v7.9.2

.smartconfig.json

@@ -0,0 +1,34 @@
+{
+  "@git.zone/tsrust": {
+    "targets": [
+      "linux_amd64",
+      "linux_arm64"
+    ]
+  },
+  "@git.zone/cli": {
+    "projectType": "npm",
+    "module": {
+      "githost": "code.foss.global",
+      "gitscope": "push.rocks",
+      "gitrepo": "smartdns",
+      "description": "A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.",
+      "npmPackagename": "@push.rocks/smartdns",
+      "license": "MIT",
+      "projectDomain": "push.rocks"
+    },
+    "release": {
+      "registries": [
+        "https://verdaccio.lossless.digital",
+        "https://registry.npmjs.org"
+      ],
+      "accessLevel": "public"
+    }
+  },
+  "@git.zone/tsdoc": {
+    "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+  },
+  "@ship.zone/szci": {
+    "npmGlobalTools": [],
+    "npmRegistryUrl": "registry.npmjs.org"
+  }
+}

changelog.md

@@ -1,5 +1,47 @@
 # Changelog
 
+## 2026-04-30 - 7.9.2 - fix(test)
+stabilize DNS availability tests with deterministic records and shorter retries
+
+- replace the external TXT record lookup with a localhost A record check to avoid network-dependent test behavior
+- reduce retry count and delay in failing checkUntilAvailable assertions to keep test runs faster and more predictable
+
+## 2026-04-30 - 7.9.1 - fix(client,testing,build)
+improve TypeScript compatibility for DNS client parsing and test suite
+
+- fix TXT record value parsing in the DNS client by normalizing array-based resolver results into strings
+- tighten TypeScript configuration with noImplicitAny and explicit Node types
+- update tests to use the current tstest server-side API and add stricter null-safe typings for decoded DNS answers and server lifecycle handling
+- refresh build and package metadata, including dependency upgrades and published config files
+
+## 2026-02-20 - 7.9.0 - feat(server)
+emit query events with questions, answered status, response time and timestamp
+
+- Added IDnsQueryCompletedEvent interface with questions, answered, responseTimeMs and timestamp fields
+- DnsServer now extends EventEmitter and calls super() in constructor
+- DnsServer emits a 'query' event on incoming dnsQuery from Rust bridge, providing answers and timing
+- Imported IIpcDnsQuestion and used TypeScript 'satisfies' for the emitted event object
+
+## 2026-02-12 - 7.8.1 - fix(server)
+Require Rust bridge for DNS packet processing; remove synchronous TypeScript fallback; change handler API to accept IDnsQuestion and adjust query API
+
+- Breaking API change: handler signature changed from dns-packet.Question to IDnsQuestion — update registered handlers accordingly.
+- Synchronous TypeScript fallback (processDnsRequest/processRawDnsPacket) removed; callers must start the server/bridge and use the async bridge path (processRawDnsPacketAsync) or the new resolveQuery API.
+- processRawDnsPacketAsync now throws if the Rust bridge is not started — call start() before processing packets.
+- Public/test API rename/adjustments: processDnsRequest usages were replaced with resolveQuery and tests updated to use tapbundle_serverside.
+- Dependency changes: moved dns-packet to devDependencies, bumped @push.rocks/smartenv to ^6.0.0, updated @git.zone/* build/test tools and @types/node; removed @push.rocks/smartrequest from client plugin exports.
+- Plugins: dns-packet removed from exported plugins and minimatch kept; ts_client no longer exports smartrequest.
+
+## 2026-02-11 - 7.8.0 - feat(rustdns-client)
+add Rust DNS client binary and TypeScript IPC bridge to enable UDP and DoH resolution, RDATA decoding, and DNSSEC AD/rcode support
+
+- Add new rust crate rustdns-client with IPC management, DoH and UDP resolvers (resolver_doh.rs, resolver_udp.rs) and ipc types
+- Integrate Rust client via a new TypeScript RustDnsClientBridge that spawns rustdns-client and communicates over JSON IPC
+- Expose Rust-based resolution from Smartdns (new strategies: 'udp', 'prefer-udp'; DoH routed through Rust) and add destroy() to clean up the bridge
+- Extend rustdns-protocol with RDATA decoders (A, AAAA, TXT, MX, NS/CNAME/PTR name decoding, SOA, SRV), AD flag detection and rcode() helper
+- Update tests to cover Rust/UDP/DoH paths, DNSSEC AD flag, SOA round-trip and performance assertions
+- Update packaging/readmes and build metadata (npmextra.json, ts_client/readme, ts_server/readme) and Cargo manifests/lock for the new crate
+
 ## 2026-02-11 - 7.7.1 - fix(tests)
 prune flaky SOA integration and performance tests that rely on external tools and long-running signing/serialization checks
 

license

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Task Venture Capital GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

npmextra.json

@@ -1,5 +1,11 @@
 {
-  "gitzone": {
+  "@git.zone/tsrust": {
+    "targets": [
+      "linux_amd64",
+      "linux_arm64"
+    ]
+  },
+  "@git.zone/cli": {
     "projectType": "npm",
     "module": {
       "githost": "code.foss.global",
@@ -27,20 +33,20 @@
         "Domain Propagation",
         "DNS Server"
       ]
+    },
+    "release": {
+      "registries": [
+        "https://verdaccio.lossless.digital",
+        "https://registry.npmjs.org"
+      ],
+      "accessLevel": "public"
     }
   },
-  "npmci": {
-    "npmGlobalTools": [],
-    "npmAccessLevel": "public",
-    "npmRegistryUrl": "registry.npmjs.org"
-  },
-  "@git.zone/tsrust": {
-    "targets": [
-      "linux_amd64",
-      "linux_arm64"
-    ]
-  },
-  "tsdoc": {
+  "@git.zone/tsdoc": {
     "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+  },
+  "@ship.zone/szci": {
+    "npmGlobalTools": [],
+    "npmRegistryUrl": "registry.npmjs.org"
   }
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartdns",
-  "version": "7.7.1",
+  "version": "7.9.2",
   "private": false,
   "description": "A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.",
   "exports": {
@@ -10,7 +10,7 @@
   },
   "scripts": {
     "test": "(tstest test/ --verbose --timeout 60)",
-    "build": "(tsbuild tsfolders --web --allowimplicitany) && (tsrust)",
+    "build": "(tsbuild tsfolders --web) && (tsrust)",
     "buildDocs": "tsdoc"
   },
   "repository": {
@@ -44,22 +44,22 @@
   "homepage": "https://code.foss.global/push.rocks/smartdns",
   "dependencies": {
     "@push.rocks/smartdelay": "^3.0.1",
-    "@push.rocks/smartenv": "^5.0.13",
+    "@push.rocks/smartenv": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartrequest": "^2.1.0",
-    "@push.rocks/smartrust": "^1.2.0",
-    "@tsclass/tsclass": "^9.2.0",
-    "@types/dns-packet": "^5.6.5",
+    "@push.rocks/smartrust": "^1.4.0",
+    "@tsclass/tsclass": "^9.5.1",
     "acme-client": "^5.4.0",
-    "dns-packet": "^5.6.1",
-    "minimatch": "^10.0.1"
+    "minimatch": "^10.2.5"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^2.6.8",
-    "@git.zone/tsrun": "^1.3.3",
-    "@git.zone/tsrust": "^1.3.0",
-    "@git.zone/tstest": "^2.3.7",
-    "@types/node": "^22.15.21"
+    "@git.zone/tsbuild": "^4.4.0",
+    "@git.zone/tsrun": "^2.0.2",
+    "@git.zone/tsrust": "^1.3.2",
+    "@git.zone/tstest": "^3.6.3",
+    "@types/dns-packet": "^5.6.5",
+    "@types/lodash.clonedeep": "^4.5.9",
+    "@types/node": "^25.6.0",
+    "dns-packet": "^5.6.1"
   },
   "files": [
     "ts/**/*",
@@ -70,6 +70,8 @@
     "dist_ts_web/**/*",
     "assets/**/*",
     "cli.js",
+    ".smartconfig.json",
+    "license",
     "npmextra.json",
     "readme.md"
   ],
@@ -77,5 +79,5 @@
     "last 1 chrome versions"
   ],
   "type": "module",
-  "packageManager": "pnpm@10.10.0+sha512.d615db246fe70f25dcfea6d8d73dee782ce23e2245e3c4f6f888249fb568149318637dca73c2c5c8ef2a4ca0d5657fb9567188bfab47f566d1ee6ce987815c39"
+  "packageManager": "pnpm@10.28.2"
 }

readme.hints.md

@@ -94,11 +94,10 @@ DNS Query -> Rust (UDP/HTTPS) -> Parse packet
 
 ## Key Dependencies
 
-- `dns-packet`: DNS packet encoding/decoding (wire format)
-- `elliptic`: Cryptographic operations for DNSSEC
+- `dns-packet`: DNS packet encoding/decoding (wire format, used by TS fallback path)
 - `acme-client`: Let's Encrypt certificate automation
 - `minimatch`: Glob pattern matching for domains
-- `@push.rocks/smartrequest`: HTTP client for DoH queries
+- `@push.rocks/smartrust`: TypeScript-to-Rust IPC bridge
 - `@tsclass/tsclass`: Type definitions for DNS records
 
 ## Testing Insights

rust/Cargo.toml

@@ -5,4 +5,5 @@ members = [
     "crates/rustdns-protocol",
     "crates/rustdns-server",
     "crates/rustdns-dnssec",
+    "crates/rustdns-client",
 ]

rust/crates/rustdns-client/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "rustdns-client"
+version = "0.1.0"
+edition = "2021"
+
+[[bin]]
+name = "rustdns-client"
+path = "src/main.rs"
+
+[dependencies]
+rustdns-protocol = { path = "../rustdns-protocol" }
+tokio = { version = "1", features = ["full"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+clap = { version = "4", features = ["derive"] }
+tracing = "0.1"
+tracing-subscriber = "0.3"
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }
+rustls = { version = "0.23", features = ["ring"] }
+rand = "0.9"

rust/crates/rustdns-client/src/ipc_types.rs

@@ -0,0 +1,94 @@
+use serde::{Deserialize, Serialize};
+
+/// IPC request from TypeScript to Rust (via stdin).
+#[derive(Debug, Deserialize)]
+pub struct IpcRequest {
+    pub id: String,
+    pub method: String,
+    #[serde(default)]
+    pub params: serde_json::Value,
+}
+
+/// IPC response from Rust to TypeScript (via stdout).
+#[derive(Debug, Serialize)]
+pub struct IpcResponse {
+    pub id: String,
+    pub success: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub result: Option<serde_json::Value>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub error: Option<String>,
+}
+
+impl IpcResponse {
+    pub fn ok(id: String, result: serde_json::Value) -> Self {
+        IpcResponse {
+            id,
+            success: true,
+            result: Some(result),
+            error: None,
+        }
+    }
+
+    pub fn err(id: String, error: String) -> Self {
+        IpcResponse {
+            id,
+            success: false,
+            result: None,
+            error: Some(error),
+        }
+    }
+}
+
+/// IPC event from Rust to TypeScript (unsolicited, no id).
+#[derive(Debug, Serialize)]
+pub struct IpcEvent {
+    pub event: String,
+    pub data: serde_json::Value,
+}
+
+/// Parameters for a DNS resolve request.
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ResolveParams {
+    pub name: String,
+    pub record_type: String,
+    pub protocol: String,
+    #[serde(default = "default_server_addr")]
+    pub server_addr: String,
+    #[serde(default = "default_doh_url")]
+    pub doh_url: String,
+    #[serde(default = "default_timeout_ms")]
+    pub timeout_ms: u64,
+}
+
+fn default_server_addr() -> String {
+    "1.1.1.1:53".to_string()
+}
+
+fn default_doh_url() -> String {
+    "https://cloudflare-dns.com/dns-query".to_string()
+}
+
+fn default_timeout_ms() -> u64 {
+    5000
+}
+
+/// A single DNS answer record sent back to TypeScript.
+#[derive(Debug, Serialize, Clone)]
+pub struct ClientDnsAnswer {
+    pub name: String,
+    #[serde(rename = "type")]
+    pub rtype: String,
+    pub ttl: u32,
+    pub value: String,
+}
+
+/// Result of a DNS resolve request.
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ResolveResult {
+    pub answers: Vec<ClientDnsAnswer>,
+    pub ad_flag: bool,
+    pub rcode: u8,
+}

rust/crates/rustdns-client/src/main.rs

@@ -0,0 +1,36 @@
+use clap::Parser;
+
+mod ipc_types;
+mod management;
+mod resolver_doh;
+mod resolver_udp;
+
+#[derive(Parser, Debug)]
+#[command(name = "rustdns-client", about = "Rust DNS client with IPC management")]
+struct Cli {
+    /// Run in management mode (IPC via stdin/stdout)
+    #[arg(long)]
+    management: bool,
+}
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn std::error::Error>> {
+    // Install the default rustls crypto provider (ring) before any TLS operations
+    let _ = rustls::crypto::ring::default_provider().install_default();
+
+    let cli = Cli::parse();
+
+    // Tracing writes to stderr so stdout is reserved for IPC
+    tracing_subscriber::fmt()
+        .with_writer(std::io::stderr)
+        .init();
+
+    if cli.management {
+        management::management_loop().await?;
+    } else {
+        eprintln!("rustdns-client: use --management flag for IPC mode");
+        std::process::exit(1);
+    }
+
+    Ok(())
+}

