- Added nolint to plugin/auto/walk.go to avoid a symlink/TOCTOU
warning, as it needs to follow symlink.
- Replaced a few flagged integer conversions with safe equivalents in
cache hashing, reuseport socket setup, and TLS arg handling
- Preallocated response rule slices in plugin/rewrite/name.go
- Replaced WriteString(fmt.Sprintf/Sprintln(...)) with direct
fmt.Fprint* calls
- Removed stale nolint directives from code and tests that are no
longer needed
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add configurable resource limits to prevent potential DoS vectors
via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers.
New configuration plugins:
- grpc_server: configure max_streams, max_connections
- https: configure max_connections
- https3: configure max_streams
Changes:
- Use netutil.LimitListener for connection limiting
- Use gRPC MaxConcurrentStreams and message size limits
- Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting
- Set secure defaults: 256 max streams, 200 max connections
- Setting any limit to 0 means unbounded/fallback to previous impl
Defaults are applied automatically when plugins are omitted from
config.
Includes tests and integration tests.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* fix: prevent QUIC reload panic by lazily initializing the listener
ServePacket on reload receives the reused PacketConn before the new
ServerQUIC has recreated its quic.Listener, so quicListener is nil and
the process panics. Lazily initialise quicListener from the provided
PacketConn when it’s nil and then proceed with ServeQUIC.
fixes: #7679
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
* test: add regression test for QUIC reload panic
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
---------
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
* perf: avoid string concatenation in loops
Apply perfsprint linter
Signed-off-by: Philippe Antoine <contact@catenacyber.fr>
* ci: enable perfsprint
Signed-off-by: Philippe Antoine <contact@catenacyber.fr>
---------
Signed-off-by: Philippe Antoine <contact@catenacyber.fr>
Enable protogetter in golangci config and update all protobuf field
access to use getter methods instead of direct field access.
Getter methods provide safer nil pointer handling and return
appropriate default values, following protobuf best practices.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Enable intrange linter to enforce modern Go range syntax over
traditional for loops, by converting:
for i := 0; i < n; i++
to:
for i := range n
Adding type conversions where needed for compatibility
with existing uint64 parameters.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add comprehensive unit test coverage for DNS-over-gRPC and
DNS-over-QUIC server implementations:
- server_grpc_test.go: Tests gRPC server creation, TLS config,
lifecycle methods, Query handling, and response writer
- server_quic_test.go: Tests QUIC server creation, custom limits,
message validation, DOQ message parsing, and writer interface
Tests focus on component-level validation with mocks,
complementing existing integration tests without overlap.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add comprehensive tests for multiple components including server blocks
inspection, configuration handling, DoH/DoQ writers, and server startup
functions. Increases overall test coverage from 27% to 38.4% with
particular focus on register.go, https.go, quic.go, and config.go.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* introduce new interface "dnsserver.Viewer", that allows a plugin implementing it to decide if a query should be routed into its server block.
* add new plugin "view", that uses the new interface to enable a user to define expression based conditions that must be met for a query to be routed to its server block.
Signed-off-by: Chris O'Haver <cohaver@infoblox.com>