62 changes: 62 additions & 0 deletions consul_domain_fix.patch
@@ -0,0 +1,62 @@
diff --git a/vendor/github.com/letsencrypt/challtestsrv/dns.go b/vendor/github.com/letsencrypt/challtestsrv/dns.go
index 98be04251..818aa35f6 100644
--- a/vendor/github.com/letsencrypt/challtestsrv/dns.go
+++ b/vendor/github.com/letsencrypt/challtestsrv/dns.go
@@ -5,6 +5,7 @@ import (
"io"
"net"
"net/http"
+ "strings"

"github.com/miekg/dns"
)
@@ -53,7 +54,8 @@ func (s *ChallSrv) cnameAnswers(q dns.Question) []dns.RR {
}

// No mock data - check if we should forward to real DNS
- if s.useRealDNS && s.realDNSForwarder != nil {
+ // Skip forwarding for internal domains like .consul
+ if s.useRealDNS && s.realDNSForwarder != nil && !strings.HasSuffix(strings.ToLower(q.Name), ".consul.") {
s.log.Printf("CNAME query for %s: no mock data, forwarding to real DNS", q.Name)
realAnswers := s.realDNSForwarder.ForwardQuery(q)
if len(realAnswers) > 0 {
@@ -92,7 +94,8 @@ func (s *ChallSrv) txtAnswers(q dns.Question) []dns.RR {
}

// No mock data - check if we should forward to real DNS
- if s.useRealDNS && s.realDNSForwarder != nil {
+ // Skip forwarding for internal domains like .consul
+ if s.useRealDNS && s.realDNSForwarder != nil && !strings.HasSuffix(strings.ToLower(q.Name), ".consul.") {
s.log.Printf("TXT query for %s: no mock data, forwarding to real DNS", q.Name)
realAnswers := s.realDNSForwarder.ForwardQuery(q)
if len(realAnswers) > 0 {
@@ -142,7 +145,8 @@ func (s *ChallSrv) aAnswers(q dns.Question) []dns.RR {
}

// No mock data - check if we should forward to real DNS
- if s.useRealDNS && s.realDNSForwarder != nil {
+ // Skip forwarding for internal domains like .consul
+ if s.useRealDNS && s.realDNSForwarder != nil && !strings.HasSuffix(strings.ToLower(q.Name), ".consul.") {
s.log.Printf("A query for %s: no mock data, forwarding to real DNS", q.Name)
realAnswers := s.realDNSForwarder.ForwardQuery(q)
if len(realAnswers) > 0 {
@@ -208,7 +212,8 @@ func (s *ChallSrv) aaaaAnswers(q dns.Question) []dns.RR {
}

// No mock data - check if we should forward to real DNS
- if s.useRealDNS && s.realDNSForwarder != nil {
+ // Skip forwarding for internal domains like .consul
+ if s.useRealDNS && s.realDNSForwarder != nil && !strings.HasSuffix(strings.ToLower(q.Name), ".consul.") {
s.log.Printf("AAAA query for %s: no mock data, forwarding to real DNS", q.Name)
realAnswers := s.realDNSForwarder.ForwardQuery(q)
if len(realAnswers) > 0 {
@@ -269,7 +274,8 @@ func (s *ChallSrv) caaAnswers(q dns.Question) []dns.RR {
}

// No mock data - check if we should forward to real DNS
- if s.useRealDNS && s.realDNSForwarder != nil {
+ // Skip forwarding for internal domains like .consul
+ if s.useRealDNS && s.realDNSForwarder != nil && !strings.HasSuffix(strings.ToLower(q.Name), ".consul.") {
s.log.Printf("CAA query for %s: no mock data, forwarding to real DNS", q.Name)
realAnswers := s.realDNSForwarder.ForwardQuery(q)
if len(realAnswers) > 0 {
9 changes: 7 additions & 2 deletions docker-compose.yml
Expand Up @@ -14,6 +14,11 @@ services:
# to the IP address where your ACME client's solver is listening. This is
# pointing at the boulder service's "public" IP, where challtestsrv is.
FAKE_DNS: 64.112.117.122
# Set to "true" to forward DNS queries to real upstream DNS servers instead of fake responses
# When enabled, mock data from tests will still take precedence over real DNS
USE_REAL_DNS: "true"
# Comma-separated list of upstream DNS servers to use when USE_REAL_DNS is enabled
UPSTREAM_DNS_SERVERS: "8.8.8.8:53,1.1.1.1:53"
BOULDER_CONFIG_DIR: test/config
GOCACHE: /boulder/.gocache/go-build
volumes:
Expand Down Expand Up @@ -130,11 +135,11 @@ services:
bconsul:
image: hashicorp/consul:1.19.1
volumes:
- ./test/:/test/:cached
- ./test/:/test/:cached
networks:
bouldernet:
ipv4_address: 10.77.77.10
command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
command: "consul agent -server -bootstrap-expect=1 -ui -config-format=hcl -config-file=/test/consul/config.hcl"

bjaeger:
image: jaegertracing/all-in-one:1.50
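Review bot: `USE_REAL_DNS: "true"` turns real-DNS forwarding on for every developer and CI run of this compose file, so (assuming the container entrypoint maps this variable to the new `-use-real-dns` flag, which is not shown) any test query without mock data is sent in clear text to 8.8.8.8/1.1.1.1, and validation outcomes now depend on Internet egress and on whatever those resolvers return — nondeterministic tests, and a test VA that can resolve real-world names. The chall-test-srv flag itself defaults to false; keep the compose default at `USE_REAL_DNS: "false"` and let the one workflow that needs real answers opt in. The `bconsul` command change, reading the second line as the new side, replaces `-dev` with `-server -bootstrap-expect=1 -ui`; outside dev mode Consul needs a persistent `data_dir` (unless `/test/consul/config.hcl` already sets one, which isn't visible here) and `-ui` exposes the web UI on the bouldernet address, so either state why the test agent needs this or keep `-dev`. The two `./test/:/test/:cached` lines differ only in whitespace and read as formatting churn.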
27 changes: 19 additions & 8 deletions test/chall-test-srv/main.go
Expand Up @@ -72,6 +72,10 @@ func main() {
"Default IPv4 address for mock DNS responses to A queries")
defaultIPv6 := flag.String("defaultIPv6", "::1",
"Default IPv6 address for mock DNS responses to AAAA queries")
useRealDNS := flag.Bool("use-real-dns", false,
"Forward DNS queries to real DNS servers instead of returning fake responses")
upstreamDNS := flag.String("upstream-dns", "8.8.8.8:53,1.1.1.1:53",
"Comma separated list of upstream DNS servers to use when use-real-dns is enabled")

flag.Parse()

Expand All @@ -89,16 +93,20 @@ func main() {

logger := log.New(os.Stdout, "chall-test-srv - ", log.Ldate|log.Ltime)

upstreamServers := filterEmpty(strings.Split(*upstreamDNS, ","))

// Create a new challenge server with the provided config
srv, err := challtestsrv.New(challtestsrv.Config{
HTTPOneAddrs: httpOneAddresses,
HTTPSOneAddrs: httpsOneAddresses,
DOHAddrs: dohAddresses,
DOHCert: *dohCert,
DOHCertKey: *dohCertKey,
DNSOneAddrs: dnsOneAddresses,
TLSALPNOneAddrs: tlsAlpnOneAddresses,
Log: logger,
HTTPOneAddrs: httpOneAddresses,
HTTPSOneAddrs: httpsOneAddresses,
DOHAddrs: dohAddresses,
DOHCert: *dohCert,
DOHCertKey: *dohCertKey,
DNSOneAddrs: dnsOneAddresses,
TLSALPNOneAddrs: tlsAlpnOneAddresses,
Log: logger,
UseRealDNS: *useRealDNS,
UpstreamDNSServers: upstreamServers,
})
cmd.FailOnError(err, "Unable to construct challenge server")

Expand Down Expand Up @@ -148,6 +156,9 @@ func main() {
logger.Printf("Answering AAAA queries with %s by default",
*defaultIPv6)
}

srv.SetDefaultDNSIPv4(*defaultIPv4)
srv.SetDefaultDNSIPv6(*defaultIPv6)
}
if *tlsAlpnOneBind != "" {
http.HandleFunc("/add-tlsalpn01", oobSrv.addTLSALPN01)
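Review bot: The upstream list built on the `upstreamServers := filterEmpty(strings.Split(*upstreamDNS, ","))` line is handed to the forwarder without trimming or validation, so a value like `"8.8.8.8:53, 1.1.1.1:53"` (space after the comma) or a bare IP with no port only fails later inside a forwarded query instead of at startup; what `filterEmpty` does beyond dropping empty strings is not visible here. Trim each entry, check it with `net.SplitHostPort`, fail through `cmd.FailOnError` the way the construction error on the next hunk already does, and refuse `-use-real-dns` with an empty list, as sketched below. The `UseRealDNS`/`UpstreamDNSServers` Config fields can only come from a locally modified vendor copy — the patch file in this PR touches just the forwarding condition in dns.go — so the PR should say where that modification lives and how it survives `go mod vendor`. `main` begins and ends outside the hunks shown, and `net`/`fmt` need importing if the file does not already do so.

```go
// Build the upstream resolver list, rejecting malformed entries at startup
// rather than on the first forwarded query.
var upstreamServers []string
for _, entry := range strings.Split(*upstreamDNS, ",") {
	entry = strings.TrimSpace(entry)
	if entry == "" {
		continue
	}
	_, _, err := net.SplitHostPort(entry)
	cmd.FailOnError(err, fmt.Sprintf("invalid -upstream-dns entry %q", entry))
	upstreamServers = append(upstreamServers, entry)
}
if *useRealDNS && len(upstreamServers) == 0 {
	logger.Fatal("-use-real-dns requires at least one -upstream-dns server")
}
// … unchanged: challtestsrv.New(challtestsrv.Config{...}) …
```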
100 changes: 47 additions & 53 deletions test/config/remoteva-a.json
@@ -1,55 +1,49 @@
{
"rva": {
"userAgent": "remoteva-a",
"debugAddr": ":8211",
"dnsTries": 3,
"dnsProvider": {
"dnsAuthority": "consul.service.consul",
"srvLookup": {
"service": "doh",
"domain": "service.consul"
}
},
"dnsTimeout": "1s",
"issuerDomain": "happy-hacker-ca.invalid",
"tls": {
"caCertfile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/rva.boulder/cert.pem",
"keyFile": "test/certs/ipki/rva.boulder/key.pem"
},
"grpc": {
"maxConnectionAge": "30s",
"address": ":9897",
"services": {
"va.VA": {
"clientNames": [
"va.boulder"
]
},
"va.CAA": {
"clientNames": [
"va.boulder"
]
},
"grpc.health.v1.Health": {
"clientNames": [
"health-checker.boulder"
]
}
}
},
"features": {
"DOH": true
},
"accountURIPrefixes": [
"http://boulder.service.consul:4000/acme/reg/",
"http://boulder.service.consul:4001/acme/acct/"
],
"perspective": "dadaist",
"rir": "ARIN"
},
"syslog": {
"stdoutlevel": 4,
"sysloglevel": 4
}
"rva": {
"userAgent": "remoteva-a",
"debugAddr": ":8211",
"dnsTries": 3,
"dnsProvider": {
"dnsAuthority": "consul.service.consul",
"srvLookup": {
"service": "doh",
"domain": "service.consul"
}
},
"dnsTimeout": "1s",
"issuerDomain": "happy-hacker-ca.invalid",
"tls": {
"caCertfile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/rva.boulder/cert.pem",
"keyFile": "test/certs/ipki/rva.boulder/key.pem"
},
"grpc": {
"maxConnectionAge": "30s",
"address": ":9897",
"services": {
"va.VA": {
"clientNames": ["va.boulder"]
},
"va.CAA": {
"clientNames": ["va.boulder"]
},
"grpc.health.v1.Health": {
"clientNames": ["health-checker.boulder"]
}
}
},
"features": {
"DOH": true
},
"accountURIPrefixes": [
"http://boulder.service.consul:4000/acme/reg/",
"http://boulder.service.consul:4001/acme/acct/"
],
"perspective": "dadaist",
"rir": "ARIN"
},
"syslog": {
"stdoutlevel": 7,
"sysloglevel": 7
}
}
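Review bot: The only semantic change in this file is `stdoutlevel`/`sysloglevel` moving from 4 to 7 (warning to debug in syslog severity terms) on a remote VA, and nothing in the PR connects that to DNS forwarding; it reads as a leftover from debugging. Debug-level output on a VA records per-validation detail for every request it serves, so revert to `"stdoutlevel": 4, "sysloglevel": 4` or state in the description why the remote perspectives need it. The remaining 90-odd lines are indentation and array-layout churn over unchanged keys, which buries the one real change; landing the reformat as its own commit would keep it reviewable.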
100 changes: 47 additions & 53 deletions test/config/remoteva-b.json
@@ -1,55 +1,49 @@
{
"rva": {
"userAgent": "remoteva-b",
"debugAddr": ":8212",
"dnsTries": 3,
"dnsProvider": {
"dnsAuthority": "consul.service.consul",
"srvLookup": {
"service": "doh",
"domain": "service.consul"
}
},
"dnsTimeout": "1s",
"issuerDomain": "happy-hacker-ca.invalid",
"tls": {
"caCertfile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/rva.boulder/cert.pem",
"keyFile": "test/certs/ipki/rva.boulder/key.pem"
},
"grpc": {
"maxConnectionAge": "30s",
"address": ":9998",
"services": {
"va.VA": {
"clientNames": [
"va.boulder"
]
},
"va.CAA": {
"clientNames": [
"va.boulder"
]
},
"grpc.health.v1.Health": {
"clientNames": [
"health-checker.boulder"
]
}
}
},
"features": {
"DOH": true
},
"accountURIPrefixes": [
"http://boulder.service.consul:4000/acme/reg/",
"http://boulder.service.consul:4001/acme/acct/"
],
"perspective": "surrealist",
"rir": "RIPE"
},
"syslog": {
"stdoutlevel": 4,
"sysloglevel": 4
}
"rva": {
"userAgent": "remoteva-b",
"debugAddr": ":8212",
"dnsTries": 3,
"dnsProvider": {
"dnsAuthority": "consul.service.consul",
"srvLookup": {
"service": "doh",
"domain": "service.consul"
}
},
"dnsTimeout": "1s",
"issuerDomain": "happy-hacker-ca.invalid",
"tls": {
"caCertfile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/rva.boulder/cert.pem",
"keyFile": "test/certs/ipki/rva.boulder/key.pem"
},
"grpc": {
"maxConnectionAge": "30s",
"address": ":9998",
"services": {
"va.VA": {
"clientNames": ["va.boulder"]
},
"va.CAA": {
"clientNames": ["va.boulder"]
},
"grpc.health.v1.Health": {
"clientNames": ["health-checker.boulder"]
}
}
},
"features": {
"DOH": true
},
"accountURIPrefixes": [
"http://boulder.service.consul:4000/acme/reg/",
"http://boulder.service.consul:4001/acme/acct/"
],
"perspective": "surrealist",
"rir": "RIPE"
},
"syslog": {
"stdoutlevel": 7,
"sysloglevel": 7
}
}
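Review bot: As in remoteva-a.json, the sole behavioral change here is the syslog levels going from 4 to 7 (warning to debug), unrelated to the DNS forwarding feature this PR introduces; the rest is whitespace and array reformatting of unchanged keys. Keep the two remote perspectives consistent with each other and with the original verbosity: `"stdoutlevel": 4, "sysloglevel": 4`, unless the PR description explains why debug-level logging is now required in the test RVAs. If the reformat is intentional, separating it from the level change (or dropping it) would make the actual diff two lines instead of a hundred.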