PowerDNS / pdns / 12268421405

/*

 * This file is part of PowerDNS or dnsdist.

 * Copyright -- PowerDNS.COM B.V. and its contributors

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of version 2 of the GNU General Public License as

 * published by the Free Software Foundation.

 *

 * In addition, for the avoidance of any doubt, permission is granted to

 * link this program with OpenSSL and to (re)distribute the binaries

 * produced as the result of such linking.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

 */

#pragma once

#include "config.h"

#include <condition_variable>

#include <memory>

#include <mutex>

#include <string>

#include <thread>

#include <time.h>

#include <unistd.h>

#include <unordered_map>

#include "bpf-filter.hh"

#include "circular_buffer.hh"

#include "dnsdist-idstate.hh"

#include "dnsdist-lbpolicies.hh"

#include "dnsdist-protocols.hh"

#include "dnsname.hh"

#include "dnsdist-doh-common.hh"

#include "doq.hh"

#include "doh3.hh"

#include "ednsoptions.hh"

#include "iputils.hh"

#include "misc.hh"

#include "mplexer.hh"

#include "noinitvector.hh"

#include "uuid-utils.hh"

#include "proxy-protocol.hh"

#include "stat_t.hh"

uint64_t uptimeOfProcess(const std::string& str);

using QTag = std::unordered_map<string, string>;

class IncomingTCPConnectionState;

struct ClientState;

struct DNSQuestion

{

  DNSQuestion(InternalQueryState& ids_, PacketBuffer& data_);

  DNSQuestion(const DNSQuestion&) = delete;

  DNSQuestion& operator=(const DNSQuestion&) = delete;

  std::string getTrailingData() const;

  bool setTrailingData(const std::string&);

  const PacketBuffer& getData() const

  PacketBuffer& getMutableData()

  bool editHeader(const std::function<bool(dnsheader&)>& editFunction);

  const dnsheader_aligned getHeader() const

  /* this function is not safe against unaligned access, you should

     use editHeader() instead, but we need it for the Lua bindings */

  dnsheader* getMutableHeader() const

    // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)

  bool hasRoomFor(size_t more) const

  size_t getMaximumSize() const

  dnsdist::Protocol getProtocol() const

  bool overTCP() const

  void setTag(std::string&& key, std::string&& value)

  void setTag(const std::string& key, const std::string& value)

  void setTag(const std::string& key, std::string&& value)

  const struct timespec& getQueryRealTime() const

  bool isAsynchronous() const

  std::shared_ptr<IncomingTCPConnectionState> getIncomingTCPState() const

  ClientState* getFrontend() const

protected:

  PacketBuffer& data;

public:

  InternalQueryState& ids;

  std::unique_ptr<Netmask> ecs{nullptr};

  std::string sni; /* Server Name Indication, if any (DoT or DoH) */

  mutable std::unique_ptr<EDNSOptionViewMap> ednsOptions; /* this needs to be mutable because it is parsed just in time, when DNSQuestion is read-only */

  std::shared_ptr<IncomingTCPConnectionState> d_incomingTCPState{nullptr};

  std::unique_ptr<std::vector<ProxyProtocolValue>> proxyProtocolValues{nullptr};

  uint16_t ecsPrefixLength;

  uint8_t ednsRCode{0};

  bool ecsOverride;

  bool useECS{true};

  bool asynchronous{false};

};

struct DownstreamState;

struct DNSResponse : DNSQuestion

{

  DNSResponse(InternalQueryState& ids_, PacketBuffer& data_, const std::shared_ptr<DownstreamState>& downstream) :

  DNSResponse(const DNSResponse&) = delete;

  DNSResponse& operator=(const DNSResponse&) = delete;

  DNSResponse(DNSResponse&&) = default;

  const std::shared_ptr<DownstreamState>& d_downstream;

};

using pdns::stat_t;

class BasicQPSLimiter

{

public:

  BasicQPSLimiter()

