TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Fork TLSConfig for each encrypted connection (#5710)

Browse source 
* Fork TLSConfig for each encrypted connection

Signed-off-by: sanyo <sanyo0714@163.com>
Co-authored-by: sanyo <yeshengan.ysa@alibaba-inc.com>
This commit is contained in:
sanyo0714 2022-10-29 00:55:41 +08:00 committed by GitHub
parent 575825a156
commit 9497644505
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 52 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

4
core/dnsserver/register.go
View file

@ -147,7 +147,9 @@ func (h *dnsContext) MakeServers() ([]caddy.Server, error) {
c.ListenHosts = c.firstConfigInBlock.ListenHosts c.ListenHosts = c.firstConfigInBlock.ListenHosts
c.Debug = c.firstConfigInBlock.Debug c.Debug = c.firstConfigInBlock.Debug
c.Stacktrace = c.firstConfigInBlock.Stacktrace c.Stacktrace = c.firstConfigInBlock.Stacktrace
c.TLSConfig = c.firstConfigInBlock.TLSConfig
// Fork TLSConfig for each encrypted connection
c.TLSConfig = c.firstConfigInBlock.TLSConfig.Clone()
c.TsigSecret = c.firstConfigInBlock.TsigSecret c.TsigSecret = c.firstConfigInBlock.TsigSecret
} }

77
test/tls_test.go
View file

@ -2,45 +2,66 @@ package test
import ( import (
"crypto/tls" "crypto/tls"
"fmt"
"testing" "testing"
"github.com/miekg/dns" "github.com/miekg/dns"
) )
func TestDNSoverTLS(t *testing.T) { func TestTLS(t *testing.T) {
corefile := `tls://.:1053 { tempCorefile := `%s {
tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem
whoami whoami
}` }`
qname := "example.com."
qtype := dns.TypeA dot, doh := ":1053", ":8443"
m := new(dns.Msg)
m.SetQuestion("example.com.", dns.TypeA)
answerLength := 0 answerLength := 0
ex, _, tcp, err := CoreDNSServerAndPorts(corefile) tests := []struct {
if err != nil { server string
t.Fatalf("Could not get CoreDNS serving instance: %s", err) tlsConfig *tls.Config
} }{
defer ex.Stop() {fmt.Sprintf("tls://.%s", dot),
&tls.Config{InsecureSkipVerify: true},
m := new(dns.Msg) },
m.SetQuestion(qname, qtype) {fmt.Sprintf("tls://.%s", dot),
client := dns.Client{ &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"dot"}},
Net: "tcp-tls", },
TLSConfig: &tls.Config{InsecureSkipVerify: true}, {fmt.Sprintf("tls://.%s https://.%s", dot, doh),
} &tls.Config{InsecureSkipVerify: true},
r, _, err := client.Exchange(m, tcp) },
{fmt.Sprintf("tls://.%s https://.%s", dot, doh),
if err != nil { &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"dot"}},
t.Fatalf("Could not exchange msg: %s", err) },
} }
if n := len(r.Answer); n != answerLength { for _, tc := range tests {
t.Fatalf("Expected %v answers, got %v", answerLength, n) ex, _, _, err := CoreDNSServerAndPorts(fmt.Sprintf(tempCorefile, tc.server))
} if err != nil {
if n := len(r.Extra); n != 2 { t.Fatalf("Could not get CoreDNS serving instance: %s", err)
t.Errorf("Expected 2 RRs in additional section, but got %d", n) }
}
if r.Rcode != dns.RcodeSuccess { client := dns.Client{
t.Errorf("Expected success but got %d", r.Rcode) Net: "tcp-tls",
TLSConfig: tc.tlsConfig,
}
r, _, err := client.Exchange(m, dot)
if err != nil {
t.Fatalf("Could not exchange msg: %s", err)
}
if n := len(r.Answer); n != answerLength {
t.Fatalf("Expected %v answers, got %v", answerLength, n)
}
if n := len(r.Extra); n != 2 {
t.Errorf("Expected 2 RRs in additional section, but got %d", n)
}
if r.Rcode != dns.RcodeSuccess {
t.Errorf("Expected success but got %d", r.Rcode)
}
ex.Stop()
} }
} }