2020-01-12 18:23:35 +01:00
|
|
|
package server
|
|
|
|
|
|
|
|
|
|
import (
|
2022-05-27 22:20:44 +02:00
|
|
|
"bytes"
|
2023-10-07 22:21:40 +02:00
|
|
|
"context"
|
2022-09-03 22:24:29 +02:00
|
|
|
"crypto/ecdsa"
|
|
|
|
|
"crypto/elliptic"
|
2022-05-27 22:20:44 +02:00
|
|
|
"crypto/rand"
|
2021-10-02 22:54:56 +02:00
|
|
|
"crypto/tls"
|
2022-05-27 22:20:44 +02:00
|
|
|
"crypto/x509"
|
|
|
|
|
"encoding/pem"
|
2024-01-24 00:48:29 +01:00
|
|
|
"errors"
|
2021-08-25 22:06:34 +02:00
|
|
|
"fmt"
|
2022-09-03 22:24:29 +02:00
|
|
|
"math"
|
2022-05-27 22:20:44 +02:00
|
|
|
"math/big"
|
|
|
|
|
mrand "math/rand"
|
2021-08-25 22:06:34 +02:00
|
|
|
"net"
|
2020-03-06 23:00:14 +01:00
|
|
|
"net/http"
|
2020-02-10 16:12:01 +01:00
|
|
|
"runtime"
|
|
|
|
|
"runtime/debug"
|
2020-12-27 22:04:01 +01:00
|
|
|
"strings"
|
2020-03-06 23:00:14 +01:00
|
|
|
"time"
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2021-08-25 22:06:34 +02:00
|
|
|
"github.com/0xERR0R/blocky/config"
|
|
|
|
|
"github.com/0xERR0R/blocky/log"
|
|
|
|
|
"github.com/0xERR0R/blocky/metrics"
|
2021-08-29 21:51:24 +02:00
|
|
|
"github.com/0xERR0R/blocky/model"
|
2021-12-21 17:06:16 +01:00
|
|
|
"github.com/0xERR0R/blocky/redis"
|
2021-08-25 22:06:34 +02:00
|
|
|
"github.com/0xERR0R/blocky/resolver"
|
|
|
|
|
"github.com/0xERR0R/blocky/util"
|
2022-04-22 22:12:35 +02:00
|
|
|
"github.com/hashicorp/go-multierror"
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2021-12-24 22:56:41 +01:00
|
|
|
"github.com/go-chi/chi/v5"
|
2020-01-12 18:23:35 +01:00
|
|
|
"github.com/miekg/dns"
|
|
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
|
)
|
|
|
|
|
|
2022-05-10 09:09:50 +02:00
|
|
|
const (
|
|
|
|
|
maxUDPBufferSize = 65535
|
2022-05-27 22:20:44 +02:00
|
|
|
caExpiryYears = 10
|
|
|
|
|
certExpiryYears = 5
|
2022-05-10 09:09:50 +02:00
|
|
|
)
|
|
|
|
|
|
2021-02-26 13:45:57 +01:00
|
|
|
// Server controls the endpoints for DNS and HTTP
|
2020-01-12 18:23:35 +01:00
|
|
|
type Server struct {
|
2021-12-20 22:13:07 +01:00
|
|
|
dnsServers []*dns.Server
|
|
|
|
|
httpListeners []net.Listener
|
|
|
|
|
httpsListeners []net.Listener
|
2023-09-09 19:30:55 +02:00
|
|
|
queryResolver resolver.ChainedResolver
|
2021-12-20 22:13:07 +01:00
|
|
|
cfg *config.Config
|
|
|
|
|
httpMux *chi.Mux
|
2022-06-02 16:42:23 +02:00
|
|
|
httpsMux *chi.Mux
|
2022-05-27 22:20:44 +02:00
|
|
|
cert tls.Certificate
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func logger() *logrus.Entry {
|
2021-02-25 23:36:39 +01:00
|
|
|
return log.PrefixedLog("server")
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
2022-05-18 08:10:18 +02:00
|
|
|
func tlsCipherSuites() []uint16 {
|
|
|
|
|
tlsCipherSuites := []uint16{
|
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return tlsCipherSuites
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-28 07:51:46 +02:00
|
|
|
func getServerAddress(addr string) string {
|
|
|
|
|
if !strings.Contains(addr, ":") {
|
2021-12-20 22:13:07 +01:00
|
|
|
addr = fmt.Sprintf(":%s", addr)
|
2020-12-27 22:04:01 +01:00
|
|
|
}
|
|
|
|
|
|
2021-12-20 22:13:07 +01:00
|
|
|
return addr
|
2020-12-27 22:04:01 +01:00
|
|
|
}
|
|
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
type NewServerFunc func(address string) (*dns.Server, error)
|
2021-12-21 22:02:15 +01:00
|
|
|
|
2022-06-04 13:41:09 +02:00
|
|
|
func retrieveCertificate(cfg *config.Config) (cert tls.Certificate, err error) {
|
2022-05-27 22:20:44 +02:00
|
|
|
if cfg.CertFile == "" && cfg.KeyFile == "" {
|
|
|
|
|
cert, err = createSelfSignedCert()
|
|
|
|
|
if err != nil {
|
2022-06-04 13:41:09 +02:00
|
|
|
return tls.Certificate{}, fmt.Errorf("unable to generate self-signed certificate: %w", err)
|
2022-05-27 22:20:44 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Log().Info("using self-signed certificate")
