Added basic DNS cookie support #1737

Open
zbalkan wants to merge 33 commits into TechnitiumSoftware:master from zbalkan:feat/add-dns-cookie-support

zbalkan (Contributor) commented Feb 18, 2026

Adds DNS Cookies support across DnsServer with EDNS(0) COOKIE parsing, server-side cookie generation/validation, and request/response handling per RFC 7873/9018.

  • EDNS COOKIE parsing/serialization (code 10) via EDnsCookieOptionData; 8-byte client cookie; 8–32-byte server cookie.
  • DnsCookieSecretManager for 32-byte HMAC secrets with persistence and rotation.
  • DnsCookieValidator builds v1 server cookies (version, timestamp, HMAC‑SHA256‑64) and validates within 5 minutes; server replies BADCOOKIE with TC and a fresh cookie on failure.
  • Response path echoes/attaches server cookies when absent or forced and updates OPT safely.

Relies on PR TechnitiumSoftware/TechnitiumLibrary#56

Edit: Solves #1151
Edit 2: Removed configuration for cookies for the sake of simplicity
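
The server cookie described above, sketched as an added example (not the PR's DnsCookieValidator code; assumes .NET 6 or later): the 16-byte RFC 9018 layout with the HMAC-SHA256-64 tag named in the description. The MAC input order (client cookie, header, client IP), the reading of "within 5 minutes" as a window of 300 seconds either side, acceptance of a previous secret after rotation, and all names and sample values are assumptions.

```csharp
using System;
using System.Buffers.Binary;
using System.Net;
using System.Security.Cryptography;

// Constructed sample values, not taken from the PR.
byte[] current = RandomNumberGenerator.GetBytes(32), previous = RandomNumberGenerator.GetBytes(32);
byte[][] keys = { current, previous };
byte[] cc = Convert.FromHexString("0102030405060708");
IPAddress ip = IPAddress.Parse("192.0.2.10");
byte[] sc = ServerCookieSketch.Make(previous, cc, ip, 1_000_000); // minted before a rotation
Console.WriteLine(ServerCookieSketch.Validate(keys, cc, sc, ip, 1_000_120)); // same client, 120 s later
Console.WriteLine(ServerCookieSketch.Validate(keys, cc, sc, IPAddress.Parse("192.0.2.11"), 1_000_120)); // other source
Console.WriteLine(ServerCookieSketch.Validate(keys, cc, sc, ip, 1_000_400)); // same client, 400 s later

// Added illustration, not the PR's DnsCookieValidator; all names are hypothetical.
static class ServerCookieSketch
{
    const int WindowSeconds = 300; // "within 5 minutes", read as +/- 300 s (assumption)
    // Layout: version(1) | reserved(3) | timestamp(4, big-endian) | tag(8)
    public static byte[] Make(byte[] secret, byte[] clientCookie, IPAddress ip, uint now)
    {
        if (clientCookie.Length != 8) throw new ArgumentException("client cookie must be 8 bytes");
        byte[] cookie = new byte[16];
        cookie[0] = 1;
        BinaryPrimitives.WriteUInt32BigEndian(cookie.AsSpan(4), now);
        Tag(secret, clientCookie, cookie.AsSpan(0, 8), ip).CopyTo(cookie, 8);
        return cookie;
    }
    // secrets: current and previous, so cookies survive a rotation (assumption).
    public static bool Validate(byte[][] secrets, byte[] clientCookie, byte[] serverCookie, IPAddress ip, uint now)
    {
        if (clientCookie.Length != 8 || serverCookie.Length != 16 || serverCookie[0] != 1) return false;
        uint ts = BinaryPrimitives.ReadUInt32BigEndian(serverCookie.AsSpan(4));
        long age = unchecked((int)(now - ts)); // signed difference, tolerates 32-bit wrap
        if (Math.Abs(age) > WindowSeconds) return false;
        foreach (byte[] secret in secrets)
            if (CryptographicOperations.FixedTimeEquals(
                    Tag(secret, clientCookie, serverCookie.AsSpan(0, 8), ip), serverCookie.AsSpan(8)))
                return true; // tag compared in constant time
        return false;
    }
    // HMAC-SHA256 over client cookie | header as received | client IP, truncated to 64 bits.
    static byte[] Tag(byte[] secret, byte[] clientCookie, ReadOnlySpan<byte> header, IPAddress ip)
    {
        byte[] addr = ip.GetAddressBytes(), input = new byte[16 + addr.Length];
        clientCookie.CopyTo(input, 0);
        header.CopyTo(input.AsSpan(8));
        addr.CopyTo(input, 16);
        return HMACSHA256.HashData(secret, input).AsSpan(0, 8).ToArray();
    }
}
```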

Copilot AI review requested due to automatic review settings February 18, 2026 13:01
Copilot AI left a comment

Pull request overview

This pull request adds DNS Cookie support to the Technitium DNS Server, implementing RFC 7873 and RFC 9018 specifications. The implementation includes EDNS(0) COOKIE option parsing, server-side cookie generation and validation using HMAC-SHA256, secret management with automatic rotation, and appropriate request/response handling with BADCOOKIE responses.

Changes:

  • Added DnsCookieSecretManager class for managing 32-byte HMAC secrets with file persistence and automatic rotation
  • Added DnsCookieValidator class for generating and validating DNS cookies using RFC 9018 server cookie structure (version 1 with timestamp and HMAC-SHA256-64)
  • Integrated DNS cookie validation and response handling into DnsServer with configuration options for enabling cookies, secret file path, rotation period, TC-on-bad-cookie behavior, and always-echo mode

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 19 comments.

File | Description
DnsServerCore/Dns/Security/DnsCookieSecretManager.cs | Manages cryptographic secrets for DNS cookies with persistence, rotation, and thread-safe access
DnsServerCore/Dns/Security/DnsCookieValidator.cs | Implements RFC 9018 server cookie generation and validation with timestamp and HMAC verification
DnsServerCore/Dns/DnsServer.cs | Integrates DNS cookie support with request validation, BADCOOKIE response generation, and configuration management

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.


Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.


zbalkan force-pushed the feat/add-dns-cookie-support branch from 114c2df to 224475f, February 19, 2026 10:19

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.


Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

Comments suppressed due to low confidence (1)

DnsServerCore/Dns/DnsServer.cs:593

  • DNS cookies are not initialized when LoadConfigFile encounters an exception other than FileNotFoundException (caught at line 589). This means if the config file exists but is corrupt or causes any error during ReadConfigFrom, DNS cookies will not be available. Consider calling InitDnsCookies() in the catch block at line 589 to ensure DNS cookies are initialized even when config loading fails, similar to how it's called in the FileNotFoundException handler at line 587.
            catch (Exception ex)
            {
                _log.Write("DNS Server encountered an error while loading DNS config file: " + dnsConfigFile + "\r\n" + ex.ToString());
                _log.Write("Note: You may try deleting the DNS config file to fix this issue. However, you will lose DNS settings but, other data wont be affected.");
            }

zbalkan (Contributor, Author) commented Feb 19, 2026

I'll roll back last two commits. I shouldn't blindly listen to the copilot review. Original code was okay. But tomorrow.

zbalkan force-pushed the feat/add-dns-cookie-support branch from 6f34df8 to f5a0926, February 20, 2026 07:40
zbalkan requested a review from Copilot, February 20, 2026 10:08
zbalkan marked this pull request as draft, February 20, 2026 10:08

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.


Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


zbalkan marked this pull request as ready for review, February 20, 2026 13:11

zbalkan (Contributor, Author) commented Feb 20, 2026

Ready.
