diff --git a/control-plane/src/dnsproxy.rs b/control-plane/src/dnsproxy.rs index a0c181c4..8d4a0f0e 100644 --- a/control-plane/src/dnsproxy.rs +++ b/control-plane/src/dnsproxy.rs @@ -123,7 +123,6 @@ impl DnsProxy { socket.send(&request_buffer[..packet_size]).await?; let (amt, _) = socket.recv_from(&mut response_buffer).await?; let response_bytes = &response_buffer[..amt]; - println!("About to cache IP"); cache_ip_for_allowlist(response_bytes)?; stream.write_all(response_bytes).await?; stream.flush().await?; diff --git a/data-plane/src/dns/egressproxy.rs b/data-plane/src/dns/egressproxy.rs index 46375772..af84f372 100644 --- a/data-plane/src/dns/egressproxy.rs +++ b/data-plane/src/dns/egressproxy.rs @@ -51,7 +51,6 @@ impl EgressProxy { mut external_stream: TcpStream, allowed_domains: EgressDestinations, ) -> Result<(), DNSError> { - println!("Handling egress connection:::::::::"); let mut buf = vec![0u8; 4096]; let n = external_stream.read(&mut buf).await?; let customer_data = &mut buf[..n]; @@ -60,10 +59,8 @@ impl EgressProxy { let fd = external_stream.as_raw_fd(); let (ip, port) = Self::get_destination(fd)?; - println!("IP: {ip}, Port: {port}"); check_ip_allow_list(ip.to_string(), &allowed_domains)?; - println!("Sending request to data plane :::: {}", ip); let external_request = ExternalRequest { ip, data: customer_data.to_vec(), diff --git a/data-plane/src/dns/enclavedns.rs b/data-plane/src/dns/enclavedns.rs index 75c9718d..7c236ddf 100644 --- a/data-plane/src/dns/enclavedns.rs +++ b/data-plane/src/dns/enclavedns.rs @@ -1,5 +1,6 @@ use super::error::DNSError; use bytes::Bytes; +use shared::server::egress::cache_ip_for_allowlist; use shared::server::egress::check_dns_allowed_for_domain; use shared::server::egress::get_cached_dns; use shared::server::egress::EgressDestinations; @@ -16,7 +17,6 @@ use tokio::time::timeout; use trust_dns_proto::op::{Message, MessageType, OpCode, ResponseCode}; use trust_dns_proto::rr::Record; use trust_dns_proto::serialize::binary::BinEncodable; -use shared::server::egress::cache_ip_for_allowlist; /// Empty struct for the DNS proxy that runs in the data plane pub struct EnclaveDnsProxy; @@ -152,24 +152,24 @@ impl EnclaveDnsDriver { // Check domain is allowed before proxying lookup let packet = check_dns_allowed_for_domain(&dns_packet, &allowed_destinations)?; match get_cached_dns(packet.clone()) { - Ok(record) => { - match record { - Some(record) => { - let dns_response = Self::get_dns_answer(packet.header().id(), record); - return Ok(Bytes::copy_from_slice(&dns_response)); - } - None => { - let dns_response = timeout(request_upper_bound, Self::forward_dns_lookup(dns_packet)).await??; - cache_ip_for_allowlist(&dns_response.clone())?; - Ok(dns_response) - } + Ok(record) => match record { + Some(record) => { + let dns_response = Self::get_dns_answer(packet.header().id(), record); + Ok(Bytes::copy_from_slice(&dns_response)) } - } + None => { + let dns_response = + timeout(request_upper_bound, Self::forward_dns_lookup(dns_packet)) + .await??; + cache_ip_for_allowlist(&dns_response.clone())?; + Ok(dns_response) + } + }, Err(_) => { // // Attempt DNS lookup wth a timeout, flatten timeout errors into a DNS Error let dns_response = timeout(request_upper_bound, Self::forward_dns_lookup(dns_packet)).await??; - cache_ip_for_allowlist(&dns_response.clone())?; + cache_ip_for_allowlist(&dns_response.clone())?; Ok(dns_response) } } diff --git a/data-plane/src/server/server.rs b/data-plane/src/server/server.rs index 799eea44..9ad81e8f 100644 --- a/data-plane/src/server/server.rs +++ b/data-plane/src/server/server.rs @@ -54,7 +54,7 @@ where }); } - log::info!("TLS Server Created - Listening for new connections. ::::::::"); + log::info!("TLS Server Created - Listening for new connections."); let enclave_context = match EnclaveContext::get() { Ok(context) => Arc::new(context), Err(e) => { diff --git a/shared/src/server/egress.rs b/shared/src/server/egress.rs index 66b9f4fa..1f6f133c 100644 --- a/shared/src/server/egress.rs +++ b/shared/src/server/egress.rs @@ -95,28 +95,19 @@ pub fn check_dns_allowed_for_domain( pub fn cache_ip_for_allowlist(packet: &[u8]) -> Result<(), EgressError> { let parsed_packet = Message::from_bytes(packet).unwrap(); parsed_packet.answers().iter().try_for_each(|ans| { - let ip = ans.data().unwrap().ip_addr().unwrap().to_string(); - println!("Caching IP: {}", ip); - cache_ip( - ip, - ans.name().to_string(), - ans.ttl(), - ) + let ip = ans.data().unwrap().ip_addr().unwrap().to_string(); + cache_ip(ip, ans.name().to_string(), ans.ttl())?; + cache_dns_record(ans.name().to_string(), ans.clone()) }) } pub fn get_ip_from_cache(ip: String) -> Result<(), EgressError> { - println!("Checking IP cache!!!!!!!!"); - ALLOWED_IPS_FROM_DNS.lock().unwrap().iter().for_each(|(k, v)| println!("{}: {}", k, v)); let cache = match ALLOWED_IPS_FROM_DNS.lock() { Ok(cache) => cache, Err(_) => return Err(EgressError::CouldntObtainLock), }; match cache.get(&ip) { - Some(_) => { - println!("Found IP: {} in cache", ip); - Ok(()) - } + Some(_) => Ok(()), None => Err(EgressError::EgressIpNotAllowed(ip)), } } @@ -139,7 +130,6 @@ fn cache_ip(ip: String, name: String, ttl: u32) -> Result<(), EgressError> { Ok(cache) => cache, Err(_) => return Err(EgressError::CouldntObtainLock), }; - println!("Caching IP: {} for domain: {}", ip, name); cache.insert(ip, name, Duration::from_secs(ttl as u64)); Ok(()) } @@ -157,14 +147,12 @@ pub fn check_ip_allow_list( ip: String, allowed_destinations: &EgressDestinations, ) -> Result<(), EgressError> { - println!("Checking IP: {}", ip); if allowed_destinations.allow_all || allowed_destinations.ips.contains(&ip) || get_ip_from_cache(ip.clone()).is_ok() { Ok(()) } else { - println!("IP not allowed: {}", ip); Err(EgressError::EgressIpNotAllowed(ip)) } }