|
|
|
|
|
} else {
|
|
|
|
|
cert, err = tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
|
|
|
|
|
if err != nil {
|
2022-06-04 13:41:09 +02:00
|
|
|
return tls.Certificate{}, fmt.Errorf("can't load certificate files: %w", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewServer creates new server instance with passed config
|
2022-11-29 21:58:26 +01:00
|
|
|
//
|
|
|
|
|
//nolint:funlen
|
2023-10-07 22:21:40 +02:00
|
|
|
func NewServer(ctx context.Context, cfg *config.Config) (server *Server, err error) {
|
2022-06-04 13:41:09 +02:00
|
|
|
var cert tls.Certificate
|
|
|
|
|
|
2022-12-02 21:55:40 +01:00
|
|
|
if len(cfg.Ports.HTTPS) > 0 || len(cfg.Ports.TLS) > 0 {
|
2022-06-04 13:41:09 +02:00
|
|
|
cert, err = retrieveCertificate(cfg)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("can't retrieve cert: %w", err)
|
2022-05-27 22:20:44 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dnsServers, err := createServers(cfg, cert)
|
2022-05-06 22:34:08 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("server creation failed: %w", err)
|
|
|
|
|
}
|
2020-04-08 23:03:07 +02:00
|
|
|
|
2023-09-09 19:30:55 +02:00
|
|
|
httpRouter := createHTTPRouter(cfg)
|
2022-06-02 16:42:23 +02:00
|
|
|
httpsRouter := createHTTPSRouter(cfg)
|
2020-03-07 16:59:04 +01:00
|
|
|
|
2021-12-21 22:02:15 +01:00
|
|
|
httpListeners, httpsListeners, err := createHTTPListeners(cfg)
|
2021-12-20 22:13:07 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2020-05-23 22:54:51 +02:00
|
|
|
|
2021-12-20 22:13:07 +01:00
|
|
|
if len(httpListeners) != 0 || len(httpsListeners) != 0 {
|
2022-06-02 16:42:23 +02:00
|
|
|
metrics.Start(httpRouter, cfg.Prometheus)
|
|
|
|
|
metrics.Start(httpsRouter, cfg.Prometheus)
|
2020-05-23 22:54:51 +02:00
|
|
|
}
|
|
|
|
|
|
2021-01-19 21:52:24 +01:00
|
|
|
metrics.RegisterEventListeners()
|
|
|
|
|
|
2023-10-07 22:21:40 +02:00
|
|
|
bootstrap, err := resolver.NewBootstrap(ctx, cfg)
|
2022-04-22 22:12:35 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-27 18:08:31 +01:00
|
|
|
var redisClient *redis.Client
|
|
|
|
|
if cfg.Redis.IsEnabled() {
|
|
|
|
|
redisClient, err = redis.New(ctx, &cfg.Redis)
|
|
|
|
|
if err != nil && cfg.Redis.Required {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-12-21 17:06:16 +01:00
|
|
|
}
|
|
|
|
|
|
2023-10-07 22:21:40 +02:00
|
|
|
queryResolver, queryError := createQueryResolver(ctx, cfg, bootstrap, redisClient)
|
2021-10-13 22:45:32 +02:00
|
|
|
if queryError != nil {
|
|
|
|
|
return nil, queryError
|
2021-10-13 21:40:18 +02:00
|
|
|
}
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2021-10-13 21:40:18 +02:00
|
|
|
server = &Server{
|
2021-12-20 22:13:07 +01:00
|
|
|
dnsServers: dnsServers,
|
|
|
|
|
queryResolver: queryResolver,
|
|
|
|
|
cfg: cfg,
|
|
|
|
|
httpListeners: httpListeners,
|
|
|
|
|
httpsListeners: httpsListeners,
|
2022-06-02 16:42:23 +02:00
|
|
|
httpMux: httpRouter,
|
|
|
|
|
httpsMux: httpsRouter,
|
2022-05-27 22:20:44 +02:00
|
|
|
cert: cert,
|
2021-10-13 21:40:18 +02:00
|
|
|
}
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2021-10-13 21:40:18 +02:00
|
|
|
server.printConfiguration()
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2023-11-28 07:02:51 +01:00
|
|
|
server.registerDNSHandlers(ctx)
|
2023-09-09 19:30:55 +02:00
|
|
|
err = server.registerAPIEndpoints(httpRouter)
|
2021-02-04 21:59:41 +01:00
|
|
|
|
2023-09-09 19:30:55 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = server.registerAPIEndpoints(httpsRouter)
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-10-13 21:40:18 +02:00
|
|
|
|
2021-10-13 22:45:32 +02:00
|
|
|
return server, err
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
2022-05-27 22:20:44 +02:00
|
|
|
func createServers(cfg *config.Config, cert tls.Certificate) ([]*dns.Server, error) {
