feat: add dns redirection (#105)

evgeniy-scherbina · web-flow · commit bbc174e264a9 · 2025-12-05T16:08:46.000-05:00
* feat: add dns redirection

* add debug logss

* comment out debug logs

* initial fix for race condtion

* refactor race condition fix

* add logging

* add 2nd redirection rule

* add real 2nd &amp; 3rd redirection rule

* remove 2nd redirection rule(host)

* remove commented out code

* improve docs

* minor fix

* minor fix

* improve docs

* improve docs

* improve docs

* refactor

* add boolean flag for stub resolved

* add boolean flag for stub resolved

* refactor

* gofmt

* refactor

* refactor
diff --git a/app/app.go b/app/app.go
@@ -15,14 +15,15 @@ import (
 
 // Config holds all configuration for the CLI
 type Config struct {
-	Config           serpent.YAMLConfigPath `yaml:"-"`
-	AllowListStrings serpent.StringArray    `yaml:"allowlist"` // From config file
-	AllowStrings     serpent.StringArray    `yaml:"-"`         // From CLI flags only
-	LogLevel         serpent.String         `yaml:"log_level"`
-	LogDir           serpent.String         `yaml:"log_dir"`
-	ProxyPort        serpent.Int64          `yaml:"proxy_port"`
-	PprofEnabled     serpent.Bool           `yaml:"pprof_enabled"`
-	PprofPort        serpent.Int64          `yaml:"pprof_port"`
+	Config                           serpent.YAMLConfigPath `yaml:"-"`
+	AllowListStrings                 serpent.StringArray    `yaml:"allowlist"` // From config file
+	AllowStrings                     serpent.StringArray    `yaml:"-"`         // From CLI flags only
+	LogLevel                         serpent.String         `yaml:"log_level"`
+	LogDir                           serpent.String         `yaml:"log_dir"`
+	ProxyPort                        serpent.Int64          `yaml:"proxy_port"`
+	PprofEnabled                     serpent.Bool           `yaml:"pprof_enabled"`
+	PprofPort                        serpent.Int64          `yaml:"pprof_port"`
+	ConfigureDNSForLocalStubResolver serpent.Bool           `yaml:"configure_dns_for_local_stub_resolver"`
 }
 
 func isChild() bool {
diff --git a/app/child.go b/app/child.go
@@ -67,6 +67,14 @@ func RunChild(logger *slog.Logger, args []string) error {
 	}
 	logger.Info("child networking is successfully configured")
 
+	if os.Getenv("CONFIGURE_DNS_FOR_LOCAL_STUB_RESOLVER") == "true" {
+		err = jail.ConfigureDNSForLocalStubResolver()
+		if err != nil {
+			return fmt.Errorf("failed to configure DNS in namespace: %v", err)
+		}
+		logger.Info("DNS in namespace is configured successfully")
+	}
+
 	// Program to run
 	bin := args[0]
 	args = args[1:]
diff --git a/app/parent.go b/app/parent.go
@@ -72,14 +72,15 @@ func RunParent(ctx context.Context, logger *slog.Logger, args []string, config C
 
 	// Create jailer with cert path from TLS setup
 	jailer, err := jail.NewLinuxJail(jail.Config{
-		Logger:        logger,
-		HttpProxyPort: int(config.ProxyPort.Value()),
-		Username:      username,
-		Uid:           uid,
-		Gid:           gid,
-		HomeDir:       homeDir,
-		ConfigDir:     configDir,
-		CACertPath:    caCertPath,
+		Logger:                     logger,
+		HttpProxyPort:              int(config.ProxyPort.Value()),
+		Username:                   username,
+		Uid:                        uid,
+		Gid:                        gid,
+		HomeDir:                    homeDir,
+		ConfigDir:                  configDir,
+		CACertPath:                 caCertPath,
+		ConfigureDNSForLocalStubResolver: config.ConfigureDNSForLocalStubResolver.Value(),
 	})
 	if err != nil {
 		return fmt.Errorf("failed to create jailer: %v", err)
diff --git a/cli/cli.go b/cli/cli.go
@@ -108,6 +108,13 @@ func BaseCommand() *serpent.Command {
 				Value:       &config.PprofPort,
 				YAML:        "pprof_port",
 			},
+			{
+				Flag:        "configure-dns-for-local-stub-resolver",
+				Env:         "BOUNDARY_CONFIGURE_DNS_FOR_LOCAL_STUB_RESOLVER",
+				Description: "Configure DNS for local stub resolver (e.g., systemd-resolved). Only needed when /etc/resolv.conf contains nameserver 127.0.0.53.",
+				Value:       &config.ConfigureDNSForLocalStubResolver,
+				YAML:        "configure_dns_for_local_stub_resolver",
+			},
 		},
 		Handler: func(inv *serpent.Invocation) error {
 			args := inv.Args
diff --git a/jail/jail.go b/jail/jail.go
@@ -18,41 +18,44 @@ type Jailer interface {
 }
 
 type Config struct {
-	Logger        *slog.Logger
-	HttpProxyPort int
-	Username      string
-	Uid           int
-	Gid           int
-	HomeDir       string
-	ConfigDir     string
-	CACertPath    string
+	Logger                          *slog.Logger
+	HttpProxyPort                   int
+	Username                        string
+	Uid                             int
+	Gid                             int
+	HomeDir                         string
+	ConfigDir                       string
+	CACertPath                      string
+	ConfigureDNSForLocalStubResolver bool
 }
 
