PowerDNS · zeha · Aug 27, 2024 · Aug 27, 2024 · Aug 27, 2024 · Sep 7, 2024
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -634,20 +634,6 @@ approximately doubles query load.
 If this is turned off, DNAME records are treated as any other and served
 only when queried explicitly.
 
-.. _setting-dnsproxy-udp-port-range:
-
-``dnsproxy-udp-port-range``
----------------------------
-
--  String
--  Default: `10000 60000`
-
-If :ref:`setting-resolver` enables the DNS Proxy, this setting limits the
-port range the DNS Proxy's UDP port is chosen from.
-
-Default should be fine on most installs, but if you have conflicting local
-services, you may choose to limit the range.
-
 .. _setting-dnssec-key-cache-ttl:
 
 ``dnssec-key-cache-ttl``

diff --git a/meson.build b/meson.build
@@ -533,8 +533,6 @@ common_sources += files(
   src_dir / 'dnspacket.hh',
   src_dir / 'dnsparser.cc',
   src_dir / 'dnsparser.hh',
-  src_dir / 'dnsproxy.cc',
-  src_dir / 'dnsproxy.hh',
   src_dir / 'dnsrecords.cc',
   src_dir / 'dnsrecords.hh',
   src_dir / 'dnssecinfra.cc',

diff --git a/pdns/Makefile.am b/pdns/Makefile.am
@@ -225,7 +225,6 @@ pdns_server_SOURCES = \
 	dnsname.cc dnsname.hh \
 	dnspacket.cc dnspacket.hh \
 	dnsparser.cc \
-	dnsproxy.cc dnsproxy.hh \
 	dnsrecords.cc dnsrecords.hh \
 	dnssecinfra.cc dnssecinfra.hh \
 	dnsseckeeper.hh \
@@ -595,7 +594,7 @@ sdig_LDADD += $(LIBSSL_LIBS)
 endif
 
 if LIBSODIUM
-sdig_CPPFLAGS +=$(LIBSODIUM_CFLAGS)
+sdig_CPPFLAGS += $(LIBSODIUM_CFLAGS)
 sdig_LDADD += $(LIBSODIUM_LIBS)
 endif
 
@@ -656,28 +655,49 @@ stubquery_SOURCES = \
 	arguments.cc arguments.hh \
 	base32.cc \
 	base64.cc \
+	dns.cc dns.hh \
 	dnslabeltext.cc \
 	dnsname.cc \
+	dnspacket.cc \
 	dnsparser.cc \
 	dnsrecords.cc \
+	dnssecinfra.cc dnssecinfra.hh \
 	dnswriter.cc \
+	ednscookies.cc ednscookies.hh \
 	ednsoptions.cc ednsoptions.hh \
 	ednssubnet.cc ednssubnet.hh \
+	gss_context.cc gss_context.hh \
 	iputils.cc \
 	logger.cc \
 	misc.cc \
 	nsecrecords.cc \
 	qtype.cc \
 	rcpgenerator.cc \
+	shuffle.cc shuffle.hh \
 	sillyrecords.cc \
 	statbag.cc \
 	stubquery.cc \
 	stubresolver.cc stubresolver.hh \
 	svc-records.cc svc-records.hh \
+	tsigverifier.cc tsigverifier.hh \
 	unix_utility.cc
 
+stubquery_CPPFLAGS = $(AM_CPPFLAGS)
 stubquery_LDADD = $(LIBCRYPTO_LIBS)
 stubquery_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LDFLAGS)
+if GSS_TSIG
+stubquery_LDADD += $(GSS_LIBS)
+endif
+
+if PKCS11
+stubquery_SOURCES += pkcs11signers.cc pkcs11signers.hh
+stubquery_LDADD += $(P11KIT1_LIBS)
+endif
+
+if LIBSODIUM
+stubquery_CPPFLAGS += $(LIBSODIUM_CFLAGS)
+stubquery_LDADD += $(LIBSODIUM_LIBS)
+endif
 
