tls protocol for DoT added, minor refactoring

2025-09-01 18:19:12 +00:00 · 2022-07-21 11:07:44 +02:00 · 2022-07-21 11:07:44 +02:00 · efd33c223f
commit efd33c223f
parent 598dc9d254
5 changed files with 35 additions and 42 deletions
--- a/resolver/config.go
+++ b/resolver/config.go
@ -111,7 +111,7 @@ The format is: "protocol://ip:port?parameter=value&parameter=value"
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
 		DefaultValue:    defaultNameServers,
-		ValidationRegex: fmt.Sprintf("^(%s|%s|%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDoH, ServerTypeDNS, ServerTypeTCP, HttpsProtocol),
+		ValidationRegex: fmt.Sprintf("^(%s|%s|%s|%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDoH, ServerTypeDNS, ServerTypeTCP, HttpsProtocol, TlsProtocol),
 		ValidationFunc:  validateNameservers,
 		Annotations: config.Annotations{
 			config.DisplayHintAnnotation:  config.DisplayHintOrdered,
--- a/resolver/resolver-https.go
+++ b/resolver/resolver-https.go
@ -6,10 +6,8 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
-	"net"
 	"net/http"
 	"net/url"
-	"strconv"

 	"github.com/miekg/dns"
 )
@ -43,11 +41,11 @@ func (tq *HttpsQuery) MakeCacheRecord(reply *dns.Msg, resolverInfo *ResolverInfo
 func NewHTTPSResolver(resolver *Resolver) *HttpsResolver {
 	tr := &http.Transport{}

-	if resolver.ServerAddress != "" {
+	if resolver.Info.IP != nil {
 		tr = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				MinVersion: tls.VersionTLS12,
-				ServerName: resolver.VerifyDomain,
+				ServerName: resolver.Info.Domain,
 				// TODO: use portbase rng
 			},
 		}
@ -70,7 +68,7 @@ func (hr *HttpsResolver) Query(ctx context.Context, q *Query) (*RRCache, error)

 	// Do not resolve domain names that are needed to initialize a resolver
 	if hr.resolver.Info.IP == nil {
-		if _, ok := resolverInitDomains[q.FQDN[:len(q.FQDN)-1]]; ok {
+		if _, ok := resolverInitDomains[q.FQDN]; ok {
 			return nil, ErrContinue
 		}
 	}
@ -85,16 +83,10 @@ func (hr *HttpsResolver) Query(ctx context.Context, q *Query) (*RRCache, error)
 	}
 	b64dns := base64.RawStdEncoding.EncodeToString(buf)

-	// Set the host, if we dont have IP address just use the domain
-	host := hr.resolver.ServerAddress
-	if host == "" {
-		host = net.JoinHostPort(hr.resolver.VerifyDomain, strconv.Itoa(int(hr.resolver.Info.Port)))
-	}
-
 	// Build and execute http reuqest
 	url := &url.URL{
 		Scheme:     "https",
-		Host:       host,
+		Host:       hr.resolver.ServerAddress,
 		Path:       hr.resolver.Path,
 		ForceQuery: true,
 		RawQuery:   fmt.Sprintf("dns=%s", b64dns),
--- a/resolver/resolver-tcp.go
+++ b/resolver/resolver-tcp.go
@ -7,7 +7,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"strconv"
 	"time"

 	"github.com/miekg/dns"
@ -100,7 +99,7 @@ func (tr *TCPResolver) UseTLS() *TCPResolver {
 	tr.dnsClient.Net = "tcp-tls"
 	tr.dnsClient.TLSConfig = &tls.Config{
 		MinVersion: tls.VersionTLS12,
-		ServerName: tr.resolver.VerifyDomain,
+		ServerName: tr.resolver.Info.Domain,
 		// TODO: use portbase rng
 	}
 	return tr
@ -143,14 +142,8 @@ func (tr *TCPResolver) getOrCreateResolverConn(ctx context.Context) (*tcpResolve
 		KeepAlive: defaultClientTTL,
 	}

