@ -24,6 +24,7 @@ import (
dns "golang.org/x/net/dns/dnsmessage"
dns "golang.org/x/net/dns/dnsmessage"
"inet.af/netaddr"
"inet.af/netaddr"
"tailscale.com/net/netns"
"tailscale.com/net/netns"
"tailscale.com/types/dnstype"
"tailscale.com/types/logger"
"tailscale.com/types/logger"
"tailscale.com/util/dnsname"
"tailscale.com/util/dnsname"
"tailscale.com/wgengine/monitor"
"tailscale.com/wgengine/monitor"
@ -133,8 +134,8 @@ type route struct {
// resolverAndDelay is an upstream DNS resolver and a delay for how
// resolverAndDelay is an upstream DNS resolver and a delay for how
// long to wait before querying it.
// long to wait before querying it.
type resolverAndDelay struct {
type resolverAndDelay struct {
// ipp is the upstream resolver.
// name is the upstream resolver.
ipp netaddr . IPPort
name dnstype . Resolver
// startDelay is an amount to delay this resolver at
// startDelay is an amount to delay this resolver at
// start. It's used when, say, there are four Google or
// start. It's used when, say, there are four Google or
@ -158,7 +159,7 @@ type forwarder struct {
mu sync . Mutex // guards following
mu sync . Mutex // guards following
dohClient map [ netaddr . IP ] * http . Client
dohClient map [ string ] * http . Client // urlBase -> client
// routes are per-suffix resolvers to use, with
// routes are per-suffix resolvers to use, with
// the most specific routes first.
// the most specific routes first.
@ -192,11 +193,11 @@ func (f *forwarder) Close() error {
return nil
return nil
}
}
// resolversWithDelays maps from a set of DNS server ip:ports (currently
// resolversWithDelays maps from a set of DNS server names to a slice of
// the port is always 53) to a slice of a type that included a
// a type that included a startDelay. So if resolvers contains e.g. four
// startDelay. So if ipps contains e.g. four Google DNS IPs (two IPv4
// Google DNS IPs (two IPv4 + twoIPv6), this function partition adds
// + twoIPv6), this function partition adds delays to some.
// delays to some.
func resolversWithDelays ( ipps [ ] netaddr . IPPort ) [ ] resolverAndDelay {
func resolversWithDelays ( resolvers [ ] dnstype . Resolver ) [ ] resolverAndDelay {
type hostAndFam struct {
type hostAndFam struct {
host string // some arbitrary string representing DNS host (currently the DoH base)
host string // some arbitrary string representing DNS host (currently the DoH base)
bits uint8 // either 32 or 128 for IPv4 vs IPv6s address family
bits uint8 // either 32 or 128 for IPv4 vs IPv6s address family
@ -206,47 +207,49 @@ func resolversWithDelays(ipps []netaddr.IPPort) []resolverAndDelay {
// per address family.
// per address family.
total := map [ hostAndFam ] int { }
total := map [ hostAndFam ] int { }
rr := make ( [ ] resolverAndDelay , len ( ipps ) )
rr := make ( [ ] resolverAndDelay , len ( resolvers ) )
for _ , ipp := range ipps {
for _ , r := range resolvers {
ip := ipp . IP ( )
if ip , err := netaddr . ParseIP ( r . Addr ) ; err == nil {
if host , ok := knownDoH [ ip ] ; ok {
if host , ok := knownDoH [ ip ] ; ok {
total [ hostAndFam { host , ip . BitLen ( ) } ] ++
total [ hostAndFam { host , ip . BitLen ( ) } ] ++
}
}
}
}
}
done := map [ hostAndFam ] int { }
done := map [ hostAndFam ] int { }
for i , ipp := range ipps {
for i , r := range resolvers {
ip := ipp . IP ( )
var startDelay time . Duration
var startDelay time . Duration
if host , ok := knownDoH [ ip ] ; ok {
if ip , err := netaddr . ParseIP ( r . Addr ) ; err == nil {
key4 := hostAndFam { host , 32 }
if host , ok := knownDoH [ ip ] ; ok {
key6 := hostAndFam { host , 128 }
key4 := hostAndFam { host , 32 }
switch {
key6 := hostAndFam { host , 128 }
case ip . Is4 ( ) :
switch {
if done [ key4 ] > 0 {
case ip . Is4 ( ) :
startDelay += wellKnownHostBackupDelay
if done [ key4 ] > 0 {
}
startDelay += wellKnownHostBackupDelay
case ip . Is6 ( ) :
}
total4 := total [ key4 ]
case ip . Is6 ( ) :
if total4 >= 2 {
total4 := total [ key4 ]
// If we have two IPv4 IPs of the same provider
if total4 >= 2 {
// already in the set, delay the IPv6 queries
// If we have two IPv4 IPs of the same provider
// until halfway through the timeout (so wait
// already in the set, delay the IPv6 queries
// 2.5 seconds). Even the network is IPv6-only,
// until halfway through the timeout (so wait
// the DoH dialer will fallback to IPv6
// 2.5 seconds). Even the network is IPv6-only,
// immediately anyway.
