DNS over HTTPS (#670)

Author: mageddo

RELEASE-NOTES.md

@@ -1,3 +1,6 @@
+## 5.7.0 Alpha
+* DNS over HTTPS, see #138
+
 ## 5.6.2
 * Fixing Getting Non-authoritative answer when unexpected, see #608.
 * Fixing Getting NXDOMAIN when not expected, see #668.

docs/content/3-configuration/_index.en.md

@@ -24,6 +24,14 @@ Current Version: `3`. See [how to set the configurations][5].
 
 ---
 
+### DoH Server
+
+| Name              | Description                                     | Default Value |
+|-------------------|-------------------------------------------------|---------------|
+| `server.doh.port` | When set, will activate doh server on that port | ``            |
+
+---
+
 ### WEB Server
 
 | Name              | Description   | Default Value |

doh/README.md

@@ -0,0 +1,129 @@
+## Configure Doh on firefox
+
+* https://gemini.google.com/app/28a3034438bb1b72
+* about:networking#dns
+* about:preferences#privacy -> dns over https -> Increased Protection = `https://localhost:8443/dns-query`
+
+Restrictions
+
+* Import ca.crt on firefox under `about:preferences#privacy` -> Certificates -> Authorities to make the DPS doh server
+  be accepted.
+* Activate `network.trr.allow-rfc1918` on `about:config` to make it work with private ip addresses;
+* Some real domains like `.dev` won't work depending on the combination of private ip + default port (80, 443), so evict
+  them, .com seems to work
+
+## Generate Certificates for DOH Server
+
+### 1 - Criar uma CA local (uma vez só)
+
+```bash
+openssl genrsa -out ca.key 4096
+```
+
+```bash
+openssl req -x509 -new -nodes \
+  -key ca.key \
+  -sha256 \
+  -days 36500 \
+  -out ca.crt \
+  -subj "/C=BR/ST=SP/L=SaoPaulo/O=Local Dev CA/CN=Local Dev Root CA"
+```
+
+✔ Esse **é o certificado que você importa no Firefox**
+✔ Ele já vem com `CA:TRUE`
+
+### 2 - Criar chave do servidor DoH
+
+```bash
+openssl genrsa -out doh.key 2048
+```
+
+### 3 - Criar CSR do servidor DoH
+
+```bash
+openssl req -new \
+  -key doh.key \
+  -out doh.csr \
+  -subj "/C=BR/ST=SP/L=SaoPaulo/O=Local Dev/CN=localhost"
+```
+
+---
+
+## 4 - Criar arquivo de extensões
+
+Crie `doh.ext`:
+
+```ini
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+```
+
+## 5 - Assinar o certificado do servidor com a CA
+
+```bash
+openssl x509 -req \
+  -in doh.csr \
+  -CA ca.crt \
+  -CAkey ca.key \
+  -CAcreateserial \
+  -out doh.crt \
+  -days 36500 \
+  -sha256 \
+  -extfile doh.ext
+```
+
+Agora você tem:
+
+* `ca.crt` → **Autoridade**
+* `doh.crt` → **Servidor**
+* `doh.key` → **Chave do servidor**
+
+---
+
+### 6 - Importar a CA no Firefox
+
+1. `about:preferences#privacy`
+2. **Certificados → Ver certificados**
+3. Aba **Autoridades**
+4. **Importar `ca.crt`**
+5. Marcar:
+
+* ✅ *Confiar nesta CA para identificar sites*
+
+⚠️ **NÃO importe o `doh.crt` no Firefox**
+
+### 7 - Gerar `server.p12` a partir de PEM (OpenSSL) para usar no DohServer no DPS
+
+```bash
+# Opcional: cria fullchain (server + CA) (bom pra browsers)
+cat doh.crt ca.crt > fullchain.crt
+
+# cria PKCS12 com private key + cert chain
+openssl pkcs12 -export \
+  -inkey doh.key \
+  -in doh.crt \
+  -certfile ca.crt \
+  -name local \
+  -out server.p12 \
+  -passout pass:changeit
+```
+
+Isso cria um keystore `server.p12` contendo:
+
+* **PrivateKey**: `doh.key`
+* **Cert**: `doh.crt`
+* **Chain**: `ca.crt`
+
+Use o arquivo `server.p12`  no server no DPS.
+
+[[ref][1]]
+
+[1]: https://chatgpt.com/c/694d8e4e-13c8-8325-bef7-25fb4240b6c9