-	// Set the host, if we dont have IP address just use the domain
-	host := tr.resolver.ServerAddress
-	if host == "" {
-		host = net.JoinHostPort(tr.resolver.VerifyDomain, strconv.Itoa(int(tr.resolver.Info.Port)))
-	}
-
 	// Connect to server.
-	conn, err := tr.dnsClient.Dial(host)
+	conn, err := tr.dnsClient.Dial(tr.resolver.ServerAddress)
 	if err != nil {
 		// Hint network environment at failed connection.
 		netenv.ReportFailedConnection()
@ -194,7 +187,7 @@ func (tr *TCPResolver) getOrCreateResolverConn(ctx context.Context) (*tcpResolve
 func (tr *TCPResolver) Query(ctx context.Context, q *Query) (*RRCache, error) {
 	// Do not resolve domain names that are needed to initialize a resolver
 	if tr.resolver.Info.IP == nil && tr.dnsClient.TLSConfig != nil {
-		if _, ok := resolverInitDomains[q.FQDN[:len(q.FQDN)-1]]; ok {
+		if _, ok := resolverInitDomains[q.FQDN]; ok {
 			return nil, ErrContinue
 		}
 	}
--- a/resolver/resolver.go
+++ b/resolver/resolver.go
@ -32,6 +32,7 @@ const (

 const (
 	HttpsProtocol = "https"
+	TlsProtocol   = "tls"
 )

 // FailThreshold is amount of errors a resolvers must experience in order to be regarded as failed.
@ -65,10 +66,9 @@ type Resolver struct {
 	UpstreamBlockDetection string

 	// Special Options
-	VerifyDomain string
-	Search       []string
-	SearchOnly   bool
-	Path         string
+	Search     []string
+	SearchOnly bool
+	Path       string

 	// logic interface
 	Conn ResolverConn `json:"-"`
@ -157,6 +157,12 @@ func (info *ResolverInfo) DescriptiveName() string {
 			info.Name,
 			info.ID(),
 		)
+	case info.IP == nil:
+		return fmt.Sprintf(
+			"%s (%s)",
+			info.Domain,
+			info.ID(),
+		)
 	default:
 		return fmt.Sprintf(
 			"%s (%s)",
--- a/resolver/resolvers.go
+++ b/resolver/resolvers.go
@ -11,6 +11,7 @@ import (

 	"golang.org/x/net/publicsuffix"

+	"github.com/miekg/dns"
 	"github.com/safing/portbase/log"
 	"github.com/safing/portbase/utils"
 	"github.com/safing/portmaster/netenv"
@ -41,7 +42,7 @@ var (
 	systemResolvers     []*Resolver          // all resolvers that were assigned by the system
 	localScopes         []*Scope             // list of scopes with a list of local resolvers that can resolve the scope
 	activeResolvers     map[string]*Resolver // lookup map of all resolvers
-	resolverInitDomains map[string]bool      // a set with all domains of the dns resolvers
+	resolverInitDomains map[string]struct{}  // a set with all domains of the dns resolvers
 	resolversLock       sync.RWMutex
 )

@ -97,13 +98,15 @@ func createResolver(resolverURL, source string) (*Resolver, bool, error) {
 	}

 	if resolverInitDomains == nil {
-		resolverInitDomains = make(map[string]bool)
+		resolverInitDomains = make(map[string]struct{})
 	}

