Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor DNS resources #4994

Closed
12 of 24 tasks
Tracked by #4789
conectado opened this issue May 15, 2024 · 1 comment · Fixed by #5049
Closed
12 of 24 tasks
Tracked by #4789

Refactor DNS resources #4994

conectado opened this issue May 15, 2024 · 1 comment · Fixed by #5049
Assignees
@conectado
Labels
area/connlib Firezone's core connectivity library complexity/hard Multi-day effort or more. kind/refactor Code refactoring

Comments

@conectado
Copy link
Collaborator

conectado commented May 15, 2024
edited by thomaseizinger
Loading

This is needed to:

  • Have an stable per-resource IP and have more stability with browsers or other applications that cache IPs for a long time
  • Be able to apply filters on overlapping dns resources

The way to achieve this is:

  • Have the client generate multiple unique ips per-fqdn in queries
  • Pick the resource that will be used after we see traffic for those generated ips
  • Have the gateway mangle traffic based on the associated fqdn for that ip
  • Use source port nating to distinguish traffic in the gateway
  • Do Ipv4-in-Ipv6 and Ipv6-in-Ipv4 to be able to work for ipv4/ipv6-only resources

Tasks & follow-ups
Beta Give feedback
  2. chore(connlib): implement IP translation according to RFC6145 #5364
  3. ci: run compatibility tests between latest client and HEAD gateway #5369
  8. feat(gateway): NAT & mangling for DNS resources #5354
  10. feat(connlib): clients make use of DNS mangling on gateways #5049
    kind/refactor
  11. refactor(connlib): drop all connections when roaming #5308
    kind/refactor
  13. test(connlib): change DNS records of resource #5353
  15. connlib: replace domain library with hickory-proto #5539
    area/connlib complexity/low kind/refactor
  17. connlib: don't construct DNS responses based on existing byte-buffer #5540
    area/connlib complexity/low kind/refactor
  18. connlib: sort out "+20" byte-length weirdness #5541
    area/connlib complexity/low kind/refactor
  19. connlib: introduce DNS cache shared across all connections on gateway #5542
    area/connlib complexity/medium kind/refactor
  21. feat(gateway): resolve DNS in the background #5457
  24. refactor(connlib): tidy-up tech-debt around mangling of forwarded DNS queries #5391
    area/connlib complexity/medium kind/refactor
@conectado conectado added the area/connlib Firezone's core connectivity library label May 15, 2024
@conectado conectado self-assigned this May 15, 2024
@jamilbk
Copy link
Member

jamilbk commented May 15, 2024

refs #3369 -- we can probably close that when this is closed.

@jamilbk jamilbk added complexity/hard Multi-day effort or more. kind/refactor Code refactoring labels May 15, 2024
This was referenced May 16, 2024
Merged
Merged
github-merge-queue bot pushed a commit that referenced this issue May 17, 2024
@conectado
chore(connlib): set_payload is called for udp packets for tests (#5018)
941b18b 
came up while working on #4994
github-merge-queue bot pushed a commit that referenced this issue May 17, 2024
@conectado
chore(connlib): ensure there are client_resources before trying to sa…
e3ead8c 
…mple them in proptest (#5017)

This came up while working on #4994 while writing the proptests I
noticed that the precondition could panic since we don't have this check
there and would cause shrinking to fail.
This was referenced May 20, 2024
Merged
Open
This was referenced May 22, 2024
Closed
Closed
Open
@jamilbk jamilbk mentioned this issue Jun 3, 2024
Closed
@conectado conectado mentioned this issue Jun 7, 2024
Open
This was referenced Jun 14, 2024
Merged
Merged
github-merge-queue bot pushed a commit that referenced this issue Jun 14, 2024
@conectado
chore(connlib): implement IP translation according to RFC6145 (#5364)
8cc2849 
As part of #4994, we need to translate IP packets between IPv4 and IPv6.
This PR introduces the `ConvertiblePacket` abstraction that implements
this.
@thomaseizinger thomaseizinger mentioned this issue Jun 17, 2024
Draft
jamilbk pushed a commit that referenced this issue Jun 17, 2024
@conectado @jamilbk
chore(connlib): implement IP translation according to RFC6145 (#5364)
08756fa 
As part of #4994, we need to translate IP packets between IPv4 and IPv6.
This PR introduces the `ConvertiblePacket` abstraction that implements
this.
github-merge-queue bot pushed a commit that referenced this issue Jun 19, 2024
@conectado @thomaseizinger
feat(gateway): NAT & mangling for DNS resources (#5354)
2ea6a5d 
As part of #4994, the IP translation and mangling of packets to and from
DNS resources is moved to the gateway. This PR represents the
"gateway-half" of the required changes.

Eventually, the client will send a list of proxy IPs that it assigned
for a certain DNS resource. The gateway assigns each proxy IP to a real
IP and mangles outgoing and incoming traffic accordingly. There are a
number of things that we need to take care of as part of that:

- We need to implement NAT to correctly route traffic. Our NAT table
maps from source port* and destination IP to an assigned port* and real
IP. We say port* because that is only true for UDP and TCP. For ICMP, we
use the identifier.
- We need to translate between IPv4 and IPv6 in case a DNS resource e.g.
only resolves to IPv6 addresses but the client gave out an IPv4 proxy
address to the application. This translation is was added in #5364 and
is now being used here.

This PR is backwards-compatible because currently, clients don't send
any IPs to the gateway. No proxy IPs means we cannot do any translation
and thus, packets are simply routed through as is which is what the
current clients expect.

---------

Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
@thomaseizinger thomaseizinger mentioned this issue Jun 20, 2024
Draft
github-merge-queue bot pushed a commit that referenced this issue Jun 24, 2024
@conectado @thomaseizinger
feat(connlib): clients make use of DNS mangling on gateways (#5049)
aea03a4 
This PR is the "client-side" of things for #4994. Up until now, when a
user wanted to connect to a DNS resource, we would establish a
connection to the gateway and pass along the domain we are trying to
access. The gateway would resolve that domain and send the response back
to the client, allowing them to finally send a DNS response.

Now, we instantly assign and respond with 4x A and 4x AAAA records to
any query for one of our DNS resources. Upon the first IP packet for one
of these "proxy IPs", we select a gateway, establish a connection and
send our proxy IPs along. The gateway then performs the necessary
mangling and NATing of all packets. See #5354 for details.

Resolves: #4994.
Resolves: #5491.

---------

Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
This was referenced Jun 25, 2024
Closed
Open
@conectado conectado mentioned this issue Jun 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@conectado conectado

Labels
area/connlib Firezone's core connectivity library complexity/hard Multi-day effort or more. kind/refactor Code refactoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(connlib): clients make use of DNS mangling on gateways firezone/firezone
2 participants
@jamilbk @conectado