|
2022-05-06 22:34:08 +02:00
|
|
|
var dnsServers []*dns.Server
|
|
|
|
|
|
|
|
|
|
var err *multierror.Error
|
|
|
|
|
|
|
|
|
|
addServers := func(newServer NewServerFunc, addresses config.ListenConfig) error {
|
2022-04-22 22:12:35 +02:00
|
|
|
for _, address := range addresses {
|
2022-05-06 22:34:08 +02:00
|
|
|
server, err := newServer(getServerAddress(address))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dnsServers = append(dnsServers, server)
|
2022-04-22 22:12:35 +02:00
|
|
|
}
|
|
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
2022-04-22 22:12:35 +02:00
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
err = multierror.Append(err,
|
2022-12-02 21:55:40 +01:00
|
|
|
addServers(createUDPServer, cfg.Ports.DNS),
|
|
|
|
|
addServers(createTCPServer, cfg.Ports.DNS),
|
2022-05-06 22:34:08 +02:00
|
|
|
addServers(func(address string) (*dns.Server, error) {
|
2023-11-22 03:03:27 +01:00
|
|
|
return createTLSServer(cfg, address, cert)
|
2022-12-02 21:55:40 +01:00
|
|
|
}, cfg.Ports.TLS))
|
2022-04-22 22:12:35 +02:00
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
return dnsServers, err.ErrorOrNil()
|
2022-04-22 22:12:35 +02:00
|
|
|
}
|
|
|
|
|
|
2022-12-26 22:11:45 +01:00
|
|
|
func createHTTPListeners(cfg *config.Config) (httpListeners, httpsListeners []net.Listener, err error) {
|
2022-12-02 21:55:40 +01:00
|
|
|
httpListeners, err = newListeners("http", cfg.Ports.HTTP)
|
2021-12-21 22:02:15 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-02 21:55:40 +01:00
|
|
|
httpsListeners, err = newListeners("https", cfg.Ports.HTTPS)
|
2021-12-21 22:02:15 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return httpListeners, httpsListeners, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-20 22:13:07 +01:00
|
|
|
func newListeners(proto string, addresses config.ListenConfig) ([]net.Listener, error) {
|
|
|
|
|
listeners := make([]net.Listener, 0, len(addresses))
|
|
|
|
|
|
|
|
|
|
for _, address := range addresses {
|
|
|
|
|
listener, err := net.Listen("tcp", getServerAddress(address))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("start %s listener on %s failed: %w", proto, address, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
listeners = append(listeners, listener)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return listeners, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-22 03:03:27 +01:00
|
|
|
func createTLSServer(cfg *config.Config, address string, cert tls.Certificate) (*dns.Server, error) {
|
2021-10-02 22:54:56 +02:00
|
|
|
return &dns.Server{
|
|
|
|
|
Addr: address,
|
|
|
|
|
Net: "tcp-tls",
|
2022-06-04 08:23:40 +02:00
|
|
|
//nolint:gosec
|
2021-10-02 22:54:56 +02:00
|
|
|
TLSConfig: &tls.Config{
|
2022-05-27 22:20:44 +02:00
|
|
|
Certificates: []tls.Certificate{cert},
|
2023-11-23 00:02:10 +01:00
|
|
|
MinVersion: uint16(cfg.MinTLSServeVer),
|
2022-05-18 08:10:18 +02:00
|
|
|
CipherSuites: tlsCipherSuites(),
|
2021-10-02 22:54:56 +02:00
|
|
|
},
|
|
|
|
|
Handler: dns.NewServeMux(),
|
|
|
|
|
NotifyStartedFunc: func() {
|
|
|
|
|
logger().Infof("TLS server is up and running on address %s", address)
|
|
|
|
|
},
|
2022-05-06 22:34:08 +02:00
|
|
|
}, nil
|
2021-10-02 22:54:56 +02:00
|
|
|
}
|
|
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
func createTCPServer(address string) (*dns.Server, error) {
|
2021-02-20 22:02:24 +01:00
|
|
|
return &dns.Server{
|
2021-01-19 21:52:24 +01:00
|
|
|
Addr: address,
|
|
|
|
|
Net: "tcp",
|
|
|
|
|
Handler: dns.NewServeMux(),
|
|
|
|
|
NotifyStartedFunc: func() {
|
2021-10-02 22:54:56 +02:00
|
|
|
logger().Infof("TCP server is up and running on address %s", address)
|
2021-01-19 21:52:24 +01:00
|
|
|
},
|
2022-05-06 22:34:08 +02:00
|
|
|
}, nil
|
2021-01-19 21:52:24 +01:00
|
|
|
}
|
|
