1 // DNS server implementation.
17 // Default maximum number of TCP queries before we close the socket.
18 const maxTCPQueries = 128
20 // aLongTimeAgo is a non-zero time, far in the past, used for
21 // immediate cancelation of network operations.
22 var aLongTimeAgo = time.Unix(1, 0)
24 // Handler is implemented by any value that implements ServeDNS.
25 type Handler interface {
26 ServeDNS(w ResponseWriter, r *Msg)
29 // The HandlerFunc type is an adapter to allow the use of
30 // ordinary functions as DNS handlers. If f is a function
31 // with the appropriate signature, HandlerFunc(f) is a
32 // Handler object that calls f.
33 type HandlerFunc func(ResponseWriter, *Msg)
35 // ServeDNS calls f(w, r).
36 func (f HandlerFunc) ServeDNS(w ResponseWriter, r *Msg) {
40 // A ResponseWriter interface is used by an DNS handler to
41 // construct an DNS response.
42 type ResponseWriter interface {
43 // LocalAddr returns the net.Addr of the server
45 // RemoteAddr returns the net.Addr of the client that sent the current request.
47 // WriteMsg writes a reply back to the client.
49 // Write writes a raw buffer back to the client.
50 Write([]byte) (int, error)
51 // Close closes the connection.
53 // TsigStatus returns the status of the Tsig.
55 // TsigTimersOnly sets the tsig timers only boolean.
57 // Hijack lets the caller take over the connection.
58 // After a call to Hijack(), the DNS package will not do anything with the connection.
62 // A ConnectionStater interface is used by a DNS Handler to access TLS connection state
64 type ConnectionStater interface {
65 ConnectionState() *tls.ConnectionState
68 type response struct {
69 closed bool // connection has been closed
70 hijacked bool // connection has been hijacked by handler
74 tsigSecret map[string]string // the tsig secrets
75 udp *net.UDPConn // i/o connection if UDP was used
76 tcp net.Conn // i/o connection if TCP was used
77 udpSession *SessionUDP // oob data to get egress interface right
78 writer Writer // writer to output the raw DNS bits
81 // HandleFailed returns a HandlerFunc that returns SERVFAIL for every request it gets.
82 func HandleFailed(w ResponseWriter, r *Msg) {
84 m.SetRcode(r, RcodeServerFailure)
85 // does not matter if this write fails
89 // ListenAndServe Starts a server on address and network specified Invoke handler
90 // for incoming queries.
91 func ListenAndServe(addr string, network string, handler Handler) error {
92 server := &Server{Addr: addr, Net: network, Handler: handler}
93 return server.ListenAndServe()
96 // ListenAndServeTLS acts like http.ListenAndServeTLS, more information in
97 // http://golang.org/pkg/net/http/#ListenAndServeTLS
98 func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler) error {
99 cert, err := tls.LoadX509KeyPair(certFile, keyFile)
104 config := tls.Config{
105 Certificates: []tls.Certificate{cert},
115 return server.ListenAndServe()
118 // ActivateAndServe activates a server with a listener from systemd,
119 // l and p should not both be non-nil.
120 // If both l and p are not nil only p will be used.
121 // Invoke handler for incoming queries.
122 func ActivateAndServe(l net.Listener, p net.PacketConn, handler Handler) error {
123 server := &Server{Listener: l, PacketConn: p, Handler: handler}
124 return server.ActivateAndServe()
127 // Writer writes raw DNS messages; each call to Write should send an entire message.
128 type Writer interface {
132 // Reader reads raw DNS messages; each call to ReadTCP or ReadUDP should return an entire message.
133 type Reader interface {
134 // ReadTCP reads a raw message from a TCP connection. Implementations may alter
135 // connection properties, for example the read-deadline.
136 ReadTCP(conn net.Conn, timeout time.Duration) ([]byte, error)
137 // ReadUDP reads a raw message from a UDP connection. Implementations may alter
138 // connection properties, for example the read-deadline.
139 ReadUDP(conn *net.UDPConn, timeout time.Duration) ([]byte, *SessionUDP, error)
142 // defaultReader is an adapter for the Server struct that implements the Reader interface
143 // using the readTCP and readUDP func of the embedded Server.
144 type defaultReader struct {
148 func (dr defaultReader) ReadTCP(conn net.Conn, timeout time.Duration) ([]byte, error) {
149 return dr.readTCP(conn, timeout)
152 func (dr defaultReader) ReadUDP(conn *net.UDPConn, timeout time.Duration) ([]byte, *SessionUDP, error) {
153 return dr.readUDP(conn, timeout)
156 // DecorateReader is a decorator hook for extending or supplanting the functionality of a Reader.
157 // Implementations should never return a nil Reader.
