push.rocks/smartdns
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Philipp Kunz
2025-03-21 18:21:47 +00:00
parent 9bc8278464
commit 7997e9dc94
9 changed files with 6038 additions and 1922 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
ts_server/classes.dnssec.ts
View File

@ -83,10 +83,27 @@ export class DnsSec {
}
public signData(data: Buffer): Buffer {
// Sign the data using the private key
const keyPair = this.ec!.keyFromPrivate(this.keyPair.privateKey, 'hex');
const signature = keyPair.sign(plugins.crypto.createHash('sha256').update(data).digest());
return Buffer.from(signature.toDER());
switch (this.zone.algorithm) {
case 'ECDSA':
if (!this.ec) throw new Error('EC instance is not initialized.');
const ecKeyPair = this.ec.keyFromPrivate(this.keyPair.privateKey, 'hex');
const ecSignature = ecKeyPair.sign(plugins.crypto.createHash('sha256').update(data).digest());
return Buffer.from(ecSignature.toDER());
case 'ED25519':
if (!this.eddsa) throw new Error('EdDSA instance is not initialized.');
const edKeyPair = this.eddsa.keyFromSecret(Buffer.from(this.keyPair.privateKey, 'hex'));
// ED25519 doesn't need a separate hash function as it includes the hashing internally
const edSignature = edKeyPair.sign(data);
// Convert the signature to the correct format for Buffer.from
return Buffer.from(edSignature.toBytes());
case 'RSA':
throw new Error('RSA signing is not yet implemented.');
default:
throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
}
}
private generateDNSKEY(): Buffer {
@ -169,4 +186,4 @@ export class DnsSec {
const dnskeyRecord = this.getDNSKEYRecord();
return { keyPair: this.keyPair, dsRecord, dnskeyRecord };
}
}
}

