ProfessionalUwU/echoip-slatecave
1
0
Fork 0
mirror of https://codeberg.org/slatian/service.echoip-slatecave.git synced 2025-07-17 14:33:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Upgrade to hickory 0.25

Browse Source 
This also solves a security advisory that could have lead to a denail of service via the ring crate.
This commit is contained in:
Slatian
2025-03-19 21:19:05 +01:00
parent 7130c0d94a
commit e81ce74a2f
5 changed files with 707 additions and 210 deletions
Download Patch File Download Diff File Expand all files Collapse all files

794
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

4
Cargo.toml
View File

@ -15,8 +15,8 @@ axum = { version = "0.8", features = ["macros"] }
clap = { version = "4.5", features = ["derive"] } clap = { version = "4.5", features = ["derive"] }
env_logger = "0.11" env_logger = "0.11"
governor = "0.8" governor = "0.8"
hickory-proto = "0.24" hickory-proto = "0.25"
hickory-resolver = { version = "0.24", features = ["dns-over-rustls","dns-over-https","dns-over-quic","native-certs"] } hickory-resolver = { version = "0.25", features = ["tls-ring","https-ring","quic-ring","rustls-platform-verifier","system-config"] }
http = "1.2" http = "1.2"
idna = "1.0" idna = "1.0"
log = "0.4" log = "0.4"

5
src/config/dns.rs
View File

@ -1,5 +1,5 @@
use serde::{Deserialize,Serialize}; use serde::{Deserialize,Serialize};
use hickory_resolver::config::Protocol; use hickory_proto::xfer::Protocol;
use hickory_resolver::config::ResolverConfig as HickoryResolverConfig; use hickory_resolver::config::ResolverConfig as HickoryResolverConfig;
use hickory_resolver::config::NameServerConfig; use hickory_resolver::config::NameServerConfig;
@ -43,6 +43,7 @@ pub struct DnsResolverConfig {
pub servers: Vec<SocketAddr>, pub servers: Vec<SocketAddr>,
pub protocol: DnsProtocol, pub protocol: DnsProtocol,
pub tls_dns_name: Option<Arc<str>>, pub tls_dns_name: Option<Arc<str>>,
pub http_endpoint: Option<Arc<str>>,
#[serde(skip_serializing)] //Don't leak our bind address to the outside #[serde(skip_serializing)] //Don't leak our bind address to the outside
pub bind_address: Option<SocketAddr>, pub bind_address: Option<SocketAddr>,
#[serde(default="default_true", alias="trust_nx_responses")] #[serde(default="default_true", alias="trust_nx_responses")]
@ -95,8 +96,8 @@ impl DnsResolverConfig {
socket_addr: *server, socket_addr: *server,
protocol: self.protocol.clone().into(), protocol: self.protocol.clone().into(),
tls_dns_name: self.tls_dns_name.clone().map(|s| s.to_string()), tls_dns_name: self.tls_dns_name.clone().map(|s| s.to_string()),
http_endpoint: self.http_endpoint.as_deref().map(ToString::to_string),
trust_negative_responses: self.trust_negative_responses, trust_negative_responses: self.trust_negative_responses,
tls_config: None,
bind_addr: self.bind_address, bind_addr: self.bind_address,
}); });
} }

