// LookupCAA uses a DNSSEC-enabled query to find all CAA records associated with // the provided hostname. If the query fails due to DNSSEC, error will be // set to ErrorDNSSEC. func (dnsResolver *DNSResolver) LookupCAA(domain string, alias bool) ([]*dns.CAA, error) { if alias { // Check if there is a CNAME record for domain canonName, err := dnsResolver.LookupCNAME(domain) if err != nil { return nil, err } if canonName == "" || canonName == domain { return []*dns.CAA{}, nil } domain = canonName } m := new(dns.Msg) m.SetQuestion(dns.Fqdn(domain), dns.TypeCAA) r, _, err := dnsResolver.LookupDNSSEC(m) if err != nil { return nil, err } var CAAs []*dns.CAA for _, answer := range r.Answer { if answer.Header().Rrtype == dns.TypeCAA { caaR, ok := answer.(*dns.CAA) if !ok { err = errors.New("Badly formatted record") return nil, err } CAAs = append(CAAs, caaR) } } return CAAs, nil }
// LookupHost uses a DNSSEC-enabled query to find all A/AAAA records associated with // the provided hostname. If the query fails due to DNSSEC, error will be // set to ErrorDNSSEC. func (dnsResolver *DNSResolver) LookupHost(hostname string) ([]net.IP, time.Duration, error) { var addrs []net.IP var answers []dns.RR m := new(dns.Msg) m.SetQuestion(dns.Fqdn(hostname), dns.TypeA) r, aRtt, err := dnsResolver.LookupDNSSEC(m) if err != nil { return addrs, aRtt, err } answers = append(answers, r.Answer...) m.SetQuestion(dns.Fqdn(hostname), dns.TypeAAAA) r, aaaaRtt, err := dnsResolver.LookupDNSSEC(m) if err != nil { return addrs, aRtt + aaaaRtt, err } answers = append(answers, r.Answer...) for _, answer := range answers { if answer.Header().Rrtype == dns.TypeA { a := answer.(*dns.A) addrs = append(addrs, a.A) } else if answer.Header().Rrtype == dns.TypeAAAA { aaaa := answer.(*dns.AAAA) addrs = append(addrs, aaaa.AAAA) } } return addrs, aRtt + aaaaRtt, nil }
// exchangeOne performs a single DNS exchange with a randomly chosen server // out of the server list, returning the response, time, and error (if any). // This method sets the DNSSEC OK bit on the message to true before sending // it to the resolver in case validation isn't the resolvers default behaviour. func (dnsResolver *DNSResolverImpl) exchangeOne(hostname string, qtype uint16, msgStats metrics.Scope) (rsp *dns.Msg, err error) { m := new(dns.Msg) // Set question type m.SetQuestion(dns.Fqdn(hostname), qtype) // Set DNSSEC OK bit for resolver m.SetEdns0(4096, true) if len(dnsResolver.Servers) < 1 { err = fmt.Errorf("Not configured with at least one DNS Server") return } dnsResolver.stats.Inc("Rate", 1) // Randomly pick a server chosenServer := dnsResolver.Servers[rand.Intn(len(dnsResolver.Servers))] msg, rtt, err := dnsResolver.DNSClient.Exchange(m, chosenServer) msgStats.TimingDuration("RTT", rtt) if err == nil { msgStats.Inc("Successes", 1) } else { msgStats.Inc("Errors", 1) } return msg, err }
func TestDNSDuplicateServers(t *testing.T) { obj := NewDNSResolver(time.Second*10, []string{"8.8.8.8:53", "8.8.8.8:53"}) m := new(dns.Msg) m.SetQuestion("letsencrypt.org.", dns.TypeSOA) _, _, err := obj.ExchangeOne(m) test.AssertNotError(t, err, "No message") }
// exchangeOne performs a single DNS exchange with a randomly chosen server // out of the server list, returning the response, time, and error (if any). // This method sets the DNSSEC OK bit on the message to true before sending // it to the resolver in case validation isn't the resolvers default behaviour. func (dnsResolver *DNSResolverImpl) exchangeOne(ctx context.Context, hostname string, qtype uint16, msgStats metrics.Scope) (*dns.Msg, error) { m := new(dns.Msg) // Set question type m.SetQuestion(dns.Fqdn(hostname), qtype) // Set DNSSEC OK bit for resolver m.SetEdns0(4096, true) if len(dnsResolver.Servers) < 1 { return nil, fmt.Errorf("Not