274da7d3ef
* Improve ParseZone tests
* Add new ZoneParser API
* Use the ZoneParser API directly in ReadRR
* Merge parseZoneHelper into ParseZone
* Make generate string building slightly more efficient
* Add SetDefaultTTL method to ZoneParser
This makes it possible for external consumers to implement ReadRR.
* Make $INCLUDE directive opt-in
The $INCLUDE directive opens a user controlled file and parses it as
a DNS zone file. The error messages may reveal portions of sensitive
files, such as:
/etc/passwd: dns: not a TTL: "root❌0:0:root:/root:/bin/bash" at line: 1:31
/etc/shadow: dns: not a TTL: "root:$6$<redacted>::0:99999:7:::" at line: 1:125
Both ParseZone and ReadRR are currently opt-in for backward
compatibility.
* Disable $INCLUDE support in ReadRR
ReadRR and NewRR are often passed untrusted input. At the same time,
$INCLUDE isn't really useful for ReadRR as it only ever returns the
first record.
This is a breaking change, but it currently represents a slight
security risk.
* Document the need to drain the ParseZone chan
* Cleanup the documentation of NewRR, ReadRR and ParseZone
* Document the ZoneParser API
* Deprecated the ParseZone function
* Add whitespace to ZoneParser.Next
* Remove prevName field from ZoneParser
This doesn't track anything meaningful as both zp.prevName and h.Name
are only ever set at the same point and to the same value.
* Use uint8 for ZoneParser.include field
It has a maximum value of 7 which easily fits within uint8.
This reduces the size of ZoneParser from 160 bytes to 152 bytes.
* Add setParseError helper to ZoneParser
* Surface $INCLUDE os.Open error in error message
* Rename ZoneParser.include field to includeDepth
* Make maximum $INCLUDE depth a const
* Add ParseZone and ZoneParser benchmarks
* Parse $GENERATE directive with a single ZoneParser
This should be more efficient than calling NewRR for each generated
record.
* Run go fmt on generate_test.go
* Add a benchmark for $GENERATE directives
* Use a custom reader for generate
This avoids the overhead and memory usage of building the zone string.
name old time/op new time/op delta
Generate-12 165µs ± 4% 157µs ± 2% -5.06% (p=0.000 n=25+25)
name old alloc/op new alloc/op delta
Generate-12 42.1kB ± 0% 31.8kB ± 0% -24.42% (p=0.000 n=20+23)
name old allocs/op new allocs/op delta
Generate-12 1.56k ± 0% 1.55k ± 0% -0.38% (p=0.000 n=25+25)
* Return correct ParseError from generateReader
The last commit made these regular errors while they had been
ParseErrors before.
* Return error message as string from modToPrintf
This is slightly simpler and they don't need to be errors.
* Skip setting includeDepth in generate
This sub parser isn't allowed to use $INCLUDE directives anyway.
Note: If generate is ever changed to allow $INCLUDE directives, then
this line must be added back. Without doing that, it would be
be possible to exceed maxIncludeDepth.
* Make generateReader errors sticky
ReadByte should not be called after an error has been returned, but
this is cheap insurance.
* Move file and lex fields to end of generateReader
These are only used for creating a ParseError and so are unlikely to be
accessed.
* Don't return offset with error in modToPrintf
Along for the ride, are some whitespace and style changes.
* Add whitespace to generate and simplify step
* Use a for loop instead of goto in generate
* Support $INCLUDE directives inside $GENERATE directives
This was previously supported and may be useful. This is now more
rigorous as the maximum include depth is respected and relative
$INCLUDE directives are now supported from within $GENERATE.
* Don't return any lexer tokens after read error
Without this, read errors are likely to be lost and become parse errors
of the remaining str. The $GENERATE code relies on surfacing errors from
the reader.
* Support $INCLUDE in NewRR and ReadRR
Removing $INCLUDE support from these is a breaking change and should
not be included in this pull request.
* Add test to ensure $GENERATE respects $INCLUDE support
* Unify TestZoneParserIncludeDisallowed with other tests
* Remove stray whitespace from TestGenerateSurfacesErrors
* Move ZoneParser SetX methods above Err method
* $GENERATE should not accept step of 0
If step is allowed to be 0, then generateReader (and the code it
replaced) will get stuck in an infinite loop.
This is a potential DOS vulnerability.
* Fix ReadRR comment for file argument
I missed this previosuly. The file argument is also used to
resolve relative $INCLUDE directives.