doh/ca.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFozCCA4ugAwIBAgIUKMSurPHPQpHDqy4kRkot13SC5qswDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCQlIxCzAJBgNVBAgMAlNQMREwDwYDVQQHDAhTYW9QYXVs
+bzEVMBMGA1UECgwMTG9jYWwgRGV2IENBMRowGAYDVQQDDBFMb2NhbCBEZXYgUm9v
+dCBDQTAgFw0yNTEyMjUxOTU5NDFaGA8yMTI0MTIwMTE5NTk0MVowYDELMAkGA1UE
+BhMCQlIxCzAJBgNVBAgMAlNQMREwDwYDVQQHDAhTYW9QYXVsbzEVMBMGA1UECgwM
+TG9jYWwgRGV2IENBMRowGAYDVQQDDBFMb2NhbCBEZXYgUm9vdCBDQTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKIW8eqtyTj99csIi/ySHtjhHC5G4MQL
+h15Xav+Rj84VzV7pU9lGl+1jSxmWQqync3Vq96Sc92Q2QgXnP3qQ9uFGkCbqlJn9
+NaQTPG2wW+qUix+XHi+a3p2WtBb9BoakTCD4OzLTGAKYY+0jdOzA1uDuxKqmK07h
+5Ep87JyUDWeYzutU3MQ0I/DlZ1rJRB8E1b22R/dou4mIp0BIokjX7A+PhvDqBRsu
+RBVZTBwclXAHe4/yEslwsg8m4EONAthZGUMtZUTNCqSk4Re56bj1rGuMHH5Fi3MV
+NSds23vXSR1TBIb5w1cnIHD4utsIB7JOoA6RypIsJsPy5VeiPTQ0XPaFOzYvMTJ7
+V1hEZHfHX1GtWPOJCJNmgkDO0H/SE3MQ6v82ZP9GGE1eqx6LUEkhG7TZJxz0qihQ
+nf88tykPc1id51puELxm8Hd9Z4iWusmw/SnDKdJ4K+DhkPkvbdJYmtjylV86jgo8
+Knsm9tMNpooxD6tzG491t2dtr0PBZf+ly2qMzcAzyJuUJTOHzANQY4XoJaHQvjnc
+f8/NBqyrOxFRMYVwE6CtOsuz9kB5Bcc7Lwl2MPh442dAXuZZkfcagDlm8Nb/hrBd
+wu0QukNe3u7QPk0irYOZK3IFCMVisUJ7y0QnTIqaNkKDoG90poO5pGkeSAMV2byQ
+WIVdZc0TjClDAgMBAAGjUzBRMB0GA1UdDgQWBBTmzWkjt8RypXpvbaB73V4DLIy8
+zTAfBgNVHSMEGDAWgBTmzWkjt8RypXpvbaB73V4DLIy8zTAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBe6kTdzPlu7/ZQmYY8vUd9CfAJ0M5s7dez
+oD+VOTokN4B6VaPqjNkwDn1NKwkvrs/wmo5njUXzEjdLSPyYdPi3Nc3ej9CvyiFX
+vmjYSaAVUSx9uaI9ZXav9wxccrpn7eB17kSN10MvVX7PiTmlgGeATiTUDLTtZKnK
+s38wpgiPWK1oDBNaItTLae9/mGp3wqNzopxB+48jfWTvid3ksijHdMqlOB/JDBzV
+6HnWRmCVuyFqi20wBwxwX6XgrKC3MOngG0JHnhlY0pMh07xqAIz0h5lqgCzsuV6V
+y19TpEEARKD/WMxEgr10A8k9K2rbgeByaXSzlbJ3ToTiUb6pxldziDAtPW5yJUpz
+LmYC4AeMM85wQg6Hu8FtOcUljGOMykiis8UTqOBV1A5/P4sr/IorbBuPCZMAZAw5
+eZWxO6DdLY7MGK55m3BMOCQuClsoVH9EsSgMnwhXNyfK+Y3G4zFG9iNpsUGqNfxM
+/lWJn7x17LYLemCAnDqA55t9mtX1pshk+AEPcPBXuS5EGvhoXuZz5ETAs00a8j/Y
+vQ2sOc0HVGCXJ6OukjctTeSFpjZAuLPRVCxi9EVaZi9gRDPBSAS8KVMFXrvyv3cq
+yIYU5DgA2Oia0c0MWhb3VWkdeu1cQzlbSfhXqJrDrtAOQVgX2pHyDTzA/Xm2MDSq
+xQptjCQeTw==
+-----END CERTIFICATE-----

doh/ssl.zip

@@ -1,6 +1,9 @@
 package com.mageddo.dns.utils;
 
