[wip] dns: use TCP keep alive with period 5 seconds on DNS-over-TLS

lib/dns/dns.go

@@ -31,6 +31,8 @@ const (
 	// DefaultHTTPPort define default port for DNS over HTTPS.
 	DefaultHTTPPort        uint16        = 443
 	defaultHTTPIdleTimeout time.Duration = 120 * time.Second
+
+	defaultKeepAlivePeriod = 5 * time.Second
 )
 
 const (

lib/dns/dot_client.go

@@ -26,9 +26,8 @@ type DoTClient struct {
 // server.  Default port is 853, if not set.
 func NewDoTClient(nameserver string, allowInsecure bool) (cl *DoTClient, err error) {
 	var (
-		tlsConfig tls.Config
-		remoteIP  net.IP
-		port      uint16
+		remoteIP net.IP
+		port     uint16
 	)
 
 	_, remoteIP, port = libnet.ParseIPPort(nameserver, DefaultTLSPort)
@@ -42,7 +41,28 @@ func NewDoTClient(nameserver string, allowInsecure bool) (cl *DoTClient, err err
 
 	nameserver = fmt.Sprintf("%s:%d", remoteIP, port)
 
-	tlsConfig.InsecureSkipVerify = allowInsecure
+	setTCPKeepAlive := func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
+		tcpConn, ok := clientHello.Conn.(*net.TCPConn)
+		if !ok {
+			return nil, nil
+		}
+
+		err := tcpConn.SetKeepAlive(true)
+		if err != nil {
+			return nil, err
+		}
+
+		err = tcpConn.SetKeepAlivePeriod(defaultKeepAlivePeriod)
+		if err != nil {
+			return nil, err
+		}
+		return nil, nil
+	}
+
+	var tlsConfig = tls.Config{
+		InsecureSkipVerify: allowInsecure,
+		GetConfigForClient: setTCPKeepAlive,
+	}
 
 	cl.conn, err = tls.Dial("tcp", nameserver, &tlsConfig)
 	if err != nil {

lib/dns/server.go

@@ -263,28 +263,39 @@ func (srv *Server) serveDoH() {
 
 func (srv *Server) serveDoT() {
 	var (
+		logp    = "serveDoT"
 		dotAddr = srv.opts.getDoTAddress()
 
-		cl   *TCPClient
-		conn net.Conn
-		err  error
+		err error
 	)
 
 	for {
-		if srv.opts.DoHBehindProxy || srv.tlsConfig == nil {
-			srv.dot, err = net.ListenTCP("tcp", dotAddr)
-		} else {
-			srv.dot, err = tls.Listen("tcp", dotAddr.String(), srv.tlsConfig)
-		}
+		var (
+			lc = net.ListenConfig{
+				KeepAlive: defaultKeepAlivePeriod,
+			}
+
+			netListener net.Listener
+		)
+
+		netListener, err = lc.Listen(context.Background(), "tcp", dotAddr.String())
 		if err != nil {
 			log.Println("dns: Server.serveDoT: " + err.Error())
 			time.Sleep(3 * time.Second)
 			continue
 		}
 
+		if !srv.opts.DoHBehindProxy && srv.tlsConfig != nil {
+			netListener = tls.NewListener(netListener, srv.tlsConfig)
+		}
+
+		srv.dot = netListener
+
 		log.Println("dns.Server: listening for DNS over TLS at", dotAddr.String())
 
 		for {
+			var conn net.Conn
+
 			conn, err = srv.dot.Accept()
 			if err != nil {
 				if errors.Is(err, io.EOF) {
@@ -296,7 +307,26 @@ func (srv *Server) serveDoT() {
 				break
 			}
 
-			cl = &TCPClient{
+			var (
+				tcpConn *net.TCPConn
+				ok      bool
+			)
+
+			tcpConn, ok = conn.(*net.TCPConn)
+			if ok {
+				err = tcpConn.SetKeepAlive(true)
+				if err != nil {
+					log.Printf("%s: %s", logp, err)
+					continue
+				}
+				err = tcpConn.SetKeepAlivePeriod(defaultKeepAlivePeriod)
+				if err != nil {
+					log.Printf("%s: %s", logp, err)
+					continue
+				}
+			}
+
+			var cl = &TCPClient{
 				writeTimeout: clientTimeout,
 				conn:         conn,
 			}
@@ -309,8 +339,7 @@ func (srv *Server) serveDoT() {
 // serveTCP serve DNS request from TCP connection.
 func (srv *Server) serveTCP() {
 	var (
-		cl   *TCPClient
-		conn net.Conn
+		conn *net.TCPConn
 		err  error
 	)
 
@@ -328,7 +357,19 @@ func (srv *Server) serveTCP() {
 			return
 		}
 
-		cl = &TCPClient{
+		err = conn.SetKeepAlive(true)
+		if err != nil {
+			err = fmt.Errorf("serveTCP: SetKeepAlive: %w", err)
+			srv.errListener <- err
+		}
+
+		err = conn.SetKeepAlivePeriod(defaultKeepAlivePeriod)
+		if err != nil {
+			err = fmt.Errorf("serveTCP: SetKeepAlivePeriod: %w", err)
+			srv.errListener <- err
+		}
+
+		var cl = &TCPClient{
 			writeTimeout: clientTimeout,
 			conn:         conn,
 		}