* Prevent test panics on nil error
* Rework ZoneParser.subNext
This is slightly cleaner and will close the underlying *os.File even
if an error occurs.
* Make ZoneParser.generate call subNext
This also moves the calls to setParseError into generate.
* Report errors when parsing rest of $GENERATE directive
* Report proper error location in $GENERATE directive
This makes error messages much clearer.
* Simplify modToPrintf func
Note: When width is 0, the leading 0 of the fmt string is now excluded.
This should not alter the formatting of numbers in anyway.
* Add comment explaining sub field
* Remove outdated error comment from generate
|
||
---|---|---|
dnsutil | ||
vendor/golang.org/x | ||
.codecov.yml | ||
.gitignore | ||
.travis.yml | ||
AUTHORS | ||
CONTRIBUTORS | ||
COPYRIGHT | ||
Gopkg.lock | ||
Gopkg.toml | ||
LICENSE | ||
Makefile.fuzz | ||
Makefile.release | ||
README.md | ||
client.go | ||
client_test.go | ||
clientconfig.go | ||
clientconfig_test.go | ||
compress_generate.go | ||
dane.go | ||
defaults.go | ||
dns.go | ||
dns_bench_test.go | ||
dns_test.go | ||
dnssec.go | ||
dnssec_keygen.go | ||
dnssec_keyscan.go | ||
dnssec_privkey.go | ||
dnssec_test.go | ||
doc.go | ||
duplicate.go | ||
duplicate_generate.go | ||
duplicate_test.go | ||
dyn_test.go | ||
edns.go | ||
edns_test.go | ||
example_test.go | ||
format.go | ||
fuzz.go | ||
generate.go | ||
generate_test.go | ||
issue_test.go | ||
labels.go | ||
labels_test.go | ||
leak_test.go | ||
length_test.go | ||
listen_go111.go | ||
listen_go_not111.go | ||
msg.go | ||
msg_generate.go | ||
msg_helpers.go | ||
msg_helpers_test.go | ||
msg_test.go | ||
nsecx.go | ||
nsecx_test.go | ||
parse_test.go | ||
privaterr.go | ||
privaterr_test.go | ||
rawmsg.go | ||
remote_test.go | ||
reverse.go | ||
rr_test.go | ||
sanitize.go | ||
sanitize_test.go | ||
scan.go | ||
scan_rr.go | ||
scan_test.go | ||
serve_mux.go | ||
serve_mux_test.go | ||
server.go | ||
server_test.go | ||
sig0.go | ||
sig0_test.go | ||
singleinflight.go | ||
smimea.go | ||
tlsa.go | ||
tsig.go | ||
tsig_test.go | ||
types.go | ||
types_generate.go | ||
types_test.go | ||
udp.go | ||
udp_test.go | ||
udp_windows.go | ||
update.go | ||
update_test.go | ||
version.go | ||
version_test.go | ||
xfr.go | ||
zcompress.go | ||
zduplicate.go | ||
zmsg.go | ||
ztypes.go |
README.md
Alternative (more granular) approach to a DNS library
Less is more.
Complete and usable DNS library. All widely used Resource Records are supported, including the DNSSEC types. It follows a lean and mean philosophy. If there is stuff you should know as a DNS programmer there isn't a convenience function for it. Server side and client side programming is supported, i.e. you can build servers and resolvers with it.
We try to keep the "master" branch as sane as possible and at the bleeding edge of standards, avoiding breaking changes wherever reasonable. We support the last two versions of Go.
Goals
- KISS;
- Fast;
- Small API. If it's easy to code in Go, don't make a function for it.