 saxfr_SOURCES = \
 	base32.cc \
@@ -800,14 +820,16 @@ ixplore_SOURCES = \
 	axfr-retriever.cc \
 	base32.cc \
 	base64.cc base64.hh \
-	dns.cc \
+	dns.cc dns.hh \
 	dns_random.hh \
 	dnslabeltext.cc \
 	dnsname.cc dnsname.hh \
+	dnspacket.cc dnspacket.hh \
 	dnsparser.cc dnsparser.hh \
 	dnsrecords.cc \
-	dnssecinfra.cc \
+	dnssecinfra.cc dnssecinfra.hh \
 	dnswriter.cc dnswriter.hh \
+	ednscookies.cc ednscookies.hh \
 	ednsoptions.cc ednsoptions.hh \
 	ednssubnet.cc ednssubnet.hh \
 	gss_context.cc gss_context.hh  \
@@ -822,13 +844,15 @@ ixplore_SOURCES = \
 	query-local-address.hh query-local-address.cc \
 	rcpgenerator.cc rcpgenerator.hh \
 	resolver.cc \
+	shuffle.cc shuffle.hh \
 	sillyrecords.cc \
 	sstuff.hh \
 	statbag.cc \
 	svc-records.cc svc-records.hh \
 	tsigverifier.cc tsigverifier.hh \
 	unix_utility.cc zoneparser-tng.cc
 
+ixplore_CPPFLAGS = $(AM_CPPFLAGS)
 ixplore_LDADD = $(LIBCRYPTO_LIBS)
 ixplore_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LDFLAGS)
 if GSS_TSIG
@@ -840,6 +864,11 @@ ixplore_SOURCES += pkcs11signers.cc pkcs11signers.hh
 ixplore_LDADD += $(P11KIT1_LIBS)
 endif
 
+if LIBSODIUM
+ixplore_CPPFLAGS += $(LIBSODIUM_CFLAGS)
+ixplore_LDADD += $(LIBSODIUM_LIBS)
+endif
+
 dnstcpbench_SOURCES = \
 	base32.cc \
 	base64.cc base64.hh \

diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
@@ -79,7 +79,6 @@
 #include "dynlistener.hh"
 #include "dynhandler.hh"
 #include "communicator.hh"
-#include "dnsproxy.hh"
 #include "utility.hh"
 #include "dnsrecords.hh"
 #include "version.hh"
@@ -123,7 +122,6 @@ StatBag S; //!< Statistics are gathered across PDNS via the StatBag class S
 AuthPacketCache PC; //!< This is the main PacketCache, shared across all threads
 AuthQueryCache QC;
 AuthZoneCache g_zoneCache;
-std::unique_ptr<DNSProxy> DP{nullptr};
 static std::unique_ptr<DynListener> s_dynListener{nullptr};
 CommunicatorClass Communicator;
 static double avg_latency{0.0}, receive_latency{0.0}, cache_latency{0.0}, backend_latency{0.0}, send_latency{0.0};
@@ -786,11 +784,6 @@ static void mainthread()
   AuthWebServer webserver;
   Utility::dropUserPrivs(newuid);
 
-  if (::arg().mustDo("resolver")) {
-    DP = std::make_unique<DNSProxy>(::arg()["resolver"], ::arg()["dnsproxy-udp-port-range"]);
-    DP->go();
-  }
-
   try {
     doSecPoll(true);
   }

diff --git a/pdns/auth-main.hh b/pdns/auth-main.hh
@@ -28,7 +28,6 @@
 #include "communicator.hh"
 #include "distributor.hh"
 #include "dnspacket.hh"
-#include "dnsproxy.hh"
 #include "dynlistener.hh"
 #include "nameserver.hh"
 #include "statbag.hh"
@@ -40,7 +39,6 @@ extern ArgvMap theArg;
 extern StatBag S; //!< Statistics are gathered across PDNS via the StatBag class S
 extern AuthPacketCache PC; //!< This is the main PacketCache, shared across all threads
 extern AuthQueryCache QC;
-extern std::unique_ptr<DNSProxy> DP;
 extern CommunicatorClass Communicator;
 void carbonDumpThread(); // Implemented in auth-carbon.cc. Avoids having an auth-carbon.hh declaring exactly one function.
 extern bool g_anyToTcp;

diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
@@ -535,6 +535,17 @@ bool DNSPacket::getTSIGDetails(TSIGRecordContent* trc, DNSName* keyname, uint16_
   return true;
 }
 
