dns: add a getaddrinfo based system resolver

CODEOWNERS

@@ -197,6 +197,7 @@ extensions/filters/http/oauth2 @derekargueta @snowp
 # DNS resolution
 /*/extensions/network/dns_resolver/cares @yanavlasov @mattklein123
 /*/extensions/network/dns_resolver/apple @yanavlasov @mattklein123
+/*/extensions/network/dns_resolver/getaddrinfo @alyssawilk @mattklein123
 # compression code
 /*/extensions/filters/http/decompressor @kbaichoo @mattklein123
 /*/extensions/filters/http/compressor @kbaichoo @mattklein123

api/BUILD

@@ -238,6 +238,7 @@ proto_library(
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/network/dns_resolver/apple/v3:pkg",
         "//envoy/extensions/network/dns_resolver/cares/v3:pkg",
+        "//envoy/extensions/network/dns_resolver/getaddrinfo/v3:pkg",
         "//envoy/extensions/network/socket_interface/v3:pkg",
         "//envoy/extensions/quic/crypto_stream/v3:pkg",
         "//envoy/extensions/quic/proof_source/v3:pkg",

api/envoy/extensions/network/dns_resolver/getaddrinfo/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)

api/envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto

@@ -0,0 +1,30 @@
+syntax = "proto3";
+
+package envoy.extensions.network.dns_resolver.getaddrinfo.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.network.dns_resolver.getaddrinfo.v3";
+option java_outer_classname = "GetaddrinfoDnsResolverProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/getaddrinfo/v3;getaddrinfov3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: getaddrinfo DNS resolver]
+// [#extension: envoy.network.dns_resolver.getaddrinfo]
+
+// Configuration for getaddrinfo DNS resolver. This resolver will use the system's getaddrinfo()
+// function to resolve hosts.
+//
+// .. attention::
+//
+//   This resolver uses a single background thread to do resolutions. As such, it is not currently
+//   advised for use in situations requiring a high resolution rate. A thread pool can be added
+//   in the future if needed.
+//
+// .. attention::
+//
+//   Resolutions currently use a hard coded TTL of 60s because the getaddrinfo() API does not
+//   provide the actual TTL. Configuration for this can be added in the future if needed.
+message GetAddrInfoDnsResolverConfig {
+}

api/versioning/BUILD

@@ -180,6 +180,7 @@ proto_library(
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/network/dns_resolver/apple/v3:pkg",
         "//envoy/extensions/network/dns_resolver/cares/v3:pkg",
+        "//envoy/extensions/network/dns_resolver/getaddrinfo/v3:pkg",
         "//envoy/extensions/network/socket_interface/v3:pkg",
         "//envoy/extensions/quic/crypto_stream/v3:pkg",
         "//envoy/extensions/quic/proof_source/v3:pkg",

changelogs/current.yaml

@@ -232,6 +232,8 @@ new_features:
     added :ref:`include_unroutable_families<envoy_v3_api_field_extensions.network.dns_resolver.apple.v3.AppleDnsResolverConfig.include_unroutable_families>` to the Apple DNS resolver.
   change: |
     added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL <envoy_v3_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.ALL>` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here <arch_overview_conn_pool>` but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false.
+  change: |
+    added :ref:`GetAddrInfoDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig>`, a new DNS resolver that uses the system's getaddrinfo() function to resolve DNS. This was primarily added for use on Android but can also be used in other situations in which the system resolver is desired.
 - area: dubbo_proxy
   change: |
     added :ref:`dynamic routes discovery <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>` support to the dubbo proxy.

docs/root/intro/arch_overview/upstream/dns_resolution.rst

@@ -13,12 +13,14 @@ Envoy uses `c-ares <https://github.com/c-ares/c-ares>`_ as a third party DNS res
 On Apple OSes Envoy additionally offers resolution using Apple specific APIs via the
 ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime feature.
 
-Envoy provides DNS resolution through extensions, and contains 2 built-in extensions:
+Envoy provides DNS resolution through extensions, and contains 3 built-in extensions:
 
 1) c-ares: :ref:`CaresDnsResolverConfig<envoy_v3_api_msg_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig>`
 
 2) Apple (iOS/macOS only): :ref:`AppleDnsResolverConfig<envoy_v3_api_msg_extensions.network.dns_resolver.apple.v3.AppleDnsResolverConfig>`
 
+3) getaddrinfo: :ref:`GetAddrInfoDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig>`
+
 For an example of a built-in DNS typed configuration see the :ref:`HTTP filter configuration documentation <config_http_filters_dynamic_forward_proxy>`.
 