rust/crates/rustdns-client/src/management.rs

@@ -0,0 +1,130 @@
+use crate::ipc_types::*;
+use crate::resolver_doh;
+use crate::resolver_udp;
+use std::io::{self, BufRead, Write};
+use tokio::sync::mpsc;
+use tracing::{error, info};
+
+/// Emit a JSON event on stdout.
+fn send_event(event: &str, data: serde_json::Value) {
+    let evt = IpcEvent {
+        event: event.to_string(),
+        data,
+    };
+    let json = serde_json::to_string(&evt).unwrap();
+    let stdout = io::stdout();
+    let mut lock = stdout.lock();
+    let _ = writeln!(lock, "{}", json);
+    let _ = lock.flush();
+}
+
+/// Send a JSON response on stdout.
+fn send_response(response: &IpcResponse) {
+    let json = serde_json::to_string(response).unwrap();
+    let stdout = io::stdout();
+    let mut lock = stdout.lock();
+    let _ = writeln!(lock, "{}", json);
+    let _ = lock.flush();
+}
+
+/// Main management loop — reads JSON lines from stdin, dispatches commands.
+pub async fn management_loop() -> Result<(), Box<dyn std::error::Error>> {
+    // Emit ready event
+    send_event(
+        "ready",
+        serde_json::json!({
+            "version": env!("CARGO_PKG_VERSION")
+        }),
+    );
+
+    // Create a shared HTTP client for DoH connection pooling
+    let http_client = reqwest::Client::builder()
+        .use_rustls_tls()
+        .build()
+        .map_err(|e| format!("Failed to create HTTP client: {}", e))?;
+
+    // Channel for stdin commands (read in blocking thread)
+    let (cmd_tx, mut cmd_rx) = mpsc::channel::<String>(256);
+
+    // Spawn blocking stdin reader
+    std::thread::spawn(move || {
+        let stdin = io::stdin();
+        let reader = stdin.lock();
+        for line in reader.lines() {
+            match line {
+                Ok(l) => {
+                    if cmd_tx.blocking_send(l).is_err() {
+                        break; // channel closed
+                    }
+                }
+                Err(_) => break, // stdin closed
+            }
+        }
+    });
+
+    loop {
+        match cmd_rx.recv().await {
+            Some(line) => {
+                let request: IpcRequest = match serde_json::from_str(&line) {
+                    Ok(r) => r,
+                    Err(e) => {
+                        error!("Failed to parse IPC request: {}", e);
+                        continue;
+                    }
+                };
+
+                let response = handle_request(&request, &http_client).await;
+                send_response(&response);
+            }
+            None => {
+                // stdin closed — parent process exited
+                info!("stdin closed, shutting down");
+                break;
+            }
+        }
+    }
+
+    Ok(())
+}
+
+async fn handle_request(request: &IpcRequest, http_client: &reqwest::Client) -> IpcResponse {
+    let id = request.id.clone();
+
+    match request.method.as_str() {
+        "ping" => IpcResponse::ok(id, serde_json::json!({ "pong": true })),
+
+        "resolve" => handle_resolve(id, &request.params, http_client).await,
+
+        _ => IpcResponse::err(id, format!("Unknown method: {}", request.method)),
+    }
+}
+
+async fn handle_resolve(
+    id: String,
+    params: &serde_json::Value,
+    http_client: &reqwest::Client,
+) -> IpcResponse {
+    let resolve_params: ResolveParams = match serde_json::from_value(params.clone()) {
+        Ok(p) => p,
+        Err(e) => return IpcResponse::err(id, format!("Invalid resolve params: {}", e)),
+    };
+
+    let result = match resolve_params.protocol.as_str() {
+        "udp" => resolver_udp::resolve_udp(&resolve_params).await,
+        "doh" => resolver_doh::resolve_doh(&resolve_params, http_client).await,
+        other => {
+            return IpcResponse::err(
+                id,
+                format!("Unknown protocol '{}'. Use 'udp' or 'doh'.", other),
+            );
+        }
+    };
+
+    match result {
+        Ok(resolve_result) => {
+            let result_json = serde_json::to_value(&resolve_result).unwrap();
+            IpcResponse::ok(id, result_json)
+        }
+        Err(e) => IpcResponse::err(id, e),
+    }
+}

rust/crates/rustdns-client/src/resolver_doh.rs

@@ -0,0 +1,75 @@
+use crate::ipc_types::{ResolveParams, ResolveResult};
+use crate::resolver_udp::decode_answers;
+use rustdns_protocol::packet::{DnsPacket, DnsQuestion};
+use rustdns_protocol::types::{QClass, QType, EDNS_DO_BIT, FLAG_RD};
+use std::time::Duration;
+use tracing::debug;
+
+/// Resolve a DNS query via DNS-over-HTTPS (RFC 8484 wire format).
+pub async fn resolve_doh(
+    params: &ResolveParams,
+    http_client: &reqwest::Client,
+) -> Result<ResolveResult, String> {
+    let qtype = QType::from_str(&params.record_type);
+    let id: u16 = rand::random();
+
+    // Build query packet (same as UDP)
+    let mut query = DnsPacket::new_query(id);
+    query.flags = FLAG_RD;
+    query.questions.push(DnsQuestion {
+        name: params.name.clone(),
+        qtype,
+        qclass: QClass::IN,
+    });
+
+    // Add OPT record with DO bit for DNSSEC
+    query.additionals.push(rustdns_protocol::packet::DnsRecord {
+        name: ".".to_string(),
+        rtype: QType::OPT,
+        rclass: QClass::from_u16(4096),
+        ttl: 0,
+        rdata: vec![],
+        opt_flags: Some(EDNS_DO_BIT),
+    });
+
+    let query_bytes = query.encode();
+    let timeout = Duration::from_millis(params.timeout_ms);
+
+    let response = http_client
+        .post(&params.doh_url)
+        .header("Content-Type", "application/dns-message")
+        .header("Accept", "application/dns-message")
+        .body(query_bytes)
+        .timeout(timeout)
+        .send()
+        .await
+        .map_err(|e| format!("DoH request failed: {}", e))?;
+
+    if !response.status().is_success() {
+        return Err(format!("DoH server returned status {}", response.status()));
+    }
+
+    let response_bytes = response
+        .bytes()
+        .await
+        .map_err(|e| format!("Failed to read DoH response body: {}", e))?;
+
+    let dns_response = DnsPacket::parse(&response_bytes)
+        .map_err(|e| format!("Failed to parse DoH response: {}", e))?;
+
+    debug!(
+        "DoH response: id={}, rcode={}, answers={}, ad={}",
+        dns_response.id,
+        dns_response.rcode(),
+        dns_response.answers.len(),
+        dns_response.has_ad_flag()
+    );
+
+    let answers = decode_answers(&dns_response.answers, &response_bytes);
+
+    Ok(ResolveResult {
+        answers,
+        ad_flag: dns_response.has_ad_flag(),
+        rcode: dns_response.rcode(),
+    })
+}

rust/crates/rustdns-client/src/resolver_udp.rs

@@ -0,0 +1,193 @@
+use crate::ipc_types::{ClientDnsAnswer, ResolveParams, ResolveResult};
+use rustdns_protocol::packet::{
+    decode_a, decode_aaaa, decode_mx, decode_name_rdata, decode_soa, decode_srv, decode_txt,
+    DnsPacket, DnsQuestion, DnsRecord,
+};
+use rustdns_protocol::types::{QClass, QType, EDNS_DO_BIT, FLAG_RD};
+use std::net::SocketAddr;
+use std::time::Duration;
+use tokio::net::UdpSocket;
+use tracing::debug;
+
+/// Resolve a DNS query via UDP to an upstream server.
+pub async fn resolve_udp(params: &ResolveParams) -> Result<ResolveResult, String> {
+    let server_addr: SocketAddr = params
+        .server_addr
+        .parse()
+        .map_err(|e| format!("Invalid server address '{}': {}", params.server_addr, e))?;
+
+    let qtype = QType::from_str(&params.record_type);
+    let id: u16 = rand::random();
+
+    // Build query packet with RD flag and EDNS0 DO bit
+    let mut query = DnsPacket::new_query(id);
+    query.flags = FLAG_RD;
+    query.questions.push(DnsQuestion {
+        name: params.name.clone(),
+        qtype,
+        qclass: QClass::IN,
+    });
+
+    // Add OPT record with DO bit for DNSSEC
+    query.additionals.push(rustdns_protocol::packet::DnsRecord {
+        name: ".".to_string(),
+        rtype: QType::OPT,
+        rclass: QClass::from_u16(4096), // UDP payload size
+        ttl: 0,
+        rdata: vec![],
+        opt_flags: Some(EDNS_DO_BIT),
+    });
+
+    let query_bytes = query.encode();
+
+    // Bind to an ephemeral port
+    let bind_addr = if server_addr.is_ipv6() {
+        "[::]:0"
+    } else {
+        "0.0.0.0:0"
+    };
+    let socket = UdpSocket::bind(bind_addr)
+        .await
+        .map_err(|e| format!("Failed to bind UDP socket: {}", e))?;
+
+    socket
+        .send_to(&query_bytes, server_addr)
+        .await
+        .map_err(|e| format!("Failed to send UDP query: {}", e))?;
+
+    let mut buf = vec![0u8; 4096];
+    let timeout = Duration::from_millis(params.timeout_ms);
+
+    let len = tokio::time::timeout(timeout, socket.recv_from(&mut buf))
+        .await
+        .map_err(|_| "UDP query timed out".to_string())?
+        .map_err(|e| format!("Failed to receive UDP response: {}", e))?
+        .0;
+
+    let response_bytes = &buf[..len];
+    let response = DnsPacket::parse(response_bytes)
+        .map_err(|e| format!("Failed to parse UDP response: {}", e))?;
+
+    debug!(
+        "UDP response: id={}, rcode={}, answers={}, ad={}",
+        response.id,
+        response.rcode(),
+        response.answers.len(),
+        response.has_ad_flag()
+    );
+
+    let answers = decode_answers(&response.answers, response_bytes);
+
+    Ok(ResolveResult {
+        answers,
+        ad_flag: response.has_ad_flag(),
+        rcode: response.rcode(),
+    })
+}
+
+/// Decode answer records into ClientDnsAnswer values.
+pub fn decode_answers(records: &[DnsRecord], packet_bytes: &[u8]) -> Vec<ClientDnsAnswer> {
+    let mut answers = Vec::new();
+
+    for record in records {
+        // Skip OPT, RRSIG, DNSKEY records — they're metadata, not answer data
+        match record.rtype {
+            QType::OPT | QType::RRSIG | QType::DNSKEY => continue,
+            _ => {}
+        }
+
+        let value = decode_record_value(record, packet_bytes);
+        let value = match value {
+            Ok(v) => v,
+            Err(_) => continue, // skip records we can't decode
+        };
+
+        // Strip trailing dot from name
+        let name = record.name.strip_suffix('.').unwrap_or(&record.name).to_string();
+
+        answers.push(ClientDnsAnswer {
+            name,
+            rtype: record.rtype.as_str().to_string(),
+            ttl: record.ttl,
+            value,
+        });
+    }
+
+    answers
+}
+
+/// Decode a single record's RDATA to a string value.
+fn decode_record_value(record: &DnsRecord, packet_bytes: &[u8]) -> Result<String, String> {
+    // We need the rdata offset within the packet for compression pointer resolution.
+    // Since we have the raw rdata and the full packet, we find the rdata position.
+    let rdata_offset = find_rdata_offset(packet_bytes, &record.rdata);
+
+    match record.rtype {
+        QType::A => decode_a(&record.rdata).map_err(|e| e.to_string()),
+        QType::AAAA => decode_aaaa(&record.rdata).map_err(|e| e.to_string()),
+        QType::TXT => {
+            let chunks = decode_txt(&record.rdata).map_err(|e| e.to_string())?;
+            Ok(chunks.join(""))
+        }
+        QType::MX => {
+            if let Some(offset) = rdata_offset {
+                let (pref, exchange) = decode_mx(&record.rdata, packet_bytes, offset)?;
+                Ok(format!("{} {}", pref, exchange))
+            } else {
+                Err("Cannot find MX rdata in packet".into())
+            }
+        }
+        QType::NS | QType::CNAME | QType::PTR => {
+            if let Some(offset) = rdata_offset {
+                decode_name_rdata(&record.rdata, packet_bytes, offset)
+            } else {
+                Err("Cannot find name rdata in packet".into())
+            }
+        }
+        QType::SOA => {
+            if let Some(offset) = rdata_offset {
+                let soa = decode_soa(&record.rdata, packet_bytes, offset)?;
+                Ok(format!(
+                    "{} {} {} {} {} {} {}",
+                    soa.mname, soa.rname, soa.serial, soa.refresh, soa.retry, soa.expire, soa.minimum
+                ))
+            } else {
+                Err("Cannot find SOA rdata in packet".into())
+            }
+        }
+        QType::SRV => {
+            if let Some(offset) = rdata_offset {
+                let srv = decode_srv(&record.rdata, packet_bytes, offset)?;
+                Ok(format!(
+                    "{} {} {} {}",
+                    srv.priority, srv.weight, srv.port, srv.target
+                ))
+            } else {
+                Err("Cannot find SRV rdata in packet".into())
+            }
+        }
+        _ => {
+            // Unknown type: return hex encoding
+            Ok(record.rdata.iter().map(|b| format!("{:02x}", b)).collect::<String>())
+        }
+    }
+}
+
+/// Find the offset of the rdata bytes within the full packet buffer.
+/// This is needed because compression pointers in RDATA reference absolute positions.
+fn find_rdata_offset(packet: &[u8], rdata: &[u8]) -> Option<usize> {
+    if rdata.is_empty() {
+        return None;
+    }
+    // Search for the rdata slice within the packet
+    let rdata_len = rdata.len();
+    if rdata_len > packet.len() {
+        return None;
+    }
+    for i in 0..=(packet.len() - rdata_len) {
+        if &packet[i..i + rdata_len] == rdata {
+            return Some(i);
+        }
+    }
+    None
+}

rust/crates/rustdns-protocol/src/packet.rs

@@ -1,5 +1,5 @@
 use crate::name::{decode_name, encode_name};
-use crate::types::{QClass, QType, FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA, EDNS_DO_BIT};
+use crate::types::{QClass, QType, FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA, FLAG_AD, EDNS_DO_BIT};
 
 /// A parsed DNS question.
 #[derive(Debug, Clone)]
@@ -61,6 +61,16 @@ impl DnsPacket {
         }
     }
 