+bool DNSPacket::validateTSIG(const TSIGTriplet& tsigTriplet, const TSIGRecordContent& tsigContent, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly) const
+{
+  MOADNSParser mdp(d_isQuery, d_rawpacket);
+  uint16_t tsigPos = mdp.getTSIGPos();
+  if (tsigPos == 0) {
+    return false;
+  }
+
+  return ::validateTSIG(d_rawpacket, tsigPos, tsigTriplet, tsigContent, previousMAC, theirMAC, timersOnly);
+}
+
 bool DNSPacket::getTKEYRecord(TKEYRecordContent *tr, DNSName *keyname) const
 {
   MOADNSParser mdp(d_isQuery, d_rawpacket);
@@ -724,43 +735,6 @@ void DNSPacket::commitD()
   d_rawpacket.replace(0,12,(char *)&d,12); // copy in d
 }
 
-bool DNSPacket::checkForCorrectTSIG(UeberBackend* B, DNSName* keyname, string* secret, TSIGRecordContent* trc) const
-{
-  uint16_t tsigPos;
-
-  if (!this->getTSIGDetails(trc, keyname, &tsigPos)) {
-    return false;
-  }
-
-  TSIGTriplet tt;
-  tt.name = *keyname;
-  tt.algo = trc->d_algoName;
-  if (tt.algo == DNSName("hmac-md5.sig-alg.reg.int"))
-    tt.algo = DNSName("hmac-md5");
-
-  if (tt.algo != DNSName("gss-tsig")) {
-    string secret64;
-    if(!B->getTSIGKey(*keyname, tt.algo, secret64)) {
-      g_log << Logger::Error << "Packet for domain '" << this->qdomain << "' denied: can't find TSIG key with name '" << *keyname << "' and algorithm '" << tt.algo << "'" << endl;
-      return false;
-    }
-    B64Decode(secret64, *secret);
-    tt.secret = *secret;
-  }
-
-  bool result;
-
-  try {
-    result = validateTSIG(d_rawpacket, tsigPos, tt, *trc, "", trc->d_mac, false);
-  }
-  catch(const std::runtime_error& err) {
-    g_log<<Logger::Error<<"Packet for '"<<this->qdomain<<"' denied: "<<err.what()<<endl;
-    return false;
-  }
-
-  return result;
-}
-
 const DNSName& DNSPacket::getTSIGKeyname() const {
   return d_tsigkeyname;
 }

diff --git a/pdns/dnspacket.hh b/pdns/dnspacket.hh
@@ -44,9 +44,6 @@
 #include "pdnsexception.hh"
 #include "dnsrecords.hh"
 
-class UeberBackend;
-class DNSSECKeeper;
-
 
 //! This class represents DNS packets, either received or to be sent.
 class DNSPacket
@@ -165,10 +162,10 @@ public:
 
   bool getTSIGDetails(TSIGRecordContent* tr, DNSName* keyname, uint16_t* tsigPos=nullptr) const;
   void setTSIGDetails(const TSIGRecordContent& tr, const DNSName& keyname, const string& secret, const string& previous, bool timersonly=false);
+  bool validateTSIG(const TSIGTriplet& tsigTriplet, const TSIGRecordContent& tsigContent, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly) const;
   bool getTKEYRecord(TKEYRecordContent* tr, DNSName* keyname) const;
 
   vector<DNSZoneRecord>& getRRS() { return d_rrs; }
-  bool checkForCorrectTSIG(UeberBackend* B, DNSName* keyname, string* secret, TSIGRecordContent* trc) const;
 
   static uint16_t s_udpTruncationThreshold;
   static bool s_doEDNSSubnetProcessing;