381
ts_server/classes.dnsserver.ts
View File

@ -2,7 +2,7 @@ import * as plugins from './plugins.js';
import { DnsSec } from './classes.dnssec.js';
import * as dnsPacket from 'dns-packet';
interface IDnsServerOptions {
export interface IDnsServerOptions {
httpsKey: string;
httpsCert: string;
httpsPort: number;
@ -10,7 +10,7 @@ interface IDnsServerOptions {
dnssecZone: string;
}
interface DnsAnswer {
export interface DnsAnswer {
name: string;
type: string;
class: string | number;
@ -18,7 +18,7 @@ interface DnsAnswer {
data: any;
}
interface IDnsHandler {
export interface IDnsHandler {
domainPattern: string;
recordTypes: string[];
handler: (question: dnsPacket.Question) => DnsAnswer | null;
@ -43,6 +43,13 @@ interface RRSIGData {
signature: Buffer;
}
// Let's Encrypt related interfaces
interface LetsEncryptOptions {
email?: string;
staging?: boolean;
certDir?: string;
}
export class DnsServer {
private udpServer: plugins.dgram.Socket;
private httpsServer: plugins.https.Server;
@ -78,7 +85,327 @@ export class DnsServer {
this.handlers.push({ domainPattern, recordTypes, handler });
}
private processDnsRequest(request: dnsPacket.Packet): dnsPacket.Packet {
// Unregister a specific handler
public unregisterHandler(domainPattern: string, recordTypes: string[]): boolean {
const initialLength = this.handlers.length;
this.handlers = this.handlers.filter(handler =>
!(handler.domainPattern === domainPattern &&
recordTypes.every(type => handler.recordTypes.includes(type)))
);
return this.handlers.length < initialLength;
}
/**
* Retrieve SSL certificate for specified domains using Let's Encrypt
* @param domainNames Array of domain names to include in the certificate
* @param options Configuration options for Let's Encrypt
* @returns Object containing certificate, private key, and success status
*/
public async retrieveSslCertificate(
domainNames: string[],
options: LetsEncryptOptions = {}
): Promise<{ cert: string; key: string; success: boolean }> {
// Default options
const opts = {
email: options.email || 'admin@example.com',
staging: options.staging !== undefined ? options.staging : false,
certDir: options.certDir || './certs'
};
// Create certificate directory if it doesn't exist
if (!plugins.fs.existsSync(opts.certDir)) {
plugins.fs.mkdirSync(opts.certDir, { recursive: true });
}
// Filter domains this server is authoritative for
const authorizedDomains = this.filterAuthorizedDomains(domainNames);
if (authorizedDomains.length === 0) {
console.error('None of the provided domains are authorized for this DNS server');
return { cert: '', key: '', success: false };
}
console.log(`Retrieving SSL certificate for domains: ${authorizedDomains.join(', ')}`);
try {
// Allow for override in tests
// @ts-ignore - acmeClientOverride is added for testing purposes
const acmeClient = this.acmeClientOverride || await import('acme-client');
// Generate or load account key
const accountKeyPath = plugins.path.join(opts.certDir, 'account.key');
let accountKey: Buffer;
if (plugins.fs.existsSync(accountKeyPath)) {
accountKey = plugins.fs.readFileSync(accountKeyPath);
} else {
// Generate new account key
const { privateKey } = plugins.crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
});
accountKey = Buffer.from(privateKey);
plugins.fs.writeFileSync(accountKeyPath, accountKey);
}
// Initialize ACME client
const client = new acmeClient.Client({
directoryUrl: opts.staging
? acmeClient.directory.letsencrypt.staging
: acmeClient.directory.letsencrypt.production,
accountKey: accountKey
});
// Create or update account
await client.createAccount({
termsOfServiceAgreed: true,
contact: [`mailto:${opts.email}`]
});
// Create order for certificate
const order = await client.createOrder({
identifiers: authorizedDomains.map(domain => ({
type: 'dns',
value: domain
}))
});
// Get authorizations
const authorizations = await client.getAuthorizations(order);
// Track handlers to clean up later
const challengeHandlers: { domain: string; pattern: string }[] = [];
// Process each authorization
for (const auth of authorizations) {
const domain = auth.identifier.value;
// Get DNS challenge
const challenge = auth.challenges.find(c => c.type === 'dns-01');
if (!challenge) {
throw new Error(`No DNS-01 challenge found for ${domain}`);
}
// Get key authorization and DNS record value
const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
const recordValue = this.getDnsRecordValueForChallenge(keyAuthorization);
// Create challenge domain (where TXT record should be placed)
const challengeDomain = `_acme-challenge.${domain}`;
console.log(`Setting up TXT record for ${challengeDomain}: ${recordValue}`);
// Register handler for the TXT record
this.registerHandler(
challengeDomain,
['TXT'],
(question: dnsPacket.Question): DnsAnswer | null => {
if (question.name === challengeDomain && question.type === 'TXT') {
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 300,
data: [recordValue]
};
}
return null;
}
);
// Track the handler for cleanup
challengeHandlers.push({ domain, pattern: challengeDomain });
// Wait briefly for DNS propagation
await new Promise(resolve => setTimeout(resolve, 2000));
// Complete the challenge
await client.completeChallenge(challenge);
// Wait for verification
await client.waitForValidStatus(challenge);
console.log(`Challenge for ${domain} validated successfully!`);
}
// Generate certificate key
const domainKeyPath = plugins.path.join(opts.certDir, `${authorizedDomains[0]}.key`);
const { privateKey } = plugins.crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
});
plugins.fs.writeFileSync(domainKeyPath, privateKey);
// Create CSR
// Define an interface for the expected CSR result structure
interface CSRResult {
csr: Buffer;
}
// Use the forge.createCsr method and handle typing with a more direct approach
const csrResult = await acmeClient.forge.createCsr({
commonName: authorizedDomains[0],
altNames: authorizedDomains
