interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
3,263 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

353 Commits

Author SHA1 Message Date
Willem Toorop 2a0114591a Resolve compile warnings 
Thanks Andreas!
 2021-06-03 20:45:55 +02:00
Willem Toorop 624f688967 Honour the claim from documentation: When not set (the default), the system default is left alone. 2021-05-26 15:57:52 +02:00
Maciej S. Szmigiero 606a88f9aa
Add "tcp_send_timeout" option to set a TCP send data timeout 
When using Stubby as a system DNS over TLS resolver with a Internet
connection that disconnects and reconnects from time to time there is often
a long waiting time (~20 minutes) after the connection reconnects before
DNS queries start to work again.

This is because in this particular case all the upstream TLS TCP
connections in Stubby are stuck waiting for upstream server response.
Which will never arrive since the host external IP address might have
changed and / or NAT router connection tracking entries for these TCP
connections might have been removed when the Internet connection
reconnected.

By default Linux tries to retransmit data on a TCP connection 15 times
before finally terminating it.
This takes 16 - 20 minutes, which is obviously a very long time to wait for
system DNS resolving to work again.
This is a real problem on weak mobile connections.

Thankfully, there is a "TCP_USER_TIMEOUT" per-socket option that allows
explicitly setting how long the network stack will wait in such cases.

Let's add a matching "tcp_send_timeout" option to getdns that allows
setting this option on outgoing TCP sockets.
For backward compatibility the code won't try to set it by default.

