Support connecting to IPv6 servers via IP Address. PHP doesn't validate IPv6 addresses in subjectAlternateNames in certificates, so we must do it manually.

Author: lucasnetau

composer.json

@@ -13,7 +13,8 @@
   "require": {
     "php": "^8.0",
     "react/http": "^1.6",
-    "react/dns": "*"
+    "react/dns": "*",
+    "ext-openssl": "*"
   },
   "require-dev": {
     "phpunit/phpunit": "^9.5"

src/DohExecutor.php

@@ -2,6 +2,8 @@
 
 namespace EdgeTelemetrics\React\Dns;
 
+use Exception;
+use InvalidArgumentException;
 use Psr\Http\Message\ResponseInterface;
 use React\Dns\Model\Message;
 use React\Dns\Protocol\BinaryDumper;
@@ -12,8 +14,14 @@
 use React\EventLoop\LoopInterface;
 use React\Http\Browser;
 use React\Promise;
+use React\Promise\Deferred;
+use React\Socket\ConnectionInterface;
 use React\Socket\Connector;
 use RuntimeException;
+use function parse_url;
+use function strlen;
+use function strtolower;
+use function substr_count;
 
 class DohExecutor implements ExecutorInterface {
 
@@ -24,11 +32,15 @@ class DohExecutor implements ExecutorInterface {
 
     private string $method;
 
-    private Browser $browser;
+    private bool $ipv6address = false;
+
+    private Promise\PromiseInterface $browserResolution;
 
     const METHOD_GET = 'get';
     const METHOD_POST = 'post';
 
+    const FINGERPRINT_HASH_METHOD = 'sha256';
+
     /**
      * @param string $nameserver
      * @param ?LoopInterface $loop
@@ -40,58 +52,67 @@ public function __construct(string $nameserver, LoopInterface $loop = null, stri
             throw new RuntimeException('DNS over HTTPS support requires reactphp/http library'); //@codeCoverageIgnore
         }
 
-        if (!str_contains($nameserver, '[') && \substr_count($nameserver, ':') >= 2 && !str_contains($nameserver, '://')) {
+        if (!str_contains($nameserver, '[') && substr_count($nameserver, ':') >= 2 && !str_contains($nameserver, '://')) {
             // several colons, but not enclosed in square brackets => enclose IPv6 address in square brackets
             $nameserver = '[' . $nameserver . ']';
         }
 
-        $parts = \parse_url((!str_contains($nameserver, '://') ? 'https://' : '') . $nameserver);
-        if (!isset($parts['scheme'], $parts['host']) || $parts['scheme'] !== 'https' || @\inet_pton(\trim($parts['host'], '[]')) === false) {
-            throw new \InvalidArgumentException('Invalid nameserver address given');
+        $parts = parse_url((!str_contains($nameserver, '://') ? 'https://' : '') . $nameserver);
+        if (!isset($parts['scheme'], $parts['host']) || $parts['scheme'] !== 'https') {
+            throw new InvalidArgumentException('Invalid nameserver address given');
+        }
+
+        if (filter_var(trim($parts['host'], '[]'), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            $this->ipv6address = true;
         }
 
-        $method = \strtolower($method);
+        $method = strtolower($method);
         if (!in_array($method, [self::METHOD_GET, self::METHOD_POST], true)) {
-            throw new \InvalidArgumentException('Invalid HTTP request method given');
+            throw new InvalidArgumentException('Invalid HTTP request method given');
         }
 
         $this->nameserver = 'https://' . $parts['host'] . ':' . ($parts['port'] ?? 443 . '/dns-query');
         $this->loop = $loop ?: Loop::get();
         $this->parser = new Parser();
         $this->dumper = new BinaryDumper();
         $this->method = $method;
-        $this->browser = (new Browser(new Connector(['tcp_nodelay' => true,]), $this->loop));
     }
 
