search domain discovery: add reverse DNS lookup fallback

FR4NK-W · FR4NK-W · commit 8ae3fd0e463f · 2024-10-11T16:07:19.000+02:00
Add fallback feature for discovering a valid search domain for the current host using DNS, by performing a reverse DNS lookup and deriving candidate search domains from the returned hostname. Add a fallback for the fallback: In case the current host does not have a public IP configured, obtain the externally visible (NAT, proxy) IP used for DNS by leveraging the Akamai whoami DNS service. https://www.akamai.com/blog/developers/introducing-new-whoami-tool-dns-resolver-information Add additional layers of fallbacks: In case there is no working DNS resolver configured, use the Quad9 public DNS resolver to obtain the IP of a default Akamai authoritative NS, or query for additional fallback authoritative NS. The number of external requests is minimized and the fallback paths involving additional 3rd parties are only taken if local DNS resolution is not working.
diff --git a/go.mod b/go.mod
@@ -7,19 +7,22 @@ require (
 	github.com/mdlayher/ndp v0.10.0
 	github.com/miekg/dns v1.1.27
 	github.com/pelletier/go-toml v1.8.1-0.20200708110244-34de94e6a887
+	github.com/stretchr/testify v1.6.1
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
 	golang.org/x/sys v0.0.0-20220317061510-51cd9980dadf
 )
 
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/stretchr/testify v1.6.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/u-root/u-root v7.0.0+incompatible // indirect
 	gitlab.com/golang-commonmark/puny v0.0.0-20191124015043-9f83538fa04f // indirect
 	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
 )
 
 replace github.com/insomniacslk/dhcp => github.com/stapelberg/dhcp v0.0.0-20190429172946-5244c0daddf0
diff --git a/go.sum b/go.sum
@@ -59,6 +59,7 @@ golang.org/x/sys v0.0.0-20220317061510-51cd9980dadf/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/hinting/dns_search_domain_fallbacks.go b/hinting/dns_search_domain_fallbacks.go
@@ -0,0 +1,35 @@
+package hinting
+
+import (
+	"slices"
+	"strings"
+)
+
+func domainsFromHostnames(hostnames []string) (domains []string) {
+	for _, hostname := range hostnames {
+		labels := strings.Split(strings.TrimRight(hostname, "."), ".")
+		// skip hostname label, not part of the search domain
+		if len(labels) == 1 {
+			domains = append(domains, "local")
+			continue
+		}
+		domainString := ""
+		slices.Reverse(labels)
+		for _, label := range labels[:len(labels)-1] {
+			if domainString == "" {
+				domainString = label
+				// do not add TLD to domains candidate list
+				continue
+			}
+			domainString = strings.Join([]string{label, domainString}, ".")
+			if !slices.Contains(domains, domainString) {
+				domains = append(domains, domainString)
+			}
+		}
+	}
+	// order search domains by hostname from most specific to least specific,
+	// a more specific search domains of an earlier hostname might sort after
+	// a search domain derived from a later hostname.
+	slices.Reverse(domains)
+	return
+}
diff --git a/hinting/dns_search_domain_fallbacks_reverse.go b/hinting/dns_search_domain_fallbacks_reverse.go
@@ -0,0 +1,96 @@
+package hinting
+
+import (
+	"context"
+	"errors"
+	"github.com/miekg/dns"
+	"math/rand"
+	"net"
+	"net/netip"
+)
+
+var (
+	akamaiDomain     = "akamai.net."
+	akamaiNameserver = "zh.akamaitech.net"
+	quad9DNSResolver = "9.9.9.9:53"
+)
+
+// reverseLookupDomains obtains the reverse DNS entries for IP addr to derive DNS search domain candidates.
+// Uses in-addr.arpa and ip6.arpa domains to lookup reverse pointer records.
+func reverseLookupDomains(addr netip.Addr) (domains []string) {
+	hostnames, err := net.LookupAddr(addr.String())
+	if err != nil {
+		return
+	}
+	return domainsFromHostnames(hostnames)
+}
+
+// Fallbacks to obtain an external public IP address using DNS.
+
+// getAkaNS returns one random authoritative nameserver for akamai.net.
+func getAkaNS() (nameserver *string, err error) {
+	// try default resolver
+	resolver := net.Resolver{}
+	ctx := context.TODO()
+	nameservers, err := resolver.LookupNS(ctx, akamaiDomain)
+	if err == nil {
+		return &nameservers[rand.Intn(len(nameservers))].Host, err
+	}
+
+	m := new(dns.Msg)
+	m.SetQuestion(akamaiDomain, dns.TypeNS)
+	// try Quad9
+	in, err := dns.Exchange(m, quad9DNSResolver)
+	if err != nil {
+		return nil, err
+	}
+	if len(in.Answer) < 1 {
+		err = errors.New("getAkaNS: No DNS RR answer")
+		return nil, err
+	}
+	if ns, ok := in.Answer[rand.Intn(len(in.Answer))].(*dns.NS); ok {
+		return &ns.Ns, nil
+	}
+	return nil, errors.New("getAkaNS: Invalid NS record")
+}
+
+// getExternalIP returns the external IP used for DNS resolution of the executing host using nameserver.
+func getExternalIPbyNS(nameserver *string) (addr *netip.Addr, err error) {
+	if nameserver == nil {
+		// Default external authoritative nameserver
+		nameserver = &akamaiNameserver
+	}
+	m := new(dns.Msg)
+	// The akamai.net nameservers reply to queries for the name `whoami`
+	// with the IP address of the host sending the query.
+	m.SetQuestion("whoami.akamai.net.", dns.TypeA)
+	in, err := dns.Exchange(m, net.JoinHostPort(*nameserver, "53"))
+	if err != nil {
+		return nil, err
+	}
+	if len(in.Answer) < 1 {
+		err = errors.New("getExternalIP: No DNS RR answer")
+		return nil, err
+	}
+	if a, ok := in.Answer[0].(*dns.A); ok {
+		if addr, ok := netip.AddrFromSlice(a.A); ok {
+			return &addr, nil
+		}
+		return nil, &net.AddrError{Err: "invalid IP address", Addr: a.A.String()}
+	}
+	return nil, errors.New("getExternalIP: Invalid A record")
+}
+
+// queryExternalIP returns the external IP used for DNS resolution of the executing host.
+func queryExternalIP() (addr *netip.Addr, err error) {
+	// Try with default NS
+	addr, err = getExternalIPbyNS(nil)
+	if err != nil {
+		// try with looking up alternative NS
+		ns, err := getAkaNS()
+		if err == nil {
+			addr, err = getExternalIPbyNS(ns)
+		}
+	}
+	return
+}
