
dnsdist: add a Rule Selector to match DoT rules #14060

Open
franklouwers opened this issue Apr 11, 2024 · 3 comments

Comments

@franklouwers
Contributor

  • Program: dnsdist
  • Issue type: Feature request

Short description

A selector which matches DoT (and DoT only) packets should exist, so I can do the following:

addAction(DOTRule('.*'), LuaAction(dot_handling))

Use case

A single dnsdist instance can handle multiple "transport mechanisms" of the DNS protocol: udp/53, tcp/53, DoH, DoQ, DoT, some of these wrapped in Proxy Protocol capsules.

As a DNS operator, I might want to handle some of those transport mechanisms differently than others on the same node.

For most of those, I can use a proper Selection Rule in combination with an addAction() to apply a certain function or behaviour.

Selectors exist for DoH (-variants) using HTTPHeaderRule(), for EDNS options, for the Proxy Protocol etc.

However, there is currently no way to select only DoT traffic.

Description

The closest thing would be SNIRule(), but that matches both DoT and DoH.

We would use DSTPortRule() to target only the DoT pool, but properly selecting DoT would of course be better.

An alternative would be to send all traffic to a rule, and use dq:getProtocol() and string-matching to branch out to different functions.
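The workaround sketched in that last paragraph, written out as an added example (this is not code from the issue or from the dnsdist project): a single LuaAction attached to AllRule() that looks at dq:getProtocol() and only acts on DoT queries, leaving everything else to the rules that follow. The pool name "dot-pool" and the function name are placeholders; the protocol strings are the ones the dnsdist documentation lists for DNSQuestion:getProtocol(), so confirm them against your version before relying on the match.

```lua
-- Added example, not part of the issue or of dnsdist itself.
-- Assumptions: "dot-pool" is a placeholder pool name created elsewhere with
-- newServer{..., pool="dot-pool"}; the protocol strings below follow the
-- dnsdist documentation for DNSQuestion:getProtocol().

-- Exact transport strings we care about. Using a table keyed by the exact
-- value avoids loose pattern matching that could also hit "DNS over HTTPS".
local DOT_PROTOCOLS = {
  ["DNS over TLS"] = true,
}

-- Handler for DoT-only traffic: steer it to a dedicated pool.
-- Returning DNSAction.None for anything else lets later rules run unchanged.
function dot_handling(dq)
  local proto = dq:getProtocol()
  if DOT_PROTOCOLS[proto] then
    return DNSAction.Pool, "dot-pool"
  end
  return DNSAction.None
end

-- Every query goes through the dispatcher; it is a no-op for non-DoT queries.
addAction(AllRule(), LuaAction(dot_handling))
```

Because the function returns DNSAction.None for non-DoT queries, this rule can sit first in the chain without short-circuiting the DoH, Proxy Protocol or EDNS selectors the issue already mentions; the cost is one Lua call per query, which is what a native selector such as the proposed IncomingProtocolRule would avoid.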

@rgacogne
Member

I agree a rule to match on the incoming protocol would be useful, perhaps something like: IncomingProtocolRule(protocol), with the protocol as a (case-insensitive) string.

I'm not sure I understand what .* represents in your example?

@franklouwers
Contributor Author

Could be regexp match on the SNI, but just on the protocol would be enough...

@rgacogne
Member

Understood, thanks!