+    /// Extract the response code (lower 4 bits of flags).
+    pub fn rcode(&self) -> u8 {
+        (self.flags & 0x000F) as u8
+    }
+
+    /// Check if the AD (Authenticated Data) flag is set.
+    pub fn has_ad_flag(&self) -> bool {
+        self.flags & FLAG_AD != 0
+    }
+
     /// Check if DNSSEC (DO bit) is requested in the OPT record.
     pub fn is_dnssec_requested(&self) -> bool {
         for additional in &self.additionals {
@@ -335,6 +345,181 @@ pub fn encode_rrsig(
     buf
 }
 
+// ── RDATA decoding helpers ─────────────────────────────────────────
+
+/// Decode an A record (4 bytes -> IPv4 string).
+pub fn decode_a(rdata: &[u8]) -> Result<String, &'static str> {
+    if rdata.len() < 4 {
+        return Err("A rdata too short");
+    }
+    Ok(format!("{}.{}.{}.{}", rdata[0], rdata[1], rdata[2], rdata[3]))
+}
+
+/// Decode an AAAA record (16 bytes -> IPv6 string).
+pub fn decode_aaaa(rdata: &[u8]) -> Result<String, &'static str> {
+    if rdata.len() < 16 {
+        return Err("AAAA rdata too short");
+    }
+    let groups: Vec<String> = (0..8)
+        .map(|i| {
+            let val = u16::from_be_bytes([rdata[i * 2], rdata[i * 2 + 1]]);
+            format!("{:x}", val)
+        })
+        .collect();
+    // Build full form, then compress :: notation
+    let full = groups.join(":");
+    compress_ipv6(&full)
+}
+
+/// Compress a full IPv6 address to shortest form.
+fn compress_ipv6(full: &str) -> Result<String, &'static str> {
+    let groups: Vec<&str> = full.split(':').collect();
+    if groups.len() != 8 {
+        return Ok(full.to_string());
+    }
+
+    // Find longest run of consecutive "0" groups
+    let mut best_start = None;
+    let mut best_len = 0usize;
+    let mut cur_start = None;
+    let mut cur_len = 0usize;
+
+    for (i, g) in groups.iter().enumerate() {
+        if *g == "0" {
+            if cur_start.is_none() {
+                cur_start = Some(i);
+                cur_len = 1;
+            } else {
+                cur_len += 1;
+            }
+            if cur_len > best_len {
+                best_start = cur_start;
+                best_len = cur_len;
+            }
+        } else {
+            cur_start = None;
+            cur_len = 0;
+        }
+    }
+
+    if best_len >= 2 {
+        let bs = best_start.unwrap();
+        let left: Vec<&str> = groups[..bs].to_vec();
+        let right: Vec<&str> = groups[bs + best_len..].to_vec();
+        let l = left.join(":");
+        let r = right.join(":");
+        if l.is_empty() && r.is_empty() {
+            Ok("::".to_string())
+        } else if l.is_empty() {
+            Ok(format!("::{}", r))
+        } else if r.is_empty() {
+            Ok(format!("{}::", l))
+        } else {
+            Ok(format!("{}::{}", l, r))
+        }
+    } else {
+        Ok(full.to_string())
+    }
+}
+
+/// Decode a TXT record (length-prefixed chunks -> strings).
+pub fn decode_txt(rdata: &[u8]) -> Result<Vec<String>, &'static str> {
+    let mut strings = Vec::new();
+    let mut pos = 0;
+    while pos < rdata.len() {
+        let len = rdata[pos] as usize;
+        pos += 1;
+        if pos + len > rdata.len() {
+            return Err("TXT chunk extends beyond rdata");
+        }
+        let s = std::str::from_utf8(&rdata[pos..pos + len])
+            .map_err(|_| "invalid UTF-8 in TXT")?;
+        strings.push(s.to_string());
+        pos += len;
+    }
+    Ok(strings)
+}
+
+/// Decode an MX record (preference + exchange name with compression).
+pub fn decode_mx(rdata: &[u8], packet: &[u8], rdata_offset: usize) -> Result<(u16, String), String> {
+    if rdata.len() < 3 {
+        return Err("MX rdata too short".into());
+    }
+    let preference = u16::from_be_bytes([rdata[0], rdata[1]]);
+    let (name, _) = decode_name(packet, rdata_offset + 2).map_err(|e| e.to_string())?;
+    Ok((preference, name))
+}
+
+/// Decode a name from RDATA (for NS, CNAME, PTR records with compression).
+pub fn decode_name_rdata(_rdata: &[u8], packet: &[u8], rdata_offset: usize) -> Result<String, String> {
+    let (name, _) = decode_name(packet, rdata_offset).map_err(|e| e.to_string())?;
+    Ok(name)
+}
+
+/// SOA record decoded fields.
+#[derive(Debug, Clone)]
+pub struct SoaData {
+    pub mname: String,
+    pub rname: String,
+    pub serial: u32,
+    pub refresh: u32,
+    pub retry: u32,
+    pub expire: u32,
+    pub minimum: u32,
+}
+
+/// Decode a SOA record RDATA.
+pub fn decode_soa(rdata: &[u8], packet: &[u8], rdata_offset: usize) -> Result<SoaData, String> {
+    let (mname, consumed1) = decode_name(packet, rdata_offset).map_err(|e| e.to_string())?;
+    let (rname, consumed2) = decode_name(packet, rdata_offset + consumed1).map_err(|e| e.to_string())?;
+    let nums_offset = consumed1 + consumed2;
+    if rdata.len() < nums_offset + 20 {
+        return Err("SOA rdata too short for numeric fields".into());
+    }
+    let serial = u32::from_be_bytes([
+        rdata[nums_offset], rdata[nums_offset + 1],
+        rdata[nums_offset + 2], rdata[nums_offset + 3],
+    ]);
+    let refresh = u32::from_be_bytes([
+        rdata[nums_offset + 4], rdata[nums_offset + 5],
+        rdata[nums_offset + 6], rdata[nums_offset + 7],
+    ]);
+    let retry = u32::from_be_bytes([
+        rdata[nums_offset + 8], rdata[nums_offset + 9],
+        rdata[nums_offset + 10], rdata[nums_offset + 11],
+    ]);
+    let expire = u32::from_be_bytes([
+        rdata[nums_offset + 12], rdata[nums_offset + 13],
+        rdata[nums_offset + 14], rdata[nums_offset + 15],
+    ]);
+    let minimum = u32::from_be_bytes([
+        rdata[nums_offset + 16], rdata[nums_offset + 17],
+        rdata[nums_offset + 18], rdata[nums_offset + 19],
+    ]);
+    Ok(SoaData { mname, rname, serial, refresh, retry, expire, minimum })
+}
+
+/// SRV record decoded fields.
+#[derive(Debug, Clone)]
+pub struct SrvData {
+    pub priority: u16,
+    pub weight: u16,
+    pub port: u16,
+    pub target: String,
+}
+
+/// Decode a SRV record RDATA.
+pub fn decode_srv(rdata: &[u8], packet: &[u8], rdata_offset: usize) -> Result<SrvData, String> {
+    if rdata.len() < 7 {
+        return Err("SRV rdata too short".into());
+    }
+    let priority = u16::from_be_bytes([rdata[0], rdata[1]]);
+    let weight = u16::from_be_bytes([rdata[2], rdata[3]]);
+    let port = u16::from_be_bytes([rdata[4], rdata[5]]);
+    let (target, _) = decode_name(packet, rdata_offset + 6).map_err(|e| e.to_string())?;
+    Ok(SrvData { priority, weight, port, target })
+}
+
 /// Build a DnsRecord from high-level data.
 pub fn build_record(name: &str, rtype: QType, ttl: u32, rdata: Vec<u8>) -> DnsRecord {
     DnsRecord {
@@ -416,6 +601,45 @@ mod tests {
         assert_eq!(&data[7..12], b"world");
     }
 
+    #[test]
+    fn test_decode_a() {
+        let rdata = encode_a("192.168.1.1");
+        let decoded = decode_a(&rdata).unwrap();
+        assert_eq!(decoded, "192.168.1.1");
+    }
+
+    #[test]
+    fn test_decode_aaaa() {
+        let rdata = encode_aaaa("::1");
+        let decoded = decode_aaaa(&rdata).unwrap();
+        assert_eq!(decoded, "::1");
+
+        let rdata2 = encode_aaaa("2001:db8::1");
+        let decoded2 = decode_aaaa(&rdata2).unwrap();
+        assert_eq!(decoded2, "2001:db8::1");
+    }
+
+    #[test]
+    fn test_decode_txt() {
+        let strings = vec!["hello".to_string(), "world".to_string()];
+        let rdata = encode_txt(&strings);
+        let decoded = decode_txt(&rdata).unwrap();
+        assert_eq!(decoded, strings);
+    }
+
+    #[test]
+    fn test_rcode_and_ad_flag() {
+        let mut pkt = DnsPacket::new_query(1);
+        assert_eq!(pkt.rcode(), 0);
+        assert!(!pkt.has_ad_flag());
+
+        pkt.flags |= crate::types::FLAG_AD;
+        assert!(pkt.has_ad_flag());
+
+        pkt.flags |= 0x0003; // NXDOMAIN
+        assert_eq!(pkt.rcode(), 3);
+    }
+
     #[test]
     fn test_dnssec_do_bit() {
         let mut query = DnsPacket::new_query(1);

rust/crates/rustdns-protocol/src/types.rs

@@ -127,5 +127,8 @@ pub const FLAG_AA: u16 = 0x0400;
 pub const FLAG_RD: u16 = 0x0100;
 pub const FLAG_RA: u16 = 0x0080;
 
+/// Authenticated Data flag
+pub const FLAG_AD: u16 = 0x0020;
+
 /// OPT record DO bit (DNSSEC OK)
 pub const EDNS_DO_BIT: u16 = 0x8000;

test/test.client.ts

@@ -4,12 +4,12 @@ import * as smartdns from '../ts_client/index.js';
 
 let testDnsClient: smartdns.Smartdns;
 
-tap.test('should create an instance of Dnsly', async () => {
+tap.test('should create an instance of Smartdns', async () => {
   testDnsClient = new smartdns.Smartdns({});
   expect(testDnsClient).toBeInstanceOf(smartdns.Smartdns);
 });
 
-tap.test('should get an A DNS Record', async () => {
+tap.test('should get an A DNS Record (system)', async () => {
   const records = await testDnsClient.getRecordsA('google.com');
   expect(records).toBeInstanceOf(Array);
   expect(records.length).toBeGreaterThan(0);
@@ -19,7 +19,7 @@ tap.test('should get an A DNS Record', async () => {
   expect(records[0]).toHaveProperty('dnsSecEnabled');
 });
 
-tap.test('should get an AAAA Record', async () => {
+tap.test('should get an AAAA Record (system)', async () => {
   const records = await testDnsClient.getRecordsAAAA('google.com');
   expect(records).toBeInstanceOf(Array);
   expect(records.length).toBeGreaterThan(0);
@@ -29,7 +29,7 @@ tap.test('should get an AAAA Record', async () => {
   expect(records[0]).toHaveProperty('dnsSecEnabled');
 });
 
-tap.test('should get a txt record', async () => {
+tap.test('should get a txt record (system)', async () => {
   const records = await testDnsClient.getRecordsTxt('google.com');
   expect(records).toBeInstanceOf(Array);
   expect(records.length).toBeGreaterThan(0);
@@ -39,28 +39,25 @@ tap.test('should get a txt record', async () => {
   expect(records[0]).toHaveProperty('dnsSecEnabled');
 });
 
-tap.test('should, get a mx record for a domain', async () => {
+tap.test('should get a mx record for a domain (system)', async () => {
   const res = await testDnsClient.getRecords('bleu.de', 'MX');
   console.log(res);
 });
 
 tap.test('should check until DNS is available', async () => {
-  const records = await testDnsClient.getRecordsTxt('google.com');
-  if (records.length > 0) {
-    const result = await testDnsClient.checkUntilAvailable('google.com', 'TXT', records[0].value);
+  const result = await testDnsClient.checkUntilAvailable('localhost', 'A', '127.0.0.1', 4, 50);
   expect(result).toBeTrue();
-  }
 });
 
-tap.test('should check until DNS is available an return false if it fails', async () => {
+tap.test('should check until DNS is available and return false if it fails', async () => {
   return expect(
-    await testDnsClient.checkUntilAvailable('google.com', 'TXT', 'this-txt-record-does-not-exist')
+    await testDnsClient.checkUntilAvailable('google.com', 'TXT', 'this-txt-record-does-not-exist', 2, 50)
   ).toBeFalse();
 });
 
-tap.test('should check until DNS is available an return false if it fails', async () => {
+tap.test('should check until DNS is available and return false if it fails', async () => {
   return expect(
-    await testDnsClient.checkUntilAvailable('nonexistent.example.com', 'TXT', 'sometext_txt2')
+    await testDnsClient.checkUntilAvailable('nonexistent.example.com', 'TXT', 'sometext_txt2', 2, 50)
   ).toBeFalse();
 });
 
@@ -69,10 +66,79 @@ tap.test('should get name server for hostname', async () => {
   console.log(result);
 });
 
