DNS DoH: Use EDNS0 with 100-300 padding by default (body padding)

https://github.com/XTLS/Xray-core/pull/4516#issuecomment-2744093003
2025-04-02 21:36:16 +03:00 · 2025-03-21 20:13:09 +00:00 · 2025-03-21 20:13:09 +00:00 · 607c2a6d31
commit 607c2a6d31
parent b585b26f29
6 changed files with 51 additions and 39 deletions
--- a/app/dns/dnscommon.go
+++ b/app/dns/dnscommon.go
@ -68,49 +68,59 @@ type dnsRequest struct {
 	msg     *dnsmessage.Message
 }

-func genEDNS0Options(clientIP net.IP) *dnsmessage.Resource {
-	if len(clientIP) == 0 {
+func genEDNS0Options(clientIP net.IP, padding int) *dnsmessage.Resource {
+	if len(clientIP) == 0 && padding == 0 {
 		return nil
 	}

-	var netmask int
-	var family uint16
-
-	if len(clientIP) == 4 {
-		family = 1
-		netmask = 24 // 24 for IPV4, 96 for IPv6
-	} else {
-		family = 2
-		netmask = 96
-	}
-
-	b := make([]byte, 4)
-	binary.BigEndian.PutUint16(b[0:], family)
-	b[2] = byte(netmask)
-	b[3] = 0
-	switch family {
-	case 1:
-		ip := clientIP.To4().Mask(net.CIDRMask(netmask, net.IPv4len*8))
-		needLength := (netmask + 8 - 1) / 8 // division rounding up
-		b = append(b, ip[:needLength]...)
-	case 2:
-		ip := clientIP.Mask(net.CIDRMask(netmask, net.IPv6len*8))
-		needLength := (netmask + 8 - 1) / 8 // division rounding up
-		b = append(b, ip[:needLength]...)
-	}
-
-	const EDNS0SUBNET = 0x08
+	const EDNS0SUBNET = 0x8
+	const EDNS0PADDING = 0xc

 	opt := new(dnsmessage.Resource)
 	common.Must(opt.Header.SetEDNS0(1350, 0xfe00, true))
+	body := dnsmessage.OPTResource{}
+	opt.Body = &body

-	opt.Body = &dnsmessage.OPTResource{
-		Options: []dnsmessage.Option{
-			{
+	if len(clientIP) != 0 {
+		var netmask int
+		var family uint16
+
+		if len(clientIP) == 4 {
+			family = 1
+			netmask = 24 // 24 for IPV4, 96 for IPv6
+		} else {
+			family = 2
+			netmask = 96
+		}
+
+		b := make([]byte, 4)
+		binary.BigEndian.PutUint16(b[0:], family)
+		b[2] = byte(netmask)
+		b[3] = 0
+		switch family {
+		case 1:
+			ip := clientIP.To4().Mask(net.CIDRMask(netmask, net.IPv4len*8))
+			needLength := (netmask + 8 - 1) / 8 // division rounding up
+			b = append(b, ip[:needLength]...)
+		case 2:
+			ip := clientIP.Mask(net.CIDRMask(netmask, net.IPv6len*8))
+			needLength := (netmask + 8 - 1) / 8 // division rounding up
+			b = append(b, ip[:needLength]...)
+		}
+
+		body.Options = append(body.Options,
+			dnsmessage.Option{
 				Code: EDNS0SUBNET,
 				Data: b,
-			},
-		},
+			})
+	}
+
+	if padding != 0 {
+		body.Options = append(body.Options,
+			dnsmessage.Option{
+				Code: EDNS0PADDING,
+				Data: make([]byte, padding),
+			})
 	}

 	return opt
--- a/app/dns/dnscommon_test.go
+++ b/app/dns/dnscommon_test.go
@ -156,7 +156,7 @@ func Test_genEDNS0Options(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := genEDNS0Options(tt.args.clientIP); got == nil {
+			if got := genEDNS0Options(tt.args.clientIP, 0); got == nil {
 				t.Errorf("genEDNS0Options() = %v, want %v", got, tt.want)
 			}
 		})
--- a/app/dns/nameserver_doh.go
+++ b/app/dns/nameserver_doh.go
@ -219,7 +219,9 @@ func (s *DoHNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 		return
 	}

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	// As we don't want our traffic pattern looks like DoH, we use Random-Length Padding instead of Block-Length Padding recommended in RFC 8467
+	// Although DoH server like 1.1.1.1 will pad the response to Block-Length 468, at least it is better than no padding for response at all
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP, int(crypto.RandBetween(100, 300))))

 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
--- a/app/dns/nameserver_quic.go
+++ b/app/dns/nameserver_quic.go
@ -160,7 +160,7 @@ func (s *QUICNameServer) newReqID() uint16 {
 func (s *QUICNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
 	errors.LogInfo(ctx, s.name, " querying: ", domain)

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP, 0))

 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
--- a/app/dns/nameserver_tcp.go
+++ b/app/dns/nameserver_tcp.go
@ -192,7 +192,7 @@ func (s *TCPNameServer) newReqID() uint16 {
 func (s *TCPNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
 	errors.LogDebug(ctx, s.name, " querying DNS for: ", domain)

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP, 0))

 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
--- a/app/dns/nameserver_udp.go
+++ b/app/dns/nameserver_udp.go
@ -217,7 +217,7 @@ func (s *ClassicNameServer) addPendingRequest(req *udpDnsRequest) {
 func (s *ClassicNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
 	errors.LogDebug(ctx, s.name, " querying DNS for: ", domain)

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP, 0))

 	for _, req := range reqs {
 		udpReq := &udpDnsRequest{