feat: add DNS tunnel support (#1507)

* feat: add DNS tunnel support

* add dnstt config validation function

* add nil dnstt config test, make dnstt config optional in template

* recompile genconfig with recent changes

Author: garmr-ulfr

common/httpclient.go

@@ -10,40 +10,71 @@ import (
 	"sync"
 	"sync/atomic"
 
-	"github.com/getlantern/flashlight/v7/sentry"
+	"github.com/getlantern/dnstt"
 	"github.com/getlantern/fronted"
 	"github.com/getlantern/kindling"
+
+	"github.com/getlantern/flashlight/v7/sentry"
 )
 
-var httpClient *http.Client
-var mutex = &sync.Mutex{}
-
-// These are the domains we will access via kindling.
-var domains = []string{
-	"api.iantem.io",
-	"api.getiantem.org",    // Still used on iOS
-	"geo.getiantem.org",    // Still used on iOS
-	"config.getiantem.org", // Still used on iOS
-	"df.iantem.io",
-	"raw.githubusercontent.com",
-	"media.githubusercontent.com",
-	"objects.githubusercontent.com",
-	"replica-r2.lantern.io",
-	"replica-search.lantern.io",
-	"update.getlantern.org",
-	"globalconfig.flashlightproxy.com",
-	"dogsdogs.xyz",         // Used in replica
-	"service.dogsdogs.xyz", // Used in replica
+var (
+	httpClient *http.Client
+	mutex      = &sync.Mutex{}
+
+	// These are the domains we will access via kindling.
+	domains = []string{
+		"api.iantem.io",
+		"api.getiantem.org",    // Still used on iOS
+		"geo.getiantem.org",    // Still used on iOS
+		"config.getiantem.org", // Still used on iOS
+		"df.iantem.io",
+		"raw.githubusercontent.com",
+		"media.githubusercontent.com",
+		"objects.githubusercontent.com",
+		"replica-r2.lantern.io",
+		"replica-search.lantern.io",
+		"update.getlantern.org",
+		"globalconfig.flashlightproxy.com",
+		"dogsdogs.xyz",         // Used in replica
+		"service.dogsdogs.xyz", // Used in replica
+	}
+
+	configDir   atomic.Value
+	dnsttConfig atomic.Value // Holds the DNSTTConfig
+
+	defaultDNSTTConfig = &DNSTTConfig{
+		Domain:           "t.iantem.io",
+		PublicKey:        "405eb9e22d806e3a0a8e667c6665a321c8a6a35fa680ed814716a66d7ad84977",
+		DoHResolver:      "https://cloudflare-dns.com/dns-query",
+		DoTResolver:      "",
+		UTLSDistribution: "",
+	}
+)
+
+type DNSTTConfig struct {
+	Domain           string `yaml:"domain"`    // DNS tunnel domain, e.g., "t.iantem.io"
+	PublicKey        string `yaml:"publicKey"` // DNSTT server public key
+	DoHResolver      string `yaml:"dohResolver,omitempty"`
+	DoTResolver      string `yaml:"dotResolver,omitempty"`
+	UTLSDistribution string `yaml:"utlsDistribution,omitempty"`
 }
 
-var configDir atomic.Value
+func init() {
+	dnsttConfig.Store(defaultDNSTTConfig)
+}
 
 // The config directory on some platforms, such as Android, can only be determined in native code, so we
 // need to set it externally.
 func SetConfigDir(dir string) {
 	configDir.Store(dir)
 }
 
+func SetDNSTTConfig(cfg *DNSTTConfig) {
+	if cfg != nil {
+		dnsttConfig.Store(cfg)
+	}
+}
+
 func GetHTTPClient() *http.Client {
 	mutex.Lock()
 	defer mutex.Unlock()
@@ -53,26 +84,25 @@ func GetHTTPClient() *http.Client {
 
 	var k kindling.Kindling
 	ioWriter := log.AsDebugLogger().Writer()
+	kOptions := []kindling.Option{
+		kindling.WithPanicListener(sentry.PanicListener),
+		kindling.WithLogWriter(ioWriter),
+		kindling.WithProxyless(domains...),
+	}
+
 	// Create new fronted instance.
 	f, err := newFronted(ioWriter, sentry.PanicListener)
 	if err != nil {
 		log.Errorf("Failed to create fronted instance: %v", err)
-		k = kindling.NewKindling(
-			"flashlight",
-			kindling.WithPanicListener(sentry.PanicListener),
-			kindling.WithLogWriter(ioWriter),
-			kindling.WithProxyless(domains...),
-		)
 	} else {
-		// Set the client to the kindling client.
-		k = kindling.NewKindling(
-			"flashlight",
-			kindling.WithPanicListener(sentry.PanicListener),
-			kindling.WithLogWriter(ioWriter),
-			kindling.WithDomainFronting(f),
-			kindling.WithProxyless(domains...),
-		)
+		kOptions = append(kOptions, kindling.WithDomainFronting(f))
+	}
+	if d, err := newDNSTT(); err != nil {
+		log.Errorf("Failed to create DNSTT: %v", err)
+	} else {
+		kOptions = append(kOptions, kindling.WithDNSTunnel(d))
 	}
+	k = kindling.NewKindling("flashlight", kOptions...)
 	httpClient = k.NewHTTPClient()
 	return httpClient
 }
@@ -110,3 +140,38 @@ func newFronted(logWriter io.Writer, panicListener func(string)) (fronted.Fronte
 		fronted.WithConfigURL(configURL),
 	), nil
 }
+
+func (c *DNSTTConfig) Validate() error {
+	if c.PublicKey == "" {
+		return fmt.Errorf("publicKey is required")
+	}
+	if c.Domain == "" {
+		return fmt.Errorf("domain is required")
+	}
+	if c.DoHResolver == "" && c.DoTResolver == "" {
+		return fmt.Errorf("at least one of DoHResolver or DoTResolver must be specified")
+	}
+	return nil
+}
+
+func newDNSTT() (dnstt.DNSTT, error) {
+	cfg := dnsttConfig.Load().(*DNSTTConfig)
+	if err := cfg.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid DNSTT configuration: %w", err)
+	}
+
+	options := []dnstt.Option{
+		dnstt.WithPublicKey(cfg.PublicKey),
+		dnstt.WithTunnelDomain(cfg.Domain),
+	}
+	switch {
+	case cfg.DoHResolver != "":
+		options = append(options, dnstt.WithDoH(cfg.DoHResolver))
+	case cfg.DoTResolver != "":
+		options = append(options, dnstt.WithDoT(cfg.DoTResolver))
+	}
+	if cfg.UTLSDistribution != "" {
+		options = append(options, dnstt.WithUTLSDistribution(cfg.UTLSDistribution))
+	}
+	return dnstt.NewDNSTT(options...)
+}

config/global.go

@@ -1,10 +1,12 @@
 package config
 
 import (
-	"github.com/getlantern/fronted"
 	"time"
 
+	"github.com/getlantern/fronted"
+
 	"github.com/getlantern/flashlight/v7/browsers/simbrowser"
+	"github.com/getlantern/flashlight/v7/common"
 	"github.com/getlantern/flashlight/v7/domainrouting"
 	"github.com/getlantern/flashlight/v7/embeddedconfig"
 	"github.com/getlantern/flashlight/v7/otel"
@@ -44,6 +46,9 @@ type Global struct {
 	// TrustedCAs are trusted CAs for domain fronting domains only.
 	TrustedCAs []*fronted.CA
 
+	// DNSTTConfig is the configuration for the DNS tunnel.
+	DNSTTConfig *common.DNSTTConfig
+
 	// GlobalConfigPollInterval sets interval at which to poll for global config
 	GlobalConfigPollInterval time.Duration
 

embeddedconfig/global.yaml.tmpl

@@ -428,3 +428,12 @@ otel:
     check_update: 1
     broflake_fronted_roundtrip: 800000
     new_broflake: 1000
+
+{{with .dnstt}}
+dnsttconfig:
+  domain: "{{.Domain}}"
+  publicKey: "{{.PublicKey}}"
+  dohResolver: "{{.DoHResolver}}"
+  dotResolver: "{{.DoTResolver}}"
+  utlsDistribution: "{{.UTLSDistribution}}"
+{{end}}

flashlight.go

@@ -396,6 +396,8 @@ func (f *Flashlight) onGlobalConfig(cfg *config.Global, src config.Source) {
 	f.applyOtel(cfg)
 	f.callbacks.onConfigUpdate(cfg, src)
 	f.callbacks.onInit()
+
+	common.SetDNSTTConfig(cfg.DNSTTConfig)
 }
 
 // EnabledFeatures gets all features enabled based on current conditions

genconfig/genconfig

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:33bad90db6008dc8deaa61998b380c830bdb88b5f46bd59b88f2441da4a4336b
-size 34832016
+oid sha256:de1d3ec9511278c13bcdeda8ab1d57b74a20d64ac92e803c6282b1029e554638
+size 40599248

genconfig/genconfig.go

@@ -29,6 +29,7 @@ import (
 	"github.com/getlantern/tlsdialer/v3"
 	"github.com/getlantern/yaml"
 
+	"github.com/getlantern/flashlight/v7/common"
 	"github.com/getlantern/flashlight/v7/config"
 	"github.com/getlantern/flashlight/v7/embeddedconfig"
 