-tap.test('should detect dns sec', async () => {
-  const result = await testDnsClient.getRecordsA('lossless.com');
+tap.test('should detect DNSSEC via DoH (Rust)', async () => {
+  const dohClient = new smartdns.Smartdns({ strategy: 'doh' });
+  const result = await dohClient.getRecordsA('lossless.com');
   console.log(result[0]);
   expect(result[0].dnsSecEnabled).toBeTrue();
+  dohClient.destroy();
+});
+
+// ── New tests for UDP and Rust-based resolution ──────────────────
+
+tap.test('should resolve A record via UDP (Rust)', async () => {
+  const udpClient = new smartdns.Smartdns({ strategy: 'udp' });
+  const records = await udpClient.getRecordsA('google.com');
+  expect(records).toBeInstanceOf(Array);
+  expect(records.length).toBeGreaterThan(0);
+  expect(records[0]).toHaveProperty('name', 'google.com');
+  expect(records[0]).toHaveProperty('type', 'A');
+  expect(records[0]).toHaveProperty('value');
+  console.log('UDP A record:', records[0]);
+  udpClient.destroy();
+});
+
+tap.test('should resolve AAAA record via UDP (Rust)', async () => {
+  const udpClient = new smartdns.Smartdns({ strategy: 'udp' });
+  const records = await udpClient.getRecordsAAAA('google.com');
+  expect(records).toBeInstanceOf(Array);
+  expect(records.length).toBeGreaterThan(0);
+  expect(records[0]).toHaveProperty('type', 'AAAA');
+  console.log('UDP AAAA record:', records[0]);
+  udpClient.destroy();
+});
+
+tap.test('should resolve TXT record via DoH (Rust)', async () => {
+  const dohClient = new smartdns.Smartdns({ strategy: 'doh' });
+  const records = await dohClient.getRecordsTxt('google.com');
+  expect(records).toBeInstanceOf(Array);
+  expect(records.length).toBeGreaterThan(0);
+  expect(records[0]).toHaveProperty('type', 'TXT');
+  expect(records[0]).toHaveProperty('value');
+  console.log('DoH TXT record:', records[0]);
+  dohClient.destroy();
+});
+
+tap.test('should resolve with prefer-udp strategy', async () => {
+  const client = new smartdns.Smartdns({ strategy: 'prefer-udp' });
+  const records = await client.getRecordsA('google.com');
+  expect(records).toBeInstanceOf(Array);
+  expect(records.length).toBeGreaterThan(0);
+  expect(records[0]).toHaveProperty('type', 'A');
+  console.log('prefer-udp A record:', records[0]);
+  client.destroy();
+});
+
+tap.test('should detect DNSSEC AD flag via UDP (Rust)', async () => {
+  const udpClient = new smartdns.Smartdns({ strategy: 'udp' });
+  const records = await udpClient.getRecordsA('lossless.com');
+  expect(records.length).toBeGreaterThan(0);
+  // Note: AD flag from upstream depends on upstream resolver behavior
+  // Cloudflare 1.1.1.1 sets AD for DNSSEC-signed domains
+  console.log('UDP DNSSEC:', records[0]);
+  udpClient.destroy();
+});
+
+tap.test('should cleanup via destroy()', async () => {
+  const client = new smartdns.Smartdns({ strategy: 'udp' });
+  // Trigger bridge spawn
+  await client.getRecordsA('google.com');
+  // Destroy should not throw
+  client.destroy();
+});
+
+tap.test('cleanup default client', async () => {
+  testDnsClient.destroy();
 });
 
 export default tap.start();

test/test.dnssec.rrset.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8500;
@@ -29,7 +31,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
   try {
     await server.stop();
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
   }
 }
 
@@ -126,8 +128,8 @@ tap.test('DNSSEC should sign entire RRset together, not individual records', asy
   const dnsResponse = await responsePromise;
   
   // Count NS and RRSIG records
-  const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
-  const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+  const nsAnswers = dnsResponse.answers!.filter(a => a.type === 'NS');
+  const rrsigAnswers = dnsResponse.answers!.filter(a => a.type === 'RRSIG');
   
   console.log('NS records returned:', nsAnswers.length);
   console.log('RRSIG records returned:', rrsigAnswers.length);
@@ -197,7 +199,7 @@ tap.test('SOA records should be properly serialized and returned', async () => {
   const dnsResponse = await responsePromise;
   
   // Should have SOA record in response
-  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
   expect(soaAnswers.length).toEqual(1);
   
   const soaData = (soaAnswers[0] as any).data;
@@ -269,7 +271,7 @@ tap.test('Primary nameserver should be configurable', async () => {
   const dnsResponse = await responsePromise;
   
   // Should have SOA record with custom nameserver
-  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
   expect(soaAnswers.length).toEqual(1);
   
   const soaData = (soaAnswers[0] as any).data;
@@ -356,8 +358,8 @@ tap.test('Multiple A records should have single RRSIG when DNSSEC is enabled', a
   
   const dnsResponse = await responsePromise;
   
-  const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
-  const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+  const aAnswers = dnsResponse.answers!.filter(a => a.type === 'A');
+  const rrsigAnswers = dnsResponse.answers!.filter(a => a.type === 'RRSIG');
   
   console.log('A records:', aAnswers.length);
   console.log('RRSIG records:', rrsigAnswers.length);

test/test.fixes.simple.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8600;
@@ -29,7 +31,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
   try {
     await server.stop();
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
   }
 }
 
@@ -85,7 +87,7 @@ tap.test('SOA records should be returned for non-existent domains', async () =>
   const dnsResponse = await responsePromise;
   
   console.log('✅ SOA response received');
-  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
   expect(soaAnswers.length).toEqual(1);
   
   const soaData = (soaAnswers[0] as any).data;
@@ -151,7 +153,7 @@ tap.test('Primary nameserver should be configurable', async () => {
   
   const dnsResponse = await responsePromise;
   
-  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
   expect(soaAnswers.length).toEqual(1);
   
   const soaData = (soaAnswers[0] as any).data;
@@ -215,7 +217,7 @@ tap.test('Default primary nameserver with FQDN', async () => {
   
   const dnsResponse = await responsePromise;
   
-  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
   const soaData = (soaAnswers[0] as any).data;
   console.log('✅ FQDN primary nameserver:', soaData.mname);
   

test/test.multiplerecords.fixed.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8300;
@@ -34,7 +36,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
     
     await Promise.race([stopPromise, timeoutPromise]);
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
     
     // Force close if normal stop fails
     try {
@@ -49,7 +51,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
         (server as any).udpServer = null;
       }
     } catch (forceError) {
-      console.log('Force cleanup error:', forceError.message || forceError);
+      console.log('Force cleanup error:', forceError instanceof Error ? forceError.message : forceError);
     }
   }
 }
@@ -128,13 +130,13 @@ tap.test('should now return multiple NS records after fix', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('Fixed behavior - NS records returned:', dnsResponse.answers.length);
-  console.log('NS records:', dnsResponse.answers.filter(a => a.type === 'NS').map(a => a.data));
+  console.log('Fixed behavior - NS records returned:', dnsResponse.answers!.length);
+  console.log('NS records:', dnsResponse.answers!.filter(a => a.type === 'NS').map(a => (a as any).data));
   
   // FIXED BEHAVIOR: Should now return both NS records
-  const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
+  const nsAnswers = dnsResponse.answers!.filter(a => a.type === 'NS');
   expect(nsAnswers.length).toEqual(2);
-  expect(nsAnswers.map(a => a.data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
+  expect(nsAnswers.map(a => (a as any).data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
   
   await stopServer(dnsServer);
   dnsServer = null;
@@ -206,13 +208,13 @@ tap.test('should support round-robin DNS with multiple A records', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('Fixed behavior - A records returned:', dnsResponse.answers.length);
-  console.log('A records:', dnsResponse.answers.filter(a => a.type === 'A').map(a => a.data));
+  console.log('Fixed behavior - A records returned:', dnsResponse.answers!.length);
+  console.log('A records:', dnsResponse.answers!.filter(a => a.type === 'A').map(a => (a as any).data));
   
   // FIXED BEHAVIOR: Should return all A records for round-robin
-  const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
+  const aAnswers = dnsResponse.answers!.filter(a => a.type === 'A');
   expect(aAnswers.length).toEqual(3);
-  expect(aAnswers.map(a => a.data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
+  expect(aAnswers.map(a => (a as any).data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
   
   await stopServer(dnsServer);
   dnsServer = null;
@@ -289,8 +291,8 @@ tap.test('should return multiple TXT records', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('Fixed behavior - TXT records returned:', dnsResponse.answers.length);
-  const txtAnswers = dnsResponse.answers.filter(a => a.type === 'TXT');
+  console.log('Fixed behavior - TXT records returned:', dnsResponse.answers!.length);
+  const txtAnswers = dnsResponse.answers!.filter(a => a.type === 'TXT');
   console.log('TXT records count:', txtAnswers.length);
   
   // FIXED BEHAVIOR: Should return all TXT records
@@ -388,10 +390,10 @@ tap.test('should handle DNSSEC correctly with multiple records', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('DNSSEC response - total answers:', dnsResponse.answers.length);
+  console.log('DNSSEC response - total answers:', dnsResponse.answers!.length);
   
-  const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
-  const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+  const nsAnswers = dnsResponse.answers!.filter(a => a.type === 'NS');
+  const rrsigAnswers = dnsResponse.answers!.filter(a => a.type === 'RRSIG');
   
   console.log('NS records:', nsAnswers.length);
   console.log('RRSIG records:', rrsigAnswers.length);
@@ -417,7 +419,7 @@ tap.test('should not return duplicate records when same handler registered multi
   });
   
   // Register the same handler multiple times (edge case)
-  const sameHandler = (question) => {
+  const sameHandler = (question: smartdns.IDnsQuestion) => {
     return {
       name: question.name,
       type: 'A',
@@ -470,13 +472,13 @@ tap.test('should not return duplicate records when same handler registered multi
   
   const dnsResponse = await responsePromise;
   
-  const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
+  const aAnswers = dnsResponse.answers!.filter(a => a.type === 'A');
   console.log('Duplicate handler test - A records returned:', aAnswers.length);
   
   // Even though handler is registered 3 times, we get 3 identical records
   // This is expected behavior - the DNS server doesn't deduplicate
   expect(aAnswers.length).toEqual(3);
-  expect(aAnswers.every(a => a.data === '10.0.0.1')).toEqual(true);
+  expect(aAnswers.every(a => (a as any).data === '10.0.0.1')).toEqual(true);
   
   await stopServer(dnsServer);
   dnsServer = null;

test/test.multiplerecords.simple.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8400;
@@ -29,7 +31,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
   try {
     await server.stop();
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
   }
 }
 
@@ -105,12 +107,12 @@ tap.test('Multiple NS records should work correctly', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('✅ NS records returned:', dnsResponse.answers.length);
-  console.log('✅ NS records:', dnsResponse.answers.map(a => (a as any).data));
+  console.log('✅ NS records returned:', dnsResponse.answers!.length);
+  console.log('✅ NS records:', dnsResponse.answers!.map(a => (a as any).data));
   
   // SUCCESS: Multiple NS records are now returned
-  expect(dnsResponse.answers.length).toEqual(2);
-  expect(dnsResponse.answers.map(a => (a as any).data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
+  expect(dnsResponse.answers!.length).toEqual(2);
+  expect(dnsResponse.answers!.map(a => (a as any).data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
   
   await stopServer(dnsServer);
   dnsServer = null;
@@ -181,12 +183,12 @@ tap.test('Multiple A records for round-robin DNS', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('✅ A records returned:', dnsResponse.answers.length);
-  console.log('✅ A records:', dnsResponse.answers.map(a => (a as any).data));
+  console.log('✅ A records returned:', dnsResponse.answers!.length);
+  console.log('✅ A records:', dnsResponse.answers!.map(a => (a as any).data));
   
   // SUCCESS: All A records for round-robin DNS
-  expect(dnsResponse.answers.length).toEqual(3);
-  expect(dnsResponse.answers.map(a => (a as any).data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
+  expect(dnsResponse.answers!.length).toEqual(3);
+  expect(dnsResponse.answers!.map(a => (a as any).data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
   
   await stopServer(dnsServer);
   dnsServer = null;
@@ -262,12 +264,12 @@ tap.test('Multiple TXT records', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('✅ TXT records returned:', dnsResponse.answers.length);
+  console.log('✅ TXT records returned:', dnsResponse.answers!.length);
   
   // SUCCESS: All TXT records are returned
-  expect(dnsResponse.answers.length).toEqual(3);
+  expect(dnsResponse.answers!.length).toEqual(3);
   
-  const txtData = dnsResponse.answers.map(a => (a as any).data[0].toString());
+  const txtData = dnsResponse.answers!.map(a => (a as any).data[0].toString());
   expect(txtData.some(d => d.includes('spf1'))).toEqual(true);
   expect(txtData.some(d => d.includes('DKIM1'))).toEqual(true);
   expect(txtData.some(d => d.includes('google-site-verification'))).toEqual(true);

test/test.multiplerecords.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8200;
@@ -34,7 +36,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
     
     await Promise.race([stopPromise, timeoutPromise]);
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
     
     // Force close if normal stop fails
     try {
@@ -49,7 +51,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
         (server as any).udpServer = null;
       }
     } catch (forceError) {
-      console.log('Force cleanup error:', forceError.message || forceError);
+      console.log('Force cleanup error:', forceError instanceof Error ? forceError.message : forceError);
     }
   }
 }
@@ -128,12 +130,12 @@ tap.test('should properly return multiple NS records', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('Current behavior - NS records returned:', dnsResponse.answers.length);
-  console.log('NS records:', dnsResponse.answers.map(a => (a as any).data));
+  console.log('Current behavior - NS records returned:', dnsResponse.answers!.length);
+  console.log('NS records:', dnsResponse.answers!.map(a => (a as any).data));
   
   // Should return all registered NS records
-  expect(dnsResponse.answers.length).toEqual(2);
-  const nsData = dnsResponse.answers.map(a => (a as any).data).sort();
+  expect(dnsResponse.answers!.length).toEqual(2);
+  const nsData = dnsResponse.answers!.map(a => (a as any).data).sort();
   expect(nsData).toEqual(['ns1.example.com', 'ns2.example.com']);
   
   await stopServer(dnsServer);
@@ -225,12 +227,12 @@ tap.test('should properly return multiple A records for round-robin DNS', async
   
   const dnsResponse = await responsePromise;
   
-  console.log('Current behavior - A records returned:', dnsResponse.answers.length);
-  console.log('A records:', dnsResponse.answers.map(a => (a as any).data));
+  console.log('Current behavior - A records returned:', dnsResponse.answers!.length);
+  console.log('A records:', dnsResponse.answers!.map(a => (a as any).data));
   
