
Add downstream DNS-over-HTTPS support to Unbound #255

Merged: merged 20 commits into from Sep 18, 2020

Conversation

@ralphdolmans (Contributor) commented Jun 24, 2020

In order to use the DoH feature, Unbound needs to be compiled with the nghttp2 library (./configure --with-libnghttp2) and requires an OpenSSL version that supports ALPN for the HTTP/2 support negotiation (starting from OpenSSL 1.0.2).

The DoH implementation requires an encrypted connection, and only works over HTTP/2 as query pipelining and out-of-order processing using HTTP/2 streams is needed to be able to provide performance that is on par with DNS-over-TLS.

To enable DoH in Unbound the certificate and corresponding key to use need to be configured, and Unbound needs to listen on the HTTPS port:

server:
   interface: 127.0.0.1@443
   tls-service-key: "key.pem"
   tls-service-pem: "cert.pem"

The HTTPS port (default 443) can be changed using the 'https-port' configuration option.

The DoH endpoint (default /dns-query) can be changed using the 'http-endpoint' configuration option.

The maximum number of streams (default 100, as per HTTP/2 RFC) can be adjusted using the 'http-max-streams' configuration option.

In order to prevent abuse of Unbound servers running DoH, this PR adds counters to limit the total size of buffers used to store (partial) DNS queries and responses. The size of these limits can be adjusted using the 'http-query-buffer-size' and 'http-response-buffer-size' configuration options.

In order to provide a well-performing HTTP/2 service it might be good to set the TCP_NODELAY socket option. This PR will, by default, set this option for the sockets used for the HTTP/2 connection. Setting this option can be disabled using the 'http-nodelay' configuration option.

Three DoH stats are added to Unbound; 'num.query.https' keeps statistics for the number of queries that are serviced using DoH. The 'mem.http.query_buffer', and 'mem.http.response_buffer' stats keep track of the memory used for the query and response buffers used for DoH.
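As an added example (not part of this PR or of Unbound itself), the Python below builds an RFC 8484 DoH query for a listener configured as in the description above (127.0.0.1@443, default /dns-query endpoint) and decodes a reply; the reply bytes are a constructed sample so the code runs offline.

```python
# Added example (not Unbound's code): RFC 8484 DoH helpers for a listener
# configured as in the PR description (127.0.0.1@443, endpoint /dns-query).
# Nothing touches the network; SAMPLE_RESPONSE below is constructed.
import base64
import struct

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire query: header (RD set) + one IN question; ID 0 keeps GET URLs cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(query: bytes, host="127.0.0.1", port=443, endpoint="/dns-query") -> str:
    """GET form: the message rides in the 'dns' parameter as unpadded base64url."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"https://{host}:{port}{endpoint}?dns={dns}"

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, handling a compression pointer."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += ln + 1

def parse_response(msg: bytes) -> dict:
    """Return id, rcode, answer count and the A-record addresses of a reply."""
    qid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "answers": an, "a_records": addrs}

# Constructed NOERROR reply for example.com/A: TTL 300, RFC 5737 test address, name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

The URL from doh_get_url can be passed to any HTTP/2-capable client to exercise the listener; the server must answer with content-type application/dns-message for parse_response to apply.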

@wcawijngaards (Member) left a comment

Nice code! Review completed and approved. I am fine with merging this branch.

@Jakker (Contributor) commented Sep 10, 2020

@ralphdolmans (Contributor, Author) commented Sep 10, 2020

@Jakker, correct: sizeof is the size needed to store the string literal, so including the null byte. Hence the -1 in the code.

@ralphdolmans ralphdolmans merged commit 8678868 into master Sep 18, 2020
@gthess gthess deleted the doh branch Nov 30, 2021