Pull request 395: AG-38975 Rebirth attack mitigation

Merge in GO/dnsproxy from AG-38975-rebirth-attack to master

Squashed commit of the following:

commit 715cfb8
Merge: 6ca2379 8f7a66d
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu Apr 17 20:03:33 2025 +0300

    Merge branch 'master' into AG-38975-rebirth-attack

commit 6ca2379
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu Apr 17 19:45:54 2025 +0300

    proxy: fix typo

commit c1b3f4a
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Mon Apr 14 15:50:33 2025 +0300

    all: imp code

commit 96f975a
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Fri Apr 11 18:05:41 2025 +0300

    all: imp code

commit 6deeaa8
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu Apr 10 17:24:31 2025 +0300

    all: imp code, add arg

commit aee70c9
Merge: 8e220ae 970056b
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu Apr 10 17:24:04 2025 +0300

    Merge branch 'master' into AG-38975-rebirth-attack

commit 8e220ae
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Fri Apr 4 19:24:04 2025 +0300

    all: add pending requests

Author: EugeneOne1

README.md

@@ -46,67 +46,105 @@ make build
 ## Usage
 
 ```none
-Usage:
-  dnsproxy [OPTIONS]
-
-Application Options:
-      --config-path=               yaml configuration file. Minimal working configuration in config.yaml.dist. Options passed through command
-                                   line will override the ones from this file.
-  -o, --output=                    Path to the log file. If not set, write to stdout.
-  -c, --tls-crt=                   Path to a file with the certificate chain
-  -k, --tls-key=                   Path to a file with the private key
-      --https-server-name=         Set the Server header for the responses from the HTTPS server. (default: dnsproxy)
-      --https-userinfo=            If set, all DoH queries are required to have this basic authentication information.
-  -g, --dnscrypt-config=           Path to a file with DNSCrypt configuration. You can generate one using https://github.com/ameshkov/dnscrypt
-      --edns-addr=                 Send EDNS Client Address
-      --upstream-mode=             Defines the upstreams logic mode, possible values: load_balance, parallel, fastest_addr (default:
-                                   load_balance)
-  -l, --listen=                    Listening addresses
-  -p, --port=                      Listening ports. Zero value disables TCP and UDP listeners
-  -s, --https-port=                Listening ports for DNS-over-HTTPS
-  -t, --tls-port=                  Listening ports for DNS-over-TLS
-  -q, --quic-port=                 Listening ports for DNS-over-QUIC
-  -y, --dnscrypt-port=             Listening ports for DNSCrypt
-  -u, --upstream=                  An upstream to be used (can be specified multiple times). You can also specify path to a file with the
-                                   list of servers
-  -b, --bootstrap=                 Bootstrap DNS for DoH and DoT, can be specified multiple times (default: use system-provided)
-  -f, --fallback=                  Fallback resolvers to use when regular ones are unavailable, can be specified multiple times. You can also
-                                   specify path to a file with the list of servers
-      --private-rdns-upstream=     Private DNS upstreams to use for reverse DNS lookups of private addresses, can be specified multiple times
-      --dns64-prefix=              Prefix used to handle DNS64. If not specified, dnsproxy uses the 'Well-Known Prefix' 64:ff9b::.  Can be
-                                   specified multiple times
-      --private-subnets=           Private subnets to use for reverse DNS lookups of private addresses
-      --bogus-nxdomain=            Transform the responses containing at least a single IP that matches specified addresses and CIDRs into
-                                   NXDOMAIN.  Can be specified multiple times.
-      --hosts-files=               List of paths to the hosts files, can be specified multiple times
-      --timeout=                   Timeout for outbound DNS queries to remote upstream servers in a human-readable form (default: 10s)
-      --cache-min-ttl=             Minimum TTL value for DNS entries, in seconds. Capped at 3600. Artificially extending TTLs should only be
-                                   done with careful consideration.
-      --cache-max-ttl=             Maximum TTL value for DNS entries, in seconds.
-      --cache-size=                Cache size (in bytes). Default: 64k
-  -r, --ratelimit=                 Ratelimit (requests per second)
-      --ratelimit-subnet-len-ipv4= Ratelimit subnet length for IPv4. (default: 24)
-      --ratelimit-subnet-len-ipv6= Ratelimit subnet length for IPv6. (default: 56)
-      --udp-buf-size=              Set the size of the UDP buffer in bytes. A value <= 0 will use the system default.
-      --max-go-routines=           Set the maximum number of go routines. A zero value will not not set a maximum.
-      --tls-min-version=           Minimum TLS version, for example 1.0
-      --tls-max-version=           Maximum TLS version, for example 1.3
-      --pprof                      If present, exposes pprof information on localhost:6060.
-      --version                    Prints the program version
-  -v, --verbose                    Verbose output (optional)
-      --insecure                   Disable secure TLS certificate validation
