Enhance DNS resolutionn

Author: poupas

Dockerfile

@@ -77,6 +77,7 @@ RUN set -eux \
        dnsutils \
        wireguard-tools \
        ca-certificates \
+       ipcalc \
     && apt-get clean \
     && for d in bin etc lib run sbin; do mkdir -p /farcaster/"${d}"; done \
     && ln -s /run/farcaster/wg-tunnel.conf /farcaster/etc/ \

scripts/_lib.sh

@@ -117,8 +117,19 @@ get_iface_addr() {
 
 resolve_host() {
 	host="$1"
-	dig +short "${host}" | grep '^[.0-9]*$' | sort
-	return $?
+	# Check if it's already an IP address using ipcalc
+	if ! ipcalc -n -b "${host}" 2>&1 | grep -qi "INVALID ADDRESS"; then
+		echo "${host}"
+		return 0
+	fi
+	# Otherwise, resolve via DNS
+	resolved=$(dig a +short "${host}" | head -1)
+	if [ -z "${resolved}" ]; then
+		# DNS resolution failed, return empty
+		return 1
+	fi
+	echo "${resolved}"
+	return 0
 }
 
 HUB_IP_CHECK_TS=
@@ -229,7 +240,7 @@ get_proxy_address() {
 	echo "${proxy}" | sed 's|^.*@||'
 }
 
-get_proxy_host_from_address() {
+extract_host_from_proxy_address() {
 	local address="$1"
 	# Remove protocol if present
 	address=$(echo "${address}" | sed -r 's|^https?://||')
@@ -264,6 +275,11 @@ get_proxy_port() {
 start_udp_over_tcp_tunnel() {
 	local_udp_port="$1"
 	remote_ip=$(resolve_host "$2")
+	if [ -z "${remote_ip}" ]; then
+		echo "Failed to resolve host: $2" >&2
+		echo "-1"
+		return 1
+	fi
 	remote_tcp_port="$3"
 	setpriv --reuid=tcptun --regid=tcptun --clear-groups --no-new-privs \
 		nohup /usr/local/bin/udp2tcp --tcp-forward "${remote_ip}":"${remote_tcp_port}" --udp-listen 127.0.0.1:${local_udp_port} > /dev/null &
@@ -288,8 +304,8 @@ create_moproxy_config() {
 	user=$(get_proxy_username)
 	password=$(get_proxy_password)
 	address=$(get_proxy_address)
-	host=$(get_proxy_host_from_address "${address}")
-	ipaddr=$(dig +short "${host}" || echo "")
+	host=$(extract_host_from_proxy_address "${address}")
+	ipaddr=$(resolve_host "${host}" || echo "")
 	ipaddr=$(test ! -z "${ipaddr}" && echo "${ipaddr}" || echo "${host}")
 	port=$(get_proxy_port "${address}")
 	auth=$(test ! -z "${user}" && printf "http username = %s\nhttp password = %s\n" "${user}" "${password}" || echo "")
@@ -316,7 +332,7 @@ set_proxy_redirect_rules() {
 	done
 	# Do not redirect traffic to the proxy itself
 	proxy_addr=$(get_proxy_address)
-	proxy_host=$(get_proxy_host_from_address "${proxy_addr}")
+	proxy_host=$(extract_host_from_proxy_address "${proxy_addr}")
 	${IPT_CMD} -t nat -A PROXY-REDIRECT -d "${proxy_host}" -j RETURN
 
 	${IPT_CMD} -t nat -A PROXY-REDIRECT -p tcp -j REDIRECT --to-port "${proxy_port}"
@@ -409,24 +425,27 @@ start_userspace_agent() {
 }
 
 scrub_secrets() {
-	local text="${1}"
-	local temp_file=$(mktemp)
-	echo "${text}" > "${temp_file}"
-
-	for secret in FARCASTER_AGENT_TOKEN HTTP_PROXY HTTPS_PROXY SOCKS5_PROXY; do
-		# Word boundary: (^|[^A-Za-z0-9_])
-		sed -i -E \
-			-e "s/(^|[^A-Za-z0-9_])${secret}[[:space:]]*=[[:space:]]*([^[:space:]\"']+)/\1${secret}=********/g" \
-			-e "s/(^|[^A-Za-z0-9_])${secret}[[:space:]]*=[[:space:]]*\"([^\"]*)\"/\1${secret}=\"********\"/g" \
-			-e "s/(^|[^A-Za-z0-9_])${secret}[[:space:]]*=[[:space:]]*'([^']*)'/\1${secret}='********'/g" \
-			"${temp_file}"
+	local text="$1"
+	shift  # Remove first argument, leaving only secrets
+
+	local result="$text"
+
+	# Replace each secret value with asterisks
+	for secret in "$@"; do
+		# Skip empty values
+		[ -z "$secret" ] && continue
+
+		# Escape special regex characters in the secret
+		local escaped_secret=$(printf '%s\n' "$secret" | sed 's/[[\.*^$()+?{|]/\\&/g')
+
+		# Replace all occurrences of the secret with asterisks
+		result=$(echo "$result" | sed "s/${escaped_secret}/*******/g")
 	done
 
