push.rocks/smartdns
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: push.rocks:v7.2.0
Branches Tags
push.rocks:main
push.rocks:v7.9.0 push.rocks:v7.8.1 push.rocks:v7.8.0 push.rocks:v7.7.1 push.rocks:v7.7.0 push.rocks:v7.6.1 push.rocks:v7.6.0 push.rocks:v7.5.1 push.rocks:v7.5.0 push.rocks:v7.4.7 push.rocks:v7.4.6 push.rocks:v7.4.5 push.rocks:v7.4.4 push.rocks:v7.4.3 push.rocks:v7.4.2 push.rocks:v7.4.1 push.rocks:v7.4.0 push.rocks:v7.3.0 push.rocks:v7.2.0 push.rocks:v7.1.0 push.rocks:v7.0.2 push.rocks:v7.0.1 push.rocks:v7.0.0 push.rocks:v6.2.2 push.rocks:v6.2.1 push.rocks:v6.2.0 push.rocks:v6.1.1 push.rocks:v6.1.0 push.rocks:v6.0.0 push.rocks:v5.0.4 push.rocks:v5.0.3 push.rocks:v5.0.2 push.rocks:v5.0.1 push.rocks:v5.0.0 push.rocks:v4.0.11 push.rocks:v4.0.10 push.rocks:v4.0.9 push.rocks:v4.0.8 push.rocks:v4.0.7 push.rocks:v4.0.6 push.rocks:v4.0.5 push.rocks:v4.0.4 push.rocks:v4.0.3 push.rocks:v4.0.2 push.rocks:v4.0.1 push.rocks:v4.0.0 push.rocks:v3.0.8 push.rocks:v3.0.7 push.rocks:v3.0.6 push.rocks:v3.0.5 push.rocks:v3.0.4 push.rocks:v3.0.3 push.rocks:v3.0.2 push.rocks:v3.0.1 push.rocks:v3.0.0 push.rocks:v2.0.10 push.rocks:v2.0.9 push.rocks:v2.0.8 push.rocks:v2.0.7 push.rocks:v2.0.6 push.rocks:v2.0.5 push.rocks:v2.0.4 push.rocks:v2.0.3 push.rocks:v2.0.2 push.rocks:v2.0.1 push.rocks:v2.0.0 push.rocks:v1.0.7 push.rocks:v1.0.6 push.rocks:v1.0.5 push.rocks:v1.0.4 push.rocks:v1.0.3 push.rocks:v1.0.2 push.rocks:v1.0.1
..
compare: push.rocks:v7.7.1
Branches Tags
push.rocks:main
push.rocks:v7.9.0 push.rocks:v7.8.1 push.rocks:v7.8.0 push.rocks:v7.7.1 push.rocks:v7.7.0 push.rocks:v7.6.1 push.rocks:v7.6.0 push.rocks:v7.5.1 push.rocks:v7.5.0 push.rocks:v7.4.7 push.rocks:v7.4.6 push.rocks:v7.4.5 push.rocks:v7.4.4 push.rocks:v7.4.3 push.rocks:v7.4.2 push.rocks:v7.4.1 push.rocks:v7.4.0 push.rocks:v7.3.0 push.rocks:v7.2.0 push.rocks:v7.1.0 push.rocks:v7.0.2 push.rocks:v7.0.1 push.rocks:v7.0.0 push.rocks:v6.2.2 push.rocks:v6.2.1 push.rocks:v6.2.0 push.rocks:v6.1.1 push.rocks:v6.1.0 push.rocks:v6.0.0 push.rocks:v5.0.4 push.rocks:v5.0.3 push.rocks:v5.0.2 push.rocks:v5.0.1 push.rocks:v5.0.0 push.rocks:v4.0.11 push.rocks:v4.0.10 push.rocks:v4.0.9 push.rocks:v4.0.8 push.rocks:v4.0.7 push.rocks:v4.0.6 push.rocks:v4.0.5 push.rocks:v4.0.4 push.rocks:v4.0.3 push.rocks:v4.0.2 push.rocks:v4.0.1 push.rocks:v4.0.0 push.rocks:v3.0.8 push.rocks:v3.0.7 push.rocks:v3.0.6 push.rocks:v3.0.5 push.rocks:v3.0.4 push.rocks:v3.0.3 push.rocks:v3.0.2 push.rocks:v3.0.1 push.rocks:v3.0.0 push.rocks:v2.0.10 push.rocks:v2.0.9 push.rocks:v2.0.8 push.rocks:v2.0.7 push.rocks:v2.0.6 push.rocks:v2.0.5 push.rocks:v2.0.4 push.rocks:v2.0.3 push.rocks:v2.0.2 push.rocks:v2.0.1 push.rocks:v2.0.0 push.rocks:v1.0.7 push.rocks:v1.0.6 push.rocks:v1.0.5 push.rocks:v1.0.4 push.rocks:v1.0.3 push.rocks:v1.0.2 push.rocks:v1.0.1

27 Commits
v7.2.0 ... v7.7.1

Author SHA1 Message Date
Juergen Kunz
9d4db39741 v7.7.1 2026-02-11 11:46:16 +00:00
Juergen Kunz
32d7508dce fix(tests): prune flaky SOA integration and performance tests that rely on external tools and long-running signing/serialization checks 2026-02-11 11:46:16 +00:00
Juergen Kunz
ce7c11d084 v7.7.0 2026-02-11 11:24:10 +00:00
Juergen Kunz
60371e1ad5 feat(rust): add Rust-based DNS server backend with IPC management and TypeScript bridge 2026-02-11 11:24:10 +00:00
Juergen Kunz
abbb971d6a 7.6.1 2025-09-12 17:38:43 +00:00
Juergen Kunz
911a20c86d fix(classes.dnsclient): Remove redundant DOH response parsing in getRecords to avoid duplicate processing and clean up client code 2025-09-12 17:38:43 +00:00
Juergen Kunz
1b9eefd70f 7.6.0 2025-09-12 17:32:03 +00:00
Juergen Kunz
f29962a6dc feat(dnsserver): Return multiple matching records, improve DNSSEC RRset signing, add client resolution strategy and localhost handling, update tests 2025-09-12 17:32:03 +00:00
Juergen Kunz
afd1c18496 7.5.1 2025-09-12 15:38:16 +00:00
Juergen Kunz
0ea622aa8d fix(dependencies): Bump dependency versions and add pnpm workspace onlyBuiltDependencies 2025-09-12 15:38:16 +00:00
Philipp Kunz
56a33dd7ae 7.5.0 2025-06-01 20:53:22 +00:00
Philipp Kunz
9e5fae055f feat(dnssec): Add MX record DNSSEC support for proper serialization and authentication of mail exchange records 2025-06-01 20:53:22 +00:00
Philipp Kunz
afdd6a6074 7.4.7 2025-05-30 19:49:34 +00:00
Philipp Kunz
3d06131e04 fix(dnsserver): Update documentation to clarify the primaryNameserver option and SOA record behavior in the DNS server. The changes detail how the primaryNameserver configuration customizes the SOA mname, ensures proper DNSSEC signing for RRsets, and updates the configuration interface examples. 2025-05-30 19:49:34 +00:00
Philipp Kunz
1811ebd4d4 7.4.6 2025-05-30 19:28:54 +00:00
Philipp Kunz
e7ace9b596 7.4.5 2025-05-30 19:28:22 +00:00
Philipp Kunz
f6175d1f2b 7.4.4 
fix(dnsserver): Fix SOA record timeout issue by correcting RRSIG field formatting

- Fixed RRSIG generation by using correct field name 'signersName' (not 'signerName')
- Fixed label count calculation in RRSIG by filtering empty strings
- Added SOA records to DNSSEC signing map for proper RRSIG generation
- Added error logging and fallback values for RRSIG generation robustness
- Updated test expectations to match corrected DNSSEC RRset signing behavior
- Added comprehensive SOA test coverage including timeout, debug, and simple test scenarios
 2025-05-30 19:27:37 +00:00
Philipp Kunz
d67fbc87e2 7.4.3 2025-05-30 18:27:28 +00:00
Philipp Kunz
b87cbbee5c feat(dnsserver): Enhance DNSSEC RRset signing and add configurable primary nameserver 
- Fix DNSSEC to properly sign entire RRsets together instead of individual records
- Implement proper SOA record serialization according to RFC 1035
- Add primaryNameserver option to IDnsServerOptions for customizable SOA mname field
- Add comprehensive tests for DNSSEC RRset signing and SOA record handling
- Update documentation with v7.4.3 improvements

Co-Authored-By: User <user@example.com>
 2025-05-30 18:20:55 +00:00
Philipp Kunz
4e37bc9bc0 7.4.2 2025-05-30 17:09:02 +00:00
Philipp Kunz
2b97dffb47 fix(dnsserver): Enable multiple DNS record support by removing the premature break in processDnsRequest. Now the DNS server aggregates answers from all matching handlers for NS, A, and TXT records, and improves NS record serialization for DNSSEC. 2025-05-30 17:09:02 +00:00
Philipp Kunz
e7cb0921fc 7.4.1 2025-05-28 19:55:01 +00:00
Philipp Kunz
0f8953fc1d fix(test/server): Fix force cleanup in DNS server tests by casting server properties before closing sockets 2025-05-28 19:55:01 +00:00
Philipp Kunz
1185ea67d4 7.4.0 2025-05-28 19:26:52 +00:00
Philipp Kunz
b187da507b feat(manual socket handling): Add comprehensive manual socket handling documentation for advanced DNS server use cases 2025-05-28 19:26:52 +00:00
Philipp Kunz
3094c9d06c 7.3.0 2025-05-28 19:16:54 +00:00
Philipp Kunz
62b6fa26fa feat(dnsserver): Add manual socket mode support to enable external socket control for the DNS server. 2025-05-28 19:16:54 +00:00
51 changed files with 10208 additions and 3370 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -17,4 +17,5 @@ node_modules/
dist/
dist_*/
# custom
# custom
rust/target

103
changelog.md
View File

@@ -1,5 +1,108 @@
# Changelog
## 2026-02-11 - 7.7.1 - fix(tests)
prune flaky SOA integration and performance tests that rely on external tools and long-running signing/serialization checks
- Removed 'Test raw SOA serialization' from test/test.soa.debug.ts
- Removed dig-based 'Test SOA timeout with real dig command' from test/test.soa.timeout.ts
- Removed 'Check DNSSEC signing performance for SOA' and related serialization/signing performance checks
- Removed unused imports (plugins, execSync) and testPort constant; minor whitespace/cleanup in stopServer
## 2026-02-11 - 7.7.0 - feat(rust)
add Rust-based DNS server backend with IPC management and TypeScript bridge
- Adds a new rust/ workspace with crates: rustdns, rustdns-protocol, rustdns-server, rustdns-dnssec (DNS packet parsing/encoding, UDP/HTTPS servers, DNSSEC signing).
- Implements an IPC management loop and command/event protocol (stdin/stdout) for communication between Rust and TypeScript (ipc_types, management).
- Introduces DnsResolver and DNSSEC key/signing logic in Rust (keys, signing, keytag), plus UDP and DoH HTTPS server implementations.
- Adds a TypeScript Rust bridge (ts_server/classes.rustdnsbridge.ts) using @push.rocks/smartrust to spawn and talk to the Rust binary; exposes spawn/start/stop/processPacket/ping APIs.
- Removes JS-based DNSSEC implementation and updates ts_server plugins to use smartrust; adds tsrust integration and tsrust devDependency and build step in package.json.
- Documentation and tooling: README updated with Rust backend architecture, .gitignore updated for rust/target, Cargo config for cross-compile linker added.
## 2025-09-12 - 7.6.1 - fix(classes.dnsclient)
Remove redundant DOH response parsing in getRecords to avoid duplicate processing and clean up client code
- Removed a duplicated/extra iteration that parsed DNS-over-HTTPS (DoH) answers in ts_client/classes.dnsclient.ts.
- Prevents double-processing or incorrect return behavior from Smartdns.getRecords when using DoH providers.
- Changes affect the Smartdns client implementation (ts_client/classes.dnsclient.ts).
## 2025-09-12 - 7.6.0 - feat(dnsserver)
Return multiple matching records, improve DNSSEC RRset signing, add client resolution strategy and localhost handling, update tests
- Server: process all matching handlers for a question so multiple records (NS, A, TXT, etc.) are returned instead of stopping after the first match
- DNSSEC: sign entire RRsets together (single RRSIG per RRset) and ensure DNSKEY/DS generation and key-tag computation are handled correctly
- Server: built-in localhost handling (RFC 6761) with an enableLocalhostHandling option and synthetic answers for localhost/127.0.0.1 reverse lookups
- Server: improved SOA generation (primary nameserver handling), name serialization (trim trailing dot), and safer start/stop behavior
- Client: added resolution strategy options (doh | system | prefer-system), allowDohFallback and per-query timeout support; improved DoH and system lookup handling (proper TXT quoting and name trimming)
- Tests: updated expectations and test descriptions to reflect correct multi-record behavior and other fixes
## 2025-09-12 - 7.5.1 - fix(dependencies)
Bump dependency versions and add pnpm workspace onlyBuiltDependencies
- Bumped @push.rocks/smartenv from ^5.0.5 to ^5.0.13
- Bumped @git.zone/tsbuild from ^2.6.4 to ^2.6.8
- Bumped @git.zone/tstest from ^2.3.1 to ^2.3.7
- Added pnpm-workspace.yaml with onlyBuiltDependencies: [esbuild, mongodb-memory-server, puppeteer]
## 2025-06-01 - 7.5.0 - feat(dnssec)
Add MX record DNSSEC support for proper serialization and authentication of mail exchange records
- Serialize MX records by combining a 16-bit preference with the exchange domain name
- Enable DNSSEC signature generation for MX records to authenticate mail exchange data
- Update documentation to include the new MX record DNSSEC support in version v7.4.8
## 2025-05-30 - 7.4.7 - fix(dnsserver)
Update documentation to clarify the primaryNameserver option and SOA record behavior in the DNS server. The changes detail how the primaryNameserver configuration customizes the SOA mname, ensures proper DNSSEC signing for RRsets, and updates the configuration interface examples.
- Documented the primaryNameserver option in IDnsServerOptions with default behavior (ns1.{dnssecZone})
- Clarified SOA record generation including mname, rname, serial, and TTL fields
- Updated readme examples to demonstrate binding interfaces and proper DNS server configuration
## 2025-05-30 - 7.4.6 - docs(readme)
Document the primaryNameserver option and SOA record behavior in the DNS server documentation.
- Added comprehensive documentation for the primaryNameserver option in IDnsServerOptions
- Explained SOA record automatic generation and the role of the primary nameserver
- Clarified that only one nameserver is designated as primary in SOA records
- Updated the configuration options interface documentation with all available options
## 2025-05-30 - 7.4.3 - fix(dnsserver)
Fix DNSSEC RRset signing, SOA record timeout issues, and add configurable primary nameserver support.
- Fixed DNSSEC to sign entire RRsets together instead of individual records (one RRSIG per record type)
- Fixed SOA record serialization by implementing proper wire format encoding in serializeRData method
- Fixed RRSIG generation by using correct field names (signersName) and types (string typeCovered)
- Added configurable primary nameserver via primaryNameserver option in IDnsServerOptions
- Enhanced test coverage with comprehensive SOA and DNSSEC test scenarios
## 2025-05-30 - 7.4.2 - fix(dnsserver)
Enable multiple DNS record support by removing the premature break in processDnsRequest. Now the DNS server aggregates answers from all matching handlers for NS, A, and TXT records, and improves NS record serialization for DNSSEC.
- Removed the break statement in processDnsRequest to allow all matching handlers to contribute responses.
- Updated NS record serialization to properly handle domain names in DNSSEC context.
- Enhanced tests for round-robin A records and multiple TXT records scenarios.
## 2025-05-28 - 7.4.1 - fix(test/server)
Fix force cleanup in DNS server tests by casting server properties before closing sockets
- Cast server to any to safely invoke close() on httpsServer and udpServer in test cleanup
- Ensures proper emergency cleanup of server sockets without direct access to private properties
## 2025-05-28 - 7.4.0 - feat(manual socket handling)
Add comprehensive manual socket handling documentation for advanced DNS server use cases
- Introduced detailed examples for configuring manual UDP and HTTPS socket handling
- Provided sample code for load balancing, clustering, custom transport protocols, and multi-interface binding
- Updated performance and best practices sections to reflect manual socket handling benefits
## 2025-05-28 - 7.3.0 - feat(dnsserver)
Add manual socket mode support to enable external socket control for the DNS server.
- Introduced new manualUdpMode and manualHttpsMode options in the server options interface.
- Added initializeServers, initializeUdpServer, and initializeHttpsServer methods for manual socket initialization.
- Updated start() and stop() methods to handle both automatic and manual socket binding modes.
- Enhanced UDP and HTTPS socket error handling and IP address validations.
- Removed obsolete internal documentation file (readme.plan2.md).
## 2025-05-28 - 7.2.0 - feat(dns-server)
Improve DNS server interface binding by adding explicit IP validation, configurable UDP/HTTPS binding, and enhanced logging.