With this option set to, for example, 15 seconds Stubby recovers pretty
much instantly in such cases.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
 2020-07-13 00:21:16 +02:00
Willem Toorop 9ecd3fde1c Privacy aware DNS Cookies 
Track source IP address in an efficient manner to make sure the same cookie will not be sent from different source IP addresses.
 2020-04-09 16:24:34 +02:00
Willem Toorop de13a0c32d Better retry on badcookie flooding prevention 2020-04-08 19:16:51 +02:00
Willem Toorop 8b62970e0c Response to BADCOOKIE extended rcode 2020-04-08 16:08:56 +02:00
Willem Toorop 73cee29f55 Make TLS Handshake timeout max 4/5th of timeout 
for the query, just like connection setup timeout was, so fallback transport have a chance too when TCP connection setup is less well detectable (as with TCP_FASTOPEN on MacOS).
 2020-03-16 14:50:59 +01:00
Willem Toorop e7d435e426 Name only authentication with GNUTLS 2020-03-03 13:04:27 +00:00
Willem Toorop af46e20721 Fix reporting authentication failure 2020-03-02 15:51:46 +00:00
Willem Toorop d7099f6e30 Deal with DoT servers that take long to connect to 
(because they might be under attack)
 2020-02-21 14:17:00 +01:00
Willem Toorop 33633ea239 One more scan with extra argument 2019-12-20 10:46:59 +00:00
Willem Toorop 651e5f7c3f Work around FreeBSD12 FAST OPEN issue 
Before (FreeBSD 11), poll could be used to wait for the socket to
be writeable immediately. Now (since FreeBSD 12) this results in
infinite wait, so we just have to write immediately to work around
this.
 2019-12-19 15:00:53 +00:00
Willem Toorop 0fbe0dccc3 Debugging server capability testing 2019-12-16 11:47:40 +01:00
Willem Toorop b22768709a Runtime fallback and FreeBSD compatible TFO 2019-04-03 12:24:09 +02:00
Willem Toorop b6e290f42a Fix compiling for debugging 2019-04-03 11:51:35 +02:00
Willem Toorop 342b1090f8 Declarations are always defined 2019-03-15 17:22:31 +01:00
Willem Toorop 7438de712a Issue #422: Update server & client TFO 
Seems to work for TLS now too.
At least on Linux.
Thanks Craig Andrews
 2019-03-15 12:13:38 +01:00
Jim Hague cdc0d43315 Correct auth state thinko. Spotter credit to Willem. 2019-01-23 11:34:02 +00:00
Jim Hague 9024fd7736 Fix build with INTERCEPT_COM_DS defined. 
Decide that layout of handling write results is more readable, and use with read too.
 2019-01-15 15:34:33 +00:00
Jim Hague 24774fefd6 Remove 'upstream' association with connection, now unused. 2019-01-15 11:01:58 +00:00
Jim Hague 3fe0c94357 Merge branch 'develop' into feature/abstract-tls 2019-01-14 19:09:20 +00:00
Willem Toorop 309db67f8b RFE getdnsapi/stubby#121 log re-instantiating TLS ... 
... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
 2018-12-21 16:30:46 +01:00
Willem Toorop ff1cdce6f8 s/explicitely/explicitly/g 
Thanks Andreas Schulze
 2018-12-20 15:06:01 +01:00
Jim Hague 2759d727e5 Minor speeling fix. 2018-12-13 11:54:41 +00:00
Jim Hague 0dec4a6f21 Correct format string, fixing type error in specifier. 
I was wondering why the error output did appear.
 2018-12-12 14:59:13 +00:00
Jim Hague aa49a935c7 Fixed error detection in certificate verification. 2018-12-11 17:59:44 +00:00
Jim Hague fee864c25c Implement setting cipher/curve lists. 
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
 2018-12-07 16:55:17 +00:00
Willem Toorop 8a7226baee Move from debugging to logging for 
- upstream_stats & stub system
 2018-12-07 14:02:17 +01:00
Jim Hague 64f0d6aaa8 Rename _getdns_tls_connection_verify() to _getdns_tls_connection_certificate_verify(). 
I managed to mislead myself about what it did, which suggests the name should be clearer.
 2018-12-07 11:09:20 +00:00
Jim Hague 91764fb6b0 Correct checking of connection validation result. 2018-12-06 11:04:00 +00:00
Jim Hague 26bcddd029 Abstract cookie SHA256 calculation. 2018-11-27 15:31:33 +00:00
Jim Hague 5e390a4b23 Revise all TLS interfaces to pass in GetDNS memory functions where necessary. 
This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
 2018-11-27 14:41:46 +00:00
Willem Toorop b90ba236ae tls_ciphersuites, tls_cipher_list, tls_curve_list, 
tls_min_version & tls_max_version settings must cause
	failure when not supported by the TLS library.  Not during
	configure time, but during connection setup so it doesn't
	hamper alternative transports.
 2018-11-22 11:37:28 +01:00
Willem Toorop 73868643d2 Fix compile warnings 2018-11-21 16:07:47 +01:00
Willem Toorop 1904ee7318 Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130 
Configurable TLS version
 2018-11-21 15:02:28 +01:00
Jim Hague ff9cde2087 Remove SSL type from pubkey-pinning interface. 2018-11-20 15:49:26 +00:00
Willem Toorop 6a5e96d4e1 tls_ciphersuites + bugfix in strdup2!! 2018-11-20 16:13:57 +01:00
Jim Hague 1b0a09a23f Wrap hostname/certificate verification. 
This removes the last OpenSSL items from stub.c.
 2018-11-20 14:53:31 +00:00
Jim Hague 5d353d9efb To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later. 
Remove ssl_dane as now surplus to requirements.
 2018-11-16 17:58:29 +00:00
Jim Hague 0fd6fd4c5c Replace (one instance of) SSL_get_peer_certificate(). 2018-11-16 17:09:26 +00:00
Jim Hague 4b8c9d1bd7 Replace SSL_get_version(). 2018-11-15 17:53:37 +00:00
Jim Hague 09019bee75 Replace SSL_write(). 2018-11-15 17:53:29 +00:00
Jim Hague e7453522d5 Replace SSL_read(). 2018-11-15 17:51:52 +00:00
Jim Hague e22c01e212 tls_do_handshake: move handshake and check for new session into abstraction layer. 2018-11-15 14:28:04 +00:00
Jim Hague ffd1136e94 tls_create_object(): Move setting client state and auto-retry into connection_new and add setting connection session. 2018-11-15 13:23:00 +00:00
Jim Hague d9fdd4c10d Abstracting TLS; let's start with context only. 
Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.
 2018-11-15 11:01:13 +00:00
Willem Toorop e481273ff4 Last minute update 2018-05-11 13:20:08 +02:00
Emery Hemingway a6ec2b2449 No TCP sendto without TCP_FASTOPEN 2018-05-08 14:58:17 +02:00
Willem Toorop 8a2fc5f5a9 max_udp_backoff should not be public 
At least, not with this point release
 2018-03-05 12:42:27 +01:00
Robert Groenenberg eec6ec29dd [UDP] try upstreams in round-robin fashion when all yupstreams have failed 2018-03-05 12:03:20 +01:00