* perf: avoid string concatenation in loops
Apply perfpsrint linter
Signed-off-by: Philippe Antoine <contact@catenacyber.fr>
* ci: enable perfsprint
Signed-off-by: Philippe Antoine <contact@catenacyber.fr>
---------
Signed-off-by: Philippe Antoine <contact@catenacyber.fr>
Enable intrange linter to enforce modern Go range syntax over
traditional for loops, by converting:
for i := 0; i < n; i++
to:
for i := range n
Adding type conversions where needed for compatibility
with existing uint64 parameters.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Enable canonicalheader linter to enforce proper HTTP header casing.
This ensures headers use Go's canonical format (e.g., "Content-Type"
instead of "content-type") for consistency.
Fixes header casing in DoH implementation.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Ensure Dial exits early or returns error when Transport has been
stopped, instead of blocking on the dial or ret channels. This removes
a potential goroutine leak where callers could pile up waiting
forever under heavy load.
Add select guards before send and receive, and propagate clear error
values so callers can handle shutdown gracefully.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add test suite covering thread-safe random number generator with
tests for:
- Constructor with various seed values (positive, zero, negative)
- Deterministic behavior verification with same seeds
- Permutation generation and validation
- Concurrent access safety with multiple goroutines
- Mixed operations under concurrent load
Also clarify package documentation to explicitly state this is
for load balancing and server selection, not cryptographic use.
The math/rand usage is intentional for performance in non-security
contexts like upstream server selection and DNS record shuffling.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Enable the usetesting linter in golangci.yml configuration to
enforce proper testing practices. Replace manual temporary
directory and file creation with t.TempDir() in test files.
This improves test reliability by ensuring proper cleanup and
follows Go testing best practices.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add a NativeHistogramBucketFactor parameter to the use of
`NewHistogramVec` in order to enable use of Prometheus Native
Histograms.
This will store automatically computed sparse buckets in CoreDNS.
If a compatible Prometeus requests native histograms this data will
returned instead of the static buckets.
The default factor of 1.05 should provide high quality resolution data.
Signed-off-by: SuperQ <superq@gmail.com>
When packing the empty domain name, miekg/dns can end up creating
corrupt DNS messages. With some planned unpacking changes, this now
trips an error condition and causes these tests to fail. Correct this
by using the root domain explicitly as this gets correctly encoded on
the wire.
Signed-off-by: Tom Thorogood <me+github@tomthorogood.net>
* plugin/forward: Move Proxy into pkg/plugin/proxy, to allow forward.Proxy to be used outside of forward plugin.
Signed-off-by: Patrick Downey <patrick.downey@dioadconsulting.com>
* plugin/edns: remove truncating of question section on bad EDNS version
EDNS requests of "Unknown Version" removed the query section altogether.
Not sure why since this is not require (see [link](https://kb.isc.org/docs/edns-compatibility-dig-queries)
This cause issues with DNS solutions that uses this information (initial queried name, type and class) in order to route the response to the right client (e.g. PDNS).
The change here is to keep the inital query section as is.
Signed-off-by: Ben Kaplan <ben.kaplan@redis.com>
* adding tests for edns0 version check
Signed-off-by: Ben Kaplan <ben.kaplan@redis.com>
* adding tests for non-edns0 version check
Signed-off-by: Ben Kaplan <ben.kaplan@redis.com>
Signed-off-by: Ben Kaplan <ben.kaplan@redis.com>
* introduce new interface "dnsserver.Viewer", that allows a plugin implementing it to decide if a query should be routed into its server block.
* add new plugin "view", that uses the new interface to enable a user to define expression based conditions that must be met for a query to be routed to its server block.
Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
Previously we use io.LimitReader to limit the number of bytes
from http request. However, there is a subtle difference between
io.LimitReader and io.ReadAll as io.LimitReader will return
a Reader, not a ReadCloser. As such the behavior will actually
be difference in case of error handling (and when to close).
This PR changes io.LimitReader to http.MaxBytesReader
so that the behavior can be preserved (except the number of bytes).
See https://stackoverflow.com/a/52699702
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR adds limit to ioutil.ReadAll for DoH request body
so that it will not be subject to large requests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
PR 2938 hardens tls though there are other places that uses TLS
as well and setTLSDefaults are not invoked in other paths.
This PR hardens tls on all places.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
While performing security scans there were several
issue raised as G304 (CWE-22): Potential file inclusion via variable.
As some files path are taken from user input, it is possible the
filepath passed by user may have unintended effect if not properly formed.
This fix add Clean to remove the security warning and address some
potential issue.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