 The Apple-based DNS Resolver emits the following stats rooted in the ``dns.apple`` stats tree:

envoy/api/os_sys_calls.h

@@ -282,6 +282,17 @@ class OsSysCalls {
     alternate_getifaddrs_ = alternate_getifaddrs;
   }
 
+  /**
+   * @see man getaddrinfo
+   */
+  virtual SysCallIntResult getaddrinfo(const char* node, const char* service, const addrinfo* hints,
+                                       addrinfo** res) PURE;
+
+  /**
+   * @see man freeaddrinfo
+   */
+  virtual void freeaddrinfo(addrinfo* res) PURE;
+
 protected:
   absl::optional<AlternateGetifaddrs> alternate_getifaddrs_{};
 };

source/common/api/posix/os_sys_calls_impl.cc

@@ -404,5 +404,13 @@ SysCallIntResult OsSysCallsImpl::getifaddrs([[maybe_unused]] InterfaceAddressVec
 #endif
 }
 
+SysCallIntResult OsSysCallsImpl::getaddrinfo(const char* node, const char* service,
+                                             const addrinfo* hints, addrinfo** res) {
+  const int rc = ::getaddrinfo(node, service, hints, res);
+  return {rc, errno};
+}
+
+void OsSysCallsImpl::freeaddrinfo(addrinfo* res) { ::freeaddrinfo(res); }
+
 } // namespace Api
 } // namespace Envoy

source/common/api/posix/os_sys_calls_impl.h

@@ -62,6 +62,9 @@ class OsSysCallsImpl : public OsSysCalls {
   SysCallBoolResult socketTcpInfo(os_fd_t sockfd, EnvoyTcpInfo* tcp_info) override;
   bool supportsGetifaddrs() const override;
   SysCallIntResult getifaddrs(InterfaceAddressVector& interfaces) override;
+  SysCallIntResult getaddrinfo(const char* node, const char* service, const addrinfo* hints,
+                               addrinfo** res) override;
+  void freeaddrinfo(addrinfo* res) override;
 };
 
 using OsSysCallsSingleton = ThreadSafeSingleton<OsSysCallsImpl>;

source/common/api/win32/os_sys_calls_impl.cc

@@ -458,5 +458,13 @@ SysCallIntResult OsSysCallsImpl::getifaddrs([[maybe_unused]] InterfaceAddressVec
   PANIC("not implemented");
 }
 
+SysCallIntResult OsSysCallsImpl::getaddrinfo(const char* node, const char* service,
+                                             const addrinfo* hints, addrinfo** res) {
+  const int rc = ::getaddrinfo(node, service, hints, res);
+  return {rc, errno};
+}
+
+void OsSysCallsImpl::freeaddrinfo(addrinfo* res) { ::freeaddrinfo(res); }
+
 } // namespace Api
 } // namespace Envoy

source/common/api/win32/os_sys_calls_impl.h

@@ -64,6 +64,9 @@ class OsSysCallsImpl : public OsSysCalls {
   SysCallBoolResult socketTcpInfo(os_fd_t sockfd, EnvoyTcpInfo* tcp_info) override;
   bool supportsGetifaddrs() const override;
   SysCallIntResult getifaddrs(InterfaceAddressVector&) override;
+  SysCallIntResult getaddrinfo(const char* node, const char* service, const addrinfo* hints,
+                               addrinfo** res) override;
+  void freeaddrinfo(addrinfo* res) override;
 };
 
 using OsSysCallsSingleton = ThreadSafeSingleton<OsSysCallsImpl>;

source/extensions/extensions_build_config.bzl

@@ -339,9 +339,10 @@ EXTENSIONS = {
 
     # c-ares DNS resolver extension is recommended to be enabled to maintain the legacy DNS resolving behavior.
     "envoy.network.dns_resolver.cares":                "//source/extensions/network/dns_resolver/cares:config",
-
     # apple DNS resolver extension is only needed in MacOS build plus one want to use apple library for DNS resolving.
     "envoy.network.dns_resolver.apple":                "//source/extensions/network/dns_resolver/apple:config",
+    # getaddrinfo DNS resolver extension can be used when the system resolver is desired (e.g., Android)
+    "envoy.network.dns_resolver.getaddrinfo":          "//source/extensions/network/dns_resolver/getaddrinfo:config",
 
     #
     # Custom matchers

source/extensions/extensions_metadata.yaml

@@ -1096,6 +1096,13 @@ envoy.network.dns_resolver.apple:
   status: stable
   type_urls:
   - envoy.extensions.network.dns_resolver.apple.v3.AppleDnsResolverConfig
+envoy.network.dns_resolver.getaddrinfo:
+  categories:
+  - envoy.network.dns_resolver
+  security_posture: robust_to_untrusted_downstream_and_upstream
+  status: stable
+  type_urls:
+  - envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig
 envoy.rbac.matchers.upstream_ip_port:
   categories:
   - envoy.rbac.matchers

source/extensions/network/dns_resolver/getaddrinfo/BUILD

@@ -0,0 +1,20 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_extension(
+    name = "config",
+    srcs = ["getaddrinfo.cc"],
+    hdrs = ["getaddrinfo.h"],
+    deps = [
+        "//envoy/network:dns_resolver_interface",
+        "//envoy/registry",
+        "@envoy_api//envoy/extensions/network/dns_resolver/getaddrinfo/v3:pkg_cc_proto",
+    ],
+)