Home Explore Help
Sign In
SMusatov
/
TechnitiumSoftware-DnsServer
mirror of https://github.com/TechnitiumSoftware/DnsServer.git
1
0
Fork 0
Files
Tree: f7582faab9
Branches Tags
TechnitiumSoftw...
/
DnsServerCore
/
Dns
/
DnsServer.cs

DnsServer.cs 222 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850 
  1. /*
    2. 

  2. Technitium DNS Server
    3. 

  3. Copyright (C) 2023  Shreyas Zare (shreyas@technitium.com)
    4. 

  4. 

  5. This program is free software: you can redistribute it and/or modify
    6. 

  6. it under the terms of the GNU General Public License as published by
    7. 

  7. the Free Software Foundation, either version 3 of the License, or
    8. 

  8. (at your option) any later version.
    9. 

  9. 

  10. This program is distributed in the hope that it will be useful,
    11. 

  11. but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13. GNU General Public License for more details.
    14. 

  14. 

  15. You should have received a copy of the GNU General Public License
    16. 

  16. along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17. 

  18. */
    19. 

  19. 

  20. using DnsServerCore.ApplicationCommon;
    21. 

  21. using DnsServerCore.Dns.Applications;
    22. 

  22. using DnsServerCore.Dns.ResourceRecords;
    23. 

  23. using DnsServerCore.Dns.Trees;
    24. 

  24. using DnsServerCore.Dns.ZoneManagers;
    25. 

  25. using DnsServerCore.Dns.Zones;
    26. 

  26. using Microsoft.AspNetCore.Builder;
    27. 

  27. using Microsoft.AspNetCore.Connections;
    28. 

  28. using Microsoft.AspNetCore.Hosting;
    29. 

  29. using Microsoft.AspNetCore.Http;
    30. 

  30. using Microsoft.AspNetCore.Server.Kestrel.Core;
    31. 

  31. using Microsoft.AspNetCore.Server.Kestrel.Https;
    32. 

  32. using Microsoft.AspNetCore.StaticFiles;
    33. 

  33. using Microsoft.Extensions.FileProviders;
    34. 

  34. using Microsoft.Extensions.Logging;
    35. 

  35. using System;
    36. 

  36. using System.Collections.Concurrent;
    37. 

  37. using System.Collections.Generic;
    38. 

  38. using System.IO;
    39. 

  39. using System.Net;
    40. 

  40. using System.Net.Quic;
    41. 

  41. using System.Net.Security;
    42. 

  42. using System.Net.Sockets;
    43. 

  43. using System.Runtime.ExceptionServices;
    44. 

  44. using System.Security.Cryptography.X509Certificates;
    45. 

  45. using System.Threading;
    46. 

  46. using System.Threading.Tasks;
    47. 

  47. using TechnitiumLibrary;
    48. 

  48. using TechnitiumLibrary.Net;
    49. 

  49. using TechnitiumLibrary.Net.Dns;
    50. 

  50. using TechnitiumLibrary.Net.Dns.ClientConnection;
    51. 

  51. using TechnitiumLibrary.Net.Dns.EDnsOptions;
    52. 

  52. using TechnitiumLibrary.Net.Dns.ResourceRecords;
    53. 

  53. using TechnitiumLibrary.Net.Proxy;
    54. 

  54. 

  55. namespace DnsServerCore.Dns
    56. 

  56. {
    57. 

  57. #pragma warning disable CA2252 // This API requires opting into preview features
    58. 

  58. #pragma warning disable CA1416 // Validate platform compatibility
    59. 

  59. 

  60.     public enum DnsServerRecursion : byte
    61. 

  61.     {
    62. 

  62.         Deny = 0,
    63. 

  63.         Allow = 1,
    64. 

  64.         AllowOnlyForPrivateNetworks = 2,
    65. 

  65.         UseSpecifiedNetworks = 3
    66. 

  66.     }
    67. 

  67. 

  68.     public enum DnsServerBlockingType : byte
    69. 

  69.     {
    70. 

  70.         AnyAddress = 0,
    71. 

  71.         NxDomain = 1,
    72. 

  72.         CustomAddress = 2
    73. 

  73.     }
    74. 

  74. 

  75.     public sealed class DnsServer : IAsyncDisposable, IDisposable, IDnsClient
    76. 

  76.     {
    77. 

  77.         #region enum
    78. 

  78. 

  79.         enum ServiceState
    80. 

  80.         {
    81. 

  81.             Stopped = 0,
    82. 

  82.             Starting = 1,
    83. 

  83.             Running = 2,
    84. 

  84.             Stopping = 3
    85. 

  85.         }
    86. 

  86. 

  87.         #endregion
    88. 

  88. 

  89.         #region variables
    90. 

  90. 

  91.         internal const int MAX_CNAME_HOPS = 16;
    92. 

  92.         const int SERVE_STALE_WAIT_TIME = 1800;
    93. 

  93. 

  94.         static readonly IPEndPoint IPENDPOINT_ANY_0 = new IPEndPoint(IPAddress.Any, 0);
    95. 

  95.         static readonly IReadOnlyCollection<DnsARecordData> _aRecords = new DnsARecordData[] { new DnsARecordData(IPAddress.Any) };
    96. 

  96.         static readonly IReadOnlyCollection<DnsAAAARecordData> _aaaaRecords = new DnsAAAARecordData[] { new DnsAAAARecordData(IPAddress.IPv6Any) };
    97. 

  97. 

  98.         string _serverDomain;
    99. 

  99.         readonly string _configFolder;
    100. 

  100.         readonly string _dohwwwFolder;
    101. 

  101.         IReadOnlyList<IPEndPoint> _localEndPoints;
    102. 

  102.         LogManager _log;
    103. 

  103. 

  104.         NameServerAddress _thisServer;
    105. 

  105. 

  106.         readonly List<Socket> _udpListeners = new List<Socket>();
    107. 

  107.         readonly List<Socket> _tcpListeners = new List<Socket>();
    108. 

  108.         readonly List<Socket> _tlsListeners = new List<Socket>();
    109. 

  109.         readonly List<QuicListener> _quicListeners = new List<QuicListener>();
    110. 

  110. 

  111.         WebApplication _dohWebService;
    112. 

  112. 

  113.         readonly AuthZoneManager _authZoneManager;
    114. 

  114.         readonly AllowedZoneManager _allowedZoneManager;
    115. 

  115.         readonly BlockedZoneManager _blockedZoneManager;
    116. 

  116.         readonly BlockListZoneManager _blockListZoneManager;
    117. 

  117.         readonly CacheZoneManager _cacheZoneManager;
    118. 

  118.         readonly DnsApplicationManager _dnsApplicationManager;
    119. 

  119. 

  120.         readonly ResolverDnsCache _dnsCache;
    121. 

  121.         readonly StatsManager _stats;
    122. 

  122. 

  123.         bool _preferIPv6;
    124. 

  124.         ushort _udpPayloadSize = DnsDatagram.EDNS_DEFAULT_UDP_PAYLOAD_SIZE;
    125. 

  125.         bool _dnssecValidation = true;
    126. 

  126. 

  127.         bool _eDnsClientSubnet;
    128. 

  128.         byte _eDnsClientSubnetIPv4PrefixLength = 24;
    129. 

  129.         byte _eDnsClientSubnetIPv6PrefixLength = 56;
    130. 

  130. 

  131.         int _qpmLimitRequests = 0;
    132. 

  132.         int _qpmLimitErrors = 0;
    133. 

  133.         int _qpmLimitSampleMinutes = 5;
    134. 

  134.         int _qpmLimitIPv4PrefixLength = 24;
    135. 

  135.         int _qpmLimitIPv6PrefixLength = 56;
    136. 

  136. 

  137.         int _clientTimeout = 4000;
    138. 

  138.         int _tcpSendTimeout = 10000;
    139. 

  139.         int _tcpReceiveTimeout = 10000;
    140. 

  140.         int _quicIdleTimeout = 60000;
    141. 

  141.         int _quicMaxInboundStreams = 100;
    142. 

  142.         int _listenBacklog = 100;
    143. 

  143. 

  144.         bool _enableDnsOverHttp;
    145. 

  145.         bool _enableDnsOverTls;
    146. 

  146.         bool _enableDnsOverHttps;
    147. 

  147.         bool _enableDnsOverQuic;
    148. 

  148.         int _dnsOverHttpPort = 80;
    149. 

  149.         int _dnsOverTlsPort = 853;
    150. 

  150.         int _dnsOverHttpsPort = 443;
    151. 

  151.         int _dnsOverQuicPort = 853;
    152. 

  152.         X509Certificate2 _certificate;
    153. 

  153. 

  154.         IReadOnlyDictionary<string, TsigKey> _tsigKeys;
    155. 

  155. 

  156.         DnsServerRecursion _recursion;
    157. 

  157.         IReadOnlyCollection<NetworkAddress> _recursionDeniedNetworks;
    158. 

  158.         IReadOnlyCollection<NetworkAddress> _recursionAllowedNetworks;
    159. 

  159. 

  160.         bool _randomizeName;
    161. 

  161.         bool _qnameMinimization;
    162. 

  162.         bool _nsRevalidation;
    163. 

  163. 

  164.         int _resolverRetries = 2;
    165. 

  165.         int _resolverTimeout = 2000;
    166. 

  166.         int _resolverMaxStackCount = 16;
    167. 

  167. 

  168.         bool _serveStale = true;
    169. 

  169.         int _cachePrefetchEligibility = 2;
    170. 

  170.         int _cachePrefetchTrigger = 9;
    171. 

  171.         int _cachePrefetchSampleIntervalInMinutes = 5;
    172. 

  172.         int _cachePrefetchSampleEligibilityHitsPerHour = 30;
    173. 

  173. 

  174.         bool _enableBlocking = true;
    175. 

  175.         bool _allowTxtBlockingReport = true;
    176. 

  176.         DnsServerBlockingType _blockingType = DnsServerBlockingType.NxDomain;
    177. 

  177.         IReadOnlyCollection<DnsARecordData> _customBlockingARecords = Array.Empty<DnsARecordData>();
    178. 

  178.         IReadOnlyCollection<DnsAAAARecordData> _customBlockingAAAARecords = Array.Empty<DnsAAAARecordData>();
    179. 

  179. 

  180.         NetProxy _proxy;
    181. 

  181.         IReadOnlyList<NameServerAddress> _forwarders;
    182. 

  182.         int _forwarderRetries = 3;
    183. 

  183.         int _forwarderTimeout = 2000;
    184. 

  184.         int _forwarderConcurrency = 2;
    185. 

  185. 

  186.         LogManager _queryLog;
    187. 

  187. 

  188.         Timer _cachePrefetchSamplingTimer;
    189. 

  189.         readonly object _cachePrefetchSamplingTimerLock = new object();
    190. 

  190.         const int CACHE_PREFETCH_SAMPLING_TIMER_INITIAL_INTEVAL = 5000;
    191. 

  191. 

  192.         Timer _cachePrefetchRefreshTimer;
    193. 

  193.         readonly object _cachePrefetchRefreshTimerLock = new object();
    194. 

  194.         const int CACHE_PREFETCH_REFRESH_TIMER_INITIAL_INTEVAL = 10000;
    195. 

  195.         DateTime _cachePrefetchSamplingTimerTriggersOn;
    196. 

  196.         IList<CacheRefreshSample> _cacheRefreshSampleList;
    197. 

  197. 

  198.         Timer _cacheMaintenanceTimer;
    199. 

  199.         readonly object _cacheMaintenanceTimerLock = new object();
    200. 

  200.         const int CACHE_MAINTENANCE_TIMER_INITIAL_INTEVAL = 5 * 60 * 1000;
    201. 

  201.         const int CACHE_MAINTENANCE_TIMER_PERIODIC_INTERVAL = 5 * 60 * 1000;
    202. 

  202. 

  203.         Timer _qpmLimitSamplingTimer;
    204. 

  204.         readonly object _qpmLimitSamplingTimerLock = new object();
    205. 

  205.         const int QPM_LIMIT_SAMPLING_TIMER_INTERVAL = 10000;
    206. 

  206.         IReadOnlyDictionary<IPAddress, long> _qpmLimitClientSubnetStats;
    207. 

  207.         IReadOnlyDictionary<IPAddress, long> _qpmLimitErrorClientSubnetStats;
    208. 

  208. 

  209.         readonly IndependentTaskScheduler _queryTaskScheduler = new IndependentTaskScheduler();
    210. 

  210. 

  211.         readonly IndependentTaskScheduler _resolverTaskScheduler = new IndependentTaskScheduler(ThreadPriority.AboveNormal);
    212. 

  212.         readonly ConcurrentDictionary<string, Task<RecursiveResolveResponse>> _resolverTasks = new ConcurrentDictionary<string, Task<RecursiveResolveResponse>>();
    213. 

  213. 

  214.         volatile ServiceState _state = ServiceState.Stopped;
    215. 

  215. 

  216.         #endregion
    217. 

  217. 

  218.         #region constructor
    219. 

  219. 

  220.         static DnsServer()
    221. 

  221.         {
    222. 

  222.             //set min threads since the default value is too small
    223. 

  223.             {
    224. 

  224.                 ThreadPool.GetMinThreads(out int minWorker, out int minIOC);
    225. 

  225. 

  226.                 int minThreads = Environment.ProcessorCount * 16;
    227. 

  227. 

  228.                 if (minWorker < minThreads)
    229. 

  229.                     minWorker = minThreads;
    230. 

  230. 

  231.                 if (minIOC < minThreads)
    232. 

  232.                     minIOC = minThreads;
    233. 

  233. 

  234.                 ThreadPool.SetMinThreads(minWorker, minIOC);
    235. 

  235.             }
    236. 

  236.         }
    237. 

  237. 

  238.         public DnsServer(string serverDomain, string configFolder, string dohwwwFolder, LogManager log = null)
    239. 

  239.             : this(serverDomain, configFolder, dohwwwFolder, new IPEndPoint[] { new IPEndPoint(IPAddress.Any, 53), new IPEndPoint(IPAddress.IPv6Any, 53) }, log)
    240. 

  240.         { }
    241. 

  241. 

  242.         public DnsServer(string serverDomain, string configFolder, string dohwwwFolder, IPEndPoint localEndPoint, LogManager log = null)
    243. 

  243.             : this(serverDomain, configFolder, dohwwwFolder, new IPEndPoint[] { localEndPoint }, log)
    244. 

  244.         { }
    245. 

  245. 

  246.         public DnsServer(string serverDomain, string configFolder, string dohwwwFolder, IReadOnlyList<IPEndPoint> localEndPoints, LogManager log = null)
    247. 

  247.         {
    248. 

  248.             _serverDomain = serverDomain;
    249. 

  249.             _configFolder = configFolder;
    250. 

  250.             _dohwwwFolder = dohwwwFolder;
    251. 

  251.             _localEndPoints = localEndPoints;
    252. 

  252.             _log = log;
    253. 

  253. 

  254.             _authZoneManager = new AuthZoneManager(this);
    255. 

  255.             _allowedZoneManager = new AllowedZoneManager(this);
    256. 

  256.             _blockedZoneManager = new BlockedZoneManager(this);
    257. 

  257.             _blockListZoneManager = new BlockListZoneManager(this);
    258. 

  258.             _cacheZoneManager = new CacheZoneManager(this);
    259. 

  259.             _dnsApplicationManager = new DnsApplicationManager(this);
    260. 

  260. 

  261.             _dnsCache = new ResolverDnsCache(_dnsApplicationManager, _authZoneManager, _cacheZoneManager, _log, false);
    262. 

  262. 

  263.             //init stats
    264. 

  264.             _stats = new StatsManager(this);
    265. 

  265.         }
    266. 

  266. 

  267.         #endregion
    268. 

  268. 

  269.         #region IDisposable
    270. 

  270. 

  271.         bool _disposed;
    272. 

  272. 

  273.         public async ValueTask DisposeAsync()
    274. 

  274.         {
    275. 

  275.             if (_disposed)
    276. 

  276.                 return;
    277. 

  277. 

  278.             await StopAsync();
    279. 

  279. 

  280.             _authZoneManager?.Dispose();
    281. 

  281. 

  282.             _dnsApplicationManager?.Dispose();
    283. 

  283. 

  284.             _stats?.Dispose();
    285. 

  285. 

  286.             _disposed = true;
    287. 

  287.         }
    288. 

  288. 

  289.         public void Dispose()
    290. 

  290.         {
    291. 

  291.             DisposeAsync().Sync();
    292. 

  292.         }
    293. 

  293. 

  294.         #endregion
    295. 

  295. 

  296.         #region private
    297. 

  297. 

  298.         private async Task ReadUdpRequestAsync(Socket udpListener)
    299. 

  299.         {
    300. 

  300.             byte[] recvBuffer = new byte[DnsDatagram.EDNS_MAX_UDP_PAYLOAD_SIZE];
    301. 

  301.             using MemoryStream recvBufferStream = new MemoryStream(recvBuffer);
    302. 

  302. 

  303.             try
    304. 

  304.             {
    305. 

  305.                 EndPoint epAny;
    306. 

  306. 

  307.                 switch (udpListener.AddressFamily)
    308. 

  308.                 {
    309. 

  309.                     case AddressFamily.InterNetwork:
    310. 

  310.                         epAny = new IPEndPoint(IPAddress.Any, 0);
    311. 

  311.                         break;
    312. 

  312. 

  313.                     case AddressFamily.InterNetworkV6:
    314. 

  314.                         epAny = new IPEndPoint(IPAddress.IPv6Any, 0);
    315. 

  315.                         break;
    316. 

  316. 

  317.                     default:
    318. 

  318.                         throw new NotSupportedException("AddressFamily not supported.");
    319. 

  319.                 }
    320. 

  320. 

  321.                 SocketReceiveFromResult result;
    322. 

  322. 

  323.                 while (true)
    324. 

  324.                 {
    325. 

  325.                     recvBufferStream.SetLength(DnsDatagram.EDNS_MAX_UDP_PAYLOAD_SIZE); //resetting length before using buffer
    326. 

  326. 

  327.                     try
    328. 

  328.                     {
    329. 

  329.                         result = await udpListener.ReceiveFromAsync(recvBuffer, SocketFlags.None, epAny);
    330. 

  330.                     }
    331. 

  331.                     catch (SocketException ex)
    332. 

  332.                     {
    333. 

  333.                         switch (ex.SocketErrorCode)
    334. 

  334.                         {
    335. 

  335.                             case SocketError.ConnectionReset:
    336. 

  336.                             case SocketError.HostUnreachable:
    337. 

  337.                             case SocketError.MessageSize:
    338. 

  338.                             case SocketError.NetworkReset:
    339. 

  339.                                 result = default;
    340. 

  340.                                 break;
    341. 

  341. 

  342.                             default:
    343. 

  343.                                 throw;
    344. 

  344.                         }
    345. 

  345.                     }
    346. 

  346. 

  347.                     if (result.ReceivedBytes > 0)
    348. 

  348.                     {
    349. 

  349.                         if (result.RemoteEndPoint is not IPEndPoint remoteEP)
    350. 

  350.                             continue;
    351. 

  351. 

  352.                         if (IsQpmLimitCrossed(remoteEP.Address))
    353. 

  353.                             continue;
    354. 

  354. 

  355.                         try
    356. 

  356.                         {
    357. 

  357.                             recvBufferStream.Position = 0;
    358. 

  358.                             recvBufferStream.SetLength(result.ReceivedBytes);
    359. 

  359. 

  360.                             DnsDatagram request = DnsDatagram.ReadFrom(recvBufferStream);
    361. 

  361. 

  362.                             _ = ProcessUdpRequestAsync(udpListener, remoteEP, request);
    363. 

  363.                         }
    364. 

  364.                         catch (EndOfStreamException)
    365. 

  365.                         {
    366. 

  366.                             //ignore incomplete udp datagrams
    367. 

  367.                         }
    368. 

  368.                         catch (Exception ex)
    369. 

  369.                         {
    370. 

  370.                             _log?.Write(remoteEP, DnsTransportProtocol.Udp, ex);
    371. 

  371.                         }
    372. 

  372.                     }
    373. 

  373.                 }
    374. 

  374.             }
    375. 

  375.             catch (ObjectDisposedException)
    376. 

  376.             {
    377. 

  377.                 //server stopping
    378. 

  378.             }
    379. 

  379.             catch (SocketException ex)
    380. 

  380.             {
    381. 

  381.                 switch (ex.SocketErrorCode)
    382. 

  382.                 {
    383. 

  383.                     case SocketError.OperationAborted:
    384. 

  384.                     case SocketError.Interrupted:
    385. 

  385.                         break; //server stopping
    386. 

  386. 

  387.                     default:
    388. 

  388.                         if ((_state == ServiceState.Stopping) || (_state == ServiceState.Stopped))
    389. 

  389.                             return; //server stopping
    390. 

  390. 

  391.                         _log?.Write(ex);
    392. 

  392.                         break;
    393. 

  393.                 }
    394. 

  394.             }
    395. 

  395.             catch (Exception ex)
    396. 

  396.             {
    397. 

  397.                 if ((_state == ServiceState.Stopping) || (_state == ServiceState.Stopped))
    398. 

  398.                     return; //server stopping
    399. 

  399. 

  400.                 _log?.Write(ex);
    401. 

  401.             }
    402. 

  402.         }
    403. 

  403. 

  404.         private async Task ProcessUdpRequestAsync(Socket udpListener, IPEndPoint remoteEP, DnsDatagram request)
    405. 

  405.         {
    406. 

  406.             try
    407. 

  407.             {
    408. 

  408.                 DnsDatagram response = await PreProcessQueryAsync(request, remoteEP, DnsTransportProtocol.Udp, IsRecursionAllowed(remoteEP.Address));
    409. 

  409.                 if (response is null)
    410. 

  410.                     return; //drop request
    411. 

  411. 

  412.                 //send response
    413. 

  413.                 byte[] sendBuffer;
    414. 

  414. 

  415.                 if (request.EDNS is null)
    416. 

  416.                     sendBuffer = new byte[512];
    417. 

  417.                 else if (request.EDNS.UdpPayloadSize > _udpPayloadSize)
    418. 

  418.                     sendBuffer = new byte[_udpPayloadSize];
    419. 

  419.                 else
    420. 

  420.                     sendBuffer = new byte[request.EDNS.UdpPayloadSize];
    421. 

  421. 

  422.                 using (MemoryStream sendBufferStream = new MemoryStream(sendBuffer))
    423. 

  423.                 {
    424. 

  424.                     try
    425. 

  425.                     {
    426. 

  426.                         response.WriteTo(sendBufferStream);
    427. 

  427.                     }
    428. 

  428.                     catch (NotSupportedException)
    429. 

  429.                     {
    430. 

  430.                         if (response.IsSigned)
    431. 

  431.                         {
    432. 

  432.                             //rfc8945 section 5.3
    433. 

  433.                             response = new DnsDatagram(response.Identifier, true, response.OPCODE, response.AuthoritativeAnswer, true, response.RecursionDesired, response.RecursionAvailable, response.AuthenticData, response.CheckingDisabled, DnsResponseCode.NoError, response.Question, null, null, new DnsResourceRecord[] { response.Additional[response.Additional.Count - 1] }, request.EDNS is null ? ushort.MinValue : _udpPayloadSize) { Tag = DnsServerResponseType.Authoritative };
    434. 

  434.                         }
    435. 

  435.                         else
    436. 

  436.                         {
    437. 

  437.                             switch (response.Question[0].Type)
    438. 

  438.                             {
    439. 

  439.                                 case DnsResourceRecordType.MX:
    440. 

  440.                                     //removing glue records and trying again since some mail servers fail to fallback to TCP on truncation
    441. 

  441.                                     response = response.CloneWithoutGlueRecords();
    442. 

  442.                                     sendBufferStream.Position = 0;
    443. 

  443. 

  444.                                     try
    445. 

  445.                                     {
    446. 

  446.                                         response.WriteTo(sendBufferStream);
    447. 

  447.                                     }
    448. 

  448.                                     catch (NotSupportedException)
    449. 

  449.                                     {
    450. 

  450.                                         //send TC since response is still big even after removing glue records
    451. 

  451.                                         response = new DnsDatagram(response.Identifier, true, response.OPCODE, response.AuthoritativeAnswer, true, response.RecursionDesired, response.RecursionAvailable, response.AuthenticData, response.CheckingDisabled, response.RCODE, response.Question, null, null, null, request.EDNS is null ? ushort.MinValue : _udpPayloadSize) { Tag = DnsServerResponseType.Authoritative };
    452. 

  452.                                     }
    453. 

  453.                                     break;
    454. 

  454. 

  455.                                 case DnsResourceRecordType.IXFR:
    456. 

  456.                                     response = new DnsDatagram(response.Identifier, true, response.OPCODE, response.AuthoritativeAnswer, false, response.RecursionDesired, response.RecursionAvailable, response.AuthenticData, response.CheckingDisabled, response.RCODE, response.Question, new DnsResourceRecord[] { response.Answer[0] }, null, null, request.EDNS is null ? ushort.MinValue : _udpPayloadSize) { Tag = DnsServerResponseType.Authoritative }; //truncate response
    457. 

  457.                                     break;
    458. 

  458. 

  459.                                 default:
    460. 

  460.                                     response = new DnsDatagram(response.Identifier, true, response.OPCODE, response.AuthoritativeAnswer, true, response.RecursionDesired, response.RecursionAvailable, response.AuthenticData, response.CheckingDisabled, response.RCODE, response.Question, null, null, null, request.EDNS is null ? ushort.MinValue : _udpPayloadSize) { Tag = DnsServerResponseType.Authoritative };
    461. 

  461.                                     break;
    462. 

  462.                             }
    463. 

  463.                         }
    464. 

  464. 

  465.                         sendBufferStream.Position = 0;
    466. 

  466.                         response.WriteTo(sendBufferStream);
    467. 

  467.                     }
    468. 

  468. 

  469.                     //send dns datagram async
    470. 

  470.                     await udpListener.SendToAsync(new ArraySegment<byte>(sendBuffer, 0, (int)sendBufferStream.Position), SocketFlags.None, remoteEP);
    471. 

  471.                 }
    472. 

  472. 

  473.                 _queryLog?.Write(remoteEP, DnsTransportProtocol.Udp, request, response);
    474. 

  474.                 _stats.QueueUpdate(request, remoteEP, DnsTransportProtocol.Udp, response);
    475. 

  475.             }
    476. 

  476.             catch (Exception ex)
    477. 

  477.             {
    478. 

  478.                 if ((_state == ServiceState.Stopping) || (_state == ServiceState.Stopped))
    479. 

  479.                     return; //server stopping
    480. 

  480. 

  481.                 _queryLog?.Write(remoteEP, DnsTransportProtocol.Udp, request, null);
    482. 

  482.                 _log?.Write(remoteEP, DnsTransportProtocol.Udp, ex);
    483. 

  483.             }
    484. 

  484.         }
    485. 

  485. 

  486.         private async Task AcceptConnectionAsync(Socket tcpListener, DnsTransportProtocol protocol)
    487. 

  487.         {
    488. 

  488.             IPEndPoint localEP = tcpListener.LocalEndPoint as IPEndPoint;
    489. 

  489. 

  490.             try
    491. 

  491.             {
    492. 

  492.                 tcpListener.SendTimeout = _tcpSendTimeout;
    493. 

  493.                 tcpListener.ReceiveTimeout = _tcpReceiveTimeout;
    494. 

  494.                 tcpListener.NoDelay = true;
    495. 

  495. 

  496.                 while (true)
    497. 

  497.                 {
    498. 

  498.                     Socket socket = await tcpListener.AcceptAsync();
    499. 

  499. 

  500.                     _ = ProcessConnectionAsync(socket, protocol);
    501. 

  501.                 }
    502. 

  502.             }
    503. 

  503.             catch (SocketException ex)
    504. 

  504.             {
    505. 

  505.                 if (ex.SocketErrorCode == SocketError.OperationAborted)
    506. 

  506.                     return; //server stopping
    507. 

  507. 

  508.                 _log?.Write(localEP, protocol, ex);
    509. 

  509.             }
    510. 

  510.             catch (ObjectDisposedException)
    511. 

  511.             {
    512. 

  512.                 //server stopped
    513. 

  513.             }
    514. 

  514.             catch (Exception ex)
    515. 

  515.             {
    516. 

  516.                 if ((_state == ServiceState.Stopping) || (_state == ServiceState.Stopped))
    517. 

  517.                     return; //server stopping
    518. 

  518. 

  519.                 _log?.Write(localEP, protocol, ex);
    520. 

  520.             }
    521. 

  521.         }
    522. 

  522. 

  523.         private async Task ProcessConnectionAsync(Socket socket, DnsTransportProtocol protocol)
    524. 

  524.         {
    525. 

  525.             IPEndPoint remoteEP = null;
    526. 

  526. 

  527.             try
    528. 

  528.             {
    529. 

  529.                 remoteEP = socket.RemoteEndPoint as IPEndPoint;
    530. 

  530. 

  531.                 switch (protocol)
    532. 

  532.                 {
    533. 

  533.                     case DnsTransportProtocol.Tcp:
    534. 

  534.                         await ReadStreamRequestAsync(new NetworkStream(socket), remoteEP, protocol);
    535. 

  535.                         break;
    536. 

  536. 

  537.                     case DnsTransportProtocol.Tls:
    538. 

  538.                         SslStream tlsStream = new SslStream(new NetworkStream(socket));
    539. 

  539.                         await tlsStream.AuthenticateAsServerAsync(_certificate).WithTimeout(_tcpReceiveTimeout);
    540. 

  540. 

  541.                         await ReadStreamRequestAsync(tlsStream, remoteEP, protocol);
    542. 

  542.                         break;
    543. 

  543. 

  544.                     default:
    545. 

  545.                         throw new InvalidOperationException();
    546. 

  546.                 }
    547. 

  547.             }
    548. 

  548.             catch (TimeoutException)
    549. 

  549.             {
    550. 

  550.                 //ignore timeout exception on TLS auth
    551. 

  551.             }
    552. 

  552.             catch (IOException)
    553. 

  553.             {
    554. 

  554.                 //ignore IO exceptions
    555. 

  555.             }
    556. 

  556.             catch (Exception ex)
    557. 

  557.             {
    558. 

  558.                 _log?.Write(remoteEP, protocol, ex);
    559. 

  559.             }
    560. 

  560.             finally
    561. 

  561.             {
    562. 

  562.                 socket.Dispose();
    563. 

  563.             }
    564. 

  564.         }
    565. 

  565. 

  566.         private async Task ReadStreamRequestAsync(Stream stream, IPEndPoint remoteEP, DnsTransportProtocol protocol)
    567. 

  567.         {
    568. 

  568.             try
    569. 

  569.             {
    570. 

  570.                 using MemoryStream readBuffer = new MemoryStream(64);
    571. 

  571.                 using MemoryStream writeBuffer = new MemoryStream(2048);
    572. 

  572.                 using SemaphoreSlim writeSemaphore = new SemaphoreSlim(1, 1);
    573. 

  573. 

  574.                 while (true)
    575. 

  575.                 {
    576. 

  576.                     if (IsQpmLimitCrossed(remoteEP.Address))
    577. 

  577.                         break;
    578. 

  578. 

  579.                     DnsDatagram request;
    580. 

  580. 

  581.                     //read dns datagram with timeout
    582. 

  582.                     using (CancellationTokenSource cancellationTokenSource = new CancellationTokenSource())
    583. 

  583.                     {
    584. 

  584.                         Task<DnsDatagram> task = DnsDatagram.ReadFromTcpAsync(stream, readBuffer, cancellationTokenSource.Token);
    585. 

  585. 

  586.                         if (await Task.WhenAny(task, Task.Delay(_tcpReceiveTimeout, cancellationTokenSource.Token)) != task)
    587. 

  587.                         {
    588. 

  588.                             //read timed out
    589. 

  589.                             await stream.DisposeAsync();
    590. 

  590.                             return;
    591. 

  591.                         }
    592. 

  592. 

  593.                         cancellationTokenSource.Cancel(); //cancel delay task
    594. 

  594. 

  595.                         request = await task;
    596. 

  596.                     }
    597. 

  597. 

  598.                     //process request async
    599. 

  599.                     _ = ProcessStreamRequestAsync(stream, writeBuffer, writeSemaphore, remoteEP, request, protocol);
    600. 

  600.                 }
    601. 

  601.             }
    602. 

  602.             catch (ObjectDisposedException)
    603. 

  603.             {
    604. 

  604.                 //ignore
    605. 

  605.             }
    606. 

  606.             catch (IOException)
    607. 

  607.             {
    608. 

  608.                 //ignore IO exceptions
    609. 

  609.             }
    610. 

  610.             catch (Exception ex)
    611. 

  611.             {
    612. 

  612.                 _log?.Write(remoteEP, protocol, ex);
    613. 

  613.             }
    614. 

  614.         }
    615. 

  615. 

  616.         private async Task ProcessStreamRequestAsync(Stream stream, MemoryStream writeBuffer, SemaphoreSlim writeSemaphore, IPEndPoint remoteEP, DnsDatagram request, DnsTransportProtocol protocol)
    617. 

  617.         {
    618. 

  618.             try
    619. 

  619.             {
    620. 

  620.                 DnsDatagram response = await PreProcessQueryAsync(request, remoteEP, protocol, IsRecursionAllowed(remoteEP.Address));
    621. 

  621.                 if (response is null)
    622. 

  622.                 {
    623. 

  623.                     await stream.DisposeAsync();
    624. 

  624.                     return; //drop request
    625. 

  625.                 }
    626. 

  626. 

  627.                 //send response
    628. 

  628.                 await writeSemaphore.WaitAsync();
    629. 

  629.                 try
    630. 

  630.                 {
    631. 

  631.                     //send dns datagram
    632. 

  632.                     await response.WriteToTcpAsync(stream, writeBuffer);
    633. 

  633.                     await stream.FlushAsync();
    634. 

  634.                 }
    635. 

  635.                 finally
    636. 

  636.                 {
    637. 

  637.                     writeSemaphore.Release();
    638. 

  638.                 }
    639. 

  639. 

  640.                 _queryLog?.Write(remoteEP, protocol, request, response);
    641. 

  641.                 _stats.QueueUpdate(request, remoteEP, protocol, response);
    642. 

  642.             }
    643. 

  643.             catch (ObjectDisposedException)
    644. 

  644.             {
    645. 

  645.                 //ignore
    646. 

  646.             }
    647. 

  647.             catch (IOException)
    648. 

  648.             {
    649. 

  649.                 //ignore IO exceptions
    650. 

  650.             }
    651. 

  651.             catch (Exception ex)
    652. 

  652.             {
    653. 

  653.                 if (request is not null)
    654. 

  654.                     _queryLog.Write(remoteEP, protocol, request, null);
    655. 

  655. 

  656.                 _log?.Write(remoteEP, protocol, ex);
    657. 

  657.             }
    658. 

  658.         }
    659. 

  659. 

  660.         private async Task AcceptQuicConnectionAsync(QuicListener quicListener)
    661. 

  661.         {
    662. 

  662.             try
    663. 

  663.             {
    664. 

  664.                 while (true)
    665. 

  665.                 {
    666. 

  666.                     QuicConnection quicConnection = await quicListener.AcceptConnectionAsync();
    667. 

  667. 

  668.                     _ = ProcessQuicConnectionAsync(quicConnection);
    669. 

  669.                 }
    670. 

  670.             }
    671. 

  671.             catch (ObjectDisposedException)
    672. 

  672.             {
    673. 

  673.                 //server stopped
    674. 

  674.             }
    675. 

  675.             catch (Exception ex)
    676. 

  676.             {
    677. 

  677.                 if ((_state == ServiceState.Stopping) || (_state == ServiceState.Stopped))
    678. 

  678.                     return; //server stopping
    679. 

  679. 

  680.                 _log?.Write(quicListener.LocalEndPoint, DnsTransportProtocol.Quic, ex);
    681. 

  681.             }
    682. 

  682.         }
    683. 

  683. 

  684.         private async Task ProcessQuicConnectionAsync(QuicConnection quicConnection)
    685. 

  685.         {
    686. 

  686.             try
    687. 

  687.             {
    688. 

  688.                 while (true)
    689. 

  689.                 {
    690. 

  690.                     if (IsQpmLimitCrossed(quicConnection.RemoteEndPoint.Address))
    691. 

  691.                         break;
    692. 

  692. 

  693.                     QuicStream quicStream = await quicConnection.AcceptInboundStreamAsync();
    694. 

  694. 

  695.                     _ = ProcessQuicStreamRequestAsync(quicStream, quicConnection.RemoteEndPoint);
    696. 

  696.                 }
    697. 

  697.             }
    698. 

  698.             catch (QuicException ex)
    699. 

  699.             {
    700. 

  700.                 switch (ex.QuicError)
    701. 

  701.                 {
    702. 

  702.                     case QuicError.ConnectionIdle:
    703. 

  703.                     case QuicError.ConnectionAborted:
    704. 

  704.                     case QuicError.ConnectionTimeout:
    705. 

  705.                         break;
    706. 

  706. 

  707.                     default:
    708. 

  708.                         _log?.Write(quicConnection.RemoteEndPoint, DnsTransportProtocol.Quic, ex);
    709. 

  709.                         break;
    710. 

  710.                 }
    711. 

  711.             }
    712. 

  712.             catch (Exception ex)
    713. 

  713.             {
    714. 

  714.                 _log?.Write(quicConnection.RemoteEndPoint, DnsTransportProtocol.Quic, ex);
    715. 

  715.             }
    716. 

  716.             finally
    717. 

  717.             {
    718. 

  718.                 await quicConnection.DisposeAsync();
    719. 

  719.             }
    720. 

  720.         }
    721. 

  721. 

  722.         private async Task ProcessQuicStreamRequestAsync(QuicStream quicStream, IPEndPoint remoteEP)
    723. 

  723.         {
    724. 

  724.             MemoryStream sharedBuffer = new MemoryStream(512);
    725. 

  725.             DnsDatagram request = null;
    726. 

  726. 

  727.             try
    728. 

  728.             {
    729. 

  729.                 //read dns datagram with timeout
    730. 

  730.                 using (CancellationTokenSource cancellationTokenSource = new CancellationTokenSource())
    731. 

  731.                 {
    732. 

  732.                     Task<DnsDatagram> task = DnsDatagram.ReadFromTcpAsync(quicStream, sharedBuffer, cancellationTokenSource.Token);
    733. 

  733. 

  734.                     if (await Task.WhenAny(task, Task.Delay(_tcpReceiveTimeout, cancellationTokenSource.Token)) != task)
    735. 

  735.                     {
    736. 

  736.                         //read timed out
    737. 

  737.                         quicStream.Abort(QuicAbortDirection.Both, (long)DnsOverQuicErrorCodes.DOQ_UNSPECIFIED_ERROR);
    738. 

  738.                         return;
    739. 

  739.                     }
    740. 

  740. 

  741.                     cancellationTokenSource.Cancel(); //cancel delay task
    742. 

  742. 

  743.                     request = await task;
    744. 

  744.                 }
    745. 

  745. 

  746.                 //process request async
    747. 

  747.                 DnsDatagram response = await PreProcessQueryAsync(request, remoteEP, DnsTransportProtocol.Quic, IsRecursionAllowed(remoteEP.Address));
    748. 

  748.                 if (response is null)
    749. 

  749.                     return; //drop request
    750. 

  750. 

  751.                 //send response
    752. 

  752.                 await response.WriteToTcpAsync(quicStream, sharedBuffer);
    753. 

  753. 

  754.                 _queryLog?.Write(remoteEP, DnsTransportProtocol.Quic, request, response);
    755. 

  755.                 _stats.QueueUpdate(request, remoteEP, DnsTransportProtocol.Quic, response);
    756. 

  756.             }
    757. 

  757.             catch (IOException)
    758. 

  758.             {
    759. 

  759.                 //ignore QuicException / IOException
    760. 

  760.             }
    761. 

  761.             catch (Exception ex)
    762. 

  762.             {
    763. 

  763.                 if (request is not null)
    764. 

  764.                     _queryLog.Write(remoteEP, DnsTransportProtocol.Quic, request, null);
    765. 

  765. 

  766.                 _log?.Write(remoteEP, DnsTransportProtocol.Quic, ex);
    767. 

  767.             }
    768. 

  768.             finally
    769. 

  769.             {
    770. 

  770.                 await sharedBuffer.DisposeAsync();
    771. 

  771.                 await quicStream.DisposeAsync();
    772. 

  772.             }
    773. 

  773.         }
    774. 

  774. 

  775.         private async Task ProcessDoHRequestAsync(HttpContext context)
    776. 

  776.         {
    777. 

  777.             IPEndPoint remoteEP = context.GetRemoteEndPoint();
    778. 

  778.             DnsDatagram dnsRequest = null;
    779. 

  779. 

  780.             try
    781. 

  781.             {
    782. 

  782.                 HttpRequest request = context.Request;
    783. 

  783.                 HttpResponse response = context.Response;
    784. 

  784. 

  785.                 if (IsQpmLimitCrossed(remoteEP.Address))
    786. 

  786.                 {
    787. 

  787.                     response.StatusCode = 429;
    788. 

  788.                     await response.WriteAsync("Too Many Requests");
    789. 

  789.                     return;
    790. 

  790.                 }
    791. 

  791. 

  792.                 if (!request.IsHttps)
    793. 

  793.                 {
    794. 

  794.                     //get the actual connection remote EP
    795. 

  795.                     IPEndPoint connectionEp = context.GetRemoteEndPoint(true);
    796. 

  796. 

  797.                     if (!NetUtilities.IsPrivateIP(connectionEp.Address))
    798. 

  798.                     {
    799. 

  799.                         //intentionally blocking public IP addresses from using DNS-over-HTTP (without TLS)
    800. 

  800.                         //this feature is intended to be used with an SSL terminated reverse proxy like nginx on private network
    801. 

  801.                         response.StatusCode = 403;
    802. 

  802.                         await response.WriteAsync("DNS-over-HTTPS (DoH) queries are supported only on HTTPS.");
    803. 

  803.                         return;
    804. 

  804.                     }
    805. 

  805.                 }
    806. 

  806. 

  807.                 switch (request.Method)
    808. 

  808.                 {
    809. 

  809.                     case "GET":
    810. 

  810.                         bool acceptsDoH = false;
    811. 

  811.                         string requestAccept = request.Headers["Accept"];
    812. 

  812.                         if (!string.IsNullOrEmpty(requestAccept))
    813. 

  813.                         {
    814. 

  814.                             foreach (string mediaType in requestAccept.Split(','))
    815. 

  815.                             {
    816. 

  816.                                 if (mediaType.Equals("application/dns-message", StringComparison.OrdinalIgnoreCase))
    817. 

  817.                                 {
    818. 

  818.                                     acceptsDoH = true;
    819. 

  819.                                     break;
    820. 

  820.                                 }
    821. 

  821.                             }
    822. 

  822.                         }
    823. 

  823. 

  824.                         if (!acceptsDoH)
    825. 

  825.                         {
    826. 

  826.                             response.Redirect((request.IsHttps ? "https://" : "http://") + request.Headers["Host"]);
    827. 

  827.                             return;
    828. 

  828.                         }
    829. 

  829. 

  830.                         string dnsRequestBase64Url = request.Query["dns"];
    831. 

  831.                         if (string.IsNullOrEmpty(dnsRequestBase64Url))
    832. 

  832.                         {
    833. 

  833.                             response.StatusCode = 400;
    834. 

  834.                             await response.WriteAsync("Bad Request");
    835. 

  835.                             return;
    836. 

  836.                         }
    837. 

  837. 

  838.                         //convert from base64url to base64
    839. 

  839.                         dnsRequestBase64Url = dnsRequestBase64Url.Replace('-', '+');
    840. 

  840.                         dnsRequestBase64Url = dnsRequestBase64Url.Replace('_', '/');
    841. 

  841. 

  842.                         //add padding
    843. 

  843.                         int x = dnsRequestBase64Url.Length % 4;
    844. 

  844.                         if (x > 0)
    845. 

  845.                             dnsRequestBase64Url = dnsRequestBase64Url.PadRight(dnsRequestBase64Url.Length - x + 4, '=');
    846. 

  846. 

  847.                         using (MemoryStream mS = new MemoryStream(Convert.FromBase64String(dnsRequestBase64Url)))
    848. 

  848.                         {
    849. 

  849.                             dnsRequest = DnsDatagram.ReadFrom(mS);
    850. 

  850.                         }
    851. 

  851. 

  852.                         break;
    853. 

  853. 

  854.                     case "POST":
    855. 

  855.                         if (!string.Equals(request.Headers["Content-Type"], "application/dns-message", StringComparison.OrdinalIgnoreCase))
    856. 

  856.                         {
    857. 

  857.                             response.StatusCode = 415;
    858. 

  858.                             await response.WriteAsync("Unsupported Media Type");
    859. 

  859.                             return;
    860. 

  860.                         }
    861. 

  861. 

  862.                         using (MemoryStream mS = new MemoryStream(32))
    863. 

  863.                         {
    864. 

  864.                             await request.Body.CopyToAsync(mS, 32);
    865. 

  865. 

  866.                             mS.Position = 0;
    867. 

  867.                             dnsRequest = DnsDatagram.ReadFrom(mS);
    868. 

  868.                         }
    869. 

  869. 

  870.                         break;
    871. 

  871. 

  872.                     default:
    873. 

  873.                         throw new InvalidOperationException();
    874. 

  874.                 }
    875. 

  875. 

  876.                 DnsDatagram dnsResponse = await PreProcessQueryAsync(dnsRequest, remoteEP, DnsTransportProtocol.Https, IsRecursionAllowed(remoteEP.Address));
    877. 

  877.                 if (dnsResponse is null)
    878. 

  878.                 {
    879. 

  879.                     //drop request
    880. 

  880.                     context.Connection.RequestClose();
    881. 

  881.                     return;
    882. 

  882.                 }
    883. 

  883. 

  884.                 using (MemoryStream mS = new MemoryStream(512))
    885. 

  885.                 {
    886. 

  886.                     dnsResponse.WriteTo(mS);
    887. 

  887. 

  888.                     mS.Position = 0;
    889. 

  889.                     response.ContentType = "application/dns-message";
    890. 

  890.                     response.ContentLength = mS.Length;
    891. 

  891. 

  892.                     using (Stream s = response.Body)
    893. 

  893.                     {
    894. 

  894.                         await mS.CopyToAsync(s, 512);
    895. 

  895.                     }
    896. 

  896.                 }
    897. 

  897. 

  898.                 _queryLog?.Write(remoteEP, DnsTransportProtocol.Https, dnsRequest, dnsResponse);
    899. 

  899.                 _stats.QueueUpdate(dnsRequest, remoteEP, DnsTransportProtocol.Https, dnsResponse);
    900. 

  900.             }
    901. 

  901.             catch (Exception ex)
    902. 

  902.             {
    903. 

  903.                 if (dnsRequest is not null)
    904. 

  904.                     _queryLog?.Write(remoteEP, DnsTransportProtocol.Https, dnsRequest, null);
    905. 

  905. 

  906.                 _log?.Write(remoteEP, DnsTransportProtocol.Https, ex);
    907. 

  907.             }
    908. 

  908.         }
    909. 

  909. 

  910.         private bool IsRecursionAllowed(IPAddress remoteIP)
    911. 

  911.         {
    912. 

  912.             switch (_recursion)
    913. 

  913.             {
    914. 

  914.                 case DnsServerRecursion.Allow:
    915. 

  915.                     return true;
    916. 

  916. 

  917.                 case DnsServerRecursion.AllowOnlyForPrivateNetworks:
    918. 

  918.                     switch (remoteIP.AddressFamily)
    919. 

  919.                     {
    920. 

  920.                         case AddressFamily.InterNetwork:
    921. 

  921.                         case AddressFamily.InterNetworkV6:
    922. 

  922.                             return NetUtilities.IsPrivateIP(remoteIP);
    923. 

  923. 

  924.                         default:
    925. 

  925.                             return false;
    926. 

  926.                     }
    927. 

  927. 

  928.                 case DnsServerRecursion.UseSpecifiedNetworks:
    929. 

  929.                     if (_recursionDeniedNetworks is not null)
    930. 

  930.                     {
    931. 

  931.                         foreach (NetworkAddress deniedNetworkAddress in _recursionDeniedNetworks)
    932. 

  932.                         {
    933. 

  933.                             if (deniedNetworkAddress.Contains(remoteIP))
    934. 

  934.                                 return false;
    935. 

  935.                         }
    936. 

  936.                     }
    937. 

  937. 

  938.                     if (_recursionAllowedNetworks is not null)
    939. 

  939.                     {
    940. 

  940.                         foreach (NetworkAddress allowedNetworkAddress in _recursionAllowedNetworks)
    941. 

  941.                         {
    942. 

  942.                             if (allowedNetworkAddress.Contains(remoteIP))
    943. 

  943.                                 return true;
    944. 

  944.                         }
    945. 

  945.                     }
    946. 

  946. 

  947.                     if (IPAddress.IsLoopback(remoteIP))
    948. 

  948.                         return true;
    949. 

  949. 

  950.                     return false;
    951. 

  951. 

  952.                 default:
    953. 

  953.                     return false;
    954. 

  954.             }
    955. 

  955.         }
    956. 

  956. 

  957.         private async Task<DnsDatagram> PreProcessQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, bool isRecursionAllowed)
    958. 

  958.         {
    959. 

  959.             foreach (IDnsRequestController requestController in _dnsApplicationManager.DnsRequestControllers)
    960. 

  960.             {
    961. 

  961.                 try
    962. 

  962.                 {
    963. 

  963.                     DnsRequestControllerAction action = await requestController.GetRequestActionAsync(request, remoteEP, protocol);
    964. 

  964.                     switch (action)
    965. 

  965.                     {
    966. 

  966.                         case DnsRequestControllerAction.DropSilently:
    967. 

  967.                             return null; //drop request
    968. 

  968. 

  969.                         case DnsRequestControllerAction.DropWithRefused:
    970. 

  970.                             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.Refused, request.Question, null, null, null, request.EDNS is null ? ushort.MinValue : _udpPayloadSize, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None) { Tag = DnsServerResponseType.Authoritative }; //drop request with refused
    971. 

  971.                     }
    972. 

  972.                 }
    973. 

  973.                 catch (Exception ex)
    974. 

  974.                 {
    975. 

  975.                     _log?.Write(remoteEP, protocol, ex);
    976. 

  976.                 }
    977. 

  977.             }
    978. 

  978. 

  979.             if (request.ParsingException is not null)
    980. 

  980.             {
    981. 

  981.                 //format error
    982. 

  982.                 if (request.ParsingException is not IOException)
    983. 

  983.                     _log?.Write(remoteEP, protocol, request.ParsingException);
    984. 

  984. 

  985.                 //format error response
    986. 

  986.                 return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.FormatError, request.Question, null, null, null, request.EDNS is null ? ushort.MinValue : _udpPayloadSize, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None) { Tag = DnsServerResponseType.Authoritative };
    987. 

  987.             }
    988. 

  988. 

  989.             if (request.IsSigned)
    990. 

  990.             {
    991. 

  991.                 if (!request.VerifySignedRequest(_tsigKeys, out DnsDatagram unsignedRequest, out DnsDatagram errorResponse))
    992. 

  992.                 {
    993. 

  993.                     _log?.Write(remoteEP, protocol, "DNS Server received a request that failed TSIG signature verification (RCODE: " + errorResponse.RCODE + "; TSIG Error: " + errorResponse.TsigError + ")");
    994. 

  994. 

  995.                     errorResponse.Tag = DnsServerResponseType.Authoritative;
    996. 

  996.                     return errorResponse;
    997. 

  997.                 }
    998. 

  998. 

  999.                 DnsDatagram unsignedResponse = await PostProcessQueryAsync(request, remoteEP, protocol, await ProcessQueryAsync(unsignedRequest, remoteEP, protocol, isRecursionAllowed, false, request.TsigKeyName));
    1000. 

  1000.                 return unsignedResponse.SignResponse(request, _tsigKeys);
    1001. 

  1001.             }
    1002. 

  1002. 

  1003.             if (request.EDNS is not null)
    1004. 

  1004.             {
    1005. 

  1005.                 if (request.EDNS.Version != 0)
    1006. 

  1006.                     return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.BADVERS, request.Question, null, null, null, _udpPayloadSize, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None) { Tag = DnsServerResponseType.Authoritative };
    1007. 

  1007.             }
    1008. 

  1008. 

  1009.             return await PostProcessQueryAsync(request, remoteEP, protocol, await ProcessQueryAsync(request, remoteEP, protocol, isRecursionAllowed, false, null));
    1010. 

  1010.         }
    1011. 

  1011. 

  1012.         private async Task<DnsDatagram> PostProcessQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, DnsDatagram response)
    1013. 

  1013.         {
    1014. 

  1014.             foreach (IDnsPostProcessor postProcessor in _dnsApplicationManager.DnsPostProcessors)
    1015. 

  1015.             {
    1016. 

  1016.                 try
    1017. 

  1017.                 {
    1018. 

  1018.                     response = await postProcessor.PostProcessAsync(request, remoteEP, protocol, response);
    1019. 

  1019.                 }
    1020. 

  1020.                 catch (Exception ex)
    1021. 

  1021.                 {
    1022. 

  1022.                     _log?.Write(remoteEP, protocol, ex);
    1023. 

  1023.                 }
    1024. 

  1024.             }
    1025. 

  1025. 

  1026.             if (request.EDNS is null)
    1027. 

  1027.             {
    1028. 

  1028.                 if (response.EDNS is not null)
    1029. 

  1029.                     response = response.CloneWithoutEDns();
    1030. 

  1030. 

  1031.                 return response;
    1032. 

  1032.             }
    1033. 

  1033. 

  1034.             if (response.EDNS is not null)
    1035. 

  1035.                 return response;
    1036. 

  1036. 

  1037.             IReadOnlyList<EDnsOption> options = null;
    1038. 

  1038. 

  1039.             EDnsClientSubnetOptionData requestECS = request.GetEDnsClientSubnetOption(true);
    1040. 

  1040.             if ((requestECS is not null) && (request.Question.Count == 1) && CacheZone.IsTypeSupportedForEDnsClientSubnet(request.Question[0].Type))
    1041. 

  1041.                 options = EDnsClientSubnetOptionData.GetEDnsClientSubnetOption(requestECS.SourcePrefixLength, 0, requestECS.Address);
    1042. 

  1042. 

  1043.             if (response.Additional.Count == 0)
    1044. 

  1044.                 return response.Clone(null, null, new DnsResourceRecord[] { DnsDatagramEdns.GetOPTFor(_udpPayloadSize, response.RCODE, 0, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options) });
    1045. 

  1045. 

  1046.             if (response.IsSigned)
    1047. 

  1047.                 return response;
    1048. 

  1048. 

  1049.             DnsResourceRecord[] newAdditional = new DnsResourceRecord[response.Additional.Count + 1];
    1050. 

  1050. 

  1051.             for (int i = 0; i < response.Additional.Count; i++)
    1052. 

  1052.                 newAdditional[i] = response.Additional[i];
    1053. 

  1053. 

  1054.             newAdditional[response.Additional.Count] = DnsDatagramEdns.GetOPTFor(_udpPayloadSize, response.RCODE, 0, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options);
    1055. 

  1055. 

  1056.             return response.Clone(null, null, newAdditional);
    1057. 

  1057.         }
    1058. 

  1058. 

  1059.         private async Task<DnsDatagram> ProcessQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, bool isRecursionAllowed, bool skipDnsAppAuthoritativeRequestHandlers, string tsigAuthenticatedKeyName)
    1060. 

  1060.         {
    1061. 

  1061.             if (request.IsResponse)
    1062. 

  1062.                 return null; //drop response datagram to avoid loops in rare scenarios
    1063. 

  1063. 

  1064.             switch (request.OPCODE)
    1065. 

  1065.             {
    1066. 

  1066.                 case DnsOpcode.StandardQuery:
    1067. 

  1067.                     if (request.Question.Count != 1)
    1068. 

  1068.                         return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1069. 

  1069. 

  1070.                     if (request.Question[0].Class != DnsClass.IN)
    1071. 

  1071.                         return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1072. 

  1072. 

  1073.                     try
    1074. 

  1074.                     {
    1075. 

  1075.                         DnsQuestionRecord question = request.Question[0];
    1076. 

  1076. 

  1077.                         switch (question.Type)
    1078. 

  1078.                         {
    1079. 

  1079.                             case DnsResourceRecordType.AXFR:
    1080. 

  1080.                                 if (protocol == DnsTransportProtocol.Udp)
    1081. 

  1081.                                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1082. 

  1082. 

  1083.                                 return await ProcessZoneTransferQueryAsync(request, remoteEP, protocol, tsigAuthenticatedKeyName);
    1084. 

  1084. 

  1085.                             case DnsResourceRecordType.IXFR:
    1086. 

  1086.                                 return await ProcessZoneTransferQueryAsync(request, remoteEP, protocol, tsigAuthenticatedKeyName);
    1087. 

  1087. 

  1088.                             case DnsResourceRecordType.FWD:
    1089. 

  1089.                             case DnsResourceRecordType.APP:
    1090. 

  1090.                                 return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1091. 

  1091.                         }
    1092. 

  1092. 

  1093.                         //query authoritative zone
    1094. 

  1094.                         DnsDatagram response = await ProcessAuthoritativeQueryAsync(request, remoteEP, protocol, isRecursionAllowed, skipDnsAppAuthoritativeRequestHandlers);
    1095. 

  1095.                         if (response is not null)
    1096. 

  1096.                         {
    1097. 

  1097.                             if ((question.Type == DnsResourceRecordType.ANY) && (protocol == DnsTransportProtocol.Udp)) //force TCP for ANY request
    1098. 

  1098.                                 return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, true, true, request.RecursionDesired, isRecursionAllowed, false, false, response.RCODE, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1099. 

  1099. 

  1100.                             return response;
    1101. 

  1101.                         }
    1102. 

  1102. 

  1103.                         if (!request.RecursionDesired || !isRecursionAllowed)
    1104. 

  1104.                             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1105. 

  1105. 

  1106.                         //do recursive query
    1107. 

  1107.                         if ((question.Type == DnsResourceRecordType.ANY) && (protocol == DnsTransportProtocol.Udp)) //force TCP for ANY request
    1108. 

  1108.                             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, true, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.NoError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1109. 

  1109. 

  1110.                         return await ProcessRecursiveQueryAsync(request, remoteEP, protocol, null, _dnssecValidation, false, skipDnsAppAuthoritativeRequestHandlers);
    1111. 

  1111.                     }
    1112. 

  1112.                     catch (InvalidDomainNameException)
    1113. 

  1113.                     {
    1114. 

  1114.                         //format error response
    1115. 

  1115.                         return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1116. 

  1116.                     }
    1117. 

  1117.                     catch (Exception ex)
    1118. 

  1118.                     {
    1119. 

  1119.                         _log?.Write(remoteEP, protocol, ex);
    1120. 

  1120. 

  1121.                         return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.ServerFailure, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1122. 

  1122.                     }
    1123. 

  1123. 

  1124.                 case DnsOpcode.Notify:
    1125. 

  1125.                     return await ProcessNotifyQueryAsync(request, remoteEP, protocol);
    1126. 

  1126. 

  1127.                 case DnsOpcode.Update:
    1128. 

  1128.                     return await ProcessUpdateQueryAsync(request, remoteEP, protocol, tsigAuthenticatedKeyName);
    1129. 

  1129. 

  1130.                 default:
    1131. 

  1131.                     return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.NotImplemented, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1132. 

  1132.             }
    1133. 

  1133.         }
    1134. 

  1134. 

  1135.         private async Task<DnsDatagram> ProcessNotifyQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol)
    1136. 

  1136.         {
    1137. 

  1137.             AuthZoneInfo authZoneInfo = _authZoneManager.GetAuthZoneInfo(request.Question[0].Name);
    1138. 

  1138.             if ((authZoneInfo is null) || (authZoneInfo.Type != AuthZoneType.Secondary) || authZoneInfo.Disabled)
    1139. 

  1139.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.Notify, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1140. 

  1140. 

  1141.             IPAddress remoteAddress = remoteEP.Address;
    1142. 

  1142.             bool remoteVerified = false;
    1143. 

  1143. 

  1144.             IReadOnlyList<NameServerAddress> primaryNameServers = await authZoneInfo.GetPrimaryNameServerAddressesAsync(this);
    1145. 

  1145. 

  1146.             foreach (NameServerAddress primaryNameServer in primaryNameServers)
    1147. 

  1147.             {
    1148. 

  1148.                 if (primaryNameServer.IPEndPoint.Address.Equals(remoteAddress))
    1149. 

  1149.                 {
    1150. 

  1150.                     remoteVerified = true;
    1151. 

  1151.                     break;
    1152. 

  1152.                 }
    1153. 

  1153.             }
    1154. 

  1154. 

  1155.             if (!remoteVerified)
    1156. 

  1156.             {
    1157. 

  1157.                 _log?.Write(remoteEP, protocol, "DNS Server refused a NOTIFY request since the request IP address was not recognized by the secondary zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1158. 

  1158. 

  1159.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.Notify, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1160. 

  1160.             }
    1161. 

  1161. 

  1162.             _log?.Write(remoteEP, protocol, "DNS Server received a NOTIFY request for secondary zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1163. 

  1163. 

  1164.             if ((request.Answer.Count > 0) && (request.Answer[0].Type == DnsResourceRecordType.SOA))
    1165. 

  1165.             {
    1166. 

  1166.                 IReadOnlyList<DnsResourceRecord> localSoaRecords = authZoneInfo.GetApexRecords(DnsResourceRecordType.SOA);
    1167. 

  1167. 

  1168.                 if (!DnsSOARecordData.IsZoneUpdateAvailable((localSoaRecords[0].RDATA as DnsSOARecordData).Serial, (request.Answer[0].RDATA as DnsSOARecordData).Serial))
    1169. 

  1169.                 {
    1170. 

  1170.                     //no update was available
    1171. 

  1171.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.Notify, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1172. 

  1172.                 }
    1173. 

  1173.             }
    1174. 

  1174. 

  1175.             authZoneInfo.TriggerRefresh();
    1176. 

  1176.             return new DnsDatagram(request.Identifier, true, DnsOpcode.Notify, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1177. 

  1177.         }
    1178. 

  1178. 

  1179.         private async Task<DnsDatagram> ProcessUpdateQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, string tsigAuthenticatedKeyName)
    1180. 

  1180.         {
    1181. 

  1181.             if ((request.Question.Count != 1) || (request.Question[0].Type != DnsResourceRecordType.SOA))
    1182. 

  1182.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1183. 

  1183. 

  1184.             if (request.Question[0].Class != DnsClass.IN)
    1185. 

  1185.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NotAuth, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1186. 

  1186. 

  1187.             AuthZoneInfo authZoneInfo = _authZoneManager.GetAuthZoneInfo(request.Question[0].Name);
    1188. 

  1188.             if ((authZoneInfo is null) || authZoneInfo.Disabled)
    1189. 

  1189.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NotAuth, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1190. 

  1190. 

  1191.             _log?.Write(remoteEP, protocol, "DNS Server received a zone UPDATE request for zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1192. 

  1192. 

  1193.             async Task<bool> IsZoneNameServerAllowedAsync()
    1194. 

  1194.             {
    1195. 

  1195.                 IPAddress remoteAddress = remoteEP.Address;
    1196. 

  1196.                 IReadOnlyList<NameServerAddress> secondaryNameServers = await authZoneInfo.GetSecondaryNameServerAddressesAsync(this);
    1197. 

  1197. 

  1198.                 foreach (NameServerAddress secondaryNameServer in secondaryNameServers)
    1199. 

  1199.                 {
    1200. 

  1200.                     if (secondaryNameServer.IPEndPoint.Address.Equals(remoteAddress))
    1201. 

  1201.                         return true;
    1202. 

  1202.                 }
    1203. 

  1203. 

  1204.                 return false;
    1205. 

  1205.             }
    1206. 

  1206. 

  1207.             bool IsSpecifiedIpAddressAllowed()
    1208. 

  1208.             {
    1209. 

  1209.                 IPAddress remoteAddress = remoteEP.Address;
    1210. 

  1210.                 IReadOnlyCollection<IPAddress> specifiedIpAddresses = authZoneInfo.UpdateIpAddresses;
    1211. 

  1211.                 if (specifiedIpAddresses is not null)
    1212. 

  1212.                 {
    1213. 

  1213.                     foreach (IPAddress specifiedIpAddress in specifiedIpAddresses)
    1214. 

  1214.                     {
    1215. 

  1215.                         if (specifiedIpAddress.Equals(remoteAddress))
    1216. 

  1216.                             return true;
    1217. 

  1217.                     }
    1218. 

  1218.                 }
    1219. 

  1219. 

  1220.                 return false;
    1221. 

  1221.             }
    1222. 

  1222. 

  1223.             async Task<bool> IsUpdatePermittedAsync()
    1224. 

  1224.             {
    1225. 

  1225.                 bool isUpdateAllowed;
    1226. 

  1226. 

  1227.                 switch (authZoneInfo.Update)
    1228. 

  1228.                 {
    1229. 

  1229.                     case AuthZoneUpdate.Allow:
    1230. 

  1230.                         isUpdateAllowed = true;
    1231. 

  1231.                         break;
    1232. 

  1232. 

  1233.                     case AuthZoneUpdate.AllowOnlyZoneNameServers:
    1234. 

  1234.                         isUpdateAllowed = await IsZoneNameServerAllowedAsync();
    1235. 

  1235.                         break;
    1236. 

  1236. 

  1237.                     case AuthZoneUpdate.AllowOnlySpecifiedIpAddresses:
    1238. 

  1238.                         isUpdateAllowed = IsSpecifiedIpAddressAllowed();
    1239. 

  1239.                         break;
    1240. 

  1240. 

  1241.                     case AuthZoneUpdate.AllowBothZoneNameServersAndSpecifiedIpAddresses:
    1242. 

  1242.                         isUpdateAllowed = IsSpecifiedIpAddressAllowed() || await IsZoneNameServerAllowedAsync();
    1243. 

  1243.                         break;
    1244. 

  1244. 

  1245.                     case AuthZoneUpdate.Deny:
    1246. 

  1246.                     default:
    1247. 

  1247.                         isUpdateAllowed = false;
    1248. 

  1248.                         break;
    1249. 

  1249.                 }
    1250. 

  1250. 

  1251.                 if (!isUpdateAllowed)
    1252. 

  1252.                 {
    1253. 

  1253.                     _log?.Write(remoteEP, protocol, "DNS Server refused a zone UPDATE request since the request IP address is not allowed by the zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1254. 

  1254. 

  1255.                     return false;
    1256. 

  1256.                 }
    1257. 

  1257. 

  1258.                 //check security policies
    1259. 

  1259.                 if ((authZoneInfo.UpdateSecurityPolicies is not null) && (authZoneInfo.UpdateSecurityPolicies.Count > 0))
    1260. 

  1260.                 {
    1261. 

  1261.                     if ((tsigAuthenticatedKeyName is null) || !authZoneInfo.UpdateSecurityPolicies.TryGetValue(tsigAuthenticatedKeyName.ToLower(), out IReadOnlyDictionary<string, IReadOnlyList<DnsResourceRecordType>> policyMap))
    1262. 

  1262.                     {
    1263. 

  1263.                         _log?.Write(remoteEP, protocol, "DNS Server refused a zone UPDATE request since the request is missing TSIG auth required by the zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1264. 

  1264. 

  1265.                         return false;
    1266. 

  1266.                     }
    1267. 

  1267. 

  1268.                     //check policy
    1269. 

  1269.                     foreach (DnsResourceRecord uRecord in request.Authority)
    1270. 

  1270.                     {
    1271. 

  1271.                         bool isPermitted = false;
    1272. 

  1272. 

  1273.                         foreach (KeyValuePair<string, IReadOnlyList<DnsResourceRecordType>> policy in policyMap)
    1274. 

  1274.                         {
    1275. 

  1275.                             if (
    1276. 

  1276.                                   uRecord.Name.Equals(policy.Key, StringComparison.OrdinalIgnoreCase) ||
    1277. 

  1277.                                   (policy.Key.StartsWith("*.") && uRecord.Name.EndsWith(policy.Key.Substring(1), StringComparison.OrdinalIgnoreCase))
    1278. 

  1278.                                )
    1279. 

  1279.                             {
    1280. 

  1280.                                 foreach (DnsResourceRecordType allowedType in policy.Value)
    1281. 

  1281.                                 {
    1282. 

  1282.                                     if ((allowedType == DnsResourceRecordType.ANY) || (allowedType == uRecord.Type))
    1283. 

  1283.                                     {
    1284. 

  1284.                                         isPermitted = true;
    1285. 

  1285.                                         break;
    1286. 

  1286.                                     }
    1287. 

  1287.                                 }
    1288. 

  1288. 

  1289.                                 if (isPermitted)
    1290. 

  1290.                                     break;
    1291. 

  1291.                             }
    1292. 

  1292.                         }
    1293. 

  1293. 

  1294.                         if (!isPermitted)
    1295. 

  1295.                             return false;
    1296. 

  1296.                     }
    1297. 

  1297.                 }
    1298. 

  1298. 

  1299.                 return true;
    1300. 

  1300.             }
    1301. 

  1301. 

  1302.             switch (authZoneInfo.Type)
    1303. 

  1303.             {
    1304. 

  1304.                 case AuthZoneType.Primary:
    1305. 

  1305.                     //update
    1306. 

  1306.                     {
    1307. 

  1307.                         //process prerequisite section
    1308. 

  1308.                         {
    1309. 

  1309.                             Dictionary<string, Dictionary<DnsResourceRecordType, List<DnsResourceRecord>>> temp = new Dictionary<string, Dictionary<DnsResourceRecordType, List<DnsResourceRecord>>>();
    1310. 

  1310. 

  1311.                             foreach (DnsResourceRecord prRecord in request.Answer)
    1312. 

  1312.                             {
    1313. 

  1313.                                 if (prRecord.TTL != 0)
    1314. 

  1314.                                     return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1315. 

  1315. 

  1316.                                 AuthZoneInfo prAuthZoneInfo = _authZoneManager.FindAuthZoneInfo(prRecord.Name);
    1317. 

  1317.                                 if ((prAuthZoneInfo is null) || !prAuthZoneInfo.Name.Equals(authZoneInfo.Name, StringComparison.OrdinalIgnoreCase))
    1318. 

  1318.                                     return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NotZone, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1319. 

  1319. 

  1320.                                 if (prRecord.Class == DnsClass.ANY)
    1321. 

  1321.                                 {
    1322. 

  1322.                                     if (prRecord.RDATA.RDLENGTH != 0)
    1323. 

  1323.                                         return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1324. 

  1324. 

  1325.                                     if (prRecord.Type == DnsResourceRecordType.ANY)
    1326. 

  1326.                                     {
    1327. 

  1327.                                         //check if name is in use
    1328. 

  1328.                                         if (!_authZoneManager.NameExists(authZoneInfo.Name, prRecord.Name))
    1329. 

  1329.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NxDomain, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1330. 

  1330.                                     }
    1331. 

  1331.                                     else
    1332. 

  1332.                                     {
    1333. 

  1333.                                         //check if RRSet exists (value independent)
    1334. 

  1334.                                         IReadOnlyList<DnsResourceRecord> rrset = _authZoneManager.GetRecords(authZoneInfo.Name, prRecord.Name, prRecord.Type);
    1335. 

  1335.                                         if (rrset.Count == 0)
    1336. 

  1336.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NXRRSet, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1337. 

  1337.                                     }
    1338. 

  1338.                                 }
    1339. 

  1339.                                 else if (prRecord.Class == DnsClass.NONE)
    1340. 

  1340.                                 {
    1341. 

  1341.                                     if (prRecord.RDATA.RDLENGTH != 0)
    1342. 

  1342.                                         return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1343. 

  1343. 

  1344.                                     if (prRecord.Type == DnsResourceRecordType.ANY)
    1345. 

  1345.                                     {
    1346. 

  1346.                                         //check if name is not in use
    1347. 

  1347.                                         if (_authZoneManager.NameExists(authZoneInfo.Name, prRecord.Name))
    1348. 

  1348.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.YXDomain, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1349. 

  1349.                                     }
    1350. 

  1350.                                     else
    1351. 

  1351.                                     {
    1352. 

  1352.                                         //check if RRSet does not exists
    1353. 

  1353.                                         IReadOnlyList<DnsResourceRecord> rrset = _authZoneManager.GetRecords(authZoneInfo.Name, prRecord.Name, prRecord.Type);
    1354. 

  1354.                                         if (rrset.Count > 0)
    1355. 

  1355.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.YXRRSet, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1356. 

  1356.                                     }
    1357. 

  1357.                                 }
    1358. 

  1358.                                 else if (prRecord.Class == request.Question[0].Class)
    1359. 

  1359.                                 {
    1360. 

  1360.                                     //check if RRSet exists (value dependent)
    1361. 

  1361.                                     //add to temp for later comparison
    1362. 

  1362.                                     string recordName = prRecord.Name.ToLower();
    1363. 

  1363. 

  1364.                                     if (!temp.TryGetValue(recordName, out Dictionary<DnsResourceRecordType, List<DnsResourceRecord>> rrsetEntry))
    1365. 

  1365.                                     {
    1366. 

  1366.                                         rrsetEntry = new Dictionary<DnsResourceRecordType, List<DnsResourceRecord>>();
    1367. 

  1367.                                         temp.Add(recordName, rrsetEntry);
    1368. 

  1368.                                     }
    1369. 

  1369. 

  1370.                                     if (!rrsetEntry.TryGetValue(prRecord.Type, out List<DnsResourceRecord> rrset))
    1371. 

  1371.                                     {
    1372. 

  1372.                                         rrset = new List<DnsResourceRecord>();
    1373. 

  1373.                                         rrsetEntry.Add(prRecord.Type, rrset);
    1374. 

  1374.                                     }
    1375. 

  1375. 

  1376.                                     rrset.Add(prRecord);
    1377. 

  1377.                                 }
    1378. 

  1378.                                 else
    1379. 

  1379.                                 {
    1380. 

  1380.                                     //FORMERR
    1381. 

  1381.                                     return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1382. 

  1382.                                 }
    1383. 

  1383.                             }
    1384. 

  1384. 

  1385.                             //compare collected RRSets in temp
    1386. 

  1386.                             foreach (KeyValuePair<string, Dictionary<DnsResourceRecordType, List<DnsResourceRecord>>> zoneEntry in temp)
    1387. 

  1387.                             {
    1388. 

  1388.                                 foreach (KeyValuePair<DnsResourceRecordType, List<DnsResourceRecord>> rrsetEntry in zoneEntry.Value)
    1389. 

  1389.                                 {
    1390. 

  1390.                                     IReadOnlyList<DnsResourceRecord> prRRSet = rrsetEntry.Value;
    1391. 

  1391.                                     IReadOnlyList<DnsResourceRecord> rrset = _authZoneManager.GetRecords(authZoneInfo.Name, zoneEntry.Key, rrsetEntry.Key);
    1392. 

  1392. 

  1393.                                     //check if RRSet exists (value dependent)
    1394. 

  1394.                                     //compare RRSets
    1395. 

  1395. 

  1396.                                     if (prRRSet.Count != rrset.Count)
    1397. 

  1397.                                         return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NXRRSet, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1398. 

  1398. 

  1399.                                     foreach (DnsResourceRecord prRecord in prRRSet)
    1400. 

  1400.                                     {
    1401. 

  1401.                                         bool found = false;
    1402. 

  1402. 

  1403.                                         foreach (DnsResourceRecord record in rrset)
    1404. 

  1404.                                         {
    1405. 

  1405.                                             if (
    1406. 

  1406.                                                 prRecord.Name.Equals(record.Name, StringComparison.OrdinalIgnoreCase) &&
    1407. 

  1407.                                                 (prRecord.Class == record.Class) &&
    1408. 

  1408.                                                 (prRecord.Type == record.Type) &&
    1409. 

  1409.                                                 (prRecord.RDATA.RDLENGTH == record.RDATA.RDLENGTH) &&
    1410. 

  1410.                                                 prRecord.RDATA.Equals(record.RDATA)
    1411. 

  1411.                                                )
    1412. 

  1412.                                             {
    1413. 

  1413.                                                 found = true;
    1414. 

  1414.                                                 break;
    1415. 

  1415.                                             }
    1416. 

  1416.                                         }
    1417. 

  1417. 

  1418.                                         if (!found)
    1419. 

  1419.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NXRRSet, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1420. 

  1420.                                     }
    1421. 

  1421.                                 }
    1422. 

  1422.                             }
    1423. 

  1423.                         }
    1424. 

  1424. 

  1425.                         //check for permissions
    1426. 

  1426.                         if (!await IsUpdatePermittedAsync())
    1427. 

  1427.                         {
    1428. 

  1428.                             _log?.Write(remoteEP, protocol, "DNS Server refused a zone UPDATE request due to Dynamic Updates Security Policy for zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1429. 

  1429. 

  1430.                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1431. 

  1431.                         }
    1432. 

  1432. 

  1433.                         //process update section
    1434. 

  1434.                         {
    1435. 

  1435.                             //prescan
    1436. 

  1436.                             foreach (DnsResourceRecord uRecord in request.Authority)
    1437. 

  1437.                             {
    1438. 

  1438.                                 AuthZoneInfo prAuthZoneInfo = _authZoneManager.FindAuthZoneInfo(uRecord.Name);
    1439. 

  1439.                                 if ((prAuthZoneInfo is null) || !prAuthZoneInfo.Name.Equals(authZoneInfo.Name, StringComparison.OrdinalIgnoreCase))
    1440. 

  1440.                                     return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NotZone, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1441. 

  1441. 

  1442.                                 if (uRecord.Class == request.Question[0].Class)
    1443. 

  1443.                                 {
    1444. 

  1444.                                     switch (uRecord.Type)
    1445. 

  1445.                                     {
    1446. 

  1446.                                         case DnsResourceRecordType.ANY:
    1447. 

  1447.                                         case DnsResourceRecordType.AXFR:
    1448. 

  1448.                                         case DnsResourceRecordType.MAILA:
    1449. 

  1449.                                         case DnsResourceRecordType.MAILB:
    1450. 

  1450.                                         case DnsResourceRecordType.IXFR:
    1451. 

  1451.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1452. 

  1452.                                     }
    1453. 

  1453.                                 }
    1454. 

  1454.                                 else if (uRecord.Class == DnsClass.ANY)
    1455. 

  1455.                                 {
    1456. 

  1456.                                     if ((uRecord.TTL != 0) || (uRecord.RDATA.RDLENGTH != 0))
    1457. 

  1457.                                         return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1458. 

  1458. 

  1459.                                     switch (uRecord.Type)
    1460. 

  1460.                                     {
    1461. 

  1461.                                         case DnsResourceRecordType.AXFR:
    1462. 

  1462.                                         case DnsResourceRecordType.MAILA:
    1463. 

  1463.                                         case DnsResourceRecordType.MAILB:
    1464. 

  1464.                                         case DnsResourceRecordType.IXFR:
    1465. 

  1465.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1466. 

  1466.                                     }
    1467. 

  1467.                                 }
    1468. 

  1468.                                 else if (uRecord.Class == DnsClass.NONE)
    1469. 

  1469.                                 {
    1470. 

  1470.                                     if (uRecord.TTL != 0)
    1471. 

  1471.                                         return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1472. 

  1472. 

  1473.                                     switch (uRecord.Type)
    1474. 

  1474.                                     {
    1475. 

  1475.                                         case DnsResourceRecordType.ANY:
    1476. 

  1476.                                         case DnsResourceRecordType.AXFR:
    1477. 

  1477.                                         case DnsResourceRecordType.MAILA:
    1478. 

  1478.                                         case DnsResourceRecordType.MAILB:
    1479. 

  1479.                                         case DnsResourceRecordType.IXFR:
    1480. 

  1480.                                             return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1481. 

  1481.                                     }
    1482. 

  1482.                                 }
    1483. 

  1483.                                 else
    1484. 

  1484.                                 {
    1485. 

  1485.                                     //FORMERR
    1486. 

  1486.                                     return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1487. 

  1487.                                 }
    1488. 

  1488.                             }
    1489. 

  1489. 

  1490.                             //update
    1491. 

  1491.                             Dictionary<string, Dictionary<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>>> originalRRSets = new Dictionary<string, Dictionary<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>>>();
    1492. 

  1492. 

  1493.                             void AddToOriginalRRSets(string domain, DnsResourceRecordType type, IReadOnlyList<DnsResourceRecord> existingRRSet)
    1494. 

  1494.                             {
    1495. 

  1495.                                 if (!originalRRSets.TryGetValue(domain, out Dictionary<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>> originalRRSetEntries))
    1496. 

  1496.                                 {
    1497. 

  1497.                                     originalRRSetEntries = new Dictionary<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>>();
    1498. 

  1498.                                     originalRRSets.Add(domain, originalRRSetEntries);
    1499. 

  1499.                                 }
    1500. 

  1500. 

  1501.                                 originalRRSetEntries.TryAdd(type, existingRRSet);
    1502. 

  1502.                             }
    1503. 

  1503. 

  1504.                             try
    1505. 

  1505.                             {
    1506. 

  1506.                                 foreach (DnsResourceRecord uRecord in request.Authority)
    1507. 

  1507.                                 {
    1508. 

  1508.                                     if (uRecord.Class == request.Question[0].Class)
    1509. 

  1509.                                     {
    1510. 

  1510.                                         //Add to an RRset
    1511. 

  1511.                                         if (uRecord.Type == DnsResourceRecordType.CNAME)
    1512. 

  1512.                                         {
    1513. 

  1513.                                             if (_authZoneManager.NameExists(authZoneInfo.Name, uRecord.Name) && (_authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, DnsResourceRecordType.CNAME).Count == 0))
    1514. 

  1514.                                                 continue; //current name exists and has non-CNAME records so cannot add CNAME record
    1515. 

  1515. 

  1516.                                             IReadOnlyList<DnsResourceRecord> existingRRSet = _authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, uRecord.Type);
    1517. 

  1517.                                             AddToOriginalRRSets(uRecord.Name, uRecord.Type, existingRRSet);
    1518. 

  1518. 

  1519.                                             _authZoneManager.SetRecord(authZoneInfo.Name, uRecord);
    1520. 

  1520.                                         }
    1521. 

  1521.                                         else if (uRecord.Type == DnsResourceRecordType.DNAME)
    1522. 

  1522.                                         {
    1523. 

  1523.                                             IReadOnlyList<DnsResourceRecord> existingRRSet = _authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, uRecord.Type);
    1524. 

  1524.                                             AddToOriginalRRSets(uRecord.Name, uRecord.Type, existingRRSet);
    1525. 

  1525. 

  1526.                                             _authZoneManager.SetRecord(authZoneInfo.Name, uRecord);
    1527. 

  1527.                                         }
    1528. 

  1528.                                         else if (uRecord.Type == DnsResourceRecordType.SOA)
    1529. 

  1529.                                         {
    1530. 

  1530.                                             if (!uRecord.Name.Equals(authZoneInfo.Name, StringComparison.OrdinalIgnoreCase))
    1531. 

  1531.                                                 continue; //can add SOA only to apex
    1532. 

  1532. 

  1533.                                             IReadOnlyList<DnsResourceRecord> existingRRSet = _authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, uRecord.Type);
    1534. 

  1534.                                             AddToOriginalRRSets(uRecord.Name, uRecord.Type, existingRRSet);
    1535. 

  1535. 

  1536.                                             _authZoneManager.SetRecord(authZoneInfo.Name, uRecord);
    1537. 

  1537.                                         }
    1538. 

  1538.                                         else
    1539. 

  1539.                                         {
    1540. 

  1540.                                             if (_authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, DnsResourceRecordType.CNAME).Count > 0)
    1541. 

  1541.                                                 continue; //current name contains CNAME so cannot add non-CNAME record
    1542. 

  1542. 

  1543.                                             IReadOnlyList<DnsResourceRecord> existingRRSet = _authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, uRecord.Type);
    1544. 

  1544.                                             AddToOriginalRRSets(uRecord.Name, uRecord.Type, existingRRSet);
    1545. 

  1545. 

  1546.                                             if (uRecord.Type == DnsResourceRecordType.NS)
    1547. 

  1547.                                                 uRecord.SyncGlueRecords(request.Additional);
    1548. 

  1548. 

  1549.                                             _authZoneManager.AddRecord(authZoneInfo.Name, uRecord);
    1550. 

  1550.                                         }
    1551. 

  1551.                                     }
    1552. 

  1552.                                     else if (uRecord.Class == DnsClass.ANY)
    1553. 

  1553.                                     {
    1554. 

  1554.                                         if (uRecord.Type == DnsResourceRecordType.ANY)
    1555. 

  1555.                                         {
    1556. 

  1556.                                             //Delete all RRsets from a name
    1557. 

  1557.                                             IReadOnlyDictionary<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>> existingRRSets = _authZoneManager.GetAllRecords(authZoneInfo.Name, uRecord.Name);
    1558. 

  1558. 

  1559.                                             if (uRecord.Name.Equals(authZoneInfo.Name, StringComparison.OrdinalIgnoreCase))
    1560. 

  1560.                                             {
    1561. 

  1561.                                                 foreach (KeyValuePair<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>> existingRRSet in existingRRSets)
    1562. 

  1562.                                                 {
    1563. 

  1563.                                                     switch (existingRRSet.Key)
    1564. 

  1564.                                                     {
    1565. 

  1565.                                                         case DnsResourceRecordType.SOA:
    1566. 

  1566.                                                         case DnsResourceRecordType.NS:
    1567. 

  1567.                                                         case DnsResourceRecordType.DNSKEY:
    1568. 

  1568.                                                         case DnsResourceRecordType.RRSIG:
    1569. 

  1569.                                                         case DnsResourceRecordType.NSEC:
    1570. 

  1570.                                                         case DnsResourceRecordType.NSEC3PARAM:
    1571. 

  1571.                                                         case DnsResourceRecordType.NSEC3:
    1572. 

  1572.                                                             continue; //no apex SOA/NS can be deleted; skip DNSSEC rrsets
    1573. 

  1573.                                                     }
    1574. 

  1574. 

  1575.                                                     AddToOriginalRRSets(uRecord.Name, existingRRSet.Key, existingRRSet.Value);
    1576. 

  1576. 

  1577.                                                     _authZoneManager.DeleteRecords(authZoneInfo.Name, uRecord.Name, existingRRSet.Key);
    1578. 

  1578.                                                 }
    1579. 

  1579.                                             }
    1580. 

  1580.                                             else
    1581. 

  1581.                                             {
    1582. 

  1582.                                                 foreach (KeyValuePair<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>> existingRRSet in existingRRSets)
    1583. 

  1583.                                                 {
    1584. 

  1584.                                                     switch (existingRRSet.Key)
    1585. 

  1585.                                                     {
    1586. 

  1586.                                                         case DnsResourceRecordType.DNSKEY:
    1587. 

  1587.                                                         case DnsResourceRecordType.RRSIG:
    1588. 

  1588.                                                         case DnsResourceRecordType.NSEC:
    1589. 

  1589.                                                         case DnsResourceRecordType.NSEC3PARAM:
    1590. 

  1590.                                                         case DnsResourceRecordType.NSEC3:
    1591. 

  1591.                                                             continue; //skip DNSSEC rrsets
    1592. 

  1592.                                                     }
    1593. 

  1593. 

  1594.                                                     AddToOriginalRRSets(uRecord.Name, existingRRSet.Key, existingRRSet.Value);
    1595. 

  1595. 

  1596.                                                     _authZoneManager.DeleteRecords(authZoneInfo.Name, uRecord.Name, existingRRSet.Key);
    1597. 

  1597.                                                 }
    1598. 

  1598.                                             }
    1599. 

  1599.                                         }
    1600. 

  1600.                                         else
    1601. 

  1601.                                         {
    1602. 

  1602.                                             //Delete an RRset
    1603. 

  1603.                                             if (uRecord.Name.Equals(authZoneInfo.Name, StringComparison.OrdinalIgnoreCase))
    1604. 

  1604.                                             {
    1605. 

  1605.                                                 switch (uRecord.Type)
    1606. 

  1606.                                                 {
    1607. 

  1607.                                                     case DnsResourceRecordType.SOA:
    1608. 

  1608.                                                     case DnsResourceRecordType.NS:
    1609. 

  1609.                                                     case DnsResourceRecordType.DNSKEY:
    1610. 

  1610.                                                     case DnsResourceRecordType.RRSIG:
    1611. 

  1611.                                                     case DnsResourceRecordType.NSEC:
    1612. 

  1612.                                                     case DnsResourceRecordType.NSEC3PARAM:
    1613. 

  1613.                                                     case DnsResourceRecordType.NSEC3:
    1614. 

  1614.                                                         continue; //no apex SOA/NS can be deleted; skip DNSSEC rrsets
    1615. 

  1615.                                                 }
    1616. 

  1616.                                             }
    1617. 

  1617. 

  1618.                                             IReadOnlyList<DnsResourceRecord> existingRRSet = _authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, uRecord.Type);
    1619. 

  1619.                                             AddToOriginalRRSets(uRecord.Name, uRecord.Type, existingRRSet);
    1620. 

  1620. 

  1621.                                             _authZoneManager.DeleteRecords(authZoneInfo.Name, uRecord.Name, uRecord.Type);
    1622. 

  1622.                                         }
    1623. 

  1623.                                     }
    1624. 

  1624.                                     else if (uRecord.Class == DnsClass.NONE)
    1625. 

  1625.                                     {
    1626. 

  1626.                                         //Delete an RR from an RRset
    1627. 

  1627. 

  1628.                                         switch (uRecord.Type)
    1629. 

  1629.                                         {
    1630. 

  1630.                                             case DnsResourceRecordType.SOA:
    1631. 

  1631.                                             case DnsResourceRecordType.DNSKEY:
    1632. 

  1632.                                             case DnsResourceRecordType.RRSIG:
    1633. 

  1633.                                             case DnsResourceRecordType.NSEC:
    1634. 

  1634.                                             case DnsResourceRecordType.NSEC3PARAM:
    1635. 

  1635.                                             case DnsResourceRecordType.NSEC3:
    1636. 

  1636.                                                 continue; //no SOA can be deleted; skip DNSSEC rrsets
    1637. 

  1637.                                         }
    1638. 

  1638. 

  1639.                                         IReadOnlyList<DnsResourceRecord> existingRRSet = _authZoneManager.GetRecords(authZoneInfo.Name, uRecord.Name, uRecord.Type);
    1640. 

  1640. 

  1641.                                         if ((uRecord.Type == DnsResourceRecordType.NS) && (existingRRSet.Count == 1) && uRecord.Name.Equals(authZoneInfo.Name, StringComparison.OrdinalIgnoreCase))
    1642. 

  1642.                                             continue; //no apex NS can be deleted if only 1 NS exists
    1643. 

  1643. 

  1644.                                         AddToOriginalRRSets(uRecord.Name, uRecord.Type, existingRRSet);
    1645. 

  1645. 

  1646.                                         _authZoneManager.DeleteRecord(authZoneInfo.Name, uRecord.Name, uRecord.Type, uRecord.RDATA);
    1647. 

  1647.                                     }
    1648. 

  1648.                                 }
    1649. 

  1649.                             }
    1650. 

  1650.                             catch
    1651. 

  1651.                             {
    1652. 

  1652.                                 //revert
    1653. 

  1653.                                 foreach (KeyValuePair<string, Dictionary<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>>> originalRRSetEntries in originalRRSets)
    1654. 

  1654.                                 {
    1655. 

  1655.                                     foreach (KeyValuePair<DnsResourceRecordType, IReadOnlyList<DnsResourceRecord>> originalRRSet in originalRRSetEntries.Value)
    1656. 

  1656.                                     {
    1657. 

  1657.                                         if (originalRRSet.Value.Count == 0)
    1658. 

  1658.                                             _authZoneManager.DeleteRecords(authZoneInfo.Name, originalRRSetEntries.Key, originalRRSet.Key);
    1659. 

  1659.                                         else
    1660. 

  1660.                                             _authZoneManager.SetRecords(authZoneInfo.Name, originalRRSet.Value);
    1661. 

  1661.                                     }
    1662. 

  1662.                                 }
    1663. 

  1663. 

  1664.                                 throw;
    1665. 

  1665.                             }
    1666. 

  1666.                         }
    1667. 

  1667. 

  1668.                         _authZoneManager.SaveZoneFile(authZoneInfo.Name);
    1669. 

  1669. 

  1670.                         _log?.Write(remoteEP, protocol, "DNS Server successfully processed a zone UPDATE request for zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1671. 

  1671. 

  1672.                         //NOERROR
    1673. 

  1673.                         return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1674. 

  1674.                     }
    1675. 

  1675. 

  1676.                 case AuthZoneType.Secondary:
    1677. 

  1677.                     //forward to primary
    1678. 

  1678.                     {
    1679. 

  1679.                         IReadOnlyList<NameServerAddress> primaryNameServers = await authZoneInfo.GetPrimaryNameServerAddressesAsync(this);
    1680. 

  1680. 

  1681.                         DnsResourceRecord soaRecord = authZoneInfo.GetApexRecords(DnsResourceRecordType.SOA)[0];
    1682. 

  1682.                         AuthRecordInfo recordInfo = soaRecord.GetAuthRecordInfo();
    1683. 

  1683. 

  1684.                         switch (recordInfo.ZoneTransferProtocol)
    1685. 

  1685.                         {
    1686. 

  1686.                             case DnsTransportProtocol.Tls:
    1687. 

  1687.                             case DnsTransportProtocol.Quic:
    1688. 

  1688.                                 {
    1689. 

  1689.                                     //change name server protocol to TLS/QUIC
    1690. 

  1690.                                     List<NameServerAddress> updatedNameServers = new List<NameServerAddress>(primaryNameServers.Count);
    1691. 

  1691. 

  1692.                                     foreach (NameServerAddress primaryNameServer in primaryNameServers)
    1693. 

  1693.                                     {
    1694. 

  1694.                                         if (primaryNameServer.Protocol == recordInfo.ZoneTransferProtocol)
    1695. 

  1695.                                             updatedNameServers.Add(primaryNameServer);
    1696. 

  1696.                                         else
    1697. 

  1697.                                             updatedNameServers.Add(primaryNameServer.ChangeProtocol(recordInfo.ZoneTransferProtocol));
    1698. 

  1698.                                     }
    1699. 

  1699. 

  1700.                                     primaryNameServers = updatedNameServers;
    1701. 

  1701.                                 }
    1702. 

  1702.                                 break;
    1703. 

  1703. 

  1704.                             default:
    1705. 

  1705.                                 if (protocol == DnsTransportProtocol.Tcp)
    1706. 

  1706.                                 {
    1707. 

  1707.                                     //change name server protocol to TCP
    1708. 

  1708.                                     List<NameServerAddress> updatedNameServers = new List<NameServerAddress>(primaryNameServers.Count);
    1709. 

  1709. 

  1710.                                     foreach (NameServerAddress primaryNameServer in primaryNameServers)
    1711. 

  1711.                                     {
    1712. 

  1712.                                         if (primaryNameServer.Protocol == DnsTransportProtocol.Tcp)
    1713. 

  1713.                                             updatedNameServers.Add(primaryNameServer);
    1714. 

  1714.                                         else
    1715. 

  1715.                                             updatedNameServers.Add(primaryNameServer.ChangeProtocol(DnsTransportProtocol.Tcp));
    1716. 

  1716.                                     }
    1717. 

  1717. 

  1718.                                     primaryNameServers = updatedNameServers;
    1719. 

  1719.                                 }
    1720. 

  1720.                                 break;
    1721. 

  1721.                         }
    1722. 

  1722. 

  1723.                         TsigKey key = null;
    1724. 

  1724. 

  1725.                         if (!string.IsNullOrEmpty(tsigAuthenticatedKeyName) && ((_tsigKeys is null) || !_tsigKeys.TryGetValue(tsigAuthenticatedKeyName, out key)))
    1726. 

  1726.                             throw new DnsServerException("DNS Server does not have TSIG key '" + tsigAuthenticatedKeyName + "' configured to authenticate dynamic updates for secondary zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1727. 

  1727. 

  1728.                         DnsClient dnsClient = new DnsClient(primaryNameServers);
    1729. 

  1729. 

  1730.                         dnsClient.Proxy = _proxy;
    1731. 

  1731.                         dnsClient.PreferIPv6 = _preferIPv6;
    1732. 

  1732.                         dnsClient.Retries = _forwarderRetries;
    1733. 

  1733.                         dnsClient.Timeout = _forwarderTimeout;
    1734. 

  1734.                         dnsClient.Concurrency = 1;
    1735. 

  1735. 

  1736.                         DnsDatagram newRequest = request.Clone();
    1737. 

  1737.                         newRequest.SetRandomIdentifier();
    1738. 

  1738. 

  1739.                         DnsDatagram newResponse;
    1740. 

  1740. 

  1741.                         if (key is null)
    1742. 

  1742.                             newResponse = await dnsClient.ResolveAsync(newRequest);
    1743. 

  1743.                         else
    1744. 

  1744.                             newResponse = await dnsClient.ResolveAsync(newRequest, key);
    1745. 

  1745. 

  1746.                         newResponse.SetIdentifier(request.Identifier);
    1747. 

  1747. 

  1748.                         return newResponse;
    1749. 

  1749.                     }
    1750. 

  1750. 

  1751.                 default:
    1752. 

  1752.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.Update, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NotAuth, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1753. 

  1753.             }
    1754. 

  1754.         }
    1755. 

  1755. 

  1756.         private async Task<DnsDatagram> ProcessZoneTransferQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, string tsigAuthenticatedKeyName)
    1757. 

  1757.         {
    1758. 

  1758.             AuthZoneInfo authZoneInfo = _authZoneManager.GetAuthZoneInfo(request.Question[0].Name);
    1759. 

  1759.             if ((authZoneInfo is null) || authZoneInfo.Disabled || authZoneInfo.IsExpired)
    1760. 

  1760.             {
    1761. 

  1761.                 _log?.Write(remoteEP, protocol, "DNS Server refused a zone transfer request due to zone not found, zone disabled, or zone expired reasons for zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1762. 

  1762. 

  1763.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1764. 

  1764.             }
    1765. 

  1765. 

  1766.             switch (authZoneInfo.Type)
    1767. 

  1767.             {
    1768. 

  1768.                 case AuthZoneType.Primary:
    1769. 

  1769.                 case AuthZoneType.Secondary:
    1770. 

  1770.                     break;
    1771. 

  1771. 

  1772.                 default:
    1773. 

  1773.                     _log?.Write(remoteEP, protocol, "DNS Server refused a zone transfer request since the DNS server is not authoritative for zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1774. 

  1774. 

  1775.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1776. 

  1776.             }
    1777. 

  1777. 

  1778.             async Task<bool> IsZoneNameServerAllowedAsync()
    1779. 

  1779.             {
    1780. 

  1780.                 IPAddress remoteAddress = remoteEP.Address;
    1781. 

  1781.                 IReadOnlyList<NameServerAddress> secondaryNameServers = await authZoneInfo.GetSecondaryNameServerAddressesAsync(this);
    1782. 

  1782. 

  1783.                 foreach (NameServerAddress secondaryNameServer in secondaryNameServers)
    1784. 

  1784.                 {
    1785. 

  1785.                     if (secondaryNameServer.IPEndPoint.Address.Equals(remoteAddress))
    1786. 

  1786.                         return true;
    1787. 

  1787.                 }
    1788. 

  1788. 

  1789.                 return false;
    1790. 

  1790.             }
    1791. 

  1791. 

  1792.             bool IsSpecifiedNameServerAllowed()
    1793. 

  1793.             {
    1794. 

  1794.                 IPAddress remoteAddress = remoteEP.Address;
    1795. 

  1795.                 IReadOnlyCollection<IPAddress> specifiedNameServers = authZoneInfo.ZoneTransferNameServers;
    1796. 

  1796.                 if (specifiedNameServers is not null)
    1797. 

  1797.                 {
    1798. 

  1798.                     foreach (IPAddress specifiedNameServer in specifiedNameServers)
    1799. 

  1799.                     {
    1800. 

  1800.                         if (specifiedNameServer.Equals(remoteAddress))
    1801. 

  1801.                             return true;
    1802. 

  1802.                     }
    1803. 

  1803.                 }
    1804. 

  1804. 

  1805.                 return false;
    1806. 

  1806.             }
    1807. 

  1807. 

  1808.             bool isZoneTransferAllowed = false;
    1809. 

  1809. 

  1810.             switch (authZoneInfo.ZoneTransfer)
    1811. 

  1811.             {
    1812. 

  1812.                 case AuthZoneTransfer.Deny:
    1813. 

  1813.                     break;
    1814. 

  1814. 

  1815.                 case AuthZoneTransfer.Allow:
    1816. 

  1816.                     isZoneTransferAllowed = true;
    1817. 

  1817.                     break;
    1818. 

  1818. 

  1819.                 case AuthZoneTransfer.AllowOnlyZoneNameServers:
    1820. 

  1820.                     isZoneTransferAllowed = await IsZoneNameServerAllowedAsync();
    1821. 

  1821.                     break;
    1822. 

  1822. 

  1823.                 case AuthZoneTransfer.AllowOnlySpecifiedNameServers:
    1824. 

  1824.                     isZoneTransferAllowed = IsSpecifiedNameServerAllowed();
    1825. 

  1825.                     break;
    1826. 

  1826. 

  1827.                 case AuthZoneTransfer.AllowBothZoneAndSpecifiedNameServers:
    1828. 

  1828.                     isZoneTransferAllowed = IsSpecifiedNameServerAllowed() || await IsZoneNameServerAllowedAsync();
    1829. 

  1829.                     break;
    1830. 

  1830.             }
    1831. 

  1831. 

  1832.             if (!isZoneTransferAllowed)
    1833. 

  1833.             {
    1834. 

  1834.                 _log?.Write(remoteEP, protocol, "DNS Server refused a zone transfer request since the request IP address is not allowed by the zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1835. 

  1835. 

  1836.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1837. 

  1837.             }
    1838. 

  1838. 

  1839.             if ((authZoneInfo.ZoneTransferTsigKeyNames is not null) && (authZoneInfo.ZoneTransferTsigKeyNames.Count > 0))
    1840. 

  1840.             {
    1841. 

  1841.                 if ((tsigAuthenticatedKeyName is null) || !authZoneInfo.ZoneTransferTsigKeyNames.ContainsKey(tsigAuthenticatedKeyName.ToLower()))
    1842. 

  1842.                 {
    1843. 

  1843.                     _log?.Write(remoteEP, protocol, "DNS Server refused a zone transfer request since the request is missing TSIG auth required by the zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1844. 

  1844. 

  1845.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1846. 

  1846.                 }
    1847. 

  1847.             }
    1848. 

  1848. 

  1849.             _log?.Write(remoteEP, protocol, "DNS Server received zone transfer request for zone: " + (authZoneInfo.Name == "" ? "<root>" : authZoneInfo.Name));
    1850. 

  1850. 

  1851.             IReadOnlyList<DnsResourceRecord> xfrRecords;
    1852. 

  1852. 

  1853.             if (request.Question[0].Type == DnsResourceRecordType.IXFR)
    1854. 

  1854.             {
    1855. 

  1855.                 if ((request.Authority.Count == 1) && (request.Authority[0].Type == DnsResourceRecordType.SOA))
    1856. 

  1856.                     xfrRecords = _authZoneManager.QueryIncrementalZoneTransferRecords(request.Question[0].Name, request.Authority[0]);
    1857. 

  1857.                 else
    1858. 

  1858.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1859. 

  1859.             }
    1860. 

  1860.             else
    1861. 

  1861.             {
    1862. 

  1862.                 xfrRecords = _authZoneManager.QueryZoneTransferRecords(request.Question[0].Name);
    1863. 

  1863.             }
    1864. 

  1864. 

  1865.             DnsDatagram xfrResponse = new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, true, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, request.Question, xfrRecords) { Tag = DnsServerResponseType.Authoritative };
    1866. 

  1866.             xfrResponse = xfrResponse.Split();
    1867. 

  1867. 

  1868.             return xfrResponse;
    1869. 

  1869.         }
    1870. 

  1870. 

  1871.         private async Task<DnsDatagram> ProcessAuthoritativeQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, bool isRecursionAllowed, bool skipDnsAppAuthoritativeRequestHandlers)
    1872. 

  1872.         {
    1873. 

  1873.             DnsDatagram response = await AuthoritativeQueryAsync(request, remoteEP, protocol, isRecursionAllowed, skipDnsAppAuthoritativeRequestHandlers);
    1874. 

  1874.             if (response is null)
    1875. 

  1875.                 return null;
    1876. 

  1876. 

  1877.             bool reprocessResponse;
    1878. 

  1878.             do
    1879. 

  1879.             {
    1880. 

  1880.                 reprocessResponse = false;
    1881. 

  1881. 

  1882.                 if (response.RCODE == DnsResponseCode.NoError)
    1883. 

  1883.                 {
    1884. 

  1884.                     if (response.Answer.Count > 0)
    1885. 

  1885.                     {
    1886. 

  1886.                         DnsResourceRecordType questionType = request.Question[0].Type;
    1887. 

  1887.                         DnsResourceRecord lastRR = response.GetLastAnswerRecord();
    1888. 

  1888. 

  1889.                         if ((lastRR.Type != questionType) && (questionType != DnsResourceRecordType.ANY))
    1890. 

  1890.                         {
    1891. 

  1891.                             switch (lastRR.Type)
    1892. 

  1892.                             {
    1893. 

  1893.                                 case DnsResourceRecordType.CNAME:
    1894. 

  1894.                                     return await ProcessCNAMEAsync(request, remoteEP, response, isRecursionAllowed, protocol, false, skipDnsAppAuthoritativeRequestHandlers);
    1895. 

  1895. 

  1896.                                 case DnsResourceRecordType.ANAME:
    1897. 

  1897.                                     return await ProcessANAMEAsync(request, remoteEP, response, isRecursionAllowed, protocol, skipDnsAppAuthoritativeRequestHandlers);
    1898. 

  1898.                             }
    1899. 

  1899.                         }
    1900. 

  1900.                     }
    1901. 

  1901.                     else if (response.Authority.Count > 0)
    1902. 

  1902.                     {
    1903. 

  1903.                         DnsResourceRecord firstAuthority = response.FindFirstAuthorityRecord();
    1904. 

  1904.                         switch (firstAuthority.Type)
    1905. 

  1905.                         {
    1906. 

  1906.                             case DnsResourceRecordType.NS:
    1907. 

  1907.                                 if (request.RecursionDesired && isRecursionAllowed)
    1908. 

  1908.                                 {
    1909. 

  1909.                                     //do forced recursive resolution using empty conditional forwarders; name servers will be provided via ResolverDnsCache
    1910. 

  1910.                                     return await ProcessRecursiveQueryAsync(request, remoteEP, protocol, Array.Empty<DnsResourceRecord>(), _dnssecValidation, false, skipDnsAppAuthoritativeRequestHandlers);
    1911. 

  1911.                                 }
    1912. 

  1912. 

  1913.                                 break;
    1914. 

  1914. 

  1915.                             case DnsResourceRecordType.FWD:
    1916. 

  1916.                                 if (!request.RecursionDesired || !isRecursionAllowed)
    1917. 

  1917.                                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.Refused, request.Question) { Tag = DnsServerResponseType.Authoritative };
    1918. 

  1918. 

  1919.                                 //do conditional forwarding
    1920. 

  1920.                                 return await ProcessRecursiveQueryAsync(request, remoteEP, protocol, response.Authority, _dnssecValidation, false, skipDnsAppAuthoritativeRequestHandlers);
    1921. 

  1921. 

  1922.                             case DnsResourceRecordType.APP:
    1923. 

  1923.                                 response = await ProcessAPPAsync(request, remoteEP, response, isRecursionAllowed, protocol);
    1924. 

  1924.                                 reprocessResponse = true;
    1925. 

  1925.                                 break;
    1926. 

  1926.                         }
    1927. 

  1927.                     }
    1928. 

  1928.                 }
    1929. 

  1929.             }
    1930. 

  1930.             while (reprocessResponse);
    1931. 

  1931. 

  1932.             return response;
    1933. 

  1933.         }
    1934. 

  1934. 

  1935.         private async Task<DnsDatagram> AuthoritativeQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, bool isRecursionAllowed, bool skipDnsAppAuthoritativeRequestHandlers)
    1936. 

  1936.         {
    1937. 

  1937.             if (!skipDnsAppAuthoritativeRequestHandlers)
    1938. 

  1938.             {
    1939. 

  1939.                 foreach (IDnsAuthoritativeRequestHandler requestHandler in _dnsApplicationManager.DnsAuthoritativeRequestHandlers)
    1940. 

  1940.                 {
    1941. 

  1941.                     try
    1942. 

  1942.                     {
    1943. 

  1943.                         DnsDatagram appResponse = await requestHandler.ProcessRequestAsync(request, remoteEP, protocol, isRecursionAllowed);
    1944. 

  1944.                         if (appResponse is not null)
    1945. 

  1945.                         {
    1946. 

  1946.                             if (appResponse.Tag is null)
    1947. 

  1947.                                 appResponse.Tag = DnsServerResponseType.Authoritative;
    1948. 

  1948. 

  1949.                             return appResponse;
    1950. 

  1950.                         }
    1951. 

  1951.                     }
    1952. 

  1952.                     catch (Exception ex)
    1953. 

  1953.                     {
    1954. 

  1954.                         _log?.Write(remoteEP, protocol, ex);
    1955. 

  1955.                     }
    1956. 

  1956.                 }
    1957. 

  1957.             }
    1958. 

  1958. 

  1959.             DnsDatagram response = _authZoneManager.Query(request, isRecursionAllowed);
    1960. 

  1960.             if (response is not null)
    1961. 

  1961.             {
    1962. 

  1962.                 response.Tag = DnsServerResponseType.Authoritative;
    1963. 

  1963. 

  1964.                 return response;
    1965. 

  1965.             }
    1966. 

  1966. 

  1967.             return null;
    1968. 

  1968.         }
    1969. 

  1969. 

  1970.         private async Task<DnsDatagram> ProcessAPPAsync(DnsDatagram request, IPEndPoint remoteEP, DnsDatagram response, bool isRecursionAllowed, DnsTransportProtocol protocol)
    1971. 

  1971.         {
    1972. 

  1972.             DnsResourceRecord appResourceRecord = response.Authority[0];
    1973. 

  1973.             DnsApplicationRecordData appRecord = appResourceRecord.RDATA as DnsApplicationRecordData;
    1974. 

  1974. 

  1975.             if (_dnsApplicationManager.Applications.TryGetValue(appRecord.AppName, out DnsApplication application))
    1976. 

  1976.             {
    1977. 

  1977.                 if (application.DnsAppRecordRequestHandlers.TryGetValue(appRecord.ClassPath, out IDnsAppRecordRequestHandler appRecordRequestHandler))
    1978. 

  1978.                 {
    1979. 

  1979.                     AuthZoneInfo zoneInfo = _authZoneManager.FindAuthZoneInfo(appResourceRecord.Name);
    1980. 

  1980. 

  1981.                     DnsDatagram appResponse = await appRecordRequestHandler.ProcessRequestAsync(request, remoteEP, protocol, isRecursionAllowed, zoneInfo.Name, appResourceRecord.Name, appResourceRecord.TTL, appRecord.Data);
    1982. 

  1982.                     if (appResponse is null)
    1983. 

  1983.                     {
    1984. 

  1984.                         DnsResponseCode rcode;
    1985. 

  1985.                         IReadOnlyList<DnsResourceRecord> authority = null;
    1986. 

  1986. 

  1987.                         if (zoneInfo.Type == AuthZoneType.Forwarder)
    1988. 

  1988.                         {
    1989. 

  1989.                             //return FWD response
    1990. 

  1990.                             rcode = DnsResponseCode.NoError;
    1991. 

  1991. 

  1992.                             if (!zoneInfo.Name.Equals(appResourceRecord.Name, StringComparison.OrdinalIgnoreCase))
    1993. 

  1993.                             {
    1994. 

  1994.                                 AuthZone authZone = _authZoneManager.GetAuthZone(zoneInfo.Name, appResourceRecord.Name);
    1995. 

  1995.                                 if (authZone is not null)
    1996. 

  1996.                                     authority = authZone.QueryRecords(DnsResourceRecordType.FWD, false);
    1997. 

  1997.                             }
    1998. 

  1998. 

  1999.                             if ((authority is null) || (authority.Count == 0))
    2000. 

  2000.                                 authority = zoneInfo.ApexZone.QueryRecords(DnsResourceRecordType.FWD, false);
    2001. 

  2001.                         }
    2002. 

  2002.                         else
    2003. 

  2003.                         {
    2004. 

  2004.                             //return NODATA/NXDOMAIN response
    2005. 

  2005.                             if (request.Question[0].Name.Length > appResourceRecord.Name.Length)
    2006. 

  2006.                                 rcode = DnsResponseCode.NxDomain;
    2007. 

  2007.                             else
    2008. 

  2008.                                 rcode = DnsResponseCode.NoError;
    2009. 

  2009. 

  2010.                             authority = zoneInfo.GetApexRecords(DnsResourceRecordType.SOA);
    2011. 

  2011.                         }
    2012. 

  2012. 

  2013.                         return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, rcode, request.Question, null, authority) { Tag = DnsServerResponseType.Authoritative };
    2014. 

  2014.                     }
    2015. 

  2015.                     else
    2016. 

  2016.                     {
    2017. 

  2017.                         if (appResponse.AuthoritativeAnswer)
    2018. 

  2018.                             appResponse.Tag = DnsServerResponseType.Authoritative;
    2019. 

  2019. 

  2020.                         return appResponse; //return app response
    2021. 

  2021.                     }
    2022. 

  2022.                 }
    2023. 

  2023.                 else
    2024. 

  2024.                 {
    2025. 

  2025.                     _log?.Write(remoteEP, protocol, "DNS request handler '" + appRecord.ClassPath + "' was not found in the application '" + appRecord.AppName + "': " + appResourceRecord.Name);
    2026. 

  2026.                 }
    2027. 

  2027.             }
    2028. 

  2028.             else
    2029. 

  2029.             {
    2030. 

  2030.                 _log?.Write(remoteEP, protocol, "DNS application '" + appRecord.AppName + "' was not found: " + appResourceRecord.Name);
    2031. 

  2031.             }
    2032. 

  2032. 

  2033.             //return server failure response with SOA
    2034. 

  2034.             {
    2035. 

  2035.                 AuthZoneInfo zoneInfo = _authZoneManager.FindAuthZoneInfo(request.Question[0].Name);
    2036. 

  2036.                 IReadOnlyList<DnsResourceRecord> authority = zoneInfo.GetApexRecords(DnsResourceRecordType.SOA);
    2037. 

  2037. 

  2038.                 return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.ServerFailure, request.Question, null, authority) { Tag = DnsServerResponseType.Authoritative };
    2039. 

  2039.             }
    2040. 

  2040.         }
    2041. 

  2041. 

  2042.         private async Task<DnsDatagram> ProcessCNAMEAsync(DnsDatagram request, IPEndPoint remoteEP, DnsDatagram response, bool isRecursionAllowed, DnsTransportProtocol protocol, bool cacheRefreshOperation, bool skipDnsAppAuthoritativeRequestHandlers)
    2043. 

  2043.         {
    2044. 

  2044.             List<DnsResourceRecord> newAnswer = new List<DnsResourceRecord>(response.Answer.Count + 4);
    2045. 

  2045.             newAnswer.AddRange(response.Answer);
    2046. 

  2046. 

  2047.             //copying NSEC/NSEC3 for for wildcard answers
    2048. 

  2048.             List<DnsResourceRecord> newAuthority = new List<DnsResourceRecord>(2);
    2049. 

  2049. 

  2050.             foreach (DnsResourceRecord record in response.Authority)
    2051. 

  2051.             {
    2052. 

  2052.                 switch (record.Type)
    2053. 

  2053.                 {
    2054. 

  2054.                     case DnsResourceRecordType.NSEC:
    2055. 

  2055.                     case DnsResourceRecordType.NSEC3:
    2056. 

  2056.                         newAuthority.Add(record);
    2057. 

  2057.                         break;
    2058. 

  2058. 

  2059.                     case DnsResourceRecordType.RRSIG:
    2060. 

  2060.                         switch ((record.RDATA as DnsRRSIGRecordData).TypeCovered)
    2061. 

  2061.                         {
    2062. 

  2062.                             case DnsResourceRecordType.NSEC:
    2063. 

  2063.                             case DnsResourceRecordType.NSEC3:
    2064. 

  2064.                                 newAuthority.Add(record);
    2065. 

  2065.                                 break;
    2066. 

  2066.                         }
    2067. 

  2067.                         break;
    2068. 

  2068.                 }
    2069. 

  2069.             }
    2070. 

  2070. 

  2071.             DnsDatagram lastResponse = response;
    2072. 

  2072.             bool isAuthoritativeAnswer = response.AuthoritativeAnswer;
    2073. 

  2073.             DnsResourceRecord lastRR = response.GetLastAnswerRecord();
    2074. 

  2074.             EDnsOption[] eDnsClientSubnetOption = null;
    2075. 

  2075.             DnsDatagram newResponse = null;
    2076. 

  2076. 

  2077.             if (_eDnsClientSubnet)
    2078. 

  2078.             {
    2079. 

  2079.                 EDnsClientSubnetOptionData requestECS = request.GetEDnsClientSubnetOption();
    2080. 

  2080.                 if (requestECS is not null)
    2081. 

  2081.                     eDnsClientSubnetOption = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EDNS_CLIENT_SUBNET, requestECS) };
    2082. 

  2082.             }
    2083. 

  2083. 

  2084.             int queryCount = 0;
    2085. 

  2085.             do
    2086. 

  2086.             {
    2087. 

  2087.                 string cnameDomain = (lastRR.RDATA as DnsCNAMERecordData).Domain;
    2088. 

  2088.                 if (lastRR.Name.Equals(cnameDomain, StringComparison.OrdinalIgnoreCase))
    2089. 

  2089.                     break; //loop detected
    2090. 

  2090. 

  2091.                 DnsDatagram newRequest = new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { new DnsQuestionRecord(cnameDomain, request.Question[0].Type, request.Question[0].Class) }, null, null, null, _udpPayloadSize, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, eDnsClientSubnetOption);
    2092. 

  2092. 

  2093.                 //query authoritative zone first
    2094. 

  2094.                 newResponse = await AuthoritativeQueryAsync(newRequest, remoteEP, protocol, isRecursionAllowed, skipDnsAppAuthoritativeRequestHandlers);
    2095. 

  2095.                 if (newResponse is null)
    2096. 

  2096.                 {
    2097. 

  2097.                     //not found in auth zone
    2098. 

  2098.                     if (newRequest.RecursionDesired && isRecursionAllowed)
    2099. 

  2099.                     {
    2100. 

  2100.                         //do recursion
    2101. 

  2101.                         newResponse = await RecursiveResolveAsync(newRequest, remoteEP, null, _dnssecValidation, false, cacheRefreshOperation, skipDnsAppAuthoritativeRequestHandlers);
    2102. 

  2102.                         isAuthoritativeAnswer = false;
    2103. 

  2103.                     }
    2104. 

  2104.                     else
    2105. 

  2105.                     {
    2106. 

  2106.                         //break since no recursion allowed/desired
    2107. 

  2107.                         break;
    2108. 

  2108.                     }
    2109. 

  2109.                 }
    2110. 

  2110.                 else if ((newResponse.Answer.Count > 0) && (newResponse.GetLastAnswerRecord().Type == DnsResourceRecordType.ANAME))
    2111. 

  2111.                 {
    2112. 

  2112.                     newResponse = await ProcessANAMEAsync(request, remoteEP, newResponse, isRecursionAllowed, protocol, skipDnsAppAuthoritativeRequestHandlers);
    2113. 

  2113.                 }
    2114. 

  2114.                 else if ((newResponse.Answer.Count == 0) && (newResponse.Authority.Count > 0))
    2115. 

  2115.                 {
    2116. 

  2116.                     //found delegated/forwarded zone
    2117. 

  2117.                     DnsResourceRecord firstAuthority = newResponse.FindFirstAuthorityRecord();
    2118. 

  2118.                     switch (firstAuthority.Type)
    2119. 

  2119.                     {
    2120. 

  2120.                         case DnsResourceRecordType.NS:
    2121. 

  2121.                             if (newRequest.RecursionDesired && isRecursionAllowed)
    2122. 

  2122.                             {
    2123. 

  2123.                                 //do forced recursive resolution using empty conditional forwarders; name servers will be provided via ResolveDnsCache
    2124. 

  2124.                                 newResponse = await RecursiveResolveAsync(newRequest, remoteEP, Array.Empty<DnsResourceRecord>(), _dnssecValidation, false, false, skipDnsAppAuthoritativeRequestHandlers);
    2125. 

  2125.                                 isAuthoritativeAnswer = false;
    2126. 

  2126.                             }
    2127. 

  2127. 

  2128.                             break;
    2129. 

  2129. 

  2130.                         case DnsResourceRecordType.FWD:
    2131. 

  2131.                             //do conditional forwarding
    2132. 

  2132.                             newResponse = await RecursiveResolveAsync(newRequest, remoteEP, newResponse.Authority, _dnssecValidation, false, false, skipDnsAppAuthoritativeRequestHandlers);
    2133. 

  2133.                             isAuthoritativeAnswer = false;
    2134. 

  2134.                             break;
    2135. 

  2135. 

  2136.                         case DnsResourceRecordType.APP:
    2137. 

  2137.                             newResponse = await ProcessAPPAsync(newRequest, remoteEP, newResponse, isRecursionAllowed, protocol);
    2138. 

  2138.                             break;
    2139. 

  2139.                     }
    2140. 

  2140.                 }
    2141. 

  2141. 

  2142.                 //check last response
    2143. 

  2143.                 if (newResponse.Answer.Count == 0)
    2144. 

  2144.                     break; //cannot proceed to resolve further
    2145. 

  2145. 

  2146.                 lastRR = newResponse.GetLastAnswerRecord();
    2147. 

  2147.                 if (lastRR.Type != DnsResourceRecordType.CNAME)
    2148. 

  2148.                 {
    2149. 

  2149.                     newAnswer.AddRange(newResponse.Answer);
    2150. 

  2150.                     break; //cname was resolved
    2151. 

  2151.                 }
    2152. 

  2152. 

  2153.                 bool foundRepeat = false;
    2154. 

  2154. 

  2155.                 foreach (DnsResourceRecord answerRecord in newAnswer)
    2156. 

  2156.                 {
    2157. 

  2157.                     if (answerRecord.Type != DnsResourceRecordType.CNAME)
    2158. 

  2158.                         continue;
    2159. 

  2159. 

  2160.                     if (answerRecord.RDATA.Equals(lastRR.RDATA))
    2161. 

  2161.                     {
    2162. 

  2162.                         foundRepeat = true;
    2163. 

  2163.                         break;
    2164. 

  2164.                     }
    2165. 

  2165.                 }
    2166. 

  2166. 

  2167.                 if (foundRepeat)
    2168. 

  2168.                     break; //loop detected
    2169. 

  2169. 

  2170.                 newAnswer.AddRange(newResponse.Answer);
    2171. 

  2171. 

  2172.                 lastResponse = newResponse;
    2173. 

  2173.             }
    2174. 

  2174.             while (++queryCount < MAX_CNAME_HOPS);
    2175. 

  2175. 

  2176.             DnsResponseCode rcode;
    2177. 

  2177.             IReadOnlyList<DnsResourceRecord> authority;
    2178. 

  2178.             IReadOnlyList<DnsResourceRecord> additional;
    2179. 

  2179. 

  2180.             if (newResponse is null)
    2181. 

  2181.             {
    2182. 

  2182.                 //no recursion available
    2183. 

  2183.                 rcode = DnsResponseCode.NoError;
    2184. 

  2184. 

  2185.                 if (newAuthority.Count == 0)
    2186. 

  2186.                 {
    2187. 

  2187.                     authority = lastResponse.Authority;
    2188. 

  2188.                 }
    2189. 

  2189.                 else
    2190. 

  2190.                 {
    2191. 

  2191.                     newAuthority.AddRange(lastResponse.Authority);
    2192. 

  2192.                     authority = newAuthority;
    2193. 

  2193.                 }
    2194. 

  2194. 

  2195.                 additional = lastResponse.Additional;
    2196. 

  2196.             }
    2197. 

  2197.             else
    2198. 

  2198.             {
    2199. 

  2199.                 rcode = newResponse.RCODE;
    2200. 

  2200. 

  2201.                 if (newAuthority.Count == 0)
    2202. 

  2202.                 {
    2203. 

  2203.                     authority = newResponse.Authority;
    2204. 

  2204.                 }
    2205. 

  2205.                 else
    2206. 

  2206.                 {
    2207. 

  2207.                     newAuthority.AddRange(newResponse.Authority);
    2208. 

  2208.                     authority = newAuthority;
    2209. 

  2209.                 }
    2210. 

  2210. 

  2211.                 additional = newResponse.Additional;
    2212. 

  2212.             }
    2213. 

  2213. 

  2214.             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, isAuthoritativeAnswer, false, request.RecursionDesired, isRecursionAllowed, false, request.CheckingDisabled, rcode, request.Question, newAnswer, authority, additional) { Tag = response.Tag };
    2215. 

  2215.         }
    2216. 

  2216. 

  2217.         private async Task<DnsDatagram> ProcessANAMEAsync(DnsDatagram request, IPEndPoint remoteEP, DnsDatagram response, bool isRecursionAllowed, DnsTransportProtocol protocol, bool skipDnsAppAuthoritativeRequestHandlers)
    2218. 

  2218.         {
    2219. 

  2219.             EDnsOption[] eDnsClientSubnetOption = null;
    2220. 

  2220. 

  2221.             if (_eDnsClientSubnet)
    2222. 

  2222.             {
    2223. 

  2223.                 EDnsClientSubnetOptionData requestECS = request.GetEDnsClientSubnetOption();
    2224. 

  2224.                 if (requestECS is not null)
    2225. 

  2225.                     eDnsClientSubnetOption = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EDNS_CLIENT_SUBNET, requestECS) };
    2226. 

  2226.             }
    2227. 

  2227. 

  2228.             Queue<Task<IReadOnlyList<DnsResourceRecord>>> resolveQueue = new Queue<Task<IReadOnlyList<DnsResourceRecord>>>();
    2229. 

  2229. 

  2230.             async Task<IReadOnlyList<DnsResourceRecord>> ResolveANAMEAsync(DnsResourceRecord anameRR, int queryCount = 0)
    2231. 

  2231.             {
    2232. 

  2232.                 string lastDomain = (anameRR.RDATA as DnsANAMERecordData).Domain;
    2233. 

  2233.                 if (anameRR.Name.Equals(lastDomain, StringComparison.OrdinalIgnoreCase))
    2234. 

  2234.                     return null; //loop detected
    2235. 

  2235. 

  2236.                 do
    2237. 

  2237.                 {
    2238. 

  2238.                     DnsDatagram newRequest = new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { new DnsQuestionRecord(lastDomain, request.Question[0].Type, request.Question[0].Class) }, null, null, null, _udpPayloadSize, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, eDnsClientSubnetOption);
    2239. 

  2239. 

  2240.                     //query authoritative zone first
    2241. 

  2241.                     DnsDatagram newResponse = await AuthoritativeQueryAsync(newRequest, remoteEP, protocol, isRecursionAllowed, skipDnsAppAuthoritativeRequestHandlers);
    2242. 

  2242.                     if (newResponse is null)
    2243. 

  2243.                     {
    2244. 

  2244.                         //not found in auth zone; do recursion
    2245. 

  2245.                         newResponse = await RecursiveResolveAsync(newRequest, remoteEP, null, _dnssecValidation, false, false, skipDnsAppAuthoritativeRequestHandlers);
    2246. 

  2246.                     }
    2247. 

  2247.                     else if ((newResponse.Answer.Count == 0) && (newResponse.Authority.Count > 0))
    2248. 

  2248.                     {
    2249. 

  2249.                         //found delegated/forwarded zone
    2250. 

  2250.                         DnsResourceRecord firstAuthority = newResponse.FindFirstAuthorityRecord();
    2251. 

  2251.                         switch (firstAuthority.Type)
    2252. 

  2252.                         {
    2253. 

  2253.                             case DnsResourceRecordType.NS:
    2254. 

  2254.                                 //do forced recursive resolution using empty conditional forwarders; name servers will be provided via ResolverDnsCache
    2255. 

  2255.                                 newResponse = await RecursiveResolveAsync(newRequest, remoteEP, Array.Empty<DnsResourceRecord>(), _dnssecValidation, false, false, skipDnsAppAuthoritativeRequestHandlers);
    2256. 

  2256.                                 break;
    2257. 

  2257. 

  2258.                             case DnsResourceRecordType.FWD:
    2259. 

  2259.                                 //do conditional forwarding
    2260. 

  2260.                                 newResponse = await RecursiveResolveAsync(newRequest, remoteEP, newResponse.Authority, _dnssecValidation, false, false, skipDnsAppAuthoritativeRequestHandlers);
    2261. 

  2261.                                 break;
    2262. 

  2262. 

  2263.                             case DnsResourceRecordType.APP:
    2264. 

  2264.                                 newResponse = await ProcessAPPAsync(newRequest, remoteEP, newResponse, isRecursionAllowed, protocol);
    2265. 

  2265.                                 break;
    2266. 

  2266.                         }
    2267. 

  2267.                     }
    2268. 

  2268. 

  2269.                     //check new response
    2270. 

  2270.                     if (newResponse.RCODE != DnsResponseCode.NoError)
    2271. 

  2271.                         return null; //cannot proceed to resolve further
    2272. 

  2272. 

  2273.                     if (newResponse.Answer.Count == 0)
    2274. 

  2274.                         return Array.Empty<DnsResourceRecord>(); //NO DATA
    2275. 

  2275. 

  2276.                     DnsResourceRecordType questionType = request.Question[0].Type;
    2277. 

  2277.                     DnsResourceRecord lastRR = newResponse.GetLastAnswerRecord();
    2278. 

  2278.                     if (lastRR.Type == questionType)
    2279. 

  2279.                     {
    2280. 

  2280.                         //found final answer
    2281. 

  2281.                         List<DnsResourceRecord> answers = new List<DnsResourceRecord>();
    2282. 

  2282. 

  2283.                         foreach (DnsResourceRecord answer in newResponse.Answer)
    2284. 

  2284.                         {
    2285. 

  2285.                             if (answer.Type != questionType)
    2286. 

  2286.                                 continue;
    2287. 

  2287. 

  2288.                             if (anameRR.TTL < answer.TTL)
    2289. 

  2289.                                 answers.Add(new DnsResourceRecord(anameRR.Name, answer.Type, answer.Class, anameRR.TTL, answer.RDATA));
    2290. 

  2290.                             else
    2291. 

  2291.                                 answers.Add(new DnsResourceRecord(anameRR.Name, answer.Type, answer.Class, answer.TTL, answer.RDATA));
    2292. 

  2292.                         }
    2293. 

  2293. 

  2294.                         return answers;
    2295. 

  2295.                     }
    2296. 

  2296. 

  2297.                     if (lastRR.Type == DnsResourceRecordType.ANAME)
    2298. 

  2298.                     {
    2299. 

  2299.                         if (newResponse.Answer.Count == 1)
    2300. 

  2300.                         {
    2301. 

  2301.                             lastDomain = (lastRR.RDATA as DnsANAMERecordData).Domain;
    2302. 

  2302.                         }
    2303. 

  2303.                         else
    2304. 

  2304.                         {
    2305. 

  2305.                             //resolve multiple ANAME records async
    2306. 

  2306.                             queryCount++; //increment since one query was done already
    2307. 

  2307. 

  2308.                             foreach (DnsResourceRecord newAnswer in newResponse.Answer)
    2309. 

  2309.                                 resolveQueue.Enqueue(ResolveANAMEAsync(newAnswer, queryCount));
    2310. 

  2310. 

  2311.                             return Array.Empty<DnsResourceRecord>();
    2312. 

  2312.                         }
    2313. 

  2313.                     }
    2314. 

  2314.                     else if (lastRR.Type == DnsResourceRecordType.CNAME)
    2315. 

  2315.                     {
    2316. 

  2316.                         lastDomain = (lastRR.RDATA as DnsCNAMERecordData).Domain;
    2317. 

  2317.                     }
    2318. 

  2318.                     else
    2319. 

  2319.                     {
    2320. 

  2320.                         //aname/cname was resolved, but no answer found
    2321. 

  2321.                         return Array.Empty<DnsResourceRecord>();
    2322. 

  2322.                     }
    2323. 

  2323.                 }
    2324. 

  2324.                 while (++queryCount < MAX_CNAME_HOPS);
    2325. 

  2325. 

  2326.                 //max hops limit crossed
    2327. 

  2327.                 return null;
    2328. 

  2328.             }
    2329. 

  2329. 

  2330.             List<DnsResourceRecord> responseAnswer = new List<DnsResourceRecord>();
    2331. 

  2331. 

  2332.             foreach (DnsResourceRecord answer in response.Answer)
    2333. 

  2333.             {
    2334. 

  2334.                 if (answer.Type == DnsResourceRecordType.ANAME)
    2335. 

  2335.                 {
    2336. 

  2336.                     resolveQueue.Enqueue(ResolveANAMEAsync(answer));
    2337. 

  2337.                 }
    2338. 

  2338.                 else
    2339. 

  2339.                 {
    2340. 

  2340.                     if (resolveQueue.Count == 0)
    2341. 

  2341.                         responseAnswer.Add(answer);
    2342. 

  2342.                 }
    2343. 

  2343.             }
    2344. 

  2344. 

  2345.             bool foundErrors = false;
    2346. 

  2346. 

  2347.             while (resolveQueue.Count > 0)
    2348. 

  2348.             {
    2349. 

  2349.                 IReadOnlyList<DnsResourceRecord> records = await resolveQueue.Dequeue();
    2350. 

  2350.                 if (records is null)
    2351. 

  2351.                     foundErrors = true;
    2352. 

  2352.                 else if (records.Count > 0)
    2353. 

  2353.                     responseAnswer.AddRange(records);
    2354. 

  2354.             }
    2355. 

  2355. 

  2356.             DnsResponseCode rcode = DnsResponseCode.NoError;
    2357. 

  2357.             IReadOnlyList<DnsResourceRecord> authority = null;
    2358. 

  2358. 

  2359.             if (responseAnswer.Count == 0)
    2360. 

  2360.             {
    2361. 

  2361.                 if (foundErrors)
    2362. 

  2362.                 {
    2363. 

  2363.                     rcode = DnsResponseCode.ServerFailure;
    2364. 

  2364.                 }
    2365. 

  2365.                 else
    2366. 

  2366.                 {
    2367. 

  2367.                     authority = response.Authority;
    2368. 

  2368. 

  2369.                     //update last used on
    2370. 

  2370.                     DateTime utcNow = DateTime.UtcNow;
    2371. 

  2371. 

  2372.                     foreach (DnsResourceRecord record in authority)
    2373. 

  2373.                         record.GetAuthRecordInfo().LastUsedOn = utcNow;
    2374. 

  2374.                 }
    2375. 

  2375.             }
    2376. 

  2376. 

  2377.             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, true, false, request.RecursionDesired, isRecursionAllowed, false, false, rcode, request.Question, responseAnswer, authority, null) { Tag = response.Tag };
    2378. 

  2378.         }
    2379. 

  2379. 

  2380.         private DnsDatagram ProcessBlockedQuery(DnsDatagram request)
    2381. 

  2381.         {
    2382. 

  2382.             DnsDatagram response = _blockedZoneManager.Query(request);
    2383. 

  2383.             if (response is null)
    2384. 

  2384.             {
    2385. 

  2385.                 //domain not blocked in blocked zone
    2386. 

  2386.                 response = _blockListZoneManager.Query(request); //check in block list zone
    2387. 

  2387.                 if (response is null)
    2388. 

  2388.                     return null; //domain not blocked in block list zone
    2389. 

  2389. 

  2390.                 //domain is blocked in block list zone
    2391. 

  2391.                 response.Tag = DnsServerResponseType.Blocked;
    2392. 

  2392.                 return response;
    2393. 

  2393.             }
    2394. 

  2394.             else
    2395. 

  2395.             {
    2396. 

  2396.                 //domain is blocked in blocked zone
    2397. 

  2397.                 DnsQuestionRecord question = request.Question[0];
    2398. 

  2398. 

  2399.                 string GetBlockedDomain()
    2400. 

  2400.                 {
    2401. 

  2401.                     DnsResourceRecord firstAuthority = response.FindFirstAuthorityRecord();
    2402. 

  2402.                     if ((firstAuthority is not null) && (firstAuthority.Type == DnsResourceRecordType.SOA))
    2403. 

  2403.                         return firstAuthority.Name;
    2404. 

  2404.                     else
    2405. 

  2405.                         return question.Name;
    2406. 

  2406.                 }
    2407. 

  2407. 

  2408.                 if (_allowTxtBlockingReport && (question.Type == DnsResourceRecordType.TXT))
    2409. 

  2409.                 {
    2410. 

  2410.                     //return meta data
    2411. 

  2411.                     string blockedDomain = GetBlockedDomain();
    2412. 

  2412. 

  2413.                     IReadOnlyList<DnsResourceRecord> answer = new DnsResourceRecord[] { new DnsResourceRecord(question.Name, DnsResourceRecordType.TXT, question.Class, 60, new DnsTXTRecordData("source=blocked-zone; domain=" + blockedDomain)) };
    2414. 

  2414. 

  2415.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, request.Question, answer) { Tag = DnsServerResponseType.Blocked };
    2416. 

  2416.                 }
    2417. 

  2417.                 else
    2418. 

  2418.                 {
    2419. 

  2419.                     string blockedDomain = null;
    2420. 

  2420.                     EDnsOption[] options = null;
    2421. 

  2421. 

  2422.                     if (_allowTxtBlockingReport && (request.EDNS is not null))
    2423. 

  2423.                     {
    2424. 

  2424.                         blockedDomain = GetBlockedDomain();
    2425. 

  2425.                         options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.Blocked, "source=blocked-zone; domain=" + blockedDomain)) };
    2426. 

  2426.                     }
    2427. 

  2427. 

  2428.                     IReadOnlyCollection<DnsARecordData> aRecords;
    2429. 

  2429.                     IReadOnlyCollection<DnsAAAARecordData> aaaaRecords;
    2430. 

  2430. 

  2431.                     switch (_blockingType)
    2432. 

  2432.                     {
    2433. 

  2433.                         case DnsServerBlockingType.AnyAddress:
    2434. 

  2434.                             aRecords = _aRecords;
    2435. 

  2435.                             aaaaRecords = _aaaaRecords;
    2436. 

  2436.                             break;
    2437. 

  2437. 

  2438.                         case DnsServerBlockingType.CustomAddress:
    2439. 

  2439.                             aRecords = _customBlockingARecords;
    2440. 

  2440.                             aaaaRecords = _customBlockingAAAARecords;
    2441. 

  2441.                             break;
    2442. 

  2442. 

  2443.                         case DnsServerBlockingType.NxDomain:
    2444. 

  2444.                             if (blockedDomain is null)
    2445. 

  2445.                                 blockedDomain = GetBlockedDomain();
    2446. 

  2446. 

  2447.                             string parentDomain = AuthZoneManager.GetParentZone(blockedDomain);
    2448. 

  2448.                             if (parentDomain is null)
    2449. 

  2449.                                 parentDomain = string.Empty;
    2450. 

  2450. 

  2451.                             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NxDomain, request.Question, null, new DnsResourceRecord[] { new DnsResourceRecord(parentDomain, DnsResourceRecordType.SOA, question.Class, 60, _blockedZoneManager.DnsSOARecord) }, null, request.EDNS is null ? ushort.MinValue : _udpPayloadSize, EDnsHeaderFlags.None, options) { Tag = DnsServerResponseType.Blocked };
    2452. 

  2452. 

  2453.                         default:
    2454. 

  2454.                             throw new InvalidOperationException();
    2455. 

  2455.                     }
    2456. 

  2456. 

  2457.                     IReadOnlyList<DnsResourceRecord> answer;
    2458. 

  2458.                     IReadOnlyList<DnsResourceRecord> authority = null;
    2459. 

  2459. 

  2460.                     switch (question.Type)
    2461. 

  2461.                     {
    2462. 

  2462.                         case DnsResourceRecordType.A:
    2463. 

  2463.                             {
    2464. 

  2464.                                 List<DnsResourceRecord> rrList = new List<DnsResourceRecord>(aRecords.Count);
    2465. 

  2465. 

  2466.                                 foreach (DnsARecordData record in aRecords)
    2467. 

  2467.                                     rrList.Add(new DnsResourceRecord(question.Name, DnsResourceRecordType.A, question.Class, 60, record));
    2468. 

  2468. 

  2469.                                 answer = rrList;
    2470. 

  2470.                             }
    2471. 

  2471.                             break;
    2472. 

  2472. 

  2473.                         case DnsResourceRecordType.AAAA:
    2474. 

  2474.                             {
    2475. 

  2475.                                 List<DnsResourceRecord> rrList = new List<DnsResourceRecord>(aaaaRecords.Count);
    2476. 

  2476. 

  2477.                                 foreach (DnsAAAARecordData record in aaaaRecords)
    2478. 

  2478.                                     rrList.Add(new DnsResourceRecord(question.Name, DnsResourceRecordType.AAAA, question.Class, 60, record));
    2479. 

  2479. 

  2480.                                 answer = rrList;
    2481. 

  2481.                             }
    2482. 

  2482.                             break;
    2483. 

  2483. 

  2484.                         default:
    2485. 

  2485.                             answer = response.Answer;
    2486. 

  2486.                             authority = response.Authority;
    2487. 

  2487.                             break;
    2488. 

  2488.                     }
    2489. 

  2489. 

  2490.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, false, false, false, DnsResponseCode.NoError, request.Question, answer, authority, null, request.EDNS is null ? ushort.MinValue : _udpPayloadSize, EDnsHeaderFlags.None, options) { Tag = DnsServerResponseType.Blocked };
    2491. 

  2491.                 }
    2492. 

  2492.             }
    2493. 

  2493.         }
    2494. 

  2494. 

  2495.         private async Task<DnsDatagram> ProcessRecursiveQueryAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, IReadOnlyList<DnsResourceRecord> conditionalForwarders, bool dnssecValidation, bool cacheRefreshOperation, bool skipDnsAppAuthoritativeRequestHandlers)
    2496. 

  2496.         {
    2497. 

  2497.             bool inAllowedZone;
    2498. 

  2498. 

  2499.             if (cacheRefreshOperation)
    2500. 

  2500.             {
    2501. 

  2501.                 //cache refresh operation should be able to refresh all the records in cache
    2502. 

  2502.                 //this is since a blocked CNAME record could still be used by an allowed domain name and so must resolve
    2503. 

  2503.                 inAllowedZone = true;
    2504. 

  2504.             }
    2505. 

  2505.             else if (!_enableBlocking)
    2506. 

  2506.             {
    2507. 

  2507.                 inAllowedZone = true;
    2508. 

  2508.             }
    2509. 

  2509.             else
    2510. 

  2510.             {
    2511. 

  2511.                 inAllowedZone = _allowedZoneManager.IsAllowed(request) || _blockListZoneManager.IsAllowed(request);
    2512. 

  2512.                 if (!inAllowedZone)
    2513. 

  2513.                 {
    2514. 

  2514.                     //check in blocked zone and block list zone
    2515. 

  2515.                     DnsDatagram blockedResponse = ProcessBlockedQuery(request);
    2516. 

  2516.                     if (blockedResponse is not null)
    2517. 

  2517.                         return blockedResponse;
    2518. 

  2518.                 }
    2519. 

  2519.             }
    2520. 

  2520. 

  2521.             DnsDatagram response = await RecursiveResolveAsync(request, remoteEP, conditionalForwarders, dnssecValidation, false, cacheRefreshOperation, skipDnsAppAuthoritativeRequestHandlers);
    2522. 

  2522. 

  2523.             if (response.Answer.Count > 0)
    2524. 

  2524.             {
    2525. 

  2525.                 DnsResourceRecordType questionType = request.Question[0].Type;
    2526. 

  2526.                 DnsResourceRecord lastRR = response.GetLastAnswerRecord();
    2527. 

  2527. 

  2528.                 if ((lastRR.Type != questionType) && (lastRR.Type == DnsResourceRecordType.CNAME) && (questionType != DnsResourceRecordType.ANY))
    2529. 

  2529.                     response = await ProcessCNAMEAsync(request, remoteEP, response, true, protocol, cacheRefreshOperation, skipDnsAppAuthoritativeRequestHandlers);
    2530. 

  2530. 

  2531.                 if (!inAllowedZone)
    2532. 

  2532.                 {
    2533. 

  2533.                     //check for CNAME cloaking
    2534. 

  2534.                     for (int i = 0; i < response.Answer.Count; i++)
    2535. 

  2535.                     {
    2536. 

  2536.                         DnsResourceRecord record = response.Answer[i];
    2537. 

  2537. 

  2538.                         if (record.Type != DnsResourceRecordType.CNAME)
    2539. 

  2539.                             break; //no further CNAME records exists
    2540. 

  2540. 

  2541.                         DnsDatagram newRequest = new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, true, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { new DnsQuestionRecord((record.RDATA as DnsCNAMERecordData).Domain, request.Question[0].Type, request.Question[0].Class) }, null, null, null, _udpPayloadSize);
    2542. 

  2542. 

  2543.                         //check allowed zone
    2544. 

  2544.                         inAllowedZone = _allowedZoneManager.IsAllowed(newRequest) || _blockListZoneManager.IsAllowed(newRequest);
    2545. 

  2545.                         if (inAllowedZone)
    2546. 

  2546.                             break; //CNAME is in allowed zone
    2547. 

  2547. 

  2548.                         //check blocked zone and block list zone
    2549. 

  2549.                         DnsDatagram blockedResponse = ProcessBlockedQuery(newRequest);
    2550. 

  2550.                         if (blockedResponse is not null)
    2551. 

  2551.                         {
    2552. 

  2552.                             //found cname cloaking
    2553. 

  2553.                             List<DnsResourceRecord> answer = new List<DnsResourceRecord>();
    2554. 

  2554. 

  2555.                             //copy current and previous CNAME records
    2556. 

  2556.                             for (int j = 0; j <= i; j++)
    2557. 

  2557.                                 answer.Add(response.Answer[j]);
    2558. 

  2558. 

  2559.                             //copy last response answers
    2560. 

  2560.                             answer.AddRange(blockedResponse.Answer);
    2561. 

  2561. 

  2562.                             //include blocked response additional section to pass on Extended DNS Errors
    2563. 

  2563.                             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, true, true, false, false, DnsResponseCode.NoError, request.Question, answer, blockedResponse.Authority, blockedResponse.Additional) { Tag = blockedResponse.Tag };
    2564. 

  2564.                         }
    2565. 

  2565.                     }
    2566. 

  2566.                 }
    2567. 

  2567.             }
    2568. 

  2568. 

  2569.             if (response.Tag is null)
    2570. 

  2570.             {
    2571. 

  2571.                 if (response.IsBlockedResponse())
    2572. 

  2572.                     response.Tag = DnsServerResponseType.UpstreamBlocked;
    2573. 

  2573.             }
    2574. 

  2574.             else if ((DnsServerResponseType)response.Tag == DnsServerResponseType.Cached)
    2575. 

  2575.             {
    2576. 

  2576.                 if (response.IsBlockedResponse())
    2577. 

  2577.                     response.Tag = DnsServerResponseType.CacheBlocked;
    2578. 

  2578.             }
    2579. 

  2579. 

  2580.             return response;
    2581. 

  2581.         }
    2582. 

  2582. 

  2583.         private async Task<DnsDatagram> RecursiveResolveAsync(DnsDatagram request, IPEndPoint remoteEP, IReadOnlyList<DnsResourceRecord> conditionalForwarders, bool dnssecValidation, bool cachePrefetchOperation, bool cacheRefreshOperation, bool skipDnsAppAuthoritativeRequestHandlers)
    2584. 

  2584.         {
    2585. 

  2585.             DnsQuestionRecord question = request.Question[0];
    2586. 

  2586.             NetworkAddress eDnsClientSubnet = null;
    2587. 

  2587. 

  2588.             if (_eDnsClientSubnet && CacheZone.IsTypeSupportedForEDnsClientSubnet(question.Type))
    2589. 

  2589.             {
    2590. 

  2590.                 EDnsClientSubnetOptionData requestECS = request.GetEDnsClientSubnetOption();
    2591. 

  2591.                 if (requestECS is null)
    2592. 

  2592.                 {
    2593. 

  2593.                     if (!NetUtilities.IsPrivateIP(remoteEP.Address))
    2594. 

  2594.                     {
    2595. 

  2595.                         //set shadow ECS option
    2596. 

  2596.                         switch (remoteEP.AddressFamily)
    2597. 

  2597.                         {
    2598. 

  2598.                             case AddressFamily.InterNetwork:
    2599. 

  2599.                                 eDnsClientSubnet = new NetworkAddress(remoteEP.Address, _eDnsClientSubnetIPv4PrefixLength);
    2600. 

  2600.                                 request.SetShadowEDnsClientSubnetOption(eDnsClientSubnet);
    2601. 

  2601.                                 break;
    2602. 

  2602. 

  2603.                             case AddressFamily.InterNetworkV6:
    2604. 

  2604.                                 eDnsClientSubnet = new NetworkAddress(remoteEP.Address, _eDnsClientSubnetIPv6PrefixLength);
    2605. 

  2605.                                 request.SetShadowEDnsClientSubnetOption(eDnsClientSubnet);
    2606. 

  2606.                                 break;
    2607. 

  2607. 

  2608.                             default:
    2609. 

  2609.                                 request.ShadowHideEDnsClientSubnetOption();
    2610. 

  2610.                                 break;
    2611. 

  2611.                         }
    2612. 

  2612.                     }
    2613. 

  2613.                 }
    2614. 

  2614.                 else if ((requestECS.Family != EDnsClientSubnetAddressFamily.IPv4) && (requestECS.Family != EDnsClientSubnetAddressFamily.IPv6))
    2615. 

  2615.                 {
    2616. 

  2616.                     return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, true, false, false, DnsResponseCode.FormatError, request.Question) { Tag = DnsServerResponseType.Authoritative };
    2617. 

  2617.                 }
    2618. 

  2618.                 else if ((requestECS.SourcePrefixLength == 0) || NetUtilities.IsPrivateIP(requestECS.Address))
    2619. 

  2619.                 {
    2620. 

  2620.                     //disable ECS option
    2621. 

  2621.                     request.ShadowHideEDnsClientSubnetOption();
    2622. 

  2622.                 }
    2623. 

  2623.                 else
    2624. 

  2624.                 {
    2625. 

  2625.                     //use ECS from client request
    2626. 

  2626.                     switch (requestECS.Family)
    2627. 

  2627.                     {
    2628. 

  2628.                         case EDnsClientSubnetAddressFamily.IPv4:
    2629. 

  2629.                             eDnsClientSubnet = new NetworkAddress(requestECS.Address, Math.Min(requestECS.SourcePrefixLength, _eDnsClientSubnetIPv4PrefixLength));
    2630. 

  2630.                             request.SetShadowEDnsClientSubnetOption(eDnsClientSubnet);
    2631. 

  2631.                             break;
    2632. 

  2632. 

  2633.                         case EDnsClientSubnetAddressFamily.IPv6:
    2634. 

  2634.                             eDnsClientSubnet = new NetworkAddress(requestECS.Address, Math.Min(requestECS.SourcePrefixLength, _eDnsClientSubnetIPv6PrefixLength));
    2635. 

  2635.                             request.SetShadowEDnsClientSubnetOption(eDnsClientSubnet);
    2636. 

  2636.                             break;
    2637. 

  2637.                     }
    2638. 

  2638.                 }
    2639. 

  2639.             }
    2640. 

  2640.             else
    2641. 

  2641.             {
    2642. 

  2642.                 //hide ECS option
    2643. 

  2643.                 request.ShadowHideEDnsClientSubnetOption();
    2644. 

  2644.             }
    2645. 

  2645. 

  2646.             if (!cachePrefetchOperation && !cacheRefreshOperation)
    2647. 

  2647.             {
    2648. 

  2648.                 //query cache zone to see if answer available
    2649. 

  2649.                 DnsDatagram cacheResponse = QueryCache(request, false);
    2650. 

  2650.                 if (cacheResponse is not null)
    2651. 

  2651.                 {
    2652. 

  2652.                     if (_cachePrefetchTrigger > 0)
    2653. 

  2653.                     {
    2654. 

  2654.                         //inspect response TTL values to decide if prefetch trigger is needed
    2655. 

  2655.                         foreach (DnsResourceRecord answer in cacheResponse.Answer)
    2656. 

  2656.                         {
    2657. 

  2657.                             if ((answer.OriginalTtlValue >= _cachePrefetchEligibility) && (answer.TTL <= _cachePrefetchTrigger))
    2658. 

  2658.                             {
    2659. 

  2659.                                 //trigger prefetch async
    2660. 

  2660.                                 _ = PrefetchCacheAsync(request, remoteEP, conditionalForwarders);
    2661. 

  2661.                                 break;
    2662. 

  2662.                             }
    2663. 

  2663.                         }
    2664. 

  2664.                     }
    2665. 

  2665. 

  2666.                     return cacheResponse;
    2667. 

  2667.                 }
    2668. 

  2668.             }
    2669. 

  2669. 

  2670.             //recursion with locking
    2671. 

  2671.             TaskCompletionSource<RecursiveResolveResponse> resolverTaskCompletionSource = new TaskCompletionSource<RecursiveResolveResponse>();
    2672. 

  2672.             Task<RecursiveResolveResponse> resolverTask = _resolverTasks.GetOrAdd(GetResolverQueryKey(question, eDnsClientSubnet), resolverTaskCompletionSource.Task);
    2673. 

  2673. 

  2674.             if (resolverTask.Equals(resolverTaskCompletionSource.Task))
    2675. 

  2675.             {
    2676. 

  2676.                 //got new resolver task added so question is not being resolved; do recursive resolution in another task on resolver thread pool
    2677. 

  2677.                 _ = Task.Factory.StartNew(delegate ()
    2678. 

  2678.                 {
    2679. 

  2679.                     return RecursiveResolveAsync(question, eDnsClientSubnet, conditionalForwarders, dnssecValidation, cachePrefetchOperation, cacheRefreshOperation, skipDnsAppAuthoritativeRequestHandlers, resolverTaskCompletionSource);
    2680. 

  2680.                 }, CancellationToken.None, TaskCreationOptions.DenyChildAttach, _resolverTaskScheduler);
    2681. 

  2681.             }
    2682. 

  2682. 

  2683.             //request is being recursively resolved by another thread
    2684. 

  2684. 

  2685.             if (cachePrefetchOperation)
    2686. 

  2686.                 return null; //return null as prefetch worker thread does not need valid response and thus does not need to wait
    2687. 

  2687. 

  2688.             DateTime resolverWaitStartTime = DateTime.UtcNow;
    2689. 

  2689. 

  2690.             //wait till short timeout for response
    2691. 

  2691.             if (await Task.WhenAny(resolverTask, Task.Delay(SERVE_STALE_WAIT_TIME)) == resolverTask) //1.8 sec wait as per draft-ietf-dnsop-serve-stale-04
    2692. 

  2692.             {
    2693. 

  2693.                 //resolver signaled
    2694. 

  2694.                 RecursiveResolveResponse response = await resolverTask;
    2695. 

  2695. 

  2696.                 if (response is not null)
    2697. 

  2697.                     return PrepareRecursiveResolveResponse(request, response);
    2698. 

  2698. 

  2699.                 //resolver had exception and no stale record was found
    2700. 

  2700.             }
    2701. 

  2701.             else
    2702. 

  2702.             {
    2703. 

  2703.                 //wait timed out
    2704. 

  2704. 

  2705.                 if (_serveStale)
    2706. 

  2706.                 {
    2707. 

  2707.                     //query cache zone to return stale answer (if available) as per draft-ietf-dnsop-serve-stale-04
    2708. 

  2708.                     DnsDatagram staleResponse = QueryCache(request, true);
    2709. 

  2709.                     if (staleResponse is not null)
    2710. 

  2710.                         return staleResponse;
    2711. 

  2711.                 }
    2712. 

  2712. 

  2713.                 //wait till full timeout before responding as ServerFailure
    2714. 

  2714.                 int timeout = Convert.ToInt32(_clientTimeout - (DateTime.UtcNow - resolverWaitStartTime).TotalMilliseconds);
    2715. 

  2715.                 if (timeout > 0)
    2716. 

  2716.                 {
    2717. 

  2717.                     if (await Task.WhenAny(resolverTask, Task.Delay(timeout)) == resolverTask)
    2718. 

  2718.                     {
    2719. 

  2719.                         //resolver signaled
    2720. 

  2720.                         RecursiveResolveResponse response = await resolverTask;
    2721. 

  2721. 

  2722.                         if (response is not null)
    2723. 

  2723.                             return PrepareRecursiveResolveResponse(request, response);
    2724. 

  2724.                     }
    2725. 

  2725. 

  2726.                     //no response available from resolver or resolver had exception and no stale record was found
    2727. 

  2727.                 }
    2728. 

  2728.             }
    2729. 

  2729. 

  2730.             //no response available; respond with ServerFailure
    2731. 

  2731.             EDnsOption[] options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.Other, "Waiting for resolver")) };
    2732. 

  2732.             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, request.RecursionDesired, true, false, false, DnsResponseCode.ServerFailure, request.Question, null, null, null, _udpPayloadSize, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options);
    2733. 

  2733.         }
    2734. 

  2734. 

  2735.         private async Task RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, IReadOnlyList<DnsResourceRecord> conditionalForwarders, bool dnssecValidation, bool cachePrefetchOperation, bool cacheRefreshOperation, bool skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource<RecursiveResolveResponse> taskCompletionSource)
    2736. 

  2736.         {
    2737. 

  2737.             try
    2738. 

  2738.             {
    2739. 

  2739.                 //recursive resolve and update cache
    2740. 

  2740.                 IDnsCache dnsCache;
    2741. 

  2741. 

  2742.                 if (cachePrefetchOperation || cacheRefreshOperation)
    2743. 

  2743.                     dnsCache = new ResolverPrefetchDnsCache(_dnsApplicationManager, _authZoneManager, _cacheZoneManager, _log, skipDnsAppAuthoritativeRequestHandlers, question);
    2744. 

  2744.                 else if (skipDnsAppAuthoritativeRequestHandlers)
    2745. 

  2745.                     dnsCache = new ResolverDnsCache(_dnsApplicationManager, _authZoneManager, _cacheZoneManager, _log, true);
    2746. 

  2746.                 else
    2747. 

  2747.                     dnsCache = _dnsCache;
    2748. 

  2748. 

  2749.                 //check for this-server
    2750. 

  2750.                 if ((conditionalForwarders is not null) && (conditionalForwarders.Count == 1) && (conditionalForwarders[0].RDATA is DnsForwarderRecordData fwd) && fwd.Forwarder.Equals("this-server", StringComparison.OrdinalIgnoreCase))
    2751. 

  2751.                 {
    2752. 

  2752.                     //resolve directly with DNSSEC validation preference
    2753. 

  2753.                     conditionalForwarders = null;
    2754. 

  2754.                     dnssecValidation = fwd.DnssecValidation;
    2755. 

  2755.                 }
    2756. 

  2756. 

  2757.                 DnsDatagram response;
    2758. 

  2758. 

  2759.                 if ((conditionalForwarders is not null) && (conditionalForwarders.Count > 0))
    2760. 

  2760.                 {
    2761. 

  2761.                     //check for forwarder name server resolution
    2762. 

  2762.                     foreach (DnsResourceRecord conditionalForwarder in conditionalForwarders)
    2763. 

  2763.                     {
    2764. 

  2764.                         if (conditionalForwarder.Type != DnsResourceRecordType.FWD)
    2765. 

  2765.                             continue;
    2766. 

  2766. 

  2767.                         DnsForwarderRecordData forwarder = conditionalForwarder.RDATA as DnsForwarderRecordData;
    2768. 

  2768. 

  2769.                         if (forwarder.Forwarder.Equals("this-server", StringComparison.OrdinalIgnoreCase))
    2770. 

  2770.                             continue;
    2771. 

  2771. 

  2772.                         NetProxy proxy = forwarder.Proxy;
    2773. 

  2773.                         if (proxy is null)
    2774. 

  2774.                             proxy = _proxy;
    2775. 

  2775. 

  2776.                         if (proxy is null)
    2777. 

  2777.                         {
    2778. 

  2778.                             //recursive resolve name server when proxy is null else let proxy resolve it
    2779. 

  2779.                             if (forwarder.NameServer.IsIPEndPointStale) //refresh forwarder IPEndPoint if stale
    2780. 

  2780.                                 await forwarder.NameServer.RecursiveResolveIPAddressAsync(dnsCache, null, _preferIPv6, _udpPayloadSize, _randomizeName, _resolverRetries, _resolverTimeout);
    2781. 

  2781.                         }
    2782. 

  2782.                     }
    2783. 

  2783. 

  2784.                     if (conditionalForwarders.Count == 1)
    2785. 

  2785.                     {
    2786. 

  2786.                         DnsResourceRecord conditionalForwarder = conditionalForwarders[0];
    2787. 

  2787.                         response = await ConditionalForwarderResolveAsync(question, eDnsClientSubnet, dnsCache, conditionalForwarder.RDATA as DnsForwarderRecordData, conditionalForwarder.Name);
    2788. 

  2788.                     }
    2789. 

  2789.                     else
    2790. 

  2790.                     {
    2791. 

  2791.                         using (CancellationTokenSource cancellationTokenSource = new CancellationTokenSource())
    2792. 

  2792.                         {
    2793. 

  2793.                             List<Task<DnsDatagram>> tasks = new List<Task<DnsDatagram>>(conditionalForwarders.Count);
    2794. 

  2794. 

  2795.                             //start worker tasks
    2796. 

  2796.                             foreach (DnsResourceRecord conditionalForwarder in conditionalForwarders)
    2797. 

  2797.                             {
    2798. 

  2798.                                 if (conditionalForwarder.Type != DnsResourceRecordType.FWD)
    2799. 

  2799.                                     continue;
    2800. 

  2800. 

  2801.                                 DnsForwarderRecordData forwarder = conditionalForwarder.RDATA as DnsForwarderRecordData;
    2802. 

  2802. 

  2803.                                 if (forwarder.Forwarder.Equals("this-server", StringComparison.OrdinalIgnoreCase))
    2804. 

  2804.                                     continue;
    2805. 

  2805. 

  2806.                                 tasks.Add(Task.Factory.StartNew(delegate ()
    2807. 

  2807.                                 {
    2808. 

  2808.                                     return ConditionalForwarderResolveAsync(question, eDnsClientSubnet, dnsCache, forwarder, conditionalForwarder.Name, cancellationTokenSource.Token);
    2809. 

  2809.                                 }, CancellationToken.None, TaskCreationOptions.DenyChildAttach, TaskScheduler.Current).Unwrap());
    2810. 

  2810.                             }
    2811. 

  2811. 

  2812.                             //wait for first positive response, or for all tasks to fault
    2813. 

  2813.                             response = null;
    2814. 

  2814.                             DnsDatagram lastResponse = null;
    2815. 

  2815.                             Exception lastException = null;
    2816. 

  2816. 

  2817.                             while (tasks.Count > 0)
    2818. 

  2818.                             {
    2819. 

  2819.                                 Task<DnsDatagram> completedTask = await Task.WhenAny(tasks);
    2820. 

  2820. 

  2821.                                 if (completedTask.Status == TaskStatus.RanToCompletion)
    2822. 

  2822.                                 {
    2823. 

  2823.                                     //resolver task complete
    2824. 

  2824.                                     DnsDatagram taskResponse = await completedTask; //await to get response
    2825. 

  2825.                                     bool foundResponse = false;
    2826. 

  2826. 

  2827.                                     switch (taskResponse.RCODE)
    2828. 

  2828.                                     {
    2829. 

  2829.                                         case DnsResponseCode.NoError:
    2830. 

  2830.                                         case DnsResponseCode.NxDomain:
    2831. 

  2831.                                         case DnsResponseCode.YXDomain:
    2832. 

  2832.                                             cancellationTokenSource.Cancel(); //to stop other resolver tasks
    2833. 

  2833.                                             response = taskResponse;
    2834. 

  2834.                                             foundResponse = true;
    2835. 

  2835.                                             break;
    2836. 

  2836. 

  2837.                                         default:
    2838. 

  2838.                                             //keep response
    2839. 

  2839.                                             lastResponse = taskResponse;
    2840. 

  2840.                                             break;
    2841. 

  2841.                                     }
    2842. 

  2842. 

  2843.                                     if (foundResponse)
    2844. 

  2844.                                         break;
    2845. 

  2845.                                 }
    2846. 

  2846. 

  2847.                                 tasks.Remove(completedTask);
    2848. 

  2848.                                 lastException = completedTask.Exception;
    2849. 

  2849. 

  2850.                                 if (lastException is AggregateException)
    2851. 

  2851.                                     lastException = lastException.InnerException;
    2852. 

  2852.                             }
    2853. 

  2853. 

  2854.                             if (response is null)
    2855. 

  2855.                             {
    2856. 

  2856.                                 if (lastResponse is not null)
    2857. 

  2857.                                     response = lastResponse;
    2858. 

  2858.                                 else if (lastException is not null)
    2859. 

  2859.                                     ExceptionDispatchInfo.Capture(lastException).Throw();
    2860. 

  2860.                                 else
    2861. 

  2861.                                     throw new InvalidOperationException();
    2862. 

  2862.                             }
    2863. 

  2863.                         }
    2864. 

  2864.                     }
    2865. 

  2865.                 }
    2866. 

  2866.                 else if ((conditionalForwarders is null) && (_forwarders is not null) && (_forwarders.Count > 0))
    2867. 

  2867.                 {
    2868. 

  2868.                     //use forwarders
    2869. 

  2869.                     if (_proxy is null)
    2870. 

  2870.                     {
    2871. 

  2871.                         //recursive resolve name server when proxy is null else let proxy resolve it
    2872. 

  2872.                         foreach (NameServerAddress nameServerAddress in _forwarders)
    2873. 

  2873.                         {
    2874. 

  2874.                             if (nameServerAddress.IsIPEndPointStale) //refresh forwarder IPEndPoint if stale
    2875. 

  2875.                                 await nameServerAddress.RecursiveResolveIPAddressAsync(dnsCache, null, _preferIPv6, _udpPayloadSize, _randomizeName, _resolverRetries, _resolverTimeout);
    2876. 

  2876.                         }
    2877. 

  2877.                     }
    2878. 

  2878. 

  2879.                     //query forwarders and update cache
    2880. 

  2880.                     DnsClient dnsClient = new DnsClient(_forwarders);
    2881. 

  2881. 

  2882.                     dnsClient.Cache = dnsCache;
    2883. 

  2883.                     dnsClient.Proxy = _proxy;
    2884. 

  2884.                     dnsClient.PreferIPv6 = _preferIPv6;
    2885. 

  2885.                     dnsClient.RandomizeName = _randomizeName;
    2886. 

  2886.                     dnsClient.Retries = _forwarderRetries;
    2887. 

  2887.                     dnsClient.Timeout = _forwarderTimeout;
    2888. 

  2888.                     dnsClient.Concurrency = _forwarderConcurrency;
    2889. 

  2889.                     dnsClient.UdpPayloadSize = _udpPayloadSize;
    2890. 

  2890.                     dnsClient.DnssecValidation = dnssecValidation;
    2891. 

  2891.                     dnsClient.EDnsClientSubnet = eDnsClientSubnet;
    2892. 

  2892.                     dnsClient.ConditionalForwardingZoneCut = question.Name; //adding zone cut to allow CNAME domains to be resolved independently to handle cases when private/forwarder zone is configured for them
    2893. 

  2893. 

  2894.                     response = await dnsClient.ResolveAsync(question);
    2895. 

  2895.                 }
    2896. 

  2896.                 else
    2897. 

  2897.                 {
    2898. 

  2898.                     //do recursive resolution
    2899. 

  2899.                     response = await DnsClient.RecursiveResolveAsync(question, dnsCache, _proxy, _preferIPv6, _udpPayloadSize, _randomizeName, _qnameMinimization, _nsRevalidation, dnssecValidation, eDnsClientSubnet, _resolverRetries, _resolverTimeout, _resolverMaxStackCount, true, true);
    2900. 

  2900.                 }
    2901. 

  2901. 

  2902.                 switch (response.RCODE)
    2903. 

  2903.                 {
    2904. 

  2904.                     case DnsResponseCode.NoError:
    2905. 

  2905.                     case DnsResponseCode.NxDomain:
    2906. 

  2906.                     case DnsResponseCode.YXDomain:
    2907. 

  2907.                         taskCompletionSource.SetResult(new RecursiveResolveResponse(response, response));
    2908. 

  2908.                         break;
    2909. 

  2909. 

  2910.                     default:
    2911. 

  2911.                         throw new DnsServerException("DNS Server received a response with RCODE=" + response.RCODE.ToString() + " from: " + (response.Metadata is null ? "unknown" : response.Metadata.NameServer));
    2912. 

  2912.                 }
    2913. 

  2913.             }
    2914. 

  2914.             catch (Exception ex)
    2915. 

  2915.             {
    2916. 

  2916.                 if (_log is not null)
    2917. 

  2917.                 {
    2918. 

  2918.                     string strForwarders = null;
    2919. 

  2919. 

  2920.                     if ((conditionalForwarders is not null) && (conditionalForwarders.Count > 0))
    2921. 

  2921.                     {
    2922. 

  2922.                         foreach (DnsResourceRecord conditionalForwarder in conditionalForwarders)
    2923. 

  2923.                         {
    2924. 

  2924.                             NameServerAddress nameServer = (conditionalForwarder.RDATA as DnsForwarderRecordData).NameServer;
    2925. 

  2925. 

  2926.                             if (strForwarders is null)
    2927. 

  2927.                                 strForwarders = nameServer.ToString();
    2928. 

  2928.                             else
    2929. 

  2929.                                 strForwarders += ", " + nameServer.ToString();
    2930. 

  2930.                         }
    2931. 

  2931.                     }
    2932. 

  2932.                     else if ((_forwarders is not null) && (_forwarders.Count > 0))
    2933. 

  2933.                     {
    2934. 

  2934.                         foreach (NameServerAddress nameServer in _forwarders)
    2935. 

  2935.                         {
    2936. 

  2936.                             if (strForwarders is null)
    2937. 

  2937.                                 strForwarders = nameServer.ToString();
    2938. 

  2938.                             else
    2939. 

  2939.                                 strForwarders += ", " + nameServer.ToString();
    2940. 

  2940.                         }
    2941. 

  2941.                     }
    2942. 

  2942. 

  2943.                     _log.Write("DNS Server failed to resolve the request with QNAME: " + question.Name + "; QTYPE: " + question.Type.ToString() + "; QCLASS: " + question.Class.ToString() + (strForwarders is null ? "" : "; Forwarders: " + strForwarders) + ";\r\n" + ex.ToString());
    2944. 

  2944.                 }
    2945. 

  2945. 

  2946.                 if (_serveStale)
    2947. 

  2947.                 {
    2948. 

  2948.                     //fetch stale record
    2949. 

  2949.                     DnsDatagram cacheRequest = new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, true, false, false, dnssecValidation, DnsResponseCode.NoError, new DnsQuestionRecord[] { question }, null, null, null, _udpPayloadSize, dnssecValidation ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, EDnsClientSubnetOptionData.GetEDnsClientSubnetOption(eDnsClientSubnet));
    2950. 

  2950.                     DnsDatagram staleResponse = QueryCache(cacheRequest, true);
    2951. 

  2951.                     if (staleResponse is not null)
    2952. 

  2952.                     {
    2953. 

  2953.                         //signal stale response
    2954. 

  2954.                         if (!dnssecValidation || staleResponse.AuthenticData)
    2955. 

  2955.                         {
    2956. 

  2956.                             taskCompletionSource.SetResult(new RecursiveResolveResponse(staleResponse, staleResponse));
    2957. 

  2957.                         }
    2958. 

  2958.                         else
    2959. 

  2959.                         {
    2960. 

  2960.                             DnsDatagram failureResponse = new DnsDatagram(0, true, DnsOpcode.StandardQuery, false, false, true, true, false, dnssecValidation, DnsResponseCode.ServerFailure, new DnsQuestionRecord[] { question });
    2961. 

  2961. 

  2962.                             taskCompletionSource.SetResult(new RecursiveResolveResponse(failureResponse, staleResponse));
    2963. 

  2963.                         }
    2964. 

  2964. 

  2965.                         return;
    2966. 

  2966.                     }
    2967. 

  2967.                 }
    2968. 

  2968. 

  2969.                 //signal failure response to release waiting tasks
    2970. 

  2970.                 if (ex is DnsClientResponseDnssecValidationException ex2)
    2971. 

  2971.                 {
    2972. 

  2972.                     List<EDnsOption> options;
    2973. 

  2973. 

  2974.                     if (ex2.Response.DnsClientExtendedErrors.Count > 0)
    2975. 

  2975.                     {
    2976. 

  2976.                         options = new List<EDnsOption>(ex2.Response.DnsClientExtendedErrors.Count);
    2977. 

  2977. 

  2978.                         foreach (EDnsExtendedDnsErrorOptionData dnsError in ex2.Response.DnsClientExtendedErrors)
    2979. 

  2979.                             options.Add(new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, dnsError));
    2980. 

  2980.                     }
    2981. 

  2981.                     else
    2982. 

  2982.                     {
    2983. 

  2983.                         options = null;
    2984. 

  2984.                     }
    2985. 

  2985. 

  2986.                     DnsDatagram failureResponse = new DnsDatagram(0, true, DnsOpcode.StandardQuery, false, false, true, true, false, dnssecValidation, DnsResponseCode.ServerFailure, new DnsQuestionRecord[] { question }, null, null, null, _udpPayloadSize, EDnsHeaderFlags.DNSSEC_OK, options);
    2987. 

  2987. 

  2988.                     if ((ex2.Response.Question.Count > 0) && ex2.Response.Question[0].Equals(question))
    2989. 

  2989.                         taskCompletionSource.SetResult(new RecursiveResolveResponse(failureResponse, ex2.Response));
    2990. 

  2990.                     else
    2991. 

  2991.                         taskCompletionSource.SetResult(new RecursiveResolveResponse(failureResponse, failureResponse));
    2992. 

  2992.                 }
    2993. 

  2993.                 else if (ex is DnsClientNoResponseException ex3)
    2994. 

  2994.                 {
    2995. 

  2995.                     IReadOnlyList<EDnsOption> options;
    2996. 

  2996. 

  2997.                     if (ex.InnerException is SocketException ex3a)
    2998. 

  2998.                     {
    2999. 

  2999.                         if (ex3a.SocketErrorCode == SocketError.TimedOut)
    3000. 

  3000.                             options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NoReachableAuthority, "Request timed out")) };
    3001. 

  3001.                         else
    3002. 

  3002.                             options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NetworkError, "Socket error: " + ex3a.SocketErrorCode.ToString())) };
    3003. 

  3003.                     }
    3004. 

  3004.                     else
    3005. 

  3005.                     {
    3006. 

  3006.                         options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NoReachableAuthority, "No response from name servers for " + question.ToString())) };
    3007. 

  3007.                     }
    3008. 

  3008. 

  3009.                     DnsDatagram failureResponse = new DnsDatagram(0, true, DnsOpcode.StandardQuery, false, false, true, true, false, dnssecValidation, DnsResponseCode.ServerFailure, new DnsQuestionRecord[] { question }, null, null, null, _udpPayloadSize, dnssecValidation ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options);
    3010. 

  3010. 

  3011.                     taskCompletionSource.SetResult(new RecursiveResolveResponse(failureResponse, failureResponse));
    3012. 

  3012.                 }
    3013. 

  3013.                 else if (ex is SocketException ex4)
    3014. 

  3014.                 {
    3015. 

  3015.                     IReadOnlyList<EDnsOption> options;
    3016. 

  3016. 

  3017.                     if (ex4.SocketErrorCode == SocketError.TimedOut)
    3018. 

  3018.                         options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NoReachableAuthority, "Request timed out")) };
    3019. 

  3019.                     else
    3020. 

  3020.                         options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NetworkError, "Socket error: " + ex4.SocketErrorCode.ToString())) };
    3021. 

  3021. 

  3022.                     DnsDatagram failureResponse = new DnsDatagram(0, true, DnsOpcode.StandardQuery, false, false, true, true, false, dnssecValidation, DnsResponseCode.ServerFailure, new DnsQuestionRecord[] { question }, null, null, null, _udpPayloadSize, dnssecValidation ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options);
    3023. 

  3023. 

  3024.                     taskCompletionSource.SetResult(new RecursiveResolveResponse(failureResponse, failureResponse));
    3025. 

  3025.                 }
    3026. 

  3026.                 else if (ex is IOException ex5)
    3027. 

  3027.                 {
    3028. 

  3028.                     IReadOnlyList<EDnsOption> options;
    3029. 

  3029. 

  3030.                     if (ex5.InnerException is SocketException ex5a)
    3031. 

  3031.                     {
    3032. 

  3032.                         if (ex5a.SocketErrorCode == SocketError.TimedOut)
    3033. 

  3033.                             options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NoReachableAuthority, "Request timed out")) };
    3034. 

  3034.                         else
    3035. 

  3035.                             options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NetworkError, "Socket error: " + ex5a.SocketErrorCode.ToString())) };
    3036. 

  3036.                     }
    3037. 

  3037.                     else
    3038. 

  3038.                     {
    3039. 

  3039.                         options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.NetworkError, "IO error: " + ex5.Message)) };
    3040. 

  3040.                     }
    3041. 

  3041. 

  3042.                     DnsDatagram failureResponse = new DnsDatagram(0, true, DnsOpcode.StandardQuery, false, false, true, true, false, dnssecValidation, DnsResponseCode.ServerFailure, new DnsQuestionRecord[] { question }, null, null, null, _udpPayloadSize, dnssecValidation ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options);
    3043. 

  3043. 

  3044.                     taskCompletionSource.SetResult(new RecursiveResolveResponse(failureResponse, failureResponse));
    3045. 

  3045.                 }
    3046. 

  3046.                 else
    3047. 

  3047.                 {
    3048. 

  3048.                     IReadOnlyList<EDnsOption> options = new EDnsOption[] { new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, new EDnsExtendedDnsErrorOptionData(EDnsExtendedDnsErrorCode.Other, "Server exception")) };
    3049. 

  3049.                     DnsDatagram failureResponse = new DnsDatagram(0, true, DnsOpcode.StandardQuery, false, false, true, true, false, dnssecValidation, DnsResponseCode.ServerFailure, new DnsQuestionRecord[] { question }, null, null, null, _udpPayloadSize, dnssecValidation ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options);
    3050. 

  3050. 

  3051.                     taskCompletionSource.SetResult(new RecursiveResolveResponse(failureResponse, failureResponse));
    3052. 

  3052.                 }
    3053. 

  3053.             }
    3054. 

  3054.             finally
    3055. 

  3055.             {
    3056. 

  3056.                 _resolverTasks.TryRemove(GetResolverQueryKey(question, eDnsClientSubnet), out _);
    3057. 

  3057.             }
    3058. 

  3058.         }
    3059. 

  3059. 

  3060.         private Task<DnsDatagram> ConditionalForwarderResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, IDnsCache dnsCache, DnsForwarderRecordData forwarder, string conditionalForwardingZoneCut, CancellationToken cancellationToken = default)
    3061. 

  3061.         {
    3062. 

  3062.             NetProxy proxy = forwarder.Proxy;
    3063. 

  3063.             if (proxy is null)
    3064. 

  3064.                 proxy = _proxy;
    3065. 

  3065. 

  3066.             DnsClient dnsClient = new DnsClient(forwarder.NameServer);
    3067. 

  3067. 

  3068.             dnsClient.Cache = dnsCache;
    3069. 

  3069.             dnsClient.Proxy = proxy;
    3070. 

  3070.             dnsClient.PreferIPv6 = _preferIPv6;
    3071. 

  3071.             dnsClient.RandomizeName = _randomizeName;
    3072. 

  3072.             dnsClient.Retries = _forwarderRetries;
    3073. 

  3073.             dnsClient.Timeout = _forwarderTimeout;
    3074. 

  3074.             dnsClient.Concurrency = _forwarderConcurrency;
    3075. 

  3075.             dnsClient.UdpPayloadSize = _udpPayloadSize;
    3076. 

  3076.             dnsClient.DnssecValidation = forwarder.DnssecValidation;
    3077. 

  3077.             dnsClient.EDnsClientSubnet = eDnsClientSubnet;
    3078. 

  3078.             dnsClient.ConditionalForwardingZoneCut = conditionalForwardingZoneCut;
    3079. 

  3079. 

  3080.             return dnsClient.ResolveAsync(question, cancellationToken);
    3081. 

  3081.         }
    3082. 

  3082. 

  3083.         private DnsDatagram PrepareRecursiveResolveResponse(DnsDatagram request, RecursiveResolveResponse resolveResponse)
    3084. 

  3084.         {
    3085. 

  3085.             //get a tailored response for the request
    3086. 

  3086.             bool dnssecOk = request.DnssecOk;
    3087. 

  3087. 

  3088.             if (dnssecOk && request.CheckingDisabled)
    3089. 

  3089.                 return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, true, true, resolveResponse.CheckingDisabledResponse.AuthenticData, resolveResponse.CheckingDisabledResponse.CheckingDisabled, resolveResponse.CheckingDisabledResponse.RCODE, request.Question, resolveResponse.CheckingDisabledResponse.Answer, resolveResponse.CheckingDisabledResponse.Authority, RemoveOPTFromAdditional(resolveResponse.CheckingDisabledResponse.Additional, true), _udpPayloadSize, EDnsHeaderFlags.DNSSEC_OK, resolveResponse.CheckingDisabledResponse.EDNS?.Options);
    3090. 

  3090. 

  3091.             DnsDatagram response = resolveResponse.Response;
    3092. 

  3092.             IReadOnlyList<DnsResourceRecord> answer = response.Answer;
    3093. 

  3093.             IReadOnlyList<DnsResourceRecord> authority = response.Authority;
    3094. 

  3094.             IReadOnlyList<DnsResourceRecord> additional = response.Additional;
    3095. 

  3095. 

  3096.             //answer section checks
    3097. 

  3097.             if (!dnssecOk && (answer.Count > 0) && (response.Question[0].Type != DnsResourceRecordType.ANY))
    3098. 

  3098.             {
    3099. 

  3099.                 //remove RRSIGs from answer
    3100. 

  3100.                 bool foundRRSIG = false;
    3101. 

  3101. 

  3102.                 foreach (DnsResourceRecord record in answer)
    3103. 

  3103.                 {
    3104. 

  3104.                     if (record.Type == DnsResourceRecordType.RRSIG)
    3105. 

  3105.                     {
    3106. 

  3106.                         foundRRSIG = true;
    3107. 

  3107.                         break;
    3108. 

  3108.                     }
    3109. 

  3109.                 }
    3110. 

  3110. 

  3111.                 if (foundRRSIG)
    3112. 

  3112.                 {
    3113. 

  3113.                     List<DnsResourceRecord> newAnswer = new List<DnsResourceRecord>(answer.Count);
    3114. 

  3114. 

  3115.                     foreach (DnsResourceRecord record in answer)
    3116. 

  3116.                     {
    3117. 

  3117.                         if (record.Type == DnsResourceRecordType.RRSIG)
    3118. 

  3118.                             continue;
    3119. 

  3119. 

  3120.                         newAnswer.Add(record);
    3121. 

  3121.                     }
    3122. 

  3122. 

  3123.                     answer = newAnswer;
    3124. 

  3124.                 }
    3125. 

  3125.             }
    3126. 

  3126. 

  3127.             //authority section checks
    3128. 

  3128.             if (!dnssecOk && (authority.Count > 0))
    3129. 

  3129.             {
    3130. 

  3130.                 //remove DNSSEC records
    3131. 

  3131.                 bool foundDnssecRecords = false;
    3132. 

  3132.                 bool foundOther = false;
    3133. 

  3133. 

  3134.                 foreach (DnsResourceRecord record in authority)
    3135. 

  3135.                 {
    3136. 

  3136.                     switch (record.Type)
    3137. 

  3137.                     {
    3138. 

  3138.                         case DnsResourceRecordType.DS:
    3139. 

  3139.                         case DnsResourceRecordType.DNSKEY:
    3140. 

  3140.                         case DnsResourceRecordType.RRSIG:
    3141. 

  3141.                         case DnsResourceRecordType.NSEC:
    3142. 

  3142.                         case DnsResourceRecordType.NSEC3:
    3143. 

  3143.                             foundDnssecRecords = true;
    3144. 

  3144.                             break;
    3145. 

  3145. 

  3146.                         default:
    3147. 

  3147.                             foundOther = true;
    3148. 

  3148.                             break;
    3149. 

  3149.                     }
    3150. 

  3150.                 }
    3151. 

  3151. 

  3152.                 if (foundDnssecRecords)
    3153. 

  3153.                 {
    3154. 

  3154.                     if (foundOther)
    3155. 

  3155.                     {
    3156. 

  3156.                         List<DnsResourceRecord> newAuthority = new List<DnsResourceRecord>(2);
    3157. 

  3157. 

  3158.                         foreach (DnsResourceRecord record in authority)
    3159. 

  3159.                         {
    3160. 

  3160.                             switch (record.Type)
    3161. 

  3161.                             {
    3162. 

  3162.                                 case DnsResourceRecordType.DS:
    3163. 

  3163.                                 case DnsResourceRecordType.DNSKEY:
    3164. 

  3164.                                 case DnsResourceRecordType.RRSIG:
    3165. 

  3165.                                 case DnsResourceRecordType.NSEC:
    3166. 

  3166.                                 case DnsResourceRecordType.NSEC3:
    3167. 

  3167.                                     break;
    3168. 

  3168. 

  3169.                                 default:
    3170. 

  3170.                                     newAuthority.Add(record);
    3171. 

  3171.                                     break;
    3172. 

  3172.                             }
    3173. 

  3173.                         }
    3174. 

  3174. 

  3175.                         authority = newAuthority;
    3176. 

  3176.                     }
    3177. 

  3177.                     else
    3178. 

  3178.                     {
    3179. 

  3179.                         authority = Array.Empty<DnsResourceRecord>();
    3180. 

  3180.                     }
    3181. 

  3181.                 }
    3182. 

  3182.             }
    3183. 

  3183. 

  3184.             //additional section checks
    3185. 

  3185.             if (additional.Count > 0)
    3186. 

  3186.             {
    3187. 

  3187.                 if ((request.EDNS is not null) && (response.EDNS is not null) && ((response.EDNS.Options.Count > 0) || (response.DnsClientExtendedErrors.Count > 0)))
    3188. 

  3188.                 {
    3189. 

  3189.                     //copy options as new OPT and keep other records
    3190. 

  3190.                     List<DnsResourceRecord> newAdditional = new List<DnsResourceRecord>(additional.Count);
    3191. 

  3191. 

  3192.                     foreach (DnsResourceRecord record in additional)
    3193. 

  3193.                     {
    3194. 

  3194.                         switch (record.Type)
    3195. 

  3195.                         {
    3196. 

  3196.                             case DnsResourceRecordType.OPT:
    3197. 

  3197.                                 continue;
    3198. 

  3198. 

  3199.                             case DnsResourceRecordType.RRSIG:
    3200. 

  3200.                             case DnsResourceRecordType.DNSKEY:
    3201. 

  3201.                                 if (dnssecOk)
    3202. 

  3202.                                     break;
    3203. 

  3203. 

  3204.                                 continue;
    3205. 

  3205.                         }
    3206. 

  3206. 

  3207.                         newAdditional.Add(record);
    3208. 

  3208.                     }
    3209. 

  3209. 

  3210.                     IReadOnlyList<EDnsOption> options;
    3211. 

  3211. 

  3212.                     if (response.GetEDnsClientSubnetOption(true) is not null)
    3213. 

  3213.                     {
    3214. 

  3214.                         //response contains ECS
    3215. 

  3215.                         if ((request.GetEDnsClientSubnetOption(true) is not null) && CacheZone.IsTypeSupportedForEDnsClientSubnet(request.Question[0].Type))
    3216. 

  3216.                         {
    3217. 

  3217.                             //request has ECS and type is supported; keep ECS in response
    3218. 

  3218.                             options = response.EDNS.Options;
    3219. 

  3219.                         }
    3220. 

  3220.                         else
    3221. 

  3221.                         {
    3222. 

  3222.                             //cache does not support the qtype so remove ECS from response
    3223. 

  3223.                             if (response.EDNS.Options.Count == 1)
    3224. 

  3224.                             {
    3225. 

  3225.                                 options = Array.Empty<EDnsOption>();
    3226. 

  3226.                             }
    3227. 

  3227.                             else
    3228. 

  3228.                             {
    3229. 

  3229.                                 List<EDnsOption> newOptions = new List<EDnsOption>(response.EDNS.Options.Count);
    3230. 

  3230. 

  3231.                                 foreach (EDnsOption option in response.EDNS.Options)
    3232. 

  3232.                                 {
    3233. 

  3233.                                     if (option.Code != EDnsOptionCode.EDNS_CLIENT_SUBNET)
    3234. 

  3234.                                         newOptions.Add(option);
    3235. 

  3235.                                 }
    3236. 

  3236. 

  3237.                                 options = newOptions;
    3238. 

  3238.                             }
    3239. 

  3239.                         }
    3240. 

  3240.                     }
    3241. 

  3241.                     else
    3242. 

  3242.                     {
    3243. 

  3243.                         options = response.EDNS.Options;
    3244. 

  3244.                     }
    3245. 

  3245. 

  3246.                     if (response.DnsClientExtendedErrors.Count > 0)
    3247. 

  3247.                     {
    3248. 

  3248.                         //add dns client extended errors
    3249. 

  3249.                         List<EDnsOption> newOptions = new List<EDnsOption>(options.Count + response.DnsClientExtendedErrors.Count);
    3250. 

  3250. 

  3251.                         newOptions.AddRange(options);
    3252. 

  3252. 

  3253.                         foreach (EDnsExtendedDnsErrorOptionData ee in response.DnsClientExtendedErrors)
    3254. 

  3254.                             newOptions.Add(new EDnsOption(EDnsOptionCode.EXTENDED_DNS_ERROR, ee));
    3255. 

  3255. 

  3256.                         options = newOptions;
    3257. 

  3257.                     }
    3258. 

  3258. 

  3259.                     newAdditional.Add(DnsDatagramEdns.GetOPTFor(_udpPayloadSize, response.RCODE, 0, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, options));
    3260. 

  3260. 

  3261.                     additional = newAdditional;
    3262. 

  3262.                 }
    3263. 

  3263.                 else if (response.EDNS is not null)
    3264. 

  3264.                 {
    3265. 

  3265.                     //remove OPT from additional
    3266. 

  3266.                     additional = RemoveOPTFromAdditional(additional, dnssecOk);
    3267. 

  3267.                 }
    3268. 

  3268.             }
    3269. 

  3269. 

  3270.             return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, false, false, true, true, response.AuthenticData, response.CheckingDisabled, response.RCODE, request.Question, answer, authority, additional);
    3271. 

  3271.         }
    3272. 

  3272. 

  3273.         private static IReadOnlyList<DnsResourceRecord> RemoveOPTFromAdditional(IReadOnlyList<DnsResourceRecord> additional, bool dnssecOk)
    3274. 

  3274.         {
    3275. 

  3275.             if (additional.Count == 0)
    3276. 

  3276.                 return additional;
    3277. 

  3277. 

  3278.             if ((additional.Count == 1) && (additional[0].Type == DnsResourceRecordType.OPT))
    3279. 

  3279.                 return Array.Empty<DnsResourceRecord>();
    3280. 

  3280. 

  3281.             List<DnsResourceRecord> newAdditional = new List<DnsResourceRecord>(additional.Count - 1);
    3282. 

  3282. 

  3283.             foreach (DnsResourceRecord record in additional)
    3284. 

  3284.             {
    3285. 

  3285.                 switch (record.Type)
    3286. 

  3286.                 {
    3287. 

  3287.                     case DnsResourceRecordType.OPT:
    3288. 

  3288.                         continue;
    3289. 

  3289. 

  3290.                     case DnsResourceRecordType.RRSIG:
    3291. 

  3291.                     case DnsResourceRecordType.DNSKEY:
    3292. 

  3292.                         if (dnssecOk)
    3293. 

  3293.                             break;
    3294. 

  3294. 

  3295.                         continue;
    3296. 

  3296.                 }
    3297. 

  3297. 

  3298.                 newAdditional.Add(record);
    3299. 

  3299.             }
    3300. 

  3300. 

  3301.             return newAdditional;
    3302. 

  3302.         }
    3303. 

  3303. 

  3304.         private static string GetResolverQueryKey(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet)
    3305. 

  3305.         {
    3306. 

  3306.             if (eDnsClientSubnet is null)
    3307. 

  3307.                 return question.ToString();
    3308. 

  3308. 

  3309.             return question.ToString() + " " + eDnsClientSubnet.ToString();
    3310. 

  3310.         }
    3311. 

  3311. 

  3312.         private DnsDatagram QueryCache(DnsDatagram request, bool serveStaleAndResetExpiry)
    3313. 

  3313.         {
    3314. 

  3314.             DnsDatagram cacheResponse = _cacheZoneManager.Query(request, serveStaleAndResetExpiry);
    3315. 

  3315.             if (cacheResponse is not null)
    3316. 

  3316.             {
    3317. 

  3317.                 if ((cacheResponse.RCODE != DnsResponseCode.NoError) || (cacheResponse.Answer.Count > 0) || (cacheResponse.Authority.Count == 0) || cacheResponse.IsFirstAuthoritySOA())
    3318. 

  3318.                 {
    3319. 

  3319.                     cacheResponse.Tag = DnsServerResponseType.Cached;
    3320. 

  3320. 

  3321.                     return cacheResponse;
    3322. 

  3322.                 }
    3323. 

  3323.             }
    3324. 

  3324. 

  3325.             return null;
    3326. 

  3326.         }
    3327. 

  3327. 

  3328.         private async Task PrefetchCacheAsync(DnsDatagram request, IPEndPoint remoteEP, IReadOnlyList<DnsResourceRecord> conditionalForwarders)
    3329. 

  3329.         {
    3330. 

  3330.             try
    3331. 

  3331.             {
    3332. 

  3332.                 await RecursiveResolveAsync(request, remoteEP, conditionalForwarders, _dnssecValidation, true, false, false);
    3333. 

  3333.             }
    3334. 

  3334.             catch (Exception ex)
    3335. 

  3335.             {
    3336. 

  3336.                 _log?.Write(ex);
    3337. 

  3337.             }
    3338. 

  3338.         }
    3339. 

  3339. 

  3340.         private async Task RefreshCacheAsync(IList<CacheRefreshSample> cacheRefreshSampleList, CacheRefreshSample sample, int sampleQuestionIndex)
    3341. 

  3341.         {
    3342. 

  3342.             try
    3343. 

  3343.             {
    3344. 

  3344.                 //refresh cache
    3345. 

  3345.                 DnsDatagram request = new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, true, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { sample.SampleQuestion });
    3346. 

  3346.                 DnsDatagram response = await ProcessRecursiveQueryAsync(request, IPENDPOINT_ANY_0, DnsTransportProtocol.Udp, sample.ConditionalForwarders, _dnssecValidation, true, false);
    3347. 

  3347. 

  3348.                 bool addBackToSampleList = false;
    3349. 

  3349.                 DateTime utcNow = DateTime.UtcNow;
    3350. 

  3350. 

  3351.                 foreach (DnsResourceRecord answer in response.Answer)
    3352. 

  3352.                 {
    3353. 

  3353.                     if ((answer.OriginalTtlValue >= _cachePrefetchEligibility) && (utcNow.AddSeconds(answer.TTL) < _cachePrefetchSamplingTimerTriggersOn))
    3354. 

  3354.                     {
    3355. 

  3355.                         //answer expires before next sampling so add back to the list to allow refreshing it
    3356. 

  3356.                         addBackToSampleList = true;
    3357. 

  3357.                         break;
    3358. 

  3358.                     }
    3359. 

  3359.                 }
    3360. 

  3360. 

  3361.                 if (addBackToSampleList)
    3362. 

  3362.                     cacheRefreshSampleList[sampleQuestionIndex] = sample; //put back into sample list to allow refreshing it again
    3363. 

  3363.             }
    3364. 

  3364.             catch (Exception ex)
    3365. 

  3365.             {
    3366. 

  3366.                 _log?.Write(ex);
    3367. 

  3367. 

  3368.                 cacheRefreshSampleList[sampleQuestionIndex] = sample; //put back into sample list to allow refreshing it again
    3369. 

  3369.             }
    3370. 

  3370.         }
    3371. 

  3371. 

  3372.         private DnsQuestionRecord GetCacheRefreshNeededQuery(DnsQuestionRecord question, int trigger)
    3373. 

  3373.         {
    3374. 

  3374.             int queryCount = 0;
    3375. 

  3375. 

  3376.             while (true)
    3377. 

  3377.             {
    3378. 

  3378.                 DnsDatagram cacheResponse = QueryCache(new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, true, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { question }), false);
    3379. 

  3379.                 if (cacheResponse is null)
    3380. 

  3380.                     return question; //cache expired so refresh question
    3381. 

  3381. 

  3382.                 if (cacheResponse.Answer.Count == 0)
    3383. 

  3383.                     return null; //dont refresh empty responses
    3384. 

  3384. 

  3385.                 //inspect response TTL values to decide if refresh is needed
    3386. 

  3386.                 foreach (DnsResourceRecord answer in cacheResponse.Answer)
    3387. 

  3387.                 {
    3388. 

  3388.                     if ((answer.OriginalTtlValue >= _cachePrefetchEligibility) && (answer.TTL <= trigger))
    3389. 

  3389.                         return question; //TTL eligible and less than trigger so refresh question
    3390. 

  3390.                 }
    3391. 

  3391. 

  3392.                 DnsResourceRecord lastRR = cacheResponse.GetLastAnswerRecord();
    3393. 

  3393. 

  3394.                 if (lastRR.Type == question.Type)
    3395. 

  3395.                     return null; //answer was resolved
    3396. 

  3396. 

  3397.                 if (lastRR.Type != DnsResourceRecordType.CNAME)
    3398. 

  3398.                     return null; //invalid response so ignore question
    3399. 

  3399. 

  3400.                 queryCount++;
    3401. 

  3401.                 if (queryCount >= MAX_CNAME_HOPS)
    3402. 

  3402.                     return null; //too many hops so ignore question
    3403. 

  3403. 

  3404.                 //follow CNAME chain to inspect TTL further
    3405. 

  3405.                 question = new DnsQuestionRecord((lastRR.RDATA as DnsCNAMERecordData).Domain, question.Type, question.Class);
    3406. 

  3406.             }
    3407. 

  3407.         }
    3408. 

  3408. 

  3409.         private bool IsCacheRefreshNeeded(DnsQuestionRecord question, int trigger)
    3410. 

  3410.         {
    3411. 

  3411.             DnsDatagram cacheResponse = QueryCache(new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, true, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { question }), false);
    3412. 

  3412.             if (cacheResponse is null)
    3413. 

  3413.                 return true; //cache expired so refresh needed
    3414. 

  3414. 

  3415.             if (cacheResponse.Answer.Count == 0)
    3416. 

  3416.                 return false; //dont refresh empty responses
    3417. 

  3417. 

  3418.             //inspect response TTL values to decide if refresh is needed
    3419. 

  3419.             foreach (DnsResourceRecord answer in cacheResponse.Answer)
    3420. 

  3420.             {
    3421. 

  3421.                 if ((answer.OriginalTtlValue >= _cachePrefetchEligibility) && (answer.TTL <= trigger))
    3422. 

  3422.                     return true; //TTL eligible less than trigger so refresh
    3423. 

  3423.             }
    3424. 

  3424. 

  3425.             return false; //no need to refresh for this query
    3426. 

  3426.         }
    3427. 

  3427. 

  3428.         private async void CachePrefetchSamplingTimerCallback(object state)
    3429. 

  3429.         {
    3430. 

  3430.             try
    3431. 

  3431.             {
    3432. 

  3432.                 List<KeyValuePair<DnsQuestionRecord, long>> eligibleQueries = _stats.GetLastHourEligibleQueries(_cachePrefetchSampleEligibilityHitsPerHour);
    3433. 

  3433.                 List<CacheRefreshSample> cacheRefreshSampleList = new List<CacheRefreshSample>(eligibleQueries.Count);
    3434. 

  3434.                 int cacheRefreshTrigger = (_cachePrefetchSampleIntervalInMinutes + 1) * 60;
    3435. 

  3435. 

  3436.                 foreach (KeyValuePair<DnsQuestionRecord, long> eligibleQuery in eligibleQueries)
    3437. 

  3437.                 {
    3438. 

  3438.                     DnsQuestionRecord eligibleQuerySample = eligibleQuery.Key;
    3439. 

  3439. 

  3440.                     if (eligibleQuerySample.Type == DnsResourceRecordType.ANY)
    3441. 

  3441.                         continue; //dont refresh type ANY queries
    3442. 

  3442. 

  3443.                     DnsQuestionRecord refreshQuery = null;
    3444. 

  3444.                     IReadOnlyList<DnsResourceRecord> conditionalForwarders = null;
    3445. 

  3445. 

  3446.                     //query auth zone for refresh query
    3447. 

  3447.                     int queryCount = 0;
    3448. 

  3448.                     bool reQueryAuthZone;
    3449. 

  3449.                     do
    3450. 

  3450.                     {
    3451. 

  3451.                         reQueryAuthZone = false;
    3452. 

  3452. 

  3453.                         DnsDatagram request = new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, false, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { eligibleQuerySample });
    3454. 

  3454.                         DnsDatagram response = await AuthoritativeQueryAsync(request, IPENDPOINT_ANY_0, DnsTransportProtocol.Tcp, true, false);
    3455. 

  3455.                         if (response is null)
    3456. 

  3456.                         {
    3457. 

  3457.                             //zone not hosted; do refresh
    3458. 

  3458.                             refreshQuery = GetCacheRefreshNeededQuery(eligibleQuerySample, cacheRefreshTrigger);
    3459. 

  3459.                         }
    3460. 

  3460.                         else
    3461. 

  3461.                         {
    3462. 

  3462.                             //zone is hosted; check further
    3463. 

  3463.                             if (response.Answer.Count > 0)
    3464. 

  3464.                             {
    3465. 

  3465.                                 DnsResourceRecord lastRR = response.GetLastAnswerRecord();
    3466. 

  3466.                                 if ((lastRR.Type == DnsResourceRecordType.CNAME) && (eligibleQuerySample.Type != DnsResourceRecordType.CNAME))
    3467. 

  3467.                                 {
    3468. 

  3468.                                     eligibleQuerySample = new DnsQuestionRecord((lastRR.RDATA as DnsCNAMERecordData).Domain, eligibleQuerySample.Type, eligibleQuerySample.Class);
    3469. 

  3469.                                     reQueryAuthZone = true;
    3470. 

  3470.                                 }
    3471. 

  3471.                             }
    3472. 

  3472.                             else if (response.Authority.Count > 0)
    3473. 

  3473.                             {
    3474. 

  3474.                                 DnsResourceRecord firstAuthority = response.FindFirstAuthorityRecord();
    3475. 

  3475.                                 switch (firstAuthority.Type)
    3476. 

  3476.                                 {
    3477. 

  3477.                                     case DnsResourceRecordType.NS: //zone is delegated
    3478. 

  3478.                                         refreshQuery = GetCacheRefreshNeededQuery(eligibleQuerySample, cacheRefreshTrigger);
    3479. 

  3479.                                         conditionalForwarders = Array.Empty<DnsResourceRecord>(); //do forced recursive resolution using empty conditional forwarders
    3480. 

  3480.                                         break;
    3481. 

  3481. 

  3482.                                     case DnsResourceRecordType.FWD: //zone is conditional forwarder
    3483. 

  3483.                                         refreshQuery = GetCacheRefreshNeededQuery(eligibleQuerySample, cacheRefreshTrigger);
    3484. 

  3484.                                         conditionalForwarders = response.Authority; //do conditional forwarding
    3485. 

  3485.                                         break;
    3486. 

  3486.                                 }
    3487. 

  3487.                             }
    3488. 

  3488.                         }
    3489. 

  3489.                     }
    3490. 

  3490.                     while (reQueryAuthZone && (++queryCount < MAX_CNAME_HOPS));
    3491. 

  3491. 

  3492.                     if (refreshQuery is not null)
    3493. 

  3493.                         cacheRefreshSampleList.Add(new CacheRefreshSample(refreshQuery, conditionalForwarders));
    3494. 

  3494.                 }
    3495. 

  3495. 

  3496.                 _cacheRefreshSampleList = cacheRefreshSampleList;
    3497. 

  3497.             }
    3498. 

  3498.             catch (Exception ex)
    3499. 

  3499.             {
    3500. 

  3500.                 _log?.Write(ex);
    3501. 

  3501.             }
    3502. 

  3502.             finally
    3503. 

  3503.             {
    3504. 

  3504.                 lock (_cachePrefetchSamplingTimerLock)
    3505. 

  3505.                 {
    3506. 

  3506.                     if (_cachePrefetchSamplingTimer is not null)
    3507. 

  3507.                     {
    3508. 

  3508.                         _cachePrefetchSamplingTimer.Change(_cachePrefetchSampleIntervalInMinutes * 60 * 1000, Timeout.Infinite);
    3509. 

  3509.                         _cachePrefetchSamplingTimerTriggersOn = DateTime.UtcNow.AddMinutes(_cachePrefetchSampleIntervalInMinutes);
    3510. 

  3510.                     }
    3511. 

  3511.                 }
    3512. 

  3512.             }
    3513. 

  3513.         }
    3514. 

  3514. 

  3515.         private void CachePrefetchRefreshTimerCallback(object state)
    3516. 

  3516.         {
    3517. 

  3517.             try
    3518. 

  3518.             {
    3519. 

  3519.                 IList<CacheRefreshSample> cacheRefreshSampleList = _cacheRefreshSampleList;
    3520. 

  3520.                 if (cacheRefreshSampleList is not null)
    3521. 

  3521.                 {
    3522. 

  3522.                     for (int i = 0; i < cacheRefreshSampleList.Count; i++)
    3523. 

  3523.                     {
    3524. 

  3524.                         CacheRefreshSample sample = cacheRefreshSampleList[i];
    3525. 

  3525.                         if (sample is null)
    3526. 

  3526.                             continue;
    3527. 

  3527. 

  3528.                         if (!IsCacheRefreshNeeded(sample.SampleQuestion, _cachePrefetchTrigger + 1))
    3529. 

  3529.                             continue;
    3530. 

  3530. 

  3531.                         cacheRefreshSampleList[i] = null; //remove from sample list to avoid concurrent refresh attempt
    3532. 

  3532. 

  3533.                         int sampleQuestionIndex = i;
    3534. 

  3534.                         _ = Task.Run(delegate () { return RefreshCacheAsync(cacheRefreshSampleList, sample, sampleQuestionIndex); }); //run task in threadpool since its long running
    3535. 

  3535.                     }
    3536. 

  3536.                 }
    3537. 

  3537.             }
    3538. 

  3538.             catch (Exception ex)
    3539. 

  3539.             {
    3540. 

  3540.                 _log?.Write(ex);
    3541. 

  3541.             }
    3542. 

  3542.             finally
    3543. 

  3543.             {
    3544. 

  3544.                 lock (_cachePrefetchRefreshTimerLock)
    3545. 

  3545.                 {
    3546. 

  3546.                     _cachePrefetchRefreshTimer?.Change((_cachePrefetchTrigger + 1) * 1000, Timeout.Infinite);
    3547. 

  3547.                 }
    3548. 

  3548.             }
    3549. 

  3549.         }
    3550. 

  3550. 

  3551.         private void CacheMaintenanceTimerCallback(object state)
    3552. 

  3552.         {
    3553. 

  3553.             try
    3554. 

  3554.             {
    3555. 

  3555.                 _cacheZoneManager.RemoveExpiredRecords();
    3556. 

  3556. 

  3557.                 //force GC collection to remove old cache data from memory quickly
    3558. 

  3558.                 GC.Collect();
    3559. 

  3559.             }
    3560. 

  3560.             catch (Exception ex)
    3561. 

  3561.             {
    3562. 

  3562.                 _log?.Write(ex);
    3563. 

  3563.             }
    3564. 

  3564.             finally
    3565. 

  3565.             {
    3566. 

  3566.                 lock (_cacheMaintenanceTimerLock)
    3567. 

  3567.                 {
    3568. 

  3568.                     _cacheMaintenanceTimer?.Change(CACHE_MAINTENANCE_TIMER_PERIODIC_INTERVAL, Timeout.Infinite);
    3569. 

  3569.                 }
    3570. 

  3570.             }
    3571. 

  3571.         }
    3572. 

  3572. 

  3573.         private void ResetPrefetchTimers()
    3574. 

  3574.         {
    3575. 

  3575.             if ((_cachePrefetchTrigger == 0) || (_recursion == DnsServerRecursion.Deny))
    3576. 

  3576.             {
    3577. 

  3577.                 lock (_cachePrefetchSamplingTimerLock)
    3578. 

  3578.                 {
    3579. 

  3579.                     _cachePrefetchSamplingTimer?.Change(Timeout.Infinite, Timeout.Infinite);
    3580. 

  3580.                 }
    3581. 

  3581. 

  3582.                 lock (_cachePrefetchRefreshTimerLock)
    3583. 

  3583.                 {
    3584. 

  3584.                     _cachePrefetchRefreshTimer?.Change(Timeout.Infinite, Timeout.Infinite);
    3585. 

  3585.                 }
    3586. 

  3586.             }
    3587. 

  3587.             else if (_state == ServiceState.Running)
    3588. 

  3588.             {
    3589. 

  3589.                 lock (_cachePrefetchSamplingTimerLock)
    3590. 

  3590.                 {
    3591. 

  3591.                     if (_cachePrefetchSamplingTimer is not null)
    3592. 

  3592.                     {
    3593. 

  3593.                         _cachePrefetchSamplingTimer.Change(CACHE_PREFETCH_SAMPLING_TIMER_INITIAL_INTEVAL, Timeout.Infinite);
    3594. 

  3594.                         _cachePrefetchSamplingTimerTriggersOn = DateTime.UtcNow.AddMilliseconds(CACHE_PREFETCH_SAMPLING_TIMER_INITIAL_INTEVAL);
    3595. 

  3595.                     }
    3596. 

  3596.                 }
    3597. 

  3597. 

  3598.                 lock (_cachePrefetchRefreshTimerLock)
    3599. 

  3599.                 {
    3600. 

  3600.                     _cachePrefetchRefreshTimer?.Change(CACHE_PREFETCH_REFRESH_TIMER_INITIAL_INTEVAL, Timeout.Infinite);
    3601. 

  3601.                 }
    3602. 

  3602.             }
    3603. 

  3603.         }
    3604. 

  3604. 

  3605.         private bool IsQpmLimitCrossed(IPAddress remoteIP)
    3606. 

  3606.         {
    3607. 

  3607.             if ((_qpmLimitRequests < 1) && (_qpmLimitErrors < 1))
    3608. 

  3608.                 return false;
    3609. 

  3609. 

  3610.             if (IPAddress.IsLoopback(remoteIP))
    3611. 

  3611.                 return false;
    3612. 

  3612. 

  3613.             IPAddress remoteSubnet;
    3614. 

  3614. 

  3615.             switch (remoteIP.AddressFamily)
    3616. 

  3616.             {
    3617. 

  3617.                 case AddressFamily.InterNetwork:
    3618. 

  3618.                     remoteSubnet = remoteIP.GetNetworkAddress(_qpmLimitIPv4PrefixLength);
    3619. 

  3619.                     break;
    3620. 

  3620. 

  3621.                 case AddressFamily.InterNetworkV6:
    3622. 

  3622.                     remoteSubnet = remoteIP.GetNetworkAddress(_qpmLimitIPv6PrefixLength);
    3623. 

  3623.                     break;
    3624. 

  3624. 

  3625.                 default:
    3626. 

  3626.                     throw new NotSupportedException("AddressFamily not supported.");
    3627. 

  3627.             }
    3628. 

  3628. 

  3629.             if ((_qpmLimitErrors > 0) && (_qpmLimitErrorClientSubnetStats is not null) && _qpmLimitErrorClientSubnetStats.TryGetValue(remoteSubnet, out long errorCountPerSample))
    3630. 

  3630.             {
    3631. 

  3631.                 long averageErrorCountPerMinute = errorCountPerSample / _qpmLimitSampleMinutes;
    3632. 

  3632.                 if (averageErrorCountPerMinute >= _qpmLimitErrors)
    3633. 

  3633.                     return true;
    3634. 

  3634.             }
    3635. 

  3635. 

  3636.             if ((_qpmLimitRequests > 0) && (_qpmLimitClientSubnetStats is not null) && _qpmLimitClientSubnetStats.TryGetValue(remoteSubnet, out long countPerSample))
    3637. 

  3637.             {
    3638. 

  3638.                 long averageCountPerMinute = countPerSample / _qpmLimitSampleMinutes;
    3639. 

  3639.                 if (averageCountPerMinute >= _qpmLimitRequests)
    3640. 

  3640.                     return true;
    3641. 

  3641.             }
    3642. 

  3642. 

  3643.             return false;
    3644. 

  3644.         }
    3645. 

  3645. 

  3646.         private void QpmLimitSamplingTimerCallback(object state)
    3647. 

  3647.         {
    3648. 

  3648.             try
    3649. 

  3649.             {
    3650. 

  3650.                 _stats.GetLatestClientSubnetStats(_qpmLimitSampleMinutes, _qpmLimitIPv4PrefixLength, _qpmLimitIPv6PrefixLength, out _qpmLimitClientSubnetStats, out _qpmLimitErrorClientSubnetStats);
    3651. 

  3651.             }
    3652. 

  3652.             catch (Exception ex)
    3653. 

  3653.             {
    3654. 

  3654.                 _log?.Write(ex);
    3655. 

  3655.             }
    3656. 

  3656.             finally
    3657. 

  3657.             {
    3658. 

  3658.                 lock (_qpmLimitSamplingTimerLock)
    3659. 

  3659.                 {
    3660. 

  3660.                     _qpmLimitSamplingTimer?.Change(QPM_LIMIT_SAMPLING_TIMER_INTERVAL, Timeout.Infinite);
    3661. 

  3661.                 }
    3662. 

  3662.             }
    3663. 

  3663.         }
    3664. 

  3664. 

  3665.         private void ResetQpsLimitTimer()
    3666. 

  3666.         {
    3667. 

  3667.             if ((_qpmLimitRequests < 1) && (_qpmLimitErrors < 1))
    3668. 

  3668.             {
    3669. 

  3669.                 lock (_qpmLimitSamplingTimerLock)
    3670. 

  3670.                 {
    3671. 

  3671.                     _qpmLimitSamplingTimer?.Change(Timeout.Infinite, Timeout.Infinite);
    3672. 

  3672. 

  3673.                     _qpmLimitClientSubnetStats = null;
    3674. 

  3674.                     _qpmLimitErrorClientSubnetStats = null;
    3675. 

  3675.                 }
    3676. 

  3676.             }
    3677. 

  3677.             else if (_state == ServiceState.Running)
    3678. 

  3678.             {
    3679. 

  3679.                 lock (_qpmLimitSamplingTimerLock)
    3680. 

  3680.                 {
    3681. 

  3681.                     _qpmLimitSamplingTimer?.Change(0, Timeout.Infinite);
    3682. 

  3682.                 }
    3683. 

  3683.             }
    3684. 

  3684.         }
    3685. 

  3685. 

  3686.         private void UpdateThisServer()
    3687. 

  3687.         {
    3688. 

  3688.             if ((_localEndPoints is null) || (_localEndPoints.Count == 0))
    3689. 

  3689.             {
    3690. 

  3690.                 _thisServer = new NameServerAddress(_serverDomain, IPAddress.Loopback);
    3691. 

  3691.             }
    3692. 

  3692.             else
    3693. 

  3693.             {
    3694. 

  3694.                 foreach (IPEndPoint localEndPoint in _localEndPoints)
    3695. 

  3695.                 {
    3696. 

  3696.                     if (localEndPoint.Address.Equals(IPAddress.Any))
    3697. 

  3697.                     {
    3698. 

  3698.                         _thisServer = new NameServerAddress(_serverDomain, new IPEndPoint(IPAddress.Loopback, localEndPoint.Port));
    3699. 

  3699.                         return;
    3700. 

  3700.                     }
    3701. 

  3701. 

  3702.                     if (localEndPoint.Address.Equals(IPAddress.IPv6Any))
    3703. 

  3703.                     {
    3704. 

  3704.                         _thisServer = new NameServerAddress(_serverDomain, new IPEndPoint(IPAddress.IPv6Loopback, localEndPoint.Port));
    3705. 

  3705.                         return;
    3706. 

  3706.                     }
    3707. 

  3707.                 }
    3708. 

  3708. 

  3709.                 _thisServer = new NameServerAddress(_serverDomain, _localEndPoints[0]);
    3710. 

  3710.             }
    3711. 

  3711.         }
    3712. 

  3712. 

  3713.         #endregion
    3714. 

  3714. 

  3715.         #region doh web service
    3716. 

  3716. 

  3717.         private async Task StartDoHAsync()
    3718. 

  3718.         {
    3719. 

  3719.             WebApplicationBuilder builder = WebApplication.CreateBuilder();
    3720. 

  3720. 

  3721.             builder.Environment.ContentRootFileProvider = new PhysicalFileProvider(Path.GetDirectoryName(_dohwwwFolder))
    3722. 

  3722.             {
    3723. 

  3723.                 UseActivePolling = true,
    3724. 

  3724.                 UsePollingFileWatcher = true
    3725. 

  3725.             };
    3726. 

  3726. 

  3727.             builder.Environment.WebRootFileProvider = new PhysicalFileProvider(_dohwwwFolder)
    3728. 

  3728.             {
    3729. 

  3729.                 UseActivePolling = true,
    3730. 

  3730.                 UsePollingFileWatcher = true
    3731. 

  3731.             };
    3732. 

  3732. 

  3733.             IReadOnlyList<IPAddress> localAddresses = GetValidKestralLocalAddresses(_localEndPoints.Convert(delegate (IPEndPoint ep) { return ep.Address; }));
    3734. 

  3734. 

  3735.             builder.WebHost.ConfigureKestrel(delegate (WebHostBuilderContext context, KestrelServerOptions serverOptions)
    3736. 

  3736.             {
    3737. 

  3737.                 //bind to http port
    3738. 

  3738.                 if (_enableDnsOverHttp)
    3739. 

  3739.                 {
    3740. 

  3740.                     foreach (IPAddress localAddress in localAddresses)
    3741. 

  3741.                         serverOptions.Listen(localAddress, _dnsOverHttpPort);
    3742. 

  3742.                 }
    3743. 

  3743. 

  3744.                 //bind to https port
    3745. 

  3745.                 if (_enableDnsOverHttps && (_certificate is not null))
    3746. 

  3746.                 {
    3747. 

  3747.                     serverOptions.ConfigureHttpsDefaults(delegate (HttpsConnectionAdapterOptions configureOptions)
    3748. 

  3748.                     {
    3749. 

  3749.                         configureOptions.ServerCertificateSelector = delegate (ConnectionContext context, string dnsName)
    3750. 

  3750.                         {
    3751. 

  3751.                             return _certificate;
    3752. 

  3752.                         };
    3753. 

  3753.                     });
    3754. 

  3754. 

  3755.                     foreach (IPAddress localAddress in localAddresses)
    3756. 

  3756.                     {
    3757. 

  3757.                         serverOptions.Listen(localAddress, _dnsOverHttpsPort, delegate (ListenOptions listenOptions)
    3758. 

  3758.                         {
    3759. 

  3759.                             listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
    3760. 

  3760.                             listenOptions.UseHttps();
    3761. 

  3761.                         });
    3762. 

  3762.                     }
    3763. 

  3763.                 }
    3764. 

  3764. 

  3765.                 serverOptions.AddServerHeader = false;
    3766. 

  3766.                 serverOptions.Limits.RequestHeadersTimeout = TimeSpan.FromMilliseconds(_tcpReceiveTimeout);
    3767. 

  3767.                 serverOptions.Limits.KeepAliveTimeout = TimeSpan.FromMilliseconds(_tcpReceiveTimeout);
    3768. 

  3768.                 serverOptions.Limits.MaxRequestHeadersTotalSize = 4096;
    3769. 

  3769.                 serverOptions.Limits.MaxRequestLineSize = serverOptions.Limits.MaxRequestHeadersTotalSize;
    3770. 

  3770.                 serverOptions.Limits.MaxRequestBufferSize = serverOptions.Limits.MaxRequestLineSize;
    3771. 

  3771.                 serverOptions.Limits.MaxRequestBodySize = 64 * 1024;
    3772. 

  3772.                 serverOptions.Limits.MaxResponseBufferSize = 4096;
    3773. 

  3773.             });
    3774. 

  3774. 

  3775.             builder.Logging.ClearProviders();
    3776. 

  3776. 

  3777.             _dohWebService = builder.Build();
    3778. 

  3778. 

  3779.             _dohWebService.UseDefaultFiles();
    3780. 

  3780.             _dohWebService.UseStaticFiles(new StaticFileOptions()
    3781. 

  3781.             {
    3782. 

  3782.                 OnPrepareResponse = delegate (StaticFileResponseContext ctx)
    3783. 

  3783.                 {
    3784. 

  3784.                     ctx.Context.Response.Headers.Add("X-Robots-Tag", "noindex, nofollow");
    3785. 

  3785.                     ctx.Context.Response.Headers.Add("Cache-Control", "private, max-age=300");
    3786. 

  3786.                 }
    3787. 

  3787.             });
    3788. 

  3788. 

  3789.             _dohWebService.UseRouting();
    3790. 

  3790.             _dohWebService.MapGet("/dns-query", ProcessDoHRequestAsync);
    3791. 

  3791.             _dohWebService.MapPost("/dns-query", ProcessDoHRequestAsync);
    3792. 

  3792. 

  3793.             try
    3794. 

  3794.             {
    3795. 

  3795.                 await _dohWebService.StartAsync();
    3796. 

  3796. 

  3797.                 if (_log is not null)
    3798. 

  3798.                 {
    3799. 

  3799.                     foreach (IPAddress localAddress in localAddresses)
    3800. 

  3800.                     {
    3801. 

  3801.                         if (_enableDnsOverHttp)
    3802. 

  3802.                             _log?.Write(new IPEndPoint(localAddress, _dnsOverHttpPort), "Http", "DNS Server was bound successfully.");
    3803. 

  3803. 

  3804.                         if (_enableDnsOverHttps && (_certificate is not null))
    3805. 

  3805.                             _log?.Write(new IPEndPoint(localAddress, _dnsOverHttpsPort), "Https", "DNS Server was bound successfully.");
    3806. 

  3806.                     }
    3807. 

  3807.                 }
    3808. 

  3808.             }
    3809. 

  3809.             catch (Exception ex)
    3810. 

  3810.             {
    3811. 

  3811.                 await StopDoHAsync();
    3812. 

  3812. 

  3813.                 if (_log is not null)
    3814. 

  3814.                 {
    3815. 

  3815.                     foreach (IPAddress localAddress in localAddresses)
    3816. 

  3816.                     {
    3817. 

  3817.                         if (_enableDnsOverHttp)
    3818. 

  3818.                             _log?.Write(new IPEndPoint(localAddress, _dnsOverHttpPort), "Http", "DNS Server failed to bind.");
    3819. 

  3819. 

  3820.                         if (_enableDnsOverHttps && (_certificate is not null))
    3821. 

  3821.                             _log?.Write(new IPEndPoint(localAddress, _dnsOverHttpsPort), "Https", "DNS Server failed to bind.");
    3822. 

  3822.                     }
    3823. 

  3823. 

  3824.                     _log?.Write(ex);
    3825. 

  3825.                 }
    3826. 

  3826.             }
    3827. 

  3827.         }
    3828. 

  3828. 

  3829.         private async Task StopDoHAsync()
    3830. 

  3830.         {
    3831. 

  3831.             if (_dohWebService is not null)
    3832. 

  3832.             {
    3833. 

  3833.                 await _dohWebService.DisposeAsync();
    3834. 

  3834.                 _dohWebService = null;
    3835. 

  3835.             }
    3836. 

  3836.         }
    3837. 

  3837. 

  3838.         internal static IReadOnlyList<IPAddress> GetValidKestralLocalAddresses(IReadOnlyList<IPAddress> localAddresses)
    3839. 

  3839.         {
    3840. 

  3840.             List<IPAddress> supportedLocalAddresses = new List<IPAddress>(localAddresses.Count);
    3841. 

  3841. 

  3842.             foreach (IPAddress localAddress in localAddresses)
    3843. 

  3843.             {
    3844. 

  3844.                 switch (localAddress.AddressFamily)
    3845. 

  3845.                 {
    3846. 

  3846.                     case AddressFamily.InterNetwork:
    3847. 

  3847.                         if (Socket.OSSupportsIPv4)
    3848. 

  3848.                         {
    3849. 

  3849.                             if (!supportedLocalAddresses.Contains(localAddress))
    3850. 

  3850.                                 supportedLocalAddresses.Add(localAddress);
    3851. 

  3851.                         }
    3852. 

  3852. 

  3853.                         break;
    3854. 

  3854. 

  3855.                     case AddressFamily.InterNetworkV6:
    3856. 

  3856.                         if (Socket.OSSupportsIPv6)
    3857. 

  3857.                         {
    3858. 

  3858.                             if (!supportedLocalAddresses.Contains(localAddress))
    3859. 

  3859.                                 supportedLocalAddresses.Add(localAddress);
    3860. 

  3860.                         }
    3861. 

  3861. 

  3862.                         break;
    3863. 

  3863.                 }
    3864. 

  3864.             }
    3865. 

  3865. 

  3866.             bool containsUnicastAddress = false;
    3867. 

  3867. 

  3868.             foreach (IPAddress localAddress in supportedLocalAddresses)
    3869. 

  3869.             {
    3870. 

  3870.                 if (!localAddress.Equals(IPAddress.Any) && !localAddress.Equals(IPAddress.IPv6Any))
    3871. 

  3871.                 {
    3872. 

  3872.                     containsUnicastAddress = true;
    3873. 

  3873.                     break;
    3874. 

  3874.                 }
    3875. 

  3875.             }
    3876. 

  3876. 

  3877.             List<IPAddress> newLocalAddresses = new List<IPAddress>(supportedLocalAddresses.Count);
    3878. 

  3878. 

  3879.             if (containsUnicastAddress)
    3880. 

  3880.             {
    3881. 

  3881.                 //replace any with loopback address
    3882. 

  3882.                 foreach (IPAddress localAddress in supportedLocalAddresses)
    3883. 

  3883.                 {
    3884. 

  3884.                     if (localAddress.Equals(IPAddress.Any))
    3885. 

  3885.                     {
    3886. 

  3886.                         if (!newLocalAddresses.Contains(IPAddress.Loopback))
    3887. 

  3887.                             newLocalAddresses.Add(IPAddress.Loopback);
    3888. 

  3888.                     }
    3889. 

  3889.                     else if (localAddress.Equals(IPAddress.IPv6Any))
    3890. 

  3890.                     {
    3891. 

  3891.                         if (!newLocalAddresses.Contains(IPAddress.IPv6Loopback))
    3892. 

  3892.                             newLocalAddresses.Add(IPAddress.IPv6Loopback);
    3893. 

  3893.                     }
    3894. 

  3894.                     else
    3895. 

  3895.                     {
    3896. 

  3896.                         if (!newLocalAddresses.Contains(localAddress))
    3897. 

  3897.                             newLocalAddresses.Add(localAddress);
    3898. 

  3898.                     }
    3899. 

  3899.                 }
    3900. 

  3900.             }
    3901. 

  3901.             else
    3902. 

  3902.             {
    3903. 

  3903.                 //remove "0.0.0.0" if [::] exists
    3904. 

  3904.                 foreach (IPAddress localAddress in supportedLocalAddresses)
    3905. 

  3905.                 {
    3906. 

  3906.                     if (localAddress.Equals(IPAddress.Any))
    3907. 

  3907.                     {
    3908. 

  3908.                         if (!supportedLocalAddresses.Contains(IPAddress.IPv6Any))
    3909. 

  3909.                             newLocalAddresses.Add(localAddress);
    3910. 

  3910.                     }
    3911. 

  3911.                     else
    3912. 

  3912.                     {
    3913. 

  3913.                         newLocalAddresses.Add(localAddress);
    3914. 

  3914.                     }
    3915. 

  3915.                 }
    3916. 

  3916.             }
    3917. 

  3917. 

  3918.             return newLocalAddresses;
    3919. 

  3919.         }
    3920. 

  3920. 

  3921.         #endregion
    3922. 

  3922. 

  3923.         #region public
    3924. 

  3924. 

  3925.         public async Task StartAsync()
    3926. 

  3926.         {
    3927. 

  3927.             if (_disposed)
    3928. 

  3928.                 throw new ObjectDisposedException("DnsServer");
    3929. 

  3929. 

  3930.             if (_state != ServiceState.Stopped)
    3931. 

  3931.                 throw new InvalidOperationException("DNS Server is already running.");
    3932. 

  3932. 

  3933.             _state = ServiceState.Starting;
    3934. 

  3934. 

  3935.             //bind on all local end points
    3936. 

  3936.             foreach (IPEndPoint localEP in _localEndPoints)
    3937. 

  3937.             {
    3938. 

  3938.                 Socket udpListener = null;
    3939. 

  3939. 

  3940.                 try
    3941. 

  3941.                 {
    3942. 

  3942.                     udpListener = new Socket(localEP.AddressFamily, SocketType.Dgram, ProtocolType.Udp);
    3943. 

  3943. 

  3944.                     #region this code ignores ICMP port unreachable responses which creates SocketException in ReceiveFrom()
    3945. 

  3945. 

  3946.                     if (Environment.OSVersion.Platform == PlatformID.Win32NT)
    3947. 

  3947.                     {
    3948. 

  3948.                         const uint IOC_IN = 0x80000000;
    3949. 

  3949.                         const uint IOC_VENDOR = 0x18000000;
    3950. 

  3950.                         const uint SIO_UDP_CONNRESET = IOC_IN | IOC_VENDOR | 12;
    3951. 

  3951. 

  3952.                         udpListener.IOControl((IOControlCode)SIO_UDP_CONNRESET, new byte[] { Convert.ToByte(false) }, null);
    3953. 

  3953.                     }
    3954. 

  3954. 

  3955.                     #endregion
    3956. 

  3956. 

  3957.                     udpListener.ReceiveBufferSize = 512 * 1024;
    3958. 

  3958.                     udpListener.SendBufferSize = 512 * 1024;
    3959. 

  3959. 

  3960.                     udpListener.Bind(localEP);
    3961. 

  3961. 

  3962.                     _udpListeners.Add(udpListener);
    3963. 

  3963. 

  3964.                     _log?.Write(localEP, DnsTransportProtocol.Udp, "DNS Server was bound successfully.");
    3965. 

  3965.                 }
    3966. 

  3966.                 catch (Exception ex)
    3967. 

  3967.                 {
    3968. 

  3968.                     _log?.Write(localEP, DnsTransportProtocol.Udp, "DNS Server failed to bind.\r\n" + ex.ToString());
    3969. 

  3969. 

  3970.                     udpListener?.Dispose();
    3971. 

  3971.                 }
    3972. 

  3972. 

  3973.                 Socket tcpListener = null;
    3974. 

  3974. 

  3975.                 try
    3976. 

  3976.                 {
    3977. 

  3977.                     tcpListener = new Socket(localEP.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
    3978. 

  3978. 

  3979.                     tcpListener.Bind(localEP);
    3980. 

  3980.                     tcpListener.Listen(_listenBacklog);
    3981. 

  3981. 

  3982.                     _tcpListeners.Add(tcpListener);
    3983. 

  3983. 

  3984.                     _log?.Write(localEP, DnsTransportProtocol.Tcp, "DNS Server was bound successfully.");
    3985. 

  3985.                 }
    3986. 

  3986.                 catch (Exception ex)
    3987. 

  3987.                 {
    3988. 

  3988.                     _log?.Write(localEP, DnsTransportProtocol.Tcp, "DNS Server failed to bind.\r\n" + ex.ToString());
    3989. 

  3989. 

  3990.                     tcpListener?.Dispose();
    3991. 

  3991.                 }
    3992. 

  3992. 

  3993.                 if (_enableDnsOverTls && (_certificate is not null))
    3994. 

  3994.                 {
    3995. 

  3995.                     IPEndPoint tlsEP = new IPEndPoint(localEP.Address, _dnsOverTlsPort);
    3996. 

  3996.                     Socket tlsListener = null;
    3997. 

  3997. 

  3998.                     try
    3999. 

  3999.                     {
    4000. 

  4000.                         tlsListener = new Socket(tlsEP.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
    4001. 

  4001. 

  4002.                         tlsListener.Bind(tlsEP);
    4003. 

  4003.                         tlsListener.Listen(_listenBacklog);
    4004. 

  4004. 

  4005.                         _tlsListeners.Add(tlsListener);
    4006. 

  4006. 

  4007.                         _log?.Write(tlsEP, DnsTransportProtocol.Tls, "DNS Server was bound successfully.");
    4008. 

  4008.                     }
    4009. 

  4009.                     catch (Exception ex)
    4010. 

  4010.                     {
    4011. 

  4011.                         _log?.Write(tlsEP, DnsTransportProtocol.Tls, "DNS Server failed to bind.\r\n" + ex.ToString());
    4012. 

  4012. 

  4013.                         tlsListener?.Dispose();
    4014. 

  4014.                     }
    4015. 

  4015.                 }
    4016. 

  4016. 

  4017.                 if (_enableDnsOverQuic && (_certificate is not null))
    4018. 

  4018.                 {
    4019. 

  4019.                     IPEndPoint quicEP = new IPEndPoint(localEP.Address, _dnsOverQuicPort);
    4020. 

  4020.                     QuicListener quicListener = null;
    4021. 

  4021. 

  4022.                     try
    4023. 

  4023.                     {
    4024. 

  4024.                         QuicListenerOptions listenerOptions = new QuicListenerOptions()
    4025. 

  4025.                         {
    4026. 

  4026.                             ListenEndPoint = quicEP,
    4027. 

  4027.                             ListenBacklog = _listenBacklog,
    4028. 

  4028.                             ApplicationProtocols = new List<SslApplicationProtocol>() { new SslApplicationProtocol("doq") },
    4029. 

  4029.                             ConnectionOptionsCallback = delegate (QuicConnection quicConnection, SslClientHelloInfo sslClientHello, CancellationToken cancellationToken)
    4030. 

  4030.                             {
    4031. 

  4031.                                 QuicServerConnectionOptions serverConnectionOptions = new QuicServerConnectionOptions()
    4032. 

  4032.                                 {
    4033. 

  4033.                                     DefaultCloseErrorCode = (long)DnsOverQuicErrorCodes.DOQ_NO_ERROR,
    4034. 

  4034.                                     DefaultStreamErrorCode = (long)DnsOverQuicErrorCodes.DOQ_UNSPECIFIED_ERROR,
    4035. 

  4035.                                     MaxInboundUnidirectionalStreams = 0,
    4036. 

  4036.                                     MaxInboundBidirectionalStreams = _quicMaxInboundStreams,
    4037. 

  4037.                                     IdleTimeout = TimeSpan.FromMilliseconds(_quicIdleTimeout),
    4038. 

  4038.                                     ServerAuthenticationOptions = new SslServerAuthenticationOptions
    4039. 

  4039.                                     {
    4040. 

  4040.                                         ApplicationProtocols = new List<SslApplicationProtocol>() { new SslApplicationProtocol("doq") },
    4041. 

  4041.                                         ServerCertificate = _certificate
    4042. 

  4042.                                     }
    4043. 

  4043.                                 };
    4044. 

  4044. 

  4045.                                 return ValueTask.FromResult(serverConnectionOptions);
    4046. 

  4046.                             }
    4047. 

  4047.                         };
    4048. 

  4048. 

  4049.                         quicListener = await QuicListener.ListenAsync(listenerOptions);
    4050. 

  4050. 

  4051.                         _quicListeners.Add(quicListener);
    4052. 

  4052. 

  4053.                         _log?.Write(quicEP, DnsTransportProtocol.Quic, "DNS Server was bound successfully.");
    4054. 

  4054.                     }
    4055. 

  4055.                     catch (Exception ex)
    4056. 

  4056.                     {
    4057. 

  4057.                         _log?.Write(quicEP, DnsTransportProtocol.Quic, "DNS Server failed to bind.\r\n" + ex.ToString());
    4058. 

  4058. 

  4059.                         if (quicListener is not null)
    4060. 

  4060.                             await quicListener.DisposeAsync();
    4061. 

  4061.                     }
    4062. 

  4062.                 }
    4063. 

  4063.             }
    4064. 

  4064. 

  4065.             //start reading query packets
    4066. 

  4066.             int listenerTaskCount = Math.Max(1, Environment.ProcessorCount);
    4067. 

  4067. 

  4068.             foreach (Socket udpListener in _udpListeners)
    4069. 

  4069.             {
    4070. 

  4070.                 for (int i = 0; i < listenerTaskCount; i++)
    4071. 

  4071.                 {
    4072. 

  4072.                     _ = Task.Factory.StartNew(delegate ()
    4073. 

  4073.                     {
    4074. 

  4074.                         return ReadUdpRequestAsync(udpListener);
    4075. 

  4075.                     }, CancellationToken.None, TaskCreationOptions.DenyChildAttach, _queryTaskScheduler);
    4076. 

  4076.                 }
    4077. 

  4077.             }
    4078. 

  4078. 

  4079.             foreach (Socket tcpListener in _tcpListeners)
    4080. 

  4080.             {
    4081. 

  4081.                 for (int i = 0; i < listenerTaskCount; i++)
    4082. 

  4082.                 {
    4083. 

  4083.                     _ = Task.Factory.StartNew(delegate ()
    4084. 

  4084.                     {
    4085. 

  4085.                         return AcceptConnectionAsync(tcpListener, DnsTransportProtocol.Tcp);
    4086. 

  4086.                     }, CancellationToken.None, TaskCreationOptions.DenyChildAttach, _queryTaskScheduler);
    4087. 

  4087.                 }
    4088. 

  4088.             }
    4089. 

  4089. 

  4090.             foreach (Socket tlsListener in _tlsListeners)
    4091. 

  4091.             {
    4092. 

  4092.                 for (int i = 0; i < listenerTaskCount; i++)
    4093. 

  4093.                 {
    4094. 

  4094.                     _ = Task.Factory.StartNew(delegate ()
    4095. 

  4095.                     {
    4096. 

  4096.                         return AcceptConnectionAsync(tlsListener, DnsTransportProtocol.Tls);
    4097. 

  4097.                     }, CancellationToken.None, TaskCreationOptions.DenyChildAttach, _queryTaskScheduler);
    4098. 

  4098.                 }
    4099. 

  4099.             }
    4100. 

  4100. 

  4101.             foreach (QuicListener quicListener in _quicListeners)
    4102. 

  4102.             {
    4103. 

  4103.                 for (int i = 0; i < listenerTaskCount; i++)
    4104. 

  4104.                 {
    4105. 

  4105.                     _ = Task.Factory.StartNew(delegate ()
    4106. 

  4106.                     {
    4107. 

  4107.                         return AcceptQuicConnectionAsync(quicListener);
    4108. 

  4108.                     }, CancellationToken.None, TaskCreationOptions.DenyChildAttach, _queryTaskScheduler);
    4109. 

  4109.                 }
    4110. 

  4110.             }
    4111. 

  4111. 

  4112.             if (_enableDnsOverHttp || (_enableDnsOverHttps && (_certificate is not null)))
    4113. 

  4113.                 await StartDoHAsync();
    4114. 

  4114. 

  4115.             _cachePrefetchSamplingTimer = new Timer(CachePrefetchSamplingTimerCallback, null, Timeout.Infinite, Timeout.Infinite);
    4116. 

  4116.             _cachePrefetchRefreshTimer = new Timer(CachePrefetchRefreshTimerCallback, null, Timeout.Infinite, Timeout.Infinite);
    4117. 

  4117.             _cacheMaintenanceTimer = new Timer(CacheMaintenanceTimerCallback, null, CACHE_MAINTENANCE_TIMER_INITIAL_INTEVAL, Timeout.Infinite);
    4118. 

  4118.             _qpmLimitSamplingTimer = new Timer(QpmLimitSamplingTimerCallback, null, Timeout.Infinite, Timeout.Infinite);
    4119. 

  4119. 

  4120.             _state = ServiceState.Running;
    4121. 

  4121. 

  4122.             UpdateThisServer();
    4123. 

  4123.             ResetPrefetchTimers();
    4124. 

  4124.             ResetQpsLimitTimer();
    4125. 

  4125.         }
    4126. 

  4126. 

  4127.         public async Task StopAsync()
    4128. 

  4128.         {
    4129. 

  4129.             if (_state != ServiceState.Running)
    4130. 

  4130.                 return;
    4131. 

  4131. 

  4132.             _state = ServiceState.Stopping;
    4133. 

  4133. 

  4134.             lock (_cachePrefetchSamplingTimerLock)
    4135. 

  4135.             {
    4136. 

  4136.                 if (_cachePrefetchSamplingTimer is not null)
    4137. 

  4137.                 {
    4138. 

  4138.                     _cachePrefetchSamplingTimer.Dispose();
    4139. 

  4139.                     _cachePrefetchSamplingTimer = null;
    4140. 

  4140.                 }
    4141. 

  4141.             }
    4142. 

  4142. 

