
Allows using cache entries expired for at most n seconds when no backend available to answer for a query
projects / thirdparty / pdns.git / commitdiff