  BasicQPSLimiter(unsigned int burst) :

    d_tokens(burst)

  virtual ~BasicQPSLimiter()

  bool check(unsigned int rate, unsigned int burst) const // this is not quite fair

  bool checkOnly(unsigned int rate, unsigned int burst) const // this is not quite fair

  virtual void addHit() const

  bool seenSince(const struct timespec& cutOff) const

protected:

  mutable StopWatch d_prev;

  mutable double d_tokens{0.0};

};

class QPSLimiter : public BasicQPSLimiter

{

public:

  QPSLimiter() :

    BasicQPSLimiter()

  QPSLimiter(unsigned int rate, unsigned int burst) :

    BasicQPSLimiter(burst), d_rate(rate), d_burst(burst), d_passthrough(false)

  unsigned int getRate() const

  bool check() const // this is not quite fair

  bool checkOnly() const

  void addHit() const override

private:

  unsigned int d_rate{0};

  unsigned int d_burst{0};

  bool d_passthrough{true};

};

class XskPacket;

class XskSocket;

class XskWorker;

class DNSCryptContext;

struct ClientState

{

  ClientState(const ComboAddress& local_, bool isTCP_, bool doReusePort, int fastOpenQueue, const std::string& itfName, const std::set<int>& cpus_, bool enableProxyProtocol) :

    cpus(cpus_), interface(itfName), local(local_), fastOpenQueueSize(fastOpenQueue), tcp(isTCP_), reuseport(doReusePort), d_enableProxyProtocol(enableProxyProtocol)

  stat_t queries{0};

  stat_t nonCompliantQueries{0};

  mutable stat_t responses{0};

  mutable stat_t tcpDiedReadingQuery{0};

  mutable stat_t tcpDiedSendingResponse{0};

  mutable stat_t tcpGaveUp{0};

  mutable stat_t tcpClientTimeouts{0};

  mutable stat_t tcpDownstreamTimeouts{0};

  /* current number of connections to this frontend */

  mutable stat_t tcpCurrentConnections{0};

  /* maximum number of concurrent connections to this frontend reached */

  mutable stat_t tcpMaxConcurrentConnections{0};

  stat_t tlsNewSessions{0}; // A new TLS session has been negotiated, no resumption

  stat_t tlsResumptions{0}; // A TLS session has been resumed, either via session id or via a TLS ticket

  stat_t tlsUnknownTicketKey{0}; // A TLS ticket has been presented but we don't have the associated key (might have expired)

  stat_t tlsInactiveTicketKey{0}; // A TLS ticket has been successfully resumed but the key is no longer active, we should issue a new one

  stat_t tls10queries{0}; // valid DNS queries received via TLSv1.0

  stat_t tls11queries{0}; // valid DNS queries received via TLSv1.1

  stat_t tls12queries{0}; // valid DNS queries received via TLSv1.2

  stat_t tls13queries{0}; // valid DNS queries received via TLSv1.3

  stat_t tlsUnknownqueries{0}; // valid DNS queries received via unknown TLS version

  pdns::stat_double_t tcpAvgQueriesPerConnection{0.0};

  /* in ms */

  pdns::stat_double_t tcpAvgConnectionDuration{0.0};

  std::set<int> cpus;

  std::string interface;

  ComboAddress local;

  std::vector<std::pair<ComboAddress, int>> d_additionalAddresses;

  std::shared_ptr<DNSCryptContext> dnscryptCtx{nullptr};

  std::shared_ptr<TLSFrontend> tlsFrontend{nullptr};

  std::shared_ptr<DOHFrontend> dohFrontend{nullptr};

  std::shared_ptr<DOQFrontend> doqFrontend{nullptr};

  std::shared_ptr<DOH3Frontend> doh3Frontend{nullptr};

  std::shared_ptr<BPFFilter> d_filter{nullptr};

  std::shared_ptr<XskWorker> xskInfo{nullptr};

