From: Remi Gacogne Date: Thu, 24 Apr 2025 12:57:34 +0000 (+0200) Subject: dnsdist: Fix a confusion about contexts/frontends in `getDNSCryptBind` X-Git-Tag: dnsdist-2.0.0-alpha2~41^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42b477ca9e85c884ddc9e3ab8bf81d8bd133f8a7;p=thirdparty%2Fpdns.git dnsdist: Fix a confusion about contexts/frontends in `getDNSCryptBind` We internally keep two different frontends (UDP and TCP) for DNSCrypt configuration binds, but the frontends should not be exposed to the user. `getDNSCryptBind` should return distinct DNSCrypt contexts, one per DNSCrypt configuration bind. This was broken during the refactoring of how frontends are internally kept.
---
diff --git a/pdns/dnsdistdist/dnsdist-frontend.cc b/pdns/dnsdistdist/dnsdist-frontend.cc
index 8e75ee396f..faf8226322 100644
--- a/pdns/dnsdistdist/dnsdist-frontend.cc
+++ b/pdns/dnsdistdist/dnsdist-frontend.cc
@@ -32,11 +32,11 @@ const std::vector>& getFrontends()
 return dnsdist::configuration::getImmutableConfiguration().d_frontends;
 }
-std::vector> getDNSCryptFrontends()
+std::vector> getDNSCryptFrontends(bool udpOnly)
 {
 std::vector> results;
 for (const auto& frontend : getFrontends()) {
- if (frontend->getProtocol() == dnsdist::Protocol::DNSCryptUDP || frontend->getProtocol() == dnsdist::Protocol::DNSCryptTCP) {
+ if (frontend->getProtocol() == dnsdist::Protocol::DNSCryptUDP || (!udpOnly && frontend->getProtocol() == dnsdist::Protocol::DNSCryptTCP)) {
 results.push_back(frontend->dnscryptCtx);
 }
 }
diff --git a/pdns/dnsdistdist/dnsdist-frontend.hh b/pdns/dnsdistdist/dnsdist-frontend.hh
index fe7f1c2a92..4724c104aa 100644
--- a/pdns/dnsdistdist/dnsdist-frontend.hh
+++ b/pdns/dnsdistdist/dnsdist-frontend.hh
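Review bot: The `udpOnly` branch in `getDNSCryptFrontends` (dnsdist-frontend.cc) yields one context per bind only if every DNSCrypt bind registers a UDP frontend whose `dnscryptCtx` is shared with its TCP frontend, and the new code neither documents nor checks that invariant. A bind that ever ended up TCP-only would silently drop out of the list, and because `frontend->dnscryptCtx` is pushed as-is the result is a list of contexts rather than frontends, despite the function's name. I would add a comment above the definition, for example `/* returns DNSCrypt contexts; with udpOnly set, each bind's shared context appears once, via its UDP frontend */`. The function's `return` and closing brace are outside the hunk.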
@@ -34,7 +34,7 @@ struct DOH3Frontend;
 namespace dnsdist {
 const std::vector>& getFrontends();
-std::vector> getDNSCryptFrontends();
+std::vector> getDNSCryptFrontends(bool udpOnly);
 std::vector> getDoTFrontends();
 std::vector> getDoHFrontends();
 std::vector> getDoQFrontends();
diff --git a/pdns/dnsdistdist/dnsdist-lua.cc b/pdns/dnsdistdist/dnsdist-lua.cc
index f52ae0cfe2..9d2d77c4f0 100644
--- a/pdns/dnsdistdist/dnsdist-lua.cc
+++ b/pdns/dnsdistdist/dnsdist-lua.cc
@@ -1594,7 +1594,11 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 luaCtx.writeFunction("getDNSCryptBind", [](uint64_t idx) {
 setLuaNoSideEffect();
 std::shared_ptr ret = nullptr;
- auto frontends = dnsdist::getDNSCryptFrontends();
+ /* we are only interested in distinct DNSCrypt binds,
+ and we have two frontends (UDP and TCP) per bind
+ sharing the same context so we need to retrieve
+ the UDP ones only . */
+ auto frontends = dnsdist::getDNSCryptFrontends(true);
 if (idx < frontends.size()) {
 ret = frontends.at(idx);
 }
@@ -1603,7 +1607,11 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 luaCtx.writeFunction("getDNSCryptBindCount", []() {
 setLuaNoSideEffect();
- return dnsdist::getDNSCryptFrontends().size();
+ /* we are only interested in distinct DNSCrypt binds,
+ and we have two frontends (UDP and TCP) per bind
+ sharing the same context so we need to retrieve
+ the UDP ones only . */
+ return dnsdist::getDNSCryptFrontends(true).size();
 });
 #endif /* HAVE_DNSCRYPT */
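Review bot: The index-to-bind mapping restored in the `getDNSCryptBind` lambda (dnsdist-lua.cc) has no regression test visible in this diff, although the index is presumably how Lua configurations address one bind's context, for example for certificate management. A test asserting that `getDNSCryptBindCount()` equals the number of configured DNSCrypt binds, and that `getDNSCryptBind(0)` and `getDNSCryptBind(1)` return different contexts, would have caught the breakage. The four-line explanatory comment is repeated verbatim in the `getDNSCryptBindCount` hunk and ends in `only .`; stating it once next to `getDNSCryptFrontends` and passing a named constant, `constexpr bool udpOnly = true;`, would keep the two call sites from drifting. Both lambdas sit inside `setupLuaConfig`, which starts and ends outside the hunks.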