-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Plugin: QUIC proxy [RFC9250] #6245
base: master
Are you sure you want to change the base?
Conversation
78c08a5
to
588da60
Compare
plugin/quic/quic.go
Outdated
// reached the end of list without any answer | ||
if ret != nil { | ||
// write empty response and finish | ||
w.WriteMsg(ret) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that writing an empty dns message to client would result in client-side parsing/validation errors. I think the proper response id with a SERVFAIL response code, with question correctly set. Returning a servfail and error instead of writing a response would work too (base server code writes an error response to client when ServeDNS returns a SERVFAIL code).
w.WriteMsg(ret) | |
return dns.RcodeServerFailure, <some-error> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed and fixed. I got this code from the grpc
plugin, should we port this fix there too?
Lines 51 to 54 in b5e6291
// reached the end of list without any answer | |
if ret != nil { | |
// write empty response and finish | |
w.WriteMsg(ret) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we port this fix there too?
Probably, but not in this PR.
@@ -0,0 +1,68 @@ | |||
package quic |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This policy selection code has been repeated across several plugins now (forward
, grpc
, quic
). Should we unify it? If so, where should it be? plugin/pkg
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be a good place. Thanks!
@@ -117,6 +121,38 @@ func TestQUICProtocolError(t *testing.T) { | |||
} | |||
} | |||
|
|||
func TestQUICPlugin(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The plugin integration test ended up in the test
folder. Unlike forward
, setting up a mock quic
server to answer a simple DNS query is not easy because you need not only to create a listener but also accept connections, streams, write, and close to the stream, all manually.
The best way I found to make it work and avoid flakiness was to use the CoreDNSServerAndPorts
function to spin up a CoreDNS QUIC server and test the plugin against it.
Signed-off-by: João Henri <joao.rocha@suse.com>
Also add relevant documentation to QUIC proxy.go Signed-off-by: João Henri <joao.rocha@suse.com>
Signed-off-by: João Henri <joao.rocha@suse.com>
Signed-off-by: João Henri <joao.rocha@suse.com>
Signed-off-by: jaehnri <joao.henri.cr@gmail.com>
Signed-off-by: jaehnri <joao.henri.cr@gmail.com>
Signed-off-by: jaehnri <joao.henri.cr@gmail.com>
Signed-off-by: jaehnri <joao.henri.cr@gmail.com>
Signed-off-by: jaehnri <joao.henri.cr@gmail.com>
262007b
to
3fa11dc
Compare
if q.tlsServerName != "" { | ||
q.tlsConfig.ServerName = q.tlsServerName | ||
} else { | ||
q.tlsConfig.InsecureSkipVerify = true |
Check failure
Code scanning / CodeQL
Disabled TLS certificate check High
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll have to find a way to circumvent this. quic-go
doesn't work without tls.Config
and I couldn't set the tls_servername
using plugin/tls
test certificates.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jaehnri the plugin/dns test certs common name is empty, therefore the hostname cannot match. My suggestion would be to drop the tls_servername option, because it should never be needed (the tls package checks if the common name, subject alternative names or ip addresses contains the hosts name) and instead introduce the option tls_skip_verify. For test cases u can set the common name manually via the tlsConfig
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #6245 +/- ##
==========================================
+ Coverage 55.70% 57.96% +2.26%
==========================================
Files 224 256 +32
Lines 10016 16868 +6852
==========================================
+ Hits 5579 9777 +4198
- Misses 3978 6494 +2516
- Partials 459 597 +138 ☔ View full report in Codecov by Sentry. |
@jaehnri, What is the state of this PR. Is it pending a final review, or are there parts yet to complete? |
1. Why is this pull request needed and what does it do?
This PR adds support for QUIC proxying in CoreDNS
2. Which issues (if any) are related?
Closes #5583
3. Which documentation changes (if any) need to be made?
README documentation for the plugin was added, but it is possible that there are more places to update.
4. Does this introduce a backward incompatible change or deprecation?
No.