Add downstream DNS-over-HTTPS support to Unbound #255
Merged
- Add configurable limits for http-query-buffer-size and http-response-buffer-size
- Make http endpoint, max_streams, and TCP_NODELAY for HTTP sockets configurable.
testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.test
wcawijngaards approved these changes Aug 14, 2020
Nice code! Review completed and approved. I am fine with merging this branch.
Wouter Wijngaards writes:
+#define HTTP_QUERY_PARAM "?dns="
+ size_t el = strlen(h2_session->c->http_endpoint);
+ size_t qpl = sizeof(HTTP_QUERY_PARAM) - 1;
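Review bot: `sizeof(HTTP_QUERY_PARAM) - 1` only equals the string length while HTTP_QUERY_PARAM expands to a string literal (an array, so sizeof counts the terminating NUL); if the macro is ever redefined to a `const char *`, sizeof silently becomes the pointer size and `qpl` is wrong. Since `el` is already computed with strlen and the compiler folds strlen of a literal at compile time, using `strlen(HTTP_QUERY_PARAM)` for `qpl` (or a one-line comment at the `#define`) keeps the two lengths consistent.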
I did not know that sizeof a literal is strlen. Thanks for the education, not sure what is better code then.
Note that they are not equivalent:
cat size.c
#include <stdio.h>
#include <string.h>
int main(void) {
    /* sizeof counts the terminating NUL of the literal; strlen does not.
     * size_t is printed with %zu rather than %lu. */
    printf("sizeof %zu\n", sizeof("hallo world"));
    printf("strlen %zu\n", strlen("hallo world"));
    return 0;
}
[jaap@bela /tmp]$ cc size.c
[jaap@bela /tmp]$ ./a.out
sizeof 12
strlen 11
I'm not sure what you really want here.
jaap
@Jakker , correct sizeof is the size needed to store the string literal, so including null byte. Hence the -1 in the code.
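An added example, not Unbound's code, that applies the `sizeof(literal) - 1` idiom from the quoted lines to the job those two lengths serve: checking that a DoH GET request path has the form `<http_endpoint>?dns=<payload>` and locating the payload. The function names, the length-check-before-memcmp ordering and the treatment of a trailing `&` are this example's own assumptions; the endpoint default /dns-query comes from the PR description and the unpadded base64url alphabet for GET payloads from RFC 8484.

```c
/* Added example, not Unbound's code: pick the base64url DNS payload out of a
 * DoH GET request path of the form <http_endpoint>?dns=<payload>, using the
 * same sizeof(literal) - 1 length idiom as the patch lines quoted above. */
#include <stddef.h>
#include <string.h>

#define HTTP_QUERY_PARAM "?dns="

/* Returns a pointer to the first payload character, or NULL when `path` is not
 * "<http_endpoint>?dns=" followed by at least one character. Both arguments are
 * NUL-terminated; http_endpoint is the configured endpoint, e.g. "/dns-query". */
const char *
doh_get_payload(const char *http_endpoint, const char *path)
{
	size_t el = strlen(http_endpoint);
	/* sizeof on the literal includes the NUL, so -1 gives strlen("?dns=") = 5 */
	size_t qpl = sizeof(HTTP_QUERY_PARAM) - 1;
	size_t pl = strlen(path);

	/* Length check first so the memcmp calls never read past the end of path. */
	if (pl <= el + qpl)
		return NULL;
	if (memcmp(path, http_endpoint, el) != 0)
		return NULL;
	if (memcmp(path + el, HTTP_QUERY_PARAM, qpl) != 0)
		return NULL;
	return path + el + qpl;
}

/* RFC 8484 GET payloads are base64url without padding, i.e. only [A-Za-z0-9-_].
 * Returns the payload length when every character is valid, 0 otherwise.
 * Assumption for this example: a following '&' starts another query parameter
 * and therefore ends the payload. */
size_t
doh_payload_check(const char *payload)
{
	size_t n;
	for (n = 0; payload[n] != '\0' && payload[n] != '&'; n++) {
		char c = payload[n];
		int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
		         (c >= '0' && c <= '9') || c == '-' || c == '_';
		if (!ok)
			return 0;
	}
	return n;
}
```

A rejected path (NULL) or a payload check of 0 is the point at which a server would answer with a 4xx instead of passing bytes to the DNS parser.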
In order to use the DoH feature, Unbound needs to be compiled with the nghttp2 library (./configure --with-libnghttp2) and requires an OpenSSL version that supports ALPN for the HTTP/2 support negotiation (starting from OpenSSL 1.0.2).
The DoH implementation requires an encrypted connection, and only works over HTTP/2 as query pipelining and out-of-order processing using HTTP/2 streams is needed to be able to provide performance that is on par with DNS-over-TLS.
To enable DoH in Unbound the certificate and corresponding key to use need to be configured, and Unbound needs to listen on the HTTPS port:
The HTTPS port (default 443) can be changed using the 'https-port' configuration option.
The DoH endpoint (default /dns-query) can be changed using the 'http-endpoint' configuration option.
The maximum number of streams (default 100, as per HTTP/2 RFC) can be adjusted using the 'http-max-streams' configuration option.
In order to prevent abuse of Unbound servers running DoH, this PR adds counters to limit the total size of buffers used to store (partial) DNS queries and responses. The size of these limits can be adjusted using the 'http-query-buffer-size' and 'http-response-buffer-size' configuration options.
In order to provide a well-performing HTTP/2 service it might be good to set the TCP_NODELAY socket option. This PR will, by default, set this option for the sockets used for the HTTP/2 connection. Setting this option can be disabled using the 'http-nodelay' configuration option.
Three DoH stats are added to Unbound: 'num.query.https' keeps statistics for the number of queries that are serviced using DoH. The 'mem.http.query_buffer' and 'mem.http.response_buffer' stats keep track of the memory used for the query and response buffers used for DoH.