First commit; Basic working setup

Author: Sehgal, Rohit

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+    "python.pythonPath": "/Users/rsehgal/Personal/DNSoverTLS/venv/bin/python3.7",
+    "python.formatting.provider": "autopep8"
+}

DNSoverTLS/__init__.py

@@ -0,0 +1,55 @@
+import logging.config
+
+from DNSoverTLS.dns_handler import DNSUDPServer, DNSTCPServer
+
+config = {
+  "logger": {
+    "version": 1,
+    "disable_existing_loggers": False,
+    "formatters": {
+      "simple": {
+        "format": "%(asctime)s [%(process)s] [%(processName)s] [%(threadName)s] %(levelname)s %(name)s:%(lineno)d - %(message)s",
+        "datefmt": "%Y-%m-%d %H:%M:%S"
+      }
+    },
+    "handlers": {
+      "console": {
+        "class": "logging.StreamHandler",
+        "formatter": "simple",
+        "stream": "ext://sys.stdout"
+      }
+    },
+    "loggers": {
+      "adal-python": {
+        "level": "DEBUG"
+      }
+    },
+    "root": {
+      "level": "INFO",
+      "handlers": [
+        "console"
+      ]
+    }
+  }
+}
+
+logging.config.dictConfig(config['logger'])
+
+
+_log = logging.getLogger(__name__)
+
+
+def start():
+    """
+    Start the proxy server.
+    """
+    _log.info('Starting proxy server ...')
+    _log.info('Starting DNS Server ...')
+
+    DNSUDPServer().start_thread()
+    DNSTCPServer().start_thread()
+
+    _log.info('Started DNS Server in threaded mode.')
+
+
+start()

DNSoverTLS/__main__.py

@@ -0,0 +1,108 @@
+import socketserver
+import threading
+import logging
+import ssl
+import socket
+import binascii
+
+_log = logging.getLogger(__name__)
+
+
+class DNSHandler(socketserver.BaseRequestHandler):
+
+    def handle(self):
+        data, connection = self.request
+        response = self.resolve(data)
+
+        _log.info('Received UDP request.')
+        connection.sendto(bytes(response), self.client_address)
+        _log.info('Response UDP sent.')
+
+    def resolve(self, query, dns_server='1.1.1.1'):
+        server = (dns_server, 853)
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.settimeout(100)
+
+        ctx = ssl.create_default_context()
+        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        ctx.verify_mode = ssl.CERT_REQUIRED
+        ctx.check_hostname = ctx.load_verify_locations(
+            '/etc/ssl/certs/ca-certificates.crt')
+
+        wrapped_socket = ctx.wrap_socket(sock, server_hostname=dns_server)
+        wrapped_socket.connect(server)
+
+        tcp_msg = "\x00".encode() + chr(len(bytes(query))).encode() + query
+
+        wrapped_socket.send(tcp_msg)
+        data = wrapped_socket.recv(1024)
+
+        if data:
+            udp_result = data[2:]
+            return udp_result
+
+        _log.error('Query not supported.')
+
+
+class DNSTCPHandler(socketserver.BaseRequestHandler):
+
+    def handle(self):
+        data = self.request.recv(1024).strip()
+        response = self.resolve(data)
+
+        _log.info('Received TCP request.')
+        self.request.sendall(response)
+        _log.info('Response TCP sent.')
+
+    def resolve(self, query, dns_server='1.1.1.1'):
+        server = (dns_server, 853)
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.settimeout(100)
+
+        ctx = ssl.create_default_context()
+        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        ctx.verify_mode = ssl.CERT_REQUIRED
+        ctx.check_hostname = ctx.load_verify_locations(
+            '/etc/ssl/certs/ca-certificates.crt')
+
+        wrapped_socket = ctx.wrap_socket(sock, server_hostname=dns_server)
+        wrapped_socket.connect(server)
+
+        tcp_msg = query
+
+        wrapped_socket.send(tcp_msg)
+        data = wrapped_socket.recv(1024)
+
+        if data:
+            return data
+
+        _log.error('Query not supported.')
+
+
+class DNSUDPServer():
+    """A threaded DNS proxy server."""
+
+    def __init__(self, host="0.0.0.0", udp_port=8053, tcp=False):
+        self.host = host
+        self.port = udp_port
+
+        _log.info('Listening UDP request on {}:{}'.format(host, udp_port))
+        self.server = socketserver.UDPServer((host, udp_port), DNSHandler)
+
+    def start_thread(self):
+        self.thread = threading.Thread(
+            target=self.server.serve_forever).start()
+
+class DNSTCPServer():
+    """A threaded DNS proxy server."""
+
+    def __init__(self, host="0.0.0.0", tcp_port=8853, tcp=False):
+        self.host = host
+        self.port = tcp_port
+
+        _log.info('Listening TCP request on {}:{}'.format(host, tcp_port))
+        self.server = socketserver.TCPServer((host, tcp_port), DNSTCPHandler)
+
+    def start_thread(self):
+        self.thread = threading.Thread(
+            target=self.server.serve_forever).start()