-	cat "${temp_file}"
-	rm -f "${temp_file}"
+	echo "$result"
 }
 
-function print_log() {
+function dump_log() {
 	set +e
 	echo
 	echo
@@ -438,8 +457,14 @@ function print_log() {
 		local content
 		local scrubbed
 		content=$(cat "${log_file}" 2>/dev/null)
-		scrubbed=$(scrub_secrets "${content}" 2>/dev/null)
-		echo "${scrubbed}" > "${log_file}"
+		# Ensure the log file is removed.
+		rm -f "${log_file}"
+		scrubbed=$(scrub_secrets "${content}" \
+			"${FARCASTER_AGENT_TOKEN:-}" \
+			"${HTTP_PROXY:-}" \
+			"${HTTPS_PROXY:-}" \
+			"${SOCKS5_PROXY:-}")
+		echo "${scrubbed}"
 	fi
 
 	echo
@@ -452,6 +477,7 @@ function print_log() {
 	echo
 	echo "===================================================================="
 	echo
+
 	sleep 120
 }
 

scripts/run.sh

@@ -66,20 +66,20 @@ if [ "${v2_config_success}" != "true" ]; then
 	elif [ -f "${SECRETS_DIR_V2}/wg-tunnel.conf" ] && [ -f "${SECRETS_DIR_V2}/wg-gateway.conf" ]; then
 		cp ${SECRETS_DIR_V2}/* "${WORK_DIR}/"
 	else
-		print_log "${LOG_FILE}"
+		dump_log "${LOG_FILE}"
 		echo "Could not find the configuration files and the agent token is not set."
 	fi
 fi
 
 if [ ! -f "${WORK_DIR}/wg-tunnel.conf" ] || [ ! -f "${WORK_DIR}/wg-gateway.conf" ]; then
 	echo "Could not find the configuration files."
-	print_log "${LOG_FILE}"
+	dump_log "${LOG_FILE}"
 	exit 1
 fi
 
 if ! HUB_HOST="$(wg_get_endpoint "${WG_TUN_IF}")"; then
 	echo "Could not find the hub host"
-	print_log "${LOG_FILE}"
+	dump_log "${LOG_FILE}"
 	exit 1
 fi
 
@@ -98,7 +98,7 @@ echo -ne "Starting local DNS resolver\t... "
 if ! start_dnsmasq; then
 	echo "failed"
 	echo "Could not start local DNS resolver"
-	print_log "${LOG_FILE}"
+	dump_log "${LOG_FILE}"
 	exit 1
 fi
 echo "done"
@@ -111,7 +111,7 @@ if ! start_proxy_maybe "${TCP_PROXY_PORT}"; then
 	echo -n "HTTP_PROXY defined, but could not set traffic redirection rules. "
 	echo "Ensure HTTP_PROXY is correct and this container has NET_ADMIN capabilities."
 	echo
-	print_log "${LOG_FILE}"
+	dump_log "${LOG_FILE}"
 	exit 1
 fi
 echo "done"
@@ -140,7 +140,7 @@ if [ "${CONNECTED_UDP}" = "0" ]; then
 		echo
 		echo "Could not start fallback TCP tunnel."
 		proxy_warning
-		print_log "${LOG_FILE}"
+		dump_log "${LOG_FILE}"
 		exit 1
 	fi
 	echo "done"
@@ -154,7 +154,7 @@ if [ "${CONNECTED_UDP}" = "0" ]; then
 		echo
 		echo "Could not establish TCP tunnel."
 		proxy_warning
-		print_log "${LOG_FILE}"
+		dump_log "${LOG_FILE}"
 		exit 1
 	fi
 	echo "done"
@@ -170,7 +170,7 @@ if [ "${DISABLE_FIREWALL}" != "true" ] &&
 		echo "failed"
 		echo
 		echo "Could not set network gateway filter rules."
-		print_log "${LOG_FILE}"
+		dump_log "${LOG_FILE}"
 		exit 1
 	else
 		echo "done"
@@ -184,7 +184,7 @@ if ! set_gw_nat_rules; then
 	echo "failed"
 	echo
 	echo "Could not set network gateway NAT rules."
-	print_log "${LOG_FILE}"
+	dump_log "${LOG_FILE}"
 	exit 1
 fi
 echo "done"
@@ -194,7 +194,7 @@ if ! wg_start "${WG_GW_IF}"; then
 	echo "failed"
 	echo
 	echo "Could not start WireGuard gateway."
-	print_log "${LOG_FILE}"
+	dump_log "${LOG_FILE}"
 	exit 1
 fi
 echo "done"

tests/agent/docker-compose.yml

@@ -23,7 +23,7 @@ services:
       - FARCASTER_API_URL
       - FARCASTER_FORCE_TCP
     cap_add:
-    - ${NET_ADMIN}
+      - ${NET_ADMIN:-SETUID}
     volumes:
     - shared-logs:/logs
     restart: "no"

tests/proxy/docker-compose.yml

@@ -11,7 +11,7 @@ services:
     - /bin/bash
     - -c
     - set -eu
-      && proxy_ip=$$(dig +short proxy) 
+      && proxy_ip=$$(dig +short proxy)
       && iptables -t nat -I PREROUTING -p tcp -m multiport --dport 80,443 -j REDIRECT --to-port 1080
       && iptables -t nat -I OUTPUT -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 1080
       && { curl ifconfig.me >/dev/null 2>&1 && echo "FAILED" || echo "OK"; }