158 type DecorateReader func(Reader) Reader
160 // DecorateWriter is a decorator hook for extending or supplanting the functionality of a Writer.
161 // Implementations should never return a nil Writer.
162 type DecorateWriter func(Writer) Writer
164 // A Server defines parameters for running an DNS server.
166 // Address to listen on, ":dns" if empty.
168 // if "tcp" or "tcp-tls" (DNS over TLS) it will invoke a TCP listener, otherwise an UDP one
170 // TCP Listener to use, this is to aid in systemd's socket activation.
171 Listener net.Listener
172 // TLS connection configuration
173 TLSConfig *tls.Config
174 // UDP "Listener" to use, this is to aid in systemd's socket activation.
175 PacketConn net.PacketConn
176 // Handler to invoke, dns.DefaultServeMux if nil.
178 // Default buffer size to use to read incoming UDP messages. If not set
179 // it defaults to MinMsgSize (512 B).
181 // The net.Conn.SetReadTimeout value for new connections, defaults to 2 * time.Second.
182 ReadTimeout time.Duration
183 // The net.Conn.SetWriteTimeout value for new connections, defaults to 2 * time.Second.
184 WriteTimeout time.Duration
185 // TCP idle timeout for multiple queries, if nil, defaults to 8 * time.Second (RFC 5966).
186 IdleTimeout func() time.Duration
187 // Secret(s) for Tsig map[<zonename>]<base64 secret>. The zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2).
188 TsigSecret map[string]string
189 // If NotifyStartedFunc is set it is called once the server has started listening.
190 NotifyStartedFunc func()
191 // DecorateReader is optional, allows customization of the process that reads raw DNS messages.
192 DecorateReader DecorateReader
193 // DecorateWriter is optional, allows customization of the process that writes raw DNS messages.
194 DecorateWriter DecorateWriter
195 // Maximum number of TCP queries before we close the socket. Default is maxTCPQueries (unlimited if -1).
197 // Whether to set the SO_REUSEPORT socket option, allowing multiple listeners to be bound to a single address.
198 // It is only supported on go1.11+ and when using ListenAndServe.
200 // AcceptMsgFunc will check the incoming message and will reject it early in the process.
201 // By default DefaultMsgAcceptFunc will be used.
202 MsgAcceptFunc MsgAcceptFunc
207 shutdown chan struct{}
208 conns map[net.Conn]struct{}
210 // A pool for UDP message buffers.
214 func (srv *Server) isStarted() bool {
216 started := srv.started
221 func makeUDPBuffer(size int) func() interface{} {
222 return func() interface{} {
223 return make([]byte, size)
227 func (srv *Server) init() {
228 srv.shutdown = make(chan struct{})
229 srv.conns = make(map[net.Conn]struct{})
231 if srv.UDPSize == 0 {
232 srv.UDPSize = MinMsgSize
234 if srv.MsgAcceptFunc == nil {
235 srv.MsgAcceptFunc = DefaultMsgAcceptFunc
237 if srv.Handler == nil {
238 srv.Handler = DefaultServeMux
241 srv.udpPool.New = makeUDPBuffer(srv.UDPSize)
244 func unlockOnce(l sync.Locker) func() {
246 return func() { once.Do(l.Unlock) }
249 // ListenAndServe starts a nameserver on the configured address in *Server.
250 func (srv *Server) ListenAndServe() error {
251 unlock := unlockOnce(&srv.lock)
256 return &Error{err: "server already started"}
267 case "tcp", "tcp4", "tcp6":
268 l, err := listenTCP(srv.Net, addr, srv.ReusePort)
275 return srv.serveTCP(l)
276 case "tcp-tls", "tcp4-tls", "tcp6-tls":
277 if srv.TLSConfig == nil || (len(srv.TLSConfig.Certificates) == 0 && srv.TLSConfig.GetCertificate == nil) {
278 return errors.New("dns: neither Certificates nor GetCertificate set in Config")
280 network := strings.TrimSuffix(srv.Net, "-tls")
281 l, err := listenTCP(network, addr, srv.ReusePort)
285 l = tls.NewListener(l, srv.TLSConfig)
289 return srv.serveTCP(l)
290 case "udp", "udp4", "udp6":
291 l, err := listenUDP(srv.Net, addr, srv.ReusePort)
295 u := l.(*net.UDPConn)
296 if e := setUDPSocketOptions(u); e != nil {
302 return srv.serveUDP(u)
304 return &Error{err: "bad network"}
307 // ActivateAndServe starts a nameserver with the PacketConn or Listener
308 // configured in *Server. Its main use is to start a server from systemd.
