• Home
Name Date Size #Lines LOC

..--

aidl_api/dnsresolver_aidl_interface/03-May-2024-1,744827

apex/03-May-2024-194154

binder/android/net/03-May-2024-671133

include/03-May-2024-16142

tests/03-May-2024-18,07513,581

.clang-formatD03-May-2024291

.editorconfigD03-May-2024238 1410

Android.bpD03-May-202410.2 KiB378354

Dns64Configuration.cppD03-May-20249.8 KiB280181

Dns64Configuration.hD03-May-20244.9 KiB13471

DnsProxyListener.cppD03-May-202450.4 KiB1,3381,041

DnsProxyListener.hD03-May-20245.2 KiB171114

DnsQueryLog.cppD03-May-20242.4 KiB7241

DnsQueryLog.hD03-May-20242.3 KiB7238

DnsQueryLogTest.cppD03-May-20245.5 KiB165111

DnsResolver.cppD03-May-20243.5 KiB10975

DnsResolver.hD03-May-20241.5 KiB5830

DnsResolverService.cppD03-May-202411.8 KiB321206

DnsResolverService.hD03-May-20243.2 KiB8246

DnsStats.cppD03-May-20249.5 KiB296210

DnsStats.hD03-May-20244.5 KiB14063

DnsStatsTest.cppD03-May-202423.6 KiB541402

DnsTlsDispatcher.cppD03-May-202413.8 KiB360253

DnsTlsDispatcher.hD03-May-20247.9 KiB18075

DnsTlsQueryMap.cppD03-May-20244.4 KiB159117

DnsTlsQueryMap.hD03-May-20243.5 KiB11453

DnsTlsServer.cppD03-May-20244.7 KiB13590

DnsTlsServer.hD03-May-20243.4 KiB10241

DnsTlsSessionCache.cppD03-May-20242.3 KiB7748

DnsTlsSessionCache.hD03-May-20242 KiB6123

DnsTlsSocket.cppD03-May-202422.6 KiB660515

DnsTlsSocket.hD03-May-20248.8 KiB20969

DnsTlsSocketFactory.hD03-May-20241.6 KiB5025

DnsTlsTransport.cppD03-May-202413.1 KiB373271

DnsTlsTransport.hD03-May-20243.2 KiB9948

Experiments.cppD03-May-20242.1 KiB7546

Experiments.hD03-May-20242.6 KiB7343

ExperimentsTest.cppD03-May-20244.8 KiB153116

IDnsTlsSocket.hD03-May-20241.7 KiB5118

IDnsTlsSocketFactory.hD03-May-20241.3 KiB4318

IDnsTlsSocketObserver.hD03-May-20241.2 KiB3913

IPrivateDnsServer.hD03-May-20241.7 KiB6121

LockedQueue.hD03-May-20241.8 KiB7746

NOTICED03-May-202421.6 KiB419349

OWNERSD03-May-202437 21

OperationLimiter.hD03-May-20243.6 KiB12157

OperationLimiterTest.cppD03-May-20242.2 KiB7637

PREUPLOAD.cfgD03-May-2024224 97

PrivateDnsCommon.hD03-May-20242 KiB7448

PrivateDnsConfiguration.cppD03-May-202416.3 KiB416291

PrivateDnsConfiguration.hD03-May-20246.3 KiB16593

PrivateDnsConfigurationTest.cppD03-May-202416.7 KiB387254

PrivateDnsValidationObserver.hD03-May-20241.4 KiB3610

README-DoT.mdD03-May-20246.3 KiB12899

README.mdD03-May-2024436 1411

ResolverController.cppD03-May-202415.5 KiB365285

ResolverController.hD03-May-20242.5 KiB7538

ResolverEventReporter.cppD03-May-20248.6 KiB209120

ResolverEventReporter.hD03-May-20243.8 KiB9351

ResolverStats.hD03-May-20244.3 KiB12279

TEST_MAPPINGD03-May-20241,007 1817

cbindgen.tomlD03-May-2024797 3729

doh.hD03-May-20241.4 KiB4811

doh.rsD03-May-202420 KiB589485

getaddrinfo.cppD03-May-202462.6 KiB1,9551,407

getaddrinfo.hD03-May-20241.3 KiB3210

gethnamaddr.cppD03-May-202427.1 KiB793611

gethnamaddr.hD03-May-20241.7 KiB3911

hostent.hD03-May-20242.9 KiB7231

libnetd_resolv.map.txtD03-May-2024889 2926

params.hD03-May-20241.5 KiB3614

res_cache.cppD03-May-202468.1 KiB2,0471,325

res_comp.cppD03-May-20246.7 KiB17251

res_comp.hD03-May-2024969 277

res_debug.cppD03-May-202421 KiB513331

res_debug.hD03-May-20241 KiB328

res_mkquery.cppD03-May-20249.6 KiB248140

res_query.cppD03-May-202414.3 KiB367184

res_send.cppD03-May-202449 KiB1,305937

res_send.hD03-May-2024982 266

res_stats.cppD03-May-20246.5 KiB165118

resolv_cache.hD03-May-20246 KiB13450

resolv_private.hD03-May-20248.6 KiB214113

resolv_rust_test_config_template.xmlD03-May-20241.2 KiB2712

resolv_test_config_template.xmlD03-May-20242.1 KiB3918

rustfmt.tomlD03-May-202493

sethostent.cppD03-May-20246.8 KiB207127

