From e0875ebcf1cf553543dab6ff965c8957f3a81596 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Andr=C3=A9=20Cruz?=
Date: Thu, 18 Jun 2020 09:54:54 +0100
Subject: [PATCH] Add option to disable TLS certificate check in DoT (#644)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: André Cruz
---
 CONFIGURATION.md | 4 ++++
 config/config.go | 25 +++++++++++++------------
 prober/dns.go | 47 +++++++++++++++++++++++++++++++----------------
 3 files changed, 48 insertions(+), 28 deletions(-)
diff --git a/CONFIGURATION.md b/CONFIGURATION.md
index 2d7fe5f..dbb852a 100644
--- a/CONFIGURATION.md
+++ b/CONFIGURATION.md
@@ -156,6 +156,10 @@ tls_config:
 # Whether to use DNS over TLS. This only works with TCP.
 [ dns_over_tls: ]
+# Configuration for TLS protocol of DNS over TLS probe.
+tls_config:
+ [ ]
+
 query_name:
 [ query_type: | default = "ANY" ]
diff --git a/config/config.go b/config/config.go
index a134680..5309b0e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -172,18 +172,19 @@ type ICMPProbe struct {
 }
 type DNSProbe struct {
- IPProtocol string `yaml:"preferred_ip_protocol,omitempty"`
- IPProtocolFallback bool `yaml:"ip_protocol_fallback,omitempty"`
- DNSOverTLS bool `yaml:"dns_over_tls,omitempty"`
- SourceIPAddress string `yaml:"source_ip_address,omitempty"`
- TransportProtocol string `yaml:"transport_protocol,omitempty"`
- QueryClass string `yaml:"query_class,omitempty"` // Defaults to IN.
- QueryName string `yaml:"query_name,omitempty"`
- QueryType string `yaml:"query_type,omitempty"` // Defaults to ANY.
- ValidRcodes []string `yaml:"valid_rcodes,omitempty"` // Defaults to NOERROR.
- ValidateAnswer DNSRRValidator `yaml:"validate_answer_rrs,omitempty"`
- ValidateAuthority DNSRRValidator `yaml:"validate_authority_rrs,omitempty"`
- ValidateAdditional DNSRRValidator `yaml:"validate_additional_rrs,omitempty"`
+ IPProtocol string `yaml:"preferred_ip_protocol,omitempty"`
+ IPProtocolFallback bool `yaml:"ip_protocol_fallback,omitempty"`
+ DNSOverTLS bool `yaml:"dns_over_tls,omitempty"`
+ TLSConfig config.TLSConfig `yaml:"tls_config,omitempty"`
+ SourceIPAddress string `yaml:"source_ip_address,omitempty"`
+ TransportProtocol string `yaml:"transport_protocol,omitempty"`
+ QueryClass string `yaml:"query_class,omitempty"` // Defaults to IN.
+ QueryName string `yaml:"query_name,omitempty"`
+ QueryType string `yaml:"query_type,omitempty"` // Defaults to ANY.
+ ValidRcodes []string `yaml:"valid_rcodes,omitempty"` // Defaults to NOERROR.
+ ValidateAnswer DNSRRValidator `yaml:"validate_answer_rrs,omitempty"`
+ ValidateAuthority DNSRRValidator `yaml:"validate_authority_rrs,omitempty"`
+ ValidateAdditional DNSRRValidator `yaml:"validate_additional_rrs,omitempty"`
 }
 type DNSRRValidator struct {
diff --git a/prober/dns.go b/prober/dns.go
index a69a781..d53c795 100644
--- a/prober/dns.go
+++ b/prober/dns.go
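Review bot: The new `TLSConfig` field is the only one in DNSProbe whose applicability goes unstated: the neighbouring fields carry `// Defaults to IN.`-style comments, but nothing says that `TLSConfig` is consulted only when `DNSOverTLS` is true, which is how the prober hunk in this patch uses it (inside `if module.DNS.DNSOverTLS`). A trailing comment in the same style, `// Only used when DNSOverTLS is true.`, would make that explicit to anyone reading the config type on its own. The DNSRRValidator definition that follows continues outside the hunk.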
@@ -23,6 +23,7 @@ import (
 "github.com/go-kit/kit/log/level"
 "github.com/miekg/dns"
 "github.com/prometheus/client_golang/prometheus"
+ pconfig "github.com/prometheus/common/config"
 "github.com/prometheus/blackbox_exporter/config"
 )
@@ -166,24 +167,24 @@ func ProbeDNS(ctx context.Context, target string, module config.Module, registry
 if module.DNS.TransportProtocol == "" {
 module.DNS.TransportProtocol = "udp"
 }
- if module.DNS.TransportProtocol == "udp" || module.DNS.TransportProtocol == "tcp" {
- targetAddr, port, err := net.SplitHostPort(target)
- if err != nil {
- // Target only contains host so fallback to default port and set targetAddr as target.
- port = "53"
- targetAddr = target
- }
- ip, _, err = chooseProtocol(ctx, module.DNS.IPProtocol, module.DNS.IPProtocolFallback, targetAddr, registry, logger)
- if err != nil {
- level.Error(logger).Log("msg", "Error resolving address", "err", err)
- return false
- }
- target = net.JoinHostPort(ip.String(), port)
- } else {
+ if !(module.DNS.TransportProtocol == "udp" || module.DNS.TransportProtocol == "tcp") {
 level.Error(logger).Log("msg", "Configuration error: Expected transport protocol udp or tcp", "protocol", module.DNS.TransportProtocol)
 return false
 }
+ targetAddr, port, err := net.SplitHostPort(target)
+ if err != nil {
+ // Target only contains host so fallback to default port and set targetAddr as target.
+ port = "53"
+ targetAddr = target
+ }
+ ip, _, err = chooseProtocol(ctx, module.DNS.IPProtocol, module.DNS.IPProtocolFallback, targetAddr, registry, logger)
+ if err != nil {
+ level.Error(logger).Log("msg", "Error resolving address", "err", err)
+ return false
+ }
+ targetIP := net.JoinHostPort(ip.String(), port)
+
 if ip.IP.To4() == nil {
 dialProtocol = module.DNS.TransportProtocol + "6"
 } else {
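Review bot: The default-port fallback this hunk hoists out of the protocol check still hard-codes `port = "53"` regardless of `module.DNS.DNSOverTLS`, so a DoT target written without a port is dialled on the plaintext DNS port, where the TLS handshake cannot be expected to succeed; the port assigned to DNS over TLS by RFC 7858 is 853. The behaviour predates this commit, but since the fallback now sits beside the resolution that feeds the new TLS branch, following `port = "53"` with `if module.DNS.DNSOverTLS { port = "853" }` would make the common no-port configuration work. It is also worth a one-line comment that `targetAddr` deliberately keeps the unresolved host name, because the later TLS branch uses it as the default ServerName while `targetIP` is what gets dialled. ProbeDNS begins and ends outside the hunk.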
@@ -202,6 +203,20 @@ func ProbeDNS(ctx context.Context, target string, module config.Module, registry
 client := new(dns.Client)
 client.Net = dialProtocol
+ if module.DNS.DNSOverTLS {
+ tlsConfig, err := pconfig.NewTLSConfig(&module.DNS.TLSConfig)
+ if err != nil {
+ level.Error(logger).Log("msg", "Failed to create TLS configuration", "err", err)
+ return false
+ }
+ if tlsConfig.ServerName == "" {
+ // Use target-hostname as default for TLS-servername.
+ tlsConfig.ServerName = targetAddr
+ }
+
+ client.TLSConfig = tlsConfig
+ }
+
 // Use configured SourceIPAddress.
 if len(module.DNS.SourceIPAddress) > 0 {
 srcIP := net.ParseIP(module.DNS.SourceIPAddress)
@@ -224,10 +239,10 @@ func ProbeDNS(ctx context.Context, target string, module config.Module, registry
 msg.Question = make([]dns.Question, 1)
 msg.Question[0] = dns.Question{dns.Fqdn(module.DNS.QueryName), qt, qc}
- level.Info(logger).Log("msg", "Making DNS query", "target", target, "dial_protocol", dialProtocol, "query", module.DNS.QueryName, "type", qt, "class", qc)
+ level.Info(logger).Log("msg", "Making DNS query", "target", targetIP, "dial_protocol", dialProtocol, "query", module.DNS.QueryName, "type", qt, "class", qc)
 timeoutDeadline, _ := ctx.Deadline()
 client.Timeout = time.Until(timeoutDeadline)
- response, _, err := client.Exchange(msg, target)
+ response, _, err := client.Exchange(msg, targetIP)
 if err != nil {
 level.Error(logger).Log("msg", "Error while sending a DNS query", "err", err)
 return false
--
2.25.1
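Review bot: The TLS branch installs the module's tls_config unchanged, so a module that sets insecure_skip_verify reports a successful DoT probe without having checked the server's identity, and nothing in the probe output distinguishes that from a verified handshake. Since the point of the patch (per its subject) is to allow that mode, a line after `client.TLSConfig = tlsConfig` such as `if tlsConfig.InsecureSkipVerify { level.Warn(logger).Log("msg", "TLS certificate verification disabled for DNS over TLS") }` would keep the weakened check visible in the probe's debug log. Note also that `tlsConfig, err :=` declares a block-local `err` shadowing the function-level one from the earlier hunk; harmless here because it is only read inside the block, but a plain `=` with `var tlsConfig *tls.Config` would avoid the shadowing if this file is vetted for it. ProbeDNS begins and ends outside the hunk.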