   // Should return all registered A records for round-robin DNS
-  expect(dnsResponse.answers.length).toEqual(3);
-  const aData = dnsResponse.answers.map(a => (a as any).data).sort();
+  expect(dnsResponse.answers!.length).toEqual(3);
+  const aData = dnsResponse.answers!.map(a => (a as any).data).sort();
   expect(aData).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
   
   await stopServer(dnsServer);
@@ -322,12 +324,12 @@ tap.test('should properly return multiple TXT records', async () => {
   
   const dnsResponse = await responsePromise;
   
-  console.log('Current behavior - TXT records returned:', dnsResponse.answers.length);
-  console.log('TXT records:', dnsResponse.answers.map(a => (a as any).data));
+  console.log('Current behavior - TXT records returned:', dnsResponse.answers!.length);
+  console.log('TXT records:', dnsResponse.answers!.map(a => (a as any).data));
   
   // Should return all registered TXT records
-  expect(dnsResponse.answers.length).toEqual(3);
-  const txtData = dnsResponse.answers.map(a => (a as any).data[0]).sort();
+  expect(dnsResponse.answers!.length).toEqual(3);
+  const txtData = dnsResponse.answers!.map(a => (a as any).data[0]).sort();
   expect(txtData[0]).toInclude('google-site-verification');
   expect(txtData[1]).toInclude('DKIM1');
   expect(txtData[2]).toInclude('spf1');
@@ -408,14 +410,14 @@ tap.test('should rotate between records when using a single handler', async () =
   
   const [response1, response2] = await Promise.all([responsePromise1, responsePromise2]);
   
-  console.log('First query NS:', (response1.answers[0] as any).data);
-  console.log('Second query NS:', (response2.answers[0] as any).data);
+  console.log('First query NS:', (response1.answers![0] as any).data);
+  console.log('Second query NS:', (response2.answers![0] as any).data);
   
   // This pattern rotates between records but returns one at a time per query
-  expect(response1.answers.length).toEqual(1);
-  expect(response2.answers.length).toEqual(1);
-  expect((response1.answers[0] as any).data).toEqual('ns1.example.com');
-  expect((response2.answers[0] as any).data).toEqual('ns2.example.com');
+  expect(response1.answers!.length).toEqual(1);
+  expect(response2.answers!.length).toEqual(1);
+  expect((response1.answers![0] as any).data).toEqual('ns1.example.com');
+  expect((response2.answers![0] as any).data).toEqual('ns2.example.com');
   
   await stopServer(dnsServer);
   dnsServer = null;

test/test.server.ts

@@ -1,6 +1,6 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import { execSync } from 'child_process';
 
 import * as dnsPacket from 'dns-packet';
@@ -12,6 +12,8 @@ import * as os from 'os';
 
 import * as smartdns from '../ts_server/index.js';
 
+const tapNodeTools = new TapNodeTools(tap);
+
 // Generate a real self-signed certificate using OpenSSL
 function generateSelfSignedCert() {
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cert-'));
@@ -48,7 +50,7 @@ function generateSelfSignedCert() {
 }
 
 // Cache the generated certificate for performance
-let cachedCert = null;
+let cachedCert: { key: string; cert: string } | null = null;
 
 // Helper function to get certificate
 function getTestCertificate() {
@@ -108,7 +110,7 @@ const acmeClientMock = {
   },
   
   forge: {
-    createCsr({commonName, altNames}) {
+    createCsr({ commonName, altNames }: { commonName: string; altNames: string[] }) {
       return Promise.resolve({
         csr: Buffer.from('mock-csr-data')
       });
@@ -125,7 +127,7 @@ const acmeClientMock = {
 
 // Override generateKeyPairSync to use our test key for certificate generation in tests
 const originalGenerateKeyPairSync = plugins.crypto.generateKeyPairSync;
-plugins.crypto.generateKeyPairSync = function(type, options) {
+(plugins.crypto.generateKeyPairSync as any) = function(this: any, type: string, options?: any) {
   if (type === 'rsa' && 
       options?.modulusLength === 2048 && 
       options?.privateKeyEncoding?.type === 'pkcs8') {
@@ -143,10 +145,10 @@ plugins.crypto.generateKeyPairSync = function(type, options) {
   }
   
   // Use the original function for other cases
-  return originalGenerateKeyPairSync.apply(this, arguments);
+  return (originalGenerateKeyPairSync as any).apply(this, arguments);
 };
 
-let dnsServer: smartdns.DnsServer;
+let dnsServer: smartdns.DnsServer | null;
 const testCertDir = path.join(process.cwd(), 'test-certs');
 
 // Helper to clean up test certificate directory
@@ -187,7 +189,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
     
     await Promise.race([stopPromise, timeoutPromise]);
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
     
     // Force close if normal stop fails
     try {
@@ -202,7 +204,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
         (server as any).udpServer = null;
       }
     } catch (forceError) {
-      console.log('Force cleanup error:', forceError.message || forceError);
+      console.log('Force cleanup error:', forceError instanceof Error ? forceError.message : forceError);
     }
   }
 }
@@ -282,10 +284,8 @@ tap.test('lets add a handler', async () => {
   });
 
   // @ts-ignore - accessing private method for testing
-  const response = dnsServer.processDnsRequest({
-    type: 'query',
-    id: 1,
-    flags: 0,
+  const response = dnsServer.resolveQuery({
+    correlationId: 'test-1',
     questions: [
       {
         name: 'dnsly_a.bleu.de',
@@ -293,8 +293,8 @@ tap.test('lets add a handler', async () => {
         class: 'IN',
       },
     ],
-    answers: [],
   });
+  expect(response.answered).toEqual(true);
   expect(response.answers[0]).toEqual({
     name: 'dnsly_a.bleu.de',
     type: 'A',
@@ -341,10 +341,8 @@ tap.test('should unregister a handler', async () => {
 
   // Verify handler is removed
   // @ts-ignore - accessing private method for testing
-  const response = dnsServer.processDnsRequest({
-    type: 'query',
-    id: 1,
-    flags: 0,
+  const response = dnsServer.resolveQuery({
+    correlationId: 'test-2',
     questions: [
       {
         name: 'dnsly_a.bleu.de',
@@ -352,11 +350,11 @@ tap.test('should unregister a handler', async () => {
         class: 'IN',
       },
     ],
-    answers: [],
   });
 
-  // Should get SOA record instead of A record
-  expect(response.answers[0].type).toEqual('SOA');
+  // Should not find any handler match
+  expect(response.answered).toEqual(false);
+  expect(response.answers.length).toEqual(0);
 });
 
 tap.test('lets query over https', async () => {
@@ -404,7 +402,7 @@ tap.test('lets query over https', async () => {
 
   const response = await fetch(`https://localhost:${httpsPort}/dns-query`, {
     method: 'POST',
-    body: query,
+    body: query as unknown as BodyInit,
     headers: {
       'Content-Type': 'application/dns-message',
     }
@@ -415,9 +413,9 @@ tap.test('lets query over https', async () => {
   const responseData = await response.arrayBuffer();
   const dnsResponse = dnsPacket.decode(Buffer.from(responseData));
 
-  console.log(dnsResponse.answers[0]);
+  console.log(dnsResponse.answers![0]);
 
-  expect(dnsResponse.answers[0]).toEqual({
+  expect(dnsResponse.answers![0]).toEqual({
     name: 'dnsly_a.bleu.de',
     type: 'A',
     class: 'IN',
@@ -498,9 +496,9 @@ tap.test('lets query over udp', async () => {
 
   const dnsResponse = await responsePromise;
 
-  console.log(dnsResponse.answers[0]);
+  console.log(dnsResponse.answers![0]);
 
-  expect(dnsResponse.answers[0]).toEqual({
+  expect(dnsResponse.answers![0]).toEqual({
     name: 'dnsly_a.bleu.de',
     type: 'A',
     class: 'IN',
@@ -678,14 +676,17 @@ tap.test('should reject invalid IP addresses', async () => {
     udpBindInterface: 'invalid-ip',
   });
   
-  let error1 = null;
+  let error1: Error | null = null;
   try {
     await dnsServer.start();
   } catch (err) {
-    error1 = err;
+    error1 = err instanceof Error ? err : new Error(String(err));
   }
   
   expect(error1).toBeDefined();
+  if (!error1) {
+    throw new Error('Expected invalid UDP bind interface to throw');
+  }
   expect(error1.message).toContain('Invalid UDP bind interface');
   
   // Test invalid HTTPS interface
@@ -698,14 +699,17 @@ tap.test('should reject invalid IP addresses', async () => {
     httpsBindInterface: '999.999.999.999',
   });
   
-  let error2 = null;
+  let error2: Error | null = null;
   try {
     await dnsServer.start();
   } catch (err) {
-    error2 = err;
+    error2 = err instanceof Error ? err : new Error(String(err));
   }
   
   expect(error2).toBeDefined();
+  if (!error2) {
+    throw new Error('Expected invalid HTTPS bind interface to throw');
+  }
   expect(error2.message).toContain('Invalid HTTPS bind interface');
   
   dnsServer = null;
@@ -744,7 +748,7 @@ tap.test('should work with IPv6 localhost if available', async () => {
     
     await stopServer(dnsServer);
   } catch (err) {
-    console.log('IPv6 binding failed:', err.message);
+    console.log('IPv6 binding failed:', err instanceof Error ? err.message : err);
     await stopServer(dnsServer);
     throw err;
   }

test/test.soa.debug.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8700;
@@ -29,7 +31,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
   try {
     await server.stop();
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
   }
 }
 
@@ -96,7 +98,7 @@ tap.test('Direct SOA query should work without timeout', async () => {
         const dnsResponse = dnsPacket.decode(msg);
         resolve(dnsResponse);
       } catch (e) {
-        reject(new Error(`Failed to decode response: ${e.message}`));
+        reject(new Error(`Failed to decode response: ${e instanceof Error ? e.message : String(e)}`));
       }
       client.close();
     });
@@ -118,9 +120,9 @@ tap.test('Direct SOA query should work without timeout', async () => {
   
   try {
     const dnsResponse = await responsePromise;
-    console.log('SOA response received:', dnsResponse.answers.length, 'answers');
+    console.log('SOA response received:', dnsResponse.answers!.length, 'answers');
     
-    const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+    const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
     expect(soaAnswers.length).toEqual(1);
     
     const soaData = (soaAnswers[0] as any).data;
@@ -189,7 +191,7 @@ tap.test('SOA query with DNSSEC should work', async () => {
         const dnsResponse = dnsPacket.decode(msg);
         resolve(dnsResponse);
       } catch (e) {
-        reject(new Error(`Failed to decode response: ${e.message}`));
+        reject(new Error(`Failed to decode response: ${e instanceof Error ? e.message : String(e)}`));
       }
       client.close();
     });
@@ -211,10 +213,10 @@ tap.test('SOA query with DNSSEC should work', async () => {
   
   try {
     const dnsResponse = await responsePromise;
-    console.log('Response received with', dnsResponse.answers.length, 'answers');
+    console.log('Response received with', dnsResponse.answers!.length, 'answers');
 
-    const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
-    const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+    const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
+    const rrsigAnswers = dnsResponse.answers!.filter(a => a.type === 'RRSIG');
     console.log('SOA records found:', soaAnswers.length);
     console.log('RRSIG records found:', rrsigAnswers.length);
 
@@ -247,4 +249,115 @@ tap.test('SOA query with DNSSEC should work', async () => {
   dnsServer = null;
 });
 
+tap.test('SOA serialization produces correct wire format', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'roundtrip.example.com',
+  });
+
+  // Register a handler with specific SOA data we can verify round-trips correctly
+  const expectedSoa = {
+    mname: 'ns1.roundtrip.example.com',
+    rname: 'admin.roundtrip.example.com',
+    serial: 2025020101,
+    refresh: 7200,
+    retry: 1800,
+    expire: 1209600,
+    minimum: 43200,
+  };
+
+  dnsServer.registerHandler('roundtrip.example.com', ['SOA'], (question) => {
+    return {
+      name: question.name,
+      type: 'SOA',
+      class: 'IN',
+      ttl: 3600,
+      data: expectedSoa,
+    };
+  });
+
+  await dnsServer.start();
+
+  const client = dgram.createSocket('udp4');
+
+  // Plain UDP query without DNSSEC to test pure SOA serialization
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'roundtrip.example.com',
+        type: 'SOA',
+        class: 'IN',
+      },
+    ],
+  });
+
+  console.log('Sending plain SOA query for serialization round-trip test');
+
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out after 5 seconds'));
+    }, 5000);
+
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      try {
+        const dnsResponse = dnsPacket.decode(msg);
+        resolve(dnsResponse);
+      } catch (e) {
+        reject(new Error(`Failed to decode response: ${e instanceof Error ? e.message : String(e)}`));
+      }
+      client.close();
+    });
+
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        clearTimeout(timeout);
+        reject(err);
+        client.close();
+      }
+    });
+  });
+
+  try {
+    const dnsResponse = await responsePromise;
+    const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
+    expect(soaAnswers.length).toEqual(1);
+
+    const soaData = (soaAnswers[0] as any).data;
+    console.log('Round-trip SOA data:', soaData);
+
+    // Verify all 7 SOA fields survived the full round-trip:
+    // handler → Rust encode_soa → wire → dns-packet decode
+    expect(soaData.mname).toEqual(expectedSoa.mname);
+    expect(soaData.rname).toEqual(expectedSoa.rname);
+    expect(soaData.serial).toEqual(expectedSoa.serial);
+    expect(soaData.refresh).toEqual(expectedSoa.refresh);
+    expect(soaData.retry).toEqual(expectedSoa.retry);
+    expect(soaData.expire).toEqual(expectedSoa.expire);
+    expect(soaData.minimum).toEqual(expectedSoa.minimum);
+  } catch (error) {
+    console.error('SOA serialization round-trip test failed:', error);
+    throw error;
+  }
+
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
 export default tap.start();

test/test.soa.final.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8900;
@@ -29,7 +31,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
   try {
     await server.stop();
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
   }
 }
 
@@ -118,9 +120,9 @@ tap.test('SOA records work for all scenarios', async () => {
     client.send(soaQuery, udpPort, 'localhost');
   });
   
