New Plugin: QUIC proxy [RFC9250]

[jaehnri]

1. Why is this pull request needed and what does it do?

This PR adds support for QUIC proxying in CoreDNS

2. Which issues (if any) are related?

Closes #5583

3. Which documentation changes (if any) need to be made?

README documentation for the plugin was added, but it is possible that there are more places to update.

4. Does this introduce a backward incompatible change or deprecation?

No.

[chrisohaver]

I think that writing an empty dns message to client would result in client-side parsing/validation errors. I think the proper response id with a SERVFAIL response code, with question correctly set. Returning a servfail and error instead of writing a response would work too (base server code writes an error response to client when ServeDNS returns a SERVFAIL code).

Suggested change

	w.WriteMsg(ret)
	return dns.RcodeServerFailure, <some-error>

[jaehnri]

Agreed and fixed. I got this code from the grpc plugin, should we port this fix there too?

coredns/plugin/grpc/grpc.go

Lines 51 to 54 in b5e6291

	// reached the end of list without any answer
	if ret != nil {
	// write empty response and finish
	w.WriteMsg(ret)

[chrisohaver]

should we port this fix there too?

Probably, but not in this PR.

[jaehnri]

This policy selection code has been repeated across several plugins now (forward, grpc, quic). Should we unify it? If so, where should it be? plugin/pkg?

[chrisohaver]

That would be a good place. Thanks!

[jaehnri]

The plugin integration test ended up in the test folder. Unlike forward, setting up a mock quic server to answer a simple DNS query is not easy because you need not only to create a listener but also accept connections, streams, write, and close to the stream, all manually.

The best way I found to make it work and avoid flakiness was to use the CoreDNSServerAndPorts function to spin up a CoreDNS QUIC server and test the plugin against it.

[jaehnri]

I'll have to find a way to circumvent this. quic-go doesn't work without tls.Config and I couldn't set the tls_servername using plugin/tls test certificates.

[iFrozenPhoenix]

@jaehnri the plugin/dns test certs common name is empty, therefore the hostname cannot match. My suggestion would be to drop the tls_servername option, because it should never be needed (the tls package checks if the common name, subject alternative names or ip addresses contains the hosts name) and instead introduce the option tls_skip_verify. For test cases u can set the common name manually via the tlsConfig

[codecov]

Codecov Report

Attention: Patch coverage is 32.13213% with 226 lines in your changes are missing coverage. Please review.

Project coverage is 57.96%. Comparing base (93c57b6) to head (3fa11dc).
Report is 1152 commits behind head on master.

Files	Patch %	Lines
plugin/quic/proxy.go	12.82%	102 Missing ⚠️
plugin/quic/quic.go	6.94%	67 Missing ⚠️
plugin/quic/setup.go	66.96%	29 Missing and 8 partials ⚠️
plugin/quic/policy.go	40.00%	18 Missing ⚠️
core/dnsserver/server_quic.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6245      +/-   ##
==========================================
+ Coverage   55.70%   57.96%   +2.26%     
==========================================
  Files         224      256      +32     
  Lines       10016    16868    +6852     
==========================================
+ Hits         5579     9777    +4198     
- Misses       3978     6494    +2516     
- Partials      459      597     +138     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[chrisohaver]

@jaehnri, What is the state of this PR. Is it pending a final review, or are there parts yet to complete?