authorGravatar sanyo0714 <sanyo0714@163.com> 2022-10-29 00:55:41 +0800
committerGravatar GitHub <noreply@github.com> 2022-10-28 12:55:41 -0400
commit94976445051b44721f95b09e47ea01128181c9d3 (patch)
tree16768bfa728bcf0d53ebfee8641f2bad109b0cef
parent575825a156da24bf86e100176ff245e7e9585ff5 (diff)
Fork TLSConfig for each encrypted connection (#5710)
* Fork TLSConfig for each encrypted connection Signed-off-by: sanyo <sanyo0714@163.com> Co-authored-by: sanyo <yeshengan.ysa@alibaba-inc.com>
-rw-r--r--core/dnsserver/register.go4
-rw-r--r--test/tls_test.go73
2 files changed, 50 insertions, 27 deletions
diff --git a/core/dnsserver/register.go b/core/dnsserver/register.go
index e94accc22..176be49b8 100644
--- a/core/dnsserver/register.go
+++ b/core/dnsserver/register.go
@@ -147,7 +147,9 @@ func (h *dnsContext) MakeServers() ([]caddy.Server, error) {
c.ListenHosts = c.firstConfigInBlock.ListenHosts
c.Debug = c.firstConfigInBlock.Debug
c.Stacktrace = c.firstConfigInBlock.Stacktrace
- c.TLSConfig = c.firstConfigInBlock.TLSConfig
+
+ // Fork TLSConfig for each encrypted connection
+ c.TLSConfig = c.firstConfigInBlock.TLSConfig.Clone()
c.TsigSecret = c.firstConfigInBlock.TsigSecret
}
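Review bot: The comment on the added line says "for each encrypted connection", but the clone is taken once per server config inside MakeServers (one per listener when a block declares several), not per TLS connection, so the comment overstates what is being isolated and does not say why the copy is needed. The motivation inferred from the test cases in this commit is that per-protocol mutation of the config (an ALPN NextProtos list for a DoT listener versus a DoH listener in the same block) must not leak into the sibling server; suggest `// Clone so that per-server mutations of the TLS config (e.g. ALPN NextProtos) do not leak between listeners sharing this block`. Worth recording next to it that tls.Config.Clone is a shallow copy, so reference fields such as Certificates and CA pools remain shared across the clones, and that it returns nil for a nil receiver, so blocks without a tls directive behave as before. MakeServers begins and ends outside the hunk.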
diff --git a/test/tls_test.go b/test/tls_test.go
index f302d5105..a493d983d 100644
--- a/test/tls_test.go
+++ b/test/tls_test.go
@@ -2,45 +2,66 @@ package test
import (
"crypto/tls"
+ "fmt"
"testing"
"github.com/miekg/dns"
)
-func TestDNSoverTLS(t *testing.T) {
- corefile := `tls://.:1053 {
+func TestTLS(t *testing.T) {
+ tempCorefile := `%s {
tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem
whoami
}`
- qname := "example.com."
- qtype := dns.TypeA
+
+ dot, doh := ":1053", ":8443"
+ m := new(dns.Msg)
+ m.SetQuestion("example.com.", dns.TypeA)
answerLength := 0
- ex, _, tcp, err := CoreDNSServerAndPorts(corefile)
- if err != nil {
- t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+ tests := []struct {
+ server string
+ tlsConfig *tls.Config
+ }{
+ {fmt.Sprintf("tls://.%s", dot),
+ &tls.Config{InsecureSkipVerify: true},
+ },
+ {fmt.Sprintf("tls://.%s", dot),
+ &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"dot"}},
+ },
+ {fmt.Sprintf("tls://.%s https://.%s", dot, doh),
+ &tls.Config{InsecureSkipVerify: true},
+ },
+ {fmt.Sprintf("tls://.%s https://.%s", dot, doh),
+ &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"dot"}},
+ },
}
- defer ex.Stop()
- m := new(dns.Msg)
- m.SetQuestion(qname, qtype)
- client := dns.Client{
- Net: "tcp-tls",
- TLSConfig: &tls.Config{InsecureSkipVerify: true},
- }
- r, _, err := client.Exchange(m, tcp)
+ for _, tc := range tests {
+ ex, _, _, err := CoreDNSServerAndPorts(fmt.Sprintf(tempCorefile, tc.server))
+ if err != nil {
+ t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+ }
- if err != nil {
- t.Fatalf("Could not exchange msg: %s", err)
- }
+ client := dns.Client{
+ Net: "tcp-tls",
+ TLSConfig: tc.tlsConfig,
+ }
+ r, _, err := client.Exchange(m, dot)
- if n := len(r.Answer); n != answerLength {
- t.Fatalf("Expected %v answers, got %v", answerLength, n)
- }
- if n := len(r.Extra); n != 2 {
- t.Errorf("Expected 2 RRs in additional section, but got %d", n)
- }
- if r.Rcode != dns.RcodeSuccess {
- t.Errorf("Expected success but got %d", r.Rcode)
+ if err != nil {
+ t.Fatalf("Could not exchange msg: %s", err)
+ }
+
+ if n := len(r.Answer); n != answerLength {
+ t.Fatalf("Expected %v answers, got %v", answerLength, n)
+ }
+ if n := len(r.Extra); n != 2 {
+ t.Errorf("Expected 2 RRs in additional section, but got %d", n)
+ }
+ if r.Rcode != dns.RcodeSuccess {
+ t.Errorf("Expected success but got %d", r.Rcode)
+ }
+ ex.Stop()
}
}
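Review bot: `ex.Stop()` at the end of the loop body is skipped whenever one of the `t.Fatalf` calls fires, so a failing case leaves the CoreDNS instance listening on the fixed `:1053`/`:8443` addresses for the rest of the test binary and every later case in the loop is never reached; wrapping each case in `t.Run` with `defer ex.Stop()` fixes both and names the failing server string in the output. Separately, every case exchanges only with `dot`, so the https listener in the third and fourth cases is started but never queried, and nothing asserts which ALPN protocol was negotiated — the test proves only that the DoT handshake succeeds when a sibling DoH server exists. The ports returned by `CoreDNSServerAndPorts` are discarded in favour of the hard-coded addresses, which presumably works because the Corefile pins them but will collide if this test ever runs in parallel with another that binds the same ports.
```go
for _, tc := range tests {
	t.Run(tc.server, func(t *testing.T) {
		ex, _, _, err := CoreDNSServerAndPorts(fmt.Sprintf(tempCorefile, tc.server))
		if err != nil {
			t.Fatalf("Could not get CoreDNS serving instance: %s", err)
		}
		defer ex.Stop()
		// … unchanged: client exchange and answer/extra/rcode assertions …
	})
}
```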