From 65b10d581d204ec0eb143ad3f41e86d4e709bcc9 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger
Date: Tue, 25 Jun 2024 09:38:25 +1000
Subject: [PATCH] fix(connlib): allow larger DNS responses (#5507)
Many name servers apply a limit as to how big a DNS response is allowed to be to protect themselves against DoS attacks. Querying a domain with large records can thus fail if all we have available is UDP. To mitigate this, we configure every upstream / system DNS server to use UDP and TCP and let hickory decide, when to use what. In addition, we enable EDNS(0), an extension to the original DNS spec that lifts several limits in terms of record sizes.
--- rust/connlib/tunnel/src/io.rs | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/rust/connlib/tunnel/src/io.rs b/rust/connlib/tunnel/src/io.rs
index 78881079f..88e06c15b 100644
--- a/rust/connlib/tunnel/src/io.rs
+++ b/rust/connlib/tunnel/src/io.rs
@@ -8,7 +8,7 @@ use connlib_shared::messages::DnsServer;
 use futures_bounded::FuturesTupleSet;
 use futures_util::FutureExt as _;
 use hickory_resolver::{
- config::{NameServerConfig, Protocol, ResolverConfig},
+ config::{NameServerConfig, Protocol, ResolverConfig, ResolverOpts},
 TokioAsyncResolver,
 };
 use ip_packet::{IpPacket, MutableIpPacket};
@@ -198,9 +198,14 @@ fn create_resolvers(
 .map(|(sentinel, srv)| {
 let mut resolver_config = ResolverConfig::new();
 resolver_config.add_name_server(NameServerConfig::new(srv.address(), Protocol::Udp));
+ resolver_config.add_name_server(NameServerConfig::new(srv.address(), Protocol::Tcp));
+
+ let mut resolver_opts = ResolverOpts::default();
+ resolver_opts.edns0 = true;
+
 (
 sentinel,
- TokioAsyncResolver::tokio(resolver_config, Default::default()),
+ TokioAsyncResolver::tokio(resolver_config, resolver_opts),
 )
 })
 .collect()
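Review bot: The second `add_name_server` call and `resolver_opts.edns0 = true` in the create_resolvers hunk carry no comment explaining why the same `srv.address()` is registered twice, so a later reader may well delete the TCP entry as a duplicate; I would add `// Register each server over UDP and TCP: answers too large for UDP (or truncated by the server) can then be fetched over TCP, and EDNS(0) lifts the classic 512-byte UDP response limit.` above the first call. Whether hickory really falls back from the UDP entry to the TCP entry on a truncated answer, or merely treats them as two independent servers in its pool, is not visible here and deserves a test with an oversized record. Operationally this also means connlib now needs TCP/53 egress to every system and upstream resolver; in environments that only allow UDP/53 the TCP attempts will fail, which is worth stating in the release notes and in any firewall guidance. Binding the address once, `let addr = srv.address();`, would make the UDP/TCP pairing explicit. create_resolvers begins before this hunk and anything after `.collect()` lies outside it.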