daemon: insecure DNS-over-HTTP docs-develop-nake-5gjoy3/deployments/4352 naked-http
authorOto Šťáva <oto.stava@nic.cz>
Thu, 23 May 2024 16:03:02 +0000 (18:03 +0200)
committerOto Šťáva <oto.stava@nic.cz>
Fri, 14 Jun 2024 08:52:35 +0000 (10:52 +0200)
Adds a special insecure protocol layer sequence for querying DNS over
plain cleartext HTTP/2.

daemon/bindings/net.c
daemon/io.c
daemon/session2.c
lib/proto.h
manager/knot_resolver_manager/datamodel/network_schema.py

index aaeef2387b94748865640ec9c467a23658664ded..b4f139874246fbc8136e6d96a05cc7b66be1257d 100644 (file)
@@ -26,8 +26,12 @@ static int net_list_add(const char *b_key, uint32_t key_len, trie_val_t *val, vo
 
                if (ep->flags.kind) {
                        lua_pushstring(L, ep->flags.kind);
-               } else if (ep->flags.http && ep->flags.tls) {
-                       lua_pushliteral(L, "doh2");
+               } else if (ep->flags.http) {
+                       if (ep->flags.tls) {
+                               lua_pushliteral(L, "doh2");
+                       } else {
+                               lua_pushliteral(L, "doh2-insecure");
+                       }
                } else if (ep->flags.tls) {
                        lua_pushliteral(L, "tls");
                } else if (ep->flags.xdp) {
@@ -255,6 +259,9 @@ static int net_listen(lua_State *L)
                        flags.http = false;
                } else if (k && strcasecmp(k, "doh2") == 0) {
                        flags.tls = flags.http = true;
+               } else if (k && strcasecmp(k, "doh2-insecure") == 0) {
+                       flags.tls = false;
+                       flags.http = true;
                } else if (k) {
                        flags.kind = k;
                        if (strcasecmp(k, "doh") == 0) {
index b6b289aea8cc3f1c72f1fc70f90a5886e66b36a1..462435db82339f0885f9840b6253b894b82d5eb1 100644 (file)
@@ -406,6 +406,11 @@ static void https_accept(uv_stream_t *master, int status)
 {
        tcp_accept_internal(master, status, KR_PROTO_DOH);
 }
+
+static void http_insecure_accept(uv_stream_t *master, int status)
+{
+       tcp_accept_internal(master, status, KR_PROTO_DOH_INSECURE);
+}
 #endif
 
 int io_listen_tcp(uv_loop_t *loop, uv_tcp_t *handle, int fd, int tcp_backlog, bool has_tls, bool has_http)
@@ -428,7 +433,12 @@ int io_listen_tcp(uv_loop_t *loop, uv_tcp_t *handle, int fd, int tcp_backlog, bo
        } else if (has_tls) {
                connection = tls_accept;
        } else if (has_http) {
-               return kr_error(EPROTONOSUPPORT);
+#if ENABLE_DOH2
+               connection = http_insecure_accept;
+#else
+               kr_log_error(IO, "kresd was compiled without libnghttp2 support\n");
+               return kr_error(ENOPROTOOPT);
+#endif
        } else {
                connection = tcp_accept;
        }
index 19ea42dc3de0632c24d65718516da0c717fea406..c451ef4a7af008250dcb56fd1567f653213ca489 100644 (file)
@@ -60,6 +60,13 @@ static const enum protolayer_type protolayer_grp_doh[] = {
        PROTOLAYER_TYPE_DNS_UNSIZED_STREAM,
 };
 
+static const enum protolayer_type protolayer_grp_doh_insecure[] = {
+       PROTOLAYER_TYPE_TCP,
+       PROTOLAYER_TYPE_PROXYV2_STREAM,
+       PROTOLAYER_TYPE_HTTP,
+       PROTOLAYER_TYPE_DNS_UNSIZED_STREAM,
+};
+
 static const enum protolayer_type protolayer_grp_doq[] = {
        // not yet used
        PROTOLAYER_TYPE_NULL,
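Review bot: The new `protolayer_grp_doh_insecure` table carries no comment, although the one thing that distinguishes it is exactly the security-relevant one: it has no TLS layer, so HTTP/2 runs over cleartext TCP (the TLS-bearing DoH group it mirrors is cut off above the hunk, so that comparison is inferred). I would add above the array: `/* Like the DoH group but without a TLS layer: cleartext HTTP/2 (h2c), selected by the "doh2-insecure" listener kind. Presumably only meant for deployments where a trusted proxy terminates TLS in front of kresd -- confirm. */`. Keeping `PROTOLAYER_TYPE_PROXYV2_STREAM` in the stack is consistent with that use, but the comment should say so rather than leave a reader to guess why an "insecure" stack exists.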
index 875fe8e309e55aa604265aef17fcc752313b6ce0..415effe0f0ffd72bc7260b53ff059f443201cfb6 100644 (file)
@@ -26,6 +26,7 @@
     XX(TCP53, tcp53, "DNS TCP") \
     XX(DOT, dot, "DNS-over-TLS") \
     XX(DOH, doh, "DNS-over-HTTPS") \
+    XX(DOH_INSECURE, doh_insecure, "Insecure DNS-over-HTTP") \
     XX(DOQ, doq, "DNS-over-QUIC") /* unused for now */ \
     //
 
index 289104b82dd4d069095e9556677b48e391c372af..b5c635b4881c4d2a52522e1ed20dd67b90104eab 100644 (file)
@@ -20,7 +20,7 @@ from knot_resolver_manager.datamodel.types import (
 )
 from knot_resolver_manager.utils.modeling import ConfigSchema
 
-KindEnum = Literal["dns", "xdp", "dot", "doh-legacy", "doh2"]
+KindEnum = Literal["dns", "xdp", "dot", "doh-legacy", "doh2", "doh2-insecure"]
 
 
 class EdnsBufferSizeSchema(ConfigSchema):
@@ -123,6 +123,8 @@ class ListenSchema(ConfigSchema):
                 return PortNumber(853)
             elif origin.kind in ["doh-legacy", "doh2"]:
                 return PortNumber(443)
+            elif origin.kind == "doh2-insecure":
+                return PortNumber(80)
             return PortNumber(53)
         return None