  std::shared_ptr<XskWorker> xskInfoResponder{nullptr};

  size_t d_maxInFlightQueriesPerConn{1};

  size_t d_tcpConcurrentConnectionsLimit{0};

  int udpFD{-1};

  int tcpFD{-1};

  int tcpListenQueueSize{SOMAXCONN};

  int fastOpenQueueSize{0};

  bool muted{false};

  bool tcp;

  bool reuseport;

  bool d_enableProxyProtocol{true}; // the global proxy protocol ACL still applies

  bool ready{false};

  int getSocket() const

  bool isUDP() const

  bool isTCP() const

  bool isDoH() const

  bool hasTLS() const

  const TLSFrontend& getTLSFrontend() const

  dnsdist::Protocol getProtocol() const

  std::string getType() const

  void detachFilter(int socket)

  void attachFilter(shared_ptr<BPFFilter>& bpf, int socket)

  void detachFilter()

  void attachFilter(shared_ptr<BPFFilter>& bpf)

  void updateTCPMetrics(size_t nbQueries, uint64_t durationMs)

};

struct CrossProtocolQuery;

class FDMultiplexer;

struct DownstreamState : public std::enable_shared_from_this<DownstreamState>

{

  DownstreamState(const DownstreamState&) = delete;

  DownstreamState(DownstreamState&&) = delete;

  DownstreamState& operator=(const DownstreamState&) = delete;

  DownstreamState& operator=(DownstreamState&&) = delete;

  typedef std::function<std::tuple<DNSName, uint16_t, uint16_t>(const DNSName&, uint16_t, uint16_t, dnsheader*)> checkfunc_t;

  enum class Availability : uint8_t

  {

    Up,

    Down,

    Auto,

    Lazy

  };

  enum class LazyHealthCheckMode : uint8_t

  {

    TimeoutOnly,

    TimeoutOrServFail

  };

  struct Config

  {

    Config()

    Config(const ComboAddress& remote_) :

      remote(remote_)

    TLSContextParameters d_tlsParams;

    set<string> pools;

    std::set<int> d_cpus;

    checkfunc_t checkFunction;

    std::optional<boost::uuids::uuid> id;

    DNSName checkName{"a.root-servers.net."};

    ComboAddress remote;

    ComboAddress sourceAddr;

    std::string sourceItfName;

    std::string d_tlsSubjectName;

    std::string d_dohPath;

    std::string name;

    std::string nameWithAddr;

#ifdef HAVE_XSK

    std::array<uint8_t, 6> sourceMACAddr;

    std::array<uint8_t, 6> destMACAddr;

#endif /* HAVE_XSK */

    size_t d_numberOfSockets{1};

    size_t d_maxInFlightQueriesPerConn{1};

    size_t d_tcpConcurrentConnectionsLimit{0};

    int order{1};

    int d_weight{1};

    int tcpConnectTimeout{5};

    int tcpRecvTimeout{30};

    int tcpSendTimeout{30};

    int d_qpsLimit{0};

    unsigned int checkInterval{1};

    unsigned int sourceItf{0};

    QType checkType{QType::A};

    uint16_t checkClass{QClass::IN};

    uint16_t d_retries{5};

    uint16_t checkTimeout{1000}; /* in milliseconds */

    uint16_t d_lazyHealthCheckSampleSize{100};

    uint16_t d_lazyHealthCheckMinSampleCount{1};

    uint16_t d_lazyHealthCheckFailedInterval{30};

    uint16_t d_lazyHealthCheckMaxBackOff{3600};

    uint8_t d_lazyHealthCheckThreshold{20};

    LazyHealthCheckMode d_lazyHealthCheckMode{LazyHealthCheckMode::TimeoutOrServFail};

    uint8_t maxCheckFailures{1};

    uint8_t minRiseSuccesses{1};

