Create proper support for DNS cookies #6187

Open
pemensik opened this issue Jul 1, 2023 · 3 comments
@pemensik
Contributor

pemensik commented Jul 1, 2023

What would you like to be added:

Why is this needed:

  • The current implementation just blindly echoes the DNS cookie back. It should omit it from the EDNS header if it is unsupported, or support it properly.
  • Removing cookies is not possible now.
  • It might help to distinguish genuine queries from DDoS traffic.
  • It would be nice if a cookie could be added to forwarded queries, even if the original query did not have one.
$ dig @localhost -p 3053 example.org

; <<>> DiG 9.18.16 <<>> @localhost -p 3053 example.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bea8a078ee01bbbb (echoed)
;; QUESTION SECTION:
;example.org.			IN	A

;; ANSWER SECTION:
example.org.		65	IN	A	93.184.216.34

;; Query time: 7 msec
;; SERVER: ::1#3053(localhost) (UDP)
;; WHEN: Sat Jul 01 12:23:23 CEST 2023
;; MSG SIZE  rcvd: 79
  • ; COOKIE: bea8a078ee01bbbb (echoed) - means that it is not correct.
  • ; COOKIE: 898840cdd4e68ec47225edce649fff45d88a9e10f0963a82 (good) - shows correct cookie in dig
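
An added example, not part of the issue and not CoreDNS or dig code: the check a client can apply to a response's COOKIE option to tell the two results above apart, using the RFC 7873 lengths (8-byte client cookie, 8 to 32-byte server cookie). The function name and the labels other than "echoed" and "good" are assumptions, as is treating the first 8 bytes of the second value as the client cookie that was sent.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
)

// RFC 7873 sizes: client cookie is 8 bytes; server cookie, if present, 8 to 32.
const clientLen, minServer, maxServer = 8, 8, 32

// classifyCookie compares a response's COOKIE option payload with the client
// cookie sent in the query (both as hex, the way dig prints them). It checks
// format and the client part only; a server cookie's validity is known only
// to the server that issued it.
func classifyCookie(sentHex, respHex string) string {
	sent, err1 := hex.DecodeString(sentHex)
	resp, err2 := hex.DecodeString(respHex)
	if err1 != nil || err2 != nil || len(sent) != clientLen {
		return "malformed"
	}
	if len(resp) == 0 {
		return "absent" // option omitted: the server does not do cookies
	}
	if len(resp) < clientLen {
		return "malformed"
	}
	if !bytes.Equal(resp[:clientLen], sent) {
		return "bad" // not the cookie we sent: treat the answer as suspect
	}
	switch n := len(resp) - clientLen; {
	case n == 0:
		return "echoed" // client cookie returned with no server cookie added
	case n < minServer || n > maxServer:
		return "malformed"
	}
	return "good"
}

func main() {
	// Cookie values copied from the dig output in the issue.
	fmt.Println(classifyCookie("bea8a078ee01bbbb", "bea8a078ee01bbbb"))
	// Assumption: the first 8 bytes of the "good" value are the client cookie sent.
	fmt.Println(classifyCookie("898840cdd4e68ec4",
		"898840cdd4e68ec47225edce649fff45d88a9e10f0963a82"))
}
```
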
@pemensik
Contributor Author

pemensik commented Jul 1, 2023

The rate limiting plugin might use different limits for correct cookie responses.

@chrisohaver chrisohaver changed the title Create (proper) support for DNS cookies Create proper support for DNS cookies Jul 5, 2023
@Mo-Fatah

Hi! Can this ticket be proposed as an LFX mentorship project for term 3 under CNCF? I am interested in CoreDNS and I would love to participate if the team is interested in offering a mentorship opportunity. The deadline for the proposals is July 27, 2023. cncf/mentoring#1032

@ChinmayaSharma-hue

Hi! I would like to work on this issue. Is this feature still needed?
