feat:(dns): dns over h3 server (#611)

ibigbug · web-flow · commit 44d299f44d41 · 2024-09-29T13:29:22.000+10:00
* dns server support user provided cert

* clippy

* read me

* doh3 server

---------

Signed-off-by: Yuwei Ba &lt;dev@watfaq.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/clash/tests/data/config/rules.yaml b/clash/tests/data/config/rules.yaml
@@ -23,14 +23,19 @@ dns:
     tcp: 127.0.0.1:53553
     dot:
       addr: 127.0.0.1:53554
-      hostname: dns.example.com
       ca-cert: dns.crt
       ca-key: dns.key
     doh:
       addr: 127.0.0.1:53555
       ca-cert: dns.crt
       ca-key: dns.key
-
+      hostname: dns.example.com
+    doh3:
+      addr: 127.0.0.1:53555
+      ca-cert: dns.crt
+      ca-key: dns.key
+      hostname: dns.example.com
+        
   # ipv6: false # when the false, response to AAAA questions will be empty
 
   # These nameservers are used to resolve the DNS nameserver hostnames below.
diff --git a/clash_lib/Cargo.toml b/clash_lib/Cargo.toml
@@ -100,8 +100,8 @@ erased-serde = "0.4"
 # DNS
 hickory-client = "0.25.0-alpha.2"
 hickory-resolver = "0.25.0-alpha.2"
-hickory-server = { version = "0.25.0-alpha.2", features = ["dns-over-rustls", "dns-over-https-rustls"] }
-hickory-proto = { version = "0.25.0-alpha.2", features = ["dns-over-rustls", "dns-over-https-rustls"]}
+hickory-server = { version = "0.25.0-alpha.2", features = ["dns-over-rustls", "dns-over-https-rustls", "dns-over-h3"] }
+hickory-proto = { version = "0.25.0-alpha.2", features = ["dns-over-rustls", "dns-over-https-rustls", "dns-over-h3"]}
 
 dhcproto = "0.12"
 ring-compat = { version = "0.8", features = ["aead"] }
diff --git a/clash_lib/src/app/dns/config.rs b/clash_lib/src/app/dns/config.rs
@@ -54,6 +54,15 @@ pub struct DoHConfig {
     pub hostname: Option<String>,
 }
 
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct DoH3Config {
+    pub addr: SocketAddr,
+    pub ca_cert: DnsServerCert,
+    pub ca_key: DnsServerKey,
+    pub hostname: Option<String>,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct DoTConfig {
@@ -71,6 +80,7 @@ pub struct DNSListenAddr {
     pub tcp: Option<SocketAddr>,
     pub doh: Option<DoHConfig>,
     pub dot: Option<DoTConfig>,
+    pub doh3: Option<DoH3Config>,
 }
 
 #[derive(Default)]
@@ -280,6 +290,7 @@ impl TryFrom<&crate::config::def::Config> for Config {
                         let mut udp = None;
                         let mut tcp = None;
                         let mut doh = None;
+                        let mut doh3 = None;
                         let mut dot = None;
 
                         for (k, v) in map {
@@ -341,6 +352,18 @@ impl TryFrom<&crate::config::def::Config> for Config {
                                         })?;
                                     dot = Some(c)
                                 }
+                                "doh3" => {
+                                    let c =
+                                        DoH3Config::deserialize(v).map_err(|x| {
+                                            Error::InvalidConfig(format!(
+                                                "invalid doh3 dns listen config: \
+                                                 {:?}",
+                                                x
+                                            ))
+                                        })?;
+
+                                    doh3 = Some(c)
+                                }
                                 _ => {
                                     return Err(Error::InvalidConfig(format!(
                                         "invalid dns listen address: {}",
@@ -350,7 +373,13 @@ impl TryFrom<&crate::config::def::Config> for Config {
                             }
                         }
 
-                        Ok(DNSListenAddr { udp, tcp, doh, dot })
+                        Ok(DNSListenAddr {
+                            udp,
+                            tcp,
+                            doh,
+                            dot,
+                            doh3,
+                        })
                     }
                 })
                 .transpose()?
diff --git a/clash_lib/src/app/dns/server/mod.rs b/clash_lib/src/app/dns/server/mod.rs
@@ -294,6 +294,37 @@ pub async fn get_dns_listener(
             .ok()?;
     }
 
+    if let Some(c) = listen.doh3 {
+        has_server = true;
+        UdpSocket::bind(c.addr)
+            .await
+            .and_then(|x| {
+                info!("DoT3 dns server listening on: {}", c.addr);
+                if let (Some(k), Some(c)) = (&c.ca_key, &c.ca_cert) {
+                    debug!("using custom key and cert for dot: {}/{}", k, c);
+                }
+
+                let server_key = c
+                    .ca_key
+                    .map(|x| utils::load_priv_key(&cwd.join(x)))
+                    .transpose()?
+                    .unwrap_or(load_default_key());
+                let server_cert = c
+                    .ca_cert
+                    .map(|x| utils::load_cert_chain(&cwd.join(x)))
+                    .transpose()?
+                    .unwrap_or(load_default_cert());
+                s.register_h3_listener(
+                    x,
+                    DEFAULT_DNS_SERVER_TIMEOUT,
+                    (server_cert, server_key),
+                    c.hostname,
+                )?;
+                Ok(())
+            })
+            .ok()?;
+    }
+
     if !has_server {
         return None;
     }
@@ -318,6 +349,7 @@ mod tests {
     };
     use hickory_proto::{
         h2::HttpsClientStreamBuilder,
+        h3::H3ClientStreamBuilder,
         rr::{rdata::A, DNSClass, Name, RData, RecordType},
         rustls::tls_client_connect,
         tcp::TcpClientStream,
@@ -395,6 +427,12 @@ mod tests {
                 ca_key: None,
                 ca_cert: None,
             }),
+            doh3: Some(crate::app::dns::config::DoH3Config {
+                addr: "127.0.0.1:53556".parse().unwrap(),
+                hostname: Some("dns.example.com".to_string()),
+                ca_key: None,
+                ca_cert: None,
+            }),
         };
         let listener = super::get_dns_listener(
             cfg,
@@ -477,6 +515,27 @@ mod tests {
 
         send_query(&mut client).await;
 
-        tokio::time::sleep(Duration::from_secs(1)).await;
+        let mut tls_config = ClientConfig::builder()
+            .with_root_certificates(GLOBAL_ROOT_STORE.clone())
+            .with_no_client_auth();
+        tls_config.alpn_protocols = vec!["h3".into()];
+
+        tls_config
+            .dangerous()
+            .set_certificate_verifier(Arc::new(tls::DummyTlsVerifier::new()));
+
+        let stream = H3ClientStreamBuilder::default()
+            .crypto_config(tls_config)
+            .clone()
+            .build(
+                "127.0.0.1:53556".parse().unwrap(),
+                "dns.example.com".to_owned(),
+            );
+
+        let (mut client, handle) =
+            client::AsyncClient::connect(stream).await.unwrap();
+        tokio::spawn(handle);
+
+        send_query(&mut client).await;
     }
 }
