util

package v1.6.6

This package is not in the latest version of its module.

Published: May 7, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package util provides DNS protocol utilities for SDNS.

Index

Constants

const (
	// MinCacheTTL is the minimum time to cache any response.
	MinCacheTTL = 5 * time.Second
	// MaxCacheTTL is the maximum time to cache any response.
	MaxCacheTTL = 24 * time.Hour
)
const (
	// ReverseDomainV4 is the reverse DNS domain for IPv4 addresses.
	ReverseDomainV4 = ".in-addr.arpa."
	// ReverseDomainV6 is the reverse DNS domain for IPv6 addresses.
	ReverseDomainV6 = ".ip6.arpa."
)
const (
	// DefaultMsgSize EDNS0 message size.
	DefaultMsgSize = 1232
)

Variables

This section is empty.

Functions

func CalculateCacheTTL

func CalculateCacheTTL(msg *dns.Msg, respType ResponseType) time.Duration

CalculateCacheTTL determines the appropriate cache duration for a DNS response. It scans all resource records and returns the minimum TTL found, with bounds checking. For DNSSEC-signed responses, it also considers RRSIG expiration times.
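The behaviour described above, as an added standard-library-only example (not the package's own code, which works on dns.RR values): the cache lifetime is the minimum TTL over all records, capped by the earliest RRSIG expiration when the response is signed, then clamped to the MinCacheTTL/MaxCacheTTL bounds. The record struct, the cacheTTL function and the rule that the RRSIG expiration acts as an upper bound are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Bounds as documented for the package (mirrored here under local names).
const (
	minCacheTTL = 5 * time.Second
	maxCacheTTL = 24 * time.Hour
)

// record is a minimal stand-in for a resource record: its TTL and, for an
// RRSIG, the signature expiration instant. Constructed for this example.
type record struct {
	TTL        uint32
	Expiration time.Time // zero value for non-RRSIG records
}

// cacheTTL picks how long a response may be cached: the smallest TTL over
// every record, further bounded by the earliest RRSIG expiration when the
// response is signed, then clamped to [minCacheTTL, maxCacheTTL]. The lower
// bound stops a zero-TTL record from turning the cache into a pass-through,
// the upper bound stops an oversized TTL from pinning a record for days, and
// the RRSIG bound stops a validated answer from being served after its
// signature would no longer verify. An already-expired signature is assumed
// to be caught earlier by response classification and never reach caching.
func cacheTTL(rrs []record, signed bool, now time.Time) time.Duration {
	if len(rrs) == 0 {
		return minCacheTTL
	}
	ttl := time.Duration(rrs[0].TTL) * time.Second
	for _, r := range rrs {
		if d := time.Duration(r.TTL) * time.Second; d < ttl {
			ttl = d
		}
		if signed && !r.Expiration.IsZero() {
			if left := r.Expiration.Sub(now); left < ttl {
				ttl = left
			}
		}
	}
	if ttl < minCacheTTL {
		return minCacheTTL
	}
	if ttl > maxCacheTTL {
		return maxCacheTTL
	}
	return ttl
}

func main() {
	now := time.Now()
	// Constructed answer set: two plain records and one RRSIG expiring soon.
	answers := []record{{TTL: 300}, {TTL: 3600}, {TTL: 3600, Expiration: now.Add(90 * time.Second)}}
	fmt.Println("unsigned:", cacheTTL(answers, false, now)) // 5m0s
	fmt.Println("signed:  ", cacheTTL(answers, true, now))  // 1m30s
	fmt.Println("zero TTL:", cacheTTL([]record{{TTL: 0}}, false, now)) // 5s
}
```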

func CheckReverseName

func CheckReverseName(name string) int

CheckReverseName checks if a domain name is in a reverse DNS zone. Returns:
- 0: not a reverse domain
- 1: IPv4 reverse domain (.in-addr.arpa.)
- 2: IPv6 reverse domain (.ip6.arpa.)

func ClearDNSSEC

func ClearDNSSEC(msg *dns.Msg) *dns.Msg

ClearDNSSEC removes RRSIG, NSEC and NSEC3 records from Answer and Ns sections in place. Short-circuits when the sections already hold nothing to strip (typical for non-DNSSEC responses), and reuses the slice backing array when a filter is actually needed.

func ClearOPT

func ClearOPT(msg *dns.Msg) *dns.Msg

ClearOPT removes every OPT record from msg.Extra in place. No copy is made when the Extra section has no OPT (the common case for responses synthesised without EDNS).

func DnameTarget added in v1.6.6

func DnameTarget(msg *dns.Msg) string

DnameTarget returns the synthesized CNAME target for the question given a DNAME in msg.Answer, or "" if no redirect applies. Per RFC 6672 §2.3 the DNAME owner itself is *not* redirected, and only names strictly below the owner are substituted.

dns.CompareDomainName counts matching trailing labels regardless of whether one name is actually an ancestor of the other, so a DNAME at sub.example.com. and a query for other.example.com. share the two-label suffix example.com. even though sub.example.com. is a *sibling* of other.example.com., not an ancestor, and must not rewrite the query. Therefore require the shared count to exactly equal the DNAME owner's label count (i.e. the owner is a proper suffix of qname), and that qname has strictly more labels than the owner (which rules out an exact match), before synthesizing.
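The ancestor check described above, as an added example that is not the package's own code and uses only the standard library. commonSuffixLabels stands in for dns.CompareDomainName (it counts matching trailing labels and nothing more), and dnameTarget applies the two conditions from the paragraph before substituting; the sibling and exact-match cases come back empty. The names of the helper functions and the test names are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// labels splits a fully qualified name into lowercase labels with the root
// dropped: "sub.example.com." -> ["sub", "example", "com"].
func labels(fqdn string) []string {
	n := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	if n == "" {
		return nil
	}
	return strings.Split(n, ".")
}

// commonSuffixLabels counts matching trailing labels, which is all a suffix
// comparison such as dns.CompareDomainName reports. It does not say whether
// one name is an ancestor of the other.
func commonSuffixLabels(a, b string) int {
	la, lb := labels(a), labels(b)
	n := 0
	for n < len(la) && n < len(lb) && la[len(la)-1-n] == lb[len(lb)-1-n] {
		n++
	}
	return n
}

// dnameTarget returns the CNAME target synthesized for qname from a DNAME at
// owner pointing to target (RFC 6672 §2.3), or "" when the DNAME does not
// apply. Two conditions stop an unrelated or sibling DNAME from rewriting
// the query:
//  1. every label of owner matches the tail of qname, i.e. the shared suffix
//     count equals owner's own label count (a sibling fails this), and
//  2. qname has strictly more labels than owner (the owner itself is never
//     redirected).
func dnameTarget(qname, owner, target string) string {
	q := labels(qname)
	ownerLabels := len(labels(owner))
	if commonSuffixLabels(qname, owner) != ownerLabels || len(q) <= ownerLabels {
		return ""
	}
	// Keep the labels of qname below the owner and hang them under target.
	below := strings.Join(q[:len(q)-ownerLabels], ".")
	if t := strings.TrimSuffix(target, "."); t != "" {
		return below + "." + t + "."
	}
	return below + "."
}

func main() {
	// Constructed cases: {qname, DNAME owner, DNAME target}.
	cases := [][3]string{
		{"www.sub.example.com.", "sub.example.com.", "sub.example.net."}, // below owner: rewritten
		{"sub.example.com.", "sub.example.com.", "sub.example.net."},     // owner itself: left alone
		{"other.example.com.", "sub.example.com.", "sub.example.net."},   // sibling: left alone
		{"www.sub.example.com.", "example.com.", "example.net."},         // deeper below owner: rewritten
	}
	for _, c := range cases {
		fmt.Printf("%-22s with DNAME %-18s -> %q\n", c[0], c[1], dnameTarget(c[0], c[1], c[2]))
	}
}
```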

func ErrorToEDE

func ErrorToEDE(err error) (uint16, string)

ErrorToEDE maps errors to Extended DNS Error codes efficiently.

func Exchange

func Exchange(ctx context.Context, req *dns.Msg, addr string, net string, client *dns.Client) (*dns.Msg, error)

Exchange sends req to addr over the given network using client and returns the response, falling back to TCP when needed.

func ExtractRRSet added in v1.6.6

func ExtractRRSet(in []dns.RR, name string, t ...uint16) []dns.RR

ExtractRRSet returns every RR in `in` whose owner equals `name` (case-insensitive; pass "" to skip the name match) and whose Rrtype is one of `t`. The returned slice is a fresh copy and shares no storage with the input.

func FilterRRsToZone added in v1.6.6

func FilterRRsToZone(rrs []dns.RR, zone string) []dns.RR

FilterRRsToZone returns the subset of rrs whose owner is in zone. For NSEC records the NextDomain field is also checked: a legitimate NSEC's NextDomain is always another owner in the same zone (the last NSEC wraps back to the zone apex), so an in-zone owner paired with an out-of-zone NextDomain is either a broken zone or an attacker-crafted record and must be discarded. Without this the structural coverage helpers would accept a forged NSEC whose NextDomain is picked to canonically straddle the qname.

func GenerateServerCookie

func GenerateServerCookie(secret, remoteip, cookie string) string

GenerateServerCookie returns the generated EDNS server cookie for the given secret, remote IP and client cookie.

func GetEDE

func GetEDE(msg *dns.Msg) *dns.EDNS0_EDE

GetEDE extracts Extended DNS Error from a message if present.

func IPFromReverseName

func IPFromReverseName(name string) string

IPFromReverseName extracts an IP address from a PTR record name. For example:
- "54.119.58.176.in-addr.arpa." returns "176.58.119.54"
- "b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa." returns "2001:db8::567:89ab"
Returns an empty string if the name is not a valid PTR record name.
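Both reverse-name helpers, CheckReverseName and IPFromReverseName, as an added standard-library-only example that is not the package's own code. The decoder rebuilds the address text from the reversed octets or nibbles and then pushes it through netip.ParseAddr, so a malformed octet, a non-hex nibble or a partial (classless) name yields "" rather than being echoed back as an address; reverseName is the inverse mapping, added only so the decoder can be round-tripped. Function names and the sample inputs in main are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Reverse-zone suffixes, mirroring the package constants.
const (
	reverseDomainV4 = ".in-addr.arpa."
	reverseDomainV6 = ".ip6.arpa."
)

// checkReverseName follows the documented convention:
// 0 = not a reverse name, 1 = .in-addr.arpa., 2 = .ip6.arpa.
func checkReverseName(name string) int {
	n := strings.ToLower(name)
	switch {
	case strings.HasSuffix(n, reverseDomainV4):
		return 1
	case strings.HasSuffix(n, reverseDomainV6):
		return 2
	}
	return 0
}

// ipFromReverseName decodes a PTR owner name into the textual address it
// encodes, or returns "" for anything that is not a complete, well-formed
// reverse name.
func ipFromReverseName(name string) string {
	n := strings.ToLower(name)
	switch checkReverseName(n) {
	case 1:
		octets := strings.Split(strings.TrimSuffix(n, reverseDomainV4), ".")
		if len(octets) != 4 {
			return "" // a partial (classless) name holds no full address
		}
		for i, j := 0, 3; i < j; i, j = i+1, j-1 {
			octets[i], octets[j] = octets[j], octets[i]
		}
		if addr, err := netip.ParseAddr(strings.Join(octets, ".")); err == nil && addr.Is4() {
			return addr.String()
		}
	case 2:
		nibbles := strings.Split(strings.TrimSuffix(n, reverseDomainV6), ".")
		if len(nibbles) != 32 {
			return ""
		}
		var hex strings.Builder
		for i := 31; i >= 0; i-- { // the name lists nibbles least-significant first
			if len(nibbles[i]) != 1 {
				return ""
			}
			hex.WriteString(nibbles[i])
			if (32-i)%4 == 0 && i != 0 { // group into 16-bit hextets
				hex.WriteByte(':')
			}
		}
		if addr, err := netip.ParseAddr(hex.String()); err == nil && addr.Is6() {
			return addr.String()
		}
	}
	return ""
}

// reverseName is the inverse mapping (address to PTR owner name), included
// so the decoder can be checked by round-tripping. Returns "" on bad input.
func reverseName(ip string) string {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return ""
	}
	if addr.Is4() {
		b := addr.As4()
		return fmt.Sprintf("%d.%d.%d.%d%s", b[3], b[2], b[1], b[0], reverseDomainV4)
	}
	b := addr.As16()
	var sb strings.Builder
	for i := 15; i >= 0; i-- { // low nibble of each byte comes first
		fmt.Fprintf(&sb, "%x.%x.", b[i]&0xf, b[i]>>4)
	}
	return sb.String() + strings.TrimPrefix(reverseDomainV6, ".")
}

func main() {
	// Constructed inputs: the two documented examples plus malformed names.
	for _, name := range []string{
		"54.119.58.176.in-addr.arpa.",
		reverseName("2001:db8::567:89ab"),
		"1.2.3.in-addr.arpa.",     // classless, incomplete
		"999.1.1.1.in-addr.arpa.", // bad octet
		"example.com.",            // not a reverse name
	} {
		fmt.Printf("%-76s kind=%d ip=%q\n", name, checkReverseName(name), ipFromReverseName(name))
	}
}
```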

func NameInZone added in v1.6.6

func NameInZone(name, zone string) bool

NameInZone reports whether name is the zone apex or a descendant of zone. Both arguments are expected to be lowercase FQDNs.
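NameInZone together with the NSEC NextDomain rule of FilterRRsToZone, as an added standard-library-only example that is not the package's own code. The record struct stands in for dns.RR, nameInZone checks the suffix at a label boundary so that notexample.com. is not mistaken for a descendant of example.com., and filterRRsToZone discards any NSEC whose NextDomain leaves the zone, as the documentation describes. The struct, function names and sample records are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// rr is a minimal stand-in for a resource record: owner name, type, and the
// NextDomain field that only NSEC records carry. Constructed for this example.
type rr struct {
	Name string
	Type string // "A", "NSEC", ...
	Next string // NSEC NextDomain; empty for other types
}

// canonical lowercases a name and ensures it is fully qualified.
func canonical(name string) string {
	n := strings.ToLower(name)
	if !strings.HasSuffix(n, ".") {
		n += "."
	}
	return n
}

// nameInZone reports whether name is the apex of zone or a descendant of it.
// A plain suffix test is not enough: "notexample.com." ends with
// "example.com." yet is not inside that zone, so the suffix must begin at a
// label boundary (the dot before the zone name).
func nameInZone(name, zone string) bool {
	name, zone = canonical(name), canonical(zone)
	if zone == "." || name == zone {
		return true
	}
	return strings.HasSuffix(name, "."+zone)
}

// filterRRsToZone keeps only records owned inside zone. For NSEC records the
// NextDomain must also lie in the zone: a genuine chain only ever points at
// another in-zone owner (the last NSEC wraps back to the apex), so an
// in-zone owner paired with an out-of-zone NextDomain is dropped rather than
// allowed to "cover" names the zone has no authority over.
func filterRRsToZone(rrs []rr, zone string) []rr {
	out := make([]rr, 0, len(rrs))
	for _, r := range rrs {
		if !nameInZone(r.Name, zone) {
			continue
		}
		if r.Type == "NSEC" && !nameInZone(r.Next, zone) {
			continue
		}
		out = append(out, r)
	}
	return out
}

func main() {
	// Constructed records: two legitimate NSECs, one out-of-zone owner, and
	// one NSEC whose NextDomain escapes the zone.
	rrs := []rr{
		{Name: "a.example.com.", Type: "NSEC", Next: "c.example.com."},
		{Name: "z.example.com.", Type: "NSEC", Next: "example.com."}, // wraps to apex
		{Name: "notexample.com.", Type: "A"},
		{Name: "b.example.com.", Type: "NSEC", Next: "com."}, // escapes the zone
	}
	for _, r := range filterRRsToZone(rrs, "example.com.") {
		fmt.Printf("kept %s %s %s\n", r.Name, r.Type, r.Next)
	}
}
```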

func NotSupported

func NotSupported(w dns.ResponseWriter, req *dns.Msg) error

NotSupported writes an empty NOTIMP (not implemented) response for req to w.

func SetEDE

func SetEDE(msg *dns.Msg, code uint16, extraText string)

SetEDE adds an Extended DNS Error to the response.

func SetEdns0

func SetEdns0(req *dns.Msg) (*dns.OPT, int, string, bool, bool)

SetEdns0 returns the request's OPT RR (replaced or newly created) and reports whether the request has the DO bit set.

The function inspects the client's OPT record to harvest NSID / COOKIE signalling, strips every option before forwarding (ECS in particular, per RFC 7871 privacy guidance), and normalises the UDP size. Inspection uses typed pointer assertions so we avoid the allocating option.String() path, and the stripping reuses opt.Option's backing storage via opt.Option = nil rather than allocating an empty slice.

func SetRcode

func SetRcode(req *dns.Msg, rcode int, do bool) *dns.Msg

SetRcode returns a response message for req with the specified rcode.

func SetRcodeWithEDE

func SetRcodeWithEDE(req *dns.Msg, rcode int, do bool, edeCode uint16, extraText string) *dns.Msg

SetRcodeWithEDE returns a response message for req with the specified rcode and Extended DNS Error.

Types

type EDEError added in v1.6.6

type EDEError struct {
	Code    uint16
	Message string
	Err     error
}

EDEError is an error that carries an Extended DNS Error code (RFC 8914). Network and DNSSEC validation paths return EDEError values so that the response builder can copy the code straight into the EDE option without re-classifying string messages.

func (*EDEError) EDECode added in v1.6.6

func (e *EDEError) EDECode() uint16

EDECode returns the Extended DNS Error code for this error.

func (*EDEError) Error added in v1.6.6

func (e *EDEError) Error() string

func (*EDEError) Unwrap added in v1.6.6

func (e *EDEError) Unwrap() error

func (*EDEError) WithContext added in v1.6.6

func (e *EDEError) WithContext(format string, args ...any) *EDEError

WithContext returns a new EDEError whose Message is e.Message followed by the formatted context. Useful for tagging a generic sentinel with the zone or qname that triggered it without losing the code.

type ResponseType

type ResponseType int

ResponseType represents the classification of a DNS response.

const (
	// TypeSuccess indicates a positive response with answers.
	TypeSuccess ResponseType = iota
	// TypeNXDomain indicates the queried domain does not exist (NXDOMAIN).
	TypeNXDomain
	// TypeNoRecords indicates the domain exists but has no records of the requested type (NODATA).
	TypeNoRecords
	// TypeReferral indicates a delegation to another nameserver.
	TypeReferral
	// TypeMetaQuery indicates zone transfer or notification queries.
	TypeMetaQuery
	// TypeDynamicUpdate indicates a dynamic DNS update message.
	TypeDynamicUpdate
	// TypeServerFailure indicates a server error occurred.
	TypeServerFailure
	// TypeNotCacheable indicates responses that should not be cached.
	TypeNotCacheable
	// TypeExpiredSignature indicates DNSSEC signatures have expired.
	TypeExpiredSignature
)

func ClassifyResponse

func ClassifyResponse(msg *dns.Msg, now time.Time) (ResponseType, *dns.OPT)

ClassifyResponse analyzes a DNS message and determines its type. It also returns the OPT record if present for EDNS0 processing. The time parameter is used for checking DNSSEC signature expiration.
