dnsdist: Backend DoQ and PROXYv2 support

[edmonds]

Hi,

I see in #13933 (comment):

And do you plan to support downstream newServer()'s QUIC?

If there is actual interest, yes. We have not seen a lot of interest so far, and if I have to guess I suspect people will be more interested in support for outgoing DoH3 than for outgoing DoQ, but I might very well be wrong.

Let me register my interest in having support for outgoing DoQ :-)

More specifically, I'd like to describe a use case that I don't think can currently be supported.

I am interested in the possibility of using dnsdist as a frontend for Knot DNS, over the Internet, and passing the source addresses of UDP/TCP clients to the backend Knot DNS server via the PROXYv2 header.

According to the dnsdist documentation, there are four supported protocols for reaching the backend ("downstream") server according to https://dnsdist.org/guides/downstreams.html#securing-the-path-to-the-backend:

• Low security UDP (reuses UDP socket, low entropy DNS IDs)
• DNS-over-TCP
• DNS-over-TLS
• DNS-over-HTTPS

Low security UDP should not be used over the Internet:

If dnsdist is instead intended to be deployed in such a way that the path to its backend is not secure, the UDP protocol should not be used, and ‘TCP-only’, DNS over TLS and DNS over HTTPS protocols used instead, as supported since 1.7.0.

According to https://dnsdist.org/advanced/passing-source-address.html, PROXYv2 is per-connection (not per-message) for DNS-over-TCP and DNS-over-TLS, so those backend protocols cannot be used for multiplexing queries from frontend UDP/TCP clients with many different source addresses.

That apparently leaves DNS-over-HTTPS as a backend protocol which may support PROXYv2 (I could not find documentation that says dnsdist doesn't support DoH + PROXYv2). However, Knot DNS does not have support for DNS-over-HTTPS in the server.

Knot DNS does have support for DNS-over-QUIC, but dnsdist does not (on the backend side). Moreover, even if dnsdist supported DoQ to backends, Knot DNS only supports PROXYv2 on UDP queries:

https://github.com/CZ-NIC/knot/blob/55ce3c48434cb44fdb4447cbe8ffdf765e4b06f5/src/knot/server/handler.c#L32-L41

	int ret = knot_pkt_parse(query, 0);
	if (ret != KNOT_EOK && query->parsed > 0) { // parsing failed (e.g. 2x OPT)
		if (params->proto == KNOTD_QUERY_PROTO_UDP &&
		    proxyv2_header_strip(&query, params->remote, proxied_remote) == KNOT_EOK) {
			assert(proxied_remote);
			params->remote = proxied_remote;
		} else {
			query->parsed--; // artificially decreasing "parsed" leads to FORMERR
		}
	}

If dnsdist had support for DoQ to backends, that would leave the question of how to combine DoQ + PROXYv2. The behavior with UDP could be emulated (just prepend the PROXYv2 header to the front of the query message), but maybe the better option would be to register a new TLS ALPN ID like doq+proxy or something like that and use the ALPN ID to cleanly distinguish between wire format DNS and wire format DNS with a PROXYv2 header prepended.

[sohojmanush]

dnsdist listed DoQ as listening. But, so far scracthing my head over this :

-- DoQ Servers
servers.nextdns_doq = newServer({
    address = '45.90.28.30:853',
    protocol = 'DoQ',
    verify = true,
    pool = 'doq',
    name = 'nextdns-doq',
    subjectName = 'ae914b.dns.nextdns.io',
    rise = 2,
    checkInterval = 60,
    checkTimeout = 2,
    maxCheckFailures = 3,
    lazyHealthCheckFailedInterval = 30,
    lazyHealthCheckThreshold = 30,
    lazyHealthCheckSampleSize = 100,
    lazyHealthCheckMinSampleCount = 10,
    lazyHealthCheckMode = "TimeoutOnly"
})

result being server down.

[omoerbeek]

Please do not hijack topics. This topic is about proxy protocol, not general debugging of a config.