stats.hD03-May-20242.5 KiB6429

stats.protoD03-May-202416.3 KiB415384

util.cppD03-May-20241.9 KiB5934

util.hD03-May-20242.5 KiB5920

README-DoT.md

1# DNS-over-TLS query forwarder design
2
3## Overview
4
5The DNS-over-TLS query forwarder consists of five classes:
6 * `DnsTlsDispatcher`
7 * `DnsTlsTransport`
8 * `DnsTlsQueryMap`
9 * `DnsTlsSessionCache`
10 * `DnsTlsSocket`
11
12`DnsTlsDispatcher` is a singleton class whose `query` method is the DnsTls's
13only public interface.  `DnsTlsDispatcher` is just a table holding the
14`DnsTlsTransport` for each server (represented by a `DnsTlsServer` struct) and
15network.  `DnsTlsDispatcher` also blocks each query thread, waiting on a
16`std::future` returned by `DnsTlsTransport` that represents the response.
17
18`DnsTlsTransport` sends each query over a `DnsTlsSocket`, opening a
19new one if necessary.  It also has to listen for responses from the
20`DnsTlsSocket`, which happen on a different thread.
21`IDnsTlsSocketObserver` is an interface defining how `DnsTlsSocket` returns
22responses to `DnsTlsTransport`.
23
24`DnsTlsQueryMap` and `DnsTlsSessionCache` are helper classes owned by `DnsTlsTransport`.
25`DnsTlsQueryMap` handles ID renumbering and query-response pairing.
26`DnsTlsSessionCache` allows TLS session resumption.
27
28`DnsTlsSocket` interleaves all queries onto a single socket, and reports all
29responses to `DnsTlsTransport` (through the `IDnsTlsObserver` interface).  It doesn't
30know anything about which queries correspond to which responses, and does not retain
31state to indicate whether there is an outstanding query.
32
33## Threading
34
35### Overall patterns
36
37For clarity, each of the five classes in this design is thread-safe and holds one lock.
38Classes that spawn a helper thread call `thread::join()` in their destructor to ensure
39that it is cleaned up appropriately.
40
41All the classes here make full use of Clang thread annotations (and also null-pointer
42annotations) to minimize the likelihood of a latent threading bug.  The unit tests are
43also heavily threaded to exercise this functionality.
44
45This code creates O(1) threads per socket, and does not create a new thread for each
46query or response.  However, DnsProxyListener does create a thread for each query.
47
48### Threading in `DnsTlsSocket`
49
50`DnsTlsSocket` can receive queries on any thread, and send them over a
51"reliable datagram pipe" (`socketpair()` in `SOCK_SEQPACKET` mode).
52The query method writes a struct (containing a pointer to the query) to the pipe
53from its thread, and the loop thread (which owns the SSL socket)
54reads off the other end of the pipe.  The pipe doesn't actually have a queue "inside";
55instead, any queueing happens by blocking the query thread until the
56socket thread can read the datagram off the other end.
57
58We need to pass messages between threads using a pipe, and not a condition variable
59or a thread-safe queue, because the socket thread has to be blocked
60in `poll()` waiting for data from the server, but also has to be woken
61up on inputs from the query threads.  Therefore, inputs from the query
62threads have to arrive on a socket, so that `poll()` can listen for them.
63(There can only be a single thread because [you can't use different threads
64to read and write in OpenSSL](https://www.openssl.org/blog/blog/2017/02/21/threads/)).
65
66## ID renumbering
67
68`DnsTlsDispatcher` accepts queries that have colliding ID numbers and still sends them on
69a single socket.  To avoid confusion at the server, `DnsTlsQueryMap` assigns each
70query a new ID for transmission, records the mapping from input IDs to sent IDs, and