-  console.log('Direct SOA query response:', response.answers.length, 'answers');
-  expect(response.answers.length).toEqual(1);
-  expect(response.answers[0].type).toEqual('SOA');
+  console.log('Direct SOA query response:', response.answers!.length, 'answers');
+  expect(response.answers!.length).toEqual(1);
+  expect(response.answers![0].type).toEqual('SOA');
   
   // Test 2: Non-existent domain query (should get SOA in authority)
   console.log('\n--- Test 2: Non-existent domain query ---');
@@ -153,8 +155,8 @@ tap.test('SOA records work for all scenarios', async () => {
     client.send(nxQuery, udpPort, 'localhost');
   });
   
-  console.log('Non-existent query response:', response.answers.length, 'answers');
-  const soaAnswers = response.answers.filter(a => a.type === 'SOA');
+  console.log('Non-existent query response:', response.answers!.length, 'answers');
+  const soaAnswers = response.answers!.filter(a => a.type === 'SOA');
   expect(soaAnswers.length).toEqual(1);
   
   // Test 3: SOA with DNSSEC
@@ -197,11 +199,11 @@ tap.test('SOA records work for all scenarios', async () => {
     client.send(dnssecQuery, udpPort, 'localhost');
   });
   
-  console.log('DNSSEC SOA query response:', response.answers.length, 'answers');
-  console.log('Answer types:', response.answers.map(a => a.type));
-  expect(response.answers.length).toEqual(2); // SOA + RRSIG
-  expect(response.answers.some(a => a.type === 'SOA')).toEqual(true);
-  expect(response.answers.some(a => a.type === 'RRSIG')).toEqual(true);
+  console.log('DNSSEC SOA query response:', response.answers!.length, 'answers');
+  console.log('Answer types:', response.answers!.map(a => a.type));
+  expect(response.answers!.length).toEqual(2); // SOA + RRSIG
+  expect(response.answers!.some(a => a.type === 'SOA')).toEqual(true);
+  expect(response.answers!.some(a => a.type === 'RRSIG')).toEqual(true);
   
   client.close();
   await stopServer(dnsServer);
@@ -259,7 +261,7 @@ tap.test('Configurable primary nameserver works correctly', async () => {
     client.send(query, udpPort, 'localhost');
   });
   
-  const soaAnswers = response.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = response.answers!.filter(a => a.type === 'SOA');
   console.log('✅ Configured primary nameserver:', (soaAnswers[0] as any).data.mname);
   expect((soaAnswers[0] as any).data.mname).toEqual('master.test.com');
   

test/test.soa.simple.ts

@@ -1,12 +1,14 @@
 import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Port management for tests
 let nextHttpsPort = 8800;
@@ -29,7 +31,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
   try {
     await server.stop();
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
   }
 }
 
@@ -98,7 +100,7 @@ tap.test('Simple SOA query without DNSSEC', async () => {
   const dnsResponse = await responsePromise;
   console.log('✅ SOA response without DNSSEC received');
   
-  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
   expect(soaAnswers.length).toEqual(1);
   
   const soaData = (soaAnswers[0] as any).data;
@@ -191,7 +193,7 @@ tap.test('Direct SOA query without DNSSEC', async () => {
   const dnsResponse = await responsePromise;
   console.log('✅ Direct SOA query succeeded');
   
-  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
   expect(soaAnswers.length).toEqual(1);
   
   await stopServer(dnsServer);

test/test.soa.timeout.ts

@@ -1,11 +1,13 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import { TapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import * as dnsPacket from 'dns-packet';
 import * as dgram from 'dgram';
 
 import * as smartdns from '../ts_server/index.js';
 
-let dnsServer: smartdns.DnsServer;
+const tapNodeTools = new TapNodeTools(tap);
+
+let dnsServer: smartdns.DnsServer | null;
 
 // Cleanup function for servers
 async function stopServer(server: smartdns.DnsServer | null | undefined) {
@@ -16,7 +18,7 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
   try {
     await server.stop();
   } catch (e) {
-    console.log('Handled error when stopping server:', e.message || e);
+    console.log('Handled error when stopping server:', e instanceof Error ? e.message : e);
   }
 }
 
@@ -78,7 +80,7 @@ tap.test('Test SOA with DNSSEC timing', async () => {
         const dnsResponse = dnsPacket.decode(msg);
         resolve(dnsResponse);
       } catch (e) {
-        reject(new Error(`Failed to decode response: ${e.message}`));
+        reject(new Error(`Failed to decode response: ${e instanceof Error ? e.message : String(e)}`));
       }
       client.close();
     });
@@ -103,19 +105,24 @@ tap.test('Test SOA with DNSSEC timing', async () => {
   try {
     const dnsResponse = await responsePromise;
     console.log('Response details:');
-    console.log('- Answers:', dnsResponse.answers.length);
-    console.log('- Answer types:', dnsResponse.answers.map(a => a.type));
+    console.log('- Answers:', dnsResponse.answers!.length);
+    console.log('- Answer types:', dnsResponse.answers!.map(a => a.type));
     
-    const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
-    const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+    const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
+    const rrsigAnswers = dnsResponse.answers!.filter(a => a.type === 'RRSIG');
 
     console.log('- SOA records:', soaAnswers.length);
     console.log('- RRSIG records:', rrsigAnswers.length);
 
-    // With the fix, SOA should have its RRSIG
-    if (soaAnswers.length > 0) {
+    // Must have exactly 1 SOA for the zone
+    expect(soaAnswers.length).toEqual(1);
+
+    // Must have at least 1 RRSIG covering the SOA
     expect(rrsigAnswers.length).toBeGreaterThan(0);
-    }
+
+    // Verify RRSIG covers SOA type
+    const rrsigData = (rrsigAnswers[0] as any).data;
+    expect(rrsigData.typeCovered).toEqual('SOA');
   } catch (error) {
     console.error('DNSSEC SOA query failed:', error);
     throw error;
@@ -125,4 +132,108 @@ tap.test('Test SOA with DNSSEC timing', async () => {
   dnsServer = null;
 });
 
+tap.test('DNSSEC signing completes within reasonable time', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = 8756;
+
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8757,
+    udpPort: udpPort,
+    dnssecZone: 'perf.example.com',
+  });
+
+  // No handlers registered — server returns SOA for nonexistent domain
+  await dnsServer.start();
+
+  const client = dgram.createSocket('udp4');
+
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.perf.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+    additionals: [
+      {
+        name: '.',
+        type: 'OPT',
+        ttl: 0,
+        flags: 0x8000, // DO bit set for DNSSEC
+        data: Buffer.alloc(0),
+      } as any,
+    ],
+  });
+
+  const startTime = Date.now();
+  console.log('Sending DNSSEC query for performance test...');
+
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      const elapsed = Date.now() - startTime;
+      reject(new Error(`Query timed out after ${elapsed}ms — exceeds 2s budget`));
+    }, 2000);
+
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      const elapsed = Date.now() - startTime;
+      console.log(`DNSSEC response received in ${elapsed}ms`);
+      try {
+        const dnsResponse = dnsPacket.decode(msg);
+        resolve(dnsResponse);
+      } catch (e) {
+        reject(new Error(`Failed to decode response: ${e instanceof Error ? e.message : String(e)}`));
+      }
+      client.close();
+    });
+
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        clearTimeout(timeout);
+        reject(err);
+        client.close();
+      }
+    });
+  });
+
+  try {
+    const dnsResponse = await responsePromise;
+    const elapsed = Date.now() - startTime;
+
+    // Response must arrive within 2 seconds (generous for CI)
+    expect(elapsed).toBeLessThan(2000);
+
+    // Verify correctness: SOA + RRSIG present
+    const soaAnswers = dnsResponse.answers!.filter(a => a.type === 'SOA');
+    const rrsigAnswers = dnsResponse.answers!.filter(a => a.type === 'RRSIG');
+
+    expect(soaAnswers.length).toEqual(1);
+    expect(rrsigAnswers.length).toBeGreaterThan(0);
+
+    const rrsigData = (rrsigAnswers[0] as any).data;
+    expect(rrsigData.typeCovered).toEqual('SOA');
+
+    console.log(`DNSSEC signing performance OK: ${elapsed}ms`);
+  } catch (error) {
+    console.error('DNSSEC performance test failed:', error);
+    throw error;
+  }
+
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
 export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartdns',
-  version: '7.7.1',
+  version: '7.9.2',
   description: 'A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.'
 }

ts/readme.md

@@ -0,0 +1,47 @@
+# @push.rocks/smartdns
+
+Unified entry point that re-exports both the DNS client and DNS server modules.
+
+## Import
+
+```typescript
+import { dnsClientMod, dnsServerMod } from '@push.rocks/smartdns';
+```
+
+## Modules
+
+| Module | Description |
+|---|---|
+| `dnsClientMod` | DNS resolution — system, UDP, DoH strategies via `Smartdns` class |
+| `dnsServerMod` | Authoritative DNS server — UDP, HTTPS, DNSSEC, ACME via `DnsServer` class |
+
+## Usage
+
+```typescript
+import { dnsClientMod, dnsServerMod } from '@push.rocks/smartdns';
+
+// Client
+const client = new dnsClientMod.Smartdns({ strategy: 'prefer-udp' });
+const records = await client.getRecordsA('example.com');
+client.destroy();
+
+// Server
+const server = new dnsServerMod.DnsServer({
+  udpPort: 5333,
+  httpsPort: 8443,
+  httpsKey: '...',
+  httpsCert: '...',
+  dnssecZone: 'example.com',
+});
+server.registerHandler('example.com', ['A'], (q) => ({
+  name: q.name, type: 'A', class: 'IN', ttl: 300, data: '93.184.215.14',
+}));
+await server.start();
+```
+
+For direct imports, use the sub-module paths:
+
+```typescript
+import { Smartdns } from '@push.rocks/smartdns/client';
+import { DnsServer } from '@push.rocks/smartdns/server';
+```

ts_client/classes.dnsclient.ts

@@ -1,4 +1,5 @@
 import * as plugins from './plugins.js';
+import { RustDnsClientBridge } from './classes.rustdnsclientbridge.js';
 
 export type TDnsProvider = 'google' | 'cloudflare';
 
@@ -22,7 +23,7 @@ export const makeNodeProcessUseDnsProvider = (providerArg: TDnsProvider) => {
   }
 };
 
-export type TResolutionStrategy = 'doh' | 'system' | 'prefer-system';
+export type TResolutionStrategy = 'doh' | 'udp' | 'system' | 'prefer-system' | 'prefer-udp';
 
 export interface ISmartDnsConstructorOptions {
   strategy?: TResolutionStrategy; // default: 'prefer-system'
@@ -30,40 +31,28 @@ export interface ISmartDnsConstructorOptions {
   timeoutMs?: number; // optional per-query timeout
 }
 
-export interface IDnsJsonResponse {
-  Status: number;
-  TC: boolean;
-  RD: boolean;
-  RA: boolean;
-  AD: boolean;
-  CD: boolean;
-  Question: Array<{ name: string; type: number }>;
-  Answer: Array<{ name: string; type: number; TTL: number; data: string }>;
-  Additional: [];
-  Comment: string;
-}
-
 /**
- * class dnsly offers methods for working with dns from a dns provider like Google DNS
+ * Smartdns offers methods for working with DNS resolution.
+ * Supports system resolver, UDP wire-format, and DoH (DNS-over-HTTPS) via a Rust binary.
  */
 export class Smartdns {
-  public dnsServerIp: string;
-  public dnsServerPort: number;
   private strategy: TResolutionStrategy = 'prefer-system';
   private allowDohFallback = true;
   private timeoutMs: number | undefined;
+  private rustBridge: RustDnsClientBridge | null = null;
 
   public dnsTypeMap: { [key: string]: number } = {
     A: 1,
-    AAAA: 28,
+    NS: 2,
     CNAME: 5,
+    SOA: 6,
+    PTR: 12,
     MX: 15,
     TXT: 16,
+    AAAA: 28,
+    SRV: 33,
   };
 
-  /**
-   * constructor for class dnsly
-   */
   constructor(optionsArg: ISmartDnsConstructorOptions) {
     this.strategy = optionsArg?.strategy || 'prefer-system';
     this.allowDohFallback =
@@ -71,12 +60,15 @@ export class Smartdns {
     this.timeoutMs = optionsArg?.timeoutMs;
   }
 
+  private getRustBridge(): RustDnsClientBridge {
+    if (!this.rustBridge) {
+      this.rustBridge = new RustDnsClientBridge();
+    }
+    return this.rustBridge;
+  }
+
   /**
-   * check a dns record until it has propagated to Google DNS
-   * should be considerably fast
-   * @param recordNameArg
-   * @param recordTypeArg
-   * @param expectedValue
+   * check a dns record until it has propagated
    */
   public async checkUntilAvailable(
     recordNameArg: string,
@@ -107,7 +99,6 @@ export class Smartdns {
             return await doCheck();
           }
         } catch (err) {
-          // console.log(err);
           await plugins.smartdelay.delayFor(intervalArg);
           return await doCheck();
         }
@@ -185,7 +176,7 @@ export class Smartdns {
         });
         return records.map((chunks) => ({
           name: recordNameArg,
-          type: 'TXT',
+          type: 'TXT' as plugins.tsclass.network.TDnsRecordType,
           dnsSecEnabled: false,
           value: chunks.join(''),
         }));
@@ -193,44 +184,22 @@ export class Smartdns {
       return [];
     };
 