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
func createUDPServer(address string) (*dns.Server, error) {
|
2021-02-20 22:02:24 +01:00
|
|
|
return &dns.Server{
|
2021-01-19 21:52:24 +01:00
|
|
|
Addr: address,
|
|
|
|
|
Net: "udp",
|
|
|
|
|
Handler: dns.NewServeMux(),
|
|
|
|
|
NotifyStartedFunc: func() {
|
2021-10-02 22:54:56 +02:00
|
|
|
logger().Infof("UDP server is up and running on address %s", address)
|
2021-01-19 21:52:24 +01:00
|
|
|
},
|
2022-05-10 09:09:50 +02:00
|
|
|
UDPSize: maxUDPBufferSize,
|
2022-05-06 22:34:08 +02:00
|
|
|
}, nil
|
2021-01-19 21:52:24 +01:00
|
|
|
}
|
|
|
|
|
|
2022-11-29 21:58:26 +01:00
|
|
|
//nolint:funlen
|
2022-05-27 22:20:44 +02:00
|
|
|
func createSelfSignedCert() (tls.Certificate, error) {
|
|
|
|
|
// Create CA
|
|
|
|
|
ca := &x509.Certificate{
|
2023-03-16 07:49:09 +01:00
|
|
|
//nolint:gosec
|
2022-11-29 21:58:26 +01:00
|
|
|
SerialNumber: big.NewInt(int64(mrand.Intn(math.MaxInt))),
|
2022-05-27 22:20:44 +02:00
|
|
|
NotBefore: time.Now(),
|
|
|
|
|
NotAfter: time.Now().AddDate(caExpiryYears, 0, 0),
|
|
|
|
|
IsCA: true,
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
|
|
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-03 22:24:29 +02:00
|
|
|
caPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
2022-05-27 22:20:44 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
caPEM := new(bytes.Buffer)
|
|
|
|
|
if err = pem.Encode(caPEM, &pem.Block{
|
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
Bytes: caBytes,
|
|
|
|
|
}); err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
caPrivKeyPEM := new(bytes.Buffer)
|
2022-09-03 22:24:29 +02:00
|
|
|
|
|
|
|
|
b, err := x509.MarshalECPrivateKey(caPrivKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-27 22:20:44 +02:00
|
|
|
if err = pem.Encode(caPrivKeyPEM, &pem.Block{
|
2022-09-03 22:24:29 +02:00
|
|
|
Type: "EC PRIVATE KEY",
|
|
|
|
|
Bytes: b,
|
2022-05-27 22:20:44 +02:00
|
|
|
}); err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create certificate
|
|
|
|
|
cert := &x509.Certificate{
|
2023-03-16 07:49:09 +01:00
|
|
|
//nolint:gosec
|
2022-11-29 21:58:26 +01:00
|
|
|
SerialNumber: big.NewInt(int64(mrand.Intn(math.MaxInt))),
|
2022-05-27 22:20:44 +02:00
|
|
|
DNSNames: []string{"*"},
|
|
|
|
|
NotBefore: time.Now(),
|
|
|
|
|
NotAfter: time.Now().AddDate(certExpiryYears, 0, 0),
|
|
|
|
|
SubjectKeyId: []byte{1, 2, 3, 4, 6},
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
|
|
|
|
KeyUsage: x509.KeyUsageDigitalSignature,
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-03 22:24:29 +02:00
|
|
|
certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
2022-05-27 22:20:44 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certPEM := new(bytes.Buffer)
|
|
|
|
|
if err = pem.Encode(certPEM, &pem.Block{
|
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
Bytes: certBytes,
|
|
|
|
|
}); err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certPrivKeyPEM := new(bytes.Buffer)
|
2022-09-03 22:24:29 +02:00
|
|
|
|
|
|
|
|
b, err = x509.MarshalECPrivateKey(certPrivKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-27 22:20:44 +02:00
|
|
|
if err = pem.Encode(certPrivKeyPEM, &pem.Block{
|
2022-09-03 22:24:29 +02:00
|
|
|
Type: "EC PRIVATE KEY",
|
|
|
|
|
Bytes: b,
|
2022-05-27 22:20:44 +02:00
|
|
|
}); err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
keyPair, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return keyPair, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-22 22:12:35 +02:00
|
|
|
func createQueryResolver(
|
2023-10-07 22:21:40 +02:00
|
|
|
ctx context.Context,
|
2022-04-22 22:12:35 +02:00
|
|
|
cfg *config.Config,
|
|
|
|
|
bootstrap *resolver.Bootstrap,
|
|
|
|
|
redisClient *redis.Client,
|
2023-11-22 04:18:08 +01:00
|
|
|
) (resolver.ChainedResolver, error) {
|
|
|
|