 	switch u.Scheme {
 	case ServerTypeDNS, ServerTypeDoT, ServerTypeDoH, ServerTypeTCP:
 	case HttpsProtocol:
 		u.Scheme = ServerTypeDoH
+	case TlsProtocol:
+		u.Scheme = ServerTypeDoT
 	default:
 		return nil, false, fmt.Errorf("DNS resolver scheme %q invalid", u.Scheme)
 	}
@ -123,7 +126,6 @@ func createResolver(resolverURL, source string) (*Resolver, bool, error) {
 			Port:    0,
 		},
 		ServerAddress:          "",
-		VerifyDomain:           "",
 		Path:                   u.Path, // Used for DoH
 		UpstreamBlockDetection: "",
 	}
@ -185,7 +187,7 @@ func checkAndSetResolverParamters(u *url.URL, resolver *Resolver) error {
 	ip := net.ParseIP(u.Hostname())
 	hostnameIsDomaion := (ip == nil)
 	if ip == nil && u.Scheme != ServerTypeDoH && u.Scheme != ServerTypeDoT {
-		return fmt.Errorf("resolver IP %q invalid", u.Hostname())
+		return fmt.Errorf("resolver IP %q is invalid", u.Hostname())
 	} else {
 		resolver.Info.IP = ip
 	}
@ -211,20 +213,20 @@ func checkAndSetResolverParamters(u *url.URL, resolver *Resolver) error {
 			// Known key, continue.
 		default:
 			// Unknown key, abort.
-			return fmt.Errorf(`unknown parameter "%s"`, key)
+			return fmt.Errorf(`unknown parameter "%q"`, key)
 		}
 	}

-	resolver.VerifyDomain = query.Get(parameterVerify)
+	resolver.Info.Domain = query.Get(parameterVerify)
 	paramterServerIP := query.Get(parameterIP)

 	if u.Scheme == ServerTypeDoT || u.Scheme == ServerTypeDoH {

 		// Check if IP and Domain are set correctly
 		switch {
-		case hostnameIsDomaion && resolver.VerifyDomain != "":
+		case hostnameIsDomaion && resolver.Info.Domain != "":
 			return fmt.Errorf("cannot set the domain name via both the hostname in the URL and the verify parameter")
-		case !hostnameIsDomaion && resolver.VerifyDomain == "":
+		case !hostnameIsDomaion && resolver.Info.Domain == "":
 			return fmt.Errorf("verify parameter must be set when using ip as domain")
 		case !hostnameIsDomaion && paramterServerIP != "":
 			return fmt.Errorf("cannot set the IP address via both the hostname in the URL and the ip parameter")
@ -235,17 +237,17 @@ func checkAndSetResolverParamters(u *url.URL, resolver *Resolver) error {
 		case hostnameIsDomaion && paramterServerIP != "": // domain and ip as parameter
 			resolver.Info.IP = net.ParseIP(paramterServerIP)
 			resolver.ServerAddress = net.JoinHostPort(paramterServerIP, strconv.Itoa(int(resolver.Info.Port)))
-			resolver.VerifyDomain = u.Hostname()
-		case !hostnameIsDomaion && resolver.VerifyDomain != "": // ip and domain as parameter
+			resolver.Info.Domain = u.Hostname()
+		case !hostnameIsDomaion && resolver.Info.Domain != "": // ip and domain as parameter
 			resolver.ServerAddress = net.JoinHostPort(ip.String(), strconv.Itoa(int(resolver.Info.Port)))
-		case hostnameIsDomaion && resolver.VerifyDomain == "" && paramterServerIP == "": // only domain
-			resolver.VerifyDomain = u.Hostname()
+		case hostnameIsDomaion && resolver.Info.Domain == "" && paramterServerIP == "": // only domain
+			resolver.Info.Domain = u.Hostname()
+			resolver.ServerAddress = net.JoinHostPort(resolver.Info.Domain, strconv.Itoa(int(port)))
 		}

-		resolver.Info.Domain = resolver.VerifyDomain
-		resolverInitDomains[resolver.Info.Domain] = true
+		resolverInitDomains[dns.Fqdn(resolver.Info.Domain)] = struct{}{}
 	} else {
-		if resolver.VerifyDomain != "" {
+		if resolver.Info.Domain != "" {
 			return fmt.Errorf("domain verification is only supported by DoT and DoH servers")
 		}
 		resolver.ServerAddress = net.JoinHostPort(ip.String(), strconv.Itoa(int(resolver.Info.Port)))