-      --ipv6-disabled              If specified, all AAAA requests will be replied with NoError RCode and empty answer
-      --http3                      Enable HTTP/3 support
-      --cache-optimistic           If specified, optimistic DNS cache is enabled
-      --cache                      If specified, DNS cache is enabled
-      --refuse-any                 If specified, refuse ANY requests
-      --edns                       Use EDNS Client Subnet extension
-      --dns64                      If specified, dnsproxy will act as a DNS64 server
-      --use-private-rdns           If specified, use private upstreams for reverse DNS lookups of private addresses
-      --hosts-file-enabled=        If specified, use hosts files for resolving (default: true)
-
-Help Options:
-  -h, --help                       Show this help message
+Usage of ./dnsproxy:
+  --bogus-nxdomain=subnet
+        Transform the responses containing at least a single IP that matches specified addresses and CIDRs into NXDOMAIN.  Can be specified multiple times.
+  --bootstrap/-b
+        Bootstrap DNS for DoH and DoT, can be specified multiple times (default: use system-provided).
+  --cache
+        If specified, DNS cache is enabled.
+  --cache-max-ttl=uint32
+        Maximum TTL value for DNS entries, in seconds.
+  --cache-min-ttl=uint32
+        Minimum TTL value for DNS entries, in seconds. Capped at 3600. Artificially extending TTLs should only be done with careful consideration.
+  --cache-optimistic
+        If specified, optimistic DNS cache is enabled.
+  --cache-size=int
+        Cache size (in bytes). Default: 64k.
+  --config-path=path
+        YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
+  --dns64
+        If specified, dnsproxy will act as a DNS64 server.
+  --dns64-prefix=subnet
+        Prefix used to handle DNS64. If not specified, dnsproxy uses the 'Well-Known Prefix' 64:ff9b::.  Can be specified multiple times.
+  --dnscrypt-config=path/-g path
+        Path to a file with DNSCrypt configuration. You can generate one using https://github.com/ameshkov/dnscrypt.
+  --dnscrypt-port=port/-y port
+        Listening ports for DNSCrypt.
+  --edns
+        Use EDNS Client Subnet extension.
+  --edns-addr=address
+        Send EDNS Client Address.
+  --fallback/-f
+        Fallback resolvers to use when regular ones are unavailable, can be specified multiple times. You can also specify path to a file with the list of servers.
+  --help/-h
+        Print this help message and quit.
+  --hosts-file-enabled
+        If specified, use hosts files for resolving.
+  --hosts-files=path
+        List of paths to the hosts files, can be specified multiple times.
+  --http3
+        Enable HTTP/3 support.
+  --https-port=port/-s port
+        Listening ports for DNS-over-HTTPS.
+  --https-server-name=name
+        Set the Server header for the responses from the HTTPS server.
+  --https-userinfo=name
+        If set, all DoH queries are required to have this basic authentication information.
+  --insecure
+        Disable secure TLS certificate validation.
+  --ipv6-disabled
+        If specified, all AAAA requests will be replied with NoError RCode and empty answer.
+  --listen=address/-l address
+        Listening addresses.
+  --max-go-routines=uint
+        Set the maximum number of go routines. A zero value will not not set a maximum.
+  --output=path/-o path
+        Path to the log file.
+  --pending-requests-enabled
+        If specified, the server will track duplicate queries and only send the first of them to the upstream server, propagating its result to others. Disabling it introduces a vulnerability to cache poisoning attacks.
+  --port=port/-p port
+        Listening ports. Zero value disables TCP and UDP listeners.
+  --pprof
+        If present, exposes pprof information on localhost:6060.
+  --private-rdns-upstream
+        Private DNS upstreams to use for reverse DNS lookups of private addresses, can be specified multiple times.
+  --private-subnets=subnet
+        Private subnets to use for reverse DNS lookups of private addresses.
+  --quic-port=port/-q port
+        Listening ports for DNS-over-QUIC.
+  --ratelimit=int/-r int
+        Ratelimit (requests per second).
+  --ratelimit-subnet-len-ipv4=int
+        Ratelimit subnet length for IPv4.
+  --ratelimit-subnet-len-ipv6=int
+        Ratelimit subnet length for IPv6.
+  --refuse-any
+        If specified, refuses ANY requests.
+  --timeout=duration
+        Timeout for outbound DNS queries to remote upstream servers in a human-readable form
+  --tls-crt=path/-c path
+        Path to a file with the certificate chain.
+  --tls-key=path/-k path
+        Path to a file with the private key.
+  --tls-max-version=version
+        Maximum TLS version, for example 1.3.
+  --tls-min-version=version
+        Minimum TLS version, for example 1.0.
+  --tls-port=port/-t port
+        Listening ports for DNS-over-TLS.
+  --udp-buf-size=int
+        Set the size of the UDP buffer in bytes. A value <= 0 will use the system default.
+  --upstream/-u
+        An upstream to be used (can be specified multiple times). You can also specify path to a file with the list of servers.
+  --upstream-mode=mode
+        Defines the upstreams logic mode, possible values: load_balance, parallel, fastest_addr (default: load_balance).
+  --use-private-rdns
+        If specified, use private upstreams for reverse DNS lookups of private addresses.
+  --verbose/-v
+        Verbose output.
+  --version
+        Prints the program version.
 ```
 