|
upstreamTree, utErr := resolver.NewUpstreamTreeResolver(ctx, cfg.Upstreams, bootstrap)
|
2023-10-07 22:21:40 +02:00
|
|
|
blocking, blErr := resolver.NewBlockingResolver(ctx, cfg.Blocking, redisClient, bootstrap)
|
2023-11-22 04:18:08 +01:00
|
|
|
clientNames, cnErr := resolver.NewClientNamesResolver(ctx, cfg.ClientLookup, cfg.Upstreams, bootstrap)
|
|
|
|
|
condUpstream, cuErr := resolver.NewConditionalUpstreamResolver(ctx, cfg.Conditional, cfg.Upstreams, bootstrap)
|
2023-10-07 22:21:40 +02:00
|
|
|
hostsFile, hfErr := resolver.NewHostsFileResolver(ctx, cfg.HostsFile, bootstrap)
|
2022-04-22 22:12:35 +02:00
|
|
|
|
2023-11-22 04:18:08 +01:00
|
|
|
err := multierror.Append(
|
2023-08-21 09:50:23 +02:00
|
|
|
multierror.Prefix(utErr, "upstream tree resolver: "),
|
2022-04-22 22:12:35 +02:00
|
|
|
multierror.Prefix(blErr, "blocking resolver: "),
|
|
|
|
|
multierror.Prefix(cnErr, "client names resolver: "),
|
|
|
|
|
multierror.Prefix(cuErr, "conditional upstream resolver: "),
|
2023-04-17 18:21:56 +02:00
|
|
|
multierror.Prefix(hfErr, "hosts file resolver: "),
|
|
|
|
|
).ErrorOrNil()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2022-04-22 22:12:35 +02:00
|
|
|
}
|
2021-10-13 21:40:18 +02:00
|
|
|
|
2023-11-22 04:18:08 +01:00
|
|
|
r := resolver.Chain(
|
2022-04-01 08:58:09 +02:00
|
|
|
resolver.NewFilteringResolver(cfg.Filtering),
|
2023-11-21 06:33:38 +01:00
|
|
|
resolver.NewFQDNOnlyResolver(cfg.FQDNOnly),
|
2023-11-20 16:56:56 +01:00
|
|
|
resolver.NewECSResolver(cfg.ECS),
|
2022-11-29 18:55:12 +01:00
|
|
|
clientNames,
|
2023-11-21 06:33:38 +01:00
|
|
|
resolver.NewEDEResolver(cfg.EDE),
|
2023-10-07 22:21:40 +02:00
|
|
|
resolver.NewQueryLoggingResolver(ctx, cfg.QueryLog),
|
2020-05-23 22:54:51 +02:00
|
|
|
resolver.NewMetricsResolver(cfg.Prometheus),
|
2023-03-12 22:14:10 +01:00
|
|
|
resolver.NewRewriterResolver(cfg.CustomDNS.RewriterConfig, resolver.NewCustomDNSResolver(cfg.CustomDNS)),
|
2023-04-17 18:21:56 +02:00
|
|
|
hostsFile,
|
2022-11-29 18:55:12 +01:00
|
|
|
blocking,
|
2023-10-07 22:21:40 +02:00
|
|
|
resolver.NewCachingResolver(ctx, cfg.Caching, redisClient),
|
2023-03-12 22:14:10 +01:00
|
|
|
resolver.NewRewriterResolver(cfg.Conditional.RewriterConfig, condUpstream),
|
2023-05-20 05:10:40 +02:00
|
|
|
resolver.NewSpecialUseDomainNamesResolver(cfg.SUDN),
|
2023-08-21 09:50:23 +02:00
|
|
|
upstreamTree,
|
2022-04-22 22:12:35 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
return r, nil
|
2020-04-08 23:03:07 +02:00
|
|
|
}
|
|
|
|
|
|
2023-11-28 07:02:51 +01:00
|
|
|
func (s *Server) registerDNSHandlers(ctx context.Context) {
|
|
|
|
|
wrappedOnRequest := func(w dns.ResponseWriter, request *dns.Msg) {
|
2023-12-20 01:40:34 +01:00
|
|
|
ip, proto := resolveClientIPAndProtocol(w.RemoteAddr())
|
|
|
|
|
|
|
|
|
|
s.OnRequest(ctx, w, ip, proto, request)
|
2023-11-28 07:02:51 +01:00
|
|
|
}
|
|
|
|
|
|
2021-10-02 22:54:56 +02:00
|
|
|
for _, server := range s.dnsServers {
|
|
|
|
|
handler := server.Handler.(*dns.ServeMux)
|
2023-11-28 07:02:51 +01:00
|
|
|
handler.HandleFunc(".", wrappedOnRequest)
|
2021-10-02 22:54:56 +02:00
|
|
|
handler.HandleFunc("healthcheck.blocky", s.OnHealthCheck)
|
|
|
|
|
}
|
2020-04-10 17:08:59 +02:00
|
|
|
}
|
|
|
|
|
|
2020-01-12 18:23:35 +01:00
|
|
|
func (s *Server) printConfiguration() {
|
|
|
|
|
logger().Info("current configuration:")
|
|
|
|
|
|
2023-11-27 18:08:31 +01:00
|
|
|
if s.cfg.Redis.IsEnabled() {
|
|
|
|
|
logger().Info("Redis:")
|
|
|
|
|
log.WithIndent(logger(), " ", s.cfg.Redis.LogConfig)
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-12 22:14:10 +01:00
|
|
|
resolver.ForEach(s.queryResolver, func(res resolver.Resolver) {
|
|
|
|
|
resolver.LogResolverConfig(res, logger())
|
|
|
|
|
})
|
2020-02-10 16:12:01 +01:00
|
|
|
|
2023-03-12 22:14:10 +01:00