38
src/main.rs
View File

@ -22,8 +22,8 @@ use axum_extra::headers;
use axum_extra::TypedHeader; use axum_extra::TypedHeader;
use clap::Parser; use clap::Parser;
use env_logger::Env; use env_logger::Env;
use hickory_resolver::Name; use hickory_resolver::{name_server::TokioConnectionProvider, system_conf::read_system_conf, Name, ResolveError, Resolver};
use hickory_resolver::TokioAsyncResolver; use hickory_resolver::TokioResolver;
use log::{info,warn,error}; use log::{info,warn,error};
use regex::Regex; use regex::Regex;
use serde::{Deserialize,Serialize}; use serde::{Deserialize,Serialize};
@ -108,7 +108,7 @@ pub struct DigResult {
struct ServiceSharedState { struct ServiceSharedState {
templating_engine: TemplatingEngine, templating_engine: TemplatingEngine,
dns_resolvers: HashMap<Arc<str>,TokioAsyncResolver>, dns_resolvers: HashMap<Arc<str>,TokioResolver>,
dns_resolver_aliases: HashMap<Arc<str>,Arc<str>>, dns_resolver_aliases: HashMap<Arc<str>,Arc<str>>,
asn_db: geoip::MMDBCarrier, asn_db: geoip::MMDBCarrier,
location_db: geoip::MMDBCarrier, location_db: geoip::MMDBCarrier,
@ -215,21 +215,24 @@ async fn main() {
info!("Initalizing dns resolvers ..."); info!("Initalizing dns resolvers ...");
let mut dns_resolver_selectables = Vec::<Selectable>::new(); let mut dns_resolver_selectables = Vec::<Selectable>::new();
let mut dns_resolver_map: HashMap<Arc<str>,TokioAsyncResolver> = HashMap::new(); let mut dns_resolver_map: HashMap<Arc<str>,TokioResolver> = HashMap::new();
let mut dns_resolver_aliases: HashMap<Arc<str>,Arc<str>> = HashMap::new(); let mut dns_resolver_aliases: HashMap<Arc<str>,Arc<str>> = HashMap::new();
if config.dns.enable_system_resolver { if config.dns.enable_system_resolver {
info!("Initalizing System resolver ..."); info!("Initalizing System resolver ...");
let res = TokioAsyncResolver::tokio_from_system_conf(); match initalize_system_resolver() {
let resolver = match res { Ok(resolver) => {
Ok(resolver) => resolver, info!("System resolver successfully Initalized.");
dns_resolver_map.insert(
config.dns.system_resolver_id.clone(),
resolver
);
},
Err(e) => { Err(e) => {
info!("Error while setting up dns resolver: {e}"); error!("Problem setting up system resolver: {e}");
::std::process::exit(1); ::std::process::exit(1);
} }
}; };
dns_resolver_map.insert(config.dns.system_resolver_id.clone(), resolver);
dns_resolver_selectables.push(Selectable { dns_resolver_selectables.push(Selectable {
id: config.dns.system_resolver_id.clone(), id: config.dns.system_resolver_id.clone(),
name: config.dns.system_resolver_name.clone(), name: config.dns.system_resolver_name.clone(),
@ -239,10 +242,10 @@ async fn main() {
for (key, resolver_config) in &config.dns.resolver { for (key, resolver_config) in &config.dns.resolver {
info!("Initalizing {} resolver ...", key); info!("Initalizing {} resolver ...", key);
let resolver = TokioAsyncResolver::tokio( let resolver = TokioResolver::builder_with_config(
resolver_config.to_hickory_resolver_config(), resolver_config.to_hickory_resolver_config(),
Default::default() Default::default()
); ).build();
dns_resolver_map.insert(key.clone(), resolver); dns_resolver_map.insert(key.clone(), resolver);
dns_resolver_selectables.push(Selectable { dns_resolver_selectables.push(Selectable {
id: key.clone(), id: key.clone(),
@ -331,6 +334,17 @@ async fn main() {
.unwrap(); .unwrap();
} }
fn initalize_system_resolver() -> Result<TokioResolver, ResolveError> {
let (system_conf, system_options) = read_system_conf()?;
let mut builder = Resolver::builder_with_config(
system_conf,
TokioConnectionProvider::default()
);
*builder.options_mut() = system_options;
return Ok(builder.build());
}
#[allow(clippy::too_many_arguments)] #[allow(clippy::too_many_arguments)]
async fn settings_query_middleware( async fn settings_query_middleware(
Query(query): Query<SettingsQuery>, Query(query): Query<SettingsQuery>,

