simulator: rework interface binding for DNS sims; introduce BindAddr

Extend how flightsim finds a usable (up until now, only external) IP.
An external IP is favoured, however, allow flightsim to fallback to a
local/internal IP if necessary.  This will correctly show failures in
IP simulations if a user specifies '-iface lo'.  For DNS simulations
using systemd's stub resolver, this will allow the simulation to
succeed.

Further, DNS simulations should use the interface obtained via a DNS
probe, unless overridden via the -iface flag.

Author: kmroz

cmd/run/print.go

@@ -21,12 +21,13 @@ func printMsg(s *Simulation, msg string) {
 	fmt.Printf("%s [%s] %s\n", time.Now().Format("15:04:05"), s.Name(), msg)
 }
 
-func printWelcome(ip string) {
+func printWelcome(ip, dnsIntfIP string) {
 	fmt.Printf(`
 AlphaSOC Network Flight Simulator™ %s (https://github.com/alphasoc/flightsim)
-The IP address of the network interface is %s
+The address of the network interface for IP traffic is %s
+The address of the network interface for DNS queries is %s
 The current time is %s
-`, Version, ip, time.Now().Format("02-Jan-06 15:04:05"))
+`, Version, ip, dnsIntfIP, time.Now().Format("02-Jan-06 15:04:05"))
 }
 
 func printGoodbye() {

cmd/run/run.go

@@ -74,10 +74,14 @@ func RunCmd(args []string) error {
 	if *size < 0 {
 		*size = 0
 	}
-
-	extIP, err := utils.ExternalIP(*ifaceName)
+	// Grab a "usable" IP address for ifaceName.
+	bindIP, err := utils.UsableIP(*ifaceName)
 	if err != nil {
-		return err
+		return fmt.Errorf("Unable to determine usable IP address for '%v': %v", *ifaceName, err)
+	}
+	bind := simulator.BindAddr{Addr: bindIP}
+	if *ifaceName != "" {
+		bind.UserSet = true
 	}
 
 	sims, err := selectSimulations(modules)
@@ -90,7 +94,7 @@ func RunCmd(args []string) error {
 	// 		sims[i].Timeout = 100 * time.Millisecond
 	// 	}
 	// }
-	return run(sims, extIP, *size)
+	return run(sims, bind, *size)
 }
 
 func selectSimulations(names []string) ([]*Simulation, error) {
@@ -322,15 +326,59 @@ const (
 	msgPrefixErrorRecover = "FATAL: Module terminated: "
 )
 
-func run(sims []*Simulation, extIP net.IP, size int) error {
-	printWelcome(extIP.String())
+// getDefaultDNSIntf runs a DNS probe using default system resolver and returns the IP of
+// the interface used and an error.  Thanks @tg.
+func getDefaultDNSIntf() (string, error) {
+	timeout := 10 * time.Second
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	var defaultDNSServer string
+	r := &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
+			// we can capture the address here
+			defaultDNSServer = address
+			// still use the default dialer
+			var d net.Dialer
+			return d.DialContext(ctx, network, address)
+		},
+	}
+	_, err := r.LookupHost(ctx, "alphasoc.com")
+	if err != nil {
+		return "", err
+	}
+	conn, err := net.DialTimeout("udp", defaultDNSServer, timeout)
+	if err != nil {
+		return "", err
+	}
+	dnsIntfIP, _, err := net.SplitHostPort(conn.LocalAddr().String())
+	if err != nil {
+		return "", err
+	}
+	return dnsIntfIP, nil
+}
+
+func run(sims []*Simulation, bind simulator.BindAddr, size int) error {
+	// If user override on iface, both IP and DNS traffic will flow through bind.Addr.
+	// NOTE: not passing the DNS server to printWelcome(), as it may be confusing in cases
+	// where there are multiple nameservers configured (ie. resolver errors will carry
+	// the address of the last queried nameserver).
+	defaultDNSIntfIP, err := getDefaultDNSIntf()
+	if err != nil {
+		return fmt.Errorf("Failed DNS probe: %v", err)
+	}
+	if bind.UserSet {
+		printWelcome(bind.String(), bind.String())
+	} else {
+		printWelcome(bind.String(), defaultDNSIntfIP)
+	}
 	printHeader()
 
 	for simN, sim := range sims {
 		fmt.Print("\n")
 
 		okHosts := 0
-		err := sim.Init(extIP)
+		err := sim.Init(bind)
 		if err != nil {
 			printMsg(sim, msgPrefixErrorInit+fmt.Sprint(err))
 		} else {

simulator/dga.go

@@ -2,7 +2,6 @@ package simulator
 
 import (
 	"math/rand"
-	"net"
 	"strconv"
 	"strings"
 