6
npmextra.json
View File

@@ -34,6 +34,12 @@
"npmAccessLevel": "public",
"npmRegistryUrl": "registry.npmjs.org"
},
"@git.zone/tsrust": {
"targets": [
"linux_amd64",
"linux_arm64"
]
},
"tsdoc": {
"legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
}

14
package.json
View File

@@ -1,6 +1,6 @@
{
"name": "@push.rocks/smartdns",
"version": "7.2.0",
"version": "7.7.1",
"private": false,
"description": "A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.",
"exports": {
@@ -10,7 +10,7 @@
},
"scripts": {
"test": "(tstest test/ --verbose --timeout 60)",
"build": "(tsbuild tsfolders --web --allowimplicitany)",
"build": "(tsbuild tsfolders --web --allowimplicitany) && (tsrust)",
"buildDocs": "tsdoc"
},
"repository": {
@@ -44,21 +44,21 @@
"homepage": "https://code.foss.global/push.rocks/smartdns",
"dependencies": {
"@push.rocks/smartdelay": "^3.0.1",
"@push.rocks/smartenv": "^5.0.5",
"@push.rocks/smartenv": "^5.0.13",
"@push.rocks/smartpromise": "^4.2.3",
"@push.rocks/smartrequest": "^2.1.0",
"@push.rocks/smartrust": "^1.2.0",
"@tsclass/tsclass": "^9.2.0",
"@types/dns-packet": "^5.6.5",
"@types/elliptic": "^6.4.18",
"acme-client": "^5.4.0",
"dns-packet": "^5.6.1",
"elliptic": "^6.6.1",
"minimatch": "^10.0.1"
},
"devDependencies": {
"@git.zone/tsbuild": "^2.6.4",
"@git.zone/tsbuild": "^2.6.8",
"@git.zone/tsrun": "^1.3.3",
"@git.zone/tstest": "^2.3.1",
"@git.zone/tsrust": "^1.3.0",
"@git.zone/tstest": "^2.3.7",
"@types/node": "^22.15.21"
},
"files": [

4796
pnpm-lock.yaml generated
View File

File diff suppressed because it is too large Load Diff

4
pnpm-workspace.yaml Normal file
View File

@@ -0,0 +1,4 @@
onlyBuiltDependencies:
- esbuild
- mongodb-memory-server
- puppeteer

56
readme.hints.md
View File

@@ -5,8 +5,35 @@
The smartdns library is structured into three main modules:
1. **Client Module** (`ts_client/`) - DNS client functionality
2. **Server Module** (`ts_server/`) - DNS server implementation
2. **Server Module** (`ts_server/`) - DNS server with Rust backend
3. **Main Module** (`ts/`) - Re-exports both client and server
4. **Rust Module** (`rust/`) - High-performance DNS server binary
## Rust Backend Architecture (v8.0+)
The DNS server's network I/O, packet parsing/encoding, and DNSSEC signing run in Rust.
TypeScript retains handler registration, ACME orchestration, and the public API.
### Rust Crate Structure
- `rustdns` - Main binary with IPC management loop (`--management` flag)
- `rustdns-protocol` - DNS wire format parsing/encoding, record types
- `rustdns-server` - Async UDP + HTTPS DoH servers (tokio, hyper, rustls)
- `rustdns-dnssec` - ECDSA P-256 / ED25519 key generation and RRset signing
### IPC Flow
```
DNS Query -> Rust (UDP/HTTPS) -> Parse packet
-> Try local resolution (localhost, DNSKEY)
-> If handler needed: emit "dnsQuery" event to TypeScript
-> TypeScript runs minimatch handlers, sends "dnsQueryResult" back
-> Rust builds response, signs DNSSEC if requested, sends packet
```
### Key Files
- `ts_server/classes.rustdnsbridge.ts` - TypeScript IPC bridge wrapping smartrust.RustBridge
- `ts_server/classes.dnsserver.ts` - DnsServer class (public API, delegates to Rust bridge)
- `rust/crates/rustdns/src/management.rs` - IPC management loop
- `rust/crates/rustdns/src/resolver.rs` - DNS resolver with callback support
## Client Module (Smartdns class)
@@ -54,9 +81,17 @@ The smartdns library is structured into three main modules:
### Handler System:
- Pattern-based domain matching using minimatch
- Support for all common record types
- **Multiple Handler Support**: As of v7.4.2+, multiple handlers can contribute records of the same type
- Handler chaining for complex scenarios
- Automatic SOA response for unhandled queries
### Multiple Records Support (v7.4.2+):
- Server now processes ALL matching handlers for a query (previously stopped after first match)
- Enables proper multi-NS record support for domain registration
- Supports round-robin DNS with multiple A/AAAA records
- Allows multiple TXT records (SPF, DKIM, domain verification)
- Each handler contributes its record to the response
## Key Dependencies
- `dns-packet`: DNS packet encoding/decoding (wire format)
@@ -94,4 +129,21 @@ The test suite demonstrates:
- DNSSEC provides authentication but not encryption
- DoH (DNS-over-HTTPS) provides both privacy and integrity
- Let's Encrypt integration requires proper domain authorization
- Handler patterns should be carefully designed to avoid open resolvers
- Handler patterns should be carefully designed to avoid open resolvers
## Recent Improvements (v7.4.3)
1. **DNSSEC RRset Signing**: Fixed to properly sign entire RRsets together instead of individual records
2. **SOA Record Serialization**: Implemented proper SOA record encoding for DNSSEC compatibility
3. **Configurable Primary Nameserver**: Added `primaryNameserver` option to customize SOA mname field
## Recent Improvements (v7.4.8)
1. **MX Record DNSSEC Support**: Implemented MX record serialization for DNSSEC signing
- MX records consist of a 16-bit preference value followed by the exchange domain name
- Properly serializes both components for DNSSEC signature generation
- Enables mail exchange records to be authenticated with DNSSEC
## Known Limitations
1. **Handler Deduplication**: If the same handler is registered multiple times, it will contribute duplicate records (this may be desired behavior for some use cases)

252
readme.md
View File

@@ -198,7 +198,8 @@ const secureServer = new DnsServer({
httpsCert: 'path/to/cert.pem',
dnssecZone: 'example.com',
udpBindInterface: '127.0.0.1', // Bind UDP to localhost only
httpsBindInterface: '127.0.0.1' // Bind HTTPS to localhost only
httpsBindInterface: '127.0.0.1', // Bind HTTPS to localhost only
primaryNameserver: 'ns1.example.com' // Optional: primary nameserver for SOA records (defaults to ns1.{dnssecZone})
});
// Register a handler for all subdomains of example.com
@@ -224,6 +225,35 @@ await dnsServer.start();
console.log('DNS Server started!');
```
### SOA Records and Primary Nameserver
The DNS server automatically generates SOA (Start of Authority) records for zones when no specific handler matches a query. The SOA record contains important zone metadata including the primary nameserver.
```typescript
const dnsServer = new DnsServer({
udpPort: 53,
httpsPort: 443,
httpsKey: 'path/to/key.pem',
httpsCert: 'path/to/cert.pem',
dnssecZone: 'example.com',
primaryNameserver: 'ns1.example.com' // Specify your actual primary nameserver
});
// Without primaryNameserver, the SOA mname defaults to 'ns1.{dnssecZone}'
// In this case, it would be 'ns1.example.com'
// The automatic SOA record includes:
// - mname: Primary nameserver (from primaryNameserver option)
// - rname: Responsible person email (hostmaster.{dnssecZone})
// - serial: Unix timestamp
// - refresh: 3600 (1 hour)
// - retry: 600 (10 minutes)
// - expire: 604800 (7 days)
// - minimum: 86400 (1 day)
```
**Important**: Even if you have multiple nameservers (NS records), only one is designated as the primary in the SOA record. All authoritative nameservers should return the same SOA record.
### DNSSEC Support
The DNS server includes comprehensive DNSSEC support with automatic key generation and record signing:
@@ -306,6 +336,222 @@ await dnsServer.start();
console.log('DNS Server with Let\'s Encrypt SSL started!');
```
### Manual Socket Handling
The DNS server supports manual socket handling for advanced use cases like clustering, load balancing, and custom transport implementations. You can control UDP and HTTPS socket handling independently.
#### Configuration Options
```typescript
export interface IDnsServerOptions {
httpsKey: string; // Path or content of HTTPS private key
httpsCert: string; // Path or content of HTTPS certificate
httpsPort: number; // Port for DNS-over-HTTPS
udpPort: number; // Port for standard UDP DNS
dnssecZone: string; // Zone name for DNSSEC signing
udpBindInterface?: string; // IP address to bind UDP socket (default: '0.0.0.0')
httpsBindInterface?: string; // IP address to bind HTTPS server (default: '0.0.0.0')
manualUdpMode?: boolean; // Handle UDP sockets manually
manualHttpsMode?: boolean; // Handle HTTPS sockets manually
primaryNameserver?: string; // Primary nameserver for SOA records (default: 'ns1.{dnssecZone}')
}
```
#### Basic Manual Socket Usage
```typescript
import { DnsServer } from '@push.rocks/smartdns/server';
import * as dgram from 'dgram';
import * as net from 'net';
// Create server with manual UDP mode
const dnsServer = new DnsServer({
httpsKey: '...',
httpsCert: '...',
httpsPort: 853,
udpPort: 53,
dnssecZone: 'example.com',
manualUdpMode: true // UDP manual, HTTPS automatic
});
await dnsServer.start(); // HTTPS binds, UDP doesn't
// Create your own UDP socket
const udpSocket = dgram.createSocket('udp4');
// Handle incoming UDP messages
udpSocket.on('message', (msg, rinfo) => {
dnsServer.handleUdpMessage(msg, rinfo, (response, responseRinfo) => {
// Send response using your socket
udpSocket.send(response, responseRinfo.port, responseRinfo.address);
});
});
// Bind to custom port or multiple interfaces
udpSocket.bind(5353, '0.0.0.0');
```
#### Manual HTTPS Socket Handling
```typescript
// Create server with manual HTTPS mode
const dnsServer = new DnsServer({
httpsKey: '...',
httpsCert: '...',
httpsPort: 853,
udpPort: 53,
dnssecZone: 'example.com',
manualHttpsMode: true // HTTPS manual, UDP automatic
});
await dnsServer.start(); // UDP binds, HTTPS doesn't
// Create your own TCP server
const tcpServer = net.createServer((socket) => {
// Pass TCP sockets to DNS server
dnsServer.handleHttpsSocket(socket);
});
tcpServer.listen(8853, '0.0.0.0');
```
#### Full Manual Mode
Control both protocols manually for complete flexibility:
```typescript
const dnsServer = new DnsServer({
httpsKey: '...',
httpsCert: '...',
httpsPort: 853,
udpPort: 53,
dnssecZone: 'example.com',
manualUdpMode: true,
manualHttpsMode: true
});
await dnsServer.start(); // Neither protocol binds
// Set up your own socket handling for both protocols
// Perfect for custom routing, load balancing, or clustering
```
#### Advanced Use Cases
##### Load Balancing Across Multiple UDP Sockets
```typescript
// Create multiple UDP sockets for different CPU cores
const sockets = [];
const numCPUs = require('os').cpus().length;
for (let i = 0; i < numCPUs; i++) {
const socket = dgram.createSocket({
type: 'udp4',
reuseAddr: true // Allow multiple sockets on same port
});
socket.on('message', (msg, rinfo) => {
dnsServer.handleUdpMessage(msg, rinfo, (response, rinfo) => {
socket.send(response, rinfo.port, rinfo.address);
});
});
socket.bind(53);
sockets.push(socket);
}
```
##### Clustering with Worker Processes
```typescript
import cluster from 'cluster';
import { DnsServer } from '@push.rocks/smartdns/server';
if (cluster.isPrimary) {
// Master process accepts connections
const server = net.createServer({ pauseOnConnect: true });
// Distribute connections to workers
server.on('connection', (socket) => {
const worker = getNextWorker(); // Round-robin or custom logic
worker.send('socket', socket);
});
server.listen(853);
} else {
// Worker process handles DNS
const dnsServer = new DnsServer({
httpsKey: '...',
httpsCert: '...',
httpsPort: 853,
udpPort: 53,
dnssecZone: 'example.com',
manualHttpsMode: true
});
process.on('message', (msg, socket) => {
if (msg === 'socket') {
dnsServer.handleHttpsSocket(socket);
}
});
await dnsServer.start();
}
```
##### Custom Transport Protocol
```typescript
// Use DNS server with custom transport (e.g., WebSocket)
import WebSocket from 'ws';
const wss = new WebSocket.Server({ port: 8080 });
const dnsServer = new DnsServer({
httpsKey: '...',
httpsCert: '...',
httpsPort: 853,
udpPort: 53,
dnssecZone: 'example.com',
manualUdpMode: true,
manualHttpsMode: true
});
await dnsServer.start();
wss.on('connection', (ws) => {
ws.on('message', (data) => {
// Process DNS query from WebSocket
const response = dnsServer.processRawDnsPacket(Buffer.from(data));
ws.send(response);
});
});
```
##### Multi-Interface Binding
```typescript
// Bind to multiple network interfaces manually
const interfaces = [
{ address: '192.168.1.100', type: 'udp4' },
{ address: '10.0.0.50', type: 'udp4' },
{ address: '::1', type: 'udp6' }
];
interfaces.forEach(({ address, type }) => {
const socket = dgram.createSocket(type);
socket.on('message', (msg, rinfo) => {
console.log(`Query received on ${address}`);
dnsServer.handleUdpMessage(msg, rinfo, (response, rinfo) => {
socket.send(response, rinfo.port, rinfo.address);
});
});
socket.bind(53, address);
});
```
### Handling Different Protocols
#### UDP DNS Server
@@ -573,6 +819,7 @@ await tap.start();
5. **Monitoring**: Log DNS queries for debugging and analytics
6. **Rate Limiting**: Implement rate limiting for public DNS servers
7. **Caching**: Respect TTL values and implement proper caching
8. **Manual Sockets**: Use manual socket handling for clustering and load balancing
### Performance Considerations
@@ -580,6 +827,7 @@ await tap.start();
- The DNS server handles concurrent UDP and HTTPS requests efficiently
- DNSSEC signatures are generated on-demand to reduce memory usage
- Pattern matching uses caching for improved performance
- Manual socket handling enables horizontal scaling across CPU cores
### Security Considerations
@@ -589,6 +837,8 @@ await tap.start();
- Implement access controls for DNS server handlers
- Use Let's Encrypt for automatic SSL certificate management
- Never expose internal network information through DNS
- Bind to specific interfaces in production environments
- Use manual socket handling for custom security layers
This comprehensive library provides everything needed for both DNS client operations and running production-grade DNS servers with modern security features in TypeScript.

103
readme.plan.md
View File

@@ -1,103 +0,0 @@
# DNS Server Interface Binding Implementation Plan
Command to reread CLAUDE.md: `cat /home/philkunz/.claude/CLAUDE.md`
## Overview ✅ COMPLETED
Enable specific interface binding for the DNSServer class to allow binding to specific network interfaces instead of all interfaces (0.0.0.0).
## Implementation Status: COMPLETED ✅
### What was implemented:
**1. Updated IDnsServerOptions Interface**
- Added optional `udpBindInterface?: string` property (defaults to '0.0.0.0')
- Added optional `httpsBindInterface?: string` property (defaults to '0.0.0.0')
- Located in `ts_server/classes.dnsserver.ts:5-11`
**2. Modified DnsServer.start() Method**
- Updated UDP server binding to use `this.options.udpBindInterface || '0.0.0.0'`
- Updated HTTPS server listening to use `this.options.httpsBindInterface || '0.0.0.0'`
- Added IP address validation before binding
- Updated console logging to show specific interface being bound
- Located in `ts_server/classes.dnsserver.ts:699-752`
**3. Added IP Address Validation**
- Created `isValidIpAddress()` method supporting IPv4 and IPv6
- Validates interface addresses before binding
- Throws meaningful error messages for invalid addresses
- Located in `ts_server/classes.dnsserver.ts:392-398`
**4. Updated Documentation**
- Added dedicated "Interface Binding" section to readme.md
- Included examples for localhost-only binding (`127.0.0.1`, `::1`)
- Documented security considerations and use cases
- Added examples for specific interface binding
**5. Added Comprehensive Tests**
- **localhost binding test**: Verifies binding to `127.0.0.1` instead of `0.0.0.0`
- **Invalid IP validation test**: Ensures invalid IP addresses are rejected
- **IPv6 support test**: Tests `::1` binding (with graceful fallback if IPv6 unavailable)
- **Backwards compatibility**: Existing tests continue to work with default behavior
- Located in `test/test.server.ts`
**6. Updated restartHttpsServer Method**
- Modified to respect interface binding options during certificate updates
- Ensures Let's Encrypt certificate renewal maintains interface binding
## ✅ Implementation Results
### Test Results
All interface binding functionality has been successfully tested:
```bash
✅ should bind to localhost interface only (318ms)
- UDP DNS server running on 127.0.0.1:8085
- HTTPS DNS server running on 127.0.0.1:8084
✅ should reject invalid IP addresses (151ms)
- Validates IP address format correctly
- Throws meaningful error messages
✅ should work with IPv6 localhost if available
- Gracefully handles IPv6 unavailability in containerized environments
```
### Benefits Achieved
- ✅ Enhanced security by allowing localhost-only binding
- ✅ Support for multi-homed servers with specific interface requirements
- ✅ Better isolation in containerized environments
- ✅ Backwards compatible (defaults to current behavior)
- ✅ IP address validation with clear error messages
- ✅ IPv4 and IPv6 support
## Example Usage (Now Available)
```typescript
// Bind to localhost only
const dnsServer = new DnsServer({
httpsKey: cert.key,
httpsCert: cert.cert,
httpsPort: 443,
udpPort: 53,
dnssecZone: 'example.com',
udpBindInterface: '127.0.0.1',
httpsBindInterface: '127.0.0.1'
});
// Bind to specific interface
const dnsServer = new DnsServer({
// ... other options
udpBindInterface: '192.168.1.100',
httpsBindInterface: '192.168.1.100'
});
```
## Files to Modify
1. `ts_server/classes.dnsserver.ts` - Interface and implementation
2. `readme.md` - Documentation updates
3. `test/test.server.ts` - Add interface binding tests
## Testing Strategy
- Unit tests for interface validation
- Integration tests for binding behavior
- Error handling tests for invalid interfaces
- Backwards compatibility tests

211
readme.plan2.md
View File

@@ -1,211 +0,0 @@
# DNS Server Manual Socket Handling Implementation Plan
Command to reread CLAUDE.md: `cat /home/philkunz/.claude/CLAUDE.md`
## Overview
Enable manual socket handling for the DNSServer class to allow external socket management instead of internal socket creation and binding. This enables advanced use cases like socket pooling, custom networking layers, and integration with existing socket infrastructures.
## Current Implementation Analysis
- DNSServer currently creates and manages its own UDP (`dgram.Socket`) and HTTPS (`https.Server`) sockets
- Socket creation happens in `start()` method at lines ~728-752 in `ts_server/classes.dnsserver.ts`
- No mechanism exists to inject pre-created sockets
- Socket lifecycle is tightly coupled with server lifecycle
## Implementation Plan
### 1. Update IDnsServerOptions Interface
- Add optional `udpSocket?: dgram.Socket` property
- Add optional `httpsServer?: https.Server` property
- Add optional `manualMode?: boolean` flag to indicate manual socket handling
- Maintain backwards compatibility with existing automatic socket creation
### 2. Modify DnsServer Constructor
- Accept pre-created sockets in options
- Store references to manual sockets
- Set internal flags to track manual vs automatic mode
### 3. Update start() Method Logic
- Skip socket creation if manual sockets provided
- Validate manual sockets are in correct state
- Attach event listeners to provided sockets
- Support hybrid mode (UDP manual, HTTPS automatic, or vice versa)
### 4. Update stop() Method Logic
- For manual sockets: only remove event listeners, don't close sockets
- For automatic sockets: close sockets as current behavior
- Provide clear separation of lifecycle management
### 5. Add Socket Validation
- Verify provided UDP socket is correct type (udp4/udp6)
- Ensure HTTPS server is properly configured
- Validate socket state (not already listening, etc.)
### 6. Error Handling & Events
- Emit events for socket errors without stopping server
- Allow graceful handling of external socket failures
- Provide clear error messages for socket state issues
## Benefits
- **Socket Pooling**: Share sockets across multiple DNS server instances
- **Custom Networking**: Integration with custom network stacks
- **Performance**: Reuse existing socket infrastructure
- **Advanced Configuration**: Fine-grained control over socket options
- **Testing**: Easier mocking and testing with provided sockets
- **Container Integration**: Better integration with orchestration platforms
## Example Usage After Implementation
### Manual UDP Socket with Automatic HTTPS
```typescript
import * as dgram from 'dgram';
import { DnsServer } from '@push.rocks/smartdns/server';
// Create and configure UDP socket externally
const udpSocket = dgram.createSocket('udp4');
udpSocket.bind(53, '0.0.0.0');
const dnsServer = new DnsServer({
// Manual UDP socket
udpSocket: udpSocket,
manualMode: true,
// Automatic HTTPS server
httpsPort: 443,
httpsKey: cert.key,
httpsCert: cert.cert,
dnssecZone: 'example.com'
});
await dnsServer.start(); // Won't create new UDP socket
```
### Fully Manual Mode
```typescript
import * as https from 'https';
import * as dgram from 'dgram';
// Create both sockets externally
const udpSocket = dgram.createSocket('udp4');
const httpsServer = https.createServer({ key: cert.key, cert: cert.cert });
udpSocket.bind(53, '0.0.0.0');
httpsServer.listen(443, '0.0.0.0');
const dnsServer = new DnsServer({
udpSocket: udpSocket,
httpsServer: httpsServer,
manualMode: true,
dnssecZone: 'example.com'
});
await dnsServer.start(); // Only attaches handlers, no socket creation
```
### Socket Pooling Example
```typescript
// Shared socket pool
const socketPool = {
udp: dgram.createSocket('udp4'),
https: https.createServer(sslOptions)
};
// Multiple DNS servers sharing sockets
const server1 = new DnsServer({
udpSocket: socketPool.udp,
httpsServer: socketPool.https,
manualMode: true,
dnssecZone: 'zone1.com'
});
const server2 = new DnsServer({
udpSocket: socketPool.udp,
httpsServer: socketPool.https,
manualMode: true,
dnssecZone: 'zone2.com'
});
```
## Implementation Details
### New Interface Properties
```typescript
export interface IDnsServerOptions {
// Existing properties...
httpsKey: string;
httpsCert: string;
httpsPort: number;
udpPort: number;
dnssecZone: string;
udpBindInterface?: string;
httpsBindInterface?: string;
// New manual socket properties
udpSocket?: plugins.dgram.Socket;
httpsServer?: plugins.https.Server;
manualMode?: boolean;
}
```
### Modified Constructor Logic
```typescript
constructor(private options: IDnsServerOptions) {
// Existing DNSSEC initialization...
// Handle manual sockets
if (options.manualMode) {
if (options.udpSocket) {
this.udpServer = options.udpSocket;
}
if (options.httpsServer) {
this.httpsServer = options.httpsServer;
}
}
}
```
### Updated start() Method
```typescript
public async start(): Promise<void> {
// Manual socket mode handling
if (this.options.manualMode) {
await this.startManualMode();
} else {
await this.startAutomaticMode();
}
}
private async startManualMode(): Promise<void> {
if (this.udpServer) {
this.attachUdpHandlers();
}
if (this.httpsServer) {
this.attachHttpsHandlers();
}
}
```
## Files to Modify
1. `ts_server/classes.dnsserver.ts` - Core implementation
2. `test/test.server.ts` - Add manual socket tests
3. `readme.md` - Documentation updates with examples
## Testing Strategy
- Unit tests for manual socket validation
- Integration tests for mixed manual/automatic mode
- Socket lifecycle tests (start/stop behavior)
- Error handling tests for invalid socket states
- Performance tests comparing manual vs automatic modes
## Migration Path
- Feature is completely backwards compatible
- Existing code continues to work unchanged
- New `manualMode` flag clearly indicates intent
- Gradual adoption possible (UDP manual, HTTPS automatic, etc.)
## Security Considerations
- Validate provided sockets are properly configured
- Ensure manual sockets have appropriate permissions
- Document security implications of socket sharing
- Provide guidance on proper socket isolation
This enhancement enables advanced DNS server deployments while maintaining full backwards compatibility with existing implementations.

