From: Oto Šťáva
Date: Thu, 23 May 2024 16:03:02 +0000 (+0200)
Subject: daemon: insecure DNS-over-HTTP
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fnaked-http;p=thirdparty%2Fknot-resolver.git

daemon: insecure DNS-over-HTTP

Adds a special insecure protocol layer sequence for querying DNS over plain cleartext HTTP/2.
---
diff --git a/daemon/bindings/net.c b/daemon/bindings/net.c
index aaeef2387..b4f139874 100644
--- a/daemon/bindings/net.c
+++ b/daemon/bindings/net.c
@@ -26,8 +26,12 @@ static int net_list_add(const char *b_key, uint32_t key_len, trie_val_t *val, vo
 if (ep->flags.kind) {
 lua_pushstring(L, ep->flags.kind);
- } else if (ep->flags.http && ep->flags.tls) {
- lua_pushliteral(L, "doh2");
+ } else if (ep->flags.http) {
+ if (ep->flags.tls) {
+ lua_pushliteral(L, "doh2");
+ } else {
+ lua_pushliteral(L, "doh2-insecure");
+ }
 } else if (ep->flags.tls) {
 lua_pushliteral(L, "tls");
 } else if (ep->flags.xdp) {
@@ -255,6 +259,9 @@ static int net_listen(lua_State *L)
 flags.http = false;
 } else if (k && strcasecmp(k, "doh2") == 0) {
 flags.tls = flags.http = true;
+ } else if (k && strcasecmp(k, "doh2-insecure") == 0) {
+ flags.tls = false;
+ flags.http = true;
 } else if (k) {
 flags.kind = k;
 if (strcasecmp(k, "doh") == 0) {
diff --git a/daemon/io.c b/daemon/io.c
index b6b289aea..462435db8 100644
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -406,6 +406,11 @@ static void https_accept(uv_stream_t *master, int status)
 {
 tcp_accept_internal(master, status, KR_PROTO_DOH);
 }
+
+static void http_insecure_accept(uv_stream_t *master, int status)
+{
+ tcp_accept_internal(master, status, KR_PROTO_DOH_INSECURE);
+}
 #endif
 int io_listen_tcp(uv_loop_t *loop, uv_tcp_t *handle, int fd, int tcp_backlog, bool has_tls, bool has_http)
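Review bot: The nested `if (ep->flags.tls)` inside the new `ep->flags.http` branch breaks the one-branch-per-kind shape of the surrounding `else if` chain in net_list_add. Keeping the original `} else if (ep->flags.http && ep->flags.tls) {` / `lua_pushliteral(L, "doh2");` pair and adding `} else if (ep->flags.http) { lua_pushliteral(L, "doh2-insecure");` directly after it pushes the same strings with two added lines instead of six, and a reader scanning for which kind string maps to which flag combination sees one branch per string. Behaviour is identical either way, since the tls-only and xdp branches are unreachable once `http` is set. net_list_add starts before this hunk.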
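Review bot: The `doh2-insecure` branch in net_listen accepts the cleartext kind silently, so a configuration that serves DNS over unencrypted HTTP/2 leaves no trace in the log; the commit message is the only place that calls it insecure. A one-line warning next to `flags.http = true;` — e.g. `kr_log_warning(NETWORK, "'doh2-insecure' listens for DNS over cleartext HTTP/2; use only behind a TLS-terminating proxy or on a trusted interface\n")`, assuming a warning-level sibling of the `kr_log_error(IO, …)` used in io.c in this same commit exists and whichever log group this file already uses — makes the choice visible to whoever operates the resolver. The explicit `flags.tls = false;` is fine, but it is the only branch in the chain that resets a flag another branch sets, which is worth a word in that same comment. net_listen begins and ends outside this hunk.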
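Review bot: `http_insecure_accept` lands without a comment, and the only thing distinguishing it from `https_accept` directly above is the `KR_PROTO_DOH_INSECURE` tag passed to `tcp_accept_internal`, so a reader has to go to session2.c to learn that sessions accepted here presumably get no TLS layer. A comment above the function would carry that: `/* Accept callback for "doh2-insecure": same as https_accept(), but the session is tagged KR_PROTO_DOH_INSECURE, whose layer group (session2.c) has no TLS — peers are neither authenticated nor encrypted. */`. The function sits inside the same conditional region as https_accept (the `#if` that the visible `#endif` closes is outside the hunk), which is consistent with the `#if ENABLE_DOH2` guard on its use in io_listen_tcp, but that opening `#if` should be checked to be the same one.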
@@ -428,7 +433,12 @@ int io_listen_tcp(uv_loop_t *loop, uv_tcp_t *handle, int fd, int tcp_backlog, bo
 } else if (has_tls) {
 connection = tls_accept;
 } else if (has_http) {
- return kr_error(EPROTONOSUPPORT);
+#if ENABLE_DOH2
+ connection = http_insecure_accept;
+#else
+ kr_log_error(IO, "kresd was compiled without libnghttp2 support\n");
+ return kr_error(ENOPROTOOPT);
+#endif
 } else {
 connection = tcp_accept;
 }
diff --git a/daemon/session2.c b/daemon/session2.c
index 19ea42dc3..c451ef4a7 100644
--- a/daemon/session2.c
+++ b/daemon/session2.c
@@ -60,6 +60,13 @@ static const enum protolayer_type protolayer_grp_doh[] = {
 PROTOLAYER_TYPE_DNS_UNSIZED_STREAM,
 };
+static const enum protolayer_type protolayer_grp_doh_insecure[] = {
+ PROTOLAYER_TYPE_TCP,
+ PROTOLAYER_TYPE_PROXYV2_STREAM,
+ PROTOLAYER_TYPE_HTTP,
+ PROTOLAYER_TYPE_DNS_UNSIZED_STREAM,
+};
+
 static const enum protolayer_type protolayer_grp_doq[] = {
 // not yet used
 PROTOLAYER_TYPE_NULL,
diff --git a/lib/proto.h b/lib/proto.h
index 875fe8e30..415effe0f 100644
--- a/lib/proto.h
+++ b/lib/proto.h
@@ -26,6 +26,7 @@
 XX(TCP53, tcp53, "DNS TCP") \
 XX(DOT, dot, "DNS-over-TLS") \
 XX(DOH, doh, "DNS-over-HTTPS") \
+ XX(DOH_INSECURE, doh_insecure, "Insecure DNS-over-HTTP") \
 XX(DOQ, doq, "DNS-over-QUIC") /* unused for now */ \
 //
diff --git a/manager/knot_resolver_manager/datamodel/network_schema.py b/manager/knot_resolver_manager/datamodel/network_schema.py
index 289104b82..b5c635b48 100644
--- a/manager/knot_resolver_manager/datamodel/network_schema.py
+++ b/manager/knot_resolver_manager/datamodel/network_schema.py
@@ -20,7 +20,7 @@ from knot_resolver_manager.datamodel.types import (
 )
 from knot_resolver_manager.utils.modeling import ConfigSchema
-KindEnum = Literal["dns", "xdp", "dot", "doh-legacy", "doh2"]
+KindEnum = Literal["dns", "xdp", "dot", "doh-legacy", "doh2", "doh2-insecure"]
 class EdnsBufferSizeSchema(ConfigSchema):
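Review bot: The `#else` branch changes the error returned for a plain-HTTP listener on a build without nghttp2 from `EPROTONOSUPPORT` to `ENOPROTOOPT`, and nothing in the commit says why; any caller or Lua-side message that matched the old errno will now see a different one. If the `has_tls && has_http` branch above (outside the hunk) returns a specific code in its own no-nghttp2 path, this branch should return the same code; otherwise keeping `return kr_error(EPROTONOSUPPORT);` under the new log line preserves the previous contract. The log line itself is a good addition, since the bare error gave no hint that a build option was the cause. io_listen_tcp starts and ends outside this hunk.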
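Review bot: `protolayer_grp_doh_insecure` has no comment saying how it relates to `protolayer_grp_doh`, whose start is outside the hunk; from the names it is presumably the same sequence minus the TLS layer, and that should be written down so nobody adds a layer to one group and forgets the other. The same comment should note that `PROTOLAYER_TYPE_PROXYV2_STREAM` is kept in the cleartext group, so a client reaching this endpoint can present a PROXYv2 header and whatever source-address gating applies to PROXYv2 on the TLS groups has to cover this group as well — verify that it does. Suggested comment above the array: `// "doh2-insecure": the DoH group without TLS (cleartext HTTP/2 over TCP). Keep in sync with protolayer_grp_doh; PROXYv2 is still parsed on this path.`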
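Review bot: `DOH_INSECURE` is inserted between `DOH` and `DOQ` rather than appended, so if the `XX` list also expands into a numeric enum (likely, given the `KR_PROTO_DOH` / `KR_PROTO_DOH_INSECURE` tags used in io.c), the value of `DOQ` shifts by one. That is harmless while the values only live in-process, but if they are persisted or exposed anywhere (a rules database, statistics keys, an ABI), appending the new line after `XX(DOQ, doq, "DNS-over-QUIC") /* unused for now */ \` avoids a silent renumbering; the `unused for now` marker on `DOQ` suggests order carries no meaning, but that is worth confirming. Every `switch` over the protocol enum elsewhere also gains a case to handle; `-Wswitch` will flag the ones without a `default`.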
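Review bot: `KindEnum` now accepts `"doh2-insecure"`, but nothing on the schema side tells the user what they are enabling; the description of the `kind` field on `ListenSchema` (outside this hunk) should state that this value serves DNS over unencrypted HTTP/2 and is intended only behind a TLS-terminating proxy or on a trusted interface. If the manager generates its configuration reference from these schemas (assumption — verify), that one sentence is where most operators would first see the warning.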
@@ -123,6 +123,8 @@ class ListenSchema(ConfigSchema):
 return PortNumber(853)
 elif origin.kind in ["doh-legacy", "doh2"]:
 return PortNumber(443)
+ elif origin.kind == "doh2-insecure":
+ return PortNumber(80)
 return PortNumber(53)
 return None
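Review bot: The new `elif` makes port 80 the default for `doh2-insecure`, so a listen entry that names only an interface lands on the standard cleartext HTTP port; that is a sensible default, but it also means changing `kind: doh2` to `kind: doh2-insecure` in an existing entry without an explicit port silently moves an encrypted resolver to an unencrypted one on a public port, with no complaint from validation. A validation-time warning for this kind, or at minimum a line in the `port` field's description listing 80 next to the existing 53/443/853 defaults, would make that visible; whether `ListenSchema` has a validation hook that can emit warnings is not shown here. The enclosing method starts outside the hunk.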