|
|
|
logger().Info("listeners:")
|
|
|
|
|
log.WithIndent(logger(), " ", s.cfg.Ports.LogConfig)
|
2020-03-06 23:00:14 +01:00
|
|
|
|
2020-02-10 16:12:01 +01:00
|
|
|
logger().Info("runtime information:")
|
|
|
|
|
|
|
|
|
|
// force garbage collector
|
|
|
|
|
runtime.GC()
|
|
|
|
|
debug.FreeOSMemory()
|
|
|
|
|
|
2023-03-12 22:14:10 +01:00
|
|
|
logger().Infof(" numCPU = %d", runtime.NumCPU())
|
|
|
|
|
logger().Infof(" numGoroutine = %d", runtime.NumGoroutine())
|
|
|
|
|
|
2020-02-10 16:12:01 +01:00
|
|
|
// gather memory stats
|
|
|
|
|
var m runtime.MemStats
|
|
|
|
|
|
|
|
|
|
runtime.ReadMemStats(&m)
|
|
|
|
|
|
2023-03-12 22:14:10 +01:00
|
|
|
logger().Infof(" memory:")
|
2023-11-17 15:58:35 +01:00
|
|
|
logger().Infof(" heap = %10v MB", toMB(m.HeapAlloc))
|
|
|
|
|
logger().Infof(" sys = %10v MB", toMB(m.Sys))
|
|
|
|
|
logger().Infof(" numGC = %10v", m.NumGC)
|
2020-02-10 16:12:01 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func toMB(b uint64) uint64 {
|
2022-05-10 09:09:50 +02:00
|
|
|
const bytesInKB = 1024
|
|
|
|
|
|
|
|
|
|
return b / bytesInKB / bytesInKB
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
2022-09-03 23:09:11 +02:00
|
|
|
const (
|
|
|
|
|
readHeaderTimeout = 20 * time.Second
|
|
|
|
|
readTimeout = 20 * time.Second
|
|
|
|
|
writeTimeout = 20 * time.Second
|
|
|
|
|
)
|
|
|
|
|
|
2021-02-26 13:45:57 +01:00
|
|
|
// Start starts the server
|
2023-10-07 22:21:40 +02:00
|
|
|
func (s *Server) Start(ctx context.Context, errCh chan<- error) {
|
2020-01-12 18:23:35 +01:00
|
|
|
logger().Info("Starting server")
|
|
|
|
|
|
2021-10-02 22:54:56 +02:00
|
|
|
for _, srv := range s.dnsServers {
|
|
|
|
|
srv := srv
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2021-10-02 22:54:56 +02:00
|
|
|
go func() {
|
|
|
|
|
if err := srv.ListenAndServe(); err != nil {
|
2022-05-06 22:34:08 +02:00
|
|
|
errCh <- fmt.Errorf("start %s listener failed: %w", srv.Net, err)
|
2021-10-02 22:54:56 +02:00
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
}
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2021-12-20 22:13:07 +01:00
|
|
|
for i, listener := range s.httpListeners {
|
|
|
|
|
listener := listener
|
2022-12-02 21:55:40 +01:00
|
|
|
address := s.cfg.Ports.HTTP[i]
|
2021-12-20 22:13:07 +01:00
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
|
logger().Infof("http server is up and running on addr/port %s", address)
|
2020-03-06 23:00:14 +01:00
|
|
|
|
2022-09-03 23:09:11 +02:00
|
|
|
srv := &http.Server{
|
|
|
|
|
ReadTimeout: readTimeout,
|
|
|
|
|
ReadHeaderTimeout: readHeaderTimeout,
|
|
|
|
|
WriteTimeout: writeTimeout,
|
|
|
|
|
Handler: s.httpsMux,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := srv.Serve(listener); err != nil {
|
2022-05-06 22:34:08 +02:00
|
|
|
errCh <- fmt.Errorf("start http listener failed: %w", err)
|
|
|
|
|
}
|
2021-12-20 22:13:07 +01:00
|
|
|
}()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for i, listener := range s.httpsListeners {
|
|
|
|
|
listener := listener
|
2022-12-02 21:55:40 +01:00
|
|
|
address := s.cfg.Ports.HTTPS[i]
|
2020-03-06 23:00:14 +01:00
|
|
|
|
2021-12-20 22:13:07 +01:00
|
|
|
go func() {
|
|
|
|
|
logger().Infof("https server is up and running on addr/port %s", address)
|
2020-05-23 22:54:51 +02:00
|
|
|
|
2022-05-18 08:10:18 +02:00
|
|
|
server := http.Server{
|
2022-08-01 23:19:35 +02:00
|
|
|
Handler: s.httpsMux,
|
2022-09-03 23:09:11 +02:00
|
|
|
ReadTimeout: readTimeout,
|
2022-08-01 23:19:35 +02:00
|
|
|
ReadHeaderTimeout: readHeaderTimeout,
|
2022-09-03 23:09:11 +02:00
|
|
|
WriteTimeout: writeTimeout,
|
2022-06-04 08:23:40 +02:00
|
|
|
//nolint:gosec
|
2022-05-18 08:10:18 +02:00
|
|
|
TLSConfig: &tls.Config{
|
2023-11-23 00:02:10 +01:00
|
|
|
MinVersion: uint16(s.cfg.MinTLSServeVer),
|
2022-05-18 08:10:18 +02:00