2
rust/.cargo/config.toml Normal file
View File

@@ -0,0 +1,2 @@
[target.aarch64-unknown-linux-gnu]
linker = "aarch64-linux-gnu-gcc"

1446
rust/Cargo.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

8
rust/Cargo.toml Normal file
View File

@@ -0,0 +1,8 @@
[workspace]
resolver = "2"
members = [
"crates/rustdns",
"crates/rustdns-protocol",
"crates/rustdns-server",
"crates/rustdns-dnssec",
]

11
rust/crates/rustdns-dnssec/Cargo.toml Normal file
View File

@@ -0,0 +1,11 @@
[package]
name = "rustdns-dnssec"
version = "0.1.0"
edition = "2021"
[dependencies]
rustdns-protocol = { path = "../rustdns-protocol" }
p256 = { version = "0.13", features = ["ecdsa", "ecdsa-core"] }
ed25519-dalek = { version = "2", features = ["rand_core"] }
sha2 = "0.10"
rand = "0.8"

157
rust/crates/rustdns-dnssec/src/keys.rs Normal file
View File

@@ -0,0 +1,157 @@
use p256::ecdsa::SigningKey as EcdsaSigningKey;
use ed25519_dalek::SigningKey as Ed25519SigningKey;
use rand::rngs::OsRng;
/// Supported DNSSEC algorithms.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DnssecAlgorithm {
/// ECDSA P-256 with SHA-256 (algorithm 13)
EcdsaP256Sha256,
/// ED25519 (algorithm 15)
Ed25519,
}
impl DnssecAlgorithm {
pub fn number(&self) -> u8 {
match self {
DnssecAlgorithm::EcdsaP256Sha256 => 13,
DnssecAlgorithm::Ed25519 => 15,
}
}
pub fn from_str(s: &str) -> Option<Self> {
match s.to_uppercase().as_str() {
"ECDSA" | "ECDSAP256SHA256" => Some(DnssecAlgorithm::EcdsaP256Sha256),
"ED25519" => Some(DnssecAlgorithm::Ed25519),
_ => None,
}
}
}
/// A DNSSEC key pair with material for signing and DNSKEY generation.
pub enum DnssecKeyPair {
EcdsaP256 {
signing_key: EcdsaSigningKey,
},
Ed25519 {
signing_key: Ed25519SigningKey,
},
}
impl DnssecKeyPair {
/// Generate a new key pair for the given algorithm.
pub fn generate(algorithm: DnssecAlgorithm) -> Self {
match algorithm {
DnssecAlgorithm::EcdsaP256Sha256 => {
let signing_key = EcdsaSigningKey::random(&mut OsRng);
DnssecKeyPair::EcdsaP256 { signing_key }
}
DnssecAlgorithm::Ed25519 => {
let signing_key = Ed25519SigningKey::generate(&mut OsRng);
DnssecKeyPair::Ed25519 { signing_key }
}
}
}
/// Get the algorithm.
pub fn algorithm(&self) -> DnssecAlgorithm {
match self {
DnssecKeyPair::EcdsaP256 { .. } => DnssecAlgorithm::EcdsaP256Sha256,
DnssecKeyPair::Ed25519 { .. } => DnssecAlgorithm::Ed25519,
}
}
/// Get the public key bytes for the DNSKEY record.
/// For ECDSA P-256: 64 bytes (uncompressed x || y, without 0x04 prefix).
/// For ED25519: 32 bytes.
pub fn public_key_bytes(&self) -> Vec<u8> {
match self {
DnssecKeyPair::EcdsaP256 { signing_key } => {
use p256::ecdsa::VerifyingKey;
let verifying_key = VerifyingKey::from(signing_key);
let point = verifying_key.to_encoded_point(false); // uncompressed
let bytes = point.as_bytes();
// Remove 0x04 prefix for DNS format
bytes[1..].to_vec()
}
DnssecKeyPair::Ed25519 { signing_key } => {
let verifying_key = signing_key.verifying_key();
verifying_key.as_bytes().to_vec()
}
}
}
/// Get the DNSKEY RDATA (flags=256/ZSK, protocol=3, algorithm, public key).
pub fn dnskey_rdata(&self) -> Vec<u8> {
let flags: u16 = 256; // Zone Signing Key
let protocol: u8 = 3;
let algorithm = self.algorithm().number();
let pubkey = self.public_key_bytes();
let mut buf = Vec::new();
buf.extend_from_slice(&flags.to_be_bytes());
buf.push(protocol);
buf.push(algorithm);
buf.extend_from_slice(&pubkey);
buf
}
/// Sign data with this key pair.
pub fn sign(&self, data: &[u8]) -> Vec<u8> {
match self {
DnssecKeyPair::EcdsaP256 { signing_key } => {
use p256::ecdsa::{signature::Signer, Signature};
let sig: Signature = signing_key.sign(data);
sig.to_der().as_bytes().to_vec()
}
DnssecKeyPair::Ed25519 { signing_key } => {
use ed25519_dalek::Signer;
let sig = signing_key.sign(data);
sig.to_bytes().to_vec()
}
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_ecdsa_key_generation() {
let kp = DnssecKeyPair::generate(DnssecAlgorithm::EcdsaP256Sha256);
assert_eq!(kp.algorithm(), DnssecAlgorithm::EcdsaP256Sha256);
assert_eq!(kp.public_key_bytes().len(), 64); // x(32) + y(32)
}
#[test]
fn test_ed25519_key_generation() {
let kp = DnssecKeyPair::generate(DnssecAlgorithm::Ed25519);
assert_eq!(kp.algorithm(), DnssecAlgorithm::Ed25519);
assert_eq!(kp.public_key_bytes().len(), 32);
}
#[test]
fn test_dnskey_rdata() {
let kp = DnssecKeyPair::generate(DnssecAlgorithm::EcdsaP256Sha256);
let rdata = kp.dnskey_rdata();
// flags(2) + protocol(1) + algorithm(1) + pubkey(64) = 68
assert_eq!(rdata.len(), 68);
assert_eq!(rdata[0], 1); // flags high byte (256 >> 8)
assert_eq!(rdata[1], 0); // flags low byte
assert_eq!(rdata[2], 3); // protocol
assert_eq!(rdata[3], 13); // algorithm 13 = ECDSA P-256
}
#[test]
fn test_sign_and_verify() {
let kp = DnssecKeyPair::generate(DnssecAlgorithm::EcdsaP256Sha256);
let data = b"test data to sign";
let sig = kp.sign(data);
assert!(!sig.is_empty());
let kp2 = DnssecKeyPair::generate(DnssecAlgorithm::Ed25519);
let sig2 = kp2.sign(data);
assert!(!sig2.is_empty());
}
}

38
rust/crates/rustdns-dnssec/src/keytag.rs Normal file
View File

@@ -0,0 +1,38 @@
/// Compute the DNSSEC key tag as per RFC 4034 Appendix B.
/// Input is the full DNSKEY RDATA (flags + protocol + algorithm + public key).
pub fn compute_key_tag(dnskey_rdata: &[u8]) -> u16 {
let mut acc: u32 = 0;
for (i, &byte) in dnskey_rdata.iter().enumerate() {
if i & 1 == 0 {
acc += (byte as u32) << 8;
} else {
acc += byte as u32;
}
}
acc += (acc >> 16) & 0xFFFF;
(acc & 0xFFFF) as u16
}
/// Compute a DS record digest (SHA-256) from owner name + DNSKEY RDATA.
pub fn compute_ds_digest(owner_name_wire: &[u8], dnskey_rdata: &[u8]) -> Vec<u8> {
use sha2::{Sha256, Digest};
let mut hasher = Sha256::new();
hasher.update(owner_name_wire);
hasher.update(dnskey_rdata);
hasher.finalize().to_vec()
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_key_tag_computation() {
// A known DNSKEY RDATA: flags=256, protocol=3, algorithm=13, plus some key bytes
let mut rdata = vec![1u8, 0, 3, 13]; // flags=256, protocol=3, algorithm=13
rdata.extend_from_slice(&[0u8; 64]); // dummy 64-byte key
let tag = compute_key_tag(&rdata);
// Just verify it produces a reasonable value
assert!(tag > 0);
}
}

3
rust/crates/rustdns-dnssec/src/lib.rs Normal file
View File

@@ -0,0 +1,3 @@
pub mod keys;
pub mod signing;
pub mod keytag;

147
rust/crates/rustdns-dnssec/src/signing.rs Normal file
View File

@@ -0,0 +1,147 @@
use crate::keys::DnssecKeyPair;
use crate::keytag::compute_key_tag;
use rustdns_protocol::name::encode_name;
use rustdns_protocol::packet::{encode_rrsig, DnsRecord};
use rustdns_protocol::types::QType;
use sha2::{Sha256, Digest};
/// Canonical RRset serialization for DNSSEC signing (RFC 4034 Section 6).
/// Each record: name(wire) + type(2) + class(2) + ttl(4) + rdlength(2) + rdata
pub fn serialize_rrset_canonical(records: &[DnsRecord]) -> Vec<u8> {
let mut buf = Vec::new();
for rr in records {
if rr.rtype == QType::OPT {
continue;
}
let name = if rr.name.ends_with('.') {
rr.name.to_lowercase()
} else {
format!("{}.", rr.name).to_lowercase()
};
buf.extend_from_slice(&encode_name(&name));
buf.extend_from_slice(&rr.rtype.to_u16().to_be_bytes());
buf.extend_from_slice(&rr.rclass.to_u16().to_be_bytes());
buf.extend_from_slice(&rr.ttl.to_be_bytes());
buf.extend_from_slice(&(rr.rdata.len() as u16).to_be_bytes());
buf.extend_from_slice(&rr.rdata);
}
buf
}
/// Generate an RRSIG record for a given RRset.
pub fn generate_rrsig(
key_pair: &DnssecKeyPair,
zone: &str,
rrset: &[DnsRecord],
name: &str,
rtype: QType,
) -> DnsRecord {
let algorithm = key_pair.algorithm().number();
let dnskey_rdata = key_pair.dnskey_rdata();
let key_tag = compute_key_tag(&dnskey_rdata);
let signers_name = if zone.ends_with('.') {
zone.to_string()
} else {
format!("{}.", zone)
};
let ttl = if rrset.is_empty() { 300 } else { rrset[0].ttl };
let now = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs() as u32;
let inception = now.wrapping_sub(3600); // 1 hour ago
let expiration = inception.wrapping_add(86400); // +1 day
let labels = name
.strip_suffix('.')
.unwrap_or(name)
.split('.')
.filter(|l| !l.is_empty())
.count() as u8;
// Build the RRSIG RDATA preamble (everything before the signature)
let type_covered = rtype.to_u16();
let mut sig_data = Vec::new();
sig_data.extend_from_slice(&type_covered.to_be_bytes());
sig_data.push(algorithm);
sig_data.push(labels);
sig_data.extend_from_slice(&ttl.to_be_bytes());
sig_data.extend_from_slice(&expiration.to_be_bytes());
sig_data.extend_from_slice(&inception.to_be_bytes());
sig_data.extend_from_slice(&key_tag.to_be_bytes());
sig_data.extend_from_slice(&encode_name(&signers_name));
// Append the canonical RRset
sig_data.extend_from_slice(&serialize_rrset_canonical(rrset));
// Sign: ECDSA uses SHA-256 internally via the p256 crate, ED25519 does its own hashing
let signature = match key_pair {
DnssecKeyPair::EcdsaP256 { .. } => {
// For ECDSA, we hash first then sign
let hash = Sha256::digest(&sig_data);
key_pair.sign(&hash)
}
DnssecKeyPair::Ed25519 { .. } => {
// ED25519 includes hashing internally
key_pair.sign(&sig_data)
}
};
let rrsig_rdata = encode_rrsig(
type_covered,
algorithm,
labels,
ttl,
expiration,
inception,
key_tag,
&signers_name,
&signature,
);
DnsRecord {
name: name.to_string(),
rtype: QType::RRSIG,
rclass: rustdns_protocol::types::QClass::IN,
ttl,
rdata: rrsig_rdata,
opt_flags: None,
}
}
#[cfg(test)]
mod tests {
use super::*;
use crate::keys::{DnssecAlgorithm, DnssecKeyPair};
use rustdns_protocol::packet::{build_record, encode_a};
#[test]
fn test_generate_rrsig_ecdsa() {
let kp = DnssecKeyPair::generate(DnssecAlgorithm::EcdsaP256Sha256);
let record = build_record("test.example.com", QType::A, 300, encode_a("127.0.0.1"));
let rrsig = generate_rrsig(&kp, "example.com", &[record], "test.example.com", QType::A);
assert_eq!(rrsig.rtype, QType::RRSIG);
assert!(!rrsig.rdata.is_empty());
}
#[test]
fn test_generate_rrsig_ed25519() {
let kp = DnssecKeyPair::generate(DnssecAlgorithm::Ed25519);
let record = build_record("test.example.com", QType::A, 300, encode_a("10.0.0.1"));
let rrsig = generate_rrsig(&kp, "example.com", &[record], "test.example.com", QType::A);
assert_eq!(rrsig.rtype, QType::RRSIG);
assert!(!rrsig.rdata.is_empty());
}
#[test]
fn test_serialize_rrset_canonical() {
let r1 = build_record("example.com", QType::A, 300, encode_a("1.2.3.4"));
let r2 = build_record("example.com", QType::A, 300, encode_a("5.6.7.8"));
let serialized = serialize_rrset_canonical(&[r1, r2]);
assert!(!serialized.is_empty());
}
}

6
rust/crates/rustdns-protocol/Cargo.toml Normal file
View File

@@ -0,0 +1,6 @@
[package]
name = "rustdns-protocol"
version = "0.1.0"
edition = "2021"
[dependencies]

3
rust/crates/rustdns-protocol/src/lib.rs Normal file
View File

@@ -0,0 +1,3 @@
pub mod types;
pub mod name;
pub mod packet;

108
rust/crates/rustdns-protocol/src/name.rs Normal file
View File

@@ -0,0 +1,108 @@
/// Encode a domain name into DNS wire format.
/// e.g. "example.com" -> [7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0]
pub fn encode_name(name: &str) -> Vec<u8> {
let mut buf = Vec::new();
let trimmed = name.strip_suffix('.').unwrap_or(name);
if trimmed.is_empty() {
buf.push(0);
return buf;
}
for label in trimmed.split('.') {
let len = label.len();
if len > 63 {
// Truncate to 63 per DNS spec
buf.push(63);
buf.extend_from_slice(&label.as_bytes()[..63]);
} else {
buf.push(len as u8);
buf.extend_from_slice(label.as_bytes());
}
}
buf.push(0); // root label
buf
}
/// Decode a domain name from DNS wire format at the given offset.
/// Returns (name, bytes_consumed).
/// Handles compression pointers (0xC0 prefix).
pub fn decode_name(data: &[u8], offset: usize) -> Result<(String, usize), &'static str> {
let mut labels: Vec<String> = Vec::new();
let mut pos = offset;
let mut bytes_consumed = 0;
let mut jumped = false;
loop {
if pos >= data.len() {
return Err("unexpected end of data in name");
}
let len = data[pos] as usize;
if len == 0 {
// Root label
if !jumped {
bytes_consumed = pos - offset + 1;
}
break;
}
// Check for compression pointer
if len & 0xC0 == 0xC0 {
if pos + 1 >= data.len() {
return Err("unexpected end of data in compression pointer");
}
let pointer = ((len & 0x3F) << 8) | (data[pos + 1] as usize);
if !jumped {
bytes_consumed = pos - offset + 2;
jumped = true;
}
pos = pointer;
continue;
}
// Regular label
pos += 1;
if pos + len > data.len() {
return Err("label extends beyond data");
}
let label = std::str::from_utf8(&data[pos..pos + len]).map_err(|_| "invalid UTF-8 in label")?;
labels.push(label.to_string());
pos += len;
}
if bytes_consumed == 0 && !jumped {
bytes_consumed = 1; // just the root label
}
Ok((labels.join("."), bytes_consumed))
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_encode_decode_roundtrip() {
let names = vec!["example.com", "sub.domain.example.com", "localhost", "a.b.c.d.e"];
for name in names {
let encoded = encode_name(name);
let (decoded, consumed) = decode_name(&encoded, 0).unwrap();
assert_eq!(decoded, name);
assert_eq!(consumed, encoded.len());
}
}
#[test]
fn test_encode_trailing_dot() {
let a = encode_name("example.com.");
let b = encode_name("example.com");
assert_eq!(a, b);
}
#[test]
fn test_root_name() {
let encoded = encode_name("");
assert_eq!(encoded, vec![0]);
let (decoded, _) = decode_name(&encoded, 0).unwrap();
assert_eq!(decoded, "");
}
}