 ## Examples

internal/cmd/args.go

@@ -62,6 +62,7 @@ const (
 	cacheIdx
 	refuseAnyIdx
 	enableEDNSSubnetIdx
+	pendingRequestsEnabledIdx
 	dns64Idx
 	usePrivateRDNSIdx
 )
@@ -369,6 +370,14 @@ var commandLineOptions = []*commandLineOption{
 		short:       "",
 		valueType:   "",
 	},
+	pendingRequestsEnabledIdx: {
+		description: "If specified, the server will track duplicate queries and only send the " +
+			"first of them to the upstream server, propagating its result to others. " +
+			"Disabling it introduces a vulnerability to cache poisoning attacks.",
+		long:      "pending-requests-enabled",
+		short:     "",
+		valueType: "",
+	},
 	dns64Idx: {
 		description: "If specified, dnsproxy will act as a DNS64 server.",
 		long:        "dns64",
@@ -436,6 +445,7 @@ func parseCmdLineOptions(conf *configuration) (err error) {
 		cacheIdx:                  &conf.Cache,
 		refuseAnyIdx:              &conf.RefuseAny,
 		enableEDNSSubnetIdx:       &conf.EnableEDNSSubnet,
+		pendingRequestsEnabledIdx: &conf.PendingRequestsEnabled,
 		dns64Idx:                  &conf.DNS64,
 		usePrivateRDNSIdx:         &conf.UsePrivateRDNS,
 	} {

internal/cmd/config.go

@@ -180,6 +180,11 @@ type configuration struct {
 	// EnableEDNSSubnet uses EDNS Client Subnet extension.
 	EnableEDNSSubnet bool `yaml:"edns"`
 
+	// PendingRequestsEnabled controls whether the server should track duplicate
+	// queries and only send the first of them to the upstream server.  It is
+	// used to mitigate the cache poisoning attacks.
+	PendingRequestsEnabled bool `yaml:"pending-requests-enabled"`
+
 	// DNS64 defines whether DNS64 functionality is enabled or not.
 	DNS64 bool `yaml:"dns64"`
 
@@ -200,6 +205,7 @@ func parseConfig() (conf *configuration, exitCode int, err error) {
 		RatelimitSubnetLenIPv4: 24,
 		RatelimitSubnetLenIPv6: 56,
 		HostsFileEnabled:       true,
+		PendingRequestsEnabled: true,
 	}
 
 	err = parseCmdLineOptions(conf)

internal/cmd/proxy.go

@@ -80,6 +80,9 @@ func createProxyConfig(
 		UsePrivateRDNS:         conf.UsePrivateRDNS,
 		PrivateSubnets:         netutil.SubnetSetFunc(netutil.IsLocallyServed),
 		RequestHandler:         reqHdlr.HandleRequest,
+		PendingRequests: &proxy.PendingRequestsConfig{
+			Enabled: conf.PendingRequestsEnabled,
+		},
 	}
 
 	if uiStr := conf.HTTPSUserinfo; uiStr != "" {

internal/dnsproxytest/interface.go

@@ -4,7 +4,7 @@ import (
 	"github.com/miekg/dns"
 )
 
-// FakeUpstream is a fake [Upstream] implementation for tests.
+// FakeUpstream is a fake [proxy.Upstream] implementation for tests.
 //
 // TODO(e.burkov):  Move this to the golibs some time later.
 type FakeUpstream struct {
@@ -13,22 +13,22 @@ type FakeUpstream struct {
 	OnClose    func() (err error)
 }
 
-// Address implements the [Upstream] interface for *FakeUpstream.
+// Address implements the [proxy.Upstream] interface for *FakeUpstream.
 func (u *FakeUpstream) Address() (addr string) {
 	return u.OnAddress()
 }
 
-// Exchange implements the [Upstream] interface for *FakeUpstream.
+// Exchange implements the [proxy.Upstream] interface for *FakeUpstream.
 func (u *FakeUpstream) Exchange(req *dns.Msg) (resp *dns.Msg, err error) {
 	return u.OnExchange(req)
 }
 
