feat(core): expose TLS ConnectionState (SNI) for DoQ (#8129)

DoQWriter previously stored only the QUIC stream, so plugins reading TLS state via dns.ConnectionStater (e.g. for SNI-based routing or auditing) could not see anything for DoQ connections, even though the underlying QUIC connection carries a full tls.ConnectionState. This change adds a *quic.Conn reference to DoQWriter and wires it in serveQUICStream. It implements dns.ConnectionStater on *DoQWriter, returning the TLS state from the underlying QUIC connection (mirrors the DoT behavior that miekg/dns already provides for *tls.Conn) Forwards ConnectionState through request.ScrubWriter, which wraps every response writer before the plugin chain runs; the embedded dns.ResponseWriter interface does not promote ConnectionState (it belongs to a separate interface), so without this plugins would still see nil for both DoQ and DoT Signed-off-by: Nicholas Amorim <nicholas@santos.ee>
2026-06-01 23:00:23 -04:00 · 2026-05-29 01:45:48 +03:00
parent 0bcb17df06
commit 6b93363b94
6 changed files with 196 additions and 1 deletions
--- a/request/writer.go
+++ b/request/writer.go
@@ -1,6 +1,10 @@
 package request

-import "github.com/miekg/dns"
+import (
+	"crypto/tls"
+
+	"github.com/miekg/dns"
+)

 // ScrubWriter will, when writing the message, call scrub to make it fit the client's buffer.
 type ScrubWriter struct {
@@ -19,3 +23,16 @@ func (s *ScrubWriter) WriteMsg(m *dns.Msg) error {
 	state.Scrub(m)
 	return s.ResponseWriter.WriteMsg(m)
 }
+
+// ConnectionState forwards the TLS connection state from the wrapped
+// dns.ResponseWriter, if any. Method-set promotion through the embedded
+// dns.ResponseWriter does not surface ConnectionState because it belongs to
+// the separate dns.ConnectionStater interface, so plugins that need TLS state
+// (e.g. SNI) would otherwise lose access to it once ScrubWriter wraps the
+// underlying writer.
+func (s *ScrubWriter) ConnectionState() *tls.ConnectionState {
+	if cs, ok := s.ResponseWriter.(dns.ConnectionStater); ok {
+		return cs.ConnectionState()
+	}
+	return nil
+}
--- a/request/writer_test.go
+++ b/request/writer_test.go
@@ -1,6 +1,7 @@
 package request

 import (
+	"crypto/tls"
 	"fmt"
 	"testing"

@@ -20,6 +21,15 @@ func (m *mockResponseWriter) WriteMsg(msg *dns.Msg) error {
 	return nil
 }

+// connStateResponseWriter implements both dns.ResponseWriter and
+// dns.ConnectionStater for testing forwarding through ScrubWriter.
+type connStateResponseWriter struct {
+	test.ResponseWriter
+	state *tls.ConnectionState
+}
+
+func (c *connStateResponseWriter) ConnectionState() *tls.ConnectionState { return c.state }
+
 func TestScrubWriter(t *testing.T) {
 	req := new(dns.Msg)
 	req.SetQuestion("example.com.", dns.TypeA)
@@ -49,3 +59,26 @@ func TestScrubWriter(t *testing.T) {
 		t.Fatalf("Expected WriteMsg to be called with a message")
 	}
 }
+
+func TestScrubWriterConnectionStateForwarded(t *testing.T) {
+	want := &tls.ConnectionState{ServerName: "example.test"}
+	inner := &connStateResponseWriter{state: want}
+
+	sw := NewScrubWriter(new(dns.Msg), inner)
+
+	cs, ok := dns.ResponseWriter(sw).(dns.ConnectionStater)
+	if !ok {
+		t.Fatal("ScrubWriter does not satisfy dns.ConnectionStater")
+	}
+	if got := cs.ConnectionState(); got != want {
+		t.Errorf("ConnectionState() = %v, want %v", got, want)
+	}
+}
+
+func TestScrubWriterConnectionStateNilWhenUnsupported(t *testing.T) {
+	sw := NewScrubWriter(new(dns.Msg), &mockResponseWriter{})
+
+	if got := sw.ConnectionState(); got != nil {
+		t.Errorf("ConnectionState() = %v, want nil when wrapped writer is not a ConnectionStater", got)
+	}
+}