DNSoverTLS/dns_handler.py

@@ -0,0 +1,11 @@
+FROM python:3.8-slim
+
+COPY DNSoverTLS DNSoverTLS
+RUN useradd server
+
+USER server
+
+EXPOSE 8053/udp
+EXPOSE 8853
+
+ENTRYPOINT ["python", "-m", "DNSoverTLS"]

Dockerfile

@@ -0,0 +1,130 @@
+## DNS-over-TLS proxy
+
+This is very simple and mimimilistic, DNS proxy service capable of running in multi-thread mode, handling multilpe connections in parallel and build using python.
+
+This is packaged with Docker and Dcoker-compose. Docker Compose can help deploy this in docker stack infrastructure or kubernetes.
+The module Execution starts from `DNSoverTLS.__main__:start()` method.
+
+
+```bash
++--------------+   U/T     +----------------------+     TCP   +-----------------------------+
+|              + --------> +                      + --------> +                             |
+|   DNS Req    |           |       DNS Proxy      |           |    Cloudflare - TLS - DNS   |
+|              + <-------- +                      + <-------- +                             |
++--------------+    U/T    +----------------------+     TCP   +-----------------------------+
+                             8053(UDP) - 8853(TCP)
+
+```
+
+### How to run:
+
+#### Single service
+```bash
+# Build Docker
+docker build -t dns .
+
+# Run the docker Image
+docker run -d -p 8053:8053/udp -p8853:8853 -t dns
+
+# Test the proxy
+# Handle TCP connections
+dig @127.0.0.1 -p8853 rsehgal.in +tcp
+
+# Handle UDP connections.
+dig @127.0.0.1 -p8053 rsehgal.in
+
+; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @127.0.0.1 -p9090 rsehgal.in
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32042
+;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1232
+; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (".........................................................................................................................................................................................................................................................................................................................................................................................................")
+;; QUESTION SECTION:
+;rsehgal.in.			IN	A
+
+;; ANSWER SECTION:
+rsehgal.in.		20	IN	A	206.189.89.118
+rsehgal.in.		20	IN	A	157.230.35.153
+
+;; Query time: 589 msec
+;; SERVER: 127.0.0.1#9090(127.0.0.1)
+;; WHEN: Sat Sep 12 08:40:31 UTC 2020
+;; MSG SIZE  rcvd: 468
+```
+
+#### Build and Deploy in cluster
+```bash
+# Build docker compose
+docker-compose build .
+
+# Run compose in docker-swarm mode
+# Create master node
+docker swarm init
+
+# Join the Swarm, create multinode cluster
+docker swarm join --token <SWARMTOKEN>
+
+# Deploy proxy in swarn
+docker stack deploy  --compose-file docker-compose.yml dns-proxy
+
+# Handle TCP connections
+dig @127.0.0.1 -p8853 rsehgal.in +tcp
+
+# Handle UDP connections.
+dig @127.0.0.1 -p8053 rsehgal.in
+
+; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @127.0.0.1 -p9090 rsehgal.in
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29786
+;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1232
+; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (".........................................................................................................................................................................................................................................................................................................................................................................................................")