76
src/simple_dns.rs
View File

@ -10,12 +10,13 @@ use hickory_proto::rr::{
RData, RData,
record_type::RecordType, record_type::RecordType,
}; };
use hickory_proto::ProtoErrorKind;
use hickory_resolver::{ use hickory_resolver::{
error::ResolveError,
error::ResolveErrorKind,
lookup::Lookup, lookup::Lookup,
Name, Name,
TokioAsyncResolver, ResolveError,
ResolveErrorKind,
TokioResolver,
}; };
use log::{warn,error}; use log::{warn,error};
@ -42,6 +43,7 @@ pub struct DnsLookupResult {
pub dns_error: bool, pub dns_error: bool,
pub nxdomain: bool, pub nxdomain: bool,
pub timeout: bool, pub timeout: bool,
pub too_busy: bool,
pub invalid_name: bool, pub invalid_name: bool,
pub unkown_resolver: bool, pub unkown_resolver: bool,
} }
@ -74,7 +76,7 @@ pub struct SrvRecord {
/* Lookup Functions*/ /* Lookup Functions*/
pub async fn reverse_lookup( pub async fn reverse_lookup(
resolver: &TokioAsyncResolver, resolver: &TokioResolver,
address: &IpAddr, address: &IpAddr,
) -> Option<String> { ) -> Option<String> {
let revese_res = resolver.reverse_lookup(*address); let revese_res = resolver.reverse_lookup(*address);
@ -88,8 +90,16 @@ pub async fn reverse_lookup(
Err(e) => { Err(e) => {
let kind = e.kind(); let kind = e.kind();
match kind { match kind {
ResolveErrorKind::NoRecordsFound { .. } => { ResolveErrorKind::Proto(protocol_error) => {
//Ignore, that just happens … match protocol_error.kind() {
ProtoErrorKind::NoRecordsFound { .. } => {
//Ignore, that just happens …
// TODO: Add NSec when adding support for dnssec
}
_ => {
error!("Reverse lookup on {address} failed with protocol error: {protocol_error}");
}
}
} }
_ => { _ => {
error!("Reverse lookup on {address} failed: {kind}"); error!("Reverse lookup on {address} failed: {kind}");
@ -179,9 +189,7 @@ pub fn integrate_lookup_result(dig_result: &mut DnsLookupResult, lookup_result:
let name = lookup.query().name(); let name = lookup.query().name();
for record in lookup.record_iter() { for record in lookup.record_iter() {
if name == record.name() { if name == record.name() {
if let Some(data) = record.data() { add_record_to_lookup_result(dig_result, record.data());
add_record_to_lookup_result(dig_result, data);
}
} }
//TODO: handle additional responses //TODO: handle additional responses
} }
@ -189,27 +197,35 @@ pub fn integrate_lookup_result(dig_result: &mut DnsLookupResult, lookup_result:
Err(e) => { Err(e) => {
match e.kind() { match e.kind() {
ResolveErrorKind::Message(..) | ResolveErrorKind::Message(..) |
ResolveErrorKind::Msg(..) | ResolveErrorKind::Msg(..) => {
ResolveErrorKind::NoConnections | error!("There was an error message while doing a DNS Lookup: {e}");
ResolveErrorKind::Io(..) |
ResolveErrorKind::Proto(..) => {
dig_result.other_error = true;
error!("There was an error while doing a DNS Lookup: {e}");
},
ResolveErrorKind::Timeout => {
dig_result.timeout = true;
warn!("There was a timeout while doing a DNS Lookup.");
},
ResolveErrorKind::NoRecordsFound{response_code, ..} => {
match response_code {
ResponseCode::NXDomain => dig_result.nxdomain = true,
ResponseCode::NoError => {},
_ => {
error!("The DNS Server returned an error while doing a DNS Lookup: {response_code}");
dig_result.dns_error = true;
},
}
} }
ResolveErrorKind::Proto(protocol_error) => {
match protocol_error.kind() {
ProtoErrorKind::Busy => {
dig_result.too_busy = true;
warn!("A resource was too busy for doing a DNS Lookup.");
},
ProtoErrorKind::Timeout => {
dig_result.timeout = true;
warn!("There was a timeout while doing a DNS Lookup.");
},
ProtoErrorKind::NoRecordsFound { response_code, .. } => {
match response_code {
ResponseCode::NXDomain => dig_result.nxdomain = true,
ResponseCode::NoError => {},
_ => {
error!("The DNS Server returned an error while doing a DNS Lookup: {response_code}");
dig_result.dns_error = true;
},
}
}
_ => {
dig_result.other_error = true;
error!("There was an error while doing a DNS Lookup: {protocol_error}");
}
}
},
_ => { /*Ignore for now*/ }, _ => { /*Ignore for now*/ },
} }
} }
@ -220,7 +236,7 @@ pub fn integrate_lookup_result(dig_result: &mut DnsLookupResult, lookup_result:
// If do_full_lookup is false only the A and AAAA (CNAMEs planned for the future) // If do_full_lookup is false only the A and AAAA (CNAMEs planned for the future)
// records will be fetched. // records will be fetched.
pub async fn lookup( pub async fn lookup(
resolver: &TokioAsyncResolver, resolver: &TokioResolver,
name: &Name, name: &Name,
do_full_lookup: bool, do_full_lookup: bool,
) -> DnsLookupResult { ) -> DnsLookupResult {