  4143.             lock (_cachePrefetchRefreshTimerLock)
    4144. 

  4144.             {
    4145. 

  4145.                 if (_cachePrefetchRefreshTimer is not null)
    4146. 

  4146.                 {
    4147. 

  4147.                     _cachePrefetchRefreshTimer.Dispose();
    4148. 

  4148.                     _cachePrefetchRefreshTimer = null;
    4149. 

  4149.                 }
    4150. 

  4150.             }
    4151. 

  4151. 

  4152.             lock (_cacheMaintenanceTimerLock)
    4153. 

  4153.             {
    4154. 

  4154.                 if (_cacheMaintenanceTimer is not null)
    4155. 

  4155.                 {
    4156. 

  4156.                     _cacheMaintenanceTimer.Dispose();
    4157. 

  4157.                     _cacheMaintenanceTimer = null;
    4158. 

  4158.                 }
    4159. 

  4159.             }
    4160. 

  4160. 

  4161.             lock (_qpmLimitSamplingTimerLock)
    4162. 

  4162.             {
    4163. 

  4163.                 if (_qpmLimitSamplingTimer is not null)
    4164. 

  4164.                 {
    4165. 

  4165.                     _qpmLimitSamplingTimer.Dispose();
    4166. 

  4166.                     _qpmLimitSamplingTimer = null;
    4167. 

  4167.                 }
    4168. 

  4168.             }
    4169. 

  4169. 

  4170.             foreach (Socket udpListener in _udpListeners)
    4171. 

  4171.                 udpListener.Dispose();
    4172. 

  4172. 

  4173.             foreach (Socket tcpListener in _tcpListeners)
    4174. 

  4174.                 tcpListener.Dispose();
    4175. 

  4175. 

  4176.             foreach (Socket tlsListener in _tlsListeners)
    4177. 

  4177.                 tlsListener.Dispose();
    4178. 

  4178. 

  4179.             foreach (QuicListener quicListener in _quicListeners)
    4180. 

  4180.                 await quicListener.DisposeAsync();
    4181. 

  4181. 

  4182.             _udpListeners.Clear();
    4183. 

  4183.             _tcpListeners.Clear();
    4184. 

  4184.             _tlsListeners.Clear();
    4185. 

  4185.             _quicListeners.Clear();
    4186. 

  4186. 

  4187.             await StopDoHAsync();
    4188. 

  4188. 

  4189.             _state = ServiceState.Stopped;
    4190. 

  4190.         }
    4191. 

  4191. 

  4192.         public Task<DnsDatagram> DirectQueryAsync(DnsQuestionRecord question, int timeout = 4000, bool skipDnsAppAuthoritativeRequestHandlers = false)
    4193. 

  4193.         {
    4194. 

  4194.             return DirectQueryAsync(new DnsDatagram(0, false, DnsOpcode.StandardQuery, false, false, true, false, false, false, DnsResponseCode.NoError, new DnsQuestionRecord[] { question }), timeout, skipDnsAppAuthoritativeRequestHandlers);
    4195. 

  4195.         }
    4196. 

  4196. 

  4197.         public Task<DnsDatagram> DirectQueryAsync(DnsDatagram request, int timeout = 4000, bool skipDnsAppAuthoritativeRequestHandlers = false)
    4198. 

  4198.         {
    4199. 

  4199.             return ProcessQueryAsync(request, IPENDPOINT_ANY_0, DnsTransportProtocol.Tcp, true, skipDnsAppAuthoritativeRequestHandlers, null).WithTimeout(timeout);
    4200. 

  4200.         }
    4201. 

  4201. 

  4202.         Task<DnsDatagram> IDnsClient.ResolveAsync(DnsQuestionRecord question, CancellationToken cancellationToken)
    4203. 

  4203.         {
    4204. 

  4204.             return DirectQueryAsync(question);
    4205. 

  4205.         }
    4206. 

  4206. 

  4207.         #endregion
    4208. 

  4208. 

  4209.         #region properties
    4210. 

  4210. 

  4211.         public string ServerDomain
    4212. 

  4212.         {
    4213. 

  4213.             get { return _serverDomain; }
    4214. 

  4214.             set
    4215. 

  4215.             {
    4216. 

  4216.                 if (!_serverDomain.Equals(value))
    4217. 

  4217.                 {
    4218. 

  4218.                     _serverDomain = value.ToLower();
    4219. 

  4219. 

  4220.                     _authZoneManager.ServerDomain = _serverDomain;
    4221. 

  4221.                     _allowedZoneManager.ServerDomain = _serverDomain;
    4222. 

  4222.                     _blockedZoneManager.ServerDomain = _serverDomain;
    4223. 

  4223.                     _blockListZoneManager.ServerDomain = _serverDomain;
    4224. 

  4224. 

  4225.                     UpdateThisServer();
    4226. 

  4226.                 }
    4227. 

  4227.             }
    4228. 

  4228.         }
    4229. 

  4229. 

  4230.         public string ConfigFolder
    4231. 

  4231.         { get { return _configFolder; } }
    4232. 

  4232. 

  4233.         public IReadOnlyList<IPEndPoint> LocalEndPoints
    4234. 

  4234.         {
    4235. 

  4235.             get { return _localEndPoints; }
    4236. 

  4236.             set { _localEndPoints = value; }
    4237. 

  4237.         }
    4238. 

  4238. 

  4239.         public LogManager LogManager
    4240. 

  4240.         {
    4241. 

  4241.             get { return _log; }
    4242. 

  4242.             set { _log = value; }
    4243. 

  4243.         }
    4244. 

  4244. 

  4245.         public NameServerAddress ThisServer
    4246. 

  4246.         { get { return _thisServer; } }
    4247. 

  4247. 

  4248.         public AuthZoneManager AuthZoneManager
    4249. 

  4249.         { get { return _authZoneManager; } }
    4250. 

  4250. 

  4251.         public AllowedZoneManager AllowedZoneManager
    4252. 

  4252.         { get { return _allowedZoneManager; } }
    4253. 

  4253. 

  4254.         public BlockedZoneManager BlockedZoneManager
    4255. 

  4255.         { get { return _blockedZoneManager; } }
    4256. 

  4256. 

  4257.         public BlockListZoneManager BlockListZoneManager
    4258. 

  4258.         { get { return _blockListZoneManager; } }
    4259. 

  4259. 

  4260.         public CacheZoneManager CacheZoneManager
    4261. 

  4261.         { get { return _cacheZoneManager; } }
    4262. 

  4262. 

  4263.         public DnsApplicationManager DnsApplicationManager
    4264. 

  4264.         { get { return _dnsApplicationManager; } }
    4265. 

  4265. 

  4266.         public IDnsCache DnsCache
    4267. 

  4267.         { get { return _dnsCache; } }
    4268. 

  4268. 

  4269.         public StatsManager StatsManager
    4270. 

  4270.         { get { return _stats; } }
    4271. 

  4271. 

  4272.         public bool PreferIPv6
    4273. 

  4273.         {
    4274. 

  4274.             get { return _preferIPv6; }
    4275. 

  4275.             set { _preferIPv6 = value; }
    4276. 

  4276.         }
    4277. 

  4277. 

  4278.         public ushort UdpPayloadSize
    4279. 

  4279.         {
    4280. 

  4280.             get { return _udpPayloadSize; }
    4281. 

  4281.             set
    4282. 

  4282.             {
    4283. 

  4283.                 if ((value < 512) || (value > 4096))
    4284. 

  4284.                     throw new ArgumentOutOfRangeException(nameof(UdpPayloadSize), "Invalid EDNS UDP payload size: valid range is 512-4096 bytes.");
    4285. 

  4285. 

  4286.                 _udpPayloadSize = value;
    4287. 

  4287.             }
    4288. 

  4288.         }
    4289. 

  4289. 

  4290.         public bool DnssecValidation
    4291. 

  4291.         {
    4292. 

  4292.             get { return _dnssecValidation; }
    4293. 

  4293.             set
    4294. 

  4294.             {
    4295. 

  4295.                 if (_dnssecValidation != value)
    4296. 

  4296.                 {
    4297. 

  4297.                     if (!_dnssecValidation)
    4298. 

  4298.                         _cacheZoneManager.Flush(); //flush cache to remove non validated data
    4299. 

  4299. 

  4300.                     _dnssecValidation = value;
    4301. 

  4301.                 }
    4302. 

  4302.             }
    4303. 

  4303.         }
    4304. 

  4304. 

  4305.         public bool EDnsClientSubnet
    4306. 

  4306.         {
    4307. 

  4307.             get { return _eDnsClientSubnet; }
    4308. 

  4308.             set
    4309. 

  4309.             {
    4310. 

  4310.                 _eDnsClientSubnet = value;
    4311. 

  4311. 

  4312.                 if (!_eDnsClientSubnet)
    4313. 

  4313.                 {
    4314. 

  4314.                     ThreadPool.QueueUserWorkItem(delegate (object state)
    4315. 

  4315.                     {
    4316. 

  4316.                         _cacheZoneManager.DeleteEDnsClientSubnetData();
    4317. 

  4317.                     });
    4318. 

  4318.                 }
    4319. 

  4319.             }
    4320. 

  4320.         }
    4321. 

  4321. 

  4322.         public byte EDnsClientSubnetIPv4PrefixLength
    4323. 

  4323.         {
    4324. 

  4324.             get { return _eDnsClientSubnetIPv4PrefixLength; }
    4325. 

  4325.             set
    4326. 

  4326.             {
    4327. 

  4327.                 if (value > 32)
    4328. 

  4328.                     throw new ArgumentOutOfRangeException(nameof(EDnsClientSubnetIPv4PrefixLength), "EDNS Client Subnet IPv4 prefix length cannot be greater than 32.");
    4329. 

  4329. 

  4330.                 _eDnsClientSubnetIPv4PrefixLength = value;
    4331. 

  4331.             }
    4332. 

  4332.         }
    4333. 

  4333. 

  4334.         public byte EDnsClientSubnetIPv6PrefixLength
    4335. 

  4335.         {
    4336. 

  4336.             get { return _eDnsClientSubnetIPv6PrefixLength; }
    4337. 

  4337.             set
    4338. 

  4338.             {
    4339. 

  4339.                 if (value > 64)
    4340. 

  4340.                     throw new ArgumentOutOfRangeException(nameof(EDnsClientSubnetIPv6PrefixLength), "EDNS Client Subnet IPv6 prefix length cannot be greater than 64.");
    4341. 

  4341. 

  4342.                 _eDnsClientSubnetIPv6PrefixLength = value;
    4343. 

  4343.             }
    4344. 

  4344.         }
    4345. 

  4345. 

  4346.         public int QpmLimitRequests
    4347. 

  4347.         {
    4348. 

  4348.             get { return _qpmLimitRequests; }
    4349. 

  4349.             set
    4350. 

  4350.             {
    4351. 

  4351.                 if (value < 0)
    4352. 

  4352.                     throw new ArgumentOutOfRangeException(nameof(QpmLimitRequests), "Value cannot be less than 0.");
    4353. 

  4353. 

  4354.                 if (_qpmLimitRequests != value)
    4355. 

  4355.                 {
    4356. 

  4356.                     if ((_qpmLimitRequests == 0) || (value == 0))
    4357. 

  4357.                     {
    4358. 

  4358.                         _qpmLimitRequests = value;
    4359. 

  4359.                         ResetQpsLimitTimer();
    4360. 

  4360.                     }
    4361. 

  4361.                     else
    4362. 

  4362.                     {
    4363. 

  4363.                         _qpmLimitRequests = value;
    4364. 

  4364.                     }
    4365. 

  4365.                 }
    4366. 

  4366.             }
    4367. 

  4367.         }
    4368. 

  4368. 

  4369.         public int QpmLimitErrors
    4370. 

  4370.         {
    4371. 

  4371.             get { return _qpmLimitErrors; }
    4372. 

  4372.             set
    4373. 

  4373.             {
    4374. 

  4374.                 if (value < 0)
    4375. 

  4375.                     throw new ArgumentOutOfRangeException(nameof(QpmLimitErrors), "Value cannot be less than 0.");
    4376. 

  4376. 

  4377.                 if (_qpmLimitErrors != value)
    4378. 

  4378.                 {
    4379. 

  4379.                     if ((_qpmLimitErrors == 0) || (value == 0))
    4380. 

  4380.                     {
    4381. 

  4381.                         _qpmLimitErrors = value;
    4382. 

  4382.                         ResetQpsLimitTimer();
    4383. 

  4383.                     }
    4384. 

  4384.                     else
    4385. 

  4385.                     {
    4386. 

  4386.                         _qpmLimitErrors = value;
    4387. 

  4387.                     }
    4388. 

  4388.                 }
    4389. 

  4389.             }
    4390. 

  4390.         }
    4391. 

  4391. 

  4392.         public int QpmLimitSampleMinutes
    4393. 

  4393.         {
    4394. 

  4394.             get { return _qpmLimitSampleMinutes; }
    4395. 

  4395.             set
    4396. 

  4396.             {
    4397. 

  4397.                 if ((value < 1) || (value > 60))
    4398. 

  4398.                     throw new ArgumentOutOfRangeException(nameof(QpmLimitSampleMinutes), "Valid range is between 1 and 60 minutes.");
    4399. 

  4399. 

  4400.                 _qpmLimitSampleMinutes = value;
    4401. 

  4401.             }
    4402. 

  4402.         }
    4403. 

  4403. 

  4404.         public int QpmLimitIPv4PrefixLength
    4405. 

  4405.         {
    4406. 

  4406.             get { return _qpmLimitIPv4PrefixLength; }
    4407. 

  4407.             set
    4408. 

  4408.             {
    4409. 

  4409.                 if ((value < 0) || (value > 32))
    4410. 

  4410.                     throw new ArgumentOutOfRangeException(nameof(QpmLimitIPv4PrefixLength), "Valid range is between 0 and 32.");
    4411. 

  4411. 

  4412.                 _qpmLimitIPv4PrefixLength = value;
    4413. 

  4413.             }
    4414. 

  4414.         }
    4415. 

  4415. 

  4416.         public int QpmLimitIPv6PrefixLength
    4417. 

  4417.         {
    4418. 

  4418.             get { return _qpmLimitIPv6PrefixLength; }
    4419. 

  4419.             set
    4420. 

  4420.             {
    4421. 

  4421.                 if ((value < 0) || (value > 64))
    4422. 

  4422.                     throw new ArgumentOutOfRangeException(nameof(QpmLimitIPv6PrefixLength), "Valid range is between 0 and 64.");
    4423. 

  4423. 

  4424.                 _qpmLimitIPv6PrefixLength = value;
    4425. 

  4425.             }
    4426. 

  4426.         }
    4427. 

  4427. 

  4428.         public int ClientTimeout
    4429. 

  4429.         {
    4430. 

  4430.             get { return _clientTimeout; }
    4431. 

  4431.             set
    4432. 

  4432.             {
    4433. 

  4433.                 if ((value < 1000) || (value > 10000))
    4434. 

  4434.                     throw new ArgumentOutOfRangeException(nameof(ClientTimeout), "Valid range is from 1000 to 10000.");
    4435. 

  4435. 

  4436.                 _clientTimeout = value;
    4437. 

  4437.             }
    4438. 

  4438.         }
    4439. 

  4439. 

  4440.         public int TcpSendTimeout
    4441. 

  4441.         {
    4442. 

  4442.             get { return _tcpSendTimeout; }
    4443. 

  4443.             set
    4444. 

  4444.             {
    4445. 

  4445.                 if ((value < 1000) || (value > 90000))
    4446. 

  4446.                     throw new ArgumentOutOfRangeException(nameof(TcpSendTimeout), "Valid range is from 1000 to 90000.");
    4447. 

  4447. 

  4448.                 _tcpSendTimeout = value;
    4449. 

  4449.             }
    4450. 

  4450.         }
    4451. 

  4451. 

  4452.         public int TcpReceiveTimeout
    4453. 

  4453.         {
    4454. 

  4454.             get { return _tcpReceiveTimeout; }
    4455. 

  4455.             set
    4456. 

  4456.             {
    4457. 

  4457.                 if ((value < 1000) || (value > 90000))
    4458. 

  4458.                     throw new ArgumentOutOfRangeException(nameof(TcpReceiveTimeout), "Valid range is from 1000 to 90000.");
    4459. 

  4459. 

  4460.                 _tcpReceiveTimeout = value;
    4461. 

  4461.             }
    4462. 

  4462.         }
    4463. 

  4463. 

  4464.         public int QuicIdleTimeout
    4465. 

  4465.         {
    4466. 

  4466.             get { return _quicIdleTimeout; }
    4467. 

  4467.             set
    4468. 

  4468.             {
    4469. 

  4469.                 if ((value < 1000) || (value > 90000))
    4470. 

  4470.                     throw new ArgumentOutOfRangeException(nameof(QuicIdleTimeout), "Valid range is from 1000 to 90000.");
    4471. 

  4471. 

  4472.                 _quicIdleTimeout = value;
    4473. 

  4473.             }
    4474. 

  4474.         }
    4475. 

  4475. 

  4476.         public int QuicMaxInboundStreams
    4477. 

  4477.         {
    4478. 

  4478.             get { return _quicMaxInboundStreams; }
    4479. 

  4479.             set
    4480. 

  4480.             {
    4481. 

  4481.                 if ((value < 0) || (value > 1000))
    4482. 

  4482.                     throw new ArgumentOutOfRangeException(nameof(QuicMaxInboundStreams), "Valid range is from 1 to 1000.");
    4483. 

  4483. 

  4484.                 _quicMaxInboundStreams = value;
    4485. 

  4485.             }
    4486. 

  4486.         }
    4487. 

  4487. 

  4488.         public int ListenBacklog
    4489. 

  4489.         {
    4490. 

  4490.             get { return _listenBacklog; }
    4491. 

  4491.             set { _listenBacklog = value; }
    4492. 

  4492.         }
    4493. 

  4493. 

  4494.         public bool EnableDnsOverHttp
    4495. 

  4495.         {
    4496. 

  4496.             get { return _enableDnsOverHttp; }
    4497. 

  4497.             set { _enableDnsOverHttp = value; }
    4498. 

  4498.         }
    4499. 

  4499. 

  4500.         public bool EnableDnsOverTls
    4501. 

  4501.         {
    4502. 

  4502.             get { return _enableDnsOverTls; }
    4503. 

  4503.             set { _enableDnsOverTls = value; }
    4504. 

  4504.         }
    4505. 

  4505. 

  4506.         public bool EnableDnsOverHttps
    4507. 

  4507.         {
    4508. 

  4508.             get { return _enableDnsOverHttps; }
    4509. 

  4509.             set { _enableDnsOverHttps = value; }
    4510. 

  4510.         }
    4511. 

  4511. 

  4512.         public bool EnableDnsOverQuic
    4513. 

  4513.         {
    4514. 

  4514.             get { return _enableDnsOverQuic; }
    4515. 

  4515.             set { _enableDnsOverQuic = value; }
    4516. 

  4516.         }
    4517. 

  4517. 

  4518.         public int DnsOverHttpPort
    4519. 

  4519.         {
    4520. 

  4520.             get { return _dnsOverHttpPort; }
    4521. 

  4521.             set { _dnsOverHttpPort = value; }
    4522. 

  4522.         }
    4523. 

  4523. 

  4524.         public int DnsOverTlsPort
    4525. 

  4525.         {
    4526. 

  4526.             get { return _dnsOverTlsPort; }
    4527. 

  4527.             set { _dnsOverTlsPort = value; }
    4528. 

  4528.         }
    4529. 

  4529. 

  4530.         public int DnsOverHttpsPort
    4531. 

  4531.         {
    4532. 

  4532.             get { return _dnsOverHttpsPort; }
    4533. 

  4533.             set { _dnsOverHttpsPort = value; }
    4534. 

  4534.         }
    4535. 

  4535. 

  4536.         public int DnsOverQuicPort
    4537. 

  4537.         {
    4538. 

  4538.             get { return _dnsOverQuicPort; }
    4539. 

  4539.             set { _dnsOverQuicPort = value; }
    4540. 

  4540.         }
    4541. 

  4541. 

  4542.         public X509Certificate2 Certificate
    4543. 

  4543.         {
    4544. 

  4544.             get { return _certificate; }
    4545. 

  4545.             set
    4546. 

  4546.             {
    4547. 

  4547.                 if ((value is not null) && !value.HasPrivateKey)
    4548. 

  4548.                     throw new ArgumentException("Tls certificate does not contain private key.");
    4549. 

  4549. 

  4550.                 _certificate = value;
    4551. 

  4551.             }
    4552. 

  4552.         }
    4553. 

  4553. 

  4554.         public IReadOnlyDictionary<string, TsigKey> TsigKeys
    4555. 

  4555.         {
    4556. 

  4556.             get { return _tsigKeys; }
    4557. 

  4557.             set { _tsigKeys = value; }
    4558. 

  4558.         }
    4559. 

  4559. 

  4560.         public DnsServerRecursion Recursion
    4561. 

  4561.         {
    4562. 

  4562.             get { return _recursion; }
    4563. 

  4563.             set
    4564. 

  4564.             {
    4565. 

  4565.                 if (_recursion != value)
    4566. 

  4566.                 {
    4567. 

  4567.                     if ((_recursion == DnsServerRecursion.Deny) || (value == DnsServerRecursion.Deny))
    4568. 

  4568.                     {
    4569. 

  4569.                         _recursion = value;
    4570. 

  4570.                         ResetPrefetchTimers();
    4571. 

  4571.                     }
    4572. 

  4572.                     else
    4573. 

  4573.                     {
    4574. 

  4574.                         _recursion = value;
    4575. 

  4575.                     }
    4576. 

  4576.                 }
    4577. 

  4577.             }
    4578. 

  4578.         }
    4579. 

  4579. 

  4580.         public IReadOnlyCollection<NetworkAddress> RecursionDeniedNetworks
    4581. 

  4581.         {
    4582. 

  4582.             get { return _recursionDeniedNetworks; }
    4583. 

  4583.             set
    4584. 

  4584.             {
    4585. 

  4585.                 if ((value is not null) && (value.Count > byte.MaxValue))
    4586. 

  4586.                     throw new ArgumentOutOfRangeException(nameof(RecursionDeniedNetworks), "Networks cannot be more than 255.");
    4587. 

  4587. 

  4588.                 _recursionDeniedNetworks = value;
    4589. 

  4589.             }
    4590. 

  4590.         }
    4591. 

  4591. 

  4592.         public IReadOnlyCollection<NetworkAddress> RecursionAllowedNetworks
    4593. 

  4593.         {
    4594. 

  4594.             get { return _recursionAllowedNetworks; }
    4595. 

  4595.             set
    4596. 

  4596.             {
    4597. 

  4597.                 if ((value is not null) && (value.Count > byte.MaxValue))
    4598. 

  4598.                     throw new ArgumentOutOfRangeException(nameof(RecursionAllowedNetworks), "Networks cannot be more than 255.");
    4599. 

  4599. 

  4600.                 _recursionAllowedNetworks = value;
    4601. 

  4601.             }
    4602. 

  4602.         }
    4603. 

  4603. 

  4604.         public bool RandomizeName
    4605. 

  4605.         {
    4606. 

  4606.             get { return _randomizeName; }
    4607. 

  4607.             set { _randomizeName = value; }
    4608. 

  4608.         }
    4609. 

  4609. 

  4610.         public bool QnameMinimization
    4611. 

  4611.         {
    4612. 

  4612.             get { return _qnameMinimization; }
    4613. 

  4613.             set { _qnameMinimization = value; }
    4614. 

  4614.         }
    4615. 

  4615. 

  4616.         public bool NsRevalidation
    4617. 

  4617.         {
    4618. 

  4618.             get { return _nsRevalidation; }
    4619. 

  4619.             set { _nsRevalidation = value; }
    4620. 

  4620.         }
    4621. 

  4621. 

  4622.         public int ResolverRetries
    4623. 

  4623.         {
    4624. 

  4624.             get { return _resolverRetries; }
    4625. 

  4625.             set
    4626. 

  4626.             {
    4627. 

  4627.                 if ((value < 1) || (value > 10))
    4628. 

  4628.                     throw new ArgumentOutOfRangeException(nameof(ResolverRetries), "Valid range is from 1 to 10.");
    4629. 

  4629. 

  4630.                 _resolverRetries = value;
    4631. 

  4631.             }
    4632. 

  4632.         }
    4633. 

  4633. 

  4634.         public int ResolverTimeout
    4635. 

  4635.         {
    4636. 

  4636.             get { return _resolverTimeout; }
    4637. 

  4637.             set
    4638. 

  4638.             {
    4639. 

  4639.                 if ((value < 1000) || (value > 10000))
    4640. 

  4640.                     throw new ArgumentOutOfRangeException(nameof(ResolverTimeout), "Valid range is from 1000 to 10000.");
    4641. 

  4641. 

  4642.                 _resolverTimeout = value;
    4643. 

  4643.             }
    4644. 

  4644.         }
    4645. 

  4645. 

  4646.         public int ResolverMaxStackCount
    4647. 

  4647.         {
    4648. 

  4648.             get { return _resolverMaxStackCount; }
    4649. 

  4649.             set
    4650. 

  4650.             {
    4651. 

  4651.                 if ((value < 10) || (value > 30))
    4652. 

  4652.                     throw new ArgumentOutOfRangeException(nameof(ResolverMaxStackCount), "Valid range is from 10 to 30.");
    4653. 

  4653. 

  4654.                 _resolverMaxStackCount = value;
    4655. 

  4655.             }
    4656. 

  4656.         }
    4657. 

  4657. 

  4658.         public bool ServeStale
    4659. 

  4659.         {
    4660. 

  4660.             get { return _serveStale; }
    4661. 

  4661.             set { _serveStale = value; }
    4662. 

  4662.         }
    4663. 

  4663. 

  4664.         public int CachePrefetchEligibility
    4665. 

  4665.         {
    4666. 

  4666.             get { return _cachePrefetchEligibility; }
    4667. 

  4667.             set
    4668. 

  4668.             {
    4669. 

  4669.                 if (value < 2)
    4670. 

  4670.                     throw new ArgumentOutOfRangeException(nameof(CachePrefetchEligibility), "Valid value is greater that or equal to 2.");
    4671. 

  4671. 

  4672.                 _cachePrefetchEligibility = value;
    4673. 

  4673.             }
    4674. 

  4674.         }
    4675. 

  4675. 

  4676.         public int CachePrefetchTrigger
    4677. 

  4677.         {
    4678. 

  4678.             get { return _cachePrefetchTrigger; }
    4679. 

  4679.             set
    4680. 

  4680.             {
    4681. 

  4681.                 if (value < 0)
    4682. 

  4682.                     throw new ArgumentOutOfRangeException(nameof(CachePrefetchTrigger), "Valid value is greater that or equal to 0.");
    4683. 

  4683. 

  4684.                 if (_cachePrefetchTrigger != value)
    4685. 

  4685.                 {
    4686. 

  4686.                     if ((_cachePrefetchTrigger == 0) || (value == 0))
    4687. 

  4687.                     {
    4688. 

  4688.                         _cachePrefetchTrigger = value;
    4689. 

  4689.                         ResetPrefetchTimers();
    4690. 

  4690.                     }
    4691. 

  4691.                     else
    4692. 

  4692.                     {
    4693. 

  4693.                         _cachePrefetchTrigger = value;
    4694. 

  4694.                     }
    4695. 

  4695.                 }
    4696. 

  4696.             }
    4697. 

  4697.         }
    4698. 

  4698. 

  4699.         public int CachePrefetchSampleIntervalInMinutes
    4700. 

  4700.         {
    4701. 

  4701.             get { return _cachePrefetchSampleIntervalInMinutes; }
    4702. 

  4702.             set
    4703. 

  4703.             {
    4704. 

  4704.                 if ((value < 1) || (value > 60))
    4705. 

  4705.                     throw new ArgumentOutOfRangeException(nameof(CachePrefetchSampleIntervalInMinutes), "Valid range is between 1 and 60 minutes.");
    4706. 

  4706. 

  4707.                 _cachePrefetchSampleIntervalInMinutes = value;
    4708. 

  4708.             }
    4709. 

  4709.         }
    4710. 

  4710. 

  4711.         public int CachePrefetchSampleEligibilityHitsPerHour
    4712. 

  4712.         {
    4713. 

  4713.             get { return _cachePrefetchSampleEligibilityHitsPerHour; }
    4714. 

  4714.             set
    4715. 

  4715.             {
    4716. 

  4716.                 if (value < 1)
    4717. 

  4717.                     throw new ArgumentOutOfRangeException(nameof(CachePrefetchSampleEligibilityHitsPerHour), "Valid value is greater than or equal to 1.");
    4718. 

  4718. 

  4719.                 _cachePrefetchSampleEligibilityHitsPerHour = value;
    4720. 

  4720.             }
    4721. 

  4721.         }
    4722. 

  4722. 

  4723.         public bool EnableBlocking
    4724. 

  4724.         {
    4725. 

  4725.             get { return _enableBlocking; }
    4726. 

  4726.             set { _enableBlocking = value; }
    4727. 

  4727.         }
    4728. 

  4728. 

  4729.         public bool AllowTxtBlockingReport
    4730. 

  4730.         {
    4731. 

  4731.             get { return _allowTxtBlockingReport; }
    4732. 

  4732.             set { _allowTxtBlockingReport = value; }
    4733. 

  4733.         }
    4734. 

  4734. 

  4735.         public DnsServerBlockingType BlockingType
    4736. 

  4736.         {
    4737. 

  4737.             get { return _blockingType; }
    4738. 

  4738.             set { _blockingType = value; }
    4739. 

  4739.         }
    4740. 

  4740. 

  4741.         public IReadOnlyCollection<DnsARecordData> CustomBlockingARecords
    4742. 

  4742.         {
    4743. 

  4743.             get { return _customBlockingARecords; }
    4744. 

  4744.             set
    4745. 

  4745.             {
    4746. 

  4746.                 if (value is null)
    4747. 

  4747.                     value = Array.Empty<DnsARecordData>();
    4748. 

  4748. 

  4749.                 _customBlockingARecords = value;
    4750. 

  4750.             }
    4751. 

  4751.         }
    4752. 

  4752. 

  4753.         public IReadOnlyCollection<DnsAAAARecordData> CustomBlockingAAAARecords
    4754. 

  4754.         {
    4755. 

  4755.             get { return _customBlockingAAAARecords; }
    4756. 

  4756.             set
    4757. 

  4757.             {
    4758. 

  4758.                 if (value is null)
    4759. 

  4759.                     value = Array.Empty<DnsAAAARecordData>();
    4760. 

  4760. 

  4761.                 _customBlockingAAAARecords = value;
    4762. 

  4762.             }
    4763. 

  4763.         }
    4764. 

  4764. 

  4765.         public NetProxy Proxy
    4766. 

  4766.         {
    4767. 

  4767.             get { return _proxy; }
    4768. 

  4768.             set { _proxy = value; }
    4769. 

  4769.         }
    4770. 

  4770. 

  4771.         public IReadOnlyList<NameServerAddress> Forwarders
    4772. 

  4772.         {
    4773. 

  4773.             get { return _forwarders; }
    4774. 

  4774.             set { _forwarders = value; }
    4775. 

  4775.         }
    4776. 

  4776. 

  4777.         public int ForwarderRetries
    4778. 

  4778.         {
    4779. 

  4779.             get { return _forwarderRetries; }
    4780. 

  4780.             set
    4781. 

  4781.             {
    4782. 

  4782.                 if ((value < 1) || (value > 10))
    4783. 

  4783.                     throw new ArgumentOutOfRangeException(nameof(ForwarderRetries), "Valid range is from 1 to 10.");
    4784. 

  4784. 

  4785.                 _forwarderRetries = value;
    4786. 

  4786.             }
    4787. 

  4787.         }
    4788. 

  4788. 

  4789.         public int ForwarderTimeout
    4790. 

  4790.         {
    4791. 

  4791.             get { return _forwarderTimeout; }
    4792. 

  4792.             set
    4793. 

  4793.             {
    4794. 

  4794.                 if ((value < 1000) || (value > 10000))
    4795. 

  4795.                     throw new ArgumentOutOfRangeException(nameof(ForwarderTimeout), "Valid range is from 1000 to 10000.");
    4796. 

  4796. 

  4797.                 _forwarderTimeout = value;
    4798. 

  4798.             }
    4799. 

  4799.         }
    4800. 

  4800. 

  4801.         public int ForwarderConcurrency
    4802. 

  4802.         {
    4803. 

  4803.             get { return _forwarderConcurrency; }
    4804. 

  4804.             set
    4805. 

  4805.             {
    4806. 

  4806.                 if ((value < 1) || (value > 10))
    4807. 

  4807.                     throw new ArgumentOutOfRangeException(nameof(ForwarderConcurrency), "Valid range is from 1 to 10.");
    4808. 

  4808. 

  4809.                 _forwarderConcurrency = value;
    4810. 

  4810.             }
    4811. 

  4811.         }
    4812. 

  4812. 

  4813.         public LogManager QueryLogManager
    4814. 

  4814.         {
    4815. 

  4815.             get { return _queryLog; }
    4816. 

  4816.             set { _queryLog = value; }
    4817. 

  4817.         }
    4818. 

  4818. 

  4819.         #endregion
    4820. 

  4820. 

  4821.         class CacheRefreshSample
    4822. 

  4822.         {
    4823. 

  4823.             public CacheRefreshSample(DnsQuestionRecord sampleQuestion, IReadOnlyList<DnsResourceRecord> conditionalForwarders)
    4824. 

  4824.             {
    4825. 

  4825.                 SampleQuestion = sampleQuestion;
    4826. 

  4826.                 ConditionalForwarders = conditionalForwarders;
    4827. 

  4827.             }
    4828. 

  4828. 

  4829.             public DnsQuestionRecord SampleQuestion { get; }
    4830. 

  4830. 

  4831.             public IReadOnlyList<DnsResourceRecord> ConditionalForwarders { get; }
    4832. 

  4832.         }
    4833. 

  4833. 

  4834.         class RecursiveResolveResponse
    4835. 

  4835.         {
    4836. 

  4836.             public RecursiveResolveResponse(DnsDatagram response, DnsDatagram checkingDisabledResponse)
    4837. 

  4837.             {
    4838. 

  4838.                 Response = response;
    4839. 

  4839.                 CheckingDisabledResponse = checkingDisabledResponse;
    4840. 

  4840.             }
    4841. 

  4841. 

  4842.             public DnsDatagram Response { get; }
    4843. 

  4843. 

  4844.             public DnsDatagram CheckingDisabledResponse { get; }
    4845. 

  4845.         }
    4846. 

  4846.     }
    4847. 

  4847. 

  4848. #pragma warning restore CA2252 // This API requires opting into preview features
    4849. 

  4849. #pragma warning restore CA1416 // Validate platform compatibility
    4850. 

  4850. }
    4851.