+;; QUESTION SECTION:
+;rsehgal.in.			IN	A
+
+;; ANSWER SECTION:
+rsehgal.in.		20	IN	A	157.230.35.153
+rsehgal.in.		20	IN	A	157.230.37.202
+
+;; Query time: 522 msec
+;; SERVER: 127.0.0.1#9090(127.0.0.1)
+;; WHEN: Sat Sep 12 08:51:22 UTC 2020
+;; MSG SIZE  rcvd: 468
+```
+
+### Proxy features
+1. Supports TCP and UDP connections with Proxy.
+1. Ready to use logging module.
+2. Threaded server.
+3. Packaged as docker.
+4. Packaged as docker-compose.
+    1. Ready to deploy in docker-swarm cluster, multinode deployment.
+5. No third party library used.
+6. No dependencies.
+7. Currently connects with Cloudflare only, but can me modified to work with any DNS-TLS providers.
+7. Server certificate verification using SSL.
+
+
+### Security consideration
+1. Imagine this proxy being deployed in an infrastructure. What would be the security concerns you would raise?
+    - The infrastructure deployment in current case is packaged with docker-swarn. The default docker-swarm deployment takes care of securing node to node communication. For load balancing, request routing etc.
+    - Loggin module is plugged in, which can help do detailed loggin with help of python's loggin module. This loggin result can be even sent to SIEM solutions like Splunk. This module is not coded yet, but the way the plugin has been written, this feature can be easily extended.
+    - Server certificate verification using CA certificates in OS.
+
+2. How would you integrate that solution in a distributed, microservices-oriented and containerized architecture?
+    - For such solutions, I prefer, docker-swarm, since the application is already packaged as container, deployment is swarm through docker-compose file make it really easy, secure and monitoring.
+    - Microservices connecting to swarm/
+
+3. What other improvements do you think would be interesting to add to the project?
+    - Logging to SIEM.
+    - Handle Zone transfer request.
+    - There is lot of biolerplate code, that can be removed. Hope fully in next REL ;)
+    - Scaleable multiprocessing instead of multithreaded, as python suffers from world famous [GIL](https://en.wikipedia.org/wiki/Global_interpreter_lock) issue.

Readme.md

@@ -0,0 +1,14 @@
+version: "3"
+
+services:
+  proxy-service:
+    image: dns-proxy
+    build: ./
+    networks:
+      - proxy-network
+    ports:
+      - "8053:8053"
+      - "8853:8853"
+
+networks:
+  proxy-network:

docker-compose.yml

@@ -0,0 +1,29 @@
+"""Setup script."""
+import DNSoverTLS
+import setuptools
+
+with open("README.md", "r") as fh:
+    long_description = fh.read()
+
+_version = DNSoverTLS.__version__
+_requires = open("requirements.txt").read().splitlines()
+
+setuptools.setup(
+    name="DockerENT",
+    version=_version,
+    description="A simple proxy server to convert DNS Requests to DNS-over-TLS using Cloudflare",
+    long_description=long_description,
+    long_description_content_type="text/markdown",
+    url="",
+    packages=setuptools.find_packages(),
+    classifiers=[
+        "Programming Language :: Python :: 3",
+        "License :: OSI Approved :: MIT License",
+        "Operating System :: OS Independent",
+    ],
+    python_requires=">=3.7",
+    install_requires=_requires,
+    entry_points={"console_scripts": {
+        "DNSoverTLS = DNSoverTLS.__main__:start"}},
+    keywords="DNS DNS-over-TLS TLS cloudflare",
+)