configured with at least one DNS Server") } dnsResolver.stats.Inc("Rate", 1) // Randomly pick a server chosenServer := dnsResolver.Servers[rand.Intn(len(dnsResolver.Servers))] client := dnsResolver.DNSClient tries := 1 start := dnsResolver.clk.Now() msgStats.Inc("Calls", 1) defer msgStats.TimingDuration("Latency", dnsResolver.clk.Now().Sub(start)) for { msgStats.Inc("Tries", 1) ch := make(chan dnsResp, 1) go func() { rsp, rtt, err := client.Exchange(m, chosenServer) msgStats.TimingDuration("SingleTryLatency", rtt) ch <- dnsResp{m: rsp, err: err} }() select { case <-ctx.Done(): msgStats.Inc("Cancels", 1) msgStats.Inc("Errors", 1) return nil, ctx.Err() case r := <-ch: if r.err != nil { msgStats.Inc("Errors", 1) operr, ok := r.err.(*net.OpError) isRetryable := ok && operr.Temporary() hasRetriesLeft := tries < dnsResolver.maxTries if isRetryable && hasRetriesLeft { tries++ continue } else if isRetryable && !hasRetriesLeft { msgStats.Inc("RanOutOfTries", 1) } } else { msgStats.Inc("Successes", 1) } return r.m, r.err } } }
// ExchangeOne performs a single DNS exchange with a randomly chosen server // out of the server list, returning the response, time, and error (if any). // This method sets the DNSSEC OK bit on the message to true before sending // it to the resolver in case validation isn't the resolvers default behaviour. func (dnsResolver *DNSResolverImpl) ExchangeOne(hostname string, qtype uint16) (rsp *dns.Msg, rtt time.Duration, err error) { m := new(dns.Msg) // Set question type m.SetQuestion(dns.Fqdn(hostname), qtype) // Set DNSSEC OK bit for resolver m.SetEdns0(4096, true) if len(dnsResolver.Servers) < 1 { err = fmt.Errorf("Not configured with at least one DNS Server") return } // Randomly pick a server chosenServer := dnsResolver.Servers[rand.Intn(len(dnsResolver.Servers))] return dnsResolver.DNSClient.Exchange(m, chosenServer) }
// LookupCNAME uses a DNSSEC-enabled query to records for domain and returns either // the target, "", or a if the query fails due to DNSSEC, error will be set to // ErrorDNSSEC. func (dnsResolver *DNSResolver) LookupCNAME(domain string) (string, error) { m := new(dns.Msg) m.SetQuestion(dns.Fqdn(domain), dns.TypeCNAME) r, _, err := dnsResolver.LookupDNSSEC(m) if err != nil { return "", err } for _, answer := range r.Answer { if cname, ok := answer.(*dns.CNAME); ok { return cname.Target, nil } } return "", nil }
// LookupTXT uses a DNSSEC-enabled query to find all TXT records associated with // the provided hostname. If the query fails due to DNSSEC, error will be // set to ErrorDNSSEC. func (dnsResolver *DNSResolver) LookupTXT(hostname string) ([]string, time.Duration, error) { var txt []string m := new(dns.Msg) m.SetQuestion(dns.Fqdn(hostname), dns.TypeTXT) r, rtt, err := dnsResolver.LookupDNSSEC(m) if err != nil { return nil, 0, err } for _, answer := range r.Answer { if answer.Header().Rrtype == dns.TypeTXT { txtRec := answer.(*dns.TXT) for _, field := range txtRec.Txt { txt = append(txt, field) } } } return txt, rtt, err }
func TestDNSSEC(t *testing.T) { goodServer := NewDNSResolver(time.Second*10, []string{"8.8.8.8:53"}) m := new(dns.Msg) m.SetQuestion(dns.Fqdn("sigfail.verteiltesysteme.net"), dns.TypeA) _, _, err := goodServer.LookupDNSSEC(m) test.AssertError(t, err, "DNSSEC failure") _, ok := err.(DNSSECError) test.Assert(t, ok, "Should have been a DNSSECError") m.SetQuestion(dns.Fqdn("sigok.verteiltesysteme.net"), dns.TypeA) _, _, err = goodServer.LookupDNSSEC(m) test.AssertNotError(t, err, "DNSSEC should have worked") badServer := NewDNSResolver(time.Second*10, []string{"127.0.0.1:99"}) _, _, err = badServer.LookupDNSSEC(m) test.AssertError(t, err, "Should have failed") _, ok = err.(DNSSECError) test.Assert(t, !ok, "Shouldn't have been a DNSSECError") }