442
rust/crates/rustdns-protocol/src/packet.rs Normal file
View File

@@ -0,0 +1,442 @@
use crate::name::{decode_name, encode_name};
use crate::types::{QClass, QType, FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA, EDNS_DO_BIT};
/// A parsed DNS question.
#[derive(Debug, Clone)]
pub struct DnsQuestion {
pub name: String,
pub qtype: QType,
pub qclass: QClass,
}
/// A parsed DNS resource record.
#[derive(Debug, Clone)]
pub struct DnsRecord {
pub name: String,
pub rtype: QType,
pub rclass: QClass,
pub ttl: u32,
pub rdata: Vec<u8>,
// For OPT records, the flags are stored in the TTL field position
pub opt_flags: Option<u16>,
}
/// A complete DNS packet (parsed).
#[derive(Debug, Clone)]
pub struct DnsPacket {
pub id: u16,
pub flags: u16,
pub questions: Vec<DnsQuestion>,
pub answers: Vec<DnsRecord>,
pub authorities: Vec<DnsRecord>,
pub additionals: Vec<DnsRecord>,
}
impl DnsPacket {
/// Create a new empty query packet.
pub fn new_query(id: u16) -> Self {
DnsPacket {
id,
flags: 0,
questions: Vec::new(),
answers: Vec::new(),
authorities: Vec::new(),
additionals: Vec::new(),
}
}
/// Create a response packet for a given request.
pub fn new_response(request: &DnsPacket) -> Self {
let mut flags = FLAG_QR | FLAG_AA | FLAG_RA;
if request.flags & FLAG_RD != 0 {
flags |= FLAG_RD;
}
DnsPacket {
id: request.id,
flags,
questions: request.questions.clone(),
answers: Vec::new(),
authorities: Vec::new(),
additionals: Vec::new(),
}
}
/// Check if DNSSEC (DO bit) is requested in the OPT record.
pub fn is_dnssec_requested(&self) -> bool {
for additional in &self.additionals {
if additional.rtype == QType::OPT {
if let Some(flags) = additional.opt_flags {
if flags & EDNS_DO_BIT != 0 {
return true;
}
}
}
}
false
}
/// Parse a DNS packet from wire format bytes.
pub fn parse(data: &[u8]) -> Result<Self, String> {
if data.len() < 12 {
return Err("packet too short for DNS header".into());
}
let id = u16::from_be_bytes([data[0], data[1]]);
let flags = u16::from_be_bytes([data[2], data[3]]);
let qdcount = u16::from_be_bytes([data[4], data[5]]) as usize;
let ancount = u16::from_be_bytes([data[6], data[7]]) as usize;
let nscount = u16::from_be_bytes([data[8], data[9]]) as usize;
let arcount = u16::from_be_bytes([data[10], data[11]]) as usize;
let mut offset = 12;
// Parse questions
let mut questions = Vec::with_capacity(qdcount);
for _ in 0..qdcount {
let (name, consumed) = decode_name(data, offset).map_err(|e| e.to_string())?;
offset += consumed;
if offset + 4 > data.len() {
return Err("packet too short for question fields".into());
}
let qtype = QType::from_u16(u16::from_be_bytes([data[offset], data[offset + 1]]));
let qclass = QClass::from_u16(u16::from_be_bytes([data[offset + 2], data[offset + 3]]));
offset += 4;
questions.push(DnsQuestion { name, qtype, qclass });
}
// Parse resource records
fn parse_records(data: &[u8], offset: &mut usize, count: usize) -> Result<Vec<DnsRecord>, String> {
let mut records = Vec::with_capacity(count);
for _ in 0..count {
let (name, consumed) = decode_name(data, *offset).map_err(|e| e.to_string())?;
*offset += consumed;
if *offset + 10 > data.len() {
return Err("packet too short for RR fields".into());
}
let rtype = QType::from_u16(u16::from_be_bytes([data[*offset], data[*offset + 1]]));
let rclass_or_payload = u16::from_be_bytes([data[*offset + 2], data[*offset + 3]]);
let ttl_bytes = u32::from_be_bytes([data[*offset + 4], data[*offset + 5], data[*offset + 6], data[*offset + 7]]);
let rdlength = u16::from_be_bytes([data[*offset + 8], data[*offset + 9]]) as usize;
*offset += 10;
if *offset + rdlength > data.len() {
return Err("packet too short for RDATA".into());
}
let rdata = data[*offset..*offset + rdlength].to_vec();
*offset += rdlength;
// For OPT records, extract flags from the TTL position
let (rclass, ttl, opt_flags) = if rtype == QType::OPT {
// OPT: class = UDP payload size, TTL upper 16 = extended RCODE + version, lower 16 = flags
let flags = (ttl_bytes & 0xFFFF) as u16;
(QClass::from_u16(rclass_or_payload), 0, Some(flags))
} else {
(QClass::from_u16(rclass_or_payload), ttl_bytes, None)
};
records.push(DnsRecord {
name,
rtype,
rclass,
ttl,
rdata,
opt_flags,
});
}
Ok(records)
}
let answers = parse_records(data, &mut offset, ancount)?;
let authorities = parse_records(data, &mut offset, nscount)?;
let additionals = parse_records(data, &mut offset, arcount)?;
Ok(DnsPacket {
id,
flags,
questions,
answers,
authorities,
additionals,
})
}
/// Encode this DNS packet to wire format bytes.
pub fn encode(&self) -> Vec<u8> {
let mut buf = Vec::with_capacity(512);
// Header
buf.extend_from_slice(&self.id.to_be_bytes());
buf.extend_from_slice(&self.flags.to_be_bytes());
buf.extend_from_slice(&(self.questions.len() as u16).to_be_bytes());
buf.extend_from_slice(&(self.answers.len() as u16).to_be_bytes());
buf.extend_from_slice(&(self.authorities.len() as u16).to_be_bytes());
buf.extend_from_slice(&(self.additionals.len() as u16).to_be_bytes());
// Questions
for q in &self.questions {
buf.extend_from_slice(&encode_name(&q.name));
buf.extend_from_slice(&q.qtype.to_u16().to_be_bytes());
buf.extend_from_slice(&q.qclass.to_u16().to_be_bytes());
}
// Resource records
fn encode_records(buf: &mut Vec<u8>, records: &[DnsRecord]) {
for rr in records {
buf.extend_from_slice(&encode_name(&rr.name));
buf.extend_from_slice(&rr.rtype.to_u16().to_be_bytes());
if rr.rtype == QType::OPT {
// OPT: class = UDP payload size (4096), TTL = ext rcode + flags
buf.extend_from_slice(&rr.rclass.to_u16().to_be_bytes());
let flags = rr.opt_flags.unwrap_or(0) as u32;
buf.extend_from_slice(&flags.to_be_bytes());
} else {
buf.extend_from_slice(&rr.rclass.to_u16().to_be_bytes());
buf.extend_from_slice(&rr.ttl.to_be_bytes());
}
buf.extend_from_slice(&(rr.rdata.len() as u16).to_be_bytes());
buf.extend_from_slice(&rr.rdata);
}
}
encode_records(&mut buf, &self.answers);
encode_records(&mut buf, &self.authorities);
encode_records(&mut buf, &self.additionals);
buf
}
}
// ── RDATA encoding helpers ─────────────────────────────────────────
/// Encode an A record (IPv4 address string -> 4 bytes).
pub fn encode_a(ip: &str) -> Vec<u8> {
ip.split('.')
.filter_map(|s| s.parse::<u8>().ok())
.collect()
}
/// Encode an AAAA record (IPv6 address string -> 16 bytes).
pub fn encode_aaaa(ip: &str) -> Vec<u8> {
// Handle :: expansion
let expanded = expand_ipv6(ip);
expanded
.split(':')
.flat_map(|seg| {
let val = u16::from_str_radix(seg, 16).unwrap_or(0);
val.to_be_bytes().to_vec()
})
.collect()
}
fn expand_ipv6(ip: &str) -> String {
if !ip.contains("::") {
return ip.to_string();
}
let parts: Vec<&str> = ip.split("::").collect();
let left: Vec<&str> = if parts[0].is_empty() {
vec![]
} else {
parts[0].split(':').collect()
};
let right: Vec<&str> = if parts.len() > 1 && !parts[1].is_empty() {
parts[1].split(':').collect()
} else {
vec![]
};
let fill_count = 8 - left.len() - right.len();
let mut result: Vec<String> = left.iter().map(|s| s.to_string()).collect();
for _ in 0..fill_count {
result.push("0".to_string());
}
result.extend(right.iter().map(|s| s.to_string()));
result.join(":")
}
/// Encode a TXT record (array of strings -> length-prefixed chunks).
pub fn encode_txt(strings: &[String]) -> Vec<u8> {
let mut buf = Vec::new();
for s in strings {
let bytes = s.as_bytes();
// TXT strings must be <= 255 bytes each
let len = bytes.len().min(255);
buf.push(len as u8);
buf.extend_from_slice(&bytes[..len]);
}
buf
}
/// Encode a domain name for use in RDATA (NS, CNAME, PTR, etc.).
pub fn encode_name_rdata(name: &str) -> Vec<u8> {
encode_name(name)
}
/// Encode a SOA record RDATA.
pub fn encode_soa(mname: &str, rname: &str, serial: u32, refresh: u32, retry: u32, expire: u32, minimum: u32) -> Vec<u8> {
let mut buf = Vec::new();
buf.extend_from_slice(&encode_name(mname));
buf.extend_from_slice(&encode_name(rname));
buf.extend_from_slice(&serial.to_be_bytes());
buf.extend_from_slice(&refresh.to_be_bytes());
buf.extend_from_slice(&retry.to_be_bytes());
buf.extend_from_slice(&expire.to_be_bytes());
buf.extend_from_slice(&minimum.to_be_bytes());
buf
}
/// Encode an MX record RDATA.
pub fn encode_mx(preference: u16, exchange: &str) -> Vec<u8> {
let mut buf = Vec::new();
buf.extend_from_slice(&preference.to_be_bytes());
buf.extend_from_slice(&encode_name(exchange));
buf
}
/// Encode a SRV record RDATA.
pub fn encode_srv(priority: u16, weight: u16, port: u16, target: &str) -> Vec<u8> {
let mut buf = Vec::new();
buf.extend_from_slice(&priority.to_be_bytes());
buf.extend_from_slice(&weight.to_be_bytes());
buf.extend_from_slice(&port.to_be_bytes());
buf.extend_from_slice(&encode_name(target));
buf
}
/// Encode a DNSKEY record RDATA.
pub fn encode_dnskey(flags: u16, protocol: u8, algorithm: u8, public_key: &[u8]) -> Vec<u8> {
let mut buf = Vec::new();
buf.extend_from_slice(&flags.to_be_bytes());
buf.push(protocol);
buf.push(algorithm);
buf.extend_from_slice(public_key);
buf
}
/// Encode an RRSIG record RDATA.
pub fn encode_rrsig(
type_covered: u16,
algorithm: u8,
labels: u8,
original_ttl: u32,
expiration: u32,
inception: u32,
key_tag: u16,
signers_name: &str,
signature: &[u8],
) -> Vec<u8> {
let mut buf = Vec::new();
buf.extend_from_slice(&type_covered.to_be_bytes());
buf.push(algorithm);
buf.push(labels);
buf.extend_from_slice(&original_ttl.to_be_bytes());
buf.extend_from_slice(&expiration.to_be_bytes());
buf.extend_from_slice(&inception.to_be_bytes());
buf.extend_from_slice(&key_tag.to_be_bytes());
buf.extend_from_slice(&encode_name(signers_name));
buf.extend_from_slice(signature);
buf
}
/// Build a DnsRecord from high-level data.
pub fn build_record(name: &str, rtype: QType, ttl: u32, rdata: Vec<u8>) -> DnsRecord {
DnsRecord {
name: name.to_string(),
rtype,
rclass: QClass::IN,
ttl,
rdata,
opt_flags: None,
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_parse_encode_roundtrip() {
// Build a simple query
let mut query = DnsPacket::new_query(0x1234);
query.flags = FLAG_RD;
query.questions.push(DnsQuestion {
name: "example.com".to_string(),
qtype: QType::A,
qclass: QClass::IN,
});
let encoded = query.encode();
let parsed = DnsPacket::parse(&encoded).unwrap();
assert_eq!(parsed.id, 0x1234);
assert_eq!(parsed.questions.len(), 1);
assert_eq!(parsed.questions[0].name, "example.com");
assert_eq!(parsed.questions[0].qtype, QType::A);
}
#[test]
fn test_response_with_answer() {
let mut query = DnsPacket::new_query(0x5678);
query.flags = FLAG_RD;
query.questions.push(DnsQuestion {
name: "test.example.com".to_string(),
qtype: QType::A,
qclass: QClass::IN,
});
let mut response = DnsPacket::new_response(&query);
response.answers.push(build_record(
"test.example.com",
QType::A,
300,
encode_a("127.0.0.1"),
));
let encoded = response.encode();
let parsed = DnsPacket::parse(&encoded).unwrap();
assert_eq!(parsed.id, 0x5678);
assert!(parsed.flags & FLAG_QR != 0); // Is a response
assert!(parsed.flags & FLAG_AA != 0); // Authoritative
assert_eq!(parsed.answers.len(), 1);
assert_eq!(parsed.answers[0].rdata, vec![127, 0, 0, 1]);
}
#[test]
fn test_encode_aaaa() {
let data = encode_aaaa("::1");
assert_eq!(data.len(), 16);
assert_eq!(data[15], 1);
assert!(data[..15].iter().all(|&b| b == 0));
}
#[test]
fn test_encode_txt() {
let data = encode_txt(&["hello".to_string(), "world".to_string()]);
assert_eq!(data[0], 5); // length of "hello"
assert_eq!(&data[1..6], b"hello");
assert_eq!(data[6], 5); // length of "world"
assert_eq!(&data[7..12], b"world");
}
#[test]
fn test_dnssec_do_bit() {
let mut query = DnsPacket::new_query(1);
query.questions.push(DnsQuestion {
name: "example.com".to_string(),
qtype: QType::A,
qclass: QClass::IN,
});
// No OPT record = no DNSSEC
assert!(!query.is_dnssec_requested());
// Add OPT with DO bit
query.additionals.push(DnsRecord {
name: ".".to_string(),
rtype: QType::OPT,
rclass: QClass::from_u16(4096), // UDP payload size
ttl: 0,
rdata: vec![],
opt_flags: Some(EDNS_DO_BIT),
});
assert!(query.is_dnssec_requested());
}
}

131
rust/crates/rustdns-protocol/src/types.rs Normal file
View File

@@ -0,0 +1,131 @@
/// DNS record types
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[repr(u16)]
pub enum QType {
A = 1,
NS = 2,
CNAME = 5,
SOA = 6,
PTR = 12,
MX = 15,
TXT = 16,
AAAA = 28,
SRV = 33,
OPT = 41,
RRSIG = 46,
DNSKEY = 48,
Unknown(u16),
}
impl QType {
pub fn from_u16(val: u16) -> Self {
match val {
1 => QType::A,
2 => QType::NS,
5 => QType::CNAME,
6 => QType::SOA,
12 => QType::PTR,
15 => QType::MX,
16 => QType::TXT,
28 => QType::AAAA,
33 => QType::SRV,
41 => QType::OPT,
46 => QType::RRSIG,
48 => QType::DNSKEY,
v => QType::Unknown(v),
}
}
pub fn to_u16(self) -> u16 {
match self {
QType::A => 1,
QType::NS => 2,
QType::CNAME => 5,
QType::SOA => 6,
QType::PTR => 12,
QType::MX => 15,
QType::TXT => 16,
QType::AAAA => 28,
QType::SRV => 33,
QType::OPT => 41,
QType::RRSIG => 46,
QType::DNSKEY => 48,
QType::Unknown(v) => v,
}
}
pub fn from_str(s: &str) -> Self {
match s.to_uppercase().as_str() {
"A" => QType::A,
"NS" => QType::NS,
"CNAME" => QType::CNAME,
"SOA" => QType::SOA,
"PTR" => QType::PTR,
"MX" => QType::MX,
"TXT" => QType::TXT,
"AAAA" => QType::AAAA,
"SRV" => QType::SRV,
"OPT" => QType::OPT,
"RRSIG" => QType::RRSIG,
"DNSKEY" => QType::DNSKEY,
_ => QType::Unknown(0),
}
}
pub fn as_str(&self) -> &'static str {
match self {
QType::A => "A",
QType::NS => "NS",
QType::CNAME => "CNAME",
QType::SOA => "SOA",
QType::PTR => "PTR",
QType::MX => "MX",
QType::TXT => "TXT",
QType::AAAA => "AAAA",
QType::SRV => "SRV",
QType::OPT => "OPT",
QType::RRSIG => "RRSIG",
QType::DNSKEY => "DNSKEY",
QType::Unknown(_) => "UNKNOWN",
}
}
}
/// DNS record classes
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(u16)]
pub enum QClass {
IN = 1,
CH = 3,
HS = 4,
Unknown(u16),
}
impl QClass {
pub fn from_u16(val: u16) -> Self {
match val {
1 => QClass::IN,
3 => QClass::CH,
4 => QClass::HS,
v => QClass::Unknown(v),
}
}
pub fn to_u16(self) -> u16 {
match self {
QClass::IN => 1,
QClass::CH => 3,
QClass::HS => 4,
QClass::Unknown(v) => v,
}
}
}
/// DNS header flags
pub const FLAG_QR: u16 = 0x8000;
pub const FLAG_AA: u16 = 0x0400;
pub const FLAG_RD: u16 = 0x0100;
pub const FLAG_RA: u16 = 0x0080;
/// OPT record DO bit (DNSSEC OK)
pub const EDNS_DO_BIT: u16 = 0x8000;

17
rust/crates/rustdns-server/Cargo.toml Normal file
View File

@@ -0,0 +1,17 @@
[package]
name = "rustdns-server"
version = "0.1.0"
edition = "2021"
[dependencies]
rustdns-protocol = { path = "../rustdns-protocol" }
rustdns-dnssec = { path = "../rustdns-dnssec" }
tokio = { version = "1", features = ["full"] }
hyper = { version = "1", features = ["http1", "server"] }
hyper-util = { version = "0.1", features = ["tokio"] }
http-body-util = "0.1"
rustls = { version = "0.23", features = ["ring"] }
tokio-rustls = "0.26"
rustls-pemfile = "2"
tracing = "0.1"
bytes = "1"

164
rust/crates/rustdns-server/src/https.rs Normal file
View File

@@ -0,0 +1,164 @@
use hyper::body::Incoming;
use hyper::{Request, Response, StatusCode};
use hyper::service::service_fn;
use hyper_util::rt::TokioIo;
use http_body_util::{BodyExt, Full};
use rustdns_protocol::packet::DnsPacket;
use rustls::ServerConfig;
use std::net::SocketAddr;
use std::sync::Arc;
use tokio::net::TcpListener;
use tokio_rustls::TlsAcceptor;
use tracing::{error, info};
/// Configuration for the HTTPS DoH server.
pub struct HttpsServerConfig {
pub bind_addr: SocketAddr,
pub tls_config: Arc<ServerConfig>,
}
/// An HTTPS DNS-over-HTTPS server.
pub struct HttpsServer {
shutdown: tokio::sync::watch::Sender<bool>,
local_addr: SocketAddr,
}
impl HttpsServer {
/// Start the HTTPS DoH server.
pub async fn start<F, Fut>(
config: HttpsServerConfig,
resolver: F,
) -> Result<Self, Box<dyn std::error::Error + Send + Sync>>
where
F: Fn(DnsPacket) -> Fut + Send + Sync + 'static,
Fut: std::future::Future<Output = DnsPacket> + Send + 'static,
{
let listener = TcpListener::bind(config.bind_addr).await?;
let local_addr = listener.local_addr()?;
let (shutdown_tx, shutdown_rx) = tokio::sync::watch::channel(false);
let tls_acceptor = TlsAcceptor::from(config.tls_config);
let resolver = Arc::new(resolver);
info!("HTTPS DoH server listening on {}", local_addr);
tokio::spawn(async move {
let mut shutdown_rx = shutdown_rx;
loop {
tokio::select! {
result = listener.accept() => {
match result {
Ok((stream, _peer_addr)) => {
let acceptor = tls_acceptor.clone();
let resolver = resolver.clone();
tokio::spawn(async move {
match acceptor.accept(stream).await {
Ok(tls_stream) => {
let io = TokioIo::new(tls_stream);
let resolver = resolver.clone();
let service = service_fn(move |req: Request<Incoming>| {
let resolver = resolver.clone();
async move {
handle_doh_request(req, resolver).await
}
});
if let Err(e) = hyper::server::conn::http1::Builder::new()
.serve_connection(io, service)
.await
{
error!("HTTPS connection error: {}", e);
}
}
Err(e) => {
error!("TLS accept error: {}", e);
}
}
});
}
Err(e) => {
error!("TCP accept error: {}", e);
}
}
}
_ = shutdown_rx.changed() => {
if *shutdown_rx.borrow() {
info!("HTTPS DoH server shutting down");
break;
}
}
}
}
});
Ok(HttpsServer {
shutdown: shutdown_tx,
local_addr,
})
}
/// Stop the HTTPS server.
pub fn stop(&self) {
let _ = self.shutdown.send(true);
}
/// Get the bound local address.
pub fn local_addr(&self) -> SocketAddr {
self.local_addr
}
}
async fn handle_doh_request<F, Fut>(
req: Request<Incoming>,
resolver: Arc<F>,
) -> Result<Response<Full<bytes::Bytes>>, hyper::Error>
where
F: Fn(DnsPacket) -> Fut + Send + Sync,
Fut: std::future::Future<Output = DnsPacket> + Send,
{
if req.method() == hyper::Method::POST && req.uri().path() == "/dns-query" {
let body = req.collect().await?.to_bytes();
match DnsPacket::parse(&body) {
Ok(request) => {
let response = resolver(request).await;
let encoded = response.encode();
Ok(Response::builder()
.status(StatusCode::OK)
.header("Content-Type", "application/dns-message")
.body(Full::new(bytes::Bytes::from(encoded)))
.unwrap())
}
Err(e) => {
error!("Failed to parse DoH request: {}", e);
Ok(Response::builder()
.status(StatusCode::BAD_REQUEST)
.body(Full::new(bytes::Bytes::from(format!("Invalid DNS message: {}", e))))
.unwrap())
}
}
} else {
Ok(Response::builder()
.status(StatusCode::NOT_FOUND)
.body(Full::new(bytes::Bytes::new()))
.unwrap())
}
}
/// Create a rustls ServerConfig from PEM-encoded certificate and key.
pub fn create_tls_config(cert_pem: &str, key_pem: &str) -> Result<Arc<ServerConfig>, Box<dyn std::error::Error + Send + Sync>> {
let certs = rustls_pemfile::certs(&mut cert_pem.as_bytes())
.collect::<Result<Vec<_>, _>>()?;
let key = rustls_pemfile::private_key(&mut key_pem.as_bytes())?
.ok_or("no private key found in PEM data")?;
let config = ServerConfig::builder()
.with_no_client_auth()
.with_single_cert(certs, key)?;
Ok(Arc::new(config))
}