-    const tryDoh = async (): Promise<plugins.tsclass.network.IDnsRecord[]> => {
-      const requestUrl = `https://cloudflare-dns.com/dns-query?name=${recordNameArg}&type=${recordTypeArg}&do=1`;
-      const returnArray: plugins.tsclass.network.IDnsRecord[] = [];
-      const getResponseBody = async (counterArg = 0): Promise<IDnsJsonResponse> => {
-        const response = await plugins.smartrequest.request(requestUrl, {
-          method: 'GET',
-          headers: {
-            accept: 'application/dns-json',
-          },
-          timeout: this.timeoutMs,
-        });
-        const responseBody: IDnsJsonResponse = response.body;
-        if (responseBody?.Status !== 0 && counterArg < retriesCounterArg) {
-          await plugins.smartdelay.delayFor(500);
-          return getResponseBody(counterArg + 1);
-        } else {
-          return responseBody;
-        }
-      };
-      const responseBody = await getResponseBody();
-      if (!responseBody || !responseBody.Answer || !typeof (responseBody.Answer as any)[Symbol.iterator]) {
-        return returnArray;
-      }
-      for (const dnsEntry of responseBody.Answer) {
-        if (typeof dnsEntry.data === 'string' && dnsEntry.data.startsWith('"') && dnsEntry.data.endsWith('"')) {
-          dnsEntry.data = dnsEntry.data.replace(/^\"(.*)\"$/, '$1');
-        }
-        if (dnsEntry.name.endsWith('.')) {
-          dnsEntry.name = dnsEntry.name.substring(0, dnsEntry.name.length - 1);
-        }
-        returnArray.push({
-          name: dnsEntry.name,
-          type: this.convertDnsTypeNumberToTypeName(dnsEntry.type),
-          dnsSecEnabled: !!responseBody.AD,
-          value: dnsEntry.data,
-        });
-      }
-      return returnArray;
+    const tryRust = async (protocol: 'udp' | 'doh'): Promise<plugins.tsclass.network.IDnsRecord[]> => {
+      const bridge = this.getRustBridge();
+      const result = await bridge.resolve(
+        recordNameArg,
+        recordTypeArg,
+        protocol,
+        undefined,
+        undefined,
+        this.timeoutMs
+      );
+      return result.answers.map((answer) => ({
+        name: answer.name,
+        type: this.convertDnsTypeNameToCanonical(answer.type) || recordTypeArg,
+        dnsSecEnabled: result.adFlag,
+        value: answer.value,
+      }));
     };
 
     try {
@@ -238,22 +207,33 @@ export class Smartdns {
         return await trySystem();
       }
       if (this.strategy === 'doh') {
-        return await tryDoh();
+        return await tryRust('doh');
       }
-      // prefer-system
+      if (this.strategy === 'udp') {
+        return await tryRust('udp');
+      }
+      if (this.strategy === 'prefer-udp') {
+        try {
+          const udpRes = await tryRust('udp');
+          if (udpRes.length > 0) return udpRes;
+          return await tryRust('doh');
+        } catch (err) {
+          return await tryRust('doh');
+        }
+      }
+      // prefer-system (default)
       try {
         const sysRes = await trySystem();
         if (sysRes.length > 0) return sysRes;
-        return this.allowDohFallback ? await tryDoh() : [];
+        return this.allowDohFallback ? await tryRust('doh') : [];
       } catch (err) {
-        return this.allowDohFallback ? await tryDoh() : [];
+        return this.allowDohFallback ? await tryRust('doh') : [];
       }
     } catch (finalErr) {
       return [];
     }
   }
 
-
   /**
    * gets a record using nodejs dns resolver
    */
@@ -268,10 +248,11 @@ export class Smartdns {
         return;
       }
       const returnArray: plugins.tsclass.network.IDnsRecord[] = [];
-      for (const recordKey in recordsArg) {
+      for (const record of recordsArg as unknown[]) {
+        const value = Array.isArray(record) ? record.join('') : String(record);
         returnArray.push({
           name: recordNameArg,
-          value: recordsArg[recordKey][0],
+          value,
           type: recordTypeArg,
           dnsSecEnabled: false,
         });
@@ -300,7 +281,7 @@ export class Smartdns {
 
   public convertDnsTypeNumberToTypeName(
     dnsTypeNumberArg: number
-  ): plugins.tsclass.network.TDnsRecordType {
+  ): plugins.tsclass.network.TDnsRecordType | null {
     for (const key in this.dnsTypeMap) {
       if (this.dnsTypeMap[key] === dnsTypeNumberArg) {
         return key as plugins.tsclass.network.TDnsRecordType;
@@ -308,4 +289,25 @@ export class Smartdns {
     }
     return null;
   }
+
+  /**
+   * Convert a DNS type string from Rust (e.g. "A", "AAAA") to the canonical TDnsRecordType.
+   */
+  private convertDnsTypeNameToCanonical(typeName: string): plugins.tsclass.network.TDnsRecordType | null {
+    const upper = typeName.toUpperCase();
+    if (upper in this.dnsTypeMap) {
+      return upper as plugins.tsclass.network.TDnsRecordType;
+    }
+    return null;
+  }
+
+  /**
+   * Destroy the Rust client bridge and free resources.
+   */
+  public destroy(): void {
+    if (this.rustBridge) {
+      this.rustBridge.kill();
+      this.rustBridge = null;
+    }
+  }
 }

ts_client/classes.rustdnsclientbridge.ts

@@ -0,0 +1,168 @@
+import * as plugins from './plugins.js';
+
+// IPC command map for type-safe bridge communication
+export type TClientDnsCommands = {
+  resolve: {
+    params: IResolveParams;
+    result: IResolveResult;
+  };
+  ping: {
+    params: Record<string, never>;
+    result: { pong: boolean };
+  };
+};
+
+export interface IResolveParams {
+  name: string;
+  recordType: string;
+  protocol: 'udp' | 'doh';
+  serverAddr?: string;
+  dohUrl?: string;
+  timeoutMs?: number;
+}
+
+export interface IClientDnsAnswer {
+  name: string;
+  type: string;
+  ttl: number;
+  value: string;
+}
+
+export interface IResolveResult {
+  answers: IClientDnsAnswer[];
+  adFlag: boolean;
+  rcode: number;
+}
+
+/**
+ * Bridge to the Rust DNS client binary via smartrust IPC.
+ */
+export class RustDnsClientBridge {
+  private bridge: InstanceType<typeof plugins.smartrust.RustBridge<TClientDnsCommands>>;
+  private spawnPromise: Promise<boolean> | null = null;
+
+  constructor() {
+    const packageDir = plugins.path.resolve(
+      plugins.path.dirname(new URL(import.meta.url).pathname),
+      '..'
+    );
+
+    // Determine platform suffix for dist_rust binaries (matches tsrust naming)
+    const platformSuffix = getPlatformSuffix();
+    const localPaths: string[] = [];
+
+    // dist_rust/ candidates (tsrust cross-compiled output, platform-specific)
+    if (platformSuffix) {
+      localPaths.push(plugins.path.join(packageDir, 'dist_rust', `rustdns-client_${platformSuffix}`));
+    }
+    // dist_rust/ without suffix (native build)
+    localPaths.push(plugins.path.join(packageDir, 'dist_rust', 'rustdns-client'));
+    // Local dev build paths
+    localPaths.push(plugins.path.join(packageDir, 'rust', 'target', 'release', 'rustdns-client'));
+    localPaths.push(plugins.path.join(packageDir, 'rust', 'target', 'debug', 'rustdns-client'));
+
+    this.bridge = new plugins.smartrust.RustBridge<TClientDnsCommands>({
+      binaryName: 'rustdns-client',
+      cliArgs: ['--management'],
+      requestTimeoutMs: 30_000,
+      readyTimeoutMs: 10_000,
+      localPaths,
+      searchSystemPath: false,
+    });
+
+    this.bridge.on('stderr', (line: string) => {
+      if (line.trim()) {
+        console.log(`[rustdns-client] ${line}`);
+      }
+    });
+  }
+
+  /**
+   * Lazily spawn the Rust binary. Only spawns once, caches the promise.
+   */
+  public async ensureSpawned(): Promise<void> {
+    if (!this.spawnPromise) {
+      this.spawnPromise = this.bridge.spawn();
+    }
+    const ok = await this.spawnPromise;
+    if (!ok) {
+      this.spawnPromise = null;
+      throw new Error('Failed to spawn rustdns-client binary');
+    }
+  }
+
+  /**
+   * Resolve a DNS query through the Rust binary.
+   */
+  public async resolve(
+    name: string,
+    recordType: string,
+    protocol: 'udp' | 'doh',
+    serverAddr?: string,
+    dohUrl?: string,
+    timeoutMs?: number
+  ): Promise<IResolveResult> {
+    await this.ensureSpawned();
+    const params: IResolveParams = {
+      name,
+      recordType,
+      protocol,
+    };
+    if (serverAddr) params.serverAddr = serverAddr;
+    if (dohUrl) params.dohUrl = dohUrl;
+    if (timeoutMs) params.timeoutMs = timeoutMs;
+    return this.bridge.sendCommand('resolve', params);
+  }
+
+  /**
+   * Ping the Rust binary for health check.
+   */
+  public async ping(): Promise<boolean> {
+    await this.ensureSpawned();
+    const result = await this.bridge.sendCommand('ping', {} as Record<string, never>);
+    return result.pong;
+  }
+
+  /**
+   * Kill the Rust process.
+   */
+  public kill(): void {
+    this.bridge.kill();
+    this.spawnPromise = null;
+  }
+
+  /**
+   * Whether the bridge is running.
+   */
+  public get running(): boolean {
+    return this.bridge.running;
+  }
+}
+
+/**
+ * Get the tsrust platform suffix for the current platform.
+ */
+function getPlatformSuffix(): string | null {
+  const platform = process.platform;
+  const arch = process.arch;
+
+  const platformMap: Record<string, string> = {
+    'linux': 'linux',
+    'darwin': 'macos',
+    'win32': 'windows',
+  };
+
+  const archMap: Record<string, string> = {
+    'x64': 'amd64',
+    'arm64': 'arm64',
+  };
+
+  const p = platformMap[platform];
+  const a = archMap[arch];
+
+  if (p && a) {
+    return `${p}_${a}`;
+  }
+
+  return null;
+}

ts_client/index.ts

@@ -1 +1,2 @@
 export * from './classes.dnsclient.js';
+export * from './classes.rustdnsclientbridge.js';

ts_client/plugins.ts

@@ -6,12 +6,19 @@ const dns: typeof dnsType = await smartenvInstance.getSafeNodeModule('dns');
 
 export { dns };
 
+// node native scope
+import * as path from 'path';
+import { EventEmitter } from 'events';
+
+export { path };
+export const events = { EventEmitter };
+
 // pushrocks scope
 import * as smartdelay from '@push.rocks/smartdelay';
 import * as smartpromise from '@push.rocks/smartpromise';
-import * as smartrequest from '@push.rocks/smartrequest';
+import * as smartrust from '@push.rocks/smartrust';
 
-export { smartdelay, smartenv, smartpromise, smartrequest };
+export { smartdelay, smartenv, smartpromise, smartrust };
 
 import * as tsclass from '@tsclass/tsclass';
 

ts_client/readme.md

@@ -0,0 +1,94 @@
+# @push.rocks/smartdns/client
+
+DNS client module for `@push.rocks/smartdns` — provides DNS record resolution via system resolver, raw UDP wire-format queries, and DNS-over-HTTPS (RFC 8484), with UDP and DoH powered by a Rust binary for performance.
+
+## Import
+
+```typescript
+import { Smartdns, makeNodeProcessUseDnsProvider } from '@push.rocks/smartdns/client';
+```
+
+## Architecture
+
+The client routes queries through one of three backends depending on the configured strategy:
+
+- **System** — Uses Node.js `dns` module (`dns.lookup` / `dns.resolveTxt`). Honors `/etc/hosts`. No external binary.
+- **UDP** — Sends raw DNS wire-format queries to upstream resolvers (default: Cloudflare 1.1.1.1) via the `rustdns-client` Rust binary over IPC.
+- **DoH** — Sends RFC 8484 wire-format POST requests to a DoH endpoint (default: `https://cloudflare-dns.com/dns-query`) via the same Rust binary.
+
+The Rust binary is spawned **lazily** — only when the first UDP or DoH query is made. The binary stays alive for connection pooling (DoH) and is killed via `destroy()`.
+
+## Classes & Functions
+
+### `Smartdns`
+
+The main DNS client class. Supports five resolution strategies:
+
+| Strategy | Behavior |
+|---|---|
+| `prefer-system` | Try OS resolver first, fall back to Rust DoH |
+| `system` | Use only Node.js system resolver |
+| `doh` | Use only Rust DoH (RFC 8484 wire format) |
+| `udp` | Use only Rust UDP to upstream resolver |
+| `prefer-udp` | Try Rust UDP first, fall back to Rust DoH |
+
+```typescript
+const dns = new Smartdns({
+  strategy: 'prefer-udp',
+  allowDohFallback: true,
+  timeoutMs: 5000,
+});
+```
+
+#### Key Methods
+
+| Method | Description |
+|---|---|
+| `getRecordsA(domain)` | Resolve A records (IPv4) |
+| `getRecordsAAAA(domain)` | Resolve AAAA records (IPv6) |
+| `getRecordsTxt(domain)` | Resolve TXT records |
+| `getRecords(domain, type, retries?)` | Generic query — supports A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV |
+| `getNameServers(domain)` | Resolve NS records |
+| `checkUntilAvailable(domain, type, value, cycles?, interval?)` | Poll until a record propagates |
+| `destroy()` | Kill the Rust client binary and free resources |
+
+All query methods return `IDnsRecord[]`:
+
+```typescript
+interface IDnsRecord {
+  name: string;
+  type: string;
+  dnsSecEnabled: boolean; // true if upstream AD flag was set
+  value: string;
+}
+```
+
+### `RustDnsClientBridge`
+
+Low-level IPC bridge to the `rustdns-client` binary. Used internally by `Smartdns` — typically not imported directly. Provides:
+
+- `ensureSpawned()` — lazy spawn of the Rust binary
+- `resolve(name, type, protocol, ...)` — send a resolve command via IPC
+- `ping()` — health check
+- `kill()` — terminate the binary
+
+### `makeNodeProcessUseDnsProvider(provider)`
+
+Configures the global Node.js DNS resolver to use a specific provider:
+
+```typescript
+makeNodeProcessUseDnsProvider('cloudflare'); // 1.1.1.1
+makeNodeProcessUseDnsProvider('google');     // 8.8.8.8
+```
+
+## Supported Record Types
+
+A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV
+
+## Dependencies
+
+- `@push.rocks/smartrust` — TypeScript-to-Rust IPC bridge
+- `@push.rocks/smartrequest` — HTTP client (used by legacy paths)
+- `@push.rocks/smartdelay` — delay utility for retry logic
+- `@push.rocks/smartpromise` — deferred promise helper
+- `@tsclass/tsclass` — DNS record type definitions

ts_server/classes.dnsserver.ts

@@ -1,6 +1,5 @@
 import * as plugins from './plugins.js';
-import { RustDnsBridge, type IDnsQueryEvent, type IIpcDnsAnswer, type IRustDnsConfig } from './classes.rustdnsbridge.js';
-import * as dnsPacket from 'dns-packet';
+import { RustDnsBridge, type IDnsQueryEvent, type IIpcDnsAnswer, type IIpcDnsQuestion, type IRustDnsConfig } from './classes.rustdnsbridge.js';
 
 export interface IDnsServerOptions {
   httpsKey: string;
@@ -27,10 +26,16 @@ export interface DnsAnswer {
   data: any;
 }
 