@@ -21,7 +20,7 @@ func NewDGA() *DGA {
 	return &DGA{}
 }
 
-func (s *DGA) Init(bind net.IP) error {
+func (s *DGA) Init(bind BindAddr) error {
 	return s.DNSResolveSimulator.Init(bind)
 }
 

simulator/hijack.go

@@ -16,9 +16,11 @@ func NewHijack() *Hijack {
 }
 
 // Simulate port scanning for given host.
-func (*Hijack) Simulate(ctx context.Context, extIP net.IP, host string) error {
-	d := &net.Dialer{
-		LocalAddr: &net.UDPAddr{IP: extIP},
+func (*Hijack) Simulate(ctx context.Context, bind BindAddr, host string) error {
+	d := &net.Dialer{}
+	// Set the user overridden bind iface.
+	if bind.UserSet {
+		d.LocalAddr = &net.UDPAddr{IP: bind.Addr}
 	}
 	r := &net.Resolver{
 		PreferGo: true,

simulator/miner.go

@@ -10,15 +10,15 @@ const miningSubscribeBody string = `{"jsonrpc": "2.0", "id": 1, "method": "minin
 
 //StratumMiner simulator
 type StratumMiner struct {
-	bind net.IP
+	bind BindAddr
 }
 
 //NewStratumMiner creates new StratumMiner simulator
 func NewStratumMiner() *StratumMiner {
 	return &StratumMiner{}
 }
 
-func (s *StratumMiner) Init(bind net.IP) error {
+func (s *StratumMiner) Init(bind BindAddr) error {
 	s.bind = bind
 	return nil
 }
@@ -28,10 +28,7 @@ func (StratumMiner) Cleanup() {
 
 //Simulate connection to mining pool using Stratum protocol
 func (s *StratumMiner) Simulate(ctx context.Context, dst string) error {
-	d := &net.Dialer{}
-	if s.bind != nil {
-		d.LocalAddr = &net.TCPAddr{IP: s.bind}
-	}
+	d := &net.Dialer{LocalAddr: &net.TCPAddr{IP: s.bind.Addr}}
 	conn, err := d.DialContext(ctx, "tcp", dst)
 	if conn != nil {
 		deadline, _ := ctx.Deadline()

simulator/scan.go

@@ -61,7 +61,7 @@ func NewPortScan() *PortScan {
 	return &PortScan{}
 }
 
-func (s *PortScan) Init(bind net.IP) error {
+func (s *PortScan) Init(bind BindAddr) error {
 	return s.tcp.Init(bind)
 }
 

simulator/simulator.go

@@ -15,8 +15,23 @@ type HostMsgFormatter interface {
 	HostMsg(host string) string
 }
 
+// BindAddr wraps addr along with whether it was set by the user.  The UserSet flag is
+// solely used by PipelineDNS simulators that specify their own dialer+LocalAddr.  In such
+// cases, the usable/external IP is not always the correct choice (ie. on systems using
+// systemd's stub resolver running on 127.0.0.53:53), so explicitly setting the LocalAddr
+// is done only if the user has supplied an interface/address via flightsim's `-iface` flag.
+type BindAddr struct {
+	Addr    net.IP
+	UserSet bool
+}
+
+// String returns the string representation of the underlying address.
+func (b *BindAddr) String() string {
+	return b.Addr.String()
+}
+
 type Simulator interface {
-	Init(bind net.IP) error
+	Init(bind BindAddr) error
 	Simulate(ctx context.Context, host string) error
 	Cleanup()
 }
@@ -39,10 +54,10 @@ func CreateModule(src HostSource, sim Simulator) Module {
 }
 
 type TCPConnectSimulator struct {
-	bind net.IP
+	bind BindAddr
 }
 
-func (s *TCPConnectSimulator) Init(bind net.IP) error {
+func (s *TCPConnectSimulator) Init(bind BindAddr) error {
 	s.bind = bind
 	return nil
 }
@@ -51,27 +66,25 @@ func (TCPConnectSimulator) Cleanup() {
 }
 
 func (s *TCPConnectSimulator) Simulate(ctx context.Context, dst string) error {
-	d := &net.Dialer{}
-	if s.bind != nil {
-		d.LocalAddr = &net.TCPAddr{IP: s.bind}
-	}
+	d := &net.Dialer{LocalAddr: &net.TCPAddr{IP: s.bind.Addr}}
 
 	conn, err := d.DialContext(ctx, "tcp", dst)
 	if conn != nil {
 		conn.Close()
 	}
-
-	if isSoftError(err, "connect: connection refused") {
-		return nil
+	// This will likely generate some superfluous io-timeout error messages, but if the
+	// user specifies a misconfigured interface, they'll see the simulation failing.
+	if err != nil && (!isSoftError(err, "connect: connection refused") || isDialError(err)) {
+		return err
 	}
-	return err
+	return nil
 }
 
 type DNSResolveSimulator struct {
-	bind net.IP
+	bind BindAddr
 }
 
-func (s *DNSResolveSimulator) Init(bind net.IP) error {
+func (s *DNSResolveSimulator) Init(bind BindAddr) error {
 	s.bind = bind
 	return nil
 }
@@ -86,19 +99,42 @@ func (s *DNSResolveSimulator) Simulate(ctx context.Context, dst string) error {
 	}
 
 	d := &net.Dialer{}
-	if s.bind != nil {
-		d.LocalAddr = &net.UDPAddr{IP: s.bind}
+	// Set the user overridden bind iface.
+	if s.bind.UserSet {
+		d.LocalAddr = &net.UDPAddr{IP: s.bind.Addr}
 	}
 	r := &net.Resolver{
 		PreferGo: true,
 		Dial:     d.DialContext,
 	}
-	_, err := r.LookupHost(ctx, utils.FQDN(host))
 
-	if isSoftError(err, "no such host") {
-		return nil
+	host = utils.FQDN(host)
+
+	_, err := r.LookupHost(ctx, host)
+	// Ignore "no such host".  Will ignore timeouts as well, so check for dial errors.
+	if err != nil && (!isSoftError(err, "no such host") || isDialError(err)) {
+		return err
+	}
+
+	return nil
+}
+
+// isDialError scans an error message for signs of a dial error, returning a boolean.
+func isDialError(err error) bool {
+	// Errors we're after are of the form:
+	// lookup abc.sandbox.alphasoc.xyz. on A.B.C.D:53: dial udp E.F.G.H:0->A.B.C.D:53: i/o timeout
+	// TODO: something more robust?  I don't want to double-dial though.
+	return isTimeout(err) &&
+		strings.Contains(err.Error(), "dial") &&
+		strings.Count(err.Error(), "->") == 1
+}
+
+func isTimeout(err error) bool {
+	netErr, ok := err.(net.Error)
+	if !ok {
+		return false
 	}
-	return err
+	return netErr.Timeout()
 }
 
 func isSoftError(err error, ss ...string) bool {

simulator/spambot.go

@@ -69,7 +69,7 @@ func NewSpambot() *Spambot {
 	return &Spambot{}
 }
 
-func (s *Spambot) Init(bind net.IP) error {
+func (s *Spambot) Init(bind BindAddr) error {
 	return s.TCPConnectSimulator.Init(bind)
 }
 
@@ -88,8 +88,13 @@ func (s *Spambot) Hosts(scope string, size int) ([]string, error) {
 
 	for n := 0; len(hosts) < size && n < len(idx); n++ {
 		ctx, cancel := context.WithTimeout(context.Background(), 300*time.Millisecond)
-		mx, _ := rv.LookupMX(ctx, utils.FQDN(domains[idx[n]]))
+		host := utils.FQDN(domains[idx[n]])
+		mx, err := rv.LookupMX(ctx, host)
 		cancel()
+		// Check error message for sign of resolver/routing issue.
+		if err != nil && isDialError(err) {
+			return hosts, err
+		}
 		if len(mx) > 0 {
 			host := strings.TrimSuffix(mx[0].Host, ".")
 			if !seen[host] {

simulator/ssh-transfer.go

@@ -51,8 +51,8 @@ func (s *SSHTransfer) HostMsg(host string) string {
 }
 
 // Init sets the source IP for this simulation.
-func (s *SSHTransfer) Init(src net.IP) error {
-	s.src = src
+func (s *SSHTransfer) Init(src BindAddr) error {
+	s.src = src.Addr
 	return nil
 }
 

simulator/tor.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"math/rand"
-	"net"
 	"net/http"
 	"os"
 	"os/exec"
@@ -37,7 +36,7 @@ func NewTorSimulator() *TorSimulator {
 
 // Tor creates tor connector;
 // There is no way to pass the bind IP to tor, so we ignore it.
-func (t *TorSimulator) Init(_ net.IP) error {
+func (t *TorSimulator) Init(_ BindAddr) error {
 	tor, err := tor.Start(nil, &tor.StartConf{
 		TempDataDirBase:   os.TempDir(),
 		RetainTempDataDir: false,