     public function query(Query $query)
     {
-        $request = Message::createRequestForQuery($query);
-
-        $queryData = $this->dumper->toBinary($request);
-        $length = \strlen($queryData);
-
-        if ($length > 0xffff) {
-            return Promise\reject(new \RuntimeException(
-                'DNS query for ' . $query->describe() . ' failed: Query too large for HTTPS transport'
-            ));
-        }
-
-        if ($this->method === self::METHOD_GET) {
-            $requestUrl = $this->nameserver . '?' . http_build_query(['dns' => $this->urlsafeBase64($queryData)]);
-            $request = $this->browser->get($requestUrl);
-        } else {
-            $requestUrl = $this->nameserver;
-            $request = $this->browser->post($requestUrl, [
-                'accept' => 'application/dns-message',
-                'content-type' => 'application/dns-message'
-            ], $queryData);
-        }
-
-        return $request->then(function (ResponseInterface $response) {
-            $response = $this->parser->parseMessage((string)$response->getBody());
-            return Promise\resolve($response);
-        }, function (\Exception $e) use ($query) {
-            return Promise\reject(new \RuntimeException(
+        return $this->getBrowser()->then(function($browser) use ($query) {
+            $request = Message::createRequestForQuery($query);
+
+            $queryData = $this->dumper->toBinary($request);
+            $length = strlen($queryData);
+
+            if ($length > 0xffff) {
+                return Promise\reject(new RuntimeException(
+                    'DNS query for ' . $query->describe() . ' failed: Query too large for HTTPS transport'
+                ));
+            }
+
+            if ($this->method === self::METHOD_GET) {
+                $requestUrl = $this->nameserver . '?' . http_build_query(['dns' => $this->urlsafeBase64($queryData)]);
+                $request = $browser->get($requestUrl);
+            } else {
+                $requestUrl = $this->nameserver;
+                $request = $browser->post($requestUrl, [
+                    'accept' => 'application/dns-message',
+                    'content-type' => 'application/dns-message'
+                ], $queryData);
+            }
+
+            return $request->then(function (ResponseInterface $response) {
+                $response = $this->parser->parseMessage((string)$response->getBody());
+                return Promise\resolve($response);
+            }, function (Exception $e) use ($query) {
+                return Promise\reject(new RuntimeException(
+                    'DNS query for ' . $query->describe() . ' failed: ' . $e->getMessage()
+                ));
+            });
+        }, function($e) use ($query) {
+            return Promise\reject(new RuntimeException(
                 'DNS query for ' . $query->describe() . ' failed: ' . $e->getMessage()
             ));
         });
@@ -104,10 +125,82 @@ public function query(Query $query)
     private function urlsafeBase64(string $data) : string {
         // @codeCoverageIgnoreStart
         if (function_exists('sodium_bin2base64')) {
-            return sodium_bin2base64($data, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
-        } else {
-            return rtrim( strtr( base64_encode( $data ), '+/', '-_'), '=');
+            try {
+                return sodium_bin2base64($data, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
+            } catch (\SodiumException $ex) { /* Allow fallthrough to non sodium method */}
         }
+        return rtrim( strtr( base64_encode( $data ), '+/', '-_'), '=');
         //@codeCoverageIgnoreEnd
     }
+
+    private function getBrowser() : Promise\PromiseInterface {
+        if (!isset($this->browserResolution)) {
+            $deferred = new Deferred();
+            $this->browserResolution = $deferred->promise();
+            if ($this->ipv6address) {
+                // PHP does not validate IPv6 addresses contained in the SAN fields of a certificate
+                // To support IPv6 we download the certificate on the first connect and manually verify our nameserver IPv6 IP
+                // is listed in the SAN fields. We then construct a Browser instance with verify_peer_name set to false but with the peer_fingerprint set to our verified certificate.
+                // This doesn't always work because the server may use different front end certificates (SIGH!)
+                $address = str_replace('https://', 'tls://', $this->nameserver);
+                $connector = new Connector([
+                    'tcp' => [
+                        'tcp_nodelay' => true,
+                        ],
+                    'tls' => [
+                        'verify_peer_name' => false,
+                        'capture_peer_cert' => true
+                    ],
+                    'dns' => false,
+                ], $this->loop);
+                $connector->connect($address)->then(function (ConnectionInterface $connection) use ($deferred) {
+                    $response = stream_context_get_params($connection->stream); //Using @internal stream
+                    $connection->end();
+                    $certificatePem = $response['options']['ssl']['peer_certificate'];
+
+                    $certificateFields = openssl_x509_parse($certificatePem);
+                    $additionalDomains = explode(', ', $certificateFields['extensions']['subjectAltName'] ?? '');
+
+                    $ip = inet_pton(trim(parse_url($this->nameserver, PHP_URL_HOST), '[]'));
+                    if ($ip !== false) {
+                        foreach ($additionalDomains as $subAltName) {
+                            $subAltName = trim(strtolower($subAltName));
+                            if (str_starts_with($subAltName, 'ip address:')) {
+                                $compare = inet_pton(str_replace('ip address:', '', $subAltName));
+                                if ($compare === $ip) {
+                                    $fingerprint = openssl_x509_fingerprint($certificatePem, self::FINGERPRINT_HASH_METHOD);
+                                    $browser = (new Browser(new Connector([
+                                        'tcp' => [
+                                            'tcp_nodelay' => true,
+                                            ],
+                                        'tls' => [
+                                            'verify_peer_name' => false,
+                                            'peer_fingerprint'=>[
+                                                self::FINGERPRINT_HASH_METHOD => $fingerprint,
+                                            ],
+                                        ],
+                                    ], $this->loop), $this->loop));
+                                    $deferred->resolve($browser);
+                                    return;
+                                }
+                            }
+                        }
+                    }
+                    $deferred->reject(new RuntimeException('IPv6 IP Address Connection Failed. Unable to Validate Peer Certificate'));
+
+                }, function($ex) use ($deferred) {
+                    $deferred->reject(new RuntimeException('IPv6 IP Address Connection Failed. ' . $ex->getMessage()));
+                });
+            } else {
+                $browser = (new Browser(new Connector([
+                    'tcp' => [
+                        'tcp_nodelay' => true,
+                        ],
+                    ]
+                ), $this->loop));
+                $deferred->resolve($browser);
+            }
+        }
+        return $this->browserResolution;
+    }
 }

