LLT-7052: DNS packet codec

[tomasz-grz]

Problem

We want to get rid of all hickory_server dependencies, because it set's up a full blown DNS server, we maintain our own (outdated) fork of, and it was source of a lot of bugs.

As a first step we need to decide if DNS requests are related to .nord zone.
If they are, they should handled by our local resolver, and we need to serve the response packet back.
If not, the request is forwarded and resolved by the upstream nameservers.

Solution

This module incorporates:

• a lightweight decoder, that converts DNS request bytes into a DnsPacket<'_> struct, and exposes a helper functions like parse_dns_packet(), find_nord_query() and normalize_qname() to simplify with the correct request handling.
• A packet builder specific for the local resolver use case, that converts a ResponseKind enum into appropriate DNS response bytes.

☑️ Definition of Done checklist

• Commit history is clean (requirements)
• README.md is updated
• Functionality is covered by unit or integration tests

[stalowyjez]

I have mixed feeling for this PR, reducing dependencies is always nice, but it feels a bit like reinventing the wheel. We also have some code in libfirewall which does some DNS parsing, maybe we should create some public DNS helper crate for pnet which would address our needs?

[stalowyjez]

This struct feels more like ttl_to_nord_soa_bytes function with everything written 3 times instead of just once ^^'

[tomasz-grz]

Could you elaborate a little bit more?

In essence I wanted all of it to be static, but we do have configurable TTL..

[stalowyjez]

I guess having a const array (created in compile time with come const stuff) and just changing the ttl byte would be fastest, but I guess sth like:

fn create_nord_soa_with_ttl(ttl: u32) -> Result<Vec<u8>, DnsBuildError> {
        let mut bytes = Vec::new();
        encode_name(&mut bytes, "mesh.nordsec.com.");
        encode_name(&mut bytes, "support.nordsec.com.");
        bytes.extend_from_slice(&2015082403.to_be_bytes());
        bytes.extend_from_slice(&7200.to_be_bytes());
        bytes.extend_from_slice([&self.retry.to_be_bytes()](i32::try_from(ttl).map_err(|_| DnsBuildError::SoaTtlOutOfRange)?));
        bytes.extend_from_slice(&1209600.to_be_bytes());
        bytes.extend_from_slice(&ttl);
        bytes
}

makes sense here. But probably reusing https://docs.rs/domain/0.11.1/domain/rdata/rfc1035/struct.Soa.html#impl-Soa%3CN%3E would also be nice? This would add a dependency on domain, but I think it is also a nice option to use instead of pnet dns stuff?

[stalowyjez]

Ofc, we could add some comments, or wrap stuff in come constants to make it clearer

[tomasz-grz]

I wanted to use domain in the beginning but was asked not to add any additional dependencies since we have pnet..

I'll try to see how can I make this part "nicer"

[tomasz-grz]

Removed the struct and converted to create_nord_soa_bytes

[stalowyjez]

Looks good enough, +1

[stalowyjez]

Hmm, do we need it as a separate function? And should it be public?

[tomasz-grz]

It's necessary for populating or searching the local "nord" records zone.

[stalowyjez]

I guess having a const array (created in compile time with come const stuff) and just changing the ttl byte would be fastest, but I guess sth like:

fn create_nord_soa_with_ttl(ttl: u32) -> Result<Vec<u8>, DnsBuildError> {
        let mut bytes = Vec::new();
        encode_name(&mut bytes, "mesh.nordsec.com.");
        encode_name(&mut bytes, "support.nordsec.com.");
        bytes.extend_from_slice(&2015082403.to_be_bytes());
        bytes.extend_from_slice(&7200.to_be_bytes());
        bytes.extend_from_slice([&self.retry.to_be_bytes()](i32::try_from(ttl).map_err(|_| DnsBuildError::SoaTtlOutOfRange)?));
        bytes.extend_from_slice(&1209600.to_be_bytes());
        bytes.extend_from_slice(&ttl);
        bytes
}

makes sense here. But probably reusing https://docs.rs/domain/0.11.1/domain/rdata/rfc1035/struct.Soa.html#impl-Soa%3CN%3E would also be nice? This would add a dependency on domain, but I think it is also a nice option to use instead of pnet dns stuff?

[stalowyjez]

Ofc, we could add some comments, or wrap stuff in come constants to make it clearer

[tomaszklak]

I have mixed feeling for this PR, reducing dependencies is always nice, but it feels a bit like reinventing the wheel.

I have the same feeling, and I'm also missing explanation why we want to "get rid of all hickory_server dependencies."

[tomaszklak]

If they are, they should handled by our local resolver, and we need to serve the response packet back.

And what if they are not?

[tomaszklak]

I feel like there should be our rfc that describes what behavior do we want from magic dns.

[tomaszklak]

Please, remember to cleanup (squash?) commits.

[tomaszklak]

+1

[Jauler]

Next time: It would be really nice to include ticket number in the branch name 🙏 🙏 🙏

[Jauler]

why the trailing dot trimming? 🤔 maybe it would be nice to operate with FQDNs?

[tomasz-grz]

So that we can operate on domains with trailing dot and or without eg :test.nord and test.nord.

We either need to trim the trailing dot, or append the trailing dot if it's not present.

[tomasz-grz]

Updated to operate on FQDNs with trailing dot

[Jauler]

while maybe it is not the most important part, but we probably should bump the serial number.

[tomasz-grz]

Good idea

[tomasz-grz]

Bumped

[Jauler]

I would recommend to operate on FQDNs internally always, this would not require us to trim the trailing '.' and would reduce the amount of domain representations to support.

[Jauler]

I believe this is incorrect constant being used. I mean, the value of it is correct, but it is coincidental, but my understanding was the this constnat is meant to represent for DNS packet header length, and here we are calculated fixed-data size for resource-record.

[tomasz-grz]

Hmm yeah semantically you're right, though are both the same size. I will introduce a separate constant.

[tomasz-grz]

Added a separate const

[Jauler]

+1.0

[mathiaspeters]

+1