|
|
|
CipherSuites: tlsCipherSuites(),
|
2022-05-27 22:20:44 +02:00
|
|
|
Certificates: []tls.Certificate{s.cert},
|
2022-05-18 08:10:18 +02:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-27 22:20:44 +02:00
|
|
|
if err := server.ServeTLS(listener, "", ""); err != nil {
|
2022-05-06 22:34:08 +02:00
|
|
|
errCh <- fmt.Errorf("start https listener failed: %w", err)
|
|
|
|
|
}
|
2021-12-20 22:13:07 +01:00
|
|
|
}()
|
|
|
|
|
}
|
2020-05-23 22:54:51 +02:00
|
|
|
|
2023-10-07 22:21:40 +02:00
|
|
|
registerPrintConfigurationTrigger(ctx, s)
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
2021-02-26 13:45:57 +01:00
|
|
|
// Stop stops the server
|
2023-11-28 07:02:51 +01:00
|
|
|
func (s *Server) Stop(ctx context.Context) error {
|
2020-01-12 18:23:35 +01:00
|
|
|
logger().Info("Stopping server")
|
|
|
|
|
|
2021-10-02 22:54:56 +02:00
|
|
|
for _, server := range s.dnsServers {
|
2023-11-28 07:02:51 +01:00
|
|
|
if err := server.ShutdownContext(ctx); err != nil {
|
2022-05-06 22:34:08 +02:00
|
|
|
return fmt.Errorf("stop %s listener failed: %w", server.Net, err)
|
2021-10-02 22:54:56 +02:00
|
|
|
}
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
2022-05-06 22:34:08 +02:00
|
|
|
|
|
|
|
|
return nil
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
2021-10-13 22:47:14 +02:00
|
|
|
func extractClientIDFromHost(hostName string) string {
|
|
|
|
|
const clientIDPrefix = "id-"
|
|
|
|
|
if strings.HasPrefix(hostName, clientIDPrefix) && strings.Contains(hostName, ".") {
|
|
|
|
|
return hostName[len(clientIDPrefix):strings.Index(hostName, ".")]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-20 01:40:34 +01:00
|
|
|
func newRequest(
|
|
|
|
|
clientIP net.IP, clientID string,
|
|
|
|
|
protocol model.RequestProtocol, request *dns.Msg,
|
2022-12-26 22:11:45 +01:00
|
|
|
) *model.Request {
|
2021-08-29 21:51:24 +02:00
|
|
|
return &model.Request{
|
2021-10-13 22:47:14 +02:00
|
|
|
ClientIP: clientIP,
|
2023-12-20 01:40:34 +01:00
|
|
|
RequestClientID: clientID,
|
2021-10-13 22:47:14 +02:00
|
|
|
Protocol: protocol,
|
|
|
|
|
Req: request,
|
2021-02-25 23:36:39 +01:00
|
|
|
Log: log.Log().WithFields(logrus.Fields{
|
2020-01-12 18:23:35 +01:00
|
|
|
"question": util.QuestionToString(request.Question),
|
|
|
|
|
"client_ip": clientIP,
|
|
|
|
|
}),
|
2021-10-13 22:47:14 +02:00
|
|
|
RequestTS: time.Now(),
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
2020-04-10 17:08:59 +02:00
|
|
|
}
|
|
|
|
|
|
2021-02-26 13:45:57 +01:00
|
|
|
// OnRequest will be executed if a new DNS request is received
|
2023-12-20 01:40:34 +01:00
|
|
|
func (s *Server) OnRequest(
|
|
|
|
|
ctx context.Context, w dns.ResponseWriter,
|
|
|
|
|
clientIP net.IP, protocol model.RequestProtocol,
|
|
|
|
|
request *dns.Msg,
|
|
|
|
|
) {
|
2020-04-10 17:08:59 +02:00
|
|
|
logger().Debug("new request")
|
|
|
|
|
|
2023-12-20 01:40:34 +01:00
|
|
|
var hostName string
|
|
|
|
|
|
|
|
|
|
con, ok := w.(dns.ConnectionStater)
|
|
|
|
|
if ok && con.ConnectionState() != nil {
|
|
|
|
|
hostName = con.ConnectionState().ServerName
|
|
|
|
|
}
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2023-12-20 01:40:34 +01:00
|
|
|
req := newRequest(clientIP, extractClientIDFromHost(hostName), protocol, request)
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2023-12-20 01:40:34 +01:00
|
|
|
response, err := s.resolve(ctx, req)
|
2020-01-12 18:23:35 +01:00
|
|
|
if err != nil {
|
2022-05-16 21:42:18 +02:00
|
|
|
logger().Error("error on processing request:", err)
|
2021-03-26 22:46:58 +01:00
|
|
|
|
|
|
|
|
m := new(dns.Msg)
|
|
|
|
|
m.SetRcode(request, dns.RcodeServerFailure)
|
|
|
|
|
err := w.WriteMsg(m)
|
|
|
|
|
util.LogOnError("can't write message: ", err)
|
2020-01-12 18:23:35 +01:00
|
|
|
} else {
|
2023-12-20 01:40:34 +01:00
|
|
|
