Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

EDNS0 padding support in auth #15009

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

miodvallat
Copy link
Contributor

@miodvallat miodvallat commented Jan 3, 2025

Short description

Even though the auth<->recursor communication can probably be considered trustworthy, the auth server should nevertheless respond to queries containing the EDNS0 padding option with a similarly padded response. This PR achieves this.

(still marked as draft as I need to work on tests - I only checked the output of simple dig queries with and without +padding=128)

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@miodvallat miodvallat added the auth label Jan 3, 2025
@coveralls
Copy link

coveralls commented Jan 3, 2025

Pull Request Test Coverage Report for Build 12667063404

Details

  • 9 of 21 (42.86%) changed or added relevant lines in 3 files are covered.
  • 37 unchanged lines in 11 files lost coverage.
  • Overall coverage decreased (-0.01%) to 64.815%

Changes Missing Coverage Covered Lines Changed/Added Lines %
pdns/dnspacket.cc 5 17 29.41%
Files with Coverage Reduction New Missed Lines %
modules/godbcbackend/sodbc.cc 2 70.8%
ext/json11/json11.cpp 2 62.72%
pdns/sstuff.hh 2 56.83%
pdns/backends/gsql/gsqlbackend.hh 2 97.71%
pdns/recursordist/test-syncres_cc2.cc 3 88.85%
pdns/stubresolver.cc 3 77.58%
pdns/misc.cc 3 64.57%
pdns/iputils.cc 3 54.99%
pdns/recursordist/recpacketcache.hh 3 89.55%
pdns/recursordist/test-syncres_cc1.cc 7 89.26%
Totals Coverage Status
Change from base Build 12652818968: -0.01%
Covered Lines: 126128
Relevant Lines: 163823

💛 - Coveralls

pdns/ednspadding.hh Fixed Show fixed Hide fixed
@miodvallat miodvallat marked this pull request as ready for review January 8, 2025 08:07
Note that the typoed number (8647) was never issued as an RFC, so we
might want to pretend it was our doing, so as not to make these comments
too wrong.
When constructing the response to a query with EDNS0 padding set, keep
this in mind and build proper EDNS0 padding in the response packet.
Copy link
Member

@Habbie Habbie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems to work, including packet cache handling! However, this needs configurability. I think allowing it by default on TCP is fine, but for UDP users should have control in some way.

@miodvallat
Copy link
Contributor Author

Recursor uses a edns-padding-out option. How about edns-padding-udp? Note that this will have no effect if incoming queries are not sent with EDNS padding enabled.

@Habbie
Copy link
Member

Habbie commented Jan 13, 2025

Recursor uses a edns-padding-out option. How about edns-padding-udp? Note that this will have no effect if incoming queries are not sent with EDNS padding enabled.

Recursor's edns-padding-from seems like an important inspiration, because it would allow a user to (with some care) separate "traffic that is going over an encrypted channel via dnsdist" from "actual UDP packets from the Internet".

The problem we're solving, I think, is that we don't want spoofed UDP queries to be able to get padded responses.

# for free to join this conversation on GitHub. Already have an account? # to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants