@opensecurity/zonzon-core 0.1.0

package/src/schema.ts

@@ -0,0 +1,137 @@
+import { z } from "zod";
+import * as net from "net";
+import { HostConfig, DnsRecord, ServerConfig } from "./types.js";
+
+const CrlfFreeString = z.string().refine((val) => !/[\r\n]/.test(val), "Contains CR/LF");
+
+const Ipv4Schema = z.string().refine((ip) => net.isIPv4(ip), "Invalid IPv4");
+const Ipv6Schema = z.string().refine((ip) => net.isIPv6(ip), "Invalid IPv6");
+
+const HostnameSchema = z.string().max(253).refine((hostname) => {
+  const parts = hostname.split(".");
+  const hostPattern = /^[a-zA-Z0-9_]([a-zA-Z0-9_-]{0,61}[a-zA-Z0-9])?$/;
+  return parts.every((part) => part.length > 0 && part.length <= 63 && hostPattern.test(part));
+}, "Invalid hostname");
+
+const PortSchema = z.number().int().min(1).max(65535);
+
+const ARecordSchema = z.object({ type: z.literal("A"), address: Ipv4Schema });
+const AAAARecordSchema = z.object({ type: z.literal("AAAA"), address: Ipv6Schema });
+const CNAMERecordSchema = z.object({ type: z.literal("CNAME"), target: HostnameSchema });
+const TXTRecordSchema = z.object({ type: z.literal("TXT"), data: z.array(z.string().max(255).refine((val) => !/[\r\n]/.test(val), "Contains CR/LF")) });
+const MXRecordSchema = z.object({ type: z.literal("MX"), priority: z.number().int().min(0).max(65535), exchange: HostnameSchema });
+const NSRecordSchema = z.object({ type: z.literal("NS"), target: HostnameSchema });
+const SRVRecordSchema = z.object({ type: z.literal("SRV"), priority: z.number().int().min(0).max(65535), weight: z.number().int().min(0).max(65535), port: PortSchema, target: HostnameSchema });
+const PTRRecordSchema = z.object({ type: z.literal("PTR"), target: HostnameSchema });
+
+const DnsRecordSchema = z.discriminatedUnion("type", [
+  ARecordSchema,
+  AAAARecordSchema,
+  CNAMERecordSchema,
+  TXTRecordSchema,
+  MXRecordSchema,
+  NSRecordSchema,
+  SRVRecordSchema,
+  PTRRecordSchema,
+]);
+
+const HttpProxySchema = z.object({
+  enabled: z.boolean(),
+  upstream: CrlfFreeString.optional(),
+  headers: z.record(z.string().regex(/^[a-zA-Z0-9\-]+$/), CrlfFreeString).default({}),
+  forwardRequestBody: z.boolean().default(false),
+  maxRequestBodyBytes: z.number().int().min(0).max(10485760).default(5242880),
+}).refine(data => !data.enabled || !!data.upstream, {
+  message: "HTTP proxy requires 'upstream' URL when enabled",
+  path: ["upstream"]
+});
+
+const RedirectSchema = z.object({
+  enabled: z.boolean().default(true),
+  code: z.union([z.literal(301), z.literal(302), z.literal(303), z.literal(307), z.literal(308)]),
+  target: CrlfFreeString,
+});
+
+const HostConfigSchema = z.object({
+  records: z.array(DnsRecordSchema).default([]),
+  http_proxy: HttpProxySchema.optional(),
+  redirect: RedirectSchema.optional(),
+});
+
+const FirewallSchema = z.object({
+  defaultPolicy: z.enum(["allow", "deny"]).default("deny"),
+  allowlist_domains: z.array(z.string().max(253)).default([]),
+  blocklist_domains: z.array(z.string().max(253)).default([]),
+  allowlist_ranges: z.array(z.string().max(40)).default([]),
+  blocklist_ranges: z.array(z.string().max(40)).default([]),
+  allowlist_ips: z.array(z.string().max(40)).default([]),
+  blocklist_ips: z.array(z.string().max(40)).default([]),
+});
+
+const ControlPlaneSchema = z.object({
+  enabled: z.boolean().default(true).optional(),
+  port: z.coerce.number().int().min(1).max(65535).default(8080).optional(),
+  apiKey: z.string().optional()
+});
+
+const ServerConfigSchema = z.object({
+  port: z.coerce.number().int().min(1).max(65535).default(53),
+  fallbackDns: Ipv4Schema.optional(),
+  firewall: FirewallSchema.optional(),
+  controlPlane: ControlPlaneSchema.optional(),
+  dnsCacheMaxSize: z.coerce.number().int().min(1).max(100000).default(1024),
+  dnsCacheTtlMs: z.coerce.number().int().min(0).max(3600000).default(0),
+  maxTcpConnections: z.coerce.number().int().min(1).max(10000).default(100),
+  tcpIdleTimeoutMs: z.coerce.number().int().min(1000).max(600000).default(30000),
+  rateLimitMaxRequests: z.coerce.number().int().min(0).max(100000).default(0),
+  rateLimitWindowMs: z.coerce.number().int().min(100).max(60000).default(1000),
+  hosts: z.record(z.string(), HostConfigSchema).default({}),
+}).refine(data => {
+  for (const key of Object.keys(data.hosts)) {
+    const normalized = key.toLowerCase();
+    if (normalized === "*") continue;
+    if (normalized.startsWith("*.")) {
+      HostnameSchema.parse(normalized.slice(2));
+    } else {
+      HostnameSchema.parse(normalized);
+    }
+  }
+  return true;
+}, "Contains invalid hostnames in configuration keys");
+
+export function validateARecord(record: unknown): DnsRecord { return ARecordSchema.parse(record) as DnsRecord; }
+export function validateAAAARecord(record: unknown): DnsRecord { return AAAARecordSchema.parse(record) as DnsRecord; }
+export function validateCNAME(record: unknown): DnsRecord { return CNAMERecordSchema.parse(record) as DnsRecord; }
+export function validateTXT(record: unknown): DnsRecord { return TXTRecordSchema.parse(record) as DnsRecord; }
+export function validateMX(record: unknown): DnsRecord { return MXRecordSchema.parse(record) as DnsRecord; }
+export function validateNS(record: unknown): DnsRecord { return NSRecordSchema.parse(record) as DnsRecord; }
+export function validateSRV(record: unknown): DnsRecord { return SRVRecordSchema.parse(record) as DnsRecord; }
+export function validatePTR(record: unknown): DnsRecord { return PTRRecordSchema.parse(record) as DnsRecord; }
+
+export function validateRecord(record: unknown): DnsRecord {
+  if (!record || typeof record !== "object" || !("type" in record)) {
+    throw new Error("DNS record must be an object with a 'type' field");
+  }
+  return DnsRecordSchema.parse(record) as DnsRecord;
+}
+
+export function validateHostConfig(config: unknown): HostConfig {
+  try {
+    return HostConfigSchema.parse(config) as HostConfig;
+  } catch (error) {
+    throw new Error(`Host validation error: ${error}`);
+  }
+}
+
+export function validateServerConfig(config: unknown): ServerConfig {
+  try {
+    const parsed = ServerConfigSchema.parse(config);
+    const lowercaseHosts: Record<string, HostConfig> = {};
+    for (const [key, value] of Object.entries(parsed.hosts)) {
+      lowercaseHosts[key.toLowerCase()] = value as HostConfig;
+    }
+    return { ...parsed, hosts: lowercaseHosts } as ServerConfig;
+  } catch (error) {
+    throw new Error(`Configuration validation error: ${error}`);
+  }
+}

package/src/sni-proxy.ts

@@ -0,0 +1,164 @@
+import * as net from "net";
+import * as dns from "dns/promises";
+import { ServerConfig } from "./types.js";
+import { firewallEngine } from "./firewall.js";
+import { audit } from "./audit.js";
+
+export class SniProxyService {
+  private port: number;
+  private config: ServerConfig;
+  private server: net.Server | null = null;
+  private activeConnections = new Set<net.Socket>();
+
+  constructor(config: ServerConfig, port: number = 443) {
+    this.config = config;
+    this.port = port;
+  }
+
+  private extractSNI(data: Buffer): string | null {
+    try {
+      if (data.length < 5 || data[0] !== 0x16 || data[5] !== 0x01) {
+        return null;
+      }
+
+      let offset = 43; 
+      if (offset >= data.length) return null;
+
+      const sessionIdLength = data[offset];
+      offset += 1 + sessionIdLength;
+      if (offset >= data.length) return null;
+
+      const cipherSuitesLength = data.readUInt16BE(offset);
+      offset += 2 + cipherSuitesLength;
+      if (offset >= data.length) return null;
+
+      const compressionMethodsLength = data[offset];
+      offset += 1 + compressionMethodsLength;
+      if (offset >= data.length) return null;
+
+      const extensionsLength = data.readUInt16BE(offset);
+      offset += 2;
+      const extensionsEnd = offset + extensionsLength;
+
+      while (offset < extensionsEnd && offset + 4 <= data.length) {
+        const extType = data.readUInt16BE(offset);
+        const extLength = data.readUInt16BE(offset + 2);
+        offset += 4;
+
+        if (extType === 0x0000) {
+          let sniOffset = offset;
+          sniOffset += 2;
+          
+          const nameType = data[sniOffset];
+          if (nameType === 0) {
+            sniOffset += 1;
+            const nameLength = data.readUInt16BE(sniOffset);
+            sniOffset += 2;
+            return data.toString("utf8", sniOffset, sniOffset + nameLength);
+          }
+        }
+        offset += extLength;
+      }
+    } catch {
+      return null;
+    }
+    return null;
+  }
+
+  private async handleConnection(clientSocket: net.Socket): Promise<void> {
+    const clientIp = clientSocket.remoteAddress || "unknown";
+    let buffer = Buffer.alloc(0);
+    let isHandled = false;
+
+    clientSocket.on("data", async (chunk: Buffer) => {
+      if (isHandled) return;
+
+      buffer = Buffer.concat([buffer, chunk]);
+
+      if (buffer.length < 5) return;
+      const recordLength = buffer.readUInt16BE(3);
+      if (buffer.length < 5 + recordLength) return;
+
+      isHandled = true;
+      const sni = this.extractSNI(buffer);
+
+      if (!sni) {
+        audit.http(clientIp, "TLS", "UNKNOWN", ":443", 400, "Dropped: No SNI detected");
+        clientSocket.destroy();
+        return;
+      }
+
+      try {
+        if (firewallEngine.evaluateDomain(sni, this.config.firewall) === "DENY") {
+          throw new Error("Domain blocked by Firewall policy");
+        }
+
+        const records = await dns.resolve(sni);
+        const targetIps = records.filter(ip => typeof ip === "string");
+
+        if (targetIps.length === 0) {
+          throw new Error("NXDOMAIN on upstream resolution");
+        }
+
+        const targetIp = targetIps[0];
+        if (firewallEngine.evaluateIp(targetIp, this.config.firewall) === "DENY") {
+          throw new Error(`Target IP ${targetIp} blocked by Firewall policy`);
+        }
+
+        audit.http(clientIp, "TLS-SNI", sni, ":443", 200, `Tunneled to ${targetIp}`);
+
+        const srvSocket = net.connect(443, targetIp, () => {
+          srvSocket.write(buffer);
+          clientSocket.pipe(srvSocket);
+          srvSocket.pipe(clientSocket);
+        });
+
+        this.activeConnections.add(srvSocket);
+        srvSocket.on("close", () => this.activeConnections.delete(srvSocket));
+
+        srvSocket.on("error", (err) => {
+          audit.error(`Upstream tunnel fault on ${sni}:443 - ${err.message}`);
+          if (!clientSocket.destroyed) clientSocket.destroy();
+        });
+
+      } catch (err: any) {
+        audit.http(clientIp, "TLS-SNI", sni, ":443", 403, `Blocked: ${err.message}`);
+        clientSocket.destroy();
+      }
+    });
+
+    clientSocket.on("error", (err) => {
+      audit.error(`Client tunnel fault from ${clientIp} - ${err.message}`);
+    });
+  }
+
+  public start(): Promise<void> {
+    return new Promise((resolve, reject) => {
+      this.server = net.createServer((socket: net.Socket) => {
+        this.activeConnections.add(socket);
+        socket.on("close", () => this.activeConnections.delete(socket));
+        this.handleConnection(socket);
+      });
+
+      this.server.on("error", (err) => reject(err));
+
+      this.server.listen(this.port, "0.0.0.0", () => {
+        resolve();
+      });
+    });
+  }
+
+  public async stop(): Promise<void> {
+    if (this.server) {
+      for (const socket of this.activeConnections) {
+        socket.destroy();
+      }
+      this.activeConnections.clear();
+
+      await new Promise<void>((resolve) => {
+        this.server!.close(() => resolve());
+      });
+      this.server = null;
+    }
+  }
+}

package/src/srv-record.test.ts

@@ -0,0 +1,211 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import { DevDnsServer } from "./dns-service.js";
+import { ServerConfig, DNS_TYPES, DNS_RCODE } from "./types.js";
+
+function buildQuery(name: string, type: number): Buffer {
+  const encoder = new (class {
+    buf = Buffer.alloc(256);
+    offset = 0;
+
+    writeUint16(v: number) {
+      this.buf.writeUInt16BE(v, this.offset);
+      this.offset += 2;
+    }
+
+    writeUint8(v: number) {
+      this.buf.writeUInt8(v, this.offset);
+      this.offset += 1;
+    }
+
+    writeDomainName(nm: string) {
+      for (const label of nm.split(".")) {
+        if (label.length === 0) continue;
+        this.writeUint8(label.length);
+        Buffer.from(label).copy(this.buf, this.offset);
+        this.offset += label.length;
+      }
+      this.writeUint8(0);
+    }
+
+    finish(): Buffer {
+      return this.buf.subarray(0, this.offset);
+    }
+  })();
+
+  encoder.writeUint16(0xabcd);
+  encoder.writeUint16(0x0100);
+  encoder.writeUint16(1);
+  encoder.writeUint16(0);
+  encoder.writeUint16(0);
+  encoder.writeUint16(0);
+
+  encoder.writeDomainName(name);
+  encoder.writeUint16(type);
+  encoder.writeUint16(1);
+
+  return encoder.finish();
+}
+
+function parseResponseFlags(buf: Buffer): { qr: number; rcode: number } {
+  const flags = buf.readUInt16BE(2);
+  const qr = (flags >> 15) & 0x1;
+  const rcode = flags & 0xf;
+  return { qr, rcode };
+}
+
+function getAnswerCount(buf: Buffer): number {
+  return buf.readUInt16BE(6);
+}
+
+describe("DevDnsServer - SRV Wire Format Encoding", () => {
+  let server: DevDnsServer;
+
+  it("returns correctly encoded SRV record with priority=10 weight=5 port=8080", () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "my.service.loop": {
+          records: [
+            { type: "SRV", priority: 10, weight: 5, port: 8080, target: "backend.my.service.loop" },
+          ],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const queryBuffer = buildQuery("my.service.loop", DNS_TYPES.SRV);
+    const response = server.resolve(queryBuffer)!;
+
+    assert.ok(response.length > 0);
+
+    const { qr, rcode } = parseResponseFlags(response);
+    assert.strictEqual(qr, 1);
+    assert.strictEqual(rcode, DNS_RCODE.NOERROR);
+
+    const ancount = getAnswerCount(response);
+    assert.strictEqual(ancount, 1);
+    assert.ok(response.length > 40);
+    const rdlen = response.readUInt16BE(20);
+    assert.ok(rdlen >= 6);
+  });
+
+  it("returns correctly encoded SRV record with zero priority and weight", () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "zero.srv.loop": {
+          records: [
+            { type: "SRV", priority: 0, weight: 0, port: 443, target: "primary.zero.srv.loop" },
+          ],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const response = server.resolve(buildQuery("zero.srv.loop", DNS_TYPES.SRV))!;
+
+    assert.ok(response.length > 0);
+    const ancount = getAnswerCount(response);
+    assert.strictEqual(ancount, 1);
+  });
+
+  it("returns multiple SRV records for same host (weighted load balancing)", () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "lb.srv.loop": {
+          records: [
+            { type: "SRV", priority: 10, weight: 7, port: 8080, target: "server1.lb.srv.loop" },
+            { type: "SRV", priority: 20, weight: 3, port: 8080, target: "server2.lb.srv.loop" },
+          ],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const response = server.resolve(buildQuery("lb.srv.loop", DNS_TYPES.SRV))!;
+
+    assert.ok(response.length > 0);
+    const ancount = getAnswerCount(response);
+    assert.strictEqual(ancount, 2);
+  });
+
+  it("does not respond with A record type when host only has SRV records", () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "only-srv.loop": {
+          records: [
+            { type: "SRV", priority: 10, weight: 5, port: 8080, target: "target.only-srv.loop" },
+          ],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const response = server.resolve(buildQuery("only-srv.loop", DNS_TYPES.A))!;
+
+    assert.ok(response.length > 0);
+    assert.strictEqual(getAnswerCount(response), 0);
+    const { rcode } = parseResponseFlags(response);
+    assert.strictEqual(rcode, DNS_RCODE.NOERROR);
+  });
+
+  it("handles SRV with maximum port value 65535", () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "maxport.srv.loop": {
+          records: [
+            { type: "SRV", priority: 100, weight: 200, port: 65535, target: "max.maxport.srv.loop" },
+          ],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+    const response = server.resolve(buildQuery("maxport.srv.loop", DNS_TYPES.SRV))!;
+
+    assert.ok(response.length > 0);
+    const ancount = getAnswerCount(response);
+    assert.strictEqual(ancount, 1);
+  });
+
+  it("preserves query ID in SRV response", () => {
+    const config: ServerConfig = {
+      port: 53,
+      hosts: {
+        "id.srv.loop": {
+          records: [
+            { type: "SRV", priority: 10, weight: 5, port: 8080, target: "target.id.srv.loop" },
+          ],
+        },
+      },
+    };
+
+    const testEncoder = new (class {
+      buf = Buffer.alloc(256);
+      offset = 0;
+      writeUint16(v: number) { this.buf.writeUInt16BE(v, this.offset); this.offset += 2; }
+      writeUint8(v: number) { this.buf.writeUInt8(v, this.offset); this.offset += 1; }
+      writeDomainName(nm: string) { for (const label of nm.split(".")) { if (label.length === 0) continue; this.writeUint8(label.length); Buffer.from(label).copy(this.buf, this.offset); this.offset += label.length; } this.writeUint8(0); }
+      finish(): Buffer { return this.buf.subarray(0, this.offset); }
+    })();
+
+    const testId = 0xDEAD;
+    testEncoder.writeUint16(testId);
+    testEncoder.writeUint16(0x0100);
+    testEncoder.writeUint16(1);
+    testEncoder.writeUint16(0);
+    testEncoder.writeUint16(0);
+    testEncoder.writeUint16(0);
+    testEncoder.writeDomainName("id.srv.loop");
+    testEncoder.writeUint16(DNS_TYPES.SRV);
+    testEncoder.writeUint16(1);
+
+    server = new DevDnsServer(config);
+    const response = server.resolve(testEncoder.finish())!;
+    assert.strictEqual(response.readUInt16BE(0), testId);
+  });
+});

package/src/tcp-connection-limit.test.ts

@@ -0,0 +1,110 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import * as net from "net";
+
+let PORT_BASE = 61500;
+
+function nextPort(): number {
+  return PORT_BASE++;
+}
+
+describe("DnsHandler - TCP Connection Limiting", () => {
+  it("rejects new connections after max is reached", async () => {
+    const port = nextPort();
+    const { DnsHandler } = await import("./dns-handler.js");
+    const { DevDnsServer } = await import("./dns-service.js");
+    const config: any = { port, hosts: {}, maxTcpConnections: 2, tcpIdleTimeoutMs: 30000, rateLimitMaxRequests: 0 };
+
+    const dnsServer = new DevDnsServer(config);
+    const handler = new DnsHandler(dnsServer, config);
+    await handler.start();
+
+    try {
+      await new Promise<void>((r) => setTimeout(r, 150));
+
+      const sockets: net.Socket[] = [];
+      for (let i = 0; i < 2; i++) {
+        const s = net.createConnection(port, "127.0.0.1", () => {});
+        sockets.push(s);
+      }
+
+      await new Promise<void>((r) => setTimeout(r, 150));
+
+      const thirdPromise = new Promise<boolean>((resolve) => {
+        const socket = net.createConnection(port, "127.0.0.1");
+        socket.on("connect", () => {
+          setTimeout(() => resolve(socket.destroyed), 500);
+        });
+        socket.on("error", () => resolve(true));
+      });
+
+      const destroyed = await thirdPromise;
+      assert.strictEqual(destroyed, true);
+
+      for (const s of sockets) s.destroy();
+    } finally {
+      await handler.stop();
+    }
+  });
+
+  it("admits connections when one closes (below max)", async () => {
+    const port = nextPort();
+    const { DnsHandler } = await import("./dns-handler.js");
+    const { DevDnsServer } = await import("./dns-service.js");
+    const config: any = { port, hosts: {}, maxTcpConnections: 2, tcpIdleTimeoutMs: 1000, rateLimitMaxRequests: 0 };
+
+    const dnsServer = new DevDnsServer(config);
+    const handler = new DnsHandler(dnsServer, config);
+    await handler.start();
+
+    try {
+      await new Promise<void>((r) => setTimeout(r, 150));
+
+      const socket1 = net.createConnection(port, "127.0.0.1");
+      const socket2 = net.createConnection(port, "127.0.0.1");
+
+      await new Promise<void>((r) => setTimeout(r, 150));
+
+      socket1.end();
+      await new Promise<void>((r) => { socket1.on("close", r); });
+
+      await new Promise<void>((r) => setTimeout(r, 200));
+
+      const thirdPromise = new Promise<boolean>((resolve) => {
+        const socket3 = net.createConnection(port, "127.0.0.1", () => resolve(true));
+        socket3.on("error", () => resolve(false));
+        socket3.setTimeout(500);
+        socket3.on("timeout", () => { socket3.destroy(); resolve(false); });
+      });
+
+      const admitted = await thirdPromise;
+      assert.strictEqual(admitted, true);
+    } finally {
+      await handler.stop();
+    }
+  });
+
+  it("closes idle connections after timeout", async () => {
+    const port = nextPort();
+    const { DnsHandler } = await import("./dns-handler.js");
+    const { DevDnsServer } = await import("./dns-service.js");
+    const config: any = { port, hosts: {}, maxTcpConnections: 5, tcpIdleTimeoutMs: 300, rateLimitMaxRequests: 0 };
+
+    const dnsServer = new DevDnsServer(config);
+    const handler = new DnsHandler(dnsServer, config);
+    await handler.start();
+
+    try {
+      await new Promise<void>((r) => setTimeout(r, 150));
+
+      const socket = net.createConnection(port, "127.0.0.1");
+      await new Promise<void>((r) => socket.on("connect", () => r()));
+
+      await new Promise<void>((r) => setTimeout(r, 800));
+
+      assert.strictEqual(socket.destroyed, true);
+    } finally {
+      await handler.stop();
+    }
+  });
+});