 // LinuxJail implements Jailer using Linux network namespaces
 type LinuxJail struct {
-	logger        *slog.Logger
-	vethHostName  string // Host-side veth interface name for iptables rules
-	vethJailName  string // Jail-side veth interface name for iptables rules
-	commandEnv    []string
-	httpProxyPort int
-	configDir     string
-	caCertPath    string
-	homeDir       string
-	username      string
-	uid           int
-	gid           int
+	logger                     *slog.Logger
+	vethHostName               string // Host-side veth interface name for iptables rules
+	vethJailName               string // Jail-side veth interface name for iptables rules
+	commandEnv                 []string
+	httpProxyPort              int
+	configDir                  string
+	caCertPath                 string
+	homeDir                    string
+	username                   string
+	uid                        int
+	gid                        int
+	configureDNSForLocalStubResolver bool
 }
 
 func NewLinuxJail(config Config) (*LinuxJail, error) {
 	return &LinuxJail{
-		logger:        config.Logger,
-		httpProxyPort: config.HttpProxyPort,
-		configDir:     config.ConfigDir,
-		caCertPath:    config.CACertPath,
-		homeDir:       config.HomeDir,
-		username:      config.Username,
-		uid:           config.Uid,
-		gid:           config.Gid,
+		logger:                     config.Logger,
+		httpProxyPort:              config.HttpProxyPort,
+		configDir:                  config.ConfigDir,
+		caCertPath:                 config.CACertPath,
+		homeDir:                    config.HomeDir,
+		username:                   config.Username,
+		uid:                        config.Uid,
+		gid:                        config.Gid,
+		configureDNSForLocalStubResolver: config.ConfigureDNSForLocalStubResolver,
 	}, nil
 }
 
@@ -81,6 +84,9 @@ func (l *LinuxJail) Command(command []string) *exec.Cmd {
 	cmd.Env = l.commandEnv
 	cmd.Env = append(cmd.Env, "CHILD=true")
 	cmd.Env = append(cmd.Env, fmt.Sprintf("VETH_JAIL_NAME=%v", l.vethJailName))
+	if l.configureDNSForLocalStubResolver {
+		cmd.Env = append(cmd.Env, "CONFIGURE_DNS_FOR_LOCAL_STUB_RESOLVER=true")
+	}
 	cmd.Stderr = os.Stderr
 	cmd.Stdout = os.Stdout
 	cmd.Stdin = os.Stdin
diff --git a/jail/local_stub_resolver.go b/jail/local_stub_resolver.go
@@ -0,0 +1,50 @@
+package jail
+
+import (
+	"os/exec"
+
+	"golang.org/x/sys/unix"
+)
+
+// ConfigureDNSForLocalStubResolver configures DNS redirection from the network namespace
+// to the host's local stub resolver. This function should only be called when the host
+// runs a local stub resolver such as systemd-resolved, and /etc/resolv.conf contains
+// "nameserver 127.0.0.53" (listening on localhost). It redirects DNS requests from the
+// namespace to the host by setting up iptables NAT rules. Additionally, /etc/systemd/resolved.conf
+// should be configured with DNSStubListener=yes and DNSStubListenerExtra=192.168.100.1:53
+// to listen on the additional server address.
+// NOTE: it's called inside network namespace.
+func ConfigureDNSForLocalStubResolver() error {
+	runner := newCommandRunner([]*command{
+		// Redirect all DNS queries inside the namespace to the host DNS listener.
+		// Needed because systemd-resolved listens on a host-side IP, not inside the namespace.
+		{
+			"Redirect DNS queries (DNAT 53 → host DNS)",
+			exec.Command("iptables", "-t", "nat", "-A", "OUTPUT", "-p", "udp", "--dport", "53", "-j", "DNAT", "--to-destination", "192.168.100.1:53"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		// Rewrite the SOURCE IP of redirected DNS packets.
+		// Required because DNS queries originating as 127.0.0.1 inside the namespace
+		// must not leave the namespace with a loopback source (kernel drops them).
+		// SNAT ensures packets arrive at systemd-resolved with a valid, routable source.
+		{
+			"Fix DNS source IP (SNAT 127.0.0.x → 192.168.100.2)",
+			exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-p", "udp", "--dport", "53", "-d", "192.168.100.1", "-j", "SNAT", "--to-source", "192.168.100.2"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		// Allow packets destined for 127.0.0.0/8 to go through routing and NAT.
+		// Without this, DNS queries to 127.0.0.53 never hit iptables OUTPUT
+		// and cannot be redirected to the host.
+		{
+			"Allow loopback-destined traffic to pass through NAT (route_localnet)",
+			// TODO(yevhenii): consider replacing with specific interfaces instead of all
+			exec.Command("sysctl", "-w", "net.ipv4.conf.all.route_localnet=1"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+	})
+	if err := runner.run(); err != nil {
+		return err
+	}
+
+	return nil
+}
