Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2026-06-02 07:10:24 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
84af2a7a3fb48ffcf9bf0d7c468af97e098dc4aa
coredns/request/writer.go
Nicholas Amorim 6b93363b94 feat(core): expose TLS ConnectionState (SNI) for DoQ (#8129) 
DoQWriter previously stored only the QUIC stream, so plugins reading
TLS state via dns.ConnectionStater (e.g. for SNI-based routing or
auditing) could not see anything for DoQ connections, even
though the underlying QUIC connection carries a full tls.ConnectionState.

This change adds a *quic.Conn reference to DoQWriter and wires it in serveQUICStream.

It implements dns.ConnectionStater on *DoQWriter, returning the TLS
state from the underlying QUIC connection (mirrors the DoT behavior
that miekg/dns already provides for *tls.Conn)

Forwards ConnectionState through request.ScrubWriter, which wraps
every response writer before the plugin chain runs; the embedded
dns.ResponseWriter interface does not promote ConnectionState (it
belongs to a separate interface), so without this plugins would
still see nil for both DoQ and DoT

Signed-off-by: Nicholas Amorim <nicholas@santos.ee>
2026-05-28 15:45:48 -07:00

39 lines
1.3 KiB
Go
Raw Blame History

package request
import (
"crypto/tls"
"github.com/miekg/dns"
)
// ScrubWriter will, when writing the message, call scrub to make it fit the client's buffer.
type ScrubWriter struct {
dns.ResponseWriter
req *dns.Msg // original request
}
// NewScrubWriter returns a new and initialized ScrubWriter.
func NewScrubWriter(req *dns.Msg, w dns.ResponseWriter) *ScrubWriter { return &ScrubWriter{w, req} }
// WriteMsg overrides the default implementation of the underlying dns.ResponseWriter and calls
// scrub on the message m and will then write it to the client.
func (s *ScrubWriter) WriteMsg(m *dns.Msg) error {
state := Request{Req: s.req, W: s.ResponseWriter}
state.SizeAndDo(m)
state.Scrub(m)
return s.ResponseWriter.WriteMsg(m)
}
// ConnectionState forwards the TLS connection state from the wrapped
// dns.ResponseWriter, if any. Method-set promotion through the embedded
// dns.ResponseWriter does not surface ConnectionState because it belongs to
// the separate dns.ConnectionStater interface, so plugins that need TLS state
// (e.g. SNI) would otherwise lose access to it once ScrubWriter wraps the
// underlying writer.
func (s *ScrubWriter) ConnectionState() *tls.ConnectionState {
if cs, ok := s.ResponseWriter.(dns.ConnectionStater); ok {
return cs.ConnectionState()
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink