Merge pull request #146 from SenseUnit/ext-resolver

External resolver integration

Author: Snawoot

README.md

@@ -25,7 +25,13 @@ Simple, scriptable, secure forward proxy.
     * Optional AEAD encryption layer for cache
 * Per-user bandwidth limits
 * HTTP/2 support, both server and client, including h2c support
-* Optional DNS cache
+* Advanced DNS support
+  * Plain DNS
+  * DNS-over-HTTPS
+  * DNS-over-TLS
+  * System-provided DNS
+  * Competitive parallel resolving using any of above
+  * Optional DNS cache
 * Resilient to DPI (including active probing, see `hidden_domain` option for authentication providers)
 * Connecting via upstream HTTP(S)/SOCKS5 proxies (proxy chaining)
   * Optional parroting of TLS fingerprints of popular software such as web browsers.
@@ -493,6 +499,10 @@ Usage of /home/user/go/bin/dumbproxy:
     	timeout for shared resolves of DNS cache (default 5s)
   -dns-cache-ttl duration
     	enable DNS cache with specified fixed TTL
+  -dns-prefer-address value
+    	address resolution preference (none/ipv4/ipv6) (default ipv4)
+  -dns-server value
+    	nameserver specification (udp://..., tcp://..., https://..., tls://..., doh://..., dot://..., default://). Option can be used multiple times for parallel use of multiple nameservers. Empty string resets the list
   -hmac-genkey
     	generate hex-encoded HMAC signing key of optimal length
   -hmac-sign

go.mod

@@ -11,6 +11,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/libp2p/go-reuseport v0.4.0
+	github.com/ncruces/go-dns v1.2.7
 	github.com/redis/go-redis/v9 v9.13.0
 	github.com/refraction-networking/utls v1.8.0
 	github.com/tg123/go-htpasswd v1.2.4

go.sum

@@ -41,6 +41,8 @@ github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzh
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/libp2p/go-reuseport v0.4.0 h1:nR5KU7hD0WxXCJbmw7r2rhRYruNRl2koHw8fQscQm2s=
 github.com/libp2p/go-reuseport v0.4.0/go.mod h1:ZtI03j/wO5hZVDFo2jKywN6bYKWLOy8Se6DrI2E1cLU=
+github.com/ncruces/go-dns v1.2.7 h1:NMA7vFqXUl+nBhGFlleLyo2ni3Lqv3v+qFWZidzRemI=
+github.com/ncruces/go-dns v1.2.7/go.mod h1:SqmhVMBd8Wr7hsu3q6yTt6/Jno/xLMrbse/JLOMBo1Y=
 github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
 github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

main.go

@@ -42,6 +42,7 @@ import (
 	"github.com/SenseUnit/dumbproxy/forward"
 	"github.com/SenseUnit/dumbproxy/handler"
 	clog "github.com/SenseUnit/dumbproxy/log"
+	"github.com/SenseUnit/dumbproxy/resolver"
 	"github.com/SenseUnit/dumbproxy/tlsutil"
 	proxyproto "github.com/pires/go-proxyproto"
 
@@ -196,6 +197,25 @@ type autocertCache struct {
 
 const envCacheEncKey = "DUMBPROXY_CACHE_ENC_KEY"
 
+type dnsPreferenceArg resolver.Preference
+
+func (a *dnsPreferenceArg) String() string {
+	return resolver.Preference(*a).String()
+}
+
+func (a *dnsPreferenceArg) Set(s string) error {
+	p, err := resolver.ParsePreference(s)
+	if err != nil {
+		return nil
+	}
+	*a = dnsPreferenceArg(p)
+	return nil
+}
+
+func (a *dnsPreferenceArg) Value() resolver.Preference {
+	return resolver.Preference(*a)
+}
+
 type bindSpec struct {
 	af      string
 	address string
@@ -240,6 +260,8 @@ type CLIArgs struct {
 	bwBurst                   int64
 	bwBuckets                 uint
 	bwSeparate                bool
+	dnsServers                []string
+	dnsPreferAddress          dnsPreferenceArg
 	dnsCacheTTL               time.Duration
 	dnsCacheNegTTL            time.Duration
 	dnsCacheTimeout           time.Duration
@@ -275,6 +297,7 @@ func parse_args() CLIArgs {
 			address: ":8080",
 			af:      "tcp",
 		},
+		dnsPreferAddress: dnsPreferenceArg(resolver.PreferenceIPv4),
 	}
 	args.autocertCacheEncKey.Set(os.Getenv(envCacheEncKey))
 	flag.Func("bind-address", "HTTP proxy listen address. Set empty value to use systemd socket activation. (default \":8080\")", func(p string) error {
@@ -360,6 +383,15 @@ func parse_args() CLIArgs {
 	flag.Int64Var(&args.bwBurst, "bw-limit-burst", 0, "allowed burst size for bandwidth limit, how many \"tokens\" can fit into leaky bucket")
 	flag.UintVar(&args.bwBuckets, "bw-limit-buckets", 1024*1024, "number of buckets of bandwidth limit")
 	flag.BoolVar(&args.bwSeparate, "bw-limit-separate", false, "separate upload and download bandwidth limits")
+	flag.Func("dns-server", "nameserver specification (udp://..., tcp://..., https://..., tls://..., doh://..., dot://..., default://). Option can be used multiple times for parallel use of multiple nameservers. Empty string resets the list", func(p string) error {
+		if p == "" {
+			args.dnsServers = nil
+		} else {
+			args.dnsServers = append(args.dnsServers, p)
+		}
+		return nil
+	})
+	flag.Var(&args.dnsPreferAddress, "dns-prefer-address", "address resolution preference (none/ipv4/ipv6)")
 	flag.DurationVar(&args.dnsCacheTTL, "dns-cache-ttl", 0, "enable DNS cache with specified fixed TTL")
 	flag.DurationVar(&args.dnsCacheNegTTL, "dns-cache-neg-ttl", time.Second, "TTL for negative responses of DNS cache")
 	flag.DurationVar(&args.dnsCacheTimeout, "dns-cache-timeout", 5*time.Second, "timeout for shared resolves of DNS cache")
@@ -510,10 +542,19 @@ func run() int {
 
 	dialerRoot = dialer.NewFilterDialer(filterRoot.Access, dialerRoot) // must follow after resolving in chain
 
+	var nameResolver dialer.Resolver = net.DefaultResolver
+	if len(args.dnsServers) > 0 {
+		nameResolver, err = resolver.FastFromURLs(args.dnsServers...)
+		if err != nil {
+			mainLogger.Critical("Failed to create name resolver: %v", err)
+			return 3
+		}
+	}
+	nameResolver = resolver.Prefer(nameResolver, args.dnsPreferAddress.Value())
 	if args.dnsCacheTTL > 0 {
 		cd := dialer.NewNameResolveCachingDialer(
 			dialerRoot,
-			net.DefaultResolver,
+			nameResolver,
 			args.dnsCacheTTL,
 			args.dnsCacheNegTTL,
 			args.dnsCacheTimeout,
@@ -522,7 +563,7 @@ func run() int {
 		defer cd.Stop()
 		dialerRoot = cd
 	} else {
-		dialerRoot = dialer.NewNameResolvingDialer(dialerRoot, net.DefaultResolver)
+		dialerRoot = dialer.NewNameResolvingDialer(dialerRoot, nameResolver)
 	}
 
 	// handler requisites

resolver/factory.go

@@ -0,0 +1,63 @@
+package resolver
+
+import (
+	"errors"
+	"net"
+	"net/url"
+	"strings"
+
+	"github.com/ncruces/go-dns"
+)
+
+func FromURL(u string) (*net.Resolver, error) {
+begin:
+	parsed, err := url.Parse(u)
+	if err != nil {
+		return nil, err
+	}
+	host := parsed.Hostname()
+	port := parsed.Port()
+	switch scheme := strings.ToLower(parsed.Scheme); scheme {
+	case "":
+		switch {
+		case strings.HasPrefix(u, "//"):
+			u = "dns:" + u
+		default:
+			u = "dns://" + u
+		}
+		goto begin
+	case "udp", "dns":
+		if port == "" {
+			port = "53"
+		}
+		return NewPlainResolver(net.JoinHostPort(host, port)), nil
+	case "tcp":
+		if port == "" {
+			port = "53"
+		}
+		return NewTCPResolver(net.JoinHostPort(host, port)), nil
+	case "http", "https", "doh":
+		if port == "" {
+			if scheme == "http" {
+				port = "80"
+			} else {
+				port = "443"
+			}
+		}
+		if scheme == "doh" {
+			parsed.Scheme = "https"
+			u = parsed.String()
+		}
+		return dns.NewDoHResolver(u, dns.DoHAddresses(net.JoinHostPort(host, port)))
+	case "tls", "dot":
+		if port == "" {
+			port = "853"
+		}
+		hp := net.JoinHostPort(host, port)
+		return dns.NewDoTResolver(hp, dns.DoTAddresses(hp))
+	case "default":
+		return net.DefaultResolver, nil
+	default:
+		return nil, errors.New("not implemented")
+	}
+}

resolver/fast.go

@@ -0,0 +1,74 @@
+package resolver
+
+import (
+	"context"
+	"fmt"
+	"net/netip"
+
+	"github.com/hashicorp/go-multierror"
+)
+
+type LookupNetIPer interface {
+	LookupNetIP(context.Context, string, string) ([]netip.Addr, error)
+}
+
+type FastResolver struct {
+	upstreams []LookupNetIPer
+}
+
+func FastFromURLs(urls ...string) (LookupNetIPer, error) {
+	resolvers := make([]LookupNetIPer, 0, len(urls))
+	for i, u := range urls {
+		res, err := FromURL(u)
+		if err != nil {
+			return nil, fmt.Errorf("unable to construct resolver #%d (%q): %w", i, u, err)
+		}
+		resolvers = append(resolvers, res)
+	}
+	if len(resolvers) == 1 {
+		return resolvers[0], nil
+	}
+	return NewFastResolver(resolvers...), nil
+}
+
+func NewFastResolver(resolvers ...LookupNetIPer) *FastResolver {
+	return &FastResolver{
+		upstreams: resolvers,
+	}
+}
+
+func (r FastResolver) LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) {
+	ctx, cl := context.WithCancel(ctx)
+	defer cl()
+	errors := make(chan error)
+	success := make(chan []netip.Addr)
+	for _, res := range r.upstreams {
+		go func(res LookupNetIPer) {
+			addrs, err := res.LookupNetIP(ctx, network, host)
+			if err == nil {
+				select {
+				case success <- addrs:
+				case <-ctx.Done():
+				}
+			} else {
+				select {
+				case errors <- err:
+				case <-ctx.Done():
+				}
+			}
+		}(res)
+	}
+
+	var resErr error
+	for _ = range r.upstreams {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case resAddrs := <-success:
+			return resAddrs, nil
+		case err := <-errors:
+			resErr = multierror.Append(resErr, err)
+		}
+	}
+	return nil, resErr
+}

resolver/plain.go

@@ -0,0 +1,35 @@
+package resolver
+
+import (
+	"context"
+	"net"
+)
+
+func NewPlainResolver(addr string) *net.Resolver {
+	return &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
+			return (&net.Dialer{
+				Resolver: &net.Resolver{},
+			}).DialContext(ctx, network, addr)
+		},
+	}
+}
+
+func NewTCPResolver(addr string) *net.Resolver {
+	return &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
+			dnet := "tcp"
+			switch network {
+			case "udp4":
+				dnet = "tcp4"
+			case "udp6":
+				dnet = "tcp6"
+			}
+			return (&net.Dialer{
+				Resolver: &net.Resolver{},
+			}).DialContext(ctx, dnet, addr)
+		},
+	}
+}