[Dnsmasq-discuss] Forwarding UDP requests to TCP, some other concerns

Corey Minyard corey at minyard.net
Mon Aug 19 12:44:30 UTC 2024 

On Mon, Aug 19, 2024 at 3:43 AM <imnozi at gmail.com> wrote:
>
> On Sun, 18 Aug 2024 23:25:02 -0500
> Corey Minyard <corey at minyard.net> wrote:
>
> > ...
> > I have dnsmasq mostly working, but I'm having one big problem.  It seems
> > that requests received from UDP are only forwarded to UDP, they cannot
> > be forwarded to TCP.  I'm running DNS over TLS on the server, so I have
> > to be able to do TCP, but requests come in from clients on UDP and TCP.
> > What can I do about this?
>
> TCP and UDP are different protocols; they cannot talk to each other.


What does that have to do with anything?  dnsmasq receives a request
on a socket, and it forwards the request on a socket.  There's nothing
that says the two sockets have to run the same protocol.  bind can do
this.

I've looked at the code some, and there seems to be a ton of
duplication between the UDP and TCP receive paths.  They do a lot of
the same things, but in different orders, and there are some things
that are unique to each path.  Why can't the code be something like:

forward_request()
{
    /* Do a bunch of processing */
    if (server is UDP)
       forward_to_udp()
    else
      forward_to_tcp()
}

handle_udp_request()
{
    receive_udp_request()
    forward_request();
}

handle_tcp_request()
{
    receive_tcp_request()
    forward_request();
}

Is there something that prevents this sort of thing?

>
>
> Some possible solutions:
>   1. You could configure/program a proxy that 'bridges' incoming UDP requests
>      to an always-open TCP connection to the server's resolver. But this leaves
>      UDP requests and responses unencrypted.
>   2. You could configure/program clients and server to send requests over
>      DTLS (Datagram TLS). This may be more trouble than it's worth.
>   3. You could configure clients and server to use DNSSEC. I've never used it
>      and don't know how steep its learning curve is.
>   4. You could configure clients and server to use OE (Opportunistic
>      Encryption). But OE is point-to-point; a gateway/router in the middle
>      would complicate things.
>   5. You could configure clients to use only TCP for DNS.


#1 is the only viable option; you could create a program that takes
UDP requests, forwards them over TCP, and then returns the responses.
There are a couple that exist that do this, but they are less than
optimal.  And if I'm going to do this, why not fix dnsmasq so it's not
necessary?

-corey

More information about the Dnsmasq-discuss mailing list