Merge pull request #22 from netsec-ethz/dns_domains_fallback_reverse

search domain discovery: add reverse DNS lookup fallback

Add fallback feature for discovering a valid search domain for the current host using DNS,
by performing a reverse DNS lookup and deriving candidate search domains from the returned hostname.

Add a fallback for the fallback: In case the current host does not have a public IP configured,
obtain the externally visible (NAT, proxy) IP used for DNS by leveraging the Akamai whoami DNS service.
https://www.akamai.com/blog/developers/introducing-new-whoami-tool-dns-resolver-information

Add additional layers of fallbacks: In case there is no working DNS resolver configured, use the Quad9
public DNS resolver to obtain the IP of a default Akamai authoritative NS, or query for additional
fallback authoritative NS.

The number of external requests is minimized and the fallback paths involving additional 3rd parties are only
taken if local DNS resolution is not working.

Author: FR4NK-W

go.mod

@@ -7,19 +7,22 @@ require (
 	github.com/mdlayher/ndp v0.10.0
 	github.com/miekg/dns v1.1.27
 	github.com/pelletier/go-toml v1.8.1-0.20200708110244-34de94e6a887
+	github.com/stretchr/testify v1.6.1
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
 	golang.org/x/sys v0.0.0-20220317061510-51cd9980dadf
 )
 
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/stretchr/testify v1.6.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/u-root/u-root v7.0.0+incompatible // indirect
 	gitlab.com/golang-commonmark/puny v0.0.0-20191124015043-9f83538fa04f // indirect
 	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
 )
 
 replace github.com/insomniacslk/dhcp => github.com/stapelberg/dhcp v0.0.0-20190429172946-5244c0daddf0

go.sum

@@ -59,6 +59,7 @@ golang.org/x/sys v0.0.0-20220317061510-51cd9980dadf/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

hinting/dns_search_domain_fallbacks.go

@@ -0,0 +1,44 @@
+package hinting
+
+import (
+	"slices"
+	"strings"
+)
+
+func domainsFromHostnames(hostnames []string) (domains []string) {
+	for _, hostname := range hostnames {
+		labels := strings.Split(strings.TrimRight(hostname, "."), ".")
+		// skip hostname label, not part of the search domain
+		if len(labels) == 1 {
+			domains = append(domains, "local")
+			continue
+		}
+		domain := ""
+		slices.Reverse(labels)
+		for _, label := range labels[:len(labels)-1] {
+			if domain == "" {
+				domain = label
+				// do not add TLD to domains candidate list
+				continue
+			}
+			domain = strings.Join([]string{label, domain}, ".")
+			// Filter out Effective ccTLDs (of the form "co.uk"), as we are only interested in the ETLD+1 domains
+			if 5 == len(domain) && // TODO: complete TLD specific exceptions, or directly use PSL
+				(label == "co" ||
+					label == "ac" ||
+					label == "re" ||
+					label == "ne") {
+				// do not add country-code second-level ETLD domains to domains candidate list
+				continue
+			}
+			if !slices.Contains(domains, domain) {
+				domains = append(domains, domain)
+			}
+		}
+	}
+	// order search domains by hostname from most specific to least specific,
+	// a more specific search domain of an earlier hostname might sort after
+	// a search domain derived from a later hostname.
+	slices.Reverse(domains)
+	return
+}

hinting/dns_search_domain_fallbacks_reverse.go

@@ -0,0 +1,96 @@
+package hinting
+
+import (
+	"context"
+	"errors"
+	"github.com/miekg/dns"
+	"math/rand"
+	"net"
+	"net/netip"
+)
+
+var (
+	akamaiDomain     = "akamai.net."
+	akamaiNameserver = "zh.akamaitech.net"
+	quad9DNSResolver = "9.9.9.9:53"
+)
+
+// reverseLookupDomains obtains the reverse DNS entries for IP addr to derive DNS search domain candidates.
+// Uses in-addr.arpa and ip6.arpa domains to lookup reverse pointer records.
+func reverseLookupDomains(addr netip.Addr) (domains []string) {
+	hostnames, err := net.LookupAddr(addr.String())
+	if err != nil {
+		return
+	}
+	return domainsFromHostnames(hostnames)
+}
+
+// Fallbacks to obtain an external public IP address using DNS.
+
+// getAkaNS returns one random authoritative nameserver for akamai.net.
+func getAkaNS() (nameserver string, err error) {
+	// try default resolver
+	resolver := net.Resolver{}
+	ctx := context.TODO()
+	nameservers, err := resolver.LookupNS(ctx, akamaiDomain)
+	if err == nil {
+		return nameservers[rand.Intn(len(nameservers))].Host, err
+	}
+
+	m := new(dns.Msg)
+	m.SetQuestion(akamaiDomain, dns.TypeNS)
+	// try Quad9
+	in, err := dns.Exchange(m, quad9DNSResolver)
+	if err != nil {
+		return "", err
+	}
+	if len(in.Answer) < 1 {
+		err = errors.New("getAkaNS: No DNS RR answer")
+		return "", err
+	}
+	if ns, ok := in.Answer[rand.Intn(len(in.Answer))].(*dns.NS); ok {
+		return ns.Ns, nil
+	}
+	return "", errors.New("getAkaNS: Invalid NS record")
+}
+
+// getExternalIP returns the external IP used for DNS resolution of the executing host using nameserver.
+func getExternalIP(nameserver string) (addr netip.Addr, err error) {
+	if nameserver == "" {
+		// Default external authoritative nameserver
+		nameserver = akamaiNameserver
+	}
+	m := new(dns.Msg)
+	// The akamai.net nameservers reply to queries for the name `whoami`
+	// with the IP address of the host sending the query.
+	m.SetQuestion("whoami.akamai.net.", dns.TypeA)
+	in, err := dns.Exchange(m, net.JoinHostPort(nameserver, "53"))
+	if err != nil {
+		return netip.Addr{}, err
+	}
+	if len(in.Answer) < 1 {
+		err = errors.New("getExternalIP: No DNS RR answer")
+		return netip.Addr{}, err
+	}
+	if a, ok := in.Answer[0].(*dns.A); ok {
+		if addr, ok := netip.AddrFromSlice(a.A); ok {
+			return addr, nil
+		}
+		return netip.Addr{}, &net.AddrError{Err: "invalid IP address", Addr: a.A.String()}
+	}
+	return netip.Addr{}, errors.New("getExternalIP: Invalid A record")
+}
+
+// queryExternalIP returns the external IP used for DNS resolution of the executing host.
+func queryExternalIP() (addr netip.Addr, err error) {
+	// Try with default NS
+	addr, err = getExternalIP("")
+	if err != nil {
+		// try with looking up alternative NS
+		ns, err := getAkaNS()
+		if err == nil {
+			addr, err = getExternalIP(ns)
+		}
+	}
+	return
+}

