feat: run DNS server inside namespace for localhost compatibility

Run the dummy DNS server inside the network namespace on 127.0.0.1:53
instead of on the host. This fixes DNS resolution on systems using
systemd-resolved (nameserver 127.0.0.53) while still working with
public DNS servers.

Changes:
- Update nftables DNAT to redirect DNS queries to 127.0.0.1:53
- Spawn DNS server inside namespace using `ip netns exec`
- Add --__internal-dns-server flag for the spawned process
- Bring up loopback interface before starting DNS server

This approach is simpler than PR #56's fork+exec machinery and works
universally across different Linux DNS configurations.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ammario

src/jail/linux/dns.rs

@@ -141,6 +141,47 @@ fn build_dummy_response(query: Packet<'_>) -> Result<Vec<u8>> {
         .map_err(|e| anyhow::anyhow!("Failed to build DNS response: {}", e))
 }
 
+/// Run DNS server synchronously (blocks forever). Used when spawned inside namespace.
+pub fn run_dns_server_blocking() -> Result<()> {
+    info!("Starting blocking DNS server on 0.0.0.0:53");
+
+    let socket =
+        UdpSocket::bind("0.0.0.0:53").context("Failed to bind DNS server to 0.0.0.0:53")?;
+
+    socket.set_read_timeout(Some(Duration::from_millis(500)))?;
+
+    let mut buf = [0u8; MAX_DNS_PACKET_SIZE];
+    loop {
+        match socket.recv_from(&mut buf) {
+            Ok((size, src)) => {
+                debug!("Received DNS query from {}: {} bytes", src, size);
+
+                match Packet::parse(&buf[..size]) {
+                    Ok(query) => {
+                        if let Ok(response) = build_dummy_response(query) {
+                            if let Err(e) = socket.send_to(&response, src) {
+                                warn!("Failed to send DNS response to {}: {}", src, e);
+                            } else {
+                                debug!("Sent dummy DNS response to {}", src);
+                            }
+                        }
+                    }
+                    Err(e) => {
+                        debug!("Failed to parse DNS query: {}", e);
+                    }
+                }
+            }
+            Err(e) if e.kind() == std::io::ErrorKind::WouldBlock => continue,
+            Err(e) if e.kind() == std::io::ErrorKind::TimedOut => continue,
+            Err(e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
+            Err(e) => {
+                error!("DNS server receive error: {}", e);
+                return Err(e.into());
+            }
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

src/jail/linux/mod.rs

@@ -1,4 +1,4 @@
-mod dns;
+pub mod dns;
 mod nftables;
 mod resources;
 
@@ -9,10 +9,8 @@ use super::Jail;
 use super::JailConfig;
 use crate::sys_resource::ManagedResource;
 use anyhow::{Context, Result};
-use dns::DummyDnsServer;
 use resources::{NFTable, NetworkNamespace, VethPair};
 use std::process::{Command, ExitStatus};
-use std::sync::{Arc, Mutex};
 use tracing::{debug, info, warn};
 
 // Linux namespace network configuration constants were previously fixed; the
@@ -66,7 +64,7 @@ pub struct LinuxJail {
     namespace: Option<ManagedResource<NetworkNamespace>>,
     veth_pair: Option<ManagedResource<VethPair>>,
     nftables: Option<ManagedResource<NFTable>>,
-    dns_server: Option<Arc<Mutex<DummyDnsServer>>>,
+    dns_server_child: Option<std::process::Child>,
     // Per-jail computed networking (unique /30 inside 10.99/16)
     host_ip: [u8; 4],
     host_cidr: String,
@@ -83,7 +81,7 @@ impl LinuxJail {
             namespace: None,
             veth_pair: None,
             nftables: None,
-            dns_server: None,
+            dns_server_child: None,
             host_ip,
             host_cidr,
             guest_cidr,
@@ -368,29 +366,43 @@ impl LinuxJail {
     fn start_dns_server(&mut self) -> Result<()> {
         let namespace_name = self.namespace_name();
 
-        info!("Starting dummy DNS server in namespace {}", namespace_name);
+        info!(
+            "Starting dummy DNS server inside namespace {}",
+            namespace_name
+        );
 