12
rust/crates/rustdns-server/src/lib.rs Normal file
View File

@@ -0,0 +1,12 @@
pub mod udp;
pub mod https;
use rustdns_protocol::packet::DnsPacket;
use std::future::Future;
use std::pin::Pin;
/// Trait for DNS query resolution.
/// The resolver receives a parsed DNS packet and returns a response packet.
pub type DnsResolverFn = Box<
dyn Fn(DnsPacket) -> Pin<Box<dyn Future<Output = DnsPacket> + Send>> + Send + Sync,
>;

95
rust/crates/rustdns-server/src/udp.rs Normal file
View File

@@ -0,0 +1,95 @@
use rustdns_protocol::packet::DnsPacket;
use std::net::SocketAddr;
use std::sync::Arc;
use tokio::net::UdpSocket;
use tracing::{error, info};
/// Configuration for the UDP DNS server.
pub struct UdpServerConfig {
pub bind_addr: SocketAddr,
}
/// A UDP DNS server that delegates resolution to a callback.
pub struct UdpServer {
socket: Arc<UdpSocket>,
shutdown: tokio::sync::watch::Sender<bool>,
}
impl UdpServer {
/// Bind and start the UDP server. The resolver function is called for each query.
pub async fn start<F, Fut>(
config: UdpServerConfig,
resolver: F,
) -> Result<Self, Box<dyn std::error::Error + Send + Sync>>
where
F: Fn(DnsPacket) -> Fut + Send + Sync + 'static,
Fut: std::future::Future<Output = DnsPacket> + Send + 'static,
{
let socket = UdpSocket::bind(config.bind_addr).await?;
let socket = Arc::new(socket);
let (shutdown_tx, shutdown_rx) = tokio::sync::watch::channel(false);
info!("UDP DNS server listening on {}", config.bind_addr);
let recv_socket = socket.clone();
let resolver = Arc::new(resolver);
tokio::spawn(async move {
let mut buf = vec![0u8; 4096];
let mut shutdown_rx = shutdown_rx;
loop {
tokio::select! {
result = recv_socket.recv_from(&mut buf) => {
match result {
Ok((len, src)) => {
let data = buf[..len].to_vec();
let sock = recv_socket.clone();
let resolver = resolver.clone();
tokio::spawn(async move {
match DnsPacket::parse(&data) {
Ok(request) => {
let response = resolver(request).await;
let encoded = response.encode();
if let Err(e) = sock.send_to(&encoded, src).await {
error!("Failed to send UDP response: {}", e);
}
}
Err(e) => {
error!("Failed to parse DNS packet from {}: {}", src, e);
}
}
});
}
Err(e) => {
error!("UDP recv error: {}", e);
}
}
}
_ = shutdown_rx.changed() => {
if *shutdown_rx.borrow() {
info!("UDP DNS server shutting down");
break;
}
}
}
}
});
Ok(UdpServer {
socket,
shutdown: shutdown_tx,
})
}
/// Stop the UDP server.
pub fn stop(&self) {
let _ = self.shutdown.send(true);
}
/// Get the bound local address.
pub fn local_addr(&self) -> std::io::Result<SocketAddr> {
self.socket.local_addr()
}
}

26
rust/crates/rustdns/Cargo.toml Normal file
View File

@@ -0,0 +1,26 @@
[package]
name = "rustdns"
version = "0.1.0"
edition = "2021"
[[bin]]
name = "rustdns"
path = "src/main.rs"
[lib]
name = "rustdns"
path = "src/lib.rs"
[dependencies]
rustdns-protocol = { path = "../rustdns-protocol" }
rustdns-dnssec = { path = "../rustdns-dnssec" }
rustdns-server = { path = "../rustdns-server" }
tokio = { version = "1", features = ["full"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
clap = { version = "4", features = ["derive"] }
tracing = "0.1"
tracing-subscriber = "0.3"
dashmap = "6"
base64 = "0.22"
rustls = { version = "0.23", features = ["ring"] }

125
rust/crates/rustdns/src/ipc_types.rs Normal file
View File

@@ -0,0 +1,125 @@
use serde::{Deserialize, Serialize};
/// IPC request from TypeScript to Rust (via stdin).
#[derive(Debug, Deserialize)]
pub struct IpcRequest {
pub id: String,
pub method: String,
#[serde(default)]
pub params: serde_json::Value,
}
/// IPC response from Rust to TypeScript (via stdout).
#[derive(Debug, Serialize)]
pub struct IpcResponse {
pub id: String,
pub success: bool,
#[serde(skip_serializing_if = "Option::is_none")]
pub result: Option<serde_json::Value>,
#[serde(skip_serializing_if = "Option::is_none")]
pub error: Option<String>,
}
impl IpcResponse {
pub fn ok(id: String, result: serde_json::Value) -> Self {
IpcResponse {
id,
success: true,
result: Some(result),
error: None,
}
}
pub fn err(id: String, error: String) -> Self {
IpcResponse {
id,
success: false,
result: None,
error: Some(error),
}
}
}
/// IPC event from Rust to TypeScript (unsolicited, no id).
#[derive(Debug, Serialize)]
pub struct IpcEvent {
pub event: String,
pub data: serde_json::Value,
}
/// Configuration sent via the "start" command.
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct RustDnsConfig {
pub udp_port: u16,
pub https_port: u16,
#[serde(default = "default_bind")]
pub udp_bind_interface: String,
#[serde(default = "default_bind")]
pub https_bind_interface: String,
#[serde(default)]
pub https_key: String,
#[serde(default)]
pub https_cert: String,
pub dnssec_zone: String,
#[serde(default = "default_algorithm")]
pub dnssec_algorithm: String,
#[serde(default)]
pub primary_nameserver: String,
#[serde(default = "default_true")]
pub enable_localhost_handling: bool,
#[serde(default)]
pub manual_udp_mode: bool,
#[serde(default)]
pub manual_https_mode: bool,
}
fn default_bind() -> String {
"0.0.0.0".to_string()
}
fn default_algorithm() -> String {
"ECDSA".to_string()
}
fn default_true() -> bool {
true
}
/// A DNS question as sent over IPC.
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct IpcDnsQuestion {
pub name: String,
#[serde(rename = "type")]
pub qtype: String,
pub class: String,
}
/// A DNS answer as received from TypeScript over IPC.
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct IpcDnsAnswer {
pub name: String,
#[serde(rename = "type")]
pub rtype: String,
pub class: String,
pub ttl: u32,
pub data: serde_json::Value,
}
/// The dnsQuery event sent from Rust to TypeScript.
#[derive(Debug, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct DnsQueryEvent {
pub correlation_id: String,
pub questions: Vec<IpcDnsQuestion>,
pub dnssec_requested: bool,
}
/// The dnsQueryResult command from TypeScript to Rust.
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct DnsQueryResult {
pub correlation_id: String,
pub answers: Vec<IpcDnsAnswer>,
pub answered: bool,
}

3
rust/crates/rustdns/src/lib.rs Normal file
View File

@@ -0,0 +1,3 @@
pub mod management;
pub mod ipc_types;
pub mod resolver;

36
rust/crates/rustdns/src/main.rs Normal file
View File

@@ -0,0 +1,36 @@
use clap::Parser;
use tracing_subscriber;
mod management;
mod ipc_types;
mod resolver;
#[derive(Parser, Debug)]
#[command(name = "rustdns", about = "Rust DNS server with IPC management")]
struct Cli {
/// Run in management mode (IPC via stdin/stdout)
#[arg(long)]
management: bool,
}
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
// Install the default rustls crypto provider (ring) before any TLS operations
let _ = rustls::crypto::ring::default_provider().install_default();
let cli = Cli::parse();
// Tracing writes to stderr so stdout is reserved for IPC
tracing_subscriber::fmt()
.with_writer(std::io::stderr)
.init();
if cli.management {
management::management_loop().await?;
} else {
eprintln!("rustdns: use --management flag for IPC mode");
std::process::exit(1);
}
Ok(())
}

402
rust/crates/rustdns/src/management.rs Normal file
View File

@@ -0,0 +1,402 @@
use crate::ipc_types::*;
use crate::resolver::DnsResolver;
use dashmap::DashMap;
use rustdns_dnssec::keys::DnssecAlgorithm;
use rustdns_protocol::packet::DnsPacket;
use rustdns_server::https::{self, HttpsServer};
use rustdns_server::udp::{UdpServer, UdpServerConfig};
use std::io::{self, BufRead, Write};
use std::net::SocketAddr;
use std::sync::Arc;
use tokio::sync::{mpsc, oneshot};
use tracing::{error, info};
/// Pending DNS query callbacks waiting for TypeScript response.
type PendingCallbacks = Arc<DashMap<String, oneshot::Sender<DnsQueryResult>>>;
/// Active server state.
struct ServerState {
udp_server: Option<UdpServer>,
https_server: Option<HttpsServer>,
resolver: Arc<DnsResolver>,
}
/// Emit a JSON event on stdout.
fn send_event(event: &str, data: serde_json::Value) {
let evt = IpcEvent {
event: event.to_string(),
data,
};
let json = serde_json::to_string(&evt).unwrap();
let stdout = io::stdout();
let mut lock = stdout.lock();
let _ = writeln!(lock, "{}", json);
let _ = lock.flush();
}
/// Send a JSON response on stdout.
fn send_response(response: &IpcResponse) {
let json = serde_json::to_string(response).unwrap();
let stdout = io::stdout();
let mut lock = stdout.lock();
let _ = writeln!(lock, "{}", json);
let _ = lock.flush();
}
/// Main management loop — reads JSON lines from stdin, dispatches commands.
pub async fn management_loop() -> Result<(), Box<dyn std::error::Error>> {
// Emit ready event
send_event("ready", serde_json::json!({
"version": env!("CARGO_PKG_VERSION")
}));
let pending: PendingCallbacks = Arc::new(DashMap::new());
let mut server_state: Option<ServerState> = None;
// Channel for stdin commands (read in blocking thread)
let (cmd_tx, mut cmd_rx) = mpsc::channel::<String>(256);
// Channel for DNS query events from the server
let (query_tx, mut query_rx) = mpsc::channel::<(String, DnsPacket)>(256);
// Spawn blocking stdin reader
std::thread::spawn(move || {
let stdin = io::stdin();
let reader = stdin.lock();
for line in reader.lines() {
match line {
Ok(l) => {
if cmd_tx.blocking_send(l).is_err() {
break; // channel closed
}
}
Err(_) => break, // stdin closed
}
}
});
loop {
tokio::select! {
cmd = cmd_rx.recv() => {
match cmd {
Some(line) => {
let request: IpcRequest = match serde_json::from_str(&line) {
Ok(r) => r,
Err(e) => {
error!("Failed to parse IPC request: {}", e);
continue;
}
};
let response = handle_request(
&request,
&mut server_state,
&pending,
&query_tx,
).await;
send_response(&response);
}
None => {
// stdin closed — parent process exited
info!("stdin closed, shutting down");
if let Some(ref state) = server_state {
if let Some(ref udp) = state.udp_server {
udp.stop();
}
if let Some(ref https) = state.https_server {
https.stop();
}
}
break;
}
}
}
query = query_rx.recv() => {
if let Some((correlation_id, packet)) = query {
let dnssec = packet.is_dnssec_requested();
let questions = DnsResolver::questions_to_ipc(&packet.questions);
send_event("dnsQuery", serde_json::to_value(&DnsQueryEvent {
correlation_id,
questions,
dnssec_requested: dnssec,
}).unwrap());
}
}
}
}
Ok(())
}
async fn handle_request(
request: &IpcRequest,
server_state: &mut Option<ServerState>,
pending: &PendingCallbacks,
query_tx: &mpsc::Sender<(String, DnsPacket)>,
) -> IpcResponse {
let id = request.id.clone();
match request.method.as_str() {
"ping" => IpcResponse::ok(id, serde_json::json!({ "pong": true })),
"start" => {
handle_start(id, &request.params, server_state, pending, query_tx).await
}
"stop" => {
handle_stop(id, server_state)
}
"dnsQueryResult" => {
handle_query_result(id, &request.params, pending)
}
"updateCerts" => {
// TODO: hot-swap TLS certs (requires rustls cert resolver)
IpcResponse::ok(id, serde_json::json!({}))
}
"processPacket" => {
handle_process_packet(id, &request.params, server_state, pending, query_tx).await
}
_ => IpcResponse::err(id, format!("Unknown method: {}", request.method)),
}
}
async fn handle_start(
id: String,
params: &serde_json::Value,
server_state: &mut Option<ServerState>,
pending: &PendingCallbacks,
query_tx: &mpsc::Sender<(String, DnsPacket)>,
) -> IpcResponse {
let config: RustDnsConfig = match serde_json::from_value(params.get("config").cloned().unwrap_or_default()) {
Ok(c) => c,
Err(e) => return IpcResponse::err(id, format!("Invalid config: {}", e)),
};
let algorithm = DnssecAlgorithm::from_str(&config.dnssec_algorithm)
.unwrap_or(DnssecAlgorithm::EcdsaP256Sha256);
let resolver = Arc::new(DnsResolver::new(
&config.dnssec_zone,
algorithm,
&config.primary_nameserver,
config.enable_localhost_handling,
));
// Start UDP server if not manual mode
let udp_server = if !config.manual_udp_mode {
let addr: SocketAddr = format!("{}:{}", config.udp_bind_interface, config.udp_port)
.parse()
.unwrap_or_else(|_| SocketAddr::from(([0, 0, 0, 0], config.udp_port)));
let resolver_clone = resolver.clone();
let pending_clone = pending.clone();
let query_tx_clone = query_tx.clone();
match UdpServer::start(
UdpServerConfig { bind_addr: addr },
move |packet| {
let resolver = resolver_clone.clone();
let pending = pending_clone.clone();
let query_tx = query_tx_clone.clone();
async move {
resolve_with_callback(packet, &resolver, &pending, &query_tx).await
}
},
).await {
Ok(server) => {
info!("UDP DNS server started on {}", addr);
Some(server)
}
Err(e) => {
return IpcResponse::err(id, format!("Failed to start UDP server: {}", e));
}
}
} else {
None
};
// Start HTTPS server if not manual mode and certs are provided
let https_server = if !config.manual_https_mode && !config.https_cert.is_empty() && !config.https_key.is_empty() {
let addr: SocketAddr = format!("{}:{}", config.https_bind_interface, config.https_port)
.parse()
.unwrap_or_else(|_| SocketAddr::from(([0, 0, 0, 0], config.https_port)));
match https::create_tls_config(&config.https_cert, &config.https_key) {
Ok(tls_config) => {
let resolver_clone = resolver.clone();
let pending_clone = pending.clone();
let query_tx_clone = query_tx.clone();
match HttpsServer::start(
https::HttpsServerConfig {
bind_addr: addr,
tls_config,
},
move |packet| {
let resolver = resolver_clone.clone();
let pending = pending_clone.clone();
let query_tx = query_tx_clone.clone();
async move {
resolve_with_callback(packet, &resolver, &pending, &query_tx).await
}
},
).await {
Ok(server) => {
info!("HTTPS DoH server started on {}", addr);
Some(server)
}
Err(e) => {
return IpcResponse::err(id, format!("Failed to start HTTPS server: {}", e));
}
}
}
Err(e) => {
return IpcResponse::err(id, format!("Failed to configure TLS: {}", e));
}
}
} else {
None
};
*server_state = Some(ServerState {
udp_server,
https_server,
resolver,
});
send_event("started", serde_json::json!({}));
IpcResponse::ok(id, serde_json::json!({}))
}
fn handle_stop(id: String, server_state: &mut Option<ServerState>) -> IpcResponse {
if let Some(ref state) = server_state {
if let Some(ref udp) = state.udp_server {
udp.stop();
}
if let Some(ref https) = state.https_server {
https.stop();
}
}
*server_state = None;
send_event("stopped", serde_json::json!({}));
IpcResponse::ok(id, serde_json::json!({}))
}
fn handle_query_result(
id: String,
params: &serde_json::Value,
pending: &PendingCallbacks,
) -> IpcResponse {
let result: DnsQueryResult = match serde_json::from_value(params.clone()) {
Ok(r) => r,
Err(e) => return IpcResponse::err(id, format!("Invalid query result: {}", e)),
};
let correlation_id = result.correlation_id.clone();
if let Some((_, sender)) = pending.remove(&correlation_id) {
let _ = sender.send(result);
IpcResponse::ok(id, serde_json::json!({ "resolved": true }))
} else {
IpcResponse::err(id, format!("No pending query for correlationId: {}", correlation_id))
}
}
async fn handle_process_packet(
id: String,
params: &serde_json::Value,
server_state: &mut Option<ServerState>,
pending: &PendingCallbacks,
query_tx: &mpsc::Sender<(String, DnsPacket)>,
) -> IpcResponse {
let packet_b64 = match params.get("packet").and_then(|v| v.as_str()) {
Some(p) => p,
None => return IpcResponse::err(id, "Missing packet parameter".to_string()),
};
let packet_data = match base64_decode(packet_b64) {
Ok(d) => d,
Err(e) => return IpcResponse::err(id, format!("Invalid base64: {}", e)),
};
let state = match server_state {
Some(ref s) => s,
None => return IpcResponse::err(id, "Server not started".to_string()),
};
let request = match DnsPacket::parse(&packet_data) {
Ok(p) => p,
Err(e) => return IpcResponse::err(id, format!("Failed to parse packet: {}", e)),
};
let response = resolve_with_callback(request, &state.resolver, pending, query_tx).await;
let encoded = response.encode();
use base64::Engine;
let response_b64 = base64::engine::general_purpose::STANDARD.encode(&encoded);
IpcResponse::ok(id, serde_json::json!({ "packet": response_b64 }))
}
/// Core resolution: try local first, then IPC callback to TypeScript.
async fn resolve_with_callback(
packet: DnsPacket,
resolver: &DnsResolver,
pending: &PendingCallbacks,
query_tx: &mpsc::Sender<(String, DnsPacket)>,
) -> DnsPacket {
// Try local resolution first (localhost, DNSKEY)
if let Some(response) = resolver.try_local_resolution(&packet) {
return response;
}
// Need IPC callback to TypeScript
let correlation_id = format!("dns_{}", uuid_v4());
let (tx, rx) = oneshot::channel();
pending.insert(correlation_id.clone(), tx);
// Send the query event to the management loop for emission
if query_tx.send((correlation_id.clone(), packet.clone())).await.is_err() {
pending.remove(&correlation_id);
return DnsPacket::new_response(&packet);
}
// Wait for the result with a timeout
match tokio::time::timeout(std::time::Duration::from_secs(10), rx).await {
Ok(Ok(result)) => {
resolver.build_response_from_answers(&packet, &result.answers, result.answered)
}
Ok(Err(_)) => {
// Sender dropped
pending.remove(&correlation_id);
resolver.build_response_from_answers(&packet, &[], false)
}
Err(_) => {
// Timeout
pending.remove(&correlation_id);
resolver.build_response_from_answers(&packet, &[], false)
}
}
}
/// Simple UUID v4 generation (no external dep needed).
fn uuid_v4() -> String {
use std::time::{SystemTime, UNIX_EPOCH};
let nanos = SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_nanos();
let random: u64 = nanos as u64 ^ (std::process::id() as u64 * 0x517cc1b727220a95);
format!("{:016x}{:016x}", nanos as u64, random)
}
fn base64_decode(input: &str) -> Result<Vec<u8>, String> {
use base64::Engine;
base64::engine::general_purpose::STANDARD
.decode(input)
.map_err(|e| e.to_string())
}