309 func (srv *Server) ActivateAndServe() error {
310 unlock := unlockOnce(&srv.lock)
315 return &Error{err: "server already started"}
320 pConn := srv.PacketConn
323 // Check PacketConn interface's type is valid and value
325 if t, ok := pConn.(*net.UDPConn); ok && t != nil {
326 if e := setUDPSocketOptions(t); e != nil {
331 return srv.serveUDP(t)
337 return srv.serveTCP(l)
339 return &Error{err: "bad listeners"}
342 // Shutdown shuts down a server. After a call to Shutdown, ListenAndServe and
343 // ActivateAndServe will return.
344 func (srv *Server) Shutdown() error {
345 return srv.ShutdownContext(context.Background())
348 // ShutdownContext shuts down a server. After a call to ShutdownContext,
349 // ListenAndServe and ActivateAndServe will return.
351 // A context.Context may be passed to limit how long to wait for connections
353 func (srv *Server) ShutdownContext(ctx context.Context) error {
357 return &Error{err: "server not started"}
362 if srv.PacketConn != nil {
363 srv.PacketConn.SetReadDeadline(aLongTimeAgo) // Unblock reads
366 if srv.Listener != nil {
370 for rw := range srv.conns {
371 rw.SetReadDeadline(aLongTimeAgo) // Unblock reads
376 if testShutdownNotify != nil {
377 testShutdownNotify.Broadcast()
387 if srv.PacketConn != nil {
388 srv.PacketConn.Close()
394 var testShutdownNotify *sync.Cond
396 // getReadTimeout is a helper func to use system timeout if server did not intend to change it.
397 func (srv *Server) getReadTimeout() time.Duration {
398 if srv.ReadTimeout != 0 {
399 return srv.ReadTimeout
404 // serveTCP starts a TCP listener for the server.
405 func (srv *Server) serveTCP(l net.Listener) error {
408 if srv.NotifyStartedFunc != nil {
409 srv.NotifyStartedFunc()
412 var wg sync.WaitGroup
418 for srv.isStarted() {
419 rw, err := l.Accept()
421 if !srv.isStarted() {
424 if neterr, ok := err.(net.Error); ok && neterr.Temporary() {
430 // Track the connection to allow unblocking reads on shutdown.
431 srv.conns[rw] = struct{}{}
434 go srv.serveTCPConn(&wg, rw)
440 // serveUDP starts a UDP listener for the server.
441 func (srv *Server) serveUDP(l *net.UDPConn) error {
444 if srv.NotifyStartedFunc != nil {
445 srv.NotifyStartedFunc()
448 reader := Reader(defaultReader{srv})
449 if srv.DecorateReader != nil {
450 reader = srv.DecorateReader(reader)
453 var wg sync.WaitGroup
459 rtimeout := srv.getReadTimeout()
460 // deadline is not used here
461 for srv.isStarted() {
462 m, s, err := reader.ReadUDP(l, rtimeout)
464 if !srv.isStarted() {
467 if netErr, ok := err.(net.Error); ok && netErr.Temporary() {
472 if len(m) < headerSize {
473 if cap(m) == srv.UDPSize {
474 srv.udpPool.Put(m[:srv.UDPSize])
479 go srv.serveUDPPacket(&wg, m, l, s)
485 // Serve a new TCP connection.
486 func (srv *Server) serveTCPConn(wg *sync.WaitGroup, rw net.Conn) {
487 w := &response{tsigSecret: srv.TsigSecret, tcp: rw}
488 if srv.DecorateWriter != nil {
489 w.writer = srv.DecorateWriter(w)
494 reader := Reader(defaultReader{srv})
495 if srv.DecorateReader != nil {
496 reader = srv.DecorateReader(reader)
499 idleTimeout := tcpIdleTimeout
500 if srv.IdleTimeout != nil {
501 idleTimeout = srv.IdleTimeout()
504 timeout := srv.getReadTimeout()
506 limit := srv.MaxTCPQueries
508 limit = maxTCPQueries
511 for q := 0; (q < limit || limit == -1) && srv.isStarted(); q++ {
512 m, err := reader.ReadTCP(w.tcp, timeout)
514 // TODO(tmthrgd): handle error
519 break // Close() was called
522 break // client will call Close() themselves
524 // The first read uses the read timeout, the rest use the
526 timeout = idleTimeout
534 delete(srv.conns, w.tcp)
540 // Serve a new UDP request.
541 func (srv *Server) serveUDPPacket(wg *sync.WaitGroup, m []byte, u *net.UDPConn, s *SessionUDP) {
542 w := &response{tsigSecret: srv.TsigSecret, udp: u, udpSession: s}
543 if srv.DecorateWriter != nil {
544 w.writer = srv.DecorateWriter(w)
553 func (srv *Server) serveDNS(m []byte, w *response) {
554 dh, off, err := unpackMsgHdr(m, 0)
556 // Let client hang, they are sending crap; any reply can be used to amplify.