@@ -49,6 +50,7 @@ var (
 	proxiedSitesDir = flag.String("proxiedsites", "proxiedsites", "Path to directory containing proxied site lists, which will be combined and proxied by Lantern")
 	minFreq         = flag.Float64("minfreq", 3.0, "Minimum frequency (percentage) for including CA cert in list of trusted certs, defaults to 3.0%")
 	numberOfWorkers = flag.Int("numworkers", 50, "Number of worker threads")
+	dnsttFile       = flag.String("dnstt-file", "", "Path to yaml file containing DNSTT config")
 
 	enabledProviders   stringsFlag // --enable-provider in init()
 	masqueradesInFiles stringsFlag // --masquerades in init()
@@ -198,7 +200,16 @@ func (ss *stringsFlag) Set(value string) error {
 	return nil
 }
 
-func (c *ConfigGenerator) GenerateConfig(ctx context.Context, yamlTmpl string, masquerades []string, proxiedSites, blacklist filter, numberOfWorkers int, minFreq float64, minMasquerades, maxMasquerades int) ([]byte, error) {
+func (c *ConfigGenerator) GenerateConfig(
+	ctx context.Context,
+	yamlTmpl string,
+	masquerades []string,
+	proxiedSites, blacklist filter,
+	numberOfWorkers int,
+	minFreq float64,
+	minMasquerades, maxMasquerades int,
+	dnsttConfig *common.DNSTTConfig,
+) ([]byte, error) {
 	if err := c.loadFtVersion(); err != nil {
 		return nil, err
 	}
@@ -209,7 +220,7 @@ func (c *ConfigGenerator) GenerateConfig(ctx context.Context, yamlTmpl string, m
 		return nil, err
 	}
 
-	model, err := c.buildModel("cloud.yaml", cas)
+	model, err := c.buildModel("cloud.yaml", cas, dnsttConfig)
 	if err != nil {
 		return nil, fmt.Errorf("invalid configuration: %w", err)
 	}
@@ -243,9 +254,24 @@ func main() {
 	loadMasquerades()
 	loadProxiedSitesList()
 	loadBlacklist()
+	dnsttCfg, err := loadDNSTTConfig()
+	if err != nil {
+		log.Errorf("Error loading DNSTT config: %s", err)
+	}
 
 	yamlTmpl := string(embeddedconfig.GlobalTemplate)
-	template, err := generator.GenerateConfig(context.Background(), yamlTmpl, masquerades, proxiedSites, blacklist, *numberOfWorkers, *minFreq, *minMasquerades, *maxMasquerades)
+	template, err := generator.GenerateConfig(
+		context.Background(),
+		yamlTmpl,
+		masquerades,
+		proxiedSites,
+		blacklist,
+		*numberOfWorkers,
+		*minFreq,
+		*minMasquerades,
+		*maxMasquerades,
+		dnsttCfg,
+	)
 	if err != nil {
 		log.Fatalf("Error generating configuration: %s", err)
 	}
@@ -343,6 +369,24 @@ func loadBlacklist() {
 	}
 }
 
+func loadDNSTTConfig() (*common.DNSTTConfig, error) {
+	if *dnsttFile == "" {
+		return nil, nil
+	}
+	bytes, err := os.ReadFile(*dnsttFile)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to read dnstt file at %s: %s", *dnsttFile, err)
+	}
+	var cfg common.DNSTTConfig
+	if err := yaml.Unmarshal(bytes, &cfg); err != nil {
+		return nil, fmt.Errorf("Unable to parse dnstt file at %s: %s", *dnsttFile, err)
+	}
+	if err := cfg.Validate(); err != nil {
+		return nil, fmt.Errorf("Invalid DNSTT config: %s", err)
+	}
+	return &cfg, nil
+}
+
 func loadTemplate(name string) string {
 	bytes, err := os.ReadFile(name)
 	if err != nil {
@@ -558,7 +602,7 @@ func (c *ConfigGenerator) doVetMasquerades(certPool *x509.CertPool, inCh chan *m
 	c.wg.Done()
 }
 
-func (c *ConfigGenerator) buildModel(configName string, cas map[string]*castat) (map[string]interface{}, error) {
+func (c *ConfigGenerator) buildModel(configName string, cas map[string]*castat, dnsttCfg *common.DNSTTConfig) (map[string]interface{}, error) {
 	casList := make([]*castat, 0, len(cas))
 	for _, ca := range cas {
 		casList = append(casList, ca)
@@ -607,6 +651,7 @@ func (c *ConfigGenerator) buildModel(configName string, cas map[string]*castat)
 		"providers":             enabledProviders,
 		"proxiedsites":          ps,
 		"ftVersion":             c.ftVersion,
+		"dnstt":                 dnsttCfg,
 	}, nil
 }