Building on top of a series of refactors and smaller features, this PR enables connlib to send DNS queries over HTTPS to one or more configured DoH providers.

A DoH server itself is addressed via a domain which first needs to be resolved before it can be contacted. The RFC recommends performing this bootstrapping using the system DNS resolvers. For connlib, this is a bit tricky because the system resolvers may already be set to connlib's sentinel servers by the time we need to bootstrap the DoH clients. Therefore, we maintain a dedicated UDP DNS client inside connlib's `Io` component which is always configured with the latest system DNS resolvers known to connlib.

The actual bootstrapping of a DoH client happens in the following cases:

1. Our TUN device configuration changes and the configured DNS servers mapping contains DoH upstreams.
2. We need to make a DNS query to a DoH server but don't have a client yet.

The first case ensures we bootstrap the DoH clients as early as possible. The latter case ensures we have a self-healing behaviour in case the TCP connection to the DoH server breaks (in which case the DoH client will be de-allocated).

Once the DoH client is initialized, making queries with it is a trivial act of sending an HTTP request and parsing the HTTP response. Within connlib, this now requires almost no special handling apart from a new `dns::Upstream` type that differentiates between Do53 servers (addressed by a `SocketAddr`) and DoH servers (addressed by a `Url`).

Related: #10764
Related: #10788
Related: #10850
Related: #10851
Related: #10856
Related: #10857
Related: #10871
Related: #10872
Related: #10875
Related: #10881
Resolves: #10790
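The two halves of the design above, bootstrapping a DoH upstream through the system resolvers and then shipping a query as an RFC 8484 GET request, as an added example that is not connlib's code. It mirrors the `dns::Upstream` split between Do53 (`SocketAddr`) and DoH, but carries the DoH URL as a plain `String` because the example uses only the standard library (no `url` crate); `bootstrap_query`, `doh_host_port`, `doh_get_request` and the `doh.example` URL are constructed for the example and do not appear in the PR. The point it makes concrete is that a DoH upstream whose host is a name cannot be used until that name is resolved over plain Do53, and that this one query must go to the real system resolvers rather than to connlib's own sentinel addresses; an upstream given as an IP literal, or a Do53 upstream, needs no bootstrap at all.

```rust
use std::net::{IpAddr, SocketAddr};

/// Where a DNS query goes. Modelled on the PR's `dns::Upstream`; the DoH variant
/// carries the URL as a plain `String` here (assumption: no `url` crate available).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Upstream {
    Do53(SocketAddr),
    DoH(String),
}

/// Wire-format single-question DNS query (RFC 1035) with RD set. RFC 8484 suggests
/// ID 0 for the GET form so identical queries produce identical, cacheable URLs.
pub fn build_dns_query(id: u16, name: &str, qtype: u16) -> Vec<u8> {
    let mut msg = Vec::with_capacity(64);
    msg.extend_from_slice(&id.to_be_bytes());
    msg.extend_from_slice(&[0x01, 0x00]); // flags: QR=0, Opcode=0, RD=1
    msg.extend_from_slice(&[0, 1, 0, 0, 0, 0, 0, 0]); // QDCOUNT=1, AN/NS/ARCOUNT=0
    for label in name.trim_end_matches('.').split('.') {
        msg.push(label.len() as u8); // labels are assumed to be <= 63 bytes
        msg.extend_from_slice(label.as_bytes());
    }
    msg.push(0); // root label terminates QNAME
    msg.extend_from_slice(&qtype.to_be_bytes());
    msg.extend_from_slice(&1u16.to_be_bytes()); // QCLASS IN
    msg
}

/// base64url without padding (RFC 4648 section 5), as RFC 8484 requires for `dns=`.
pub fn base64url_nopad(bytes: &[u8]) -> String {
    const ALPHABET: &[u8; 64] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = String::with_capacity((bytes.len() + 2) / 3 * 4);
    for chunk in bytes.chunks(3) {
        let mut buf = [0u8; 3];
        buf[..chunk.len()].copy_from_slice(chunk);
        let n = u32::from(buf[0]) << 16 | u32::from(buf[1]) << 8 | u32::from(buf[2]);
        // 3 input bytes -> 4 chars, 2 -> 3, 1 -> 2; no '=' padding is emitted
        for i in 0..(chunk.len() + 1) as u32 {
            let idx = ((n >> (18 - 6 * i)) & 0x3f) as usize;
            out.push(ALPHABET[idx] as char);
        }
    }
    out
}

/// Minimal "https://host[:port]/..." splitter (the real code has the `url` crate).
/// Handles bracketed IPv6 literals; returns None for anything that is not https.
pub fn doh_host_port(url: &str) -> Option<(String, u16)> {
    let authority = url.strip_prefix("https://")?.split('/').next()?;
    let (host, port) = if let Some(rest) = authority.strip_prefix('[') {
        let (h, after) = rest.split_once(']')?; // bracketed IPv6 literal
        (h, after.strip_prefix(':'))
    } else {
        match authority.split_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (authority, None),
        }
    };
    let port = match port {
        Some(p) => p.parse::<u16>().ok()?,
        None => 443,
    };
    if host.is_empty() {
        return None;
    }
    Some((host.to_string(), port))
}

/// Decide what a freshly configured upstream needs before it can be used.
/// `Ok(None)`: nothing (Do53, or a DoH URL whose host is already an IP literal).
/// `Ok(Some(q))`: the Do53 A query for the DoH host, which must be sent through the
/// system resolvers, never through connlib's own sentinel addresses.
pub fn bootstrap_query(upstream: &Upstream, id: u16) -> Result<Option<Vec<u8>>, String> {
    let url = match upstream {
        Upstream::Do53(_) => return Ok(None),
        Upstream::DoH(url) => url,
    };
    let (host, _port) = doh_host_port(url).ok_or_else(|| format!("invalid DoH URL: {url}"))?;
    if host.parse::<IpAddr>().is_ok() {
        return Ok(None);
    }
    Ok(Some(build_dns_query(id, &host, 1))) // QTYPE 1 = A; production code asks AAAA too
}

/// RFC 8484 GET form: the wire message is base64url-encoded into the `dns` parameter.
pub fn doh_get_request(url: &str, query: &[u8]) -> Option<String> {
    let (host, port) = doh_host_port(url)?;
    let path = match url.strip_prefix("https://")?.split_once('/') {
        Some((_, p)) => format!("/{p}"),
        None => "/".to_string(),
    };
    let sep = if path.contains('?') { '&' } else { '?' };
    let host_hdr = match (host.contains(':'), port) {
        (true, 443) => format!("[{host}]"),
        (true, p) => format!("[{host}]:{p}"),
        (false, 443) => host,
        (false, p) => format!("{host}:{p}"),
    };
    Some(format!(
        "GET {path}{sep}dns={} HTTP/1.1\r\nHost: {host_hdr}\r\nAccept: application/dns-message\r\n\r\n",
        base64url_nopad(query)
    ))
}

fn main() {
    // Constructed example values; "doh.example" is a placeholder, not a real provider.
    let upstream = Upstream::DoH("https://doh.example/dns-query".to_string());
    if let Ok(Some(q)) = bootstrap_query(&upstream, 0) {
        println!("bootstrap via system resolvers, A query: {}", base64url_nopad(&q));
    }
    let query = build_dns_query(0, "www.example.com", 1);
    if let Upstream::DoH(url) = &upstream {
        print!("{}", doh_get_request(url, &query).unwrap());
    }
}
```

The query for `www.example.com` encodes to the exact `dns=` value given in RFC 8484 section 4.1.1, which is a convenient check that both the wire encoding and the padding-free base64url are right. The self-healing case from the description maps onto `bootstrap_query` as well: when the DoH client is dropped after a broken TCP connection, the next query for that upstream runs the same decision again and re-resolves the host before reconnecting.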