563 switch srv.MsgAcceptFunc(dh) {
565 if req.unpack(dh, m, off) == nil {
571 req.SetRcodeFormatError(req)
572 // Are we allowed to delete any OPT records here?
573 req.Ns, req.Answer, req.Extra = nil, nil, nil
577 if w.udp != nil && cap(m) == srv.UDPSize {
578 srv.udpPool.Put(m[:srv.UDPSize])
587 if w.tsigSecret != nil {
588 if t := req.IsTsig(); t != nil {
589 if secret, ok := w.tsigSecret[t.Hdr.Name]; ok {
590 w.tsigStatus = TsigVerify(m, secret, "", false)
592 w.tsigStatus = ErrSecret
594 w.tsigTimersOnly = false
595 w.tsigRequestMAC = req.Extra[len(req.Extra)-1].(*TSIG).MAC
599 if w.udp != nil && cap(m) == srv.UDPSize {
600 srv.udpPool.Put(m[:srv.UDPSize])
603 srv.Handler.ServeDNS(w, req) // Writes back to the client
606 func (srv *Server) readTCP(conn net.Conn, timeout time.Duration) ([]byte, error) {
607 // If we race with ShutdownContext, the read deadline may
608 // have been set in the distant past to unblock the read
609 // below. We must not override it, otherwise we may block
613 conn.SetReadDeadline(time.Now().Add(timeout))
618 if err := binary.Read(conn, binary.BigEndian, &length); err != nil {
622 m := make([]byte, length)
623 if _, err := io.ReadFull(conn, m); err != nil {
630 func (srv *Server) readUDP(conn *net.UDPConn, timeout time.Duration) ([]byte, *SessionUDP, error) {
633 // See the comment in readTCP above.
634 conn.SetReadDeadline(time.Now().Add(timeout))
638 m := srv.udpPool.Get().([]byte)
639 n, s, err := ReadFromSessionUDP(conn, m)
648 // WriteMsg implements the ResponseWriter.WriteMsg method.
649 func (w *response) WriteMsg(m *Msg) (err error) {
651 return &Error{err: "WriteMsg called after Close"}
655 if w.tsigSecret != nil { // if no secrets, dont check for the tsig (which is a longer check)
656 if t := m.IsTsig(); t != nil {
657 data, w.tsigRequestMAC, err = TsigGenerate(m, w.tsigSecret[t.Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly)
661 _, err = w.writer.Write(data)
669 _, err = w.writer.Write(data)
673 // Write implements the ResponseWriter.Write method.
674 func (w *response) Write(m []byte) (int, error) {
676 return 0, &Error{err: "Write called after Close"}
681 return WriteToSessionUDP(w.udp, m, w.udpSession)
683 if len(m) > MaxMsgSize {
684 return 0, &Error{err: "message too large"}
688 binary.BigEndian.PutUint16(l, uint16(len(m)))
690 n, err := (&net.Buffers{l, m}).WriteTo(w.tcp)
693 panic("dns: internal error: udp and tcp both nil")
697 // LocalAddr implements the ResponseWriter.LocalAddr method.
698 func (w *response) LocalAddr() net.Addr {
701 return w.udp.LocalAddr()
703 return w.tcp.LocalAddr()
705 panic("dns: internal error: udp and tcp both nil")
709 // RemoteAddr implements the ResponseWriter.RemoteAddr method.
710 func (w *response) RemoteAddr() net.Addr {
712 case w.udpSession != nil:
713 return w.udpSession.RemoteAddr()
715 return w.tcp.RemoteAddr()
717 panic("dns: internal error: udpSession and tcp both nil")
721 // TsigStatus implements the ResponseWriter.TsigStatus method.
722 func (w *response) TsigStatus() error { return w.tsigStatus }
724 // TsigTimersOnly implements the ResponseWriter.TsigTimersOnly method.
725 func (w *response) TsigTimersOnly(b bool) { w.tsigTimersOnly = b }
727 // Hijack implements the ResponseWriter.Hijack method.
728 func (w *response) Hijack() { w.hijacked = true }
730 // Close implements the ResponseWriter.Close method
731 func (w *response) Close() error {
733 return &Error{err: "connection already closed"}
739 // Can't close the udp conn, as that is actually the listener.
744 panic("dns: internal error: udp and tcp both nil")
748 // ConnectionState() implements the ConnectionStater.ConnectionState() interface.
749 func (w *response) ConnectionState() *tls.ConnectionState {
750 type tlsConnectionStater interface {
751 ConnectionState() tls.ConnectionState
753 if v, ok := w.tcp.(tlsConnectionStater); ok {
754 t := v.ConnectionState()