    Availability availability{Availability::Auto};

    bool d_tlsSubjectIsAddr{false};

    bool mustResolve{false};

    bool useECS{false};

    bool useProxyProtocol{false};

    bool d_proxyProtocolAdvertiseTLS{false};

    bool setCD{false};

    bool disableZeroScope{false};

    bool tcpFastOpen{false};

    bool ipBindAddrNoPort{true};

    bool reconnectOnUp{false};

    bool d_tcpCheck{false};

    bool d_tcpOnly{false};

    bool d_addXForwardedHeaders{false}; // for DoH backends

    bool d_lazyHealthCheckUseExponentialBackOff{false};

    bool d_upgradeToLazyHealthChecks{false};

  };

  struct HealthCheckMetrics

  {

    stat_t d_failures{0};

    stat_t d_timeOuts{0};

    stat_t d_parseErrors{0};

    stat_t d_networkErrors{0};

    stat_t d_mismatchErrors{0};

    stat_t d_invalidResponseErrors{0};

  };

  DownstreamState(DownstreamState::Config&& config, std::shared_ptr<TLSCtx> tlsCtx, bool connect);

  DownstreamState(const ComboAddress& remote) :

    DownstreamState(DownstreamState::Config(remote), nullptr, false)

  ~DownstreamState();

  Config d_config;

  HealthCheckMetrics d_healthCheckMetrics;

  stat_t sendErrors{0};

  stat_t outstanding{0};

  stat_t reuseds{0};

  stat_t queries{0};

  stat_t responses{0};

  stat_t nonCompliantResponses{0};

  struct

  {

    stat_t sendErrors{0};

    stat_t reuseds{0};

    stat_t queries{0};

  } prev;

  stat_t tcpDiedSendingQuery{0};

  stat_t tcpDiedReadingResponse{0};

  stat_t tcpGaveUp{0};

  stat_t tcpReadTimeouts{0};

  stat_t tcpWriteTimeouts{0};

  stat_t tcpConnectTimeouts{0};

  /* current number of connections to this backend */

  stat_t tcpCurrentConnections{0};

  /* maximum number of concurrent connections to this backend reached */

  stat_t tcpMaxConcurrentConnections{0};

  /* number of times we had to enforce the maximum concurrent connections limit */

  stat_t tcpTooManyConcurrentConnections{0};

  stat_t tcpReusedConnections{0};

  stat_t tcpNewConnections{0};

  stat_t tlsResumptions{0};

  pdns::stat_double_t tcpAvgQueriesPerConnection{0.0};

  /* in ms */

  pdns::stat_double_t tcpAvgConnectionDuration{0.0};

  pdns::stat_double_t queryLoad{0.0};

  pdns::stat_double_t dropRate{0.0};

  SharedLockGuarded<std::vector<unsigned int>> hashes;

  LockGuarded<std::unique_ptr<FDMultiplexer>> mplexer{nullptr};

private:

  LockGuarded<std::map<uint16_t, IDState>> d_idStatesMap;

  vector<IDState> idStates;

  struct LazyHealthCheckStats

  {

    boost::circular_buffer<bool> d_lastResults;

    time_t d_nextCheck{0};

    enum class LazyStatus : uint8_t

    {

      Healthy = 0,

      PotentialFailure,

      Failed

    };

    LazyStatus d_status{LazyStatus::Healthy};

  };

  LockGuarded<LazyHealthCheckStats> d_lazyHealthCheckStats;

public:

  std::shared_ptr<TLSCtx> d_tlsCtx{nullptr};

  std::vector<int> sockets;

  StopWatch sw;

  QPSLimiter qps;

#ifdef HAVE_XSK

  std::vector<std::shared_ptr<XskWorker>> d_xskInfos;

  std::vector<std::shared_ptr<XskSocket>> d_xskSockets;

