On Mon, Aug 19, 2024 at 3:43 AM <imn...@gmail.com> wrote:
>
> On Sun, 18 Aug 2024 23:25:02 -0500
> Corey Minyard <co...@minyard.net> wrote:
>
> > ...
> > I have dnsmasq mostly working, but I'm having one big problem. It seems
> > that requests received from UDP are only forwarded to UDP, they cannot
> > be forwarded to TCP. I'm running DNS over TLS on the server, so I have
> > to be able to do TCP, but requests come in from clients on UDP and TCP.
> > What can I do about this?
>
> TCP and UDP are different protocols; they cannot talk to each other.
What does that have to do with anything? dnsmasq receives a request
on a socket, and it forwards the request on a socket. There's nothing
that says the two sockets have to run the same protocol. bind can do
this.
I've looked at the code some, and there seems to be a ton of
duplication between the UDP and TCP receive paths. They do a lot of
the same things, but in different orders, and there are some things
that are unique to each path. Why can't the code be something like:
forward_request()
{
/* Do a bunch of processing */
if (server is UDP)
forward_to_udp()
else
forward_to_tcp()
}
handle_udp_request()
{
receive_udp_request()
forward_request();
}
handle_tcp_request()
{
receive_tcp_request()
forward_request();
}
Is there something that prevents this sort of thing?
>
>
> Some possible solutions:
> 1. You could configure/program a proxy that 'bridges' incoming UDP requests
> to an always-open TCP connection to the server's resolver. But this
> leaves
> UDP requests and responses unencrypted.
> 2. You could configure/program clients and server to send requests over
> DTLS (Datagram TLS). This may be more trouble than it's worth.
> 3. You could configure clients and server to use DNSSEC. I've never used it
> and don't know how steep its learning curve is.
> 4. You could configure clients and server to use OE (Opportunistic
> Encryption). But OE is point-to-point; a gateway/router in the middle
> would complicate things.
> 5. You could configure clients to use only TCP for DNS.
#1 is the only viable option; you could create a program that takes
UDP requests, forwards them over TCP, and then returns the responses.
There are a couple that exist that do this, but they are less than
optimal. And if I'm going to do this, why not fix dnsmasq so it's not
necessary?
-corey
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
