TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 4 Projects Releases Packages Wiki Activity Actions

custom DoH request validation (#4329)

Browse source 
* custom DoH request validation

Signed-off-by: Johnny Bergström <johnny@klaudify.se>

* add comment and test

Signed-off-by: Johnny Bergström <johnny@klaudify.se>

* NewServerHTTPS comment typo

Signed-off-by: Johnny Bergström <johnny@klaudify.se>
This commit is contained in:
Johnny Bergström 2020-12-15 14:26:07 +01:00 committed by GitHub
parent 6af47bac39
commit be955daa37
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 90 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
core/dnsserver/config.go
View file

@ -3,6 +3,7 @@ package dnsserver
import ( import (
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"net/http"
"github.com/coredns/caddy" "github.com/coredns/caddy"
"github.com/coredns/coredns/plugin" "github.com/coredns/coredns/plugin"
@ -31,6 +32,11 @@ type Config struct {
// DNS-over-TLS or DNS-over-gRPC. // DNS-over-TLS or DNS-over-gRPC.
Transport string Transport string
// If this function is not nil it will be used to inspect and validate
// HTTP requests. Although this isn't referenced in-tree, external plugins
// may depend on it.
HTTPRequestValidateFunc func(*http.Request) bool
// If this function is not nil it will be used to further filter access // If this function is not nil it will be used to further filter access
// to this handler. The primary use is to limit access to a reverse zone // to this handler. The primary use is to limit access to a reverse zone
// on a non-octet boundary, i.e. /17 // on a non-octet boundary, i.e. /17

24
core/dnsserver/server_https.go
View file

@ -20,12 +20,13 @@ import (
// ServerHTTPS represents an instance of a DNS-over-HTTPS server. // ServerHTTPS represents an instance of a DNS-over-HTTPS server.
type ServerHTTPS struct { type ServerHTTPS struct {
*Server *Server
httpsServer *http.Server httpsServer *http.Server
listenAddr net.Addr listenAddr net.Addr
tlsConfig *tls.Config tlsConfig *tls.Config
validRequest func(*http.Request) bool
} }
// NewServerHTTPS returns a new CoreDNS GRPC server and compiles all plugins in to it. // NewServerHTTPS returns a new CoreDNS HTTPS server and compiles all plugins in to it.
func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) { func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
s, err := NewServer(addr, group) s, err := NewServer(addr, group)
if err != nil { if err != nil {
@ -45,12 +46,23 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
// or the upgrade won't happen. // or the upgrade won't happen.
tlsConfig.NextProtos = []string{"h2", "http/1.1"} tlsConfig.NextProtos = []string{"h2", "http/1.1"}
// Use a custom request validation func or use the standard DoH path check.
var validator func(*http.Request) bool
for _, conf := range s.zones {
validator = conf.HTTPRequestValidateFunc
}
if validator == nil {
validator = func(r *http.Request) bool { return r.URL.Path == doh.Path }
}
srv := &http.Server{ srv := &http.Server{
ReadTimeout: 5 * time.Second, ReadTimeout: 5 * time.Second,
WriteTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second,
IdleTimeout: 120 * time.Second, IdleTimeout: 120 * time.Second,
} }
sh := &ServerHTTPS{Server: s, tlsConfig: tlsConfig, httpsServer: srv} sh := &ServerHTTPS{
Server: s, tlsConfig: tlsConfig, httpsServer: srv, validRequest: validator,
}
sh.httpsServer.Handler = sh sh.httpsServer.Handler = sh
return sh, nil return sh, nil
@ -114,7 +126,7 @@ func (s *ServerHTTPS) Stop() error {
// chain, converts it back and write it to the client. // chain, converts it back and write it to the client.
func (s *ServerHTTPS) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (s *ServerHTTPS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != doh.Path { if !s.validRequest(r) {
http.Error(w, "", http.StatusNotFound) http.Error(w, "", http.StatusNotFound)
return return
} }

66
core/dnsserver/server_https_test.go Normal file
View file

@ -0,0 +1,66 @@
package dnsserver
import (
"bytes"
"crypto/tls"
"net/http"
"net/http/httptest"
"regexp"
"testing"
"github.com/miekg/dns"
)
var (
validPath = regexp.MustCompile("^/(dns-query|(?P<uuid>[0-9a-f]+))$")
validator = func(r *http.Request) bool { return validPath.MatchString(r.URL.Path) }
)
func testServerHTTPS(t *testing.T, path string, validator func(*http.Request) bool) *http.Response {
c := Config{
Zone: "example.com.",
Transport: "https",
TLSConfig: &tls.Config{},
ListenHosts: []string{"127.0.0.1"},
Port: "443",
HTTPRequestValidateFunc: validator,
}
s, err := NewServerHTTPS("127.0.0.1:443", []*Config{&c})
if err != nil {
t.Log(err)
t.Fatal("could not create HTTPS server")
}
m := new(dns.Msg)
m.SetQuestion("example.org.", dns.TypeDNSKEY)
buf, err := m.Pack()
if err != nil {
t.Fatal(err)
}
r := httptest.NewRequest(http.MethodPost, path, bytes.NewReader(buf))
w := httptest.NewRecorder()
s.ServeHTTP(w, r)
return w.Result()
}
func TestCustomHTTPRequestValidator(t *testing.T) {
testCases := map[string]struct {
path string
expected int
validator func(*http.Request) bool
}{
"default": {"/dns-query", http.StatusOK, nil},
"custom validator": {"/b10cada", http.StatusOK, validator},
"no validator set": {"/adb10c", http.StatusNotFound, nil},
"invalid path with validator": {"/helloworld", http.StatusNotFound, validator},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
res := testServerHTTPS(t, tc.path, tc.validator)
if res.StatusCode != tc.expected {
t.Error("unexpected HTTP code", res.StatusCode)
}
})
}
}