-// Close implements the [Upstream] interface for *FakeUpstream.
+// Close implements the [proxy.Upstream] interface for *FakeUpstream.
 func (u *FakeUpstream) Close() (err error) {
 	return u.OnClose()
 }
 
-// TestMessageConstructor is a fake [dnsmsg.MessageConstructor] implementation
+// TestMessageConstructor is a fake [proxy.MessageConstructor] implementation
 // for tests.
 type TestMessageConstructor struct {
 	OnNewMsgNXDOMAIN       func(req *dns.Msg) (resp *dns.Msg)
@@ -56,19 +56,19 @@ func NewTestMessageConstructor() (c *TestMessageConstructor) {
 	}
 }
 
-// NewMsgNXDOMAIN implements the [MessageConstructor] interface for
+// NewMsgNXDOMAIN implements the [proxy.MessageConstructor] interface for
 // *TestMessageConstructor.
 func (c *TestMessageConstructor) NewMsgNXDOMAIN(req *dns.Msg) (resp *dns.Msg) {
 	return c.OnNewMsgNXDOMAIN(req)
 }
 
-// NewMsgSERVFAIL implements the [MessageConstructor] interface for
+// NewMsgSERVFAIL implements the [proxy.MessageConstructor] interface for
 // *TestMessageConstructor.
 func (c *TestMessageConstructor) NewMsgSERVFAIL(req *dns.Msg) (resp *dns.Msg) {
 	return c.OnNewMsgSERVFAIL(req)
 }
 
-// NewMsgNOTIMPLEMENTED implements the [MessageConstructor] interface for
+// NewMsgNOTIMPLEMENTED implements the [proxy.MessageConstructor] interface for
 // *TestMessageConstructor.
 func (c *TestMessageConstructor) NewMsgNOTIMPLEMENTED(req *dns.Msg) (resp *dns.Msg) {
 	return c.OnNewMsgNOTIMPLEMENTED(req)

proxy/beforerequest_internal_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/AdguardTeam/dnsproxy/internal/dnsproxytest"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
@@ -56,12 +57,12 @@ func TestProxy_HandleDNSRequest_beforeRequestHandler(t *testing.T) {
 		Logger:        slogutil.NewDiscardLogger(),
 		TCPListenAddr: []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 		UpstreamConfig: &UpstreamConfig{
-			Upstreams: []upstream.Upstream{&fakeUpstream{
-				onExchange: func(m *dns.Msg) (resp *dns.Msg, err error) {
+			Upstreams: []upstream.Upstream{&dnsproxytest.FakeUpstream{
+				OnExchange: func(m *dns.Msg) (resp *dns.Msg, err error) {
 					return allowedResponse.Copy(), nil
 				},
-				onAddress: func() (addr string) { return "general" },
-				onClose:   func() (err error) { return nil },
+				OnAddress: func() (addr string) { return "general" },
+				OnClose:   func() (err error) { return nil },
 			}},
 		},
 		TrustedProxies: defaultTrustedProxies,

proxy/cache_internal_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/AdguardTeam/dnsproxy/internal/dnsproxytest"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -24,10 +25,10 @@ const testCacheSize = 4096
 
 const testUpsAddr = "https://upstream.address"
 
-var upstreamWithAddr = &fakeUpstream{
-	onExchange: func(m *dns.Msg) (resp *dns.Msg, err error) { panic("not implemented") },
-	onClose:    func() (err error) { panic("not implemented") },
-	onAddress:  func() (addr string) { return testUpsAddr },
+var upstreamWithAddr = &dnsproxytest.FakeUpstream{
+	OnExchange: func(m *dns.Msg) (resp *dns.Msg, err error) { panic("not implemented") },
+	OnClose:    func() (err error) { panic("not implemented") },
+	OnAddress:  func() (addr string) { return testUpsAddr },
 }
 
 func TestServeCached(t *testing.T) {

proxy/config.go

@@ -58,6 +58,11 @@ type Config struct {
 	// constructor will be used.
 	MessageConstructor MessageConstructor
 
+	// PendingRequests is used to mitigate the cache poisoning attacks by
+	// tracking identical requests and returning the same response for them,
+	// performing a single lookup.  If nil, it will be enabled by default.
+	PendingRequests *PendingRequestsConfig
+
 	// BeforeRequestHandler is an optional custom handler called before each DNS
 	// request is started processing, see [BeforeRequestHandler].  The default
 	// no-op implementation is used, if it's nil.
@@ -248,6 +253,12 @@ type Config struct {
 	PreferIPv6 bool
 }
 
+// PendingRequestsConfig is the configuration for tracking identical requests.
+type PendingRequestsConfig struct {
+	// Enabled defines if the duplicate requests should be tracked.
+	Enabled bool
+}
+
 // validateConfig verifies that the supplied configuration is valid and returns
 // an error if it's not.
 //