Bind bootstrap DNS lookups to -S source address (#1) #202
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation: ----------- PR aarond10#196 added the `-S` flag to bind HTTPS connections to a source address, enabling policy-based routing. However, bootstrap DNS queries (used to resolve DoH server hostnames like "dns.google") were not bound to the source address. This caused two issues: 1. **Privacy leak**: Bootstrap DNS queries go via default route (local ISP), exposing which DoH server you're using 2. **Routing mismatch**: HTTPS connection routes via VPN but may fail if resolved IP is unreachable from VPN Implementation: --------------- - Bind bootstrap DNS queries using `ares_set_local_ip4()` and `ares_set_local_ip6()` from c-ares - Validate address family matches proxy mode (`-4`/`-6`), warn on mismatch - Warn on invalid address literals - Robot Framework tests for source binding and validation warnings - Docker-based test infrastructure for CI/CD and macOS development Example Usage: -------------- ```bash https_dns_proxy -S 192.168.12.1 -b 1.1.1.1,8.8.8.8 -r https://dns.google/dns-query ``` With PBR rules routing traffic from source 192.168.12.1 via VPN: ```text # Route DoH HTTPS (port 443) via VPN config policy option name 'DoH WA via wg_wa' option interface 'wg_wa' option chain 'output' option proto 'tcp' option src_addr '192.168.12.1' option dest_port '443' # Route bootstrap DNS (port 53) via VPN config policy option name 'Bootstrap DNS WA via wg_wa' option interface 'wg_wa' option chain 'output' option proto 'udp' option src_addr '192.168.12.1' option dest_port '53' option dest_addr '1.1.1.1 8.8.8.8' ``` Both rules now match because `-S` binds both HTTPS and bootstrap DNS to the same source address. Verification: ------------- Bootstrap DNS bound to source address: ``` [I] dns_poller.c:163 Using source address: 192.168.12.1 [I] dns_poller.c:208 Received new DNS server IP: 142.250.80.110 for dns.google ``` Warning on address family mismatch: ``` [W] dns_poller.c:133 Bootstrap source address '::1' is IPv6, but IPv4-only mode is set ``` Warning on invalid address: ``` [W] dns_poller.c:141 Bootstrap source address 'not-an-ip' is not a valid IP literal ``` Files Modified: --------------- - `src/dns_poller.c`: Added `set_bootstrap_source_addr()` function - `src/dns_poller.h`: Added source_addr parameter to poller init - `src/main.c`: Pass source_addr to dns_poller - `src/options.c`: Fix format string type - `tests/robot/functional_tests.robot`: Source binding and validation tests - `tests/docker/Dockerfile`: Test image with valgrind and ctest integration - `tests/docker/run_all_tests.sh`: Simplified test runner using Dockerfile CMD - `CMakeLists.txt`: Fix robot test WORKING_DIRECTORY, add distclean target - `README.md`: Update Docker test documentation - `.gitignore`: Add build/ directory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
PR #196 added the
-Sflag to bind HTTPS connections to a source address, enabling policy-based routing. However, bootstrap DNS queries (used to resolve DoH server hostnames like "dns.google") were not bound to the source address.This caused two issues:
Implementation:
ares_set_local_ip4()andares_set_local_ip6()from c-ares-4/-6), warn on mismatchExample Usage:
With PBR rules routing traffic from source 192.168.12.1 via VPN:
Both rules now match because
-Sbinds both HTTPS and bootstrap DNS to the same source address.Verification:
Bootstrap DNS bound to source address:
Warning on address family mismatch:
Warning on invalid address:
Files Modified:
src/dns_poller.c: Addedset_bootstrap_source_addr()functionsrc/dns_poller.h: Added source_addr parameter to poller initsrc/main.c: Pass source_addr to dns_pollersrc/options.c: Fix format string typetests/robot/functional_tests.robot: Source binding and validation teststests/docker/Dockerfile: Test image with valgrind and ctest integrationtests/docker/run_all_tests.sh: Simplified test runner using Dockerfile CMDCMakeLists.txt: Fix robot test WORKING_DIRECTORY, add distclean targetREADME.md: Update Docker test documentation.gitignore: Add build/ directory