Merge branch 'master' into 1914-refused-blocking-mode

dnsforward/config.go

@@ -9,12 +9,11 @@ import (
 	"net/http"
 	"sort"
 
-	"github.com/AdguardTeam/golibs/log"
-	"github.com/joomcode/errorx"
-
 	"github.com/AdguardTeam/AdGuardHome/dnsfilter"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/joomcode/errorx"
 )
 
 // FilteringConfig represents the DNS filtering configuration of AdGuard Home
@@ -92,6 +91,7 @@ type FilteringConfig struct {
 // TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
 type TLSConfig struct {
 	TLSListenAddr  *net.TCPAddr `yaml:"-" json:"-"`
+	QUICListenAddr *net.UDPAddr `yaml:"-" json:"-"`
 	StrictSNICheck bool         `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
 
 	CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
@@ -215,6 +215,18 @@ func (s *Server) initDefaultSettings() {
 
 // prepareUpstreamSettings - prepares upstream DNS server settings
 func (s *Server) prepareUpstreamSettings() error {
+	// We're setting a customized set of RootCAs
+	// The reason is that Go default mechanism of loading TLS roots
+	// does not always work properly on some routers so we're
+	// loading roots manually and pass it here.
+	// See "util.LoadSystemRootCAs"
+	upstream.RootCAs = s.conf.TLSv12Roots
+
+	// See util.InitTLSCiphers -- removed unsafe ciphers
+	if len(s.conf.TLSCiphers) > 0 {
+		upstream.CipherSuites = s.conf.TLSCiphers
+	}
+
 	upstreamConfig, err := proxy.ParseUpstreamsConfig(s.conf.UpstreamDNS, s.conf.BootstrapDNS, DefaultTimeout)
 	if err != nil {
 		return fmt.Errorf("DNS: proxy.ParseUpstreamsConfig: %s", err)
@@ -235,36 +247,49 @@ func (s *Server) prepareIntlProxy() {
 
 // prepareTLS - prepares TLS configuration for the DNS proxy
 func (s *Server) prepareTLS(proxyConfig *proxy.Config) error {
-	if s.conf.TLSListenAddr != nil && len(s.conf.CertificateChainData) != 0 && len(s.conf.PrivateKeyData) != 0 {
+	if len(s.conf.CertificateChainData) == 0 || len(s.conf.PrivateKeyData) == 0 {
+		return nil
+	}
+
+	if s.conf.TLSListenAddr == nil &&
+		s.conf.QUICListenAddr == nil {
+		return nil
+	}
+
+	if s.conf.TLSListenAddr != nil {
 		proxyConfig.TLSListenAddr = []*net.TCPAddr{s.conf.TLSListenAddr}
-		var err error
-		s.conf.cert, err = tls.X509KeyPair(s.conf.CertificateChainData, s.conf.PrivateKeyData)
+	}
+
+	if s.conf.QUICListenAddr != nil {
+		proxyConfig.QUICListenAddr = []*net.UDPAddr{s.conf.QUICListenAddr}
+	}
+
+	var err error
+	s.conf.cert, err = tls.X509KeyPair(s.conf.CertificateChainData, s.conf.PrivateKeyData)
+	if err != nil {
+		return errorx.Decorate(err, "Failed to parse TLS keypair")
+	}
+
+	if s.conf.StrictSNICheck {
+		x, err := x509.ParseCertificate(s.conf.cert.Certificate[0])
 		if err != nil {
-			return errorx.Decorate(err, "Failed to parse TLS keypair")
+			return errorx.Decorate(err, "x509.ParseCertificate(): %s", err)
 		}
-
-		if s.conf.StrictSNICheck {
-			x, err := x509.ParseCertificate(s.conf.cert.Certificate[0])
-			if err != nil {
-				return errorx.Decorate(err, "x509.ParseCertificate(): %s", err)
-			}
-			if len(x.DNSNames) != 0 {
-				s.conf.dnsNames = x.DNSNames
-				log.Debug("DNS: using DNS names from certificate's SAN: %v", x.DNSNames)
-				sort.Strings(s.conf.dnsNames)
-			} else {
-				s.conf.dnsNames = append(s.conf.dnsNames, x.Subject.CommonName)
-				log.Debug("DNS: using DNS name from certificate's CN: %s", x.Subject.CommonName)
-			}
-		}
-
-		proxyConfig.TLSConfig = &tls.Config{
-			GetCertificate: s.onGetCertificate,
-			MinVersion:     tls.VersionTLS12,
+		if len(x.DNSNames) != 0 {
+			s.conf.dnsNames = x.DNSNames
+			log.Debug("DNS: using DNS names from certificate's SAN: %v", x.DNSNames)
+			sort.Strings(s.conf.dnsNames)
+		} else {
+			s.conf.dnsNames = append(s.conf.dnsNames, x.Subject.CommonName)
+			log.Debug("DNS: using DNS name from certificate's CN: %s", x.Subject.CommonName)
 		}
 	}
-	upstream.RootCAs = s.conf.TLSv12Roots
-	upstream.CipherSuites = s.conf.TLSCiphers
+
+	proxyConfig.TLSConfig = &tls.Config{
+		GetCertificate: s.onGetCertificate,
+		MinVersion:     tls.VersionTLS12,
+	}
+
 	return nil
 }
 

dnsforward/dnsforward_http.go

@@ -270,7 +270,7 @@ func ValidateUpstreams(upstreams []string) error {
 	return nil
 }
 
-var protocols = []string{"tls://", "https://", "tcp://", "sdns://"}
+var protocols = []string{"tls://", "https://", "tcp://", "sdns://", "quic://"}
 
 func validateUpstream(u string) (bool, error) {
 	// Check if user tries to specify upstream for domain

dnsforward/dnsforward_test.go

@@ -8,6 +8,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"fmt"
 	"math/big"
 	"net"
 	"sort"
@@ -128,6 +129,41 @@ func TestDotServer(t *testing.T) {
 	}
 }
 
+func TestDoqServer(t *testing.T) {
+	// Prepare the proxy server
+	_, certPem, keyPem := createServerTLSConfig(t)
+	s := createTestServer(t)
+
+	s.conf.TLSConfig = TLSConfig{
+		QUICListenAddr:       &net.UDPAddr{Port: 0},
+		CertificateChainData: certPem,
+		PrivateKeyData:       keyPem,
+	}
+
+	_ = s.Prepare(nil)
+	// Starting the server
+	err := s.Start()
+	assert.Nil(t, err)
+
+	// Create a DNS-over-QUIC upstream
+	addr := s.dnsProxy.Addr(proxy.ProtoQUIC)
+	opts := upstream.Options{InsecureSkipVerify: true}
+	u, err := upstream.AddressToUpstream(fmt.Sprintf("quic://%s", addr), opts)
+	assert.Nil(t, err)
+
+	// Send the test message
+	req := createGoogleATestMessage()
+	res, err := u.Exchange(req)
+	assert.Nil(t, err)
+	assertGoogleAResponse(t, res)
+
+	// Stop the proxy
+	err = s.Stop()
+	if err != nil {
+		t.Fatalf("DNS server failed to stop: %s", err)
+	}
+}
+
 func TestServerRace(t *testing.T) {
 	s := createTestServer(t)
 	err := s.Start()