+export interface IDnsQuestion {
+  name: string;
+  type: string;
+  class?: string;
+}
+
 export interface IDnsHandler {
   domainPattern: string;
   recordTypes: string[];
-  handler: (question: dnsPacket.Question) => DnsAnswer | null;
+  handler: (question: IDnsQuestion) => DnsAnswer | null;
 }
 
 // Let's Encrypt related interfaces
@@ -40,7 +45,18 @@ interface LetsEncryptOptions {
   certDir?: string;
 }
 
-export class DnsServer {
+export interface IDnsQueryCompletedEvent {
+  /** The original questions from the query */
+  questions: IIpcDnsQuestion[];
+  /** Whether any handler answered the query */
+  answered: boolean;
+  /** How long handler resolution took (ms) */
+  responseTimeMs: number;
+  /** Timestamp of the query */
+  timestamp: number;
+}
+
+export class DnsServer extends plugins.events.EventEmitter {
   private bridge: RustDnsBridge;
   private handlers: IDnsHandler[] = [];
 
@@ -52,12 +68,21 @@ export class DnsServer {
   private udpServer: any = null;
 
   constructor(private options: IDnsServerOptions) {
+    super();
     this.bridge = new RustDnsBridge();
 
     // Wire up the dnsQuery event to run TypeScript handlers
     this.bridge.on('dnsQuery', async (event: IDnsQueryEvent) => {
       try {
+        const startTime = Date.now();
         const answers = this.resolveQuery(event);
+        const responseTimeMs = Date.now() - startTime;
+        this.emit('query', {
+          questions: event.questions,
+          answered: answers.answered,
+          responseTimeMs,
+          timestamp: startTime,
+        } satisfies IDnsQueryCompletedEvent);
         await this.bridge.sendQueryResult(
           event.correlationId,
           answers.answers,
@@ -80,7 +105,7 @@ export class DnsServer {
   public registerHandler(
     domainPattern: string,
     recordTypes: string[],
-    handler: (question: dnsPacket.Question) => DnsAnswer | null
+    handler: (question: IDnsQuestion) => DnsAnswer | null
   ): void {
     this.handlers.push({ domainPattern, recordTypes, handler });
   }
@@ -225,147 +250,15 @@ export class DnsServer {
       });
   }
 
-  /**
-   * Process a raw DNS packet and return the response.
-   * Synchronous version using the TypeScript fallback (for backward compatibility).
-   */
-  public processRawDnsPacket(packet: Buffer): Buffer {
-    // Synchronous fallback — process locally using TypeScript handler logic
-    // This is needed for backward-compatible callers that expect sync results
-    try {
-      const request = dnsPacket.decode(packet);
-      const response = this.processDnsRequest(request);
-      return dnsPacket.encode(response) as unknown as Buffer;
-    } catch (err) {
-      console.error('Error processing raw DNS packet:', err);
-      throw err;
-    }
-  }
-
   /**
    * Process a raw DNS packet asynchronously via Rust bridge.
    */
   public async processRawDnsPacketAsync(packet: Buffer): Promise<Buffer> {
-    if (this.bridgeSpawned) {
+    if (!this.bridgeSpawned) {
+      throw new Error('DNS server not started — call start() first');
+    }
     return this.bridge.processPacket(packet);
   }
-    // Fallback to local processing if bridge not spawned
-    return this.processRawDnsPacket(packet);
-  }
-
-  /**
-   * Process a DNS request locally (TypeScript handler resolution).
-   * Used as fallback and for pre-bridge-spawn calls.
-   */
-  public processDnsRequest(request: dnsPacket.Packet): dnsPacket.Packet {
-    const response: dnsPacket.Packet = {
-      type: 'response',
-      id: request.id,
-      flags:
-        dnsPacket.AUTHORITATIVE_ANSWER |
-        dnsPacket.RECURSION_AVAILABLE |
-        (request.flags & dnsPacket.RECURSION_DESIRED ? dnsPacket.RECURSION_DESIRED : 0),
-      questions: request.questions,
-      answers: [],
-      additionals: [],
-    };
-
-    for (const question of request.questions) {
-      let answered = false;
-      const recordsForQuestion: DnsAnswer[] = [];
-
-      // Built-in handling for localhost and reverse localhost (RFC 6761)
-      const enableLocal = this.options.enableLocalhostHandling !== false;
-      if (enableLocal) {
-        const qnameLower = (question.name || '').toLowerCase();
-        const qnameTrimmed = qnameLower.endsWith('.') ? qnameLower.slice(0, -1) : qnameLower;
-
-        if (qnameTrimmed === 'localhost') {
-          if (question.type === 'A') {
-            recordsForQuestion.push({
-              name: question.name,
-              type: 'A',
-              class: 'IN',
-              ttl: 0,
-              data: '127.0.0.1',
-            });
-            answered = true;
-          } else if (question.type === 'AAAA') {
-            recordsForQuestion.push({
-              name: question.name,
-              type: 'AAAA',
-              class: 'IN',
-              ttl: 0,
-              data: '::1',
-            });
-            answered = true;
-          }
-        }
-
-        if (!answered) {
-          const reverseLocalhostV4 = '1.0.0.127.in-addr.arpa';
-          if (qnameTrimmed === reverseLocalhostV4 && question.type === 'PTR') {
-            recordsForQuestion.push({
-              name: question.name,
-              type: 'PTR',
-              class: 'IN',
-              ttl: 0,
-              data: 'localhost.',
-            });
-            answered = true;
-          }
-        }
-      }
-
-      // Collect all matching records from handlers
-      if (!answered) {
-        for (const handlerEntry of this.handlers) {
-          if (
-            plugins.minimatch.minimatch(question.name, handlerEntry.domainPattern) &&
-            handlerEntry.recordTypes.includes(question.type)
-          ) {
-            const answer = handlerEntry.handler(question);
-            if (answer) {
-              const dnsAnswer: DnsAnswer = {
-                ...answer,
-                ttl: answer.ttl || 300,
-                class: answer.class || 'IN',
-              };
-              recordsForQuestion.push(dnsAnswer);
-              answered = true;
-            }
-          }
-        }
-      }
-
-      if (recordsForQuestion.length > 0) {
-        for (const record of recordsForQuestion) {
-          response.answers.push(record as plugins.dnsPacket.Answer);
-        }
-      }
-
-      if (!answered) {
-        const soaAnswer: DnsAnswer = {
-          name: question.name,
-          type: 'SOA',
-          class: 'IN',
-          ttl: 3600,
-          data: {
-            mname: this.options.primaryNameserver || `ns1.${this.options.dnssecZone}`,
-            rname: `hostmaster.${this.options.dnssecZone}`,
-            serial: Math.floor(Date.now() / 1000),
-            refresh: 3600,
-            retry: 600,
-            expire: 604800,
-            minimum: 86400,
-          },
-        };
-        response.answers.push(soaAnswer as plugins.dnsPacket.Answer);
-      }
-    }
-
-    return response;
-  }
 
   /**
    * Retrieve SSL certificate for specified domains using Let's Encrypt
@@ -451,7 +344,7 @@ export class DnsServer {
         this.registerHandler(
           challengeDomain,
           ['TXT'],
-          (question: dnsPacket.Question): DnsAnswer | null => {
+          (question: IDnsQuestion): DnsAnswer | null => {
             if (question.name === challengeDomain && question.type === 'TXT') {
               return {
                 name: question.name,
@@ -554,10 +447,10 @@ export class DnsServer {
     let answered = false;
 
     for (const q of event.questions) {
-      const question: dnsPacket.Question = {
+      const question: IDnsQuestion = {
         name: q.name,
-        type: q.type as any,
-        class: q.class as any,
+        type: q.type,
+        class: q.class,
       };
 
       for (const handlerEntry of this.handlers) {

ts_server/plugins.ts

@@ -24,10 +24,8 @@ export {
 }
 
 // third party
-import * as dnsPacket from 'dns-packet';
 import * as minimatch from 'minimatch';
 
 export {
-  dnsPacket,
   minimatch,
 }

ts_server/readme.md

@@ -0,0 +1,110 @@
+# @push.rocks/smartdns/server
+
+DNS server module for `@push.rocks/smartdns` — a full-featured authoritative DNS server powered by a Rust backend with DNSSEC, DNS-over-HTTPS, and Let's Encrypt integration.
+
+## Import
+
+```typescript
+import { DnsServer } from '@push.rocks/smartdns/server';
+```
+
+## Architecture
+
+The server delegates network I/O, DNS packet parsing/encoding, and DNSSEC signing to a compiled **Rust binary** (`rustdns`). TypeScript retains the public API, handler registration, and ACME certificate orchestration.
+
+Communication happens via JSON-over-stdin/stdout IPC using `@push.rocks/smartrust`'s `RustBridge`. DNS queries that need handler resolution are forwarded from Rust to TypeScript with correlation IDs, then results are sent back for response assembly and DNSSEC signing.
+
+### Rust Crate Structure
+
+| Crate | Purpose |
+|---|---|
+| `rustdns` | Main binary with IPC management loop |
+| `rustdns-protocol` | DNS wire format parsing/encoding, RDATA encode/decode |
+| `rustdns-server` | Async UDP + HTTPS servers (tokio, hyper, rustls) |
+| `rustdns-dnssec` | ECDSA/ED25519 key generation and RRset signing |
+
+## Classes
+
+### `DnsServer`
+
+The primary class. Manages handler registration, server lifecycle, and certificate retrieval.
+
+```typescript
+const server = new DnsServer({
+  udpPort: 53,
+  httpsPort: 443,
+  httpsKey: '...pem...',
+  httpsCert: '...pem...',
+  dnssecZone: 'example.com',
+  primaryNameserver: 'ns1.example.com',
+});
+```
+
+#### Options
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `udpPort` | `number` | — | UDP DNS port |
+| `httpsPort` | `number` | — | HTTPS DoH port |
+| `httpsKey` | `string` | — | TLS private key (PEM) |
+| `httpsCert` | `string` | — | TLS certificate (PEM) |
+| `dnssecZone` | `string` | — | Zone to enable DNSSEC for |
+| `primaryNameserver` | `string` | `ns1.{zone}` | SOA mname field |
+| `udpBindInterface` | `string` | `0.0.0.0` | IP to bind UDP |
+| `httpsBindInterface` | `string` | `0.0.0.0` | IP to bind HTTPS |
+| `manualUdpMode` | `boolean` | `false` | Don't auto-bind UDP |
+| `manualHttpsMode` | `boolean` | `false` | Don't auto-bind HTTPS |
+| `enableLocalhostHandling` | `boolean` | `true` | Handle RFC 6761 localhost |
+
+#### Key Methods
+
+| Method | Description |
+|---|---|
+| `start()` | Spawn Rust binary and start listening |
+| `stop()` | Gracefully shut down |
+| `registerHandler(pattern, types, fn)` | Add a DNS handler (glob patterns via minimatch) |
+| `unregisterHandler(pattern, types)` | Remove a handler |
+| `handleUdpMessage(msg, rinfo, cb)` | Process a UDP message manually |
+| `processRawDnsPacket(buf)` | Sync packet processing (TS fallback) |
+| `processRawDnsPacketAsync(buf)` | Async packet processing (Rust bridge, includes DNSSEC) |
+| `retrieveSslCertificate(domains, opts)` | ACME DNS-01 certificate retrieval |
+| `filterAuthorizedDomains(domains)` | Filter domains the server is authoritative for |
+
+### `RustDnsBridge`
+
+Low-level IPC bridge to the `rustdns` binary. Used internally by `DnsServer` — typically not imported directly.
+
+Emits events: `dnsQuery`, `started`, `stopped`, `error`.
+
+## Handler System
+
+Handlers use **glob patterns** (via `minimatch`) for domain matching. Multiple handlers can contribute records to a single response.
+
+```typescript
+server.registerHandler('*.example.com', ['A'], (question) => ({
+  name: question.name,
+  type: 'A',
+  class: 'IN',
+  ttl: 300,
+  data: '10.0.0.1',
+}));
+```
+
+When no handler matches, the server returns an automatic **SOA record** for the zone.
+
+## DNSSEC
+
+Enabled automatically with the `dnssecZone` option. Supports:
+
+- **ECDSAP256SHA256** (13) — default
+- **ED25519** (15)
+- **RSASHA256** (8)
+
+Key generation, DNSKEY/RRSIG/NSEC record creation is fully handled by the Rust backend.
+
+## Dependencies
+
+- `@push.rocks/smartrust` — TypeScript-to-Rust IPC bridge
+- `dns-packet` — DNS wire format codec (used for TS fallback path)
+- `minimatch` — glob pattern matching for handlers
+- `acme-client` — Let's Encrypt ACME protocol

tsconfig.json

@@ -5,8 +5,10 @@
     "target": "ES2022",
     "module": "NodeNext",
     "moduleResolution": "NodeNext",
+    "noImplicitAny": true,
     "esModuleInterop": true,
-    "verbatimModuleSyntax": true
+    "verbatimModuleSyntax": true,
+    "types": ["node"]
   },
   "exclude": [
     "dist_*/**/*.d.ts"