hinting/dns_search_domain_fallbacks_test.go

@@ -0,0 +1,126 @@
+package hinting
+
+import (
+	"github.com/stretchr/testify/assert"
+	"net/netip"
+	"testing"
+)
+
+func TestReverseLookupDomains(t *testing.T) {
+	testCases := []struct {
+		name   string
+		values []struct {
+			ip     netip.Addr
+			domain string
+		}
+	}{
+		{
+			name: "ETHZ",
+			values: []struct {
+				ip     netip.Addr
+				domain string
+			}{
+				{ip: netip.MustParseAddr("129.132.19.216"), domain: "ethz.ch"},
+				{ip: netip.MustParseAddr("82.130.64.0"), domain: "ethz.ch"},
+				{ip: netip.MustParseAddr("148.187.192.0"), domain: "ethz.ch"},
+			},
+		},
+		{
+			name: "PU",
+			values: []struct {
+				ip     netip.Addr
+				domain string
+			}{
+				{ip: netip.MustParseAddr("66.180.178.131"), domain: "princeton.edu"},
+			},
+		},
+		{
+			name: "VU",
+			values: []struct {
+				ip     netip.Addr
+				domain string
+			}{
+				{ip: netip.MustParseAddr("128.143.33.137"), domain: "virginia.edu"},
+				{ip: netip.MustParseAddr("128.143.33.144"), domain: "virginia.edu"},
+			},
+		},
+		{
+			name: "SWITCH",
+			values: []struct {
+				ip     netip.Addr
+				domain string
+			}{
+				{ip: netip.MustParseAddr("130.59.31.80"), domain: "switch.ch"},
+			},
+		},
+		{
+			name: "KREONET",
+			values: []struct {
+				ip     netip.Addr
+				domain string
+			}{
+				{ip: netip.MustParseAddr("134.75.254.11"), domain: "kreonet.net"},
+				{ip: netip.MustParseAddr("134.75.254.12"), domain: "kreonet.net"},
+			},
+		},
+		{
+			name: "KU",
+			values: []struct {
+				ip     netip.Addr
+				domain string
+			}{
+				{ip: netip.MustParseAddr("163.152.6.10"), domain: "korea.ac.kr"},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Log(tc.name)
+		for _, v := range tc.values {
+			t.Log(v.ip)
+			res := reverseLookupDomains(v.ip)
+			t.Log(res)
+			assert.Subset(t, res, []string{v.domain}, "")
+		}
+	}
+}
+
+func TestDomainsFromHostnamesDerivation(t *testing.T) {
+	testCases := []struct {
+		name   string
+		values []struct {
+			hostnames []string
+			domains   []string
+		}
+	}{
+		{
+			name: "ETHZ",
+			values: []struct {
+				hostnames []string
+				domains   []string
+			}{
+				{hostnames: []string{"82-130-64-0.net4.ethz.ch."}, domains: []string{"net4.ethz.ch", "ethz.ch"}},
+				{hostnames: []string{"service-id-api-cd-dcz1-server-4-b.ethz.ch."}, domains: []string{"ethz.ch"}},
+			},
+		},
+		{
+			name: "ETHZ",
+			values: []struct {
+				hostnames []string
+				domains []string
+			}{
+				{hostnames: []string{"60.korea.ac.kr.", "sub.korea.ac.kr."}, domains: []string{"korea.ac.kr"}},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Log(tc.name)
+		for _, v := range tc.values {
+			t.Log(v.hostnames)
+			res := domainsFromHostnames(v.hostnames)
+			t.Log(res)
+			assert.EqualValues(t, v.domains, res, "")
+		}
+	}
+}