Users
A not-so-up-to-date-list-that-may-be-actually-current:
- https://github.com/coredns/coredns
- https://cloudflare.com
- https://github.com/abh/geodns
- http://www.statdns.com/
- http://www.dnsinspect.com/
- https://github.com/chuangbo/jianbing-dictionary-dns
- http://www.dns-lg.com/
- https://github.com/fcambus/rrda
- https://github.com/kenshinx/godns
- https://github.com/skynetservices/skydns
- https://github.com/hashicorp/consul
- https://github.com/DevelopersPL/godnsagent
- https://github.com/duedil-ltd/discodns
- https://github.com/StalkR/dns-reverse-proxy
- https://github.com/tianon/rawdns
- https://mesosphere.github.io/mesos-dns/
- https://pulse.turbobytes.com/
- https://play.google.com/store/apps/details?id=com.turbobytes.dig
- https://github.com/fcambus/statzone
- https://github.com/benschw/dns-clb-go
- https://github.com/corny/dnscheck for http://public-dns.info/
- https://namesmith.io
- https://github.com/miekg/unbound
- https://github.com/miekg/exdns
- https://dnslookup.org
- https://github.com/looterz/grimd
- https://github.com/phamhongviet/serf-dns
- https://github.com/mehrdadrad/mylg
- https://github.com/bamarni/dockness
- https://github.com/fffaraz/microdns
- http://kelda.io
- https://github.com/ipdcode/hades (JD.COM)
- https://github.com/StackExchange/dnscontrol/
- https://www.dnsperf.com/
- https://dnssectest.net/
- https://dns.apebits.com
- https://github.com/oif/apex
- https://github.com/jedisct1/dnscrypt-proxy
- https://github.com/jedisct1/rpdns
- https://github.com/xor-gate/sshfp
- https://github.com/rs/dnstrace
- https://blitiri.com.ar/p/dnss (github mirror)
- https://github.com/semihalev/sdns
Send pull request if you want to be listed here.
Features
- UDP/TCP queries, IPv4 and IPv6;
- RFC 1035 zone file parsing ($INCLUDE, $ORIGIN, $TTL and $GENERATE (for all record types) are supported;
- Fast:
- Reply speed around ~ 80K qps (faster hardware results in more qps);
- Parsing RRs ~ 100K RR/s, that's 5M records in about 50 seconds;
- Server side programming (mimicking the net/http package);
- Client side programming;
- DNSSEC: signing, validating and key generation for DSA, RSA, ECDSA and Ed25519;
- EDNS0, NSID, Cookies;
- AXFR/IXFR;
- TSIG, SIG(0);
- DNS over TLS: optional encrypted connection between client and server;
- DNS name compression;
- Depends only on the standard library.
Have fun!
Miek Gieben - 2010-2012 - miek@miek.nl
Building
Building is done with the go
tool. If you have setup your GOPATH correctly, the following should
work:
go get github.com/miekg/dns
go build github.com/miekg/dns
Examples
A short "how to use the API" is at the beginning of doc.go (this also will show
when you call godoc github.com/miekg/dns
).
Example programs can be found in the github.com/miekg/exdns
repository.
Supported RFCs
all of them
- 103{4,5} - DNS standard
- 1348 - NSAP record (removed the record)
- 1982 - Serial Arithmetic
- 1876 - LOC record
- 1995 - IXFR
- 1996 - DNS notify
- 2136 - DNS Update (dynamic updates)
- 2181 - RRset definition - there is no RRset type though, just []RR
- 2537 - RSAMD5 DNS keys
- 2065 - DNSSEC (updated in later RFCs)
- 2671 - EDNS record
- 2782 - SRV record
- 2845 - TSIG record
- 2915 - NAPTR record
- 2929 - DNS IANA Considerations
- 3110 - RSASHA1 DNS keys
- 3225 - DO bit (DNSSEC OK)
- 340{1,2,3} - NAPTR record
- 3445 - Limiting the scope of (DNS)KEY
- 3597 - Unknown RRs
- 403{3,4,5} - DNSSEC + validation functions
- 4255 - SSHFP record
- 4343 - Case insensitivity
- 4408 - SPF record
- 4509 - SHA256 Hash in DS
- 4592 - Wildcards in the DNS
- 4635 - HMAC SHA TSIG
- 4701 - DHCID
- 4892 - id.server
- 5001 - NSID
- 5155 - NSEC3 record
- 5205 - HIP record
- 5702 - SHA2 in the DNS
- 5936 - AXFR
- 5966 - TCP implementation recommendations
- 6605 - ECDSA
- 6725 - IANA Registry Update
- 6742 - ILNP DNS
- 6840 - Clarifications and Implementation Notes for DNS Security
- 6844 - CAA record
- 6891 - EDNS0 update
- 6895 - DNS IANA considerations
- 6975 - Algorithm Understanding in DNSSEC
- 7043 - EUI48/EUI64 records
- 7314 - DNS (EDNS) EXPIRE Option
- 7477 - CSYNC RR
- 7828 - edns-tcp-keepalive EDNS0 Option
- 7553 - URI record
- 7858 - DNS over TLS: Initiation and Performance Considerations
- 7871 - EDNS0 Client Subnet
- 7873 - Domain Name System (DNS) Cookies (draft-ietf-dnsop-cookies)
- 8080 - EdDSA for DNSSEC
Loosely based upon
ldns
NSD
Net::DNS
GRONG