// the DoH dialer will fallback to IPv6
startDelay = responseTimeout / 2
// immediately anyway.
} else if total4 == 1 {
startDelay = responseTimeout / 2
startDelay += wellKnownHostBackupDelay
} else if total4 == 1 {
}
startDelay += wellKnownHostBackupDelay
if done [ key6 ] > 0 {
}
startDelay += wellKnownHostBackupDelay
if done [ key6 ] > 0 {
startDelay += wellKnownHostBackupDelay
}
}
}
done [ hostAndFam { host , ip . BitLen ( ) } ] ++
}
}
done [ hostAndFam { host , ip . BitLen ( ) } ] ++
}
}
rr [ i ] = resolverAndDelay {
rr [ i ] = resolverAndDelay {
ipp: ipp ,
name: r ,
startDelay : startDelay ,
startDelay : startDelay ,
}
}
}
}
@ -257,12 +260,12 @@ func resolversWithDelays(ipps []netaddr.IPPort) []resolverAndDelay {
// Resolver.SetConfig on reconfig.
// Resolver.SetConfig on reconfig.
//
//
// The memory referenced by routesBySuffix should not be modified.
// The memory referenced by routesBySuffix should not be modified.
func ( f * forwarder ) setRoutes ( routesBySuffix map [ dnsname . FQDN ] [ ] netaddr. IPPort ) {
func ( f * forwarder ) setRoutes ( routesBySuffix map [ dnsname . FQDN ] [ ] dnstype. Resolver ) {
routes := make ( [ ] route , 0 , len ( routesBySuffix ) )
routes := make ( [ ] route , 0 , len ( routesBySuffix ) )
for suffix , ipp s := range routesBySuffix {
for suffix , r s := range routesBySuffix {
routes = append ( routes , route {
routes = append ( routes , route {
Suffix : suffix ,
Suffix : suffix ,
Resolvers : resolversWithDelays ( ipp s) ,
Resolvers : resolversWithDelays ( r s) ,
} )
} )
}
}
// Sort from longest prefix to shortest.
// Sort from longest prefix to shortest.
@ -296,18 +299,19 @@ func (f *forwarder) packetListener(ip netaddr.IP) (packetListener, error) {
return lc , nil
return lc , nil
}
}
func ( f * forwarder ) get DoHClient( ip netaddr . IP ) ( urlBase string , c * http . Client , ok bool ) {
func ( f * forwarder ) get Known DoHClient( ip netaddr . IP ) ( urlBase string , c * http . Client , ok bool ) {
urlBase , ok = knownDoH [ ip ]
urlBase , ok = knownDoH [ ip ]
if ! ok {
if ! ok {
return
return
}
}
f . mu . Lock ( )
f . mu . Lock ( )
defer f . mu . Unlock ( )
defer f . mu . Unlock ( )
if c , ok := f . dohClient [ ip ] ; ok {
if c , ok := f . dohClient [ urlBase ] ; ok {
return urlBase , c , true
return urlBase , c , true
}
}
if f . dohClient == nil {
if f . dohClient == nil {
f . dohClient = map [ netaddr . IP ] * http . Client { }
f . dohClient = map [ string ] * http . Client { }
}
}
nsDialer := netns . NewDialer ( )
nsDialer := netns . NewDialer ( )
c = & http . Client {
c = & http . Client {
@ -330,7 +334,7 @@ func (f *forwarder) getDoHClient(ip netaddr.IP) (urlBase string, c *http.Client,
} ,
} ,
} ,
} ,
}
}
f . dohClient [ ip ] = c
f . dohClient [ urlBase ] = c
return urlBase , c , true
return urlBase , c , true
}
}
@ -380,20 +384,32 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
// send sends packet to dst. It is best effort.