258
rust/crates/rustdns/src/resolver.rs Normal file
View File

@@ -0,0 +1,258 @@
use crate::ipc_types::{IpcDnsAnswer, IpcDnsQuestion};
use rustdns_protocol::packet::*;
use rustdns_protocol::types::QType;
use rustdns_dnssec::keys::{DnssecAlgorithm, DnssecKeyPair};
use rustdns_dnssec::keytag::compute_key_tag;
use rustdns_dnssec::signing::generate_rrsig;
use std::collections::HashMap;
/// DNS resolver that builds responses from IPC callback answers.
pub struct DnsResolver {
pub zone: String,
pub primary_nameserver: String,
pub enable_localhost: bool,
pub key_pair: DnssecKeyPair,
pub dnskey_rdata: Vec<u8>,
pub key_tag: u16,
}
impl DnsResolver {
pub fn new(zone: &str, algorithm: DnssecAlgorithm, primary_nameserver: &str, enable_localhost: bool) -> Self {
let key_pair = DnssecKeyPair::generate(algorithm);
let dnskey_rdata = key_pair.dnskey_rdata();
let key_tag = compute_key_tag(&dnskey_rdata);
let primary_ns = if primary_nameserver.is_empty() {
format!("ns1.{}", zone)
} else {
primary_nameserver.to_string()
};
DnsResolver {
zone: zone.to_string(),
primary_nameserver: primary_ns,
enable_localhost,
key_pair,
dnskey_rdata,
key_tag,
}
}
/// Check if a query can be answered locally (localhost, DNSKEY).
/// Returns Some(answers) if handled locally, None if it needs IPC callback.
pub fn try_local_resolution(&self, packet: &DnsPacket) -> Option<DnsPacket> {
let dnssec = packet.is_dnssec_requested();
let mut response = DnsPacket::new_response(packet);
let mut all_local = true;
for q in &packet.questions {
if let Some(records) = self.try_local_question(q, dnssec) {
for r in records {
response.answers.push(r);
}
} else {
all_local = false;
}
}
if all_local && !packet.questions.is_empty() {
Some(response)
} else {
None
}
}
fn try_local_question(&self, q: &DnsQuestion, dnssec: bool) -> Option<Vec<DnsRecord>> {
let name_lower = q.name.to_lowercase();
let name_trimmed = name_lower.strip_suffix('.').unwrap_or(&name_lower);
// DNSKEY queries for our zone
if dnssec && q.qtype == QType::DNSKEY && name_trimmed == self.zone.to_lowercase() {
let record = build_record(&q.name, QType::DNSKEY, 3600, self.dnskey_rdata.clone());
let mut records = vec![record.clone()];
// Sign the DNSKEY record
let rrsig = generate_rrsig(&self.key_pair, &self.zone, &[record], &q.name, QType::DNSKEY);
records.push(rrsig);
return Some(records);
}
// Localhost handling (RFC 6761)
if self.enable_localhost {
if name_trimmed == "localhost" {
match q.qtype {
QType::A => {
return Some(vec![build_record(&q.name, QType::A, 0, encode_a("127.0.0.1"))]);
}
QType::AAAA => {
return Some(vec![build_record(&q.name, QType::AAAA, 0, encode_aaaa("::1"))]);
}
_ => {}
}
}
// Reverse localhost
if name_trimmed == "1.0.0.127.in-addr.arpa" && q.qtype == QType::PTR {
return Some(vec![build_record(&q.name, QType::PTR, 0, encode_name_rdata("localhost."))]);
}
}
None
}
/// Build a response from IPC callback answers.
pub fn build_response_from_answers(
&self,
request: &DnsPacket,
answers: &[IpcDnsAnswer],
answered: bool,
) -> DnsPacket {
let dnssec = request.is_dnssec_requested();
let mut response = DnsPacket::new_response(request);
if answered && !answers.is_empty() {
// Group answers by (name, type) for DNSSEC RRset signing
let mut rrset_map: HashMap<(String, QType), Vec<DnsRecord>> = HashMap::new();
for answer in answers {
let rtype = QType::from_str(&answer.rtype);
let rdata = self.encode_answer_rdata(rtype, &answer.data);
let record = build_record(&answer.name, rtype, answer.ttl, rdata);
response.answers.push(record.clone());
if dnssec {
let key = (answer.name.clone(), rtype);
rrset_map.entry(key).or_default().push(record);
}
}
// Sign RRsets
if dnssec {
for ((name, rtype), rrset) in &rrset_map {
let rrsig = generate_rrsig(&self.key_pair, &self.zone, rrset, name, *rtype);
response.answers.push(rrsig);
}
}
} else {
// No handler matched — return SOA
for q in &request.questions {
let soa_rdata = encode_soa(
&self.primary_nameserver,
&format!("hostmaster.{}", self.zone),
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs() as u32,
3600,
600,
604800,
86400,
);
let soa_record = build_record(&q.name, QType::SOA, 3600, soa_rdata);
response.answers.push(soa_record.clone());
if dnssec {
let rrsig = generate_rrsig(&self.key_pair, &self.zone, &[soa_record], &q.name, QType::SOA);
response.answers.push(rrsig);
}
}
}
response
}
/// Process a raw DNS packet (for manual/passthrough mode).
/// Returns local answers or None if IPC callback is needed.
pub fn process_packet_local(&self, data: &[u8]) -> Result<Option<Vec<u8>>, String> {
let packet = DnsPacket::parse(data)?;
if let Some(response) = self.try_local_resolution(&packet) {
Ok(Some(response.encode()))
} else {
Ok(None)
}
}
fn encode_answer_rdata(&self, rtype: QType, data: &serde_json::Value) -> Vec<u8> {
match rtype {
QType::A => {
if let Some(ip) = data.as_str() {
encode_a(ip)
} else {
vec![]
}
}
QType::AAAA => {
if let Some(ip) = data.as_str() {
encode_aaaa(ip)
} else {
vec![]
}
}
QType::TXT => {
if let Some(arr) = data.as_array() {
let strings: Vec<String> = arr.iter().filter_map(|v| v.as_str().map(|s| s.to_string())).collect();
encode_txt(&strings)
} else if let Some(s) = data.as_str() {
encode_txt(&[s.to_string()])
} else {
vec![]
}
}
QType::NS | QType::CNAME | QType::PTR => {
if let Some(name) = data.as_str() {
encode_name_rdata(name)
} else {
vec![]
}
}
QType::MX => {
let preference = data.get("preference").and_then(|v| v.as_u64()).unwrap_or(10) as u16;
let exchange = data.get("exchange").and_then(|v| v.as_str()).unwrap_or("");
encode_mx(preference, exchange)
}
QType::SRV => {
let priority = data.get("priority").and_then(|v| v.as_u64()).unwrap_or(0) as u16;
let weight = data.get("weight").and_then(|v| v.as_u64()).unwrap_or(0) as u16;
let port = data.get("port").and_then(|v| v.as_u64()).unwrap_or(0) as u16;
let target = data.get("target").and_then(|v| v.as_str()).unwrap_or("");
encode_srv(priority, weight, port, target)
}
QType::SOA => {
let mname = data.get("mname").and_then(|v| v.as_str()).unwrap_or("");
let rname = data.get("rname").and_then(|v| v.as_str()).unwrap_or("");
let serial = data.get("serial").and_then(|v| v.as_u64()).unwrap_or(0) as u32;
let refresh = data.get("refresh").and_then(|v| v.as_u64()).unwrap_or(3600) as u32;
let retry = data.get("retry").and_then(|v| v.as_u64()).unwrap_or(600) as u32;
let expire = data.get("expire").and_then(|v| v.as_u64()).unwrap_or(604800) as u32;
let minimum = data.get("minimum").and_then(|v| v.as_u64()).unwrap_or(86400) as u32;
encode_soa(mname, rname, serial, refresh, retry, expire, minimum)
}
_ => {
// For unknown types, try to interpret as raw base64
if let Some(b64) = data.as_str() {
base64_decode(b64).unwrap_or_default()
} else {
vec![]
}
}
}
}
/// Convert questions to IPC format.
pub fn questions_to_ipc(questions: &[DnsQuestion]) -> Vec<IpcDnsQuestion> {
questions
.iter()
.map(|q| IpcDnsQuestion {
name: q.name.clone(),
qtype: q.qtype.as_str().to_string(),
class: "IN".to_string(),
})
.collect()
}
}
fn base64_decode(input: &str) -> Result<Vec<u8>, String> {
use base64::Engine;
base64::engine::general_purpose::STANDARD
.decode(input)
.map_err(|e| e.to_string())
}

123
test/example.primaryns.ts Normal file
View File

@@ -0,0 +1,123 @@
import * as smartdns from '../ts_server/index.js';
// Example: Using custom primary nameserver
async function exampleCustomNameserver() {
const dnsServer = new smartdns.DnsServer({
httpsKey: 'your-https-key',
httpsCert: 'your-https-cert',
httpsPort: 8443,
udpPort: 8053,
dnssecZone: 'example.com',
// Custom primary nameserver for SOA records
primaryNameserver: 'ns-primary.example.com',
});
// Register some handlers
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns-primary.example.com',
};
});
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns-secondary.example.com',
};
});
await dnsServer.start();
console.log('DNS server started with custom primary nameserver');
// SOA records will now use 'ns-primary.example.com' instead of 'ns1.example.com'
}
// Example: DNSSEC with multiple records (proper RRset signing)
async function exampleDnssecMultipleRecords() {
const dnsServer = new smartdns.DnsServer({
httpsKey: 'your-https-key',
httpsCert: 'your-https-cert',
httpsPort: 8443,
udpPort: 8053,
dnssecZone: 'secure.example.com',
});
// Register multiple A records for round-robin
const ips = ['192.168.1.10', '192.168.1.11', '192.168.1.12'];
for (const ip of ips) {
dnsServer.registerHandler('www.secure.example.com', ['A'], (question) => {
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: ip,
};
});
}
await dnsServer.start();
console.log('DNS server started with DNSSEC and multiple A records');
// When queried with DNSSEC enabled, all 3 A records will be signed together
// as a single RRset with one RRSIG record (not 3 separate RRSIGs)
}
// Example: Multiple TXT records for various purposes
async function exampleMultipleTxtRecords() {
const dnsServer = new smartdns.DnsServer({
httpsKey: 'your-https-key',
httpsCert: 'your-https-cert',
httpsPort: 8443,
udpPort: 8053,
dnssecZone: 'example.com',
});
// SPF record
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: ['v=spf1 include:_spf.google.com ~all'],
};
});
// DKIM record
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...'],
};
});
// Domain verification
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: ['google-site-verification=1234567890abcdef'],
};
});
await dnsServer.start();
console.log('DNS server started with multiple TXT records');
// All TXT records will be returned when queried
}
// Export examples for reference
export { exampleCustomNameserver, exampleDnssecMultipleRecords, exampleMultipleTxtRecords };

373
test/test.dnssec.rrset.ts Normal file
View File

@@ -0,0 +1,373 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8500;
let nextUdpPort = 8501;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
await server.stop();
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
}
}
tap.test('DNSSEC should sign entire RRset together, not individual records', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple NS record handlers
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns1.example.com',
};
});
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns2.example.com',
};
});
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns3.example.com',
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
// Create query with DNSSEC requested
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'NS',
class: 'IN',
},
],
additionals: [
{
name: '.',
type: 'OPT',
ttl: 0,
flags: 0x8000, // DO bit set for DNSSEC
data: Buffer.alloc(0),
} as any,
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
// Count NS and RRSIG records
const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
console.log('NS records returned:', nsAnswers.length);
console.log('RRSIG records returned:', rrsigAnswers.length);
// Should have 3 NS records and only 1 RRSIG for the entire RRset
expect(nsAnswers.length).toEqual(3);
expect(rrsigAnswers.length).toEqual(1);
// Verify RRSIG covers NS type
const rrsigData = (rrsigAnswers[0] as any).data;
expect(rrsigData.typeCovered).toEqual('NS');
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('SOA records should be properly serialized and returned', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
// Query for a non-existent subdomain to trigger SOA response
const query = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
// Should have SOA record in response
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
const soaData = (soaAnswers[0] as any).data;
console.log('SOA record:', soaData);
expect(soaData.mname).toEqual('ns1.example.com');
expect(soaData.rname).toEqual('hostmaster.example.com');
expect(typeof soaData.serial).toEqual('number');
expect(soaData.refresh).toEqual(3600);
expect(soaData.retry).toEqual(600);
expect(soaData.expire).toEqual(604800);
expect(soaData.minimum).toEqual(86400);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Primary nameserver should be configurable', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
primaryNameserver: 'custom-ns.example.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
// Query for SOA record
const query = dnsPacket.encode({
type: 'query',
id: 3,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'SOA',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
// Should have SOA record with custom nameserver
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
const soaData = (soaAnswers[0] as any).data;
console.log('SOA mname:', soaData.mname);
// Should use the custom primary nameserver
expect(soaData.mname).toEqual('custom-ns.example.com');
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Multiple A records should have single RRSIG when DNSSEC is enabled', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple A records for round-robin
const ips = ['10.0.0.1', '10.0.0.2', '10.0.0.3'];
for (const ip of ips) {
dnsServer.registerHandler('www.example.com', ['A'], (question) => {
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: ip,
};
});
}
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 4,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'www.example.com',
type: 'A',
class: 'IN',
},
],
additionals: [
{
name: '.',
type: 'OPT',
ttl: 0,
flags: 0x8000, // DO bit set for DNSSEC
data: Buffer.alloc(0),
} as any,
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
console.log('A records:', aAnswers.length);
console.log('RRSIG records:', rrsigAnswers.length);
// Should have 3 A records and only 1 RRSIG
expect(aAnswers.length).toEqual(3);
expect(rrsigAnswers.length).toEqual(1);
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

228
test/test.fixes.simple.ts Normal file
View File

@@ -0,0 +1,228 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8600;
let nextUdpPort = 8601;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
await server.stop();
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
}
}
tap.test('SOA records should be returned for non-existent domains', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('✅ SOA response received');
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
const soaData = (soaAnswers[0] as any).data;
console.log('✅ SOA mname:', soaData.mname);
console.log('✅ SOA rname:', soaData.rname);
expect(soaData.mname).toEqual('ns1.example.com');
expect(soaData.rname).toEqual('hostmaster.example.com');
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Primary nameserver should be configurable', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
primaryNameserver: 'custom-ns.example.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
const soaData = (soaAnswers[0] as any).data;
console.log('✅ Custom primary nameserver:', soaData.mname);
expect(soaData.mname).toEqual('custom-ns.example.com');
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Default primary nameserver with FQDN', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
primaryNameserver: 'ns.example.com.', // FQDN with trailing dot
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 3,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
const soaData = (soaAnswers[0] as any).data;
console.log('✅ FQDN primary nameserver:', soaData.mname);
expect(soaData.mname).toEqual('ns.example.com');
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

485
test/test.multiplerecords.fixed.ts Normal file
View File

@@ -0,0 +1,485 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8300;
let nextUdpPort = 8301;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
const stopPromise = server.stop();
const timeoutPromise = new Promise((_, reject) => {
setTimeout(() => reject(new Error('Stop operation timed out')), 5000);
});
await Promise.race([stopPromise, timeoutPromise]);
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
// Force close if normal stop fails
try {
// @ts-ignore - accessing private properties for emergency cleanup
if (server.httpsServer) {
(server as any).httpsServer.close();
(server as any).httpsServer = null;
}
// @ts-ignore - accessing private properties for emergency cleanup
if (server.udpServer) {
(server as any).udpServer.close();
(server as any).udpServer = null;
}
} catch (forceError) {
console.log('Force cleanup error:', forceError.message || forceError);
}
}
}
tap.test('should now return multiple NS records after fix', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple NS record handlers for the same domain
dnsServer.registerHandler('example.com', ['NS'], (question) => {
console.log('First NS handler called');
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns1.example.com',
};
});
dnsServer.registerHandler('example.com', ['NS'], (question) => {
console.log('Second NS handler called');
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns2.example.com',
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'NS',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('Fixed behavior - NS records returned:', dnsResponse.answers.length);
console.log('NS records:', dnsResponse.answers.filter(a => a.type === 'NS').map(a => a.data));
// FIXED BEHAVIOR: Should now return both NS records
const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
expect(nsAnswers.length).toEqual(2);
expect(nsAnswers.map(a => a.data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('should support round-robin DNS with multiple A records', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple A record handlers for round-robin DNS
const ips = ['10.0.0.1', '10.0.0.2', '10.0.0.3'];
for (const ip of ips) {
dnsServer.registerHandler('www.example.com', ['A'], (question) => {
console.log(`A handler for ${ip} called`);
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: ip,
};
});
}
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'www.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('Fixed behavior - A records returned:', dnsResponse.answers.length);
console.log('A records:', dnsResponse.answers.filter(a => a.type === 'A').map(a => a.data));
// FIXED BEHAVIOR: Should return all A records for round-robin
const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
expect(aAnswers.length).toEqual(3);
expect(aAnswers.map(a => a.data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('should return multiple TXT records', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple TXT record handlers
const txtRecords = [
['v=spf1 include:_spf.example.com ~all'],
['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...'],
['google-site-verification=1234567890abcdef']
];
for (const data of txtRecords) {
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
console.log(`TXT handler for ${data[0].substring(0, 20)}... called`);
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: data,
};
});
}
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 3,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'TXT',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('Fixed behavior - TXT records returned:', dnsResponse.answers.length);
const txtAnswers = dnsResponse.answers.filter(a => a.type === 'TXT');
console.log('TXT records count:', txtAnswers.length);
// FIXED BEHAVIOR: Should return all TXT records
expect(txtAnswers.length).toEqual(3);
// Check that all expected records are present
const txtData = txtAnswers.map(a => a.data[0].toString());
expect(txtData.some(d => d.includes('spf1'))).toEqual(true);
expect(txtData.some(d => d.includes('DKIM1'))).toEqual(true);
expect(txtData.some(d => d.includes('google-site-verification'))).toEqual(true);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('should handle DNSSEC correctly with multiple records', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple NS record handlers
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns1.example.com',
};
});
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns2.example.com',
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
// Create query with DNSSEC requested
const query = dnsPacket.encode({
type: 'query',
id: 4,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'NS',
class: 'IN',
},
],
additionals: [
{
name: '.',
type: 'OPT',
ttl: 0,
flags: 0x8000, // DO bit set for DNSSEC
data: Buffer.alloc(0),
} as any,
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('DNSSEC response - total answers:', dnsResponse.answers.length);
const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
console.log('NS records:', nsAnswers.length);
console.log('RRSIG records:', rrsigAnswers.length);
// With DNSSEC RRset signing, all NS records share ONE RRSIG (entire RRset signed together)
expect(nsAnswers.length).toEqual(2);
expect(rrsigAnswers.length).toEqual(1);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('should not return duplicate records when same handler registered multiple times', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register the same handler multiple times (edge case)
const sameHandler = (question) => {
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: '10.0.0.1',
};
};
dnsServer.registerHandler('test.example.com', ['A'], sameHandler);
dnsServer.registerHandler('test.example.com', ['A'], sameHandler);
dnsServer.registerHandler('test.example.com', ['A'], sameHandler);
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 5,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'test.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
console.log('Duplicate handler test - A records returned:', aAnswers.length);
// Even though handler is registered 3 times, we get 3 identical records
// This is expected behavior - the DNS server doesn't deduplicate
expect(aAnswers.length).toEqual(3);
expect(aAnswers.every(a => a.data === '10.0.0.1')).toEqual(true);
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