err := w.WriteMsg(response.Res)
|
|
|
|
|
util.LogOnError("can't write message: ", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-01-12 18:23:35 +01:00
|
|
|
|
2023-12-20 01:40:34 +01:00
|
|
|
func (s *Server) resolve(ctx context.Context, request *model.Request) (*model.Response, error) {
|
|
|
|
|
var response *model.Response
|
2021-05-08 22:56:18 +02:00
|
|
|
|
2024-01-29 17:22:03 +01:00
|
|
|
contextUpstreamTimeoutMultiplier := 100
|
|
|
|
|
timeoutDuration := time.Duration(contextUpstreamTimeoutMultiplier) * s.cfg.Upstreams.Timeout.ToDuration()
|
|
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, timeoutDuration)
|
|
|
|
|
|
|
|
|
|
defer cancel()
|
|
|
|
|
|
2023-12-20 01:40:34 +01:00
|
|
|
switch {
|
|
|
|
|
case len(request.Req.Question) == 0:
|
|
|
|
|
m := new(dns.Msg)
|
|
|
|
|
m.SetRcode(request.Req, dns.RcodeFormatError)
|
2021-05-08 22:56:18 +02:00
|
|
|
|
2023-12-20 01:40:34 +01:00
|
|
|
request.Log.Error("query has no questions")
|
|
|
|
|
|
|
|
|
|
response = &model.Response{Res: m, RType: model.ResponseTypeCUSTOMDNS, Reason: "CUSTOM DNS"}
|
|
|
|
|
default:
|
|
|
|
|
var err error
|
|
|
|
|
|
|
|
|
|
response, err = s.queryResolver.Resolve(ctx, request)
|
|
|
|
|
if err != nil {
|
2024-01-24 00:48:29 +01:00
|
|
|
var upstreamErr *resolver.UpstreamServerError
|
|
|
|
|
|
|
|
|
|
if errors.As(err, &upstreamErr) {
|
|
|
|
|
response = &model.Response{Res: upstreamErr.Msg, RType: model.ResponseTypeRESOLVED, Reason: upstreamErr.Error()}
|
|
|
|
|
} else {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2023-12-20 01:40:34 +01:00
|
|
|
}
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
2023-12-20 01:40:34 +01:00
|
|
|
|
|
|
|
|
response.Res.MsgHdr.RecursionAvailable = request.Req.MsgHdr.RecursionDesired
|
|
|
|
|
|
|
|
|
|
// truncate if necessary
|
|
|
|
|
response.Res.Truncate(getMaxResponseSize(request))
|
|
|
|
|
|
|
|
|
|
// enable compression
|
|
|
|
|
response.Res.Compress = true
|
|
|
|
|
|
|
|
|
|
return response, nil
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
2022-04-22 22:12:35 +02:00
|
|
|
// returns EDNS UDP size or if not present, 512 for UDP and 64K for TCP
|
2023-12-13 01:46:21 +01:00
|
|
|
func getMaxResponseSize(req *model.Request) int {
|
|
|
|
|
edns := req.Req.IsEdns0()
|
2021-05-08 22:56:18 +02:00
|
|
|
if edns != nil && edns.UDPSize() > 0 {
|
|
|
|
|
return int(edns.UDPSize())
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-13 01:46:21 +01:00
|
|
|
if req.Protocol == model.RequestProtocolTCP {
|
2021-05-08 22:56:18 +02:00
|
|
|
return dns.MaxMsgSize
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return dns.MinMsgSize
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-26 13:45:57 +01:00
|
|
|
// OnHealthCheck Handler for docker health check. Just returns OK code without delegating to resolver chain
|
2020-02-10 22:39:16 +01:00
|
|
|
func (s *Server) OnHealthCheck(w dns.ResponseWriter, request *dns.Msg) {
|
|
|
|
|
resp := new(dns.Msg)
|
|
|
|
|
resp.SetReply(request)
|
|
|
|
|
resp.Rcode = dns.RcodeSuccess
|
|
|
|
|
|
2021-01-19 21:52:24 +01:00
|
|
|
err := w.WriteMsg(resp)
|
|
|
|
|
util.LogOnError("can't write message: ", err)
|
2020-02-10 22:39:16 +01:00
|
|
|
}
|
|
|
|
|
|
2021-08-29 21:51:24 +02:00
|
|
|
func resolveClientIPAndProtocol(addr net.Addr) (ip net.IP, protocol model.RequestProtocol) {
|
2020-01-12 18:23:35 +01:00
|
|
|
if t, ok := addr.(*net.UDPAddr); ok {
|
2021-09-09 22:57:05 +02:00
|
|
|
return t.IP, model.RequestProtocolUDP
|
2020-01-12 18:23:35 +01:00
|
|
|
} else if t, ok := addr.(*net.TCPAddr); ok {
|
2021-09-09 22:57:05 +02:00
|
|
|
return t.IP, model.RequestProtocolTCP
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
|
|
|
|
|
2021-09-09 22:57:05 +02:00
|
|
|
return nil, model.RequestProtocolUDP
|
2020-01-12 18:23:35 +01:00
|
|
|
}
|