-        // Start the DNS server on the host side
-        let mut dns_server = DummyDnsServer::new();
+        // Spawn httpjail inside the namespace to run the DNS server
+        // This uses the --__internal-dns-server flag which calls run_dns_server_blocking()
+        let exe_path = std::env::current_exe().context("Failed to get current executable path")?;
 
-        // Bind directly to port 53 on the host IP - no redirection needed
-        let dns_bind_addr = format!("{}:53", format_ip(self.host_ip));
-        dns_server.start(&dns_bind_addr)?;
+        let child = std::process::Command::new("ip")
+            .args([
+                "netns",
+                "exec",
+                &namespace_name,
+                exe_path.to_str().context("Invalid executable path")?,
+                "--__internal-dns-server",
+            ])
+            .stdin(std::process::Stdio::null())
+            .stdout(std::process::Stdio::null())
+            .stderr(std::process::Stdio::null())
+            .spawn()
+            .context("Failed to spawn in-namespace DNS server")?;
 
-        info!("Started dummy DNS server on {}", dns_bind_addr);
+        info!("Started in-namespace DNS server (pid {})", child.id());
 
-        self.dns_server = Some(Arc::new(Mutex::new(dns_server)));
+        self.dns_server_child = Some(child);
 
         Ok(())
     }
 
     /// Stop the DNS server
     fn stop_dns_server(&mut self) {
-        if let Some(dns_server_arc) = self.dns_server.take() {
-            if let Ok(mut dns_server) = dns_server_arc.lock() {
-                dns_server.stop();
-                info!("Stopped dummy DNS server");
-            }
+        if let Some(mut child) = self.dns_server_child.take() {
+            debug!("Stopping in-namespace DNS server (pid {})", child.id());
+            let _ = child.kill();
+            let _ = child.wait();
+            debug!("Stopped in-namespace DNS server");
         }
     }
 }
@@ -567,7 +579,7 @@ impl Clone for LinuxJail {
             namespace: None,
             veth_pair: None,
             nftables: None,
-            dns_server: None,
+            dns_server_child: None,
             host_ip: self.host_ip,
             host_cidr: self.host_cidr.clone(),
             guest_cidr: self.guest_cidr.clone(),

src/jail/linux/nftables.rs

@@ -127,9 +127,9 @@ table ip {table_name} {{
     chain output {{
         type nat hook output priority -100; policy accept;
 
-        # Redirect all DNS queries to our dummy DNS server on host
+        # Redirect all DNS queries to our dummy DNS server running in namespace
         # This works regardless of what nameserver is in /etc/resolv.conf
-        udp dport 53 dnat to {host_ip}
+        udp dport 53 dnat to 127.0.0.1:53
 
         # Redirect HTTP to proxy running on host
         tcp dport 80 dnat to {host_ip}:{http_port}
@@ -145,8 +145,8 @@ table ip {table_name} {{
         # Always allow established/related traffic
         ct state established,related accept
 
-        # Allow DNS traffic to the host (after DNAT redirection)
-        ip daddr {host_ip} udp dport 53 accept
+        # Allow DNS traffic to localhost (after DNAT redirection)
+        ip daddr 127.0.0.1 udp dport 53 accept
 
         # Allow traffic to the host proxy ports after DNAT
         ip daddr {host_ip} tcp dport {{ {http_port}, {https_port} }} accept

src/main.rs

@@ -306,6 +306,22 @@ fn cleanup_orphans() -> Result<()> {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    // Handle internal DNS server flag (must be first, before clap parsing)
+    // This is called by LinuxJail when spawning DNS server inside namespace
+    #[cfg(target_os = "linux")]
+    if std::env::args().any(|arg| arg == "--__internal-dns-server") {
+        use httpjail::jail::linux::dns::run_dns_server_blocking;
+
+        // Bring up loopback interface in the namespace
+        std::process::Command::new("ip")
+            .args(["link", "set", "lo", "up"])
+            .output()
+            .context("Failed to bring up loopback interface")?;
+
+        // Run the DNS server (blocks forever)
+        return run_dns_server_blocking();
+    }
+
     let args = Args::parse();
 
     // Handle trust subcommand (takes precedence)