Add configurable idle-timeout for DoH connections (#484)

Author: emlimap

cmd/routedns/config.go

@@ -73,7 +73,8 @@ type resolver struct {
 
 // DoH-specific resolver options
 type doh struct {
-	Method string
+	Method      string
+	IdleTimeout int `toml:"idle-timeout"` // Idle connection timeout in seconds. TCP default: 30s. QUIC: uses library default if not set.
 }
 
 // Cache backend options

cmd/routedns/resolver.go

@@ -81,6 +81,7 @@ func instantiateResolver(id string, r resolver, resolvers map[string]rdns.Resolv
 			Transport:     r.Transport,
 			LocalAddr:     net.ParseIP(r.LocalAddr),
 			QueryTimeout:  time.Duration(r.QueryTimeout) * time.Second,
+			IdleTimeout:   time.Duration(r.DoH.IdleTimeout) * time.Second,
 			Dialer:        socks5DialerFromConfig(r),
 			Use0RTT:       r.Use0RTT,
 		}
@@ -100,6 +101,7 @@ func instantiateResolver(id string, r resolver, resolvers map[string]rdns.Resolv
 			Transport:     r.Transport,
 			LocalAddr:     net.ParseIP(r.LocalAddr),
 			QueryTimeout:  time.Duration(r.QueryTimeout) * time.Second,
+			IdleTimeout:   time.Duration(r.DoH.IdleTimeout) * time.Second,
 		}
 		resolvers[id], err = rdns.NewODoHClient(id, r.Address, r.Target, r.TargetConfig, opt)
 		if err != nil {

doc/configuration.md

@@ -1740,6 +1740,7 @@ Example config files: [well-known.toml](../cmd/routedns/example-config/well-know
 
 DNS resolvers using the HTTPS protocol are configured with `protocol = "doh"`. By default, DoH uses TCP as transport, but it can also be run over QUIC (UDP) by providing the option `transport = "quic"`. DoH supports two HTTP methods, GET and POST. By default RouteDNS uses the POST method, but can be configured to use GET as well using the option `doh = { method = "GET" }`.
 DoH with QUIC supports 0-RTT. The DoH resolver will try to use 0-RTT connection establishment if `transport = "quic"` and `enable-0rtt = true` are configured. When 0-RTT is enabled, the resolver will disregard the configured method and always use GET instead. This means the configured address nees to contain a URL template (with the `{?dns}` part).
+The idle connection timeout can be configured with `doh = { idle-timeout = 60 }` (in seconds). This controls how long idle HTTP connections are kept open before being closed. For TCP transport, the default is 30 seconds. For QUIC transport, the default is determined by the quic-go library. Note that for QUIC, the actual idle timeout is the minimum of the client and server values.
 
 Examples:
 
@@ -1770,6 +1771,15 @@ transport = "quic"
 enable-0rtt = true
 ```
 
+DoH resolver with extended idle timeout.
+
+```toml
+[resolvers.cloudflare-doh-long-idle]
+address = "https://1.1.1.1/dns-query"
+protocol = "doh"
+doh = { idle-timeout = 60 }
+```
+
 Example config files: [well-known.toml](../cmd/routedns/example-config/well-known.toml), [simple-doh.toml](../cmd/routedns/example-config/simple-doh.toml), [mutual-tls-doh-client.toml](../cmd/routedns/example-config/mutual-tls-doh-client.toml)
 
 ### Oblivious DNS (ODoH)

dohclient.go

@@ -23,6 +23,9 @@ import (
 	"golang.org/x/net/http2"
 )
 
+// defaultDoHIdleTimeout is the default idle connection timeout for DoH TCP transport.
+const defaultDoHIdleTimeout = 30 * time.Second
+
 // DoHClientOptions contains options used by the DNS-over-HTTP resolver.
 type DoHClientOptions struct {
 	// Query method, either GET or POST. If empty, POST is used.
@@ -42,6 +45,12 @@ type DoHClientOptions struct {
 
 	QueryTimeout time.Duration
 
+	// IdleTimeout is the maximum amount of time an idle connection will remain
+	// open before being closed. For TCP transport, defaults to 30 seconds if not set.
+	// For QUIC transport, defaults to the quic-go library default if not set. Note
+	// that for QUIC, the actual timeout is the minimum of client and server values.
+	IdleTimeout time.Duration
+
 	// Optional dialer, e.g. proxy
 	Dialer Dialer
 
@@ -61,6 +70,11 @@ type DoHClient struct {
 var _ Resolver = &DoHClient{}
 
 func NewDoHClient(id, endpoint string, opt DoHClientOptions) (*DoHClient, error) {
+	// Validate options
+	if opt.IdleTimeout < 0 {
+		return nil, fmt.Errorf("idle-timeout must not be negative")
+	}
+
 	// Parse the URL template
 	template, err := uritemplates.Parse(endpoint)
 	if err != nil {
@@ -237,12 +251,16 @@ func (d *DoHClient) responseFromHTTP(resp *http.Response) (*dns.Msg, error) {
 }
 
 func dohTcpTransport(opt DoHClientOptions) (http.RoundTripper, error) {
+	idleTimeout := opt.IdleTimeout
+	if idleTimeout == 0 {
+		idleTimeout = defaultDoHIdleTimeout
+	}
 	tr := &http.Transport{
 		Proxy:                 http.ProxyFromEnvironment,
 		TLSClientConfig:       opt.TLSConfig,
 		DisableCompression:    true,
 		ResponseHeaderTimeout: 10 * time.Second,
-		IdleConnTimeout:       30 * time.Second,
+		IdleConnTimeout:       idleTimeout,
 	}
 	// If we're using a custom tls.Config, HTTP2 isn't enabled by default in
 	// the HTTP library. Turn it on for this transport.
@@ -320,12 +338,17 @@ func dohQuicTransport(endpoint string, opt DoHClientOptions) (http.RoundTripper,
 		return dialFunc(ctx, rAddr, tlsConfig, config)
 	}
 
+	quicConfig := &quic.Config{
+		TokenStore: quic.NewLRUTokenStore(10, 10),
+	}
+	if opt.IdleTimeout > 0 {
+		quicConfig.MaxIdleTimeout = opt.IdleTimeout
+	}
+
 	tr := &http3.Transport{
 		TLSClientConfig: tlsConfig,
-		QUICConfig: &quic.Config{
-			TokenStore: quic.NewLRUTokenStore(10, 10),
-		},
-		Dial: dialer,
+		QUICConfig:      quicConfig,
+		Dial:            dialer,
 	}
 	return tr, nil
 }

dohclient_test.go

@@ -1,9 +1,12 @@
 package rdns
 
 import (
+	"net/http"
 	"testing"
+	"time"
 
 	"github.com/miekg/dns"
+	"github.com/quic-go/quic-go/http3"
 	"github.com/stretchr/testify/require"
 )
 
@@ -26,3 +29,39 @@ func TestDoHClientSimpleGET(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, r.Answer)
 }
+
+func TestDoHTcpTransportIdleTimeoutDefault(t *testing.T) {
+	tr, err := dohTcpTransport(DoHClientOptions{})
+	require.NoError(t, err)
+	httpTransport := tr.(*http.Transport)
+	require.Equal(t, defaultDoHIdleTimeout, httpTransport.IdleConnTimeout)
+}
+
+func TestDoHTcpTransportIdleTimeoutConfigured(t *testing.T) {
+	tr, err := dohTcpTransport(DoHClientOptions{IdleTimeout: 2 * time.Minute})
+	require.NoError(t, err)
+	httpTransport := tr.(*http.Transport)
+	require.Equal(t, 2*time.Minute, httpTransport.IdleConnTimeout)
+}
+
+func TestDoHQuicTransportIdleTimeoutDefault(t *testing.T) {
+	tr, err := dohQuicTransport("https://example.com/dns-query", DoHClientOptions{})
+	require.NoError(t, err)
+	http3Transport := tr.(*http3.Transport)
+	// When not configured, MaxIdleTimeout should not be set (zero value)
+	// The quic-go library will use its own default
+	require.Equal(t, time.Duration(0), http3Transport.QUICConfig.MaxIdleTimeout)
+}
+
+func TestDoHQuicTransportIdleTimeoutConfigured(t *testing.T) {
+	tr, err := dohQuicTransport("https://example.com/dns-query", DoHClientOptions{IdleTimeout: 2 * time.Minute})
+	require.NoError(t, err)
+	http3Transport := tr.(*http3.Transport)
+	require.Equal(t, 2*time.Minute, http3Transport.QUICConfig.MaxIdleTimeout)
+}
+
+func TestDoHClientIdleTimeoutNegative(t *testing.T) {
+	_, err := NewDoHClient("test-doh", "https://example.com/dns-query", DoHClientOptions{IdleTimeout: -1 * time.Second})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "idle-timeout must not be negative")
+}