tests/FunctionalTests.php

@@ -13,7 +13,7 @@
  */
 class FunctionalTests extends TestCase
 {
-    public function testResolveGoogleViaPostResolves()
+    public function testResolveCloudflareViaPostResolves()
     {
         $executor = new DohExecutor('https://1.1.1.1/dns-query', null,DohExecutor::METHOD_POST);
         $query = new Query('one.one.one.one', Message::TYPE_A, Message::CLASS_IN);
@@ -30,7 +30,7 @@ public function testResolveGoogleViaPostResolves()
         $this->assertEquals(Message::RCODE_OK, $answer->rcode);
     }
 
-    public function testResolveGoogleViaGetResolves()
+    public function testResolveCloudflareViaGetResolves()
     {
         $executor = new DohExecutor('https://1.1.1.1/dns-query', null,DohExecutor::METHOD_GET);
         $query = new Query('one.one.one.one', Message::TYPE_A, Message::CLASS_IN);
@@ -47,6 +47,79 @@ public function testResolveGoogleViaGetResolves()
         $this->assertEquals(Message::RCODE_OK, $answer->rcode);
     }
 
+    public function testResolveCloudflareHostnameViaGetResolves()
+    {
+        $executor = new DohExecutor('https://one.one.one.one/dns-query', null,DohExecutor::METHOD_GET);
+        $query = new Query('one.one.one.one', Message::TYPE_A, Message::CLASS_IN);
+        $promise = $executor->query($query);
+
+        $answer = null;
+        $promise->then(function ($message) use (&$answer) {
+            $answer = $message;
+        });
+
+        Loop::run();
+
+        $this->assertNotNull($answer);
+        $this->assertEquals(Message::RCODE_OK, $answer->rcode);
+    }
+
+    public function testResolveSecondQueryReusesConnection()
+    {
+        $executor = new DohExecutor('https://one.one.one.one/dns-query', null,DohExecutor::METHOD_GET);
+        $query = new Query('one.one.one.one', Message::TYPE_A, Message::CLASS_IN);
+        $promise1 = $executor->query($query);
+        $promise2 = $executor->query($query);
+
+        $answer = null;
+        $promise1->then(function ($message) use (&$answer) {
+            $answer = $message;
+        });
+
+        $promise2->then(function ($message) use (&$answer) {
+            $answer = $message;
+        });
+
+        Loop::run();
+
+        $this->assertNotNull($answer);
+        $this->assertEquals(Message::RCODE_OK, $answer->rcode);
+    }
+
+    public function testResolveGoogleViaIPv6HostResolves()
+    {
+        $executor = new DohExecutor('https://dns64.dns.google/dns-query', null,DohExecutor::METHOD_GET);
+        $query = new Query('google.com', Message::TYPE_A, Message::CLASS_IN);
+        $promise = $executor->query($query);
+
+        $answer = null;
+        $promise->then(function ($message) use (&$answer) {
+            $answer = $message;
+        }, function($reason) { echo $reason->getMessage();});
+
+        Loop::run();
+
+        $this->assertNotNull($answer);
+        $this->assertEquals(Message::RCODE_OK, $answer->rcode);
+    }
+
+    public function testResolveGoogleViaIPv6IpResolves()
+    {
+        $executor = new DohExecutor('https://[2001:4860:4860::8888]/dns-query', null,DohExecutor::METHOD_GET);
+        $query = new Query('google.com', Message::TYPE_A, Message::CLASS_IN);
+        $promise = $executor->query($query);
+
+        $answer = null;
+        $promise->then(function ($message) use (&$answer) {
+            $answer = $message;
+        }, function($reason) { echo $reason->getMessage();});
+
+        Loop::run();
+
+        $this->assertNotNull($answer);
+        $this->assertEquals(Message::RCODE_OK, $answer->rcode);
+    }
+
     public function testResolveInvalidRejects()
     {
         $executor = new DohExecutor('https://1.1.1.1/dns-query');
@@ -84,7 +157,7 @@ public function testResolveToInvalidServerRejects()
 
     public function testQueryRejectsIfMessageExceedsMaximumMessageSize()
     {
-        $executor = $executor = new DohExecutor('https://127.0.0.1:0/dns-query');
+        $executor = new DohExecutor('https://127.0.0.1:0/dns-query');
 
         $query = new Query('google.' . str_repeat('.com', 60000), Message::TYPE_A, Message::CLASS_IN);
         $promise = $executor->query($query);
@@ -105,4 +178,11 @@ public function testResolveViaInvalidHttpMethodThrows()
 
         new DohExecutor('https://1.1.1.1/dns-query', null, 'put');
     }
+
+    public function testInvalidNameserverThrows()
+    {
+        $this->expectException(\InvalidArgumentException::class);
+
+        new DohExecutor('http://1.1.1.1/dns-query');
+    }
 }