@opensecurity/zonzon-core 0.1.0

package/src/types.ts

@@ -0,0 +1,168 @@
+export interface ARecord {
+  type: "A";
+  address: string;
+}
+
+export interface AAAARecord {
+  type: "AAAA";
+  address: string;
+}
+
+export interface CNAME {
+  type: "CNAME";
+  target: string;
+}
+
+export interface TXT {
+  type: "TXT";
+  data: string[];
+}
+
+export interface MX {
+  type: "MX";
+  priority: number;
+  exchange: string;
+}
+
+export interface NS {
+  type: "NS";
+  target: string;
+}
+
+export interface SRV {
+  type: "SRV";
+  priority: number;
+  weight: number;
+  port: number;
+  target: string;
+}
+
+export interface PTR {
+  type: "PTR";
+  target: string;
+}
+
+export type DnsRecord = ARecord | AAAARecord | CNAME | TXT | MX | NS | SRV | PTR;
+
+export interface HttpProxyConfig {
+  enabled: boolean;
+  upstream?: string;
+  headers: Record<string, string>;
+  forwardRequestBody?: boolean;
+  maxRequestBodyBytes?: number;
+}
+
+export interface RedirectConfig {
+  enabled: boolean;
+  code: number;
+  target: string;
+}
+
+export interface HostConfig {
+  records: DnsRecord[];
+  http_proxy?: HttpProxyConfig;
+  redirect?: RedirectConfig;
+}
+
+export interface FirewallConfig {
+  defaultPolicy: "allow" | "deny";
+  allowlist_domains?: string[];
+  blocklist_domains?: string[];
+  allowlist_ranges?: string[];
+  blocklist_ranges?: string[];
+  allowlist_ips?: string[];
+  blocklist_ips?: string[];
+}
+
+export interface ControlPlaneConfig {
+  enabled?: boolean;
+  port?: number;
+  apiKey?: string;
+}
+
+export interface ServerConfig {
+  port: number;
+  fallbackDns?: string;
+  firewall?: FirewallConfig;
+  controlPlane?: ControlPlaneConfig;
+  dnsCacheMaxSize?: number;
+  dnsCacheTtlMs?: number;
+  maxTcpConnections?: number;
+  tcpIdleTimeoutMs?: number;
+  rateLimitMaxRequests?: number;
+  rateLimitWindowMs?: number;
+  hosts: Record<string, HostConfig>;
+}
+
+export interface DnsQuestion {
+  name: string;
+  type: number;
+  class: number;
+}
+
+export interface DnsResponseHeader {
+  id: number;
+  flags: number;
+  qdcount: number;
+  ancount: number;
+  nscount: number;
+  arcount: number;
+}
+
+export interface DnsQuestionSection {
+  questions: DnsQuestion[];
+  additional?: string; 
+}
+
+export interface ProxiedRequest {
+  hostname: string;
+  originalUrl: string;
+  headers: Record<string, string>;
+  method: string;
+  body?: Buffer;
+}
+
+export interface ModifiedHeaders {
+  upstreamHeaders: Record<string, string>;
+  clientResponseHeaders: Record<string, string>;
+}
+
+export const DNS_CLASSES = { IN: 1 };
+
+export const DNS_TYPES = {
+  A: 1,
+  NS: 2,
+  CNAME: 5,
+  SOA: 6,
+  MX: 15,
+  TXT: 16,
+  PTR: 12,
+  AAAA: 28,
+  SRV: 33,
+} as const;
+
+export const DNS_OPCODE = {
+  QUERY: 0,
+  IQUERY: 1,
+  STATUS: 2,
+};
+
+export const DNS_RCODE = {
+  NOERROR: 0,
+  FORMERR: 1,
+  SERVFAIL: 2,
+  NXDOMAIN: 3,
+  NOTIMP: 4,
+  REFUSED: 5,
+};
+
+export const RESPONSE_FLAGS = {
+  QR: (1 << 15) as number,
+  AA: (1 << 10) as number,
+  TC: (1 << 9) as number,
+  RD: (1 << 8) as number,
+  RA: (1 << 7) as number,
+};
+
+export const MAX_DNS_PACKET_SIZE = 512;
+export const MAX_TXT_RECORD_LENGTH = 255;

package/src/wildcard-matching.test.ts

@@ -0,0 +1,196 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import { DevDnsServer } from "./dns-service.js";
+import { ServerConfig, DNS_TYPES } from "./types.js";
+
+function buildQuery(name: string, type: number): Buffer {
+  const encoder = new (class {
+    buf = Buffer.alloc(256);
+    offset = 0;
+
+    writeUint16(v: number) {
+      this.buf.writeUInt16BE(v, this.offset);
+      this.offset += 2;
+    }
+
+    writeUint8(v: number) {
+      this.buf.writeUInt8(v, this.offset);
+      this.offset += 1;
+    }
+
+    writeDomainName(nm: string) {
+      for (const label of nm.split(".")) {
+        if (label.length === 0) continue;
+        this.writeUint8(label.length);
+        Buffer.from(label).copy(this.buf, this.offset);
+        this.offset += label.length;
+      }
+      this.writeUint8(0);
+    }
+
+    finish(): Buffer {
+      return this.buf.subarray(0, this.offset);
+    }
+  })();
+
+  encoder.writeUint16(0xBEEF);
+  encoder.writeUint16(0x0100);
+  encoder.writeUint16(1);
+  encoder.writeUint16(0);
+  encoder.writeUint16(0);
+  encoder.writeUint16(0);
+
+  encoder.writeDomainName(name);
+  encoder.writeUint16(type);
+  encoder.writeUint16(1);
+
+  return encoder.finish();
+}
+
+function getAnswerCount(buf: Buffer): number {
+  return buf.readUInt16BE(6);
+}
+
+describe("DevDnsServer - Wildcard Host Matching", () => {
+  let server: DevDnsServer;
+
+  it("resolves subdomains under a wildcard pattern *.loop", () => {
+    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
+      port: 53,
+      dnsCacheMaxSize: 100,
+      dnsCacheTtlMs: 0,
+      hosts: {
+        "*.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const appResp = server.resolve(buildQuery("app.loop", DNS_TYPES.A))!;
+    assert.ok(appResp.length > 0);
+    assert.strictEqual(getAnswerCount(appResp), 1);
+
+    const deepResp = server.resolve(buildQuery("deep.sub.loop", DNS_TYPES.A))!;
+    assert.ok(deepResp.length > 0);
+    assert.strictEqual(getAnswerCount(deepResp), 1);
+  });
+
+  it("resolves wildcard with multiple record types", () => {
+    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
+      port: 53,
+      dnsCacheMaxSize: 100,
+      dnsCacheTtlMs: 0,
+      hosts: {
+        "*.dev": {
+          records: [
+            { type: "A", address: "10.0.0.1" },
+            { type: "AAAA", address: "::1" },
+            { type: "TXT", data: ["v=dev"] },
+          ],
+        },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const aResp = server.resolve(buildQuery("random.dev", DNS_TYPES.A))!;
+    assert.ok(aResp.length > 0);
+    assert.strictEqual(getAnswerCount(aResp), 1);
+
+    const aaaaResp = server.resolve(buildQuery("another.dev", DNS_TYPES.AAAA))!;
+    assert.ok(aaaaResp.length > 0);
+    assert.strictEqual(getAnswerCount(aaaaResp), 1);
+
+    const txtResp = server.resolve(buildQuery("foo.dev", DNS_TYPES.TXT))!;
+    assert.ok(txtResp.length > 0);
+    assert.strictEqual(getAnswerCount(txtResp), 1);
+  });
+
+  it("exact hostname takes priority over wildcard", () => {
+    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
+      port: 53,
+      dnsCacheMaxSize: 100,
+      dnsCacheTtlMs: 0,
+      hosts: {
+        "*.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
+        "exact.loop": { records: [{ type: "A", address: "10.0.0.100" }] },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const exactResp = server.resolve(buildQuery("exact.loop", DNS_TYPES.A))!;
+    assert.ok(exactResp.length > 0);
+    assert.strictEqual(getAnswerCount(exactResp), 1);
+
+    const wildResp = server.resolve(buildQuery("other.loop", DNS_TYPES.A))!;
+    assert.ok(wildResp.length > 0);
+    assert.strictEqual(getAnswerCount(wildResp), 1);
+  });
+
+  it("rejects bare wildcard pattern query (no subdomain)", () => {
+    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
+      port: 53,
+      dnsCacheMaxSize: 100,
+      dnsCacheTtlMs: 0,
+      hosts: {
+        "*.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const bareResp = server.resolve(buildQuery("*.loop", DNS_TYPES.A))!;
+    assert.ok(bareResp.length > 0);
+  });
+
+  it("handles deeply nested wildcard matches", () => {
+    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
+      port: 53,
+      dnsCacheMaxSize: 100,
+      dnsCacheTtlMs: 0,
+      hosts: {
+        "*.com": { records: [{ type: "A", address: "8.8.8.8" }] },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const deepResp = server.resolve(buildQuery("a.b.c.d.com", DNS_TYPES.A))!;
+    assert.ok(deepResp.length > 0);
+    assert.strictEqual(getAnswerCount(deepResp), 1);
+  });
+
+  it("is case-insensitive for wildcard matching", () => {
+    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
+      port: 53,
+      dnsCacheMaxSize: 100,
+      dnsCacheTtlMs: 0,
+      hosts: {
+        "*.example": { records: [{ type: "A", address: "1.2.3.4" }] },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const upperResp = server.resolve(buildQuery("APP.EXAMPLE", DNS_TYPES.A))!;
+    assert.ok(upperResp.length > 0);
+    assert.strictEqual(getAnswerCount(upperResp), 1);
+  });
+
+  it("wildcard only matches one label prefix", () => {
+    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
+      port: 53,
+      dnsCacheMaxSize: 100,
+      dnsCacheTtlMs: 0,
+      hosts: {
+        "*.loop": { records: [{ type: "A", address: "5.5.5.5" }] },
+      },
+    };
+
+    server = new DevDnsServer(config);
+
+    const oneLabelResp = server.resolve(buildQuery("x.loop", DNS_TYPES.A))!;
+    assert.ok(oneLabelResp.length > 0);
+  });
+});

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*.ts", "src/env.d.ts"],
+  "exclude": ["node_modules", "dist"]
+}