Documentation
Overview
Package upstream implements DNS clients for all known DNS encryption protocols.
Constants
```go
const (
	// QUICCodeNoError is used when the connection or stream needs to be closed,
	// but there is no error to signal.
	QUICCodeNoError = quic.ApplicationErrorCode(0)

	// QUICCodeInternalError signals that the DoQ implementation encountered
	// an internal error and is incapable of pursuing the transaction or the
	// connection.
	QUICCodeInternalError = quic.ApplicationErrorCode(1)

	// QUICKeepAlivePeriod is the value that we pass to *quic.Config and that
	// controls the period with which keep-alive frames are sent on the
	// connection. We set it to 20s, as it would be in quic-go@v0.27.1 with the
	// KeepAlive field set to true. This value is specified in
	// https://pkg.go.dev/github.com/lucas-clemente/quic-go/internal/protocol#MaxKeepAliveInterval.
	//
	// TODO(ameshkov): Consider making it configurable.
	QUICKeepAlivePeriod = time.Second * 20
)
```
const ErrNoUpstreams errors.Error = "no upstream specified"
ErrNoUpstreams is returned from the methods that expect at least one upstream to work with when no upstreams are specified.
const NextProtoDQ = "doq"
NextProtoDQ is the ALPN token for DoQ. During connection establishment, DNS-over-QUIC support is indicated by selecting the ALPN token "doq" in the crypto handshake. DoQ is specified in RFC 9250: https://datatracker.ietf.org/doc/rfc9250/.
Variables
var CipherSuites []uint16
CipherSuites is a custom list of TLSv1.2 cipher suites. Go's crypto/tls applies tls.Config.CipherSuites only to TLS 1.2 and earlier; TLS 1.3 cipher suites are fixed by the standard library and cannot be restricted through this list.
var DefaultHTTPVersions = []HTTPVersion{HTTPVersion11, HTTPVersion2}
DefaultHTTPVersions is the list of HTTPVersion that we use by default in the DNS-over-HTTPS client.
var RootCAs *x509.CertPool
RootCAs is the CertPool that is used by all upstreams when verifying server certificates. Redefining RootCAs makes sense on iOS to stay within the 15MB memory limit of NEPacketTunnelProvider. TODO(ameshkov): remove this and replace it with an upstream option.
Functions
func LookupParallel (added in v0.10.0)
LookupParallel starts a parallel lookup of the IP addresses of host using several Resolvers. The first answer that arrives without an error is returned. If every resolver fails, LookupParallel returns nil and an error.
Types
type ExchangeAllResult (added in v0.24.0)
ExchangeAllResult is the result that ExchangeAll collects from one upstream.
func ExchangeAll (added in v0.24.0)
func ExchangeAll(ups []Upstream, req *dns.Msg) (res []ExchangeAllResult, err error)
ExchangeAll sends req to every upstream in ups and collects a response from each of them.
type HTTPVersion (added in v0.45.0)
type HTTPVersion string
HTTPVersion is an enumeration of the HTTP versions that we support. Values that we use in this enumeration are also used as ALPN values.
```go
const (
	// HTTPVersion11 is HTTP/1.1.
	HTTPVersion11 HTTPVersion = "http/1.1"
	// HTTPVersion2 is HTTP/2.
	HTTPVersion2 HTTPVersion = "h2"
	// HTTPVersion3 is HTTP/3.
	HTTPVersion3 HTTPVersion = "h3"
)
```
type Options (added in v0.11.0)
```go
type Options struct {
	// Bootstrap is a list of DNS servers to be used to resolve
	// DNS-over-HTTPS/DNS-over-TLS hostnames. Plain DNS, DNSCrypt, or
	// DNS-over-HTTPS/DNS-over-TLS with IP addresses (not hostnames) can be
	// used.
	Bootstrap []string

	// Timeout is the default upstream timeout. It's also used as a timeout for
	// bootstrap DNS requests. The zero value disables the timeout.
	Timeout time.Duration

	// ServerIPAddrs is a list of IP addresses of the upstream DNS server. If
	// not empty, bootstrap DNS servers won't be used at all.
	ServerIPAddrs []net.IP

	// InsecureSkipVerify disables verifying the server's certificate.
	InsecureSkipVerify bool

	// HTTPVersions is a list of HTTP versions that should be supported by the
	// DNS-over-HTTPS client. If not set, HTTP/1.1 and HTTP/2 will be used.
	HTTPVersions []HTTPVersion

	// VerifyServerCertificate is used to set the VerifyPeerCertificate property
	// of the *tls.Config for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS.
	VerifyServerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

	// VerifyConnection is used to set the VerifyConnection property
	// of the *tls.Config for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS.
	VerifyConnection func(state tls.ConnectionState) error

	// VerifyDNSCryptCertificate is the callback the DNSCrypt server certificate
	// will be passed to. It's called in dnsCrypt.exchangeDNSCrypt.
	// Upstream.Exchange method returns any error caused by it.
	VerifyDNSCryptCertificate func(cert *dnscrypt.Cert) error

	// QUICTracer is an optional object that allows tracing every QUIC
	// connection and logging every packet that goes through.
	QUICTracer logging.Tracer
}
```
Options are passed to AddressToUpstream to configure the properties of the upstream it creates. Note that InsecureSkipVerify switches off both chain validation against RootCAs and the hostname check, so when it is set, VerifyServerCertificate receives nil for verifiedChains and VerifyConnection becomes the only check applied to the server's certificate.
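The package builds the *tls.Config for DoT, DoH and DoQ from these Options itself; the following added example (not the package's own code) mirrors that mapping in plain crypto/tls so the interaction between InsecureSkipVerify and VerifyConnection can be seen. It implements certificate pinning on the SHA-256 of the leaf's SubjectPublicKeyInfo, which is the kind of callback one would hand to Options.VerifyConnection. The helper names (spkiPin, pinVerifier, pinnedTLSConfig, selfSignedCert) and the throwaway certificate are this example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the same value HPKP-style pin sets use.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier builds a callback with the signature of Options.VerifyConnection
// (and tls.Config.VerifyConnection). The handshake is accepted only if the leaf
// certificate's SPKI hash is one of pins.
func pinVerifier(pins []string) func(tls.ConnectionState) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return errors.New("pin: no peer certificate")
		}
		if pin := spkiPin(cs.PeerCertificates[0]); !allowed[pin] {
			return fmt.Errorf("pin: leaf SPKI %s not in pin set", pin)
		}
		return nil
	}
}

// pinnedTLSConfig shows how the two Options fields land in crypto/tls. With
// InsecureSkipVerify set (pinOnly), crypto/tls skips chain building and the
// hostname check, so VerifyConnection is the only thing standing between the
// client and a forged server; leave it false to get pinning in addition to
// normal verification.
func pinnedTLSConfig(serverName string, pins []string, pinOnly bool) *tls.Config {
	return &tls.Config{
		ServerName:         serverName,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: pinOnly,
		VerifyConnection:   pinVerifier(pins),
	}
}

// selfSignedCert constructs a throwaway certificate (test material, not a real
// upstream's certificate) so the verifier can be exercised offline.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, _ := selfSignedCert("dns.example.test")
	other, _ := selfSignedCert("dns.example.test") // same name, different key
	verify := pinVerifier([]string{spkiPin(good)})
	fmt.Println("pinned cert:", verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{good}}))
	fmt.Println("other cert: ", verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{other}}))
}
```

Pinning the SPKI rather than the whole certificate survives routine renewals that keep the key; a second certificate for the same name but a different key is rejected, which is exactly what a forged server would present.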
type Resolver (added in v0.10.0)
type Resolver struct {
// contains filtered or unexported fields
}
Resolver is a wrapper for a net.Resolver and its address.
func NewResolver (added in v0.10.0)
NewResolver creates a Resolver around a net.Resolver that sends its queries to resolverAddress. The host in the address parameter of the resolver's Dial func will always be a literal IP address (from the net package documentation). options are the upstream customization options; nil means use the default options.
type TLSPool
type TLSPool struct {
// contains filtered or unexported fields
}
TLSPool is a connections pool for the DNS-over-TLS Upstream.
Example (uses github.com/miekg/dns for the message types):

```go
pool := TLSPool{Address: "tls://1.1.1.1:853"}

// Take a connection from the pool (a new one is dialed if none is idle).
netConn, err := pool.Get()
if err != nil {
	panic(err)
}
c := dns.Conn{Conn: netConn}

q := dns.Msg{}
q.SetQuestion("google.com.", dns.TypeA)
log.Println(q)

err = c.WriteMsg(&q)
if err != nil {
	panic(err)
}
r, err := c.ReadMsg()
if err != nil {
	panic(err)
}
log.Println(r)

// Return the connection so the next exchange can reuse the TLS session.
pool.Put(c.Conn)
```
func (*TLSPool) Create (added in v0.9.10)
Create creates a new connection for the pool (but does not put it there).
type Upstream
```go
type Upstream interface {
	// Exchange sends the DNS query m to this upstream and returns the response
	// that has been received or an error if something went wrong.
	Exchange(m *dns.Msg) (*dns.Msg, error)

	// Address returns the address of the upstream DNS resolver.
	Address() string

	io.Closer
}
```
Upstream is an interface for a DNS resolver.
func AddressToUpstream
AddressToUpstream converts addr to an Upstream instance:
- 8.8.8.8:53 or udp://dns.adguard.com for plain DNS;
- tcp://8.8.8.8:53 for plain DNS-over-TCP;
- tls://1.1.1.1 for DNS-over-TLS;
- https://dns.adguard.com/dns-query for DNS-over-HTTPS;
- h3://dns.google for DNS-over-HTTPS that only works with HTTP/3;
- sdns://... for DNS stamp, see https://dnscrypt.info/stamps-specifications.
opts are applied to the returned Upstream; nil is a valid value for opts. When the address carries a hostname rather than an IP literal, that name has to be resolved through Options.Bootstrap (or taken from Options.ServerIPAddrs) before the encrypted connection can be opened; the bootstrap lookup itself may travel over plain DNS, which is why certificate verification of the hostname should not be disabled for such upstreams.
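The following added example (not the package's own parser) walks through the address forms listed above and shows what has to be decided before an upstream can be dialed: the transport, the host, the port when none is given, and whether the host is a name that needs bootstrapping. The type and function names (upstreamSpec, classifyUpstream, finish) are this example's own; the default ports are the IANA assignments (53 for plain DNS, 853 for DoT per RFC 7858, 443 for DoH), and it is an assumption that the package fills in the same defaults. DNS stamps (sdns://) are only recognised, not decoded.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// upstreamSpec is what classifyUpstream extracts from an address string. The
// field names are this example's own, not the package's.
type upstreamSpec struct {
	Proto          string // "udp", "tcp", "tls", "https" or "sdns"
	Host           string // hostname or IP literal as written
	Port           string // explicit port, or the protocol default
	Path           string // DoH request path, if any
	HTTP3Only      bool   // true for h3://
	NeedsBootstrap bool   // Host is a name, so Options.Bootstrap or ServerIPAddrs is required
}

// defaultPorts are the IANA defaults for each scheme.
var defaultPorts = map[string]string{"udp": "53", "tcp": "53", "tls": "853", "https": "443"}

func classifyUpstream(addr string) (upstreamSpec, error) {
	var spec upstreamSpec
	// A DNS stamp carries protocol, address and keys in its base64url body;
	// decoding it is out of scope here, so it is reported as-is.
	if strings.HasPrefix(addr, "sdns://") {
		return upstreamSpec{Proto: "sdns", Host: strings.TrimPrefix(addr, "sdns://")}, nil
	}
	// Bare "ip:port", "ip" or "[ipv6]:port" without a scheme is plain DNS over UDP.
	if !strings.Contains(addr, "://") {
		host, port, err := net.SplitHostPort(addr)
		if err != nil { // no port given (or a bare IPv6 literal)
			host, port = strings.Trim(addr, "[]"), defaultPorts["udp"]
		}
		return finish(upstreamSpec{Proto: "udp", Host: host, Port: port}, addr)
	}
	u, err := url.Parse(addr)
	if err != nil {
		return spec, err
	}
	switch u.Scheme {
	case "h3": // DoH restricted to HTTP/3
		spec = upstreamSpec{Proto: "https", HTTP3Only: true}
	case "udp", "tcp", "tls", "https":
		spec = upstreamSpec{Proto: u.Scheme}
	default:
		return spec, fmt.Errorf("unsupported scheme %q in %s", u.Scheme, addr)
	}
	spec.Host, spec.Port, spec.Path = u.Hostname(), u.Port(), u.Path
	if spec.Port == "" {
		spec.Port = defaultPorts[spec.Proto]
	}
	return finish(spec, addr)
}

// finish validates the host and decides whether bootstrapping is needed: a
// hostname has to be resolved before the encrypted connection can be opened,
// and that lookup goes to Options.Bootstrap unless Options.ServerIPAddrs is set.
func finish(spec upstreamSpec, addr string) (upstreamSpec, error) {
	if spec.Host == "" {
		return spec, errors.New("empty host in " + addr)
	}
	spec.NeedsBootstrap = net.ParseIP(spec.Host) == nil
	return spec, nil
}

func main() {
	for _, addr := range []string{
		"8.8.8.8:53", "udp://dns.adguard.com", "tcp://8.8.8.8:53", "tls://1.1.1.1",
		"https://dns.adguard.com/dns-query", "h3://dns.google", "[2606:4700:4700::1111]:53",
	} {
		spec, err := classifyUpstream(addr)
		fmt.Printf("%-36s %+v %v\n", addr, spec, err)
	}
}
```

The NeedsBootstrap flag is the security-relevant output: for "tls://1.1.1.1" the client can connect directly and the certificate is checked against the IP, while for "https://dns.adguard.com/dns-query" an attacker who can answer the bootstrap query chooses the IP the client talks to, and only the TLS hostname check stops that from becoming a working interception.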
func ExchangeParallel (added in v0.10.0)
ExchangeParallel sends the DNS request to all of the given upstreams at once. The first answer that arrives without an error is returned. If every upstream fails, ExchangeParallel returns nil and an error.