279
test/test.multiplerecords.simple.ts Normal file
View File

@@ -0,0 +1,279 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8400;
let nextUdpPort = 8401;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
await server.stop();
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
}
}
tap.test('Multiple NS records should work correctly', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple NS record handlers
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns1.example.com',
};
});
dnsServer.registerHandler('example.com', ['NS'], (question) => {
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns2.example.com',
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'NS',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('✅ NS records returned:', dnsResponse.answers.length);
console.log('✅ NS records:', dnsResponse.answers.map(a => (a as any).data));
// SUCCESS: Multiple NS records are now returned
expect(dnsResponse.answers.length).toEqual(2);
expect(dnsResponse.answers.map(a => (a as any).data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Multiple A records for round-robin DNS', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple A records
const ips = ['10.0.0.1', '10.0.0.2', '10.0.0.3'];
for (const ip of ips) {
dnsServer.registerHandler('www.example.com', ['A'], (question) => {
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: ip,
};
});
}
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'www.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('✅ A records returned:', dnsResponse.answers.length);
console.log('✅ A records:', dnsResponse.answers.map(a => (a as any).data));
// SUCCESS: All A records for round-robin DNS
expect(dnsResponse.answers.length).toEqual(3);
expect(dnsResponse.answers.map(a => (a as any).data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Multiple TXT records', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple TXT records
const txtRecords = [
['v=spf1 include:_spf.example.com ~all'],
['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...'],
['google-site-verification=1234567890abcdef']
];
for (const data of txtRecords) {
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: data,
};
});
}
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 3,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'TXT',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('✅ TXT records returned:', dnsResponse.answers.length);
// SUCCESS: All TXT records are returned
expect(dnsResponse.answers.length).toEqual(3);
const txtData = dnsResponse.answers.map(a => (a as any).data[0].toString());
expect(txtData.some(d => d.includes('spf1'))).toEqual(true);
expect(txtData.some(d => d.includes('DKIM1'))).toEqual(true);
expect(txtData.some(d => d.includes('google-site-verification'))).toEqual(true);
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

424
test/test.multiplerecords.ts Normal file
View File

@@ -0,0 +1,424 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8200;
let nextUdpPort = 8201;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
const stopPromise = server.stop();
const timeoutPromise = new Promise((_, reject) => {
setTimeout(() => reject(new Error('Stop operation timed out')), 5000);
});
await Promise.race([stopPromise, timeoutPromise]);
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
// Force close if normal stop fails
try {
// @ts-ignore - accessing private properties for emergency cleanup
if (server.httpsServer) {
(server as any).httpsServer.close();
(server as any).httpsServer = null;
}
// @ts-ignore - accessing private properties for emergency cleanup
if (server.udpServer) {
(server as any).udpServer.close();
(server as any).udpServer = null;
}
} catch (forceError) {
console.log('Force cleanup error:', forceError.message || forceError);
}
}
}
tap.test('should properly return multiple NS records', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple NS record handlers for the same domain
dnsServer.registerHandler('example.com', ['NS'], (question) => {
console.log('First NS handler called');
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns1.example.com',
};
});
dnsServer.registerHandler('example.com', ['NS'], (question) => {
console.log('Second NS handler called');
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: 'ns2.example.com',
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'NS',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('Current behavior - NS records returned:', dnsResponse.answers.length);
console.log('NS records:', dnsResponse.answers.map(a => (a as any).data));
// Should return all registered NS records
expect(dnsResponse.answers.length).toEqual(2);
const nsData = dnsResponse.answers.map(a => (a as any).data).sort();
expect(nsData).toEqual(['ns1.example.com', 'ns2.example.com']);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('should properly return multiple A records for round-robin DNS', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple A record handlers for round-robin DNS
dnsServer.registerHandler('www.example.com', ['A'], (question) => {
console.log('First A handler called');
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: '10.0.0.1',
};
});
dnsServer.registerHandler('www.example.com', ['A'], (question) => {
console.log('Second A handler called');
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: '10.0.0.2',
};
});
dnsServer.registerHandler('www.example.com', ['A'], (question) => {
console.log('Third A handler called');
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: '10.0.0.3',
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'www.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('Current behavior - A records returned:', dnsResponse.answers.length);
console.log('A records:', dnsResponse.answers.map(a => (a as any).data));
// Should return all registered A records for round-robin DNS
expect(dnsResponse.answers.length).toEqual(3);
const aData = dnsResponse.answers.map(a => (a as any).data).sort();
expect(aData).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('should properly return multiple TXT records', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register multiple TXT record handlers
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
console.log('SPF handler called');
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: ['v=spf1 include:_spf.example.com ~all'],
};
});
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
console.log('DKIM handler called');
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...'],
};
});
dnsServer.registerHandler('example.com', ['TXT'], (question) => {
console.log('Domain verification handler called');
return {
name: question.name,
type: 'TXT',
class: 'IN',
ttl: 3600,
data: ['google-site-verification=1234567890abcdef'],
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 3,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'TXT',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
client.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.close();
});
client.on('error', (err) => {
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('Current behavior - TXT records returned:', dnsResponse.answers.length);
console.log('TXT records:', dnsResponse.answers.map(a => (a as any).data));
// Should return all registered TXT records
expect(dnsResponse.answers.length).toEqual(3);
const txtData = dnsResponse.answers.map(a => (a as any).data[0]).sort();
expect(txtData[0]).toInclude('google-site-verification');
expect(txtData[1]).toInclude('DKIM1');
expect(txtData[2]).toInclude('spf1');
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('should rotate between records when using a single handler', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Pattern: Create an array to store NS records and rotate through them
const nsRecords = ['ns1.example.com', 'ns2.example.com'];
let nsIndex = 0;
// This pattern rotates between records on successive queries
dnsServer.registerHandler('example.com', ['NS'], (question) => {
const record = nsRecords[nsIndex % nsRecords.length];
nsIndex++;
return {
name: question.name,
type: 'NS',
class: 'IN',
ttl: 3600,
data: record,
};
});
await dnsServer.start();
// Make two queries to show the workaround behavior
const client1 = dgram.createSocket('udp4');
const client2 = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 4,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'NS',
class: 'IN',
},
],
});
const responsePromise1 = new Promise<dnsPacket.Packet>((resolve, reject) => {
client1.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client1.close();
});
client1.send(query, udpPort, 'localhost');
});
const responsePromise2 = new Promise<dnsPacket.Packet>((resolve, reject) => {
client2.on('message', (msg) => {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client2.close();
});
setTimeout(() => {
client2.send(query, udpPort, 'localhost');
}, 100);
});
const [response1, response2] = await Promise.all([responsePromise1, responsePromise2]);
console.log('First query NS:', (response1.answers[0] as any).data);
console.log('Second query NS:', (response2.answers[0] as any).data);
// This pattern rotates between records but returns one at a time per query
expect(response1.answers.length).toEqual(1);
expect(response2.answers.length).toEqual(1);
expect((response1.answers[0] as any).data).toEqual('ns1.example.com');
expect((response2.answers[0] as any).data).toEqual('ns2.example.com');
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

8
test/test.server.ts
View File

@@ -193,13 +193,13 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
try {
// @ts-ignore - accessing private properties for emergency cleanup
if (server.httpsServer) {
server.httpsServer.close();
server.httpsServer = null;
(server as any).httpsServer.close();
(server as any).httpsServer = null;
}
// @ts-ignore - accessing private properties for emergency cleanup
if (server.udpServer) {
server.udpServer.close();
server.udpServer = null;
(server as any).udpServer.close();
(server as any).udpServer = null;
}
} catch (forceError) {
console.log('Force cleanup error:', forceError.message || forceError);

250
test/test.soa.debug.ts Normal file
View File

@@ -0,0 +1,250 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8700;
let nextUdpPort = 8701;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
await server.stop();
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
}
}
tap.test('Direct SOA query should work without timeout', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register a SOA handler directly
dnsServer.registerHandler('example.com', ['SOA'], (question) => {
console.log('Direct SOA handler called for:', question.name);
return {
name: question.name,
type: 'SOA',
class: 'IN',
ttl: 3600,
data: {
mname: 'ns1.example.com',
rname: 'hostmaster.example.com',
serial: 2024010101,
refresh: 3600,
retry: 600,
expire: 604800,
minimum: 86400,
},
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'SOA',
class: 'IN',
},
],
});
console.log('Sending SOA query for example.com');
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out after 5 seconds'));
}, 5000);
client.on('message', (msg) => {
clearTimeout(timeout);
try {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
} catch (e) {
reject(new Error(`Failed to decode response: ${e.message}`));
}
client.close();
});
client.on('error', (err) => {
clearTimeout(timeout);
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
clearTimeout(timeout);
reject(err);
client.close();
}
});
});
try {
const dnsResponse = await responsePromise;
console.log('SOA response received:', dnsResponse.answers.length, 'answers');
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
const soaData = (soaAnswers[0] as any).data;
console.log('SOA data:', soaData);
expect(soaData.mname).toEqual('ns1.example.com');
expect(soaData.serial).toEqual(2024010101);
} catch (error) {
console.error('SOA query failed:', error);
throw error;
}
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('SOA query with DNSSEC should work', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
additionals: [
{
name: '.',
type: 'OPT',
ttl: 0,
flags: 0x8000, // DO bit set for DNSSEC
data: Buffer.alloc(0),
} as any,
],
});
console.log('Sending query for nonexistent domain with DNSSEC');
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out after 5 seconds'));
}, 5000);
client.on('message', (msg) => {
clearTimeout(timeout);
try {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
} catch (e) {
reject(new Error(`Failed to decode response: ${e.message}`));
}
client.close();
});
client.on('error', (err) => {
clearTimeout(timeout);
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
clearTimeout(timeout);
reject(err);
client.close();
}
});
});
try {
const dnsResponse = await responsePromise;
console.log('Response received with', dnsResponse.answers.length, 'answers');
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
console.log('SOA records found:', soaAnswers.length);
console.log('RRSIG records found:', rrsigAnswers.length);
// Must have exactly 1 SOA for the zone
expect(soaAnswers.length).toEqual(1);
// Must have at least 1 RRSIG covering the SOA
expect(rrsigAnswers.length).toBeGreaterThan(0);
// Verify RRSIG covers SOA type
const rrsigData = (rrsigAnswers[0] as any).data;
expect(rrsigData.typeCovered).toEqual('SOA');
// Verify SOA data fields are present and valid
const soaData = (soaAnswers[0] as any).data;
console.log('SOA data:', soaData);
expect(soaData.mname).toStartWith('ns'); // nameserver
expect(soaData.rname).toInclude('.'); // responsible party email
expect(typeof soaData.serial).toEqual('number');
expect(soaData.refresh).toBeGreaterThan(0);
expect(soaData.retry).toBeGreaterThan(0);
expect(soaData.expire).toBeGreaterThan(0);
expect(soaData.minimum).toBeGreaterThan(0);
} catch (error) {
console.error('SOA query with DNSSEC failed:', error);
throw error;
}
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

271
test/test.soa.final.ts Normal file
View File

@@ -0,0 +1,271 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8900;
let nextUdpPort = 8901;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
await server.stop();
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
}
}
tap.test('SOA records work for all scenarios', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
primaryNameserver: 'ns.example.com',
});
// Register SOA handler for the zone
dnsServer.registerHandler('example.com', ['SOA'], (question) => {
console.log('SOA handler called for:', question.name);
return {
name: question.name,
type: 'SOA',
class: 'IN',
ttl: 3600,
data: {
mname: 'ns.example.com',
rname: 'admin.example.com',
serial: 2024010101,
refresh: 3600,
retry: 600,
expire: 604800,
minimum: 86400,
},
};
});
// Register some other records
dnsServer.registerHandler('example.com', ['A'], (question) => {
return {
name: question.name,
type: 'A',
class: 'IN',
ttl: 300,
data: '192.168.1.1',
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
// Test 1: Direct SOA query
console.log('\n--- Test 1: Direct SOA query ---');
const soaQuery = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'SOA',
class: 'IN',
},
],
});
let response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out'));
}, 2000);
client.on('message', (msg) => {
clearTimeout(timeout);
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.removeAllListeners();
});
client.on('error', (err) => {
clearTimeout(timeout);
reject(err);
client.close();
});
client.send(soaQuery, udpPort, 'localhost');
});
console.log('Direct SOA query response:', response.answers.length, 'answers');
expect(response.answers.length).toEqual(1);
expect(response.answers[0].type).toEqual('SOA');
// Test 2: Non-existent domain query (should get SOA in authority)
console.log('\n--- Test 2: Non-existent domain query ---');
const nxQuery = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
});
response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out'));
}, 2000);
client.on('message', (msg) => {
clearTimeout(timeout);
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.removeAllListeners();
});
client.send(nxQuery, udpPort, 'localhost');
});
console.log('Non-existent query response:', response.answers.length, 'answers');
const soaAnswers = response.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
// Test 3: SOA with DNSSEC
console.log('\n--- Test 3: SOA query with DNSSEC ---');
const dnssecQuery = dnsPacket.encode({
type: 'query',
id: 3,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'SOA',
class: 'IN',
},
],
additionals: [
{
name: '.',
type: 'OPT',
ttl: 0,
flags: 0x8000, // DO bit
data: Buffer.alloc(0),
} as any,
],
});
response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out'));
}, 2000);
client.on('message', (msg) => {
clearTimeout(timeout);
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
client.removeAllListeners();
});
client.send(dnssecQuery, udpPort, 'localhost');
});
console.log('DNSSEC SOA query response:', response.answers.length, 'answers');
console.log('Answer types:', response.answers.map(a => a.type));
expect(response.answers.length).toEqual(2); // SOA + RRSIG
expect(response.answers.some(a => a.type === 'SOA')).toEqual(true);
expect(response.answers.some(a => a.type === 'RRSIG')).toEqual(true);
client.close();
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Configurable primary nameserver works correctly', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'test.com',
primaryNameserver: 'master.test.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.test.com',
type: 'A',
class: 'IN',
},
],
});
const response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out'));
}, 2000);
client.on('message', (msg) => {
clearTimeout(timeout);
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
});
client.on('error', (err) => {
clearTimeout(timeout);
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost');
});
const soaAnswers = response.answers.filter(a => a.type === 'SOA');
console.log('✅ Configured primary nameserver:', (soaAnswers[0] as any).data.mname);
expect((soaAnswers[0] as any).data.mname).toEqual('master.test.com');
client.close();
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

201
test/test.soa.simple.ts Normal file
View File

@@ -0,0 +1,201 @@
import * as plugins from '../ts_server/plugins.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Port management for tests
let nextHttpsPort = 8800;
let nextUdpPort = 8801;
function getUniqueHttpsPort() {
return nextHttpsPort++;
}
function getUniqueUdpPort() {
return nextUdpPort++;
}
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
await server.stop();
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
}
}
tap.test('Simple SOA query without DNSSEC', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
// Query for a non-existent domain WITHOUT DNSSEC
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out'));
}, 2000);
client.on('message', (msg) => {
clearTimeout(timeout);
try {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
} catch (e) {
reject(e);
}
client.close();
});
client.on('error', (err) => {
clearTimeout(timeout);
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
clearTimeout(timeout);
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('✅ SOA response without DNSSEC received');
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
const soaData = (soaAnswers[0] as any).data;
console.log('✅ SOA data:', soaData.mname);
await stopServer(dnsServer);
dnsServer = null;
});
tap.test('Direct SOA query without DNSSEC', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = getUniqueUdpPort();
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: getUniqueHttpsPort(),
udpPort: udpPort,
dnssecZone: 'example.com',
});
// Register direct SOA handler
dnsServer.registerHandler('example.com', ['SOA'], (question) => {
return {
name: question.name,
type: 'SOA',
class: 'IN',
ttl: 3600,
data: {
mname: 'ns1.example.com',
rname: 'hostmaster.example.com',
serial: 2024010101,
refresh: 3600,
retry: 600,
expire: 604800,
minimum: 86400,
},
};
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
const query = dnsPacket.encode({
type: 'query',
id: 2,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'example.com',
type: 'SOA',
class: 'IN',
},
],
});
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
reject(new Error('Query timed out'));
}, 2000);
client.on('message', (msg) => {
clearTimeout(timeout);
try {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
} catch (e) {
reject(e);
}
client.close();
});
client.on('error', (err) => {
clearTimeout(timeout);
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
clearTimeout(timeout);
reject(err);
client.close();
}
});
});
const dnsResponse = await responsePromise;
console.log('✅ Direct SOA query succeeded');
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
expect(soaAnswers.length).toEqual(1);
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

128
test/test.soa.timeout.ts Normal file
View File

@@ -0,0 +1,128 @@
import { expect, tap } from '@git.zone/tstest/tapbundle';
import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
import * as dnsPacket from 'dns-packet';
import * as dgram from 'dgram';
import * as smartdns from '../ts_server/index.js';
let dnsServer: smartdns.DnsServer;
// Cleanup function for servers
async function stopServer(server: smartdns.DnsServer | null | undefined) {
if (!server) {
return;
}
try {
await server.stop();
} catch (e) {
console.log('Handled error when stopping server:', e.message || e);
}
}
tap.test('Test SOA with DNSSEC timing', async () => {
const httpsData = await tapNodeTools.createHttpsCert();
const udpPort = 8754;
dnsServer = new smartdns.DnsServer({
httpsKey: httpsData.key,
httpsCert: httpsData.cert,
httpsPort: 8755,
udpPort: udpPort,
dnssecZone: 'example.com',
});
await dnsServer.start();
const client = dgram.createSocket('udp4');
// Test with DNSSEC enabled
const query = dnsPacket.encode({
type: 'query',
id: 1,
flags: dnsPacket.RECURSION_DESIRED,
questions: [
{
name: 'nonexistent.example.com',
type: 'A',
class: 'IN',
},
],
additionals: [
{
name: '.',
type: 'OPT',
ttl: 0,
flags: 0x8000, // DO bit set for DNSSEC
data: Buffer.alloc(0),
} as any,
],
});
const startTime = Date.now();
console.log('Sending DNSSEC query for nonexistent domain...');
const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
const timeout = setTimeout(() => {
client.close();
const elapsed = Date.now() - startTime;
reject(new Error(`Query timed out after ${elapsed}ms`));
}, 3000);
client.on('message', (msg) => {
clearTimeout(timeout);
const elapsed = Date.now() - startTime;
console.log(`Response received in ${elapsed}ms`);
try {
const dnsResponse = dnsPacket.decode(msg);
resolve(dnsResponse);
} catch (e) {
reject(new Error(`Failed to decode response: ${e.message}`));
}
client.close();
});
client.on('error', (err) => {
clearTimeout(timeout);
const elapsed = Date.now() - startTime;
console.error(`Error after ${elapsed}ms:`, err);
reject(err);
client.close();
});
client.send(query, udpPort, 'localhost', (err) => {
if (err) {
clearTimeout(timeout);
reject(err);
client.close();
}
});
});
try {
const dnsResponse = await responsePromise;
console.log('Response details:');
console.log('- Answers:', dnsResponse.answers.length);
console.log('- Answer types:', dnsResponse.answers.map(a => a.type));
const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
console.log('- SOA records:', soaAnswers.length);
console.log('- RRSIG records:', rrsigAnswers.length);
// With the fix, SOA should have its RRSIG
if (soaAnswers.length > 0) {
expect(rrsigAnswers.length).toBeGreaterThan(0);
}
} catch (error) {
console.error('DNSSEC SOA query failed:', error);
throw error;
}
await stopServer(dnsServer);
dnsServer = null;
});
export default tap.start();