}) as unknown as CSRResult;
// Finalize the order with the CSR
await client.finalizeOrder(order, csrResult.csr);
// Get certificate
const certificate = await client.getCertificate(order);
// Save certificate
const certPath = plugins.path.join(opts.certDir, `${authorizedDomains[0]}.cert`);
plugins.fs.writeFileSync(certPath, certificate);
// Update HTTPS server with new certificate
this.options.httpsCert = certificate;
this.options.httpsKey = privateKey;
// Restart HTTPS server with new certificate
await this.restartHttpsServer();
// Clean up challenge handlers
for (const handler of challengeHandlers) {
this.unregisterHandler(handler.pattern, ['TXT']);
console.log(`Cleaned up challenge handler for ${handler.domain}`);
}
return {
cert: certificate,
key: privateKey,
success: true
};
} catch (error) {
console.error('Error retrieving SSL certificate:', error);
return { cert: '', key: '', success: false };
}
}
/**
* Create DNS record value for the ACME challenge
*/
private getDnsRecordValueForChallenge(keyAuthorization: string): string {
// Create SHA-256 digest of the key authorization
const digest = plugins.crypto
.createHash('sha256')
.update(keyAuthorization)
.digest('base64')
.replace(/\+/g, '-')
.replace(/\//g, '_')
.replace(/=/g, '');
return digest;
}
/**
* Restart the HTTPS server with the new certificate
*/
private async restartHttpsServer(): Promise<void> {
return new Promise<void>((resolve, reject) => {
// First check if the server exists
if (!this.httpsServer) {
console.log('No HTTPS server to restart');
resolve();
return;
}
this.httpsServer.close(() => {
try {
// Validate certificate and key before trying to create the server
if (!this.options.httpsCert || !this.options.httpsKey) {
throw new Error('Missing certificate or key for HTTPS server');
}
// For testing, check if we have a mock certificate
if (this.options.httpsCert.includes('MOCK_CERTIFICATE')) {
console.log('Using mock certificate in test mode');
// In test mode with mock cert, we can use the original cert
// @ts-ignore - accessing acmeClientOverride for testing
if (this.acmeClientOverride) {
this.httpsServer = plugins.https.createServer(
{
key: this.options.httpsKey,
cert: this.options.httpsCert,
},
this.handleHttpsRequest.bind(this)
);
this.httpsServer.listen(this.options.httpsPort, () => {
console.log(`HTTPS DNS server restarted on port ${this.options.httpsPort} with test certificate`);
resolve();
});
return;
}
}
// Create the new server with the updated certificate
this.httpsServer = plugins.https.createServer(
{
key: this.options.httpsKey,
cert: this.options.httpsCert,
},
this.handleHttpsRequest.bind(this)
);
this.httpsServer.listen(this.options.httpsPort, () => {
console.log(`HTTPS DNS server restarted on port ${this.options.httpsPort} with new certificate`);
resolve();
});
} catch (err) {
console.error('Error creating HTTPS server with new certificate:', err);
reject(err);
}
});
});
}
/**
* Filter domains to include only those the server is authoritative for
*/
public filterAuthorizedDomains(domainNames: string[]): string[] {
const authorizedDomains: string[] = [];
for (const domain of domainNames) {
// Handle wildcards (*.example.com)
if (domain.startsWith('*.')) {
const baseDomain = domain.substring(2);
if (this.isAuthorizedForDomain(baseDomain)) {
authorizedDomains.push(domain);
}
}
// Regular domains
else if (this.isAuthorizedForDomain(domain)) {
authorizedDomains.push(domain);
}
}
return authorizedDomains;
}
/**
* Check if the server is authoritative for a domain
*/
private isAuthorizedForDomain(domain: string): boolean {
// Check if any handler matches this domain
for (const handler of this.handlers) {
if (plugins.minimatch.minimatch(domain, handler.domainPattern)) {
return true;
}
}
// Also check if the domain is the DNSSEC zone itself
if (domain === this.options.dnssecZone || domain.endsWith(`.${this.options.dnssecZone}`)) {
return true;
}
return false;
}
public processDnsRequest(request: dnsPacket.Packet): dnsPacket.Packet {
const response: dnsPacket.Packet = {
type: 'response',
id: request.id,
@ -268,6 +595,19 @@ export class DnsServer {
const num = parseInt(segment, 16);
return [num >> 8, num & 0xff];
}));
case 'TXT':
// Handle TXT records for ACME challenges
if (Array.isArray(data)) {
// Combine all strings and encode as lengths and values
const buffers = data.map(str => {
const strBuf = Buffer.from(str);
const lenBuf = Buffer.alloc(1);
lenBuf.writeUInt8(strBuf.length, 0);
return Buffer.concat([lenBuf, strBuf]);
});
return Buffer.concat(buffers);
}
return Buffer.alloc(0);
case 'DNSKEY':
const dnskeyData: DNSKEYData = data;
return Buffer.concat([
@ -387,19 +727,32 @@ export class DnsServer {
public async stop(): Promise<void> {
const doneUdp = plugins.smartpromise.defer<void>();
const doneHttps = plugins.smartpromise.defer<void>();
this.udpServer.close(() => {
console.log('UDP DNS server stopped');
this.udpServer.unref();
this.udpServer = null;
if (this.udpServer) {
this.udpServer.close(() => {
console.log('UDP DNS server stopped');
if (this.udpServer) {
this.udpServer.unref();
this.udpServer = null;
}
doneUdp.resolve();
});
} else {
doneUdp.resolve();
});
}
this.httpsServer.close(() => {
console.log('HTTPS DNS server stopped');
this.httpsServer.unref();
this.httpsServer = null;
if (this.httpsServer) {
this.httpsServer.close(() => {
console.log('HTTPS DNS server stopped');
if (this.httpsServer) {
this.httpsServer.unref();
this.httpsServer = null;
}
doneHttps.resolve();
});
} else {
doneHttps.resolve();
});
}
await Promise.all([doneUdp.promise, doneHttps.promise]);
}

4
ts_server/plugins.ts
View File

@ -1,9 +1,10 @@
// node native
import crypto from 'crypto';
import dgram from 'dgram';
import fs from 'fs';
import http from 'http';
import https from 'https';
import dgram from 'dgram';
import * as path from 'path';
export {
crypto,
@ -11,6 +12,7 @@ export {
http,
https,
dgram,
path,
}
// @push.rocks scope