#endif

  std::atomic<uint64_t> idOffset{0};

  size_t socketsOffset{0};

  double latencyUsec{0.0};

  double latencyUsecTCP{0.0};

  unsigned int d_nextCheck{0};

  uint16_t currentCheckFailures{0};

  std::atomic<bool> hashesComputed{false};

  std::atomic<bool> connected{false};

  std::atomic<bool> upStatus{false};

private:

  void handleUDPTimeout(IDState& ids);

  void updateNextLazyHealthCheck(LazyHealthCheckStats& stats, bool checkScheduled, std::optional<time_t> currentTime = std::nullopt);

  void connectUDPSockets();

#ifdef HAVE_XSK

  void addXSKDestination(int fd);

  void removeXSKDestination(int fd);

#endif /* HAVE_XSK */

  std::mutex connectLock;

  std::condition_variable d_connectedWait;

#ifdef HAVE_XSK

  SharedLockGuarded<std::vector<ComboAddress>> d_socketSourceAddresses;

#endif

  std::atomic_flag threadStarted;

  uint8_t consecutiveSuccessfulChecks{0};

  bool d_stopped{false};

public:

  void updateStatisticsInfo()

  void start();

  bool isUp() const

  void setUp()

  void setUpStatus(bool newStatus)

  void setDown()

  void setAuto()

  void setLazyAuto()

  bool healthCheckRequired(std::optional<time_t> currentTime = std::nullopt);

  const string& getName() const

  const string& getNameWithAddr() const

  void setName(const std::string& newName)

  string getStatus() const

  bool reconnect(bool initialAttempt = false);

  void waitUntilConnected();

  void hash();

  void setId(const boost::uuids::uuid& newId);

  void setWeight(int newWeight);

  void stop();

  bool isStopped() const

  const boost::uuids::uuid& getID() const

  void updateTCPMetrics(size_t nbQueries, uint64_t durationMs)

  void updateTCPLatency(double udiff)

  void incQueriesCount()

  void incCurrentConnectionsCount();

  bool doHealthcheckOverTCP() const

  bool isTCPOnly() const

  bool isDoH() const

  bool passCrossProtocolQuery(std::unique_ptr<CrossProtocolQuery>&& cpq);

  int pickSocketForSending();

  void pickSocketsReadyForReceiving(std::vector<int>& ready);

  void handleUDPTimeouts();

  void reportTimeoutOrError();

  void reportResponse(uint8_t rcode);

  void submitHealthCheckResult(bool initial, bool newResult);

  time_t getNextLazyHealthCheck();

  uint16_t saveState(InternalQueryState&&);

  void restoreState(uint16_t id, InternalQueryState&&);

  std::optional<InternalQueryState> getState(uint16_t id);

#ifdef HAVE_XSK

  void registerXsk(std::vector<std::shared_ptr<XskSocket>>& xsks);

  [[nodiscard]] ComboAddress pickSourceAddressForSending();

#endif /* HAVE_XSK */

  dnsdist::Protocol getProtocol() const

  double getRelevantLatencyUsec() const

};

void responderThread(std::shared_ptr<DownstreamState> dss);

class DNSDistPacketCache;

class DNSRule

{

public:

  virtual ~DNSRule()

  virtual bool matches(const DNSQuestion* dq) const = 0;

  virtual string toString() const = 0;

  mutable stat_t d_matches{0};

};

struct ServerPool

{

  ServerPool() :

    d_servers(std::make_shared<const ServerPolicy::NumberedServerVector>())

  ~ServerPool()

  bool getECS() const

  void setECS(bool useECS)

  std::shared_ptr<DNSDistPacketCache> packetCache{nullptr};

  std::shared_ptr<ServerPolicy> policy{nullptr};

  size_t poolLoad();

  size_t countServers(bool upOnly);

  const std::shared_ptr<const ServerPolicy::NumberedServerVector> getServers();

  void addServer(shared_ptr<DownstreamState>& server);

  void removeServer(shared_ptr<DownstreamState>& server);

private:

  SharedLockGuarded<std::shared_ptr<const ServerPolicy::NumberedServerVector>> d_servers;

  bool d_useECS{false};

};