2
ts/00_commitinfo_data.ts
View File

@@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@push.rocks/smartdns',
version: '7.2.0',
version: '7.7.1',
description: 'A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.'
}

148
ts_client/classes.dnsclient.ts
View File

@@ -22,7 +22,13 @@ export const makeNodeProcessUseDnsProvider = (providerArg: TDnsProvider) => {
}
};
export interface ISmartDnsConstructorOptions {}
export type TResolutionStrategy = 'doh' | 'system' | 'prefer-system';
export interface ISmartDnsConstructorOptions {
strategy?: TResolutionStrategy; // default: 'prefer-system'
allowDohFallback?: boolean; // allow fallback to DoH if system fails (default: true)
timeoutMs?: number; // optional per-query timeout
}
export interface IDnsJsonResponse {
Status: number;
@@ -43,6 +49,9 @@ export interface IDnsJsonResponse {
export class Smartdns {
public dnsServerIp: string;
public dnsServerPort: number;
private strategy: TResolutionStrategy = 'prefer-system';
private allowDohFallback = true;
private timeoutMs: number | undefined;
public dnsTypeMap: { [key: string]: number } = {
A: 1,
@@ -55,7 +64,12 @@ export class Smartdns {
/**
* constructor for class dnsly
*/
constructor(optionsArg: ISmartDnsConstructorOptions) {}
constructor(optionsArg: ISmartDnsConstructorOptions) {
this.strategy = optionsArg?.strategy || 'prefer-system';
this.allowDohFallback =
optionsArg?.allowDohFallback === undefined ? true : optionsArg.allowDohFallback;
this.timeoutMs = optionsArg?.timeoutMs;
}
/**
* check a dns record until it has propagated to Google DNS
@@ -133,44 +147,112 @@ export class Smartdns {
recordTypeArg: plugins.tsclass.network.TDnsRecordType,
retriesCounterArg = 20
): Promise<plugins.tsclass.network.IDnsRecord[]> {
const requestUrl = `https://cloudflare-dns.com/dns-query?name=${recordNameArg}&type=${recordTypeArg}&do=1`;
const returnArray: plugins.tsclass.network.IDnsRecord[] = [];
const getResponseBody = async (counterArg = 0): Promise<IDnsJsonResponse> => {
const response = await plugins.smartrequest.request(requestUrl, {
method: 'GET',
headers: {
accept: 'application/dns-json',
},
});
const responseBody: IDnsJsonResponse = response.body;
if (responseBody?.Status !== 0 && counterArg < retriesCounterArg) {
await plugins.smartdelay.delayFor(500);
return getResponseBody(counterArg + 1);
} else {
return responseBody;
const trySystem = async (): Promise<plugins.tsclass.network.IDnsRecord[]> => {
// Prefer dns.lookup for A/AAAA so hosts file and OS resolver are honored
if (recordTypeArg === 'A' || recordTypeArg === 'AAAA') {
const family = recordTypeArg === 'A' ? 4 : 6;
const addresses = await new Promise<{ address: string }[]>((resolve, reject) => {
const timer = this.timeoutMs
? setTimeout(() => reject(new Error('system lookup timeout')), this.timeoutMs)
: null;
plugins.dns.lookup(
recordNameArg,
{ family, all: true },
(err, result) => {
if (timer) clearTimeout(timer as any);
if (err) return reject(err);
resolve(result || []);
}
);
});
return addresses.map((a) => ({
name: recordNameArg,
type: recordTypeArg,
dnsSecEnabled: false,
value: a.address,
}));
}
if (recordTypeArg === 'TXT') {
const records = await new Promise<string[][]>((resolve, reject) => {
const timer = this.timeoutMs
? setTimeout(() => reject(new Error('system resolveTxt timeout')), this.timeoutMs)
: null;
plugins.dns.resolveTxt(recordNameArg, (err, res) => {
if (timer) clearTimeout(timer as any);
if (err) return reject(err);
resolve(res || []);
});
});
return records.map((chunks) => ({
name: recordNameArg,
type: 'TXT',
dnsSecEnabled: false,
value: chunks.join(''),
}));
}
return [];
};
const responseBody = await getResponseBody();
if (!responseBody.Answer || !typeof responseBody.Answer[Symbol.iterator]) {
const tryDoh = async (): Promise<plugins.tsclass.network.IDnsRecord[]> => {
const requestUrl = `https://cloudflare-dns.com/dns-query?name=${recordNameArg}&type=${recordTypeArg}&do=1`;
const returnArray: plugins.tsclass.network.IDnsRecord[] = [];
const getResponseBody = async (counterArg = 0): Promise<IDnsJsonResponse> => {
const response = await plugins.smartrequest.request(requestUrl, {
method: 'GET',
headers: {
accept: 'application/dns-json',
},
timeout: this.timeoutMs,
});
const responseBody: IDnsJsonResponse = response.body;
if (responseBody?.Status !== 0 && counterArg < retriesCounterArg) {
await plugins.smartdelay.delayFor(500);
return getResponseBody(counterArg + 1);
} else {
return responseBody;
}
};
const responseBody = await getResponseBody();
if (!responseBody || !responseBody.Answer || !typeof (responseBody.Answer as any)[Symbol.iterator]) {
return returnArray;
}
for (const dnsEntry of responseBody.Answer) {
if (typeof dnsEntry.data === 'string' && dnsEntry.data.startsWith('"') && dnsEntry.data.endsWith('"')) {
dnsEntry.data = dnsEntry.data.replace(/^\"(.*)\"$/, '$1');
}
if (dnsEntry.name.endsWith('.')) {
dnsEntry.name = dnsEntry.name.substring(0, dnsEntry.name.length - 1);
}
returnArray.push({
name: dnsEntry.name,
type: this.convertDnsTypeNumberToTypeName(dnsEntry.type),
dnsSecEnabled: !!responseBody.AD,
value: dnsEntry.data,
});
}
return returnArray;
}
for (const dnsEntry of responseBody.Answer) {
if (dnsEntry.data.startsWith('"') && dnsEntry.data.endsWith('"')) {
dnsEntry.data = dnsEntry.data.replace(/^"(.*)"$/, '$1');
};
try {
if (this.strategy === 'system') {
return await trySystem();
}
if (dnsEntry.name.endsWith('.')) {
dnsEntry.name = dnsEntry.name.substring(0, dnsEntry.name.length - 1);
if (this.strategy === 'doh') {
return await tryDoh();
}
returnArray.push({
name: dnsEntry.name,
type: this.convertDnsTypeNumberToTypeName(dnsEntry.type),
dnsSecEnabled: responseBody.AD,
value: dnsEntry.data,
});
// prefer-system
try {
const sysRes = await trySystem();
if (sysRes.length > 0) return sysRes;
return this.allowDohFallback ? await tryDoh() : [];
} catch (err) {
return this.allowDohFallback ? await tryDoh() : [];
}
} catch (finalErr) {
return [];
}
// console.log(responseBody);
return returnArray;
}
/**
* gets a record using nodejs dns resolver

189
ts_server/classes.dnssec.ts
View File

@@ -1,189 +0,0 @@
// Import necessary plugins from plugins.ts
import * as plugins from './plugins.js';
interface DnssecZone {
zone: string;
algorithm: 'ECDSA' | 'ED25519' | 'RSA';
keySize: number;
days: number;
}
interface DnssecKeyPair {
privateKey: string;
publicKey: string;
}
export class DnsSec {
private zone: DnssecZone;
private keyPair: DnssecKeyPair;
private ec?: plugins.elliptic.ec; // For ECDSA algorithms
private eddsa?: plugins.elliptic.eddsa; // For EdDSA algorithms
constructor(zone: DnssecZone) {
this.zone = zone;
// Initialize the appropriate cryptographic instance based on the algorithm
switch (this.zone.algorithm) {
case 'ECDSA':
this.ec = new plugins.elliptic.ec('p256'); // Use P-256 curve for ECDSA
break;
case 'ED25519':
this.eddsa = new plugins.elliptic.eddsa('ed25519');
break;
case 'RSA':
// RSA implementation would go here
throw new Error('RSA algorithm is not yet implemented.');
default:
throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
}
// Generate the key pair
this.keyPair = this.generateKeyPair();
}
private generateKeyPair(): DnssecKeyPair {
let privateKey: string;
let publicKey: string;
switch (this.zone.algorithm) {
case 'ECDSA':
if (!this.ec) throw new Error('EC instance is not initialized.');
const ecKeyPair = this.ec.genKeyPair();
privateKey = ecKeyPair.getPrivate('hex');
publicKey = ecKeyPair.getPublic(false, 'hex'); // Uncompressed format
break;
case 'ED25519':
if (!this.eddsa) throw new Error('EdDSA instance is not initialized.');
const secret = plugins.crypto.randomBytes(32);
const edKeyPair = this.eddsa.keyFromSecret(secret);
privateKey = edKeyPair.getSecret('hex');
publicKey = edKeyPair.getPublic('hex');
break;
case 'RSA':
// RSA key generation would be implemented here
throw new Error('RSA key generation is not yet implemented.');
default:
throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
}
return { privateKey, publicKey };
}
public getAlgorithmNumber(): number {
switch (this.zone.algorithm) {
case 'ECDSA':
return 13; // ECDSAP256SHA256
case 'ED25519':
return 15;
case 'RSA':
return 8; // RSASHA256
default:
throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
}
}
public signData(data: Buffer): Buffer {
switch (this.zone.algorithm) {
case 'ECDSA':
if (!this.ec) throw new Error('EC instance is not initialized.');
const ecKeyPair = this.ec.keyFromPrivate(this.keyPair.privateKey, 'hex');
const ecSignature = ecKeyPair.sign(plugins.crypto.createHash('sha256').update(data).digest());
return Buffer.from(ecSignature.toDER());
case 'ED25519':
if (!this.eddsa) throw new Error('EdDSA instance is not initialized.');
const edKeyPair = this.eddsa.keyFromSecret(Buffer.from(this.keyPair.privateKey, 'hex'));
// ED25519 doesn't need a separate hash function as it includes the hashing internally
const edSignature = edKeyPair.sign(data);
// Convert the signature to the correct format for Buffer.from
return Buffer.from(edSignature.toBytes());
case 'RSA':
throw new Error('RSA signing is not yet implemented.');
default:
throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
}
}
private generateDNSKEY(): Buffer {
const flags = 256; // 256 indicates a Zone Signing Key (ZSK)
const protocol = 3; // Must be 3 according to RFC
const algorithm = this.getAlgorithmNumber();
let publicKeyData: Buffer;
switch (this.zone.algorithm) {
case 'ECDSA':
if (!this.ec) throw new Error('EC instance is not initialized.');
const ecPublicKey = this.ec.keyFromPublic(this.keyPair.publicKey, 'hex').getPublic();
const x = ecPublicKey.getX().toArrayLike(Buffer, 'be', 32);
const y = ecPublicKey.getY().toArrayLike(Buffer, 'be', 32);
publicKeyData = Buffer.concat([x, y]);
break;
case 'ED25519':
publicKeyData = Buffer.from(this.keyPair.publicKey, 'hex');
break;
case 'RSA':
// RSA public key extraction would go here
throw new Error('RSA public key extraction is not yet implemented.');
default:
throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
}
// Construct the DNSKEY RDATA
const dnskeyRdata = Buffer.concat([
Buffer.from([flags >> 8, flags & 0xff]), // Flags (2 bytes)
Buffer.from([protocol]), // Protocol (1 byte)
Buffer.from([algorithm]), // Algorithm (1 byte)
publicKeyData, // Public Key
]);
return dnskeyRdata;
}
private computeKeyTag(dnskeyRdata: Buffer): number {
// Key Tag calculation as per RFC 4034, Appendix B
let acc = 0;
for (let i = 0; i < dnskeyRdata.length; i++) {
acc += i & 1 ? dnskeyRdata[i] : dnskeyRdata[i] << 8;
}
acc += (acc >> 16) & 0xffff;
return acc & 0xffff;
}
private getDNSKEYRecord(): string {
const dnskeyRdata = this.generateDNSKEY();
const flags = 256;
const protocol = 3;
const algorithm = this.getAlgorithmNumber();
const publicKeyData = dnskeyRdata.slice(4); // Skip flags, protocol, algorithm bytes
const publicKeyBase64 = publicKeyData.toString('base64');
return `${this.zone.zone}. IN DNSKEY ${flags} ${protocol} ${algorithm} ${publicKeyBase64}`;
}
public getDSRecord(): string {
const dnskeyRdata = this.generateDNSKEY();
const keyTag = this.computeKeyTag(dnskeyRdata);
const algorithm = this.getAlgorithmNumber();
const digestType = 2; // SHA-256
const digest = plugins.crypto
.createHash('sha256')
.update(dnskeyRdata)
.digest('hex')
.toUpperCase();
return `${this.zone.zone}. IN DS ${keyTag} ${algorithm} ${digestType} ${digest}`;
}
public getKeyPair(): DnssecKeyPair {
return this.keyPair;
}
public getDsAndKeyPair(): { keyPair: DnssecKeyPair; dsRecord: string; dnskeyRecord: string } {
const dsRecord = this.getDSRecord();
const dnskeyRecord = this.getDNSKEYRecord();
return { keyPair: this.keyPair, dsRecord, dnskeyRecord };
}
}

1025
ts_server/classes.dnsserver.ts
View File

File diff suppressed because it is too large Load Diff

236
ts_server/classes.rustdnsbridge.ts Normal file
View File

@@ -0,0 +1,236 @@
import * as plugins from './plugins.js';
// IPC command map for type-safe bridge communication
export type TDnsCommands = {
start: {
params: { config: IRustDnsConfig };
result: Record<string, never>;
};
stop: {
params: Record<string, never>;
result: Record<string, never>;
};
dnsQueryResult: {
params: {
correlationId: string;
answers: IIpcDnsAnswer[];
answered: boolean;
};
result: { resolved: boolean };
};
updateCerts: {
params: { httpsKey: string; httpsCert: string };
result: Record<string, never>;
};
processPacket: {
params: { packet: string }; // base64-encoded DNS packet
result: { packet: string }; // base64-encoded DNS response
};
ping: {
params: Record<string, never>;
result: { pong: boolean };
};
};
export interface IRustDnsConfig {
udpPort: number;
httpsPort: number;
udpBindInterface: string;
httpsBindInterface: string;
httpsKey: string;
httpsCert: string;
dnssecZone: string;
dnssecAlgorithm: string;
primaryNameserver: string;
enableLocalhostHandling: boolean;
manualUdpMode: boolean;
manualHttpsMode: boolean;
}
export interface IIpcDnsQuestion {
name: string;
type: string;
class: string;
}
export interface IIpcDnsAnswer {
name: string;
type: string;
class: string;
ttl: number;
data: any;
}
export interface IDnsQueryEvent {
correlationId: string;
questions: IIpcDnsQuestion[];
dnssecRequested: boolean;
}
/**
* Bridge to the Rust DNS binary via smartrust IPC.
*/
export class RustDnsBridge extends plugins.events.EventEmitter {
private bridge: InstanceType<typeof plugins.smartrust.RustBridge<TDnsCommands>>;
constructor() {
super();
const packageDir = plugins.path.resolve(
plugins.path.dirname(new URL(import.meta.url).pathname),
'..'
);
// Determine platform suffix for dist_rust binaries (matches tsrust naming)
const platformSuffix = getPlatformSuffix();
const localPaths: string[] = [];
// dist_rust/ candidates (tsrust cross-compiled output, platform-specific)
if (platformSuffix) {
localPaths.push(plugins.path.join(packageDir, 'dist_rust', `rustdns_${platformSuffix}`));
}
// dist_rust/ without suffix (native build)
localPaths.push(plugins.path.join(packageDir, 'dist_rust', 'rustdns'));
// Local dev build paths
localPaths.push(plugins.path.join(packageDir, 'rust', 'target', 'release', 'rustdns'));
localPaths.push(plugins.path.join(packageDir, 'rust', 'target', 'debug', 'rustdns'));
this.bridge = new plugins.smartrust.RustBridge<TDnsCommands>({
binaryName: 'rustdns',
cliArgs: ['--management'],
requestTimeoutMs: 30_000,
readyTimeoutMs: 10_000,
localPaths,
searchSystemPath: false,
});
// Forward events from inner bridge
this.bridge.on('management:dnsQuery', (data: IDnsQueryEvent) => {
this.emit('dnsQuery', data);
});
this.bridge.on('management:started', () => {
this.emit('started');
});
this.bridge.on('management:stopped', () => {
this.emit('stopped');
});
this.bridge.on('management:error', (data: { message: string }) => {
this.emit('error', new Error(data.message));
});
this.bridge.on('stderr', (line: string) => {
// Forward Rust tracing output as debug logs
if (line.trim()) {
console.log(`[rustdns] ${line}`);
}
});
}
/**
* Spawn the Rust binary and wait for readiness.
*/
public async spawn(): Promise<boolean> {
return this.bridge.spawn();
}
/**
* Start the DNS server with given config.
*/
public async startServer(config: IRustDnsConfig): Promise<void> {
await this.bridge.sendCommand('start', { config });
}
/**
* Stop the DNS server.
*/
public async stopServer(): Promise<void> {
await this.bridge.sendCommand('stop', {});
}
/**
* Send a DNS query result back to Rust.
*/
public async sendQueryResult(
correlationId: string,
answers: IIpcDnsAnswer[],
answered: boolean
): Promise<void> {
await this.bridge.sendCommand('dnsQueryResult', {
correlationId,
answers,
answered,
});
}
/**
* Update TLS certificates.
*/
public async updateCerts(httpsKey: string, httpsCert: string): Promise<void> {
await this.bridge.sendCommand('updateCerts', { httpsKey, httpsCert });
}
/**
* Process a raw DNS packet via IPC (for manual/passthrough mode).
* Returns the DNS response as a Buffer.
*/
public async processPacket(packet: Buffer): Promise<Buffer> {
const result = await this.bridge.sendCommand('processPacket', {
packet: packet.toString('base64'),
});
return Buffer.from(result.packet, 'base64');
}
/**
* Ping the Rust binary for health check.
*/
public async ping(): Promise<boolean> {
const result = await this.bridge.sendCommand('ping', {});
return result.pong;
}
/**
* Kill the Rust process.
*/
public kill(): void {
this.bridge.kill();
}
/**
* Whether the bridge is running.
*/
public get running(): boolean {
return this.bridge.running;
}
}
/**
* Get the tsrust platform suffix for the current platform.
* Matches the naming convention used by @git.zone/tsrust.
*/
function getPlatformSuffix(): string | null {
const platform = process.platform;
const arch = process.arch;
const platformMap: Record<string, string> = {
'linux': 'linux',
'darwin': 'macos',
'win32': 'windows',
};
const archMap: Record<string, string> = {
'x64': 'amd64',
'arm64': 'arm64',
};
const p = platformMap[platform];
const a = archMap[arch];
if (p && a) {
return `${p}_${a}`;
}
return null;
}

3
ts_server/index.ts
View File

@@ -1 +1,2 @@
export * from './classes.dnsserver.js';
export * from './classes.dnsserver.js';
export * from './classes.rustdnsbridge.js';

17
ts_server/plugins.ts
View File

@@ -1,34 +1,33 @@
// node native
import crypto from 'crypto';
import dgram from 'dgram';
import { EventEmitter } from 'events';
import fs from 'fs';
import http from 'http';
import https from 'https';
import * as net from 'net';
import * as path from 'path';
export {
crypto,
fs,
http,
https,
dgram,
fs,
net,
path,
}
export const events = { EventEmitter };
// @push.rocks scope
import * as smartpromise from '@push.rocks/smartpromise';
import * as smartrust from '@push.rocks/smartrust';
export {
smartpromise,
smartrust,
}
// third party
import elliptic from 'elliptic';
import * as dnsPacket from 'dns-packet';
import * as minimatch from 'minimatch';
export {
dnsPacket,
elliptic,
minimatch,
}