// send sends packet to dst. It is best effort.
//
//
// send expects the reply to have the same txid as txidOut.
// send expects the reply to have the same txid as txidOut.
//
func ( f * forwarder ) send ( ctx context . Context , fq * forwardQuery , rr resolverAndDelay ) ( [ ] byte , error ) {
func ( f * forwarder ) send ( ctx context . Context , fq * forwardQuery , dst netaddr . IPPort ) ( [ ] byte , error ) {
if strings . HasPrefix ( rr . name . Addr , "http://" ) {
ip := dst . IP ( )
return nil , fmt . Errorf ( "http:// resolvers not supported yet" )
}
if strings . HasPrefix ( rr . name . Addr , "https://" ) {
return nil , fmt . Errorf ( "https:// resolvers not supported yet" )
}
if strings . HasPrefix ( rr . name . Addr , "tls://" ) {
return nil , fmt . Errorf ( "tls:// resolvers not supported yet" )
}
ipp , err := netaddr . ParseIPPort ( rr . name . Addr )
if err != nil {
return nil , err
}
// Upgrade known DNS IPs to DoH (DNS-over-HTTPs).
// Upgrade known DNS IPs to DoH (DNS-over-HTTPs).
if urlBase , dc , ok := f . getDoHClient ( ip ) ; ok {
// All known DoH is over port 53.
if urlBase , dc , ok := f . getKnownDoHClient ( ipp . IP ( ) ) ; ok {
res , err := f . sendDoH ( ctx , urlBase , dc , fq . packet )
res , err := f . sendDoH ( ctx , urlBase , dc , fq . packet )
if err == nil || ctx . Err ( ) != nil {
if err == nil || ctx . Err ( ) != nil {
return res , err
return res , err
}
}
f . logf ( "DoH error from %v: %v" , ip , err )
f . logf ( "DoH error from %v: %v" , ip p. IP ( ) , err )
}
}
ln , err := f . packetListener ( ip )
ln , err := f . packetListener ( ip p. IP ( ) )
if err != nil {
if err != nil {
return nil , err
return nil , err
}
}
@ -407,7 +423,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, dst netaddr.IPPo
fq . closeOnCtxDone . Add ( conn )
fq . closeOnCtxDone . Add ( conn )
defer fq . closeOnCtxDone . Remove ( conn )
defer fq . closeOnCtxDone . Remove ( conn )
if _ , err := conn . WriteTo ( fq . packet , dst . UDPAddr ( ) ) ; err != nil {
if _ , err := conn . WriteTo ( fq . packet , ipp . UDPAddr ( ) ) ; err != nil {
if err := ctx . Err ( ) ; err != nil {
if err := ctx . Err ( ) ; err != nil {
return nil , err
return nil , err
}
}
@ -525,8 +541,8 @@ func (f *forwarder) forward(query packet) error {
firstErr error
firstErr error
)
)
for _, rr := range resolvers {
for i := range resolvers {
go func ( rr resolverAndDelay ) {
go func ( rr * resolverAndDelay ) {
if rr . startDelay > 0 {
if rr . startDelay > 0 {
timer := time . NewTimer ( rr . startDelay )
timer := time . NewTimer ( rr . startDelay )
select {
select {
@ -536,7 +552,7 @@ func (f *forwarder) forward(query packet) error {
return
return
}
}
}
}
resb , err := f . send ( ctx , fq , rr . ipp )
resb , err := f . send ( ctx , fq , * rr )
if err != nil {
if err != nil {
mu . Lock ( )
mu . Lock ( )
defer mu . Unlock ( )
defer mu . Unlock ( )
@ -549,7 +565,7 @@ func (f *forwarder) forward(query packet) error {
case resc <- resb :
case resc <- resb :
default :
default :
}
}
} ( r r)
} ( & r esolve rs[ i ] )
}
}
select {
select {
@ -638,7 +654,7 @@ func (p *closePool) Close() error {
return nil
return nil
}
}
var knownDoH = map [ netaddr . IP ] string { }
var knownDoH = map [ netaddr . IP ] string { } // 8.8.8.8 => "https://..."
var dohIPsOfBase = map [ string ] [ ] netaddr . IP { }
var dohIPsOfBase = map [ string ] [ ] netaddr . IP { }