+import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.time.Duration;
+import java.util.List;
 import java.util.Optional;
 
 import com.mageddo.commons.lang.Objects;
@@ -41,6 +44,11 @@ public static Message authoritative(Message m) {
     return m;
   }
 
+  private static Name findQuestionName(Message m) {
+    return m.getQuestion()
+        .getName();
+  }
+
   public static String simplePrint(Response res) {
     return simplePrint(res.getMessage());
   }
@@ -115,7 +123,7 @@ public static Message aAnswer(Message query, String ip) {
   }
 
   public static Message aAnswer(Message query, String ip, long ttl) {
-    final var res = withNoErrorResponse(query.clone());
+    final var res = withNoErrorResponse(copy(query));
     if (StringUtils.isBlank(ip)) {
       return res;
     }
@@ -182,7 +190,7 @@ public static Entry.Type findQuestionType(Message msg) {
    * @return a clone with the combination.
    */
   public static Message combine(Message source, Message target) {
-    final var clone = clone(target);
+    final var clone = copy(target);
     for (int i = 1; i < 4; i++) {
       final var section = source.getSection(i);
       for (final var record : section) {
@@ -298,7 +306,7 @@ public static Message withDefaultResponseHeaders(Message res) {
     return res;
   }
 
-  static Message clone(Message msg) {
+  public static Message copy(Message msg) {
     if (msg == null) {
       return null;
     }
@@ -311,6 +319,12 @@ public static Message setFlag(Message m, int flag) {
     return m;
   }
 
+  public static Message unsetFlag(Message m, int flag) {
+    m.getHeader()
+        .unsetFlag(flag);
+    return m;
+  }
+
   public static boolean hasFlag(Message msg, int flag) {
     return msg.getHeader()
         .getFlag(flag);
@@ -323,7 +337,6 @@ public static HostnameQuery toHostnameQuery(Message query) {
     return HostnameQuery.of(host, version);
   }
 
-
   public static boolean isSuccess(Message res) {
     return res.getRcode() == Rcode.NOERROR;
   }
@@ -340,11 +353,25 @@ public static Message noData(Message query) {
     return withResponseCode(query.clone(), Rcode.NOERROR);
   }
 
+  public static Message of(byte[] m) {
+    try {
+      return new Message(m);
+    } catch (IOException e) {
+      throw new UncheckedIOException(e);
+    }
+  }
+
+  public static Message unsetAuthoritative(Message m) {
+    return unsetFlag(m, Flags.AA);
+  }
+
   public static Message authoritativeAnswer(Message query, String ip, IP.Version version) {
     return authoritative(answer(query, ip, version));
   }
 
-  public static Message authoritativeAnswer(Message query, String ip, IP.Version version, long ttl) {
+  public static Message authoritativeAnswer(
+      Message query, String ip, IP.Version version, long ttl
+  ) {
     return authoritative(answer(query, ip, version, ttl));
   }
 
@@ -355,4 +382,17 @@ public static boolean isAuthoritative(Message m) {
   public static boolean isRecursionAvailable(Message m) {
     return hasFlag(m, Flags.RA);
   }
+
+  public static int getId(Message m) {
+    return m.getHeader()
+        .getID();
+  }
+
+  public static Message notSupportedHttps(Message m) {
+    return authoritative(withNoErrorResponse(copy(m)));
+  }
+
+  public static List<Record> getAnswers(Message m) {
+    return m.getSection(Section.ANSWER);
+  }
 }

src/main/java/com/mageddo/dns/utils/Messages.java

@@ -0,0 +1,37 @@
+package com.mageddo.dns.utils;
+
+import org.xbill.DNS.DClass;
+import org.xbill.DNS.Name;
+import org.xbill.DNS.SOARecord;
+import org.xbill.DNS.TextParseException;
+
+public class SoaRecordMapper {
+
+  public static final int SERIAL = 1;
+  public static final int REFRESH = 3600;
+  public static final int RETRY = 600;
+  public static final int EXPIRE = 86400;
+  public static final int MINIMUM = 60;
+
+  public static SOARecord of(Name zone) {
+    try {
+      final var mname = Name.fromString("ns." + zone);
+      final var rname = Name.fromString("dps." + zone);
+      return new SOARecord(
+          zone,
+          DClass.IN,
+          256,
+          mname,
+          rname,
+          SERIAL,
+          REFRESH,
+          RETRY,
+          EXPIRE,
+          MINIMUM
+      );
+    } catch (TextParseException e) {
+      throw new IllegalArgumentException(e);
+    }
+
+  }
+}