Added basic DNS cookie support with rate limiting#1737
Added basic DNS cookie support with rate limiting#1737zbalkan wants to merge 35 commits intoTechnitiumSoftware:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds DNS Cookie support to the Technitium DNS Server, implementing RFC 7873 and RFC 9018 specifications. The implementation includes EDNS(0) COOKIE option parsing, server-side cookie generation and validation using HMAC-SHA256, secret management with automatic rotation, and appropriate request/response handling with BADCOOKIE responses.
Changes:
- Added
DnsCookieSecretManagerclass for managing 32-byte HMAC secrets with file persistence and automatic rotation - Added
DnsCookieValidatorclass for generating and validating DNS cookies using RFC 9018 server cookie structure (version 1 with timestamp and HMAC-SHA256-64) - Integrated DNS cookie validation and response handling into
DnsServerwith configuration options for enabling cookies, secret file path, rotation period, TC-on-bad-cookie behavior, and always-echo mode
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 19 comments.
| File | Description |
|---|---|
| DnsServerCore/Dns/Security/DnsCookieSecretManager.cs | Manages cryptographic secrets for DNS cookies with persistence, rotation, and thread-safe access |
| DnsServerCore/Dns/Security/DnsCookieValidator.cs | Implements RFC 9018 server cookie generation and validation with timestamp and HMAC verification |
| DnsServerCore/Dns/DnsServer.cs | Integrates DNS cookie support with request validation, BADCOOKIE response generation, and configuration management |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
zbalkan
force-pushed
the
feat/add-dns-cookie-support
branch
from
114c2df to
224475f
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
I'll roll back last two commits. I shouldn't blindly listen to the copilot review. Original code was okay. But tomorrow. |
zbalkan
force-pushed
the
feat/add-dns-cookie-support
branch
from
6f34df8 to
f5a0926
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Ready. |
|
BTW, this is the first iteration of the progress. The next step is to add another rate-limiter making use of DNS cookies. The flow would be:
|
… response attach, malformed FORMERR, abuse throttling, and runtime toggle)
…e. drop without responding beyond a threshold
zbalkan
changed the title
|
After 2 months, I finally found time to work on where I've left. Now, blocking traffic based on DNS query |
Adds DNS Cookies support across DnsServer with EDNS(0) COOKIE parsing, server-side cookie generation/validation, and request/response handling per RFC 7873/9018.
Relies on PR TechnitiumSoftware/TechnitiumLibrary#56
Edit: Solves #1151
Edit 2: Removed configuration for cookies for the sake of simplicity