71applies the inverse mapping to responses before returning them to the caller.
72
73`DnsTlsQueryMap` assigns each new query the ID number one greater than the largest
74ID number of an outstanding query.  This means that ID numbers are initially sequential
75and usually small.  If the largest possible ID number is already in use,
76`DnsTlsQueryMap` will scan the ID space to find an available ID, or fail the query
77if there are no available IDs.  Queries will not block waiting for an ID number to
78become available.
79
80## Time constants
81
82`DnsTlsSocket` imposes a 20-second inactivity timeout.  A socket that has been idle for
8320 seconds will be closed.  This sets the limit of tolerance for slow replies,
84which could happen as a result of malfunctioning authoritative DNS servers.
85If there are any pending queries, `DnsTlsTransport` will retry them.
86
87`DnsTlsQueryMap` imposes a retry limit of 3.  `DnsTlsTransport` will retry the query up
88to 3 times before reporting failure to `DnsTlsDispatcher`.
89This limit helps to ensure proper functioning in the case of a recursive resolver that
90is malfunctioning or is flooded with requests that are stalled due to malfunctioning
91authoritative servers.
92
93`DnsTlsDispatcher` maintains a 5-minute timeout.  Any `DnsTlsTransport` that has had no
94outstanding queries for 5 minutes will be destroyed at the next query on a different
95transport.
96This sets the limit on how long session tickets will be preserved during idle periods,
97because each `DnsTlsTransport` owns a `DnsTlsSessionCache`.  Imposing this timeout
98increases latency on the first query after an idle period, but also helps to avoid
99unbounded memory usage.
100
101`DnsTlsSessionCache` sets a limit of 5 sessions in each cache, expiring the oldest one
102when the limit is reached.  However, because the client code does not currently
103reuse sessions more than once, it should not be possible to hit this limit.
104
105## Testing
106
107Unit tests for DoT are in `resolv_tls_unit_test.cpp`. They cover all the classes except
108`DnsTlsSocket` (which requires `CAP_NET_ADMIN` because it uses `setsockopt(SO_MARK)`) and
109`DnsTlsSessionCache` (which requires integration with libssl).  These classes are
110exercised by the integration tests in `resolv_integration_test.cpp`.
111
112### Dependency Injection
113
114For unit testing, we would like to be able to mock out `DnsTlsSocket`.  This is
115particularly required for unit testing of `DnsTlsDispatcher` and `DnsTlsTransport`.
116To make these unit tests possible, this code uses a dependency injection pattern:
117`DnsTlsSocket` is produced by a `DnsTlsSocketFactory`, and both of these have a
118defined interface.
119
120`DnsTlsDispatcher`'s constructor takes an `IDnsTlsSocketFactory`,
121which in production is a `DnsTlsSocketFactory`.  However, in unit tests, we can
122substitute a test factory that returns a fake socket, so that the unit tests can
123run without actually connecting over TLS to a test server.  (The integration tests
124do actual TLS.)
125
126## Reference
127 * [BoringSSL API docs](https://commondatastorage.googleapis.com/chromium-boringssl-docs/headers.html)
128

README.md

1## Logging
2
3This code uses LOG(X) for logging. Log levels are VERBOSE,DEBUG,INFO,WARNING and ERROR.
4The default setting is WARNING and logs relate to WARNING and ERROR will be shown. If
5you want to enable the DEBUG level logs, using following command.
6adb shell service call dnsresolver 10 i32 1
7VERBOSE   0
8DEBUG     1
9INFO      2
10WARNING   3
11ERROR     4
12Verbose resolver logs could contain PII -- do NOT enable in production builds.
13
14