apple
diff --git a/‎Package.resolved‎
Lines changed: 1 addition & 19 deletions b/‎Package.resolved‎
Lines changed: 1 addition & 19 deletions
diff --git a/‎Package.swift‎
Lines changed: 2 additions & 6 deletions b/‎Package.swift‎
Lines changed: 2 additions & 6 deletions
diff --git a/‎Sources/DNSServer/DNSServer+Handle.swift‎
Lines changed: 47 additions & 11 deletions b/‎Sources/DNSServer/DNSServer+Handle.swift‎
Lines changed: 47 additions & 11 deletions
diff --git a/‎Sources/DNSServer/Handlers/HostTableResolver.swift‎
Lines changed: 25 additions & 28 deletions b/‎Sources/DNSServer/Handlers/HostTableResolver.swift‎
Lines changed: 25 additions & 28 deletions
diff --git a/‎Sources/DNSServer/Handlers/NxDomainResolver.swift‎
Lines changed: 1 addition & 21 deletions b/‎Sources/DNSServer/Handlers/NxDomainResolver.swift‎
Lines changed: 1 addition & 21 deletions
diff --git a/‎Sources/DNSServer/Records/DNSBindError.swift‎
Lines changed: 39 additions & 0 deletions b/‎Sources/DNSServer/Records/DNSBindError.swift‎
Lines changed: 39 additions & 0 deletions
@@ -47,7 +47,6 @@ let package = Package(
         .library(name: "TerminalProgress", targets: ["TerminalProgress"]),
     ],
     dependencies: [
-        .package(url: "https://github.com/Bouke/DNS.git", from: "1.2.0"),
         .package(url: "https://github.com/apple/containerization.git", exact: Version(stringLiteral: scVersion)),
         .package(url: "https://github.com/apple/swift-argument-parser.git", from: "1.3.0"),
         .package(url: "https://github.com/apple/swift-collections.git", from: "1.2.0"),
@@ -56,7 +55,6 @@ let package = Package(
         .package(url: "https://github.com/apple/swift-protobuf.git", from: "1.29.0"),
         .package(url: "https://github.com/apple/swift-system.git", from: "1.4.0"),
         .package(url: "https://github.com/grpc/grpc-swift.git", from: "1.26.0"),
-        .package(url: "https://github.com/orlandos-nl/DNSClient.git", from: "2.4.1"),
         .package(url: "https://github.com/swift-server/async-http-client.git", from: "1.20.1"),
         .package(url: "https://github.com/swiftlang/swift-docc-plugin.git", from: "1.1.0"),
     ],
@@ -427,17 +425,15 @@ let package = Package(
             dependencies: [
                 .product(name: "NIOCore", package: "swift-nio"),
                 .product(name: "NIOPosix", package: "swift-nio"),
-                .product(name: "DNSClient", package: "DNSClient"),
-                .product(name: "DNS", package: "DNS"),
                 .product(name: "Logging", package: "swift-log"),
+                .product(name: "ContainerizationExtras", package: "containerization"),
                 .product(name: "ContainerizationOS", package: "containerization"),
             ]
         ),
         .testTarget(
             name: "DNSServerTests",
             dependencies: [
-                .product(name: "DNS", package: "DNS"),
-                "DNSServer",
+                "DNSServer"
             ]
         ),
         .testTarget(
 
@@ -27,23 +27,32 @@ extension DNSServer {
         outbound: NIOAsyncChannelOutboundWriter<AddressedEnvelope<ByteBuffer>>,
         packet: inout AddressedEnvelope<ByteBuffer>
     ) async throws {
-        let chunkSize = 512
-        var data = Data()
+        // RFC 1035 §2.3.4 limits UDP DNS messages to 512 bytes. We don't implement
+        // EDNS0 (RFC 6891), and this server only resolves host A/AAAA queries, so a
+        // legitimate query will never approach this limit. Reject oversized packets
+        // before reading to avoid allocating memory for malformed or malicious datagrams.
+        let maxPacketSize = 512
+        guard packet.data.readableBytes <= maxPacketSize else {
+            self.log?.error("dropping oversized DNS packet: \(packet.data.readableBytes) bytes")
+            return
+        }
 
+        var data = Data()
         self.log?.debug("reading data")
         while packet.data.readableBytes > 0 {
-            if let chunk = packet.data.readBytes(length: min(chunkSize, packet.data.readableBytes)) {
+            if let chunk = packet.data.readBytes(length: packet.data.readableBytes) {
                 data.append(contentsOf: chunk)
             }
         }
 
         self.log?.debug("deserializing message")
-        let query = try Message(deserialize: data)
-        self.log?.debug("processing query: \(query.questions)")
 
         // always send response
         let responseData: Data
         do {
+            let query = try Message(deserialize: data)
+            self.log?.debug("processing query: \(query.questions)")
+
             self.log?.debug("awaiting processing")
             var response =
                 try await handler.answer(query: query)
@@ -64,21 +73,48 @@ extension DNSServer {
 
             self.log?.debug("serializing response")
             responseData = try response.serialize()
+        } catch let error as DNSBindError {
+            // Best-effort: echo the transaction ID from the first two bytes of the raw packet.
+            let rawId = data.count >= 2 ? data[0..<2].withUnsafeBytes { $0.load(as: UInt16.self) } : 0
+            let id = UInt16(bigEndian: rawId)
+            let returnCode: ReturnCode
+            switch error {
+            case .unsupportedValue:
+                self.log?.error("not implemented processing DNS message: \(error)")
+                returnCode = .notImplemented
+            default:
+                self.log?.error("format error processing DNS message: \(error)")
+                returnCode = .formatError
+            }
+            let response = Message(
+                id: id,
+                type: .response,
+                returnCode: returnCode,
+                questions: [],
+                answers: []
+            )
+            responseData = try response.serialize()
         } catch {
-            self.log?.error("error processing message from \(query): \(error)")
+            let rawId = data.count >= 2 ? data[0..<2].withUnsafeBytes { $0.load(as: UInt16.self) } : 0
+            let id = UInt16(bigEndian: rawId)
+            self.log?.error("error processing DNS message: \(error)")
             let response = Message(
-                id: query.id,
+                id: id,
                 type: .response,
-                returnCode: .notImplemented,
-                questions: query.questions,
+                returnCode: .serverFailure,
+                questions: [],
                 answers: []
             )
             responseData = try response.serialize()
         }
 
-        self.log?.debug("sending response for \(query.id)")
+        self.log?.debug("sending response")
         let rData = ByteBuffer(bytes: responseData)
-        try? await outbound.write(AddressedEnvelope(remoteAddress: packet.remoteAddress, data: rData))
+        do {
+            try await outbound.write(AddressedEnvelope(remoteAddress: packet.remoteAddress, data: rData))
+        } catch {
+            self.log?.error("failed to send DNS response: \(error)")
+        }
 
         self.log?.debug("processing done")
 
 
@@ -14,30 +14,44 @@
 // limitations under the License.
 //===----------------------------------------------------------------------===//
 
-import DNS
+import ContainerizationExtras
 
 /// Handler that uses table lookup to resolve hostnames.
+///
+/// Keys in `hosts4` are normalized to `DNSName` on construction, so lookups
+/// are case-insensitive and trailing dots are optional.
 public struct HostTableResolver: DNSHandler {
-    public let hosts4: [String: IPv4]
+    public let hosts4: [DNSName: IPv4Address]
     private let ttl: UInt32
 
-    public init(hosts4: [String: IPv4], ttl: UInt32 = 300) {
-        self.hosts4 = hosts4
+    /// Creates a resolver backed by a static IPv4 host table.
+    ///
+    /// - Parameter hosts4: A dictionary mapping domain names to IPv4 addresses.
+    ///   Keys are normalized to `DNSName` (lowercased, trailing dot stripped), so
+    ///   `"FOO."`, `"foo."`, and `"foo"` all refer to the same entry.
+    /// - Parameter ttl: The TTL in seconds to set on answer records (default is 300).
+    /// - Throws: `DNSBindError.invalidName` if any key is not a valid DNS name.
+    public init(hosts4: [String: IPv4Address], ttl: UInt32 = 300) throws {
+        self.hosts4 = try Dictionary(uniqueKeysWithValues: hosts4.map { (try DNSName($0.key), $0.value) })
         self.ttl = ttl
     }
 
     public func answer(query: Message) async throws -> Message? {
-        let question = query.questions[0]
+        guard let question = query.questions.first else {
+            return nil
+        }
+        let n = question.name.hasSuffix(".") ? String(question.name.dropLast()) : question.name
+        let key = try DNSName(labels: n.isEmpty ? [] : n.split(separator: ".", omittingEmptySubsequences: false).map(String.init))
         let record: ResourceRecord?
         switch question.type {
         case ResourceRecordType.host:
-            record = answerHost(question: question)
+            record = answerHost(question: question, key: key)
         case ResourceRecordType.host6:
             // Return NODATA (noError with empty answers) for AAAA queries ONLY if A record exists.
             // This is required because musl libc has issues when A record exists but AAAA returns NXDOMAIN.
             // musl treats NXDOMAIN on AAAA as "domain doesn't exist" and fails DNS resolution entirely.
             // NODATA correctly indicates "no IPv6 address available, but domain exists".
-            if hosts4[question.name] != nil {
+            if hosts4[key] != nil {
                 return Message(
                     id: query.id,
                     type: .response,
@@ -48,28 +62,11 @@ public struct HostTableResolver: DNSHandler {
             }
             // If hostname doesn't exist, return nil which will become NXDOMAIN
             return nil
-        case ResourceRecordType.nameServer,
-            ResourceRecordType.alias,
-            ResourceRecordType.startOfAuthority,
-            ResourceRecordType.pointer,
-            ResourceRecordType.mailExchange,
-            ResourceRecordType.text,
-            ResourceRecordType.service,
-            ResourceRecordType.incrementalZoneTransfer,
-            ResourceRecordType.standardZoneTransfer,
-            ResourceRecordType.all:
-            return Message(
-                id: query.id,
-                type: .response,
-                returnCode: .notImplemented,
-                questions: query.questions,
-                answers: []
-            )
         default:
             return Message(
                 id: query.id,
                 type: .response,
-                returnCode: .formatError,
+                returnCode: .notImplemented,
                 questions: query.questions,
                 answers: []
             )
@@ -88,11 +85,11 @@ public struct HostTableResolver: DNSHandler {
         )
     }
 
-    private func answerHost(question: Question) -> ResourceRecord? {
-        guard let ip = hosts4[question.name] else {
+    private func answerHost(question: Question, key: DNSName) -> ResourceRecord? {
+        guard let ip = hosts4[key] else {
             return nil
         }
 
-        return HostRecord<IPv4>(name: question.name, ttl: ttl, ip: ip)
+        return HostRecord<IPv4Address>(name: question.name, ttl: ttl, ip: ip)
     }
 }
@@ -14,8 +14,6 @@
 // limitations under the License.
 //===----------------------------------------------------------------------===//
 
-import DNS
-
 /// Handler that returns NXDOMAIN for all hostnames.
 public struct NxDomainResolver: DNSHandler {
     private let ttl: UInt32
@@ -35,29 +33,11 @@ public struct NxDomainResolver: DNSHandler {
                 questions: query.questions,
                 answers: []
             )
-        case ResourceRecordType.nameServer,
-            ResourceRecordType.alias,
-            ResourceRecordType.startOfAuthority,
-            ResourceRecordType.pointer,
-            ResourceRecordType.mailExchange,
-            ResourceRecordType.text,
-            ResourceRecordType.host6,
-            ResourceRecordType.service,
-            ResourceRecordType.incrementalZoneTransfer,
-            ResourceRecordType.standardZoneTransfer,
-            ResourceRecordType.all:
-            return Message(
-                id: query.id,
-                type: .response,
-                returnCode: .notImplemented,
-                questions: query.questions,
-                answers: []
-            )
         default:
             return Message(
                 id: query.id,
                 type: .response,
-                returnCode: .formatError,
+                returnCode: .notImplemented,
                 questions: query.questions,
                 answers: []
             )
 
@@ -0,0 +1,39 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2026 Apple Inc. and the container project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+/// Errors that can occur during DNS message serialization/deserialization.
+public enum DNSBindError: Error, CustomStringConvertible {
+    case marshalFailure(type: String, field: String)
+    case unmarshalFailure(type: String, field: String)
+    case unsupportedValue(type: String, field: String)
+    case invalidName(String)
+    case unexpectedOffset(type: String, expected: Int, actual: Int)
+
+    public var description: String {
+        switch self {
+        case .marshalFailure(let type, let field):
+            return "failed to marshal \(type).\(field)"
+        case .unmarshalFailure(let type, let field):
+            return "failed to unmarshal \(type).\(field)"
+        case .unsupportedValue(let type, let field):
+            return "unsupported value for \(type).\(field)"
+        case .invalidName(let reason):
+            return "invalid DNS name: \(reason)"
+        case .unexpectedOffset(let type, let expected, let actual):
+            return "unexpected offset